IT Governance: Generating Value & Mitigating Risk

Date September 6, 2019

Many recent articles about cybersecurity include discussion of Information Technology (IT) Governance. What is IT Governance, and why is it important?

The concept of IT Governance is not new. It gained visibility in the early 2000s along with the enactment of such regulations as the Sarbanes-Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act,” which was developed on the heels of a series of financial scandals involving public companies, including Enron, Tyco International and WorldCom. In light of such legislation, and the increasing roles and costs of IT, companies were advised to implement IT frameworks to provide accurate, visible and timely information, and, most relevant to cybersecurity, ensure the protection, privacy and security of information assets.

Gartner, Inc., a global research and advisory firm, defines IT Governance as, “the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals.” In its intended function, IT Governance is a subset of Corporate Governance; together they establish the rules by which an organization operates. IT Governance plays key roles in both public and private companies, ensuring investments in IT generate value and mitigating risks associated with IT departments and operations.

IT Governance can be mandated by regulation, voluntarily established to measure IT results, or both. A key component of IT Governance is IT Policies, which convert the desired behaviors of IT team members relative to information security into a formal plan.

To establish an IT Governance program, an organization should:

  • Obtain the commitment of its management
  • Identify and record stakeholder requirements
  • Align the IT security strategy with the business strategy
  • Determine the IT Security Principles that will guide the IT Security Function
  • Establish metrics to demonstrate the value of the IT Security Function

HBK Risk Advisory Services can help you design and develop your own IT Governance program to protect your business. Call us at 330.758.8613; or email me at wheaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.


New Bluetooth Vulnerability: Hackers Could Spy on You

Date August 27, 2019

Millions of us use Bluetooth wireless communications every day—to make phone calls when driving, with our fitness trackers, streaming at work or play. Innocent enough, seemingly. But no technology comes without a warning: a recently discovered Bluetooth vulnerability allows hackers to spy on your conversations or take control of your smart phone. The vulnerability deals with the encryption between two devices. It even has a name—a KNOB hack (Key Negotiation Of Bluetooth).

This is not the first time Bluetooth has been hacked and it likely won’t be the last. And this one has its limitations. To take advantage of the KNOB vulnerability, the hacker has to be in close proximity to your phone. There is also currently no evidence that this vulnerability has been exploited maliciously.

Still, for the sake of cyber hygiene, take the following steps to protect yourself from a KNOB hack:

  • Install updates for your smart phone as they become available.
  • Remove devices paired with your phone that you no longer need or recognize.
  • Turn off Bluetooth when you are not using it.

iPhone users can manage Bluetooth from the Control Center or within Settings, including removing Bluetooth devices at the information icon under the “My Devices” section in the Bluetooth Setting. Android smart phones have similar capabilities.

For more suggestions for strengthening your IT security postures, see our article “Cyber Hygiene: It’s a Real Thing”.

HBK Risk Advisory Services can help you with your cyber hygiene. Call us at 330-758-8613 or email me at WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.


Multi-Factor Authentications: A Waste of Your Time?

Date August 1, 2019

Cybersecurity is a multi-faceted initiative. Protecting your business – and your family – from cybercrime requires a wide range of oversight and activities. One process being broadly employed is known as “multi-factor authentication” (MFA). Technically defined as a “security system,” MFA requires a user to provide more than a single input or authentication before granting access to an asset, a location or an online account.

Such required authentications are typically categorized in three ways:

  1. Something you know (such as a password)
  2. Something you have (like a key fob)
  3. Something you are (a trait that uniquely identifies you, such as a fingerprint)

The often-used term “two-factor authentication” refers to a subset of multi-factor authentication which, as the name implies, grants access after two separate inputs.

MFA is not new; it has been in use for decades. One of the oldest applications is the bank ATM. To withdraw money from the ATM, you need at minimum two factors: your ATM card, which is the “something you have,” and your PIN (personal identification number), the “something you know.”

With the exponential growth of the internet and online accounts, MFA enhances protection beyond a password, which on its own is single-factor authentication. Because people often use the same password for multiple online accounts, hackers have a much easier time gaining access to accounts protected by single-factor authentication than to MFA accounts. MFA provides a much-needed additional layer of protection to compensate for the bad habit of reusing the same password. (See our article, “Don’t Pass on Password Managers”, to learn about another layer of protection.)

The next time you are frustrated with the extra time it takes to enter multiple authentication factors, take heart. Your business or organization has deployed an additional layer of protection for you. It might be a little inconvenient, but it is hardly a waste of time.

MFA is one aspect of a multi-layered cybercrime defense strategy. We can help you develop your own strategy to protect your business and family. Contact Bill Heaven at 330-758-8613; or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.


FaceApp & the Russians: Warning Signs?

Date July 23, 2019

You’ve likely heard of FaceApp, maybe you have even tried it. It is unquestionably one of the most popular Apps circulating today. It quickly went viral due to the “#AgeChallenge,” where celebrities as well as ordinary folks download it to use an old-age filter generating an image of what a user might look like in a decade or more. Launched by a Russian start-up in 2017, FaceApp has come under fire lately because of fears that user data was being sent to Russian servers. There are other potential privacy concerns as well, including some claims that the App has an ability to access a user’s entire photo gallery.

Is FaceApp safe to use? Probably; though I’m not planning on using it personally, as I have zero interest in seeing what I’ll look like in 20 to 30 years. But as I was watching a TV news report on FaceApp, it reminded me of an important Cybersecurity issue that might fall under the category, “Social Media: Be Careful What You Share.”

When you use FaceApp and agree to its user terms, what are you sanctioning? For one, the App is permitted access to your photos, location information, usage history, and browsing history. During a news report, an executive representing FaceApp told CNBC that it only uploads the photo selected for editing. Further, the FaceApp rep said it does not take other images from a user’s library, and that most images accessed by FaceApp are deleted from its servers within 48 hours. Still, the user agreement allows the developer access to a user’s personal data. And, again, the developers of FaceApp and its Research and Development team are all based in Russia.

The amount and type of personal data we share, especially online, is something to consider. By way of example, the Apple X phone offers facial recognition as an alternative to using a personal identification number or password; does that suggest the Russian FaceApp programmers have developed a way to access a user’s entire online account, since they have access to their photos? Remember that passwords are giving way to other log-in options, including biometrics. Consider the pace of technological development, including artificial intelligence, when making decisions about where and how you share your personal information.

While Cybersecurity experts don’t appear particularly nervous about the FaceApp itself, the scenario should give us pause and prompt us to consider the potential ramifications of sharing our personal information.

HBK can help you with your Cybersecurity issues, including protecting your data. For assistance, call 330-758-8613 or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.


Is Your Computer System Protected by a Multi-Layered Defense?

Date June 28, 2019

You might have heard the phrase “multi-layered defense” in relation to protecting your computer system from a cyber-attack. A multi-layered defense is, essentially, what the term implies: a defense architecture consisting of multiple layers, from developing policies to monitoring systems, to implementing backup procedures. It is a sensible strategy for protecting assets, physical as well as digital.

For example, consider the protections in place to control access to your safety deposit box. To obtain the contents of your box, you must navigate several layers of security:

  • Enter the bank.
  • Enter the restricted zone – with an escort.
  • Enter the vault area.
  • Use your safety deposit box key in conjunction with a second key held by the bank to open the box.

Similarly, you should use a multi-layered defense strategy to protect your computer system. Implementing a firewall and antivirus software are two well-known components of a multi-layered defense. But there are additional components that could make sense for your organization, such as network segmentation, data encryption and two-factor authentication.

Here are a few things you can do to ensure an effective multi-layered defense:

  • Check to see that you have a firewall and an antivirus solution in place and confirm that they are working as intended.
  • Understand what types of data are stored within your computer system, such as:
    1. Company financial data
    2. Personal data (employees, customers & vendors)
    3. Proprietary data (e.g., company trade secrets)
    4. Public data

  • Determine the perceived value of the various types of data stored in your computer system.
  • Understand how all of these data types flow into, through and from your computers – that is, where your data comes from, what you do with it, and who you share it with.
  • Determine if there are or should be restrictions as to who inside or outside your organization is allowed access to each type of data.
  • Check with your IT Department or managed service provider regarding the implementation of additional multi-layered defense components.
  • Lastly, conduct regular evaluations to ensure all of these mechanisms continue to operate efficiently.

HBK can help you develop and evaluate a multi-layered defense strategy. For assistance, email me at wheaven@hbkcpa.com. As always, we are here to answer your questions and discuss your concerns.


Watch Out for Tax-Related Cyber Attacks as Deadline Approaches

Tax Day is nearly upon us. And as April 15 approaches, many of us may be multi-tasking even more than normal as we prepare our final tax forms and file returns. Unfortunately, this creates a unique opportunity for cyber criminals to try to entice electronic preparers and filers to click on links that look like urgent emails pertaining to income taxes … but are really scams and/or attempts at phishing.

So, be on the lookout for any seemingly urgent emails claiming problems with your tax return, “corrected” tax documents from financial institutions requiring immediate downloads or similar scam email messages.

To lessen the likelihood of falling victim to cyber crime, keep the following points in mind when scanning your email inbox this tax season:

  • The IRS and other legitimate financial institutions DO NOT send or request important information via email or phone calls.
  • Sending tax or other financial information via regular email is NOT considered secure. NOTE: E-file is not email and is thought to be safer than traditional/postal mail.
  • Safeguard your tax and associated financial information by following guidelines specified by the IRS and your CPA.

Action Items

  1. Go directly to the website of the sending entity or call an authorized phone number listed for them to verify the institution’s legitimacy rather than clicking on an email link. These are the safest ways to confirm that a tax-related email request is valid.
  2. Use a secure (encrypted) portal or message system provided by the sending entity.
  3. If you must send sensitive information via email, be sure to encrypt it. You should provide your public encryption key to the recipient in a SEPARATE message.
  4. Limit the amount of sensitive information you share via email or phone.
  5. Destroy (SHRED) excess or outdated copies of your tax information. Contact your CPA before doing so, to ensure that you don’t prematurely dispose of necessary tax forms.

HBK can assist you with these or other cybersecurity topics or questions. Please contact Bill Heaven at 330-758-8613 or WHeaven@hbkcpa.com.


Don’t Pass on Password Managers

Recent Cyber Security industry statistics show that weak, default, or stolen passwords are involved in up to 80% of data breaches each year.

Passwords figure prominently in many areas of our daily functions, such as logging onto work computers, doing online banking, sending email, accessing social media accounts and making most online shopping possible. A consistent, clear, repeated warning from Cyber Security experts and insiders is: creating complex passwords (i.e., composed of upper and lower case letters, numbers, and special characters) that are unique and lengthy is one way to ensure safe online activity.

Practicing healthy Cyber Security hygiene by implementing unusual passwords is outstanding in theory; it’s just that the average person has multiple password-protected accounts. Remembering which password aligns with each one of those accounts can be a challenge. That’s why using a password manager is helpful.

Advantages of Password Managers:

  1. It provides a centralized password storage location (i.e., a vault) – with only a master password to remember.
  2. It is able to automatically generate strong passwords for all of your accounts requiring a password.
  3. It is equipped with strong encryption, which protects your vault.
  4. It can simultaneously support multiple devices.
  5. It offers the ability to safely store other sensitive information, such as credit card numbers, in the vault.

There are several good, highly-recommended options to choose from, such as LastPass, Keeper, Dashlane and 1Password. Be sure to research each of the tools you are considering before making your decision to ensure that you are comfortable with the features and capabilities of the password manager you ultimately pick.

Action Items:

  1. Research and choose a reliable Password Manager.
  2. Choose a long and complex Master Password (remember, with a Password Manager, you only need to remember one).
  3. Be sure to take precautions to remember your new Master Password, such as selecting one that has meaning to you but would not be easy for a hacker to guess.
     Note: This is important because most providers have little or NO ability to assist you with finding or resetting a lost or forgotten Master Password.
  4. Begin using your Password Manager as soon as possible and migrate all of your existing passwords to it.

HBK can assist you with questions on this or any other Cyber Security topic. For more information, contact William Heaven at WHeaven@hbkcpa.com.


Are You Cyber Secure and Who Wants to Know?

Date January 2, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

This is an update to the original INSIGHT article Are You Cyber Secure?, which was published in July 2017.

A System and Organization Controls 1 (SOC 1) report provides assurance over controls at a service organization that are relevant to user entities’ internal control over financial reporting. Obtaining a SOC for Cybersecurity report can prove that a cybersecurity risk management program is designed and functioning effectively. It can also reassure everyone from a member of the board of directors to a potential customer that information with which your company has been entrusted is being handled in accordance with cybersecurity best practices.

No matter your business or industry, cybersecurity is a concern. If you operate in cyberspace – and what business doesn’t? – you are vulnerable. To guard against the many risks, ranging from exposure of confidential information to loss of business reputation, every organization should have a cybersecurity risk management program. However, conveying the maturity of your risk management program to stakeholders is a challenge that needs to be overcome.

To meet that need, the American Institute of Certified Public Accountants (AICPA), the certification and standards organization governing the practice of accounting, has introduced System and Organization Controls (SOC) for Cybersecurity. Building upon the profession’s experience in auditing system and organization controls, SOC for Cybersecurity enables CPAs to examine and report on an organization’s cybersecurity risk management program.

HBK CPAs & Consultants (HBK) has been performing SOC 1 and SOC 2 attestations since they replaced the SAS 70 report in 2010. In the area of SOC for Cybersecurity, we offer management two types of assurance services: advisory and attestation.

In an advisory role, we perform a readiness assessment, which helps businesses assess their cybersecurity program against the industry’s leading frameworks, and more appropriately, against the AICPA Cybersecurity criteria. We assist with identifying gaps in the framework and remediating those gaps to further develop or implement an effective cybersecurity program. For more established programs, we help organizations formally align the existing program with the three criteria as established by the AICPA:

  • Security – The system is protected, both logically and physically, against unauthorized access.
  • Availability – The system is available for operation and use.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.

In an attestation engagement, we examine your cybersecurity program and provide an opinion on whether it is effective. We map your controls to ensure your program complies with the AICPA-established criteria. We review your description of how those criteria are accommodated, then test and validate the effectiveness of these controls and issue a report.

A cybersecurity risk management examination report includes the following three key components:

Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of its cybersecurity risk management program. The description provides information on how the company identifies its information assets, how it manages the cybersecurity risks that threaten them, and the policies and processes implemented and operated to protect its information assets against those risks.

Management’s assertion. The second component is an assertion provided by management that the description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Practitioner’s report. The third component is a practitioner’s report, which contains an opinion on whether management’s description is presented in accordance with the description criteria and the controls within the company’s cybersecurity risk management program achieve its cybersecurity objectives.

Our attestation is evidence management can use to demonstrate to everyone from the board of directors to a potential customer that their cybersecurity program is in accordance with best practices. The AICPA SOC for Cybersecurity logo is a key differentiator for a business, assuring stakeholders of the security of the information it handles.

All organizations should have a cybersecurity program in place. Having it assessed for readiness, that is, ensuring your controls are aligned with the AICPA-defined standard and criteria, will afford assurance that it is designed appropriately. Receiving official attestation demonstrates that the design is functioning as it should. It gives your stakeholders confidence that you are a business that has implemented a robust and comprehensive cybersecurity program, and that your organization is cyber secure.


IRS Warning on Phishing Emails Demands Attention

Recently, the IRS issued a warning that internet hackers have stepped up their phishing campaigns. Specifically, the hackers are increasing the use of business email spoofing and business email compromise phishing campaigns. A common variation of this type is known as CEO Fraud or Gift Card Fraud, about which HBK Risk Advisory Services warned clients and colleagues earlier this month in “Don’t Fall for the Phish(ing) Bait”.

The warning from the IRS highlights two versions of the phishing scam:

  1. Emails impersonating company employees, sent to Human Resources staff members, requesting changes to the “employees’” payroll direct deposit bank accounts.
  2. Emails impersonating company executives, sent to the staff members responsible for wire transfers, requesting a wire transfer to a specific bank account on the “CEO’s” behalf.

Tips for Identifying Phishing Emails:

  1. Look for clues such as poor spelling or grammar; these are common in phishing messages.
  2. Don’t fall victim to the “urgent request” prompt. Unexpected messages that require “your immediate attention” or are earmarked as “emergency” emails are often phishing scams.
  3. Be VERY skeptical! Place a phone call to the requesting employee or executive to verify any request for payroll or bank account changes.

Reminders of How to Keep Your Company’s Electronic Messaging Cyber Safe:

  1. Implement a formal Cyber Awareness Campaign. It should include regular educational updates about the red flags of phishing email campaigns.
  2. Establish an inventory of your Information Technology (IT) assets (including data mapping).
  3. Implement or update IT Security Policies (including data classification).

HBK can assist with any of the above action items, as well as advise on additional cyber security topics. Contact Bill Heaven at wheaven@hbkcpa.com for details or to schedule a business consultation.


October is Cyber Security Awareness Month

Date October 2, 2018
Authors HBK CPAs & Consultants

2018 marks the 15th consecutive annual observance of October as Cyber Security Awareness Month, as sponsored by the Department of Homeland Security.

The goal of the campaign is to raise awareness about the importance of cyber security.

Did You Know:

1. Last year, employee errors were at the heart of 17% of breaches (including failing to shred confidential information, sending an email to the wrong person, or misconfiguring a web server).

2. Ransomware, which initially appeared in 2013, is the top variety of malicious software prevalent today.

3. Statistically, about 22% of people click on phishing emails sent to them. Unfortunately, those who opt to click on phishing emails are highly likely to continue doing so.

Important Steps to Take:

1. Implement a Cyber Security Awareness Campaign within your organization.

2. Back up your data and verify the completeness and accuracy of individual and company backups.

3. Update your hardware and software with vendor-supplied updates on a timely basis.

HBK can assist you with any cyber security topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com, Bill Heaven at wheaven@hbkcpa.com, or Steve Franckhauser at sfranckhauser@hbkcpa.com for assistance.

Source of Statistics – 2018 Verizon Data Breach Investigations Report (DBIR)
