Cybersecurity Social Engineering: Email Security Recommendations

Date April 2, 2020

Cybersecurity attacks are occurring at such a rapid pace during the COVID-19 crisis that it has become difficult to keep up with all the fraud attempts.

Fundamentally, everyone should:

  • Have up-to-date antivirus software
  • Use a Spam Filter
  • Use VPN (Virtual Private Network) software
  • NEVER trust public Wi-Fi
  • Use Encrypted Filesharing, if necessary


Beyond those basic directives, there is an additional offline layer of controls, building on the “Defense in Depth” concept, that every company can easily incorporate to help prevent bank fraud. Now that we are working remotely, business is being conducted with almost no face-to-face interaction among team members, clients and vendors. We rely more on email conversations than on phone calls. Hackers see this situation as an opportunity and are developing schemes to take advantage of it.

Our recommendations for email payment security include the following (your business may already have some or all of these in place):

1. Assemble a directory—mobile or landline—with pre-arranged telephone numbers
  • Include your company leadership or C-suite
  • Include your finance and/or accounts payable teams
  • Include vendors that you have a history of paying electronically
  • Include your bank(s) and regular contacts at your bank(s)

2. Require any team member receiving an email requesting a new or altered electronic payment to reach out to the “requestor” as listed in your new directory of “pre-arranged” phone numbers to verify that the request is real and to verify the account numbers.

Never rely on the contact information or account numbers provided in the email!

3. Require a secondary authentication from a pre-designated member of your company who is included in your directory of pre-arranged telephone numbers, such as your CFO or Director of Finance. Additionally, you can add another layer of security by using a pre-designated “code word” with the members of the pre-designated directory.

4. To protect your pre-arranged telephone directory, store it inside your password vault (most have the capability to store secure notes).
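The four steps above as a verification policy in code, an added example that is not part of the original post: the callback must go to the directory number and never to the one in the email, the account number must be read back by voice, and a different, pre-designated approver must confirm the same account. The directory entries, phone numbers and code words are constructed sample values.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// DirectoryEntry is one pre-arranged contact. The phone number and code word
// were exchanged in advance through a known channel, never taken from an email.
type DirectoryEntry struct {
	Phone    string
	CodeWord string
	Approver bool // pre-designated to give the secondary authentication (e.g. CFO)
}

// ChangeRequest is what the email claims. ClaimedPhone is deliberately never
// used by the policy: in a fraudulent email it is the attacker's own number.
type ChangeRequest struct {
	ClaimedRequestor string
	ClaimedPhone     string
	NewAccount       string
}

// CallbackResult records what the team member did and heard on a phone call.
type CallbackResult struct {
	DialedPhone      string // number actually dialed
	ConfirmedAccount string // account number the called party read back
	CodeWordGiven    string
}

func sameSecret(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// VerifyPaymentChange enforces the recommendations: the requestor must be in
// the directory, both callbacks must go to directory numbers, the account
// number must be confirmed by voice on both calls, and a different,
// pre-designated approver must give the secondary authentication.
func VerifyPaymentChange(dir map[string]DirectoryEntry, req ChangeRequest,
	requestorCall CallbackResult, approverName string, approverCall CallbackResult) error {
	entry, ok := dir[req.ClaimedRequestor]
	if !ok {
		return errors.New("requestor not in the pre-arranged directory: reject")
	}
	if requestorCall.DialedPhone != entry.Phone {
		return fmt.Errorf("callback dialed %s but the directory number is %s", requestorCall.DialedPhone, entry.Phone)
	}
	if requestorCall.ConfirmedAccount != req.NewAccount {
		return errors.New("account number read back on the call differs from the email")
	}
	if !sameSecret(requestorCall.CodeWordGiven, entry.CodeWord) {
		return errors.New("requestor code word mismatch")
	}
	approver, ok := dir[approverName]
	if !ok || !approver.Approver || approverName == req.ClaimedRequestor {
		return errors.New("secondary authentication must come from a different, pre-designated approver")
	}
	if approverCall.DialedPhone != approver.Phone || !sameSecret(approverCall.CodeWordGiven, approver.CodeWord) {
		return errors.New("approver callback failed")
	}
	if approverCall.ConfirmedAccount != req.NewAccount {
		return errors.New("approver did not confirm the same account number")
	}
	return nil
}

// SampleDirectory is constructed sample data, not a real directory.
func SampleDirectory() map[string]DirectoryEntry {
	return map[string]DirectoryEntry{
		"Acme Supplies AP": {Phone: "555-0100", CodeWord: "bluebird"},
		"CFO":              {Phone: "555-0199", CodeWord: "granite", Approver: true},
	}
}

func main() {
	dir := SampleDirectory()
	// Constructed sample: the email claims to be the vendor and offers a "new" number.
	req := ChangeRequest{ClaimedRequestor: "Acme Supplies AP", ClaimedPhone: "555-0666", NewAccount: "ACCT-NEW-42"}
	vendor := CallbackResult{DialedPhone: "555-0100", ConfirmedAccount: "ACCT-NEW-42", CodeWordGiven: "bluebird"}
	cfo := CallbackResult{DialedPhone: "555-0199", ConfirmedAccount: "ACCT-NEW-42", CodeWordGiven: "granite"}
	fmt.Println("directory numbers dialed:", VerifyPaymentChange(dir, req, vendor, "CFO", cfo))
	wrong := vendor
	wrong.DialedPhone = req.ClaimedPhone // the number from the email: rejected
	fmt.Println("email number dialed:", VerifyPaymentChange(dir, req, wrong, "CFO", cfo))
}
```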

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call me at 330.758.8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.

Also, if you were unable to join us in February for our Risk Advisory Service Webinar on Banking Controls, you can access a recording of the session at: https://attendee.gotowebinar.com/recording/8846183878460240903

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



New Year Ushers in Enhanced Cybersecurity Threats

Date January 15, 2020

The new year brings with it an opportunity for a fresh start. From a cybersecurity perspective, a new year is also a typically dangerous time. Cyber hackers and cyber criminals often take advantage of the opening of tax season—January 7 for businesses, January 27 for individuals—to unleash social engineering campaigns. The campaigns can be digital or phone-based. They’re looking to steal login credentials or PII and will stress the need for you to respond urgently to an important communication, typically from your financial institution or accounting firm, about a problem with your account, a law you may have violated, or something else that requires your immediate attention.

As if such risks are not enough to wrestle with, the dawn of 2020 brings with it additional cyber worries rooted in the recently increased tensions between the U.S. and Iran. The Iranian government suggested its response to the killing of General Qasem Soleimani “concluded” with its January 7 missile launch. But according to The New York Times, cybersecurity experts are picking up on ongoing malicious cyber activity from pro-Iranian forces. And while Iranian cyber capabilities are not on par with those of Russia, China or the U.S., Iran does have the capability to inflict damage via a cyber attack.

The Cybersecurity and Infrastructure Security Agency (CISA), which was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, is charged with protecting the nation’s critical infrastructure from physical and cyber threats. The agency’s January 6 Alert AA20-006A “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad” suggests that employees as well as the IT departments of organizations adopt a heightened sense of awareness and increase organizational vigilance.

What you should do:

  • Use known contact methods instead of those provided in an email or voicemail
  • Do not open attachments or click links unless you are certain they are from a verified “trusted source”
  • Do not divulge sensitive information unless you have verified the recipient
  • Be sure to use approved solutions for transmitting sensitive information with clients or third parties

Cyber criminals continue to ramp up efforts to disrupt organizations and their ability to function in a digital society. Organizations must continue to enhance their efforts to keep themselves from becoming victims of cyber crimes.

Attend Our Cybersecurity Webinar
On Wednesday, January 22 join HBK Risk Advisory Services Director Matt Schiavone for our first webinar of 2020, “Security Awareness Programs: What You MUST Know to Protect Your Company & Workforce” at Noon EST. Register for the free webinar here.




Cybersecurity Insurance: Consider Your Options

Date November 26, 2019

As a cybersecurity professional, I’m often asked by clients if they should buy cybersecurity insurance. My answer is “definitely,” but not without considerations. For one, you should determine the value of what you are trying to protect. And when evaluating a policy, ensure that you are clear on exactly what the policy covers—and maybe more importantly, what it doesn’t.

Cybersecurity insurance policies come in many forms, from a “quick” cyber policy, where applying requires you only to answer three or four questions, to a full-length application policy. The protection level and policy costs vary accordingly; quick policies may include multiple coverage exclusions or costly gaps. For example, failing to apply security patches may trigger an exclusion in your coverage. If you implement a recognized cybersecurity control framework, you will likely be able to find policies with more coverage at lower cost. It could also lower the probability of later being denied coverage under your cyber insurance policy because you inadvertently answered a crucial application question incorrectly.

A follow-up question I often get: Can I mitigate my business’s cyber-risk through a cyber policy, or should I implement cybersecurity controls to improve my cybersecurity posture?

I posed the question to Joseph Brunsman, author of multiple published cyber insurance articles and a book on cyber insurance. He stated, “Cyber insurance is a crucial component – but arguably the last component – in the defensive posture of a business. I would prefer, as would the regulators who can bring sizable fines and consent orders, cyber insurers, and attorneys who specialize in post-breach litigation, that businesses do everything in their power to avoid a breach. After that first breach occurs, insurance companies begin to take a hard look at internal cybersecurity postures. Increasingly insurers are demanding specific controls be implemented as a prerequisite to coverage. If businesses fail to adopt the correct posture, they could quickly find themselves with no recourse but to pay for every breach out of pocket. Taken as a whole, businesses need to consider their cybersecurity posture now, while it’s convenient, and before it’s mandatory.”

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call us at 330-758-8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.




Cybersecurity: Expense or Investment?

Date November 11, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

As a business owner or chief executive you focus on increasing the value of your business. Costs that don’t produce a return, even if sometimes necessary, are unwanted expenses.

As the practice of cybersecurity has emerged, many organizations have looked at implementing a cybersecurity program as an expense. But even beyond protecting your organization from potentially catastrophic data thievery, a cybersecurity program is an investment that adds real, quantifiable value to your business—added value clearly evident as owners look to merge or sell their businesses.

Consider the many businesses spanning myriad industries that have fallen victim to cyber attacks or data breaches subsequent to being acquired. FitMetrix, a MindBody acquisition; Starwood Group, a Marriott acquisition; MyFitnessPal, an Under Armour acquisition; and Bongo International, a FedEx acquisition are glaring examples.

All markets and industries have been affected. As a result, a company’s cybersecurity program, or lack thereof, is a central consideration in current M&A due diligence.

In a recent survey conducted by the International Information System Security Certification Consortium, or (ISC)², 96 percent of respondents said they take the maturity of cybersecurity programs into consideration when determining the value of a company. (ISC)² is a non-profit organization offering training and various certifications to cybersecurity professionals.

Moreover, 53 percent of respondents said values can vary widely depending on the maturity and effectiveness of the cyber program; 45 percent agreed that a cybersecurity program adds value but said that they assign value via a plus-or-minus or pass-or-fail indicator.

Perhaps most interesting, the study revealed cybersecurity infrastructure—including “soft” assets such as a risk management policy, security awareness training programs and other governance initiatives that might not traditionally be considered infrastructure—actually has a greater impact on value than IT.

Conversely, the lack of cybersecurity infrastructure indicates a liability potentially devaluing the company.

To illustrate the value of your cybersecurity initiative, we recommend you develop a formalized and documented cybersecurity program. The program should be continually improved and reviewed at least annually by an appropriate third party firm.

Simply put: Invest in cybersecurity. Secure the future of your business and its value.

HBK can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Contact Matthew Schiavone, CPA, CISSP, CISA for questions or to schedule an assessment.




HBK IT Acquires Unicom Solutions Group

Date November 1, 2019
Authors Patricia A. Kimerer, PWE & Director of Communications

HBK IT LLC, a member of the HBK family of companies, announced today it has acquired Unicom Solutions Group of Mountainside, N.J.

Unicom is a technology-consulting firm established in 1991 offering a suite of services to small and midsize private companies, nonprofits and government agencies. The acquisition complements the offerings of HBK IT LLC, which provides various digital transformation, managed services, cybersecurity consulting and enterprise resource planning to clients in a variety of industries.

“Bringing Unicom into the HBK family gives HBK IT even greater scale and technical expertise,” noted Tom Angelo, HBK Principal in the HBK Clark, N.J. office. “The merger will bring us a team of talented individuals as we continue to grow our advisory services and help our clients use technology to drive the growth of their business in an ever-changing digital world.”

“We continue to seek out new and innovative ways to transform our organization in this digital world through modern cloud solutions, financial applications, messaging and communications as well as infrastructure and cybersecurity,” added HBK Managing Principal and CEO Christopher Allegretti, CPA.

“Joining HBK was precisely the strategic move we were looking to make,” said Unicom founder Roman Sawycky. “It allows us to offer our staff more opportunities for personal development and professional training, and our clients a more complete set of products and services.”

HBK provides small to mid-market businesses and their owners and operators a wide range of financial solutions, including accounting, tax and audit services; wealth management; business valuation; corporate finance; forensic accounting; litigation support services; and business consulting, including specific expertise in a number of major industries. The CPA firm dates back to 1949 and added its wealth management practice in 2001. HBK CPAs & Consultants and HBKS Wealth Advisors collectively have hundreds of financial professionals serving clients locally out of offices in Columbus, Youngstown and Alliance, Ohio; Pittsburgh, Philadelphia, Erie, Hermitage, Meadville and Blue Bell, Pennsylvania; Princeton, Cherry Hill and Clark, New Jersey; and Fort Myers, Naples, Stuart, Sarasota and West Palm Beach, Florida. HBK CPAs & Consultants and HBKS Wealth Advisors are both Top 100-rated firms.




Encryption: A VPN Building Block

Date October 21, 2019

When working remotely to improve “cyber posture,” we typically recommend a Virtual Private Network (VPN) as an encrypted “tunnel” between sending and receiving networks to protect the confidentiality of data in the communication. A VPN would not be viable without encryption.

Encryption is a mathematical function. It is the part of the broad science of secret languages, called cryptography, that involves converting plaintext into ciphertext (“encryption”) and back again (“decryption”). Encryption has been around for centuries; one of the earliest examples, the Caesar cipher, dates back to ancient Rome and protects the secrecy of a message by substituting each letter with another one further along in the alphabet.

Central to understanding how encryption works, and indirectly how VPNs increase security by using it, is the number of encryption “keys” used in converting plaintext to ciphertext and back. At the highest level, there are two types of encryption:

  1. Symmetric, where the same key is used to both encrypt and decrypt the data
  2. Asymmetric, where a “public key” is used to encrypt and the matching “private key” is used to decrypt. (The public/private key pair are related mathematically.)

Neither type of encryption is better than the other. In fact, both of these technologies are critical in achieving cybersecurity when utilized properly.

As always, HBK Risk Advisory Services (RAS) is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613 or via email at wheaven@hbkcpa.com. HBK RAS is here to answer your questions and discuss your concerns.




A (Technological) Change Will Do You Good

Date October 15, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

Adapting to technological change is a challenge all businesses face. Some changes force the matter — like required compliance with privacy and cyber regulations — while others, such as implementing a vendor risk management program, may seem less urgent. Regardless, businesses must recognize the need for a particular change and act accordingly.

A recent study conducted by the Information Systems Audit and Control Association (ISACA) and the global consulting firm Protiviti revealed the top five technology challenges faced by businesses today as:

  1. IT security and privacy/cyber security
  2. Data management and governance
  3. Emerging technology and infrastructure changes
  4. Resource/staffing/skills
  5. Third-party/vendor risk management

While all organizations face the same challenges, small and medium-sized businesses can find them more difficult to overcome, especially as they relate to number four on the list: a lack of resources, staffing and skills.

Monetary considerations aside, it is difficult to find qualified personnel. Addressing security, privacy, governance and infrastructure (effectively, numbers one through three on the list) requires professionals with sophisticated skill sets. The difficulty and expense associated with trying to meet these demands internally make it more reasonable to outsource them.

We are here to help. HBK offers cost-effective solutions to address these challenges. We have IT professionals across numerous disciplines, from specialists in privacy regulations to technicians who facilitate infrastructure changes. Get access to the specific skill sets and resources you need when you need them. For more information or to schedule an appointment, call (724) 934-5300; or email me at MSchiavone@hbkcpa.com.




Welcome to Cyber Security Awareness Month

Date October 1, 2019

October is Cyber Security Awareness Month, marking the 16th consecutive year of the Department of Homeland Security’s (DHS) annual campaign. The goal of the initiative is to raise awareness about the importance of cyber security.

Did You Know? (From the 2019 Verizon Data Breach Investigations Report)

  • C-level executives are 12 times more likely to be targeted by social engineering campaigns.
  • Ransomware attacks are still going strong and remain a valid threat to all industries.
  • Mobile users are more susceptible to phishing attacks, likely due to their user interfaces, among other factors.
  • In 2019, 43% of cyber breaches involved small businesses.

Action Item Reminders:

  • Implement cyber security awareness training and associated programs to measure effectiveness.
  • Implement network vulnerability scans to identify security holes that a hacker could potentially exploit.
  • Back up your data and verify the completeness and accuracy of individual backups.
  • Implement vendor-supplied updates on both your hardware and software on a timely basis.

As always, HBK Risk Advisory Services is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. HBK is here to answer your questions and discuss your concerns.




Cyber Security: It’s Everyone’s Job

Date August 13, 2019
Authors Steven Franckhauser, JD and Matthew J. Schiavone, CPA, CISSP, CISA

HBK is in the cyber security business. Our Risk Advisory Services group exists to serve our clients and help ensure they remain healthy, active and viable. That is our business, ethical and moral purpose. We also realize that we alone cannot entirely handle your cyber security needs, because so much of cyber security is a function of business culture and self-awareness.

Here are five reasons cyber security starts and ends in the business setting:

1. Laws put the burden on your business to protect cyber data. If you peruse the California Consumer Privacy Act, the New York Department of Financial Services Cyber Security Regulations, the Ohio Cyber Security Safe Harbor Law, the Florida Information Protection Act, and the mother of all data regulations, the General Data Protection Regulation of the European Union, you will find two common denominators: none of them make it illegal to steal data and all of them make it incumbent on the business to protect data.

Each regulation sets forth actions businesses must take to protect data. This type of law used to be reserved for national security matters—power plants, national emergencies, disaster recovery—but state governments in the U.S. and foreign sovereigns are delivering a clear message that these laws apply generally. You are responsible for protecting data, and if you do not you will be punished.

2. The burden to protect cyber data is being pushed by big businesses to small and medium businesses (SMBs) under contractual mandates. Large multinational businesses are being attacked through their vendors. Target took a data breach hit because of an HVAC vendor. Capital One just announced a data breach allegedly caused by an employee of one of its vendors.

Large businesses are now insisting that their vendors adopt safe cyber hygiene practices or risk losing the business. The role of “vendor risk manager” has risen to the top of the charts as supply chain logistics expand and state laws mandate cyber security measures. SMBs risk losing their best customers if they do not toe the line on cyber security.

3. Blind faith in outsourced IT and cyber security measures does not work. Pay close attention. Pushing problems to a third party does not solve problems, it merely hides them. Many SMBs outsource IT and presume that their vendor has cyber security covered. This is flawed for two major reasons. First, IT vendors are only one part of the cyber security solution. Second, IT companies are particularly susceptible to data attacks because they are an entry point into your systems. SMBs must be assured that the people they pay are addressing cybersecurity. As one CFO recently told me, he is afraid of what he doesn’t know. That type of self-realization is healthy. Have your vendors demonstrate their cyber security.

4. Cyber Insurance underwriting guidelines will not accept cyber security indifference from management. Financing a cyber data breach or a ransomware heist is a big financial deal. CEOs, COOs, CFOs and BODs are tasked with managing the business vessel. Running afoul of cyber insurance guidelines can deprive a business of the requisite financial resources provided by insurance during a cyber data calamity. Good business management practices as well as operating agreements, by-laws and partnership agreements entrust these levels of decision to management. If C-level management and boards do not fulfill their obligations, they place the financial status of the business in peril. Study the cyber security laws and regulations listed in item 1 of this article. They are aimed directly at management.

5. Fiduciary Duty of Company Officers. Talk to your business lawyers about the respective duties owed to companies by their officers. Most state laws place this high level of responsibility upon the company officers. Fiduciary duties are non-delegable.

We do not have the luxury of cyber police patrolling the data streets of homes and businesses. Security always begins with the individual. Never confuse law enforcement with security. It is incumbent upon each person to do their part in cyber and data security because each person is a link in the cyber data chain. HBK understands this reality and bases its cyber security services on understanding the human, technical and management elements as being inextricably intertwined. In the end, you are only as secure as your weakest link.

For more information or to review your cyber security responsibilities and readiness, contact Steve Franckhauser at 614.228.4000 or sfranckhauser@hbkcpa.com.




Multi-Factor Authentications: A Waste of Your Time?

Date August 1, 2019

Cybersecurity is a multi-faceted initiative. Protecting your business – and your family – from cybercrime requires a wide range of oversight and activities. One process being broadly employed is known as “multi-factor authentication” (MFA). Technically defined as a “security system,” MFA requires a user to provide more than a single input or authentication before granting access to an asset, a location or an online account.

Such required authentications are typically categorized in three ways:

  1. Something you know (such as a password)
  2. Something you have (like a key fob)
  3. Something you are (something that uniquely identifies you, such as a fingerprint)

The often-used term “two-factor authentication” refers to a subset of multi-factor authentication that, as the name implies, grants access after two separate inputs.

MFA is not new; it has been in use for decades. One of the oldest applications is the bank ATM. To withdraw money from an ATM, you need at least two factors: your ATM card, the “something you have,” and your PIN (personal identification number), the “something you know.”

With the exponential growth of the internet and online accounts, MFA enhances protection beyond a password, that is, a single-factor authentication. Because people often use the same password for multiple online accounts, hackers have a much easier time gaining access to single-factor authentication online accounts than MFA accounts. MFA provides a much-needed additional layer of protection to compensate for the bad habit of repeatedly using the same password. (See our article, “Don’t Pass on Password Managers”, to learn about another layer of protection.)
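The three factor categories as an authentication check, an added example that is not from the original post: every presented proof is verified, and access is granted only when at least two distinct categories are proven, so two “something you know” inputs do not count as MFA. The key-fob code is modelled as an HMAC over a counter; the PIN, fob secret and fingerprint identifier are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Factor is the category a proof belongs to; MFA needs two different ones.
type Factor int

const (
	Knowledge  Factor = iota // something you know: password, PIN
	Possession               // something you have: key fob, ATM card
	Inherence                // something you are: fingerprint
)

// Proof is one credential presented at login.
type Proof struct {
	Kind  Factor
	Value string
}

// User holds the server-side reference material for each factor.
type User struct {
	Salt          []byte
	PINHash       []byte // salted hash of the PIN (knowledge)
	FobSecret     []byte // secret shared with the user's hardware fob (possession)
	FingerprintID string // template id reported by the biometric reader (inherence)
}

func equal(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }

// hashPIN uses salted SHA-256 only to stay standard-library-only; a real
// deployment uses a slow password hash such as bcrypt or argon2.
func hashPIN(salt []byte, pin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return h[:]
}

// FobCode models a counter-based one-time code from a key fob: an HMAC over
// the counter, truncated to six digits. Only a device holding FobSecret can
// produce it, which is what makes the code "something you have".
func FobCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Authenticate verifies every presented proof, then applies the MFA rule:
// proofs from at least two distinct categories, so PIN + PIN is not MFA.
func Authenticate(u User, proofs []Proof, fobCounter uint64) error {
	seen := map[Factor]bool{}
	for _, p := range proofs {
		var ok bool
		switch p.Kind {
		case Knowledge:
			ok = equal(hashPIN(u.Salt, p.Value), u.PINHash)
		case Possession:
			ok = equal([]byte(p.Value), []byte(FobCode(u.FobSecret, fobCounter)))
		case Inherence:
			ok = equal([]byte(p.Value), []byte(u.FingerprintID))
		}
		if !ok {
			return fmt.Errorf("factor %d failed verification", p.Kind)
		}
		seen[p.Kind] = true
	}
	if len(seen) < 2 {
		return errors.New("single-factor: need proofs from at least two distinct categories")
	}
	return nil
}

// SampleUser is constructed sample data; its PIN is "4921".
func SampleUser() User {
	salt := []byte("constructed-salt")
	return User{Salt: salt, PINHash: hashPIN(salt, "4921"),
		FobSecret: []byte("constructed-fob-secret-0001"), FingerprintID: "fp-template-0042"}
}

func main() {
	u := SampleUser()
	code := FobCode(u.FobSecret, 7) // what the fob displays at counter 7
	fmt.Println("PIN + fob:", Authenticate(u, []Proof{{Knowledge, "4921"}, {Possession, code}}, 7))
	fmt.Println("PIN + PIN:", Authenticate(u, []Proof{{Knowledge, "4921"}, {Knowledge, "4921"}}, 7))
}
```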

The next time you are frustrated with the extra time it takes to enter multiple authentication factors, take heart. Your business or organization has deployed an additional layer of protection for you. It might be a little inconvenient, but it is hardly a waste of time.

MFA is one aspect of a multi-layered cybercrime defense strategy. We can help you develop your own strategy to protect your business and family. Contact Bill Heaven at 330-758-8613; or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.
