SBA Scams on the Increase

Date April 16, 2020
Authors William J. Heaven, Matthew J. Schiavone & Suzanne P. Leighton

As the shelter-in-place orders issued to deal with the coronavirus pandemic are prolonged, cybercriminals continue to look for new opportunities to take advantage of business owners and the general public.

With all of the recent news regarding a possible funding shortfall of the Paycheck Protection Program (“PPP”), cyber-crooks are stepping up their fraudulent attempts, including phony SBA websites (.com instead of .gov) and offers to process your PPP application faster for a small fee.

In addition to the SBA scams, criminals are perpetrating financial and data scams through a myriad of tricks. Current scams are related to:

  • The IRS or CARES Act
  • The status of your stimulus payment
  • COVID-19
    • Charitable giving sites
    • Current updates – statistics and/or heat maps
    • Early vaccine/treatment access
  • Problems with a bank account or credit card
  • Investment opportunities
  • Blood donations

Here are a few of the current scams:

Method 1: Masquerading
Cybercriminals are exploiting the need for individuals and businesses to deploy new IT resources and methods to work remotely, such as VPNs, screen-sharing technologies and remote meeting software. Criminals are developing malicious tools that appear legitimate, and unsuspecting users searching for a tool to meet their needs instead download a malicious VPN agent. It is important to discuss any new IT resources you are considering with a professional who can advise you not only on the best tools but on the most secure ones.

Also, as your business operations change, cybercriminals are waiting to insert themselves into the process. In a man-in-the-middle attack, criminals intercept emails detailing payment instructions and bank account numbers, change the instructions so that funds are re-routed to off-shore bank accounts, and then forward the altered email to the intended recipient. The sender and recipient are none the wiser until they discover that the money is gone.

Method 2: Phishing/Vishing/SMishing using COVID-19 themes
Attacks may come in the form of fraudulent emails (phishing), text messages (smishing) or voice calls (vishing). These attacks may take advantage of users by posing as the following:

  1. The IRS
  2. The SBA or Funding Bank
  3. Charitable agencies
  4. Tech Support

Remember, the IRS will NEVER call, text, or email you for payment or bank account information, nor will other government agencies. Scrutinize every unfamiliar call, text, or email and avoid disclosing your personal information.

Method 3: Fake Mobile Applications
Cybercriminals understand that we regularly download apps to meet our daily needs. There have been multiple cases of malicious Android applications claiming to offer information about the virus or to accommodate your business needs in these uncertain times. All they really offer attackers is the opportunity to spy on you, steal information or ransom your data.

Method 4: Malicious and Fraudulent Websites
The Palo Alto Networks threat intelligence team notes that over the past few weeks more than 100,000 websites have been registered containing terms like “COVID,” “virus,” and “corona.” Many of these websites are used to deploy malicious software that can threaten your business operations and data security or trick you into thinking that you are applying for stimulus loans through its interface. Some websites spread false information to create unnecessary action or panic. Such risks can be avoided by using only trusted sources.

Do the following to protect yourself from becoming a victim of a fraudulent attack:

  • Use extreme caution when dealing with any email with a subject line, attachment or hyperlink pertaining to COVID-19.
  • Be cautious when dealing with an email, text message, social media post, or phone call with a subject line or topic pertaining to a COVID-19 related matter.
  • Use only TRUSTED sources, such as known government websites, for updated information on COVID-19.
  • NEVER trust a hyperlink in a communication stressing urgency, such as a warning about a severe problem pertaining to financial information—i.e. bank account, credit card or the IRS.
    • Verify that the contact information is from a trusted source—for example, the toll-free phone number on the back of your credit card.
  • If you need to visit a website, open it directly from your computer or from a previously used app on your smartphone instead of from the link in the requesting email.
  • Never provide any identifying number over the phone, such as your Social Security number, your Medicare ID number, your driver’s license number or your bank account number.
  • If you need to implement new technology or processes for your business or personal life, consult a professional.
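The advice above to distrust urgent links and to rely only on known government sites can be turned into a simple automated check. The following is an added example (not HBK's code) that applies two of the warning signs from this post to every link in a message: a host that imitates an agency such as the SBA or IRS without being under .gov, and a host containing pandemic keywords like “covid”, “corona” or “virus”. The agency names, the keyword list and the sample email are all assumptions constructed for illustration.

```python
"""Flag links in an email body that match the scam patterns described above.

Added example; not code from HBK. Two warning signs are checked per link:
(1) the host imitates a government agency (e.g. "sba" on .com) but is not a
.gov host, and (2) the host contains a pandemic keyword, the pattern seen in
the 100,000+ newly registered domains mentioned in the post.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed lookalike targets: the agencies this post says are impersonated.
AGENCY_NAMES = {"sba", "irs"}
PANDEMIC_KEYWORDS = ("covid", "corona", "virus")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Lower-cased hostname with userinfo/port stripped ('' if unparseable)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def flag_link(url: str) -> List[str]:
    """Return the reasons a link looks suspicious (empty list = no finding)."""
    host = host_of(url)
    if not host:
        return ["unparseable URL"]
    # Split on dots and hyphens so "sba-loans.net" and "sba.gov.example.com"
    # both expose the agency token; the TLD is the last dotted label only.
    tokens = re.split(r"[.-]", host)
    tld = host.rsplit(".", 1)[-1]
    reasons = []
    if any(tok in AGENCY_NAMES for tok in tokens) and tld != "gov":
        reasons.append(f"imitates a government agency but is not a .gov host: {host}")
    if any(kw in host for kw in PANDEMIC_KEYWORDS):
        reasons.append(f"host contains a pandemic keyword: {host}")
    return reasons


def scan_email(body: str) -> Dict[str, List[str]]:
    """Map each flagged URL in the body to its reasons; clean links are omitted."""
    findings = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing punctuation from prose
        reasons = flag_link(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample message in the style of the scams described above.
SAMPLE_EMAIL = """\
Subject: URGENT - your PPP application is on hold

Your Paycheck Protection Program loan needs verification within 24 hours.
Confirm your bank details at https://www.sba.com/ppp-verify.
Get the latest outbreak map at http://covid-19-tracker.example/map.
Official guidance remains at https://www.sba.gov/funding-programs and
https://www.irs.gov/coronavirus.
"""

if __name__ == "__main__":
    for flagged, why in scan_email(SAMPLE_EMAIL).items():
        print(flagged)
        for reason in why:
            print("   -", reason)
```

Note that the keyword check looks only at the host, so a legitimate page such as irs.gov/coronavirus is not flagged, while a .gov label buried inside a non-.gov host still is.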

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



2020 Resolution: Date Documents With The Full Year

Date January 21, 2020
Authors Sarah Gaymon, CPA

As we begin 2020 and many have committed to (and already broken?) New Year’s resolutions, we recommend one that is easy to keep: when dating documents from now through December 31, use the full “2020” to denote the year, as opposed to just writing/typing “20”.

Doing so will not only generate a sense of accomplishment for keeping at least ONE resolution by year’s end, it may also protect you from potential fraud. Signing documents with an abbreviation (e.g. 1/20/20) may make them more susceptible to manipulation, resulting in a greater risk of the signer falling victim to deceptive practices. Consider the following scenarios:

  • You write a personal check to your new boyfriend or girlfriend in the amount of $5,000 on February 14, 2020, as an intended “shopping spree” Valentine’s Day gift. You date the check 2/14/20. Several months pass, you realize this is not the person you want to spend the rest of your life with, and you part ways. If the check was not cashed within a reasonable time frame, it would not be honored by your bank, so no big deal. Fast forward to the year 2021, when your ex finds the check and edits the date to 2/14/2021 (by tacking two more digits onto the end of the date) so the bank will cash it. Since the bank was unaware that the check was altered, you are now out $5,000 a full year after writing the check.

  • You provide your shady landlord, with whom you’ve had several disputes, a written notice of intent to vacate his property (i.e., you’re finally moving out!). You sign and date the document using the abbreviation 4/25/20. Now assume the landlord refuses to return your security deposit, so you take him to small claims court. There, the landlord claims you overstayed your lease and remained on the property long after you informed him that you would vacate, which would allow him to retain the good-faith deposit you paid at the beginning of your contract with him. He produces the document that you signed, but has altered the date to read 4/25/2019, thus “proving” that you stayed a full year after you told him of your intent to vacate. Assuming you did not keep a copy of the signed document, you will likely have a hard time proving the actual date on which you signed the notice. This may end up costing you your deposit, not to mention court costs.

While these scenarios may seem exaggerated, they both highlight how easily documents can be manipulated, especially this year. In both scenarios, writing out 2020 in the date would have protected these documents and made them much harder to alter.

The simple addition of a few pen strokes, writing the full year 2020 when dating documents, can save you potential headaches, and maybe even considerable money, down the line. It will also give you added peace of mind that your documents are secure. This is one New Year’s resolution that is definitely worth keeping.




New Year Ushers in Enhanced Cybersecurity Threats

Date January 15, 2020

The new year brings with it an opportunity for a fresh start. From a cybersecurity perspective, a new year is also a typically dangerous time. Hackers and cybercriminals often take advantage of the opening of tax season—January 7 for businesses, January 27 for individuals—to unleash social engineering campaigns. The campaigns can be digital or phone based. Attackers are looking to steal login credentials or personally identifiable information (PII) and will stress the need for you to respond urgently to an important communication, typically from your financial institution or accounting firm, about a problem with your account, a law you may have violated, or something else that requires your immediate attention.

As if such risks were not enough to wrestle with, the dawn of 2020 brings with it additional cyber worries rooted in the recently increased tensions between the U.S. and Iran. The Iranian government suggested its response to the killing of General Qasem Soleimani “concluded” with its January 7 missile launch. But according to The New York Times, cybersecurity experts are picking up on ongoing malicious cyber activity from pro-Iranian forces. And while Iranian cyber capabilities are not on par with those of Russia, China or the U.S., Iran does have the capability to inflict damage via a cyber attack.

The Cybersecurity and Infrastructure Security Agency (CISA), which was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, is charged with protecting the nation’s critical infrastructure from physical and cyber threats. The agency’s January 6 Alert AA20-006A “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad” suggests that employees as well as the IT departments of organizations adopt a heightened sense of awareness and increase organizational vigilance.

What you should do:

  • Use known contact methods instead of those provided in an email or voicemail
  • Do not open attachments or click links unless you are certain they are from a verified “trusted source”
  • Do not divulge sensitive information unless you have verified the recipient
  • Be sure to use approved solutions for transmitting sensitive information with clients or third parties

Cyber criminals continue to ramp up efforts to disrupt organizations and their ability to function in a digital society. Organizations must continue to enhance their efforts to keep themselves from becoming victims of cyber crimes.

Attend Our Cybersecurity Webinar
On Wednesday, January 22 join HBK Risk Advisory Services Director Matt Schiavone for our first webinar of 2020, “Security Awareness Programs: What You MUST Know to Protect Your Company & Workforce” at Noon EST. Register for the free webinar here.




Cybersecurity Insurance: Consider Your Options

Date November 26, 2019

As a cybersecurity professional, I’m often asked by clients if they should buy cybersecurity insurance. My answer is “definitely,” but not without considerations. For one, you should determine the value of what you are trying to protect. And when evaluating a policy, ensure that you are clear on exactly what the policy covers—and maybe more importantly, what it doesn’t.

Cybersecurity insurance policies come in many forms, from a “quick” cyber policy, where applying requires you only to answer three or four questions, to a full-length application policy. The protection level and policy costs vary accordingly; quick policies may include multiple coverage exclusions or costly gaps. For example, failure to apply security patches may trigger an exclusion in your coverage. If you implement a recognized cybersecurity control framework, you will likely be able to find policies with more coverage at lower costs. It could also lower the probability that you are later denied coverage under your cyber insurance policy because you inadvertently answered a crucial application question incorrectly.

A follow-up question I often get: Can I mitigate my business’s cyber-risk through a cyber policy, or should I implement cybersecurity controls to improve my cybersecurity posture?

When I posed the question to Joseph Brunsman, author of multiple published cyber insurance articles and a book on cyber insurance, he stated: “Cyber insurance is a crucial component – but arguably the last component – in the defensive posture of business. I would prefer, as would the regulators who can bring sizable fines and consent orders, cyber insurers, and attorneys who specialize in post-breach litigation, that businesses do everything in their power to avoid a breach. After that first breach occurs, insurance companies begin to take a hard look at internal cybersecurity postures. Increasingly insurers are demanding specific controls be implemented as a prerequisite to coverage. If businesses fail to adopt the correct posture, they could quickly find themselves with no recourse but to pay for every breach out of pocket. Taken as a whole, businesses need to consider their cybersecurity posture now; while it’s convenient, and before it’s mandatory.”

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call us at 330-758-8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.




Cybersecurity: Expense or Investment?

Date November 11, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

As a business owner or chief executive you focus on increasing the value of your business. Costs that don’t produce a return, even if sometimes necessary, are unwanted expenses.

As the practice of cybersecurity has emerged, many organizations have looked at implementing a cybersecurity program as an expense. But even beyond protecting your organization from potentially catastrophic data thievery, a cybersecurity program is an investment that adds real, quantifiable value to your business—added value clearly evident as owners look to merge or sell their businesses.

Consider the many businesses spanning myriad industries that have fallen victim to cyber attacks or data breaches subsequent to being acquired. FitMetrix, a MindBody acquisition; Starwood Group, a Marriott acquisition; MyFitnessPal, an Under Armour acquisition; and Bongo International, a FedEx acquisition are glaring examples.

All markets and industries have been affected. As a result, a company’s cybersecurity program, or lack thereof, is a central consideration in current M&A due diligence.

In a recent survey conducted by the International Information System Security Certification Consortium, or (ISC)², 96 percent of respondents said they take the maturity of cybersecurity programs into consideration when determining the value of a company. (ISC)² is a non-profit organization offering training and various certifications to cybersecurity professionals.

Moreover, 53 percent of respondents said values can vary widely depending on the maturity and effectiveness of the cyber program; 45 percent agreed that a cybersecurity program adds value but said that they assign value via a plus-or-minus or pass-or-fail indicator.

Perhaps most interesting, the study revealed cybersecurity infrastructure—including “soft” assets such as a risk management policy, security awareness training programs and other governance initiatives that might not traditionally be considered infrastructure—actually has a greater impact on value than IT.

Conversely, the lack of cybersecurity infrastructure indicates a liability potentially devaluing the company.

To illustrate the value of your cybersecurity initiative, we recommend you develop a formalized and documented cybersecurity program. The program should be continually improved and reviewed at least annually by an appropriate third-party firm.

Simply put: Invest in cybersecurity. Secure the future of your business and its value.

HBK can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Contact Matthew Schiavone, CPA, CISSP, CISA for questions or to schedule an assessment.




Encryption: A VPN Building Block

Date October 21, 2019

To improve “cyber posture” when working remotely, we typically recommend a Virtual Private Network (VPN): an encrypted “tunnel” between the sending and receiving networks that protects the confidentiality of the data in the communication. A VPN would not be viable without encryption.

Encryption is a mathematical function. It is part of the broad science of secret languages called cryptography, and it involves converting plaintext into ciphertext (“encryption”) and back again (“decryption”). Encryption has been around for centuries: one of the first examples, the Caesar cipher, dates back to ancient Rome and substitutes each letter with another one further along in the alphabet to protect the secrecy of a message.

Central to understanding how encryption works, and indirectly how VPNs increase security through encryption, is the number of encryption “keys” used in converting plaintext to ciphertext and back. At the highest level, there are two types of encryption:

  1. Symmetric, where the same key is used to both encrypt and decrypt the data
  2. Asymmetric, where the “public key” is used to encrypt and the “private key” is used to decrypt. (The public/private key pair are mathematically related.)

Neither type of encryption is better than the other. In fact, both are critical in achieving cybersecurity when used properly.
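The key-count distinction above is easiest to see in code. The following is an added example, not HBK's code: the Caesar cipher the post mentions stands in for a symmetric algorithm (one shared key, used in both directions), and a deliberately tiny textbook RSA stands in for an asymmetric one (a public key to encrypt, a mathematically related private key to decrypt). Both ciphers are illustrative only; the primes 61 and 53 are the classic textbook values, far too small for real use, and a VPN relies on modern ciphers rather than either of these.

```python
"""Symmetric vs. asymmetric encryption with two textbook ciphers.

Added example for the VPN/encryption note above; not HBK's code. Neither
cipher is safe for real use: the Caesar shift has only 25 usable keys and
the RSA primes here are tiny. The point is the key-handling pattern, which
is the same one real VPN ciphers follow.
"""
from math import gcd
from typing import Tuple
import string

ALPHABET = string.ascii_uppercase
Key = Tuple[int, int]  # (modulus n, exponent)


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Symmetric: shift each letter `key` places forward; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Symmetric: decryption reuses the SAME key, shifting backwards."""
    return caesar_encrypt(ciphertext, -key)


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA from two primes. Returns (public_key, private_key).

    Both keys share the modulus n = p*q. The private exponent d is the
    modular inverse of the public exponent e modulo (p-1)(q-1); that
    relationship is what makes the pair "related" yet different.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(message: int, public_key: Key) -> int:
    """Asymmetric: anyone holding the PUBLIC key can encrypt."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(message, e, n)


def rsa_decrypt(ciphertext: int, private_key: Key) -> int:
    """Asymmetric: only the holder of the PRIVATE key can decrypt."""
    n, d = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    shared_key = 3
    ct = caesar_encrypt("Meet at the VPN gateway", shared_key)
    print("Caesar:", ct, "->", caesar_decrypt(ct, shared_key))

    public, private = rsa_keygen(61, 53, 17)  # classic textbook primes, n = 3233
    c = rsa_encrypt(65, public)  # 65 is the ASCII code for "A"
    print("RSA:", c, "->", rsa_decrypt(c, private), "| public", public, "private", private)
```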

As always, HBK Risk Advisory Services (RAS) is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613 or via email at wheaven@hbkcpa.com. HBK RAS is here to answer your questions and discuss your concerns.




A (Technological) Change Will Do You Good

Date October 15, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

Adapting to technological change is a challenge all businesses face. Some changes force the matter — like required compliance with privacy and cyber regulations — while others, such as implementing a vendor risk management program, may seem less urgent. Regardless, businesses must recognize the need for a particular change and act accordingly.

A recent study conducted by the Information Systems Audit and Control Association (ISACA) and the global consulting firm Protiviti revealed the top five technology challenges faced by businesses today as:

  1. IT security and privacy/cyber security
  2. Data management and governance
  3. Emerging technology and infrastructure changes
  4. Resource/staffing/skills
  5. Third-party/vendor risk management

While all organizations face the same challenges, small and medium-sized businesses can find them more difficult to overcome, especially as they relate to number four on the list: a lack of resources, staffing and skills.

Monetary considerations aside, it is difficult to find qualified personnel. Addressing security, privacy, governance and infrastructure (effectively, numbers one through three on the list) requires professionals with sophisticated skill sets. The difficulty and expense associated with trying to meet these demands internally make it more reasonable to outsource them.

We are here to help. HBK offers cost-effective solutions to address these challenges. We have IT professionals across numerous disciplines, from specialists in privacy regulations to technicians who facilitate infrastructure changes. Get access to the specific skill sets and resources you need when you need them. For more information or to schedule an appointment, call (724) 934-5300; or email me at MSchiavone@hbkcpa.com.




GRC: Just Another Acronym?

Date October 8, 2019

Governance, Risk Management and Compliance (GRC) is a methodology that provides organizations with an integrated approach to cyber security maintenance. Though its three components are often considered separately, it is most effective when executed in its entirety as a single, three-pronged initiative.

  • Governance is the process ensuring effective and efficient use of Information Technology (IT) to enable an organization to achieve its fundamental goals.
  • Risk Management is the process of identifying, assessing and managing risk as a way to help achieve an organization’s objectives, based on its tolerance for threats — in short, clearly establishing the company’s risk acceptance or risk avoidance.
  • Compliance involves adhering to accepted practices, rules and regulations within a business at an industry or governmental level, or both.

A holistic approach should be taken to GRC, as with any control or protocol established to mitigate a risk: the cost to implement the control should be less than the cost of actual exposure to the risk being mitigated. GRC expands this calculation when an individual or business also considers the costs associated with non-compliance — namely, fines or penalties.

The culmination of Governance, Risk Management and Compliance occurs when IT policies help convert the desired behaviors of team members into a formal, successful cyber security plan.

HBK Risk Advisory Services can help you design and develop your own GRC program to protect your business. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. As always, HBK is here to answer your questions and discuss your concerns.




Welcome to Cyber Security Awareness Month

Date October 1, 2019

October is Cyber Security Awareness Month, marking the 16th consecutive year of the Department of Homeland Security’s (DHS) annual campaign. The goal of the initiative is to raise awareness about the importance of cyber security.

Did You Know? (From the 2019 Verizon Data Breach Investigations Report)

  • C-level executives are 12 times more likely to be targeted by social engineering campaigns.
  • Ransomware attacks are still going strong and remain a valid threat to all industries.
  • Mobile users are more susceptible to phishing attacks, likely due to their user interfaces, among other factors.
  • In 2019, 43% of cyber breaches involved small businesses.

Action Item Reminders:

  • Implement cyber security awareness training and associated programs to measure effectiveness.
  • Implement network vulnerability scans to identify security holes that a hacker could potentially exploit.
  • Back up your data and verify the completeness and accuracy of individual backups.
  • Implement vendor-supplied updates on both your hardware and software on a timely basis.

As always, HBK Risk Advisory Services is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. HBK is here to answer your questions and discuss your concerns.




Doing Business with Microsoft? Privacy Protection is Key

Date September 9, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

Microsoft executives take security and privacy initiatives seriously. Not just their own, but those of their vendors, as well.

Microsoft is committed to Vendor Risk Management (VRM). Suppliers and business partners are often required to undergo varying levels of attestation to their information security initiatives, including SOC 2 or Microsoft’s Supplier Security and Privacy Assurance (SSPA).

Microsoft has established data protection requirements (DPRs) for suppliers who process Microsoft personal or confidential data. More often than not, suppliers must undergo annual attestation as to their ability to meet the requirements defined in Microsoft’s DPR.

“Process” in Microsoft’s DPR refers to any operation or set of operations performed on Microsoft personal data or confidential data, whether or not the operations are automated. Processing includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination, alignment or combination, restriction, and erasure or destruction.

SSPA is a Microsoft program that involves not only making sure that suppliers understand these requirements but ensuring their compliance. The program combines Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to make certain that suppliers follow privacy and security principles when processing Microsoft personal data or Microsoft confidential data. It covers all global suppliers processing Microsoft personal or confidential data.

Suppliers considered high risk are required to provide independent verification of DPR compliance. Such companies are asked to select an independent auditor affiliated with the American Institute of CPAs (AICPA) or the International Association of Privacy Professionals to assess DPR compliance; that auditor is responsible for providing an unqualified letter of attestation to the Microsoft SSPA.

At HBK, our affiliation with the AICPA is merely one aspect of our capabilities. Our auditors have years of experience performing attestation engagements, including extensive SOC 2 work. We have intimate knowledge of security and privacy best practices and hold these critical credentials: Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Most importantly, we are experienced in navigating businesses through Microsoft’s SSPA and compliance with the company’s Data Protection Requirements.

We can help you if Microsoft is on your business horizon and you want to maximize the value of these efforts, or if you’re preparing for a security audit. Call us at 724.934.5300 or email me at MSchiavone@hbkcpa.com and let’s get started.
