System Hardening: Rules for Securing Your Systems Against Unauthorized Access

Date April 26, 2023
Authors Justin Krentz

Cybersecurity Essentials: Part 4

All organizations need to protect their systems and data from cyber-attacks, which means that all organizations need to implement a cybersecurity program. Our monthly blog, “Cybersecurity Essentials,” details the elements of a comprehensive program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

In part 1 of our series, we addressed privacy concerns as they extend to employee records, client or customer records and communications, and the use of mobile devices.

In part 2, we shifted our focus to a discussion of a security program, which includes training, policies, and other steps required to protect your organization’s sensitive data.

In part 3, we introduced some tools—applications and solutions—you can use to safeguard your organization from hackers.

Now in part 4, we offer five rules for “system hardening,” that is, tightening up access and adding security to ward off potential hackers.

Rule 1: Remove all unused programs from all systems. Every program installed on a server or workstation is a potential entry point for an attacker, whether or not anyone uses it; unused software still accumulates vulnerabilities but rarely gets attention. Removing unneeded programs shrinks the number of ways your systems can be attacked. Because the needs of organizations constantly change, check regularly that every installed application is still needed and actually being used.

Rule 2: Maintain group memberships and group policies in Microsoft’s Active Directory. Policies should clearly define which user groups may access which systems, and each group should grant only the access its members need. Simple errors, such as a user left in an administrative group after a role change, can give unauthorized individuals access to systems or settings, a potential gateway for a cyber attack. Conduct periodic audits to validate group members, remove accounts that no longer belong, and ensure no permissions remain on systems or servers that those groups no longer need access to.

Rule 3: Implement a patch management plan. Your cybersecurity plan should include regularly planning, testing, and deploying patches through patch-management software, so that all operating systems and applications are on supported versions and no critical security patches are missing. When a vulnerability is found in a piece of software, the vendor (Microsoft for its own products, and likewise every other vendor you rely on) releases a patch for it; have an automated process in place to deploy it promptly, and test patches on a small group of machines before rolling them out broadly so that a bad update does not take down production.

Rule 4: Secure endpoints and perimeters. You can reduce the likelihood of attacks by strengthening user account controls and implementing security policies while maintaining user efficiency. The intent is to allow reasonable user access while ensuring your devices are protected by properly configured and deployed firewalls, routers, VPNs, and intrusion detection and prevention systems.

Rule 5: Monitor and track behavior in cloud applications. The goal is to detect abnormal user behavior, like “impossible travel” (e.g., a user signing in from Pittsburgh and then, minutes later, from Dallas, a trip no one could make in that time). Other abnormal behaviors include unfamiliar sign-in properties (a new device, browser, or location for that user) and suspicious inbox manipulation, such as a new rule forwarding mail to an unknown external account, a common sign that a mailbox has already been compromised. Alerting on changes to security rules or settings, and confirming they were authorized, helps prevent attacks, business email compromise, and ransomware.
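The two checks described in Rule 5, as an added example that is not part of the original post and not any vendor’s product code: an “impossible travel” test that computes the speed a user would have needed between two consecutive sign-ins, and a check for mailbox forwarding rules that point outside the organization. The sign-in records and mailbox rules are constructed for the example; the 900 km/h plausibility threshold, the 50 km “same metro area” floor, and the `example.com` internal domain are assumptions, as is the idea that a real deployment would feed this from the identity provider’s sign-in log or a SIEM.

```python
"""Flag impossible-travel sign-ins and external mail-forwarding rules.

Added example for the "Rule 5" discussion; the events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0        # assumption: roughly airliner speed
SAME_AREA_KM = 50.0              # assumption: ignore geolocation jitter inside one metro area
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains


@dataclass
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, city_a, city_b, km, hours) for each pair of consecutive
    sign-ins by the same user that would require faster-than-aircraft travel."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if km < SAME_AREA_KM:
                continue
            # hours == 0 means two distant sign-ins in the same second: always impossible
            if hours <= 0 or km / hours > max_kmh:
                alerts.append((user, prev.city, cur.city, round(km), round(hours, 2)))
    return alerts


def external_forwarding(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, target) for forwarding rules whose target is outside the org."""
    flagged = []
    for mailbox, target in rules:
        domain = target.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            flagged.append((mailbox, target))
    return flagged


# Constructed sample data: alice appears in Pittsburgh, then in Dallas 20 minutes
# later (the scenario from the text); bob makes the same trip over nine hours.
SAMPLE_SIGNINS = [
    SignIn("alice", datetime(2023, 4, 26, 9, 0), "203.0.113.10", 40.4406, -79.9959, "Pittsburgh"),
    SignIn("alice", datetime(2023, 4, 26, 9, 20), "198.51.100.7", 32.7767, -96.7970, "Dallas"),
    SignIn("bob", datetime(2023, 4, 26, 8, 0), "203.0.113.11", 40.4406, -79.9959, "Pittsburgh"),
    SignIn("bob", datetime(2023, 4, 26, 17, 0), "198.51.100.8", 32.7767, -96.7970, "Dallas"),
]
# Constructed mailbox rules: (mailbox, forwarding target)
SAMPLE_RULES = [
    ("alice@example.com", "alice.archive@example.com"),
    ("alice@example.com", "payments.backup@mail-collector.invalid"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", alert)
    for rule in external_forwarding(SAMPLE_RULES):
        print("external forwarding:", rule)
```

The geolocation of an IP address is approximate and VPN exit nodes produce false positives, so treat an impossible-travel hit as a prompt to verify with the user and check the session’s other properties, not as proof of compromise on its own.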

If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at jkrentz@vertilocity.com.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Implement These Tools to Protect Your Organization from Advanced Cybersecurity Threats

Date March 29, 2023
Authors Justin Krentz

Cybersecurity Essentials: Part 3

All organizations need to protect their systems and data from cyber-attacks, which means that all organizations need to implement a cybersecurity program. Our monthly blog, “Cybersecurity Essentials,” details the elements of a comprehensive program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

In Part 1 of our series, we addressed privacy concerns as they extend to employee records, client or customer records and communications, and the use of mobile devices.

In part 2, we shifted our focus to a discussion of a security program, which includes training, policies, and other steps required to protect your organization’s sensitive data.

Here in part 3, we’ll introduce some tools—applications and solutions—you can implement to safeguard your organization from hackers.

Secure WiFi/wireless network: Take these steps to implement a WiFi solution with the security to protect your data and critical business systems:

  • Create a guest WiFi network so that visitors and personal devices reach the internet through a path other than your production network.
  • Change the default administration password when you install the hardware, ensuring your IT staff has configured the device with credentials that adhere to company policy.
  • Keep the wireless hardware updated with the most recent firmware, so that it is protected against present-day threats, and use WPA2 or WPA3 encryption with a strong passphrase rather than older protocols.

Secure email gateway: Install a gateway in the path between the public internet and your corporate email. Email is the most common means hackers use to gain access to private company data. The gateway provides another layer in your security posture, inspecting email for malicious attachments, links, and spoofed senders before it reaches your corporate systems.

System auditing: On your firewall, ensure that logging is enabled and that the information it collects is periodically reviewed by designated IT staff for indications of a network compromise or ongoing attack. Providers have added the capability for detailed analysis of what is coming through. Implement a process where someone is actually looking at that data and addressing any anomalies or attacks; a log no one reads provides no protection.

Endpoint detection and response (EDR): As the sophistication of attacks has increased, the shortcomings of signature-based antivirus solutions have become more apparent. A modern replacement for antivirus software, EDR continuously monitors each endpoint (workstations and servers), records process, file, and network activity, and can respond, for example by isolating a compromised machine, and it is a critical piece of your security posture. EDR watches endpoints 24/7 and uses behavioral analytics to recognize threats that historically don’t get caught by antivirus software.

Security information and event management (SIEM): The solution collects security logs from across all network devices and systems, and provides the ability to correlate activity across multiple devices and perform analyses to search for malicious activity that no single device’s log would reveal on its own. A SIEM is a more in-depth tool for helping organizations detect, analyze, and respond to security threats that could harm operations.
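The cross-device correlation that the system-auditing and SIEM paragraphs describe, as an added example that is not part of the original post and not the logic of any particular SIEM product: it parses log lines from two sources (a firewall and a VPN concentrator), keys them by source IP address, and raises one alert when a source that was repeatedly denied or rejected within a short window then succeeds in logging on, a pattern neither device’s log shows on its own. The log lines, their formats, the 10-minute window, and the three-failure threshold are all constructed assumptions for the example.

```python
"""Minimal SIEM-style correlation across a firewall log and a VPN log.

Added example for the "System auditing" and "SIEM" discussion; the log lines
and their formats are constructed and do not belong to any vendor.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source probes two hosts, fails VPN auth three
# times, then logs in; a second source is denied once and a third logs in cleanly.
SAMPLE_LOGS = """\
2023-03-29T02:10:01Z fw01 DENY src=198.51.100.23 dst=10.0.0.5 dport=3389
2023-03-29T02:10:04Z fw01 DENY src=198.51.100.23 dst=10.0.0.6 dport=3389
2023-03-29T02:10:09Z vpn01 AUTH_FAIL user=jsmith src=198.51.100.23
2023-03-29T02:10:15Z vpn01 AUTH_FAIL user=jsmith src=198.51.100.23
2023-03-29T02:10:21Z vpn01 AUTH_FAIL user=jsmith src=198.51.100.23
2023-03-29T02:11:02Z vpn01 AUTH_OK user=jsmith src=198.51.100.23
2023-03-29T02:15:00Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22
2023-03-29T03:00:00Z vpn01 AUTH_OK user=asmith src=203.0.113.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>DENY|AUTH_FAIL|AUTH_OK)\b(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn raw lines into dicts with a parsed timestamp plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline should count unparsed lines, not drop them silently
        fields = dict(KV_RE.findall(m.group("rest")))
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group("host"),
            "event": m.group("event"),
            **fields,
        })
    return events


def correlate(events, window=timedelta(minutes=10), min_failures=3):
    """Alert when one source IP accumulates at least `min_failures` DENY or
    AUTH_FAIL events, on any combination of devices, inside `window` and then
    receives an AUTH_OK."""
    history = defaultdict(list)  # src ip -> [(timestamp, device)] of failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e.get("src")
        if src is None:
            continue
        if e["event"] in ("DENY", "AUTH_FAIL"):
            history[src].append((e["ts"], e["host"]))
        elif e["event"] == "AUTH_OK":
            recent = [(t, h) for t, h in history[src] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({
                    "src": src,
                    "user": e.get("user"),
                    "failures": len(recent),
                    "devices": sorted({h for _, h in recent}),
                    "success_at": e["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

The value of the correlation is in the join: the firewall alone sees two denied connections, the VPN alone sees three bad passwords and then a good one, and neither is alarming by itself. Joined by source address and time they describe a successful brute-force attempt, which is exactly the kind of finding the “someone actually looking at the data” step should act on.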

    If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at jkrentz@vertilocity.com.




    Security Program: Policies, Training, and Other Steps to Protecting Sensitive Data

    Date February 22, 2023
    Authors Justin Krentz

    Cybersecurity Essentials: Part 2

    All organizations need to protect their systems and data from cyber attacks, which means that all organizations need to implement a cybersecurity program. This monthly blog, titled “Cybersecurity Essentials,” details the elements of a comprehensive program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

    In Part 1 of our series, we addressed privacy concerns as they extend to employee records, client or customer records and communications, and the use of mobile devices. Here we shift our focus to a discussion of a security program, which includes training, policies, and other steps required to protect your organization’s sensitive data.

    Security awareness training of employees and contractors

Staff and contractors who have regular access to your critical systems should be given security training that is tailored to your organization and the sensitive information it holds. Training should provide a basic understanding of the cyber and physical threats posed by individuals seeking to gain access to information they should not have. The program should also cover how you will respond if access is compromised, and give everyone with access to your systems an understanding of your threat landscape, what to do to mitigate your exposure, and what to do if sensitive data is exposed.

    Phishing awareness training

A large share of data breaches start with an attacker sending an email that deceives someone in an organization into providing sensitive information or installing malware. Using a service that sends simulated phishing emails to users at random will reveal which individuals in your organization are more likely to act on an email without first verifying that it is legitimate. Phishing awareness training is critical to keeping bad actors from gaining a foothold on your networks.

    Clean desk policy

A “clean” desk is a workstation at which sensitive information is secured so that an unauthorized individual cannot get at it. That means locking the screen when stepping away, so that no one can wake an unattended session with something as simple as moving the mouse, and putting away or shredding paper documents, notes, and removable media that hold sensitive information. A clean desk policy seeks to ensure data confidentiality and that users are following the organization’s data protection guidelines.

    Visitor program

    A visitor program includes a set of physical safeguards. A clearly defined visitor policy, such as requiring a badge or escort to enter your offices, can keep assets from getting into the wrong hands. The program will vary in content and requirements from organization to organization but always seeks to ensure visitors adhere to whatever those guidelines are. The process should be shared with and understood by all employees.

    Identifying digital assets

    The organization should conduct an annual risk assessment that includes a complete inventory of digital assets and a vulnerability report. It should reveal risk blind spots, and identify where and how digital assets are deployed—and should be deployed. Risk assessments must be done on a recurring basis as assets regularly move around organizations and need to be tracked just as regularly.

    Multi-factor authentication

Multi-factor authentication is a preventive measure that requires a user to present more than one kind of proof of identity before gaining access to the information they are authorized to access: typically something they know (a password) combined with something they have (a phone app, hardware token, or security key) or something they are (a fingerprint or face). The second factor serves, in particular, to protect against compromised, including stolen, passwords, because a password alone is no longer enough to log in. Prefer phishing-resistant options (security keys, or app-generated codes rather than SMS) where you can, and require MFA on email, VPN, and administrative accounts first.

    If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at jkrentz@vertilocity.com.




    Privacy Program: The First Step in Protecting Your Organization from Cybersecurity Threats

    Date January 23, 2023
    Authors Justin Krentz

    Cybersecurity Essentials: Part 1

    All organizations need to protect their systems and data from cyber attacks, which means that all organizations need to implement a cybersecurity program. This five-part series titled Cybersecurity Essentials will address each element of a program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

    The first item on your cybersecurity checklist is to create and document a privacy program that will include developing an internal privacy policy, training employees on that policy, and creating an internal policy for data retention.

    Internal policy

    Your internal privacy policy is an employee-centric policy that addresses leadership’s expectations around the use of email and internet, systems and access. Privacy concerns extend to employee records, client or customer records and communications, and the use of mobile devices.

  • What does leadership expect from employees relative to their emails and use of the internet?
  • What are your systems and who has access to each?
  • What is your policy on the use of mobile devices, including personal mobile phones and iPads?
  • Are you bound by specific laws and regulations, such as the HIPAA rules that govern privacy as it relates to healthcare patients?

Your privacy policy is written language, a document that can be shared with employees and new hires that clearly outlines your expectations related to privacy and the policies and guidelines you have developed to ensure your expectations are met.

    Employee training

    Once you have developed your policies and documented that they have been attested to by your employees, it is essential to conduct employee training on a regular basis, at least annually, to ensure employees not only are kept up to date, but that they understand your internal privacy policy and their ongoing obligations.

    A training program will include:

  • Reviewing your privacy stance and key aspects of your program
  • Updating employees on policy changes and new policies
  • Allowing time for questions to clarify issues and clear up misunderstandings and ensure employees understand the content

Data retention policy

Data is the most important component of your privacy policy. You should develop a “retention policy” that details how long you retain each type of data. Your policy might be driven by industry regulations, for example, HIPAA rules requiring healthcare providers to retain certain patient data for a specific period of time. Your policy will be driven by compliance requirements, but also by when data can and should be expunged. It should include protocols on how data should be archived, how long it will be kept, and how it should be expunged, including securely erasing backups and copies held by vendors.

    Delete data when you can to:

  • Reduce the extent of potential damage you could suffer from a data breach
  • Reduce your legal exposure from expired data
  • Maintain compliance with laws and industry regulations
  • Reduce data storage costs

If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at jkrentz@vertilocity.com.




    Current Trends in Cybersecurity Insurance: An HBK Risk Advisory Services Webinar

    Date October 13, 2022

    Date: October 26, 2022

    Time: 10:00 – 11:00 am, ET

    Hosts: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director; and Joe Brunsman, MSL, Brunsman Advisory Group

    The HBK Risk Advisory October 26, 2022, webinar will provide insights on the topic of Cybersecurity Insurance, including how to prepare your business for new coverage or a policy renewal.

    Attendees will learn:

    • To define the term “control” as it applies to IT Security and cybersecurity insurance
    • The factors causing the price of cybersecurity insurance to increase
    • About cybersecurity insurance coverage “buckets”
    • To recognize the common exclusions in cybersecurity insurance policies
    • How to apply the “CIS Top 18” to improve your company’s cybersecurity posture

    Join us October 26 for a discussion of how companies can prepare to add cybersecurity insurance or for an existing policy renewal.

    REGISTER TODAY!




    Third-Party Risk Management-SOC Reporting: An HBK Risk Advisory Services Webinar

    Date September 22, 2022

    Date: September 28, 2022

    Time: 10:00 – 11:00 am, ET

    Hosts: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director; and Joel Van Horn, CPA/CITP, CISA, Senior Manager

Join HBK Risk Advisory Services’ Bill Heaven and Joel Van Horn for a September 28 webinar that will provide insights on SOC Reporting, including how to use a SOC 2 report to mitigate your third-party risk.

    Attendees will learn:

    • To define the key terms associated with SOC Reporting
    • The types of SOC Examinations and Reports
    • To Identify the SOC 2 Common Criteria
    • To Recognize the components of a SOC 2 Report
    • The information contained in a SOC 2 Report you can use to assess Third-Party Risk

    REGISTER TODAY!




    Avoid Falling Victim to Ransomware: An HBK Risk Advisory Services Webinar

    Date August 16, 2022

    Date: August 24, 2022

    Time: 10:00 – 11:00 am, ET

    Hosts: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director; and Justin Krentz, Vertilocity Senior Manager

    Our August 24 webinar will provide insights on the topic of ransomware, including steps you can take to protect your business from an attack and what you can do to expedite recovery in the event of an attack.

    Attendees will learn:

    • How to identify the most common attack vectors employed to introduce ransomware into a computer system
    • Steps to take that will help prevent a ransomware infection
    • The steps to take if your system is infected with ransomware
    • The components of a careful, specific data recovery plan
    • The value of reviewing the experiences of organizations that have been victims of ransomware attacks

    Join us on August 24, 2022, for a discussion of how companies can prevent and recover from a ransomware attack.

    REGISTER TODAY!




    High Net Worth Families Need a Strategic Plan to Protect Against Cyber Crime

    Date July 28, 2022

    No one is immune to cyber risks. Digital vulnerability is ubiquitous. High net worth families, even those who take precautions against cyber criminal activity, are often unaware of and surprised by how much of their personal information is publicly available. Cyber criminals are increasingly sophisticated at piecing together disparate data points, stealing identities and launching elaborate cyberspace schemes.

    HBK Risk Advisory Services recommends high net worth families adopt a strategic plan designed to manage cyber risks by enabling smarter use of digital technology. The plan should consider the multiple sources of cyber criminality and be updated regularly to address emerging threats.

    The Internet

Anything connected to the internet can provide access for a cyber criminal. Of course that includes your computers and smart TVs, but don’t forget about other smart devices, like cars and even some refrigerators. Home and office routers are particularly vulnerable when they are kept in service beyond the date the manufacturer stops issuing software updates. On a home Wi-Fi network, turn off remote administration features and use WPA2 or WPA3 encryption with a strong passphrase; if you also hide the network name, understand that a hidden SSID only keeps the network out of casual listings and remains visible to anyone with a wireless scanner, so it is no substitute for strong encryption. For public Wi-Fi, we recommend using a virtual private network (VPN). Smart devices should be password protected, with the factory default changed, and, where the device supports it, protected with anti-virus software and a firewall; devices that cannot run such software belong on a separate network from your computers, and the software that drives each device should be updated regularly with the provider’s latest security protections.

    Family policies

Many cyber attacks involve “insiders,” that is, workers providing some type of service to the entity. We suggest that high-net-worth families ensure they have written statements from each vendor or company they work with describing what that company is doing to protect the family from human and technology threats. We recommend regular background checks on vendors’ employees. We also recommend background checks on household and other staff with access to family houses, offices, and resources.

Every cybersecurity framework relies on a combination of administrative, technical, and physical controls. Policies must be well drafted and sufficient, and should be reviewed and updated annually.

    HBK Risk Advisory Services can assist families with developing cybersecurity policies covering five key areas:

    1. Connected devices: Defines how public Wi-Fi, VPNs, and home routers are used.

    2. Identity protection: Details how the personal identity of each family member is being protected and includes credit monitoring.

    3. Social media: Describes how to protect the physical security of the family, maintain private information, and protect the image and reputation of the family and business.

4. Passwords: Sets reasonable standards for creating strong, unique device passwords (a password manager makes this practical) and for changing them whenever compromise is suspected; current guidance favors length and uniqueness over forced periodic rotation.

    5. Payment-authorization: Details how payments are approved and how to protect against unauthorized wire transfers and other fraudulent requests for payments.


    Family policies need to be set, then reviewed on a regular basis. Keeping everyone current on and attentive to the policies that have been set is critical to protecting the individuals, family, and business from cyber attacks. One oversight can spell disaster.

    Using technology

    While protecting yourself from technology, HBK Risk Advisory also recommends the use of technological tools for protection. Key measures include:

    • Data backups: Includes multiple backups of the family office server, smartphones, tablets, and laptops to protect against viruses and ransomware, with at least one copy kept offline or otherwise isolated so that ransomware reaching the network cannot encrypt the backup as well, and with restores tested periodically.
    • Encryption: Financial information sent to external vendors, such as accountants and attorneys, can be protected by using secure document storage, which can provide an authorized user access to a particular document or folder, or encrypted email tools to secure the emails.
    • Response: A comprehensive cyber security strategy includes identifying how to respond to a crisis, including forensic cyber services when a hack happens. The plan should address such potentialities as lost phones or laptops, how to respond to phishing emails and phone calls, and how to handle a ransomware event, hacked emails, and network intrusions.

    Cyber insurance coverage can be tailored to your family’s needs. Any policy should include at a minimum coverage for breach response, cyber extortion, network interruption, and data restoration costs. HBK Risk Advisory Services can help you assess your cyber insurance coverage and suggest changes.

    Cybersecurity can be a complex and technically challenging initiative. Protection requires an intelligent, comprehensive plan designed to meet the specific needs of a high-net-worth individual, family, and business. The plan needs to be thoroughly and meticulously implemented, then monitored regularly to ensure its continued effectiveness against increasingly sophisticated and constantly changing cyber-criminal activities.




    EBSA Security Guidance for Protecting Retirement Assets: An HBK Risk Advisory Services Webinar

    Date July 21, 2022

    Date: July 27, 2022

    Time: 10:00 – 11:00 am ET

    Host: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director and Joel Van Horn, CPA/CITP, CISA, Senior Manager

    On July 27, our webinar will feature a review of the Employee Benefits Security Administration’s (EBSA) Cybersecurity Guidelines. The U.S. Department of Labor released the guidance to protect the retirement benefits of America’s workers, who combined count more than $9.3 trillion in retirement assets. The guidance is directed at plan sponsors, plan fiduciaries, record keepers and plan participants.

    The EBSA cybersecurity guidance is provided in three forms: Tips for hiring a service provider, Cybersecurity best practices, and Online security tips.

    We will cover:

    • The cybersecurity guidance forms recommended by EBSA
    • EBSA estimates of covered plan participants and assets
    • How to identify service providers with stringent cybersecurity practices
    • Best practices designed to assist plan fiduciaries and record keepers with managing cybersecurity risk
    • Tips to help retirement participants and beneficiaries reduce the risk of online fraud

    Join us on July 27, 2022, for a discussion of how the suggested guidance can mitigate risk for the retirement industry and plan participants as well as improve your business’s cybersecurity posture.

    Register today!




    Small Business Owners: Take Note of Verizon DBIR Recommendations for Avoiding a Cybersecurity Attack

    Date June 2, 2022

    According to the 2022 Verizon Data Breach Investigations Report (DBIR), businesses with 10 or fewer employees are becoming more enticing to cybercriminals. The two most common cybersecurity attacks on very small businesses are ransomware and credential (username and password) theft. A cybersecurity attack or incident can cause severe damage to a company, often irreparably.

    The 2022 DBIR includes recommendations for actions business owners can take to avoid becoming a target of a cybersecurity attack. They are worthy of the attention of all business owners, including owners of very small businesses:

    1. Use multifactor authentication.
    2. Do not reuse or share passwords.
    3. Use a password keeper/generator.
    4. Change the default credentials on all hardware and software.
    5. Install software updates promptly so that vulnerabilities can be patched.
    6. Work with vendors to ensure you are as secure as possible and that they are also following the same basic guidelines.
    7. Keep a consistent schedule with regard to backups and maintain offline backups (data not on a device connected to a computer).
    8. Ensure that the built-in firewall is switched on for devices such as laptops and desktops.
    9. Use antivirus software for all your devices.
    10. Do not click on anything in an unsolicited email or text message.
    11. Set up an out-of-band method for verifying unusual requests for data or payments.
    12. Ensure that a computer used for financial transactions is not used for other purposes such as social media or email.
    13. Use email services that incorporate phishing and pretexting defenses and use a web browser that warns you when a website may be spoofed.

    The Verizon DBIR provides valuable and actionable information. It is relied upon by cybersecurity experts and business owners across the globe. Click here to watch our recent webinar on this topic.
