Webinar: Improving Business Operations & Efficiencies in a Manufacturing Environment

Date August 16, 2023
Authors Tyler Gargano
Join HBK Manufacturing Solutions and Special Guest, Tyler Gargano, CPE, CSF-CCSFP, Director of Advisory Services to discuss how management of manufacturing companies can improve business operations and create efficiencies in a manufacturing environment. Watch on demand.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Watch: Top Cybersecurity Habits to Protect Yourself in 2023

Date July 26, 2023

Highlights of the July edition of the HBK Risk Advisory Services webinar series hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.

Watch On-Demand.

Practical advice for protecting yourself and your company from cybersecurity attacks.

How hackers obtain personally identifiable information (PII), the most sensitive personal information:

  • Credential theft and credential stuffing (replaying stolen user ID and password combinations against other sites; the combinations themselves are bought and sold on the dark web)
  • Social engineering
  • Malware (malicious software)
  • Public wifi
  • Password spraying: trying a small number of common passwords against many accounts, staying below lockout thresholds. It is related to credential stuffing, which exploits the fact that people reuse the same password across multiple accounts.
  • Data breaches: information stolen that is held by another organization, like a retailer or medical insurance firm
  • haveibeenpwned.com – Use the site to check breached databases and learn where your data may have been compromised and what was exposed, such as an email address or phone number. The site also provides recommendations.
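Credential stuffing and password spraying leave a recognizable shape in authentication logs: many different accounts, each with only one or two failed attempts, from the same source. The script below is an added example written for this summary (it is not from the webinar or from HBK); it classifies source addresses by that shape over a constructed sample log. The log format, the thresholds, and the sample IP addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log for this example (not from the original
# page). Assumed format: "<ISO time> auth <FAIL|OK> user=<name> src=<ip>".
SAMPLE_LOG = """\
2023-07-26T09:00:01 auth FAIL user=alice src=203.0.113.7
2023-07-26T09:00:02 auth FAIL user=bob src=203.0.113.7
2023-07-26T09:00:02 auth FAIL user=carol src=203.0.113.7
2023-07-26T09:00:03 auth FAIL user=dave src=203.0.113.7
2023-07-26T09:00:03 auth FAIL user=erin src=203.0.113.7
2023-07-26T09:00:04 auth OK   user=frank src=203.0.113.7
2023-07-26T09:05:10 auth FAIL user=alice src=198.51.100.9
2023-07-26T09:05:11 auth FAIL user=alice src=198.51.100.9
2023-07-26T09:05:12 auth FAIL user=alice src=198.51.100.9
2023-07-26T09:05:13 auth FAIL user=alice src=198.51.100.9
2023-07-26T09:05:14 auth FAIL user=alice src=198.51.100.9
2023-07-26T09:05:15 auth FAIL user=alice src=198.51.100.9
2023-07-26T09:10:00 auth FAIL user=grace src=192.0.2.44
2023-07-26T09:10:30 auth OK   user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return (time, ok, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((ts, result == "OK", user, src))
    return events


def classify_sources(events, min_accounts=5, min_attempts=5):
    """Classify each source IP by the shape of its failed logins.

    one_to_many: failures against >= min_accounts distinct accounts with at most
                 two tries each. This is the shape of both credential stuffing
                 (one leaked pair per account) and password spraying (one common
                 password across many accounts); telling them apart needs the
                 submitted password, which a normal auth log does not carry.
    brute_force: >= min_attempts failures against a single account.
    benign:      anything else (a user who mistyped once, then logged in).
    'succeeded' lists accounts that logged in after failures from the same
    source: for a one_to_many source these are the accounts to reset first.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    succeeded = defaultdict(list)                   # src -> users logged in after failures
    for _ts, ok, user, src in events:               # events are in time order
        if ok:
            if fails[src]:
                succeeded[src].append(user)
        else:
            fails[src][user] += 1

    verdicts = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= 2:
            pattern = "one_to_many"
        elif max(per_user.values()) >= min_attempts:
            pattern = "brute_force"
        else:
            pattern = "benign"
        verdicts[src] = {
            "pattern": pattern,
            "accounts_tried": len(per_user),
            "failures": sum(per_user.values()),
            "succeeded": succeeded.get(src, []),
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, verdict)
```

On the sample, 203.0.113.7 is flagged as one_to_many with a successful login for frank (the account to reset and investigate), 198.51.100.9 as a brute-force attempt against alice, and 192.0.2.44 as a benign mistype. The same logic applies to any log that records result, account and source; only the regular expression changes.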

    Biggest takeaway about responding to emails, etc: Be skeptical.

    Key takeaways from the 2023 Verizon Data Breach Investigations Report (DBIR).

    Key components of a data breach:

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities
  • Hacker motivations:

  • 95 percent motivated by financial gain
  • Espionage, a very distant second, less than 2 percent
  • Pretexting on the rise:

  • Half of all social engineering incidents in 2022 used pretexting, an invented scenario used to gain the victim's trust and, through it, access
  • Business email compromises: almost all involve pretending to be a vendor
  • Ransomware was involved in 24 percent of cyber attacks in 2022.

  • External actors looking for money and data were involved in 83 percent of breaches
  • Internal actors caused 19 percent of data breaches
  • Errors (intentional or unintentional) were down in 2022 but continue as a trend
  • The PII Market

    The surface web: about 5.5 billion pages, only about 4 percent of the total internet.

    The deep web: content not indexed by public search engines, such as healthcare or academic records and legal documents; about 90 percent of the data on the internet.

    The dark web: about 6 percent of internet pages.

  • Difficult to reach; requires special browser software
  • Avoid it: visiting is likely to expose you to malware
  • What is sold there: credit card data; social media user accounts; forged documents (scans); forged documents (physical); email database dumps (10 million U.S.-based email addresses can be bought for $120); online banking logins for U.S. banks; and hacking tools, including malware and DDoS-for-hire services
  • Hygiene Habits to Mitigate Risk

    Passwords:

  • Composition and length (to make it harder to crack)
  • Brute force password cracking
  • Use a unique password for each login
  • Use password manager to store passwords and gain access without remembering them
  • Turn off “save password” feature in your internet browser
  • Password composition and length:

  • Don’t use a single word or numbers in sequence
  • The more characters in your password, the longer it will take for a hacker to crack it
  • Typical corporate passwords are 8 to 10 characters long. By the figures cited, an 8-character password takes about a day to crack and a 10-character one about 5 years (the actual time depends on the hashing algorithm and the attacker's hardware, so treat these as rough orders of magnitude)
  • Recommend using a passphrase combining numbers, symbols, uppercase, and lower case characters
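To make the length and composition advice concrete, here is an added example (written for this summary, not part of the webinar) that checks a candidate password against the rules above and estimates the worst-case time to exhaust its search space. The guess rate and the tiny word list are assumptions; a real check would use a full dictionary or breached-password list and a rate appropriate to the hash in use.

```python
import math
import re
import string

# Assumed attacker guess rate for an offline attack on a fast hash. The real rate
# depends on the hash algorithm and hardware, so the times are order-of-magnitude only.
GUESSES_PER_SECOND = 10**10

# Character classes and their sizes; the search space is estimated from the
# classes the password actually uses, as an attacker who knows the policy would.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),
)

# Constructed stand-in for a dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "football", "company", "manufacturing"}


def keyspace_bits(password):
    """Bits of search space for the character classes the password uses."""
    alphabet = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_sequence(s):
    """True for runs such as 12345678 or abcdef (every step is +1 or -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def assess(password, min_length=14):
    """Return (acceptable, reasons, worst_case_seconds) for a candidate password."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Strip digits and symbols so "Password1!" is still recognised as one word.
    if re.sub(r"[^a-z]", "", password.lower()) in COMMON_WORDS:
        reasons.append("a single dictionary word")
    digits = "".join(c for c in password if c.isdigit())
    if is_sequence(digits) or is_sequence(password.lower()):
        reasons.append("contains a sequential run")
    seconds = 2 ** keyspace_bits(password) / GUESSES_PER_SECOND
    return (not reasons, reasons, seconds)


def crack_time(password):
    """Human-readable worst-case time to exhaust the search space."""
    seconds = assess(password)[2]
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("Summer23", "Password1!", "Xk7#qL2m9$Pw", "Correct-Horse-Battery-9"):
        ok, reasons, _ = assess(pw)
        print(f"{pw:25} {'OK ' if ok else 'BAD'} {crack_time(pw):>20}  {', '.join(reasons)}")
```

Running it shows why length matters more than any single rule: an 8-character mixed-case password with digits falls in hours at the assumed rate, while a 12-character password using all four classes, or a 23-character passphrase, is out of reach of exhaustive search. The dictionary and sequence checks catch the choices that length alone does not protect against.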
  • Phishing/Smishing/Vishing:

  • Phishing: a social engineering attack via email
  • Smishing: a social engineering attack via text
  • Vishing: a social engineering attack via phone/voicemail
  • Ways employed to trick you:

  • Domain name is misspelled or spoofed
  • Use of Cyrillic (look-alike) characters in place of Latin letters in a domain name
  • Antivirus and antimalware:

  • Top antivirus solutions in 2023: Bitdefender, McAfee, Malwarebytes, Norton
  • Run one of these programs to make sure you’re clean
  • Be careful:

  • Out-of-office auto-replies: don't reveal where you are going, your travel dates, or any contact information
  • Replying to unsubscribe links in unsolicited mail: carries risks similar to the out-of-office reply (it confirms your address is live)
  • Using social media: giving too much information
  • Online Accounts:

  • Regularly monitor the account and sign up for alerts by email or text
  • Log in regularly to bank accounts to make sure your balances are accurate
  • Identity Protection:

  • Use your free annual credit report (annualcreditreport.com); one free report from each of three credit bureaus
  • Freeze your credit (a freeze does not prevent you from obtaining your own free annual report)
  • Use multifactor authentication (MFA)
  • Shred documents containing PII
  • Use fictitious answers to security questions to avoid giving away personal information (have to remember the answers you make up)
  • If you are hacked, report it to the Internet Crime Complaint Center at www.ic3.gov.


    Webinar: Cybersecurity and Manufacturers: Understanding the 2023 Verizon Data Breach Investigations Report

    Date July 19, 2023
    Authors HBK Manufacturing Solutions

    The Verizon Data Breach Investigations Report (DBIR) is an annual report based on data provided by cybersecurity firms around the world. The primary purpose of the DBIR is to inform organizations about cybersecurity threats and how to protect against them. The DBIR is considered the “go-to resource” by many in the cybersecurity field.

    Watch on demand.


    Watch: What the 2023 Verizon Data Breach Investigations Report Means for Your Manufacturing Business

    Date June 28, 2023

    Highlights of the July 19, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.

    Watch On-Demand.

    The Verizon Data Breach Investigations Report (DBIR) is based on data reported to Verizon by global expert cybersecurity firms. The primary purpose of the DBIR is to inform organizations about the cybersecurity threats they face and how to protect against them. The DBIR is considered a “go-to resource” by many in the cybersecurity field. It is a global snapshot of what’s going on in terms of cybersecurity incidents and breaches in various industries.

    Background

    The 2023 report is the 16th annual edition and was released in June.

  • Highlights about 20 vertical industries
  • 67 contributing organizations
  • 16,312 incidents, of which about 1,800 targeted the manufacturing industry (11%)
  • 5,212 confirmed data breaches: 262 in manufacturing industry (5%)
  • Categorized using VERIS (Vocabulary for Event Recording and Incident Sharing).

  • Started tracking in 2010
  • Tracks eight patterns across a wide range of industries: denial of service, lost and stolen assets, miscellaneous errors, privilege misuse, social engineering, system intrusion, web application attacks, and everything else. An incident can fall under more than one pattern.
  • Phishing is the number one attack relative to lost and stolen assets, and it is becoming more prevalent.

    Definitions:

  • Incident definition: a security event that compromises the integrity, confidentiality, or availability of an information asset
  • Breach definition: an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party
  • These definitions matter in practice, for example when completing cybersecurity insurance applications.
  • For selected industries—financial, healthcare, manufacturing, information, and professional—the top three threats are social engineering, system intrusion, and web applications.

    Why pay attention to DBIR?

  • The more you know about cyber threats you face, and what other companies in your industry are facing, the better your chances of keeping your data secure.
  • Helps you learn where to focus your attention.
  • The report is interesting as well as valuable.
  • Find the report via web search or at verizon.com/dbir.

  • Full version is about 88 pages with an executive summary of less than 20 pages in length.
  • Also can get insider reports on particular industries.
  • Takeaways from the 2023 Report:

    Ways attackers get to your information:

  • Credentials
  • Phishing
  • Exploiting vulnerabilities
  • Advice: educate employees about phishing, and scan for and patch your vulnerabilities. 74% of all breaches involve a human element (errors, privilege misuse, or social engineering).

    Ransomware is still a big problem:

  • The 2022 report showed a 13 percent increase, a jump as large as the previous five years combined.
  • Remains at same level in 2023 Report.
  • One in 4 cyber attacks involves ransomware.
  • Average cost to a company for a ransomware attack in 2022 was $4 million-plus.
  • Social engineering: incidence of pretexting rose

  • Half of all social engineering incidents used pretexting.
  • Business email compromises are common.
  • Errors continue as a trend:

  • Misdelivery (sent to the wrong recipient; 43% of error-related breaches)
  • Misconfiguration (21% of error-related breaches)
  • Publishing (shown to the wrong audience; 23% of error-related breaches)
  • Small and medium-size businesses:

  • There used to be a large gap between what large and smaller companies experienced; the two are now converging.
  • Patterns are virtually the same.
  • Large businesses tend to discover breaches sooner; they have more resources to identify they’re being breached.

    Webinar: Understanding Section 174 Amortization: An Update to the R&D Credit for Manufacturers

    Date June 21, 2023
    Authors HBK Manufacturing Solutions

    Section 174 has been a popular topic for manufacturers, as changes to the amortization of certain expenses can affect the R&D credit and other aspects of a company’s tax return. Manufacturers have been anxiously watching for legislation to see if a repeal or delay to the amortization requirement is passed. Join HBK Manufacturing Solutions and Source Advisors to learn more about the amortization of Section 174 expenses and an update on pending legislation.

    Watch on demand.




    Watch: How Important Is an Annual Cybersecurity Risk Assessment?

    Date May 24, 2023

    Highlights of the May 24, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, and featuring Justin Krentz, Principal, Business Development, Vertilocity, and Chris Bowman, Director of Security Service, Vertilocity

    Watch webinar on-demand.

    Purposes of a cybersecurity risk assessment:

  • Identify threat sources.
  • Identify threat events.
  • Identify vulnerabilities: where are the blind spots?
  • Determine the likelihood of exploitation (how probable an attack is).
  • Determine probable impact of an attack on business or operations.
  • Calculate risk as a combination of likelihood and impact.
  • Start with a framework:

  • Establish a common language so everyone in the organization is using the same controls and terminology, thereby eliminating confusion.
  • Have a cybersecurity framework: a system of standards, guidelines, and best practices to manage risk. It has to be updated on a recurring cadence to stay current with changes in your organization.
  • Standards should be flexible, repeatable, and cost-effective to promote protection and resilience.
  • Framework should support communication between technical and non-technical employees, all individuals within the organization.
  • Need to be able to benchmark and know where you stand relative to previous periods.
  • Cybersecurity risk assessment refers to the process of identifying, estimating, and prioritizing security risks. It covers technology but also includes the policies, processes, and employee training used to protect users and data. It involves a deep dive into how the organization accesses data and who accesses it: all the components that make up a risk posture.

    Network assessment includes:

  • Internal systems: It is critical to know what you are measuring, so identify that first. Assess your internal systems: the machines in your network, system-critical servers, the workstations, and the mobile devices that connect into your environment.
  • Backup and recovery plan: How you back up data to protect against data loss, and the plan for restoring services if a server fails. Includes employee roles (who is in charge of which aspects of the system, who controls access) and coordination with HR on how roles define access to files and systems.
  • System stability: Determine the criticality of a system and if it is worth the effort to ensure higher guaranteed uptime. Some systems are mission critical and no downtime can be tolerated, so need additional functionality in place to allow those systems to continue to function in the event of a failure.
  • Use policies: Define what behaviors are permitted while employees are using company assets and networks. Include policies around use of personal devices, when and how they can be used.
  • Security assessment includes:

  • Attack surface: Includes anything a user can access, a way someone could get into and exploit a system. There are many in any network and it is important to identify risks associated with attack surfaces.
  • Points of entry: Attack surfaces that specifically allow remote activity from outside the organization, such as VPNs, remote desktop tools, and web portals. Define the level of risk for each.
  • User habits: Users often share account credentials, which is a serious problem because it becomes impossible to audit exactly who did what in the event of a cyber incident. This matters especially with users working from home at different times, or for groups operating outside the U.S. (consider geo-blocking).
  • Security policies: Review the organization's policies to determine whether they follow industry best practices or have gaps. Identify the gaps and develop policies to close them.
  • HR procedures: HR needs to be involved in defining security by job role and access, and building procedures around asset retention, such as a policy for returning equipment when an employee leaves the organization.
  • Legal impact: Determine if the organization is required to have documentation for security or around auditing user activity, such as with financial and medical organizations, which are required to comply with industry regulations and standards.
  • Vulnerability assessment includes:

  • Review applications for flaws. Once applications are deployed there is a tendency to rarely update or patch them; review them periodically and ensure patches are applied.
  • Operating system flaws: The operating system has a great deal of control over the environment, so OS patching must be kept current.
  • Computer system flaws: There can be design limitations within a computer that allow exploitation and extraction of information. Often the only option is to acknowledge that the risk exists and wait for the vendor to develop a fix.
  • Enabled ports, processes, and services: Control who is allowed to run what on systems, and ensure old software is removed.
  • Databases: They should be configured according to best practices, encrypted, and protected from external access.
  • Human errors: Identify ways human errors are likely to happen in order to build controls around them.
  • The dark web is where hackers exchange information they have stolen from organizations. Determine whether your information or credentials have been exposed there, and close those gaps (for example by resetting the affected credentials).

    Integration of people, processes, and technology:

  • Need all three in place to secure the organization, or there is no defense.
  • Have to make sure people are following the processes you have put in place and using the technology.
  • Have to get buy-in from the executive team and they need to champion the efforts.
  • Risk assessment outcomes:

  • Should have a road map: Identify the risks, the impact scores of each risk, and a plan to start closing security gaps according to priorities.
  • Components of a well-designed cybersecurity solution: the risk assessment comes first and is the key to creating a solution. Other components include security training for users, improved detection and response capabilities, and cyber insurance policies (insurers are telling companies they need to do a better job of risk assessment, identifying and quantifying their risks).
  • Recovery Plan:

  • Have a policy that defines recovery objectives: the impact on the business, the time it takes to get systems back online (the recovery time objective), and the farthest point back in time you can tolerate losing data (the recovery point objective).
  • Define dependencies and criticality of applications, including the systems that need to be brought back on line before applications can be.
  • Obtain licensing information: It is critical to understand the licensing requirements around software in a disaster scenario and how to get licensing back after detecting a problem. Document the process.
  • Any risk assessment should include a disaster recovery plan and testing the plan to ensure you understand all the implications of a recovery if it needs to be done, including how it actually happens, what can be expected, and who is in charge of what.

    Recovery testing:

  • Review the plan for outdated or missing items.
  • Conduct a recovery scenario simulation or restoration.
  • The standard is to keep backups in three places, one on premises and two offsite (the commonly cited 3-2-1 rule: three copies, on two different media, with at least one offsite).
  • Document issues encountered.
  • Review with management.
  • Cybersecurity culture refers to the people in the organization and their behavior relative to cybersecurity. Make sure that individuals are taking a defensive posture and have the tools to recognize threats. It involves continuous education for every part of the organization.

    Why do I need to do a risk assessment?

  • Ever-evolving cyber threat landscape
  • Changes in business objectives or business model
  • Changes in infrastructure
  • Changes in resources
  • Improvement and course corrections in the cyber roadmap to be able to pivot, adjust, and be nimble
  • In summary, know where you stand and never become complacent. Make a point of going through this risk assessment exercise at least annually.

    Speak to one of our professionals about your organizational needs

    "*" indicates required fields

    hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



    Watch: Cybersecurity Incident Preparedness: Improve Your Cybersecurity Posture

    Date April 26, 2023

    Highlights of the April 26, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, and featuring Greg Kelley, BS, EnCE, DFCP, Chief Technology Officer and Founder, Vestige Digital Investigations.

    Watch On Demand.

    Today’s Cybersecurity landscape:

  • Over 37 billion records were exposed in 2020; typically someone's name, address, or email account, or more sensitive information like a Social Security number.
  • Until recently the U.S. military recognized four domains: air, land, sea, and space. Cyber has been added as a fifth, which indicates the seriousness and pervasiveness of the issue.
  • The U.S. is the most targeted country because it has more wealth than anywhere else and is the most online nation. Average cost of a compromise or breach: $3.9 million; 95 percent of breaches are attributed to human error.
  • With the Russia-Ukraine war there was an increase in cyber attacks, most of them between the two countries. There was a dip in Russian attacks on the U.S., but they are back up.
  • 63 percent of confirmed breaches involved weak, default, or stolen credentials.
  • 30 percent of recipients open phishing emails and 12 percent click on attachments, within an average of 4 minutes.
  • Typically hackers will capitalize on an exposed vulnerability, such as one in Microsoft Windows, within 10 to 100 days. But attacks are still being seen that exploit vulnerabilities discovered in 2007: people are still not patching their systems. Once attackers have stolen credentials and are in your environment, it is a matter of exploiting the machines in that environment and escalating their privileges to become administrators.
  • You are a target just because you are on the internet.
  • Top 10 threats:
  • Social networks: Common ploys such as getting someone to respond to a survey.
  • Third-party attacks: From such activity as sharing data with vendors and other trusted connections, as well as by employees using their home computers to tie into your network.
  • Internet: Through applications not designed with security in mind, such as consumer products intended for the home.
  • Open sessions: Live connections not turned off, which hackers can use to get information and steal credentials. Advice is to always log off when you’re done.
  • Failure of MFA/2FA (multi-factor and two-factor authentication): One way to circumvent the protection is spoofing. Another is MFA bombing, in which an attacker who already has your password triggers repeated approval prompts until you give in and approve one, letting the attacker in. Never click "Trust this device"; complete the MFA challenge each time.
  • Account takeovers: Hackers are adept at taking over one account and then jumping to another. Your email address, for example, is what you use to log in to other accounts such as banks and investment funds, and once they control your email account they can issue password resets for those.
  • Business email compromises: Spoofing of a known connection of yours to get you to pay money, buy something, divert account payments.
  • Ransomware: Can result in the shutdown of your entire network. Costs include getting your network back up and running, buying back your data, damage to your reputation, and loss of business.
  • Phishing: Plays on unaware victims who fail to scrutinize where email is coming from.

  • Can appear to be from vendor, like Apple or Microsoft.
  • Common ploy: telling you that you have emails you have not yet received and need to download; if you connect, it steals your credentials and gives the attacker access to your mailbox.
  • Updates: telling you that you need to confirm your credentials on an account.
  • You have to understand how to read a URL. Identify the top-level domain, the last label after the final period, like ".org" or ".com", and the label immediately before it; together they identify who actually registered the site. Everything to the left of that is a host or subdomain chosen by whoever controls that domain, so a familiar name appearing there proves nothing.
  • Spelling and grammar errors are a sign of a phishing email.
  • Hover over the sender address and any links to reveal where they actually point. Attackers register look-alike domains using character substitutions, like a number for a letter.
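The URL-reading advice above, together with the earlier point about misspelled, spoofed, and Cyrillic-character domains, can be turned into a small checker. The code below is an added example written for this summary (it is not from the webinar or from HBK). It decodes punycode hosts so look-alike characters become visible, picks out the registrable domain and top-level domain, and flags digit-for-letter substitutions and brand names that appear only in a subdomain. The watched brand list and the tiny stand-in for the Public Suffix List are assumptions; a real tool would load the full suffix list.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions for this example: brands worth watching, and a tiny stand-in for
# the Public Suffix List (real code would load the full list).
WATCHED_BRANDS = {"microsoft", "apple", "hbkcpa"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Digits commonly swapped in for letters in look-alike domains.
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def decode_host(host):
    """Turn punycode labels (xn--...) back into the Unicode a victim would see."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave malformed labels as they are
        labels.append(label)
    return ".".join(labels)


def registrable_domain(host):
    """Last two labels, or three when the public suffix itself is two labels (co.uk)."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def scripts_in(text):
    """Unicode scripts (first word of each character's name) used by the letters in text."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def inspect_url(url):
    """Return the decoded host, its registrable domain and TLD, and a list of findings."""
    host = decode_host((urlsplit(url).hostname or "").lower())
    domain = registrable_domain(host)
    sld = domain.split(".")[0]
    scripts = scripts_in(host)
    findings = []
    if scripts and scripts != {"LATIN"}:
        findings.append("non-Latin or mixed-script characters in host (possible homoglyph)")
    if sld not in WATCHED_BRANDS and sld.translate(DIGIT_LOOKALIKES) in WATCHED_BRANDS:
        findings.append(f"'{sld}' is a digit-for-letter look-alike of a watched brand")
    for brand in sorted(WATCHED_BRANDS):
        if brand not in host or sld == brand:
            continue
        if brand in sld:
            findings.append(f"'{brand}' is embedded in the unrelated registrable domain {domain}")
        else:
            findings.append(f"'{brand}' appears only as a subdomain of {domain}")
    return {"host": host, "domain": domain, "tld": domain.rsplit(".", 1)[-1],
            "scripts": sorted(scripts), "findings": findings}


if __name__ == "__main__":
    for u in ("https://www.microsoft.com/en-us/",
              "https://microsoft.com.login-verify.example/account",
              "https://micr0soft.com/reset",
              "https://xn--pple-43d.com/"):
        r = inspect_url(u)
        print(f"{u}\n  domain={r['domain']} tld={r['tld']} findings={r['findings']}")
```

The fourth sample is the classic case the webinar warns about: in the address bar it renders as "apple.com" with a Cyrillic first letter, but the registrable domain is a completely different registration from the real one. The checker is a triage aid, not a verdict: a clean result only means none of these specific tricks was used.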
  • Poor passwords/credential stuffing: Use complex, long passwords with uppercase, lowercase, symbols, and numbers.

  • Don't reuse passwords. With the password for one account, attackers will get into every other account that shares it.
  • How to remember them all: use a password manager (a password vault), which lets you use one strong master password to reach all your other account passwords.
  • Good cyber hygiene:

  • Think before you click; look at the URL.
  • If it seems too good to be true, it probably is.
  • Check your social media privacy settings to make sure they are secure.
  • Use a different password for each account, and change default passwords.
  • Use two-factor authentication; it’s a life saver.
  • Traveling? Be careful with Wi-Fi. Consider using a dedicated laptop and cell phone. Connect with your company via the VPN.
  • Don’t download unapproved or unknown software.
  • Perform software updates on a regular basis.
  • Perform and test backups and keep important information on the server.
  • Report anything suspicious.
  • Relative to financial and identity theft, do a credit freeze at credit report agencies; monitor and reconcile bank accounts frequently.
  • 9-step program for good cyber hygiene:

  • Change in attitude: accept that you are a target simply because you are on the internet. Attackers shop randomly; once they are in, they look for whatever is of value to them.
  • The price of not being secure: hard costs (remediation, investigation, notification, litigation) and soft costs (loss of reputation and business).
  • It isn't easy: give up the belief that cybersecurity is easy, can be solved with money, or is a one-time initiative. You have to build a culture and understand that human error is the biggest source of access for hackers.
  • Commit to becoming vigilant: question the out-of-the-ordinary.
  • Establish a cybersecurity program, top down, to understand and prioritize risks, and ensure people follow it. This usually involves bringing in an outside resource to scrutinize the environment and your protections.
  • Hold people accountable: it’s everyone’s issue.
  • Educate your people on good cyber hygiene and why it’s important.
  • Provide resources for cybersecurity.
  • Plan for the inevitable. Don’t wait for the incident to happen to plan. Need to know what steps to take when there is an incident, and create an incident response/data breach plan, including your first points of contact.

    Webinar: The Banking Crisis: An Overview for Manufacturers

    Date April 26, 2023
    Authors HBK Manufacturing Solutions

    Highlights from the April 26, 2023, HBK Manufacturing Solutions webinar featuring Brian Sommers, Principal, Chief Investment Officer of HBKS Wealth Advisors; and hosted by James Dascenzo, CPA, Principal, National Director of HBK Manufacturing Solutions, and Amy Reynallt, MBA, CMA, HBK Senior Manager, Regional Director of HBK Manufacturing Solutions.

    Banking Crisis Background

    In March 2023, the Federal Deposit Insurance Corporation (FDIC) took control of three banks – Silicon Valley Bank (SVB), Signature Bank, and Silvergate Bank. Around the same time, Credit Suisse, the second largest bank in Switzerland, also failed and was purchased by a competitor. The failures were all exposed by similar issues, including narrowly focused customer markets or exposure to cryptocurrency. However, one common factor is critical in each situation: each bank was mismanaging its balance sheet. Therefore, it is unlikely that we will see a large number of additional banks fail.

    However, we may see broader consequences of these recent failures. For instance, the banking industry is tightening lending standards and maintaining higher levels of liquidity. This may lower loan volumes which could make it more challenging to borrow. Note: Since the airing of this webinar, First Republic bank was also shut down and subsequently purchased by JPMorgan Chase.

    Manufacturers Action Items

    Manufacturers may consider:

  • Evaluating their FDIC insured deposits versus uninsured deposits.
  • Working with investment managers, such as HBKS, to balance your risk tolerance versus desired return.
  • Ensuring adequate liquidity to support ongoing operations, and taking actions to improve liquidity such as paying down expensive debt, monitoring return on assets, and ensuring pricing is appropriate.
  • Assessing your lender and financial advisor relationships to ensure both relationships are supporting your business goals.
    Watch Now!

    For more information on this topic, contact us as follows:

    Brian Sommers, Principal, Chief Investment Officer – HBKS Wealth Advisors – bsommers@hbkswealth.com

    Jim Dascenzo, Principal, National Director – HBK Manufacturing Solutions – jdascenzo@hbkcpa.com

    Amy Reynallt, Senior Manager, Regional Director – HBK Manufacturing Solutions – areynallt@hbkcpa.com


    Watch: The Risk Assessment: An Underutilized Cybersecurity Tool

    Date March 22, 2023

    Highlights of the March 22, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

    Watch On Demand.

    The webinar opens by defining terms associated with risk assessment:

  • Risk – the combination of the probability of an event and its consequence (Risk is not necessarily bad, as taking a risk can produce a positive outcome.)
  • Asset – something of either tangible or intangible value (e.g., your company’s reputation, or the money in your bank account) that is worth protecting
  • Threat – something that can act against an asset in a manner that can cause harm
  • Vulnerability – a weakness in the design, implementation, operation, or internal control of a process that could expose the system to harm from threat events (One of the weakest links in any business is its employees.)
  • Residual risk – remaining risk after the implementation of a risk response (You can’t protect against all risks.)
  • Inherent risk – the level of risk present without taking into account the actions that were or could be taken for mitigation

    Why do a risk assessment?

  • To satisfy a regulatory requirement
  • To reduce operational risk: You need to understand what your risks are.
  • To improve safety performance
  • To improve the probability of achieving organizational objectives

    Steps to take if you decide to do a risk assessment (ISO 27001 steps)

    Establish a framework

  • Conduct assessments at regular intervals.
  • Make sure your process is consistent so you can repeat it.
  • Retain documentation regarding the process.
  • Establish baseline security criteria.
  • There are two approaches to assessments: asset based (the more logical approach) and scenario based.
  • Build an asset-based register: Compile an asset inventory list (desktops, laptops, printers, etc.) and include each asset’s owner and risk owner.
  • Identify the risks: add threats and vulnerabilities for each inventory item.

    Analyze risk: determine risk appetite and scale and do a calculation, which is: risk equals impact multiplied by likelihood.

    Evaluate risks: each risk’s number on the scale reflects the level of damage it could cause and gives you a picture of what needs to be addressed first.

    Put controls in place:

  • Security awareness training
  • Vulnerability management
  • Security log monitoring
  • Two biggest steps to stay ahead of hackers: Make sure you train your employees and patch your systems.

    Apply Risk Management Options

  • Risk reduction: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels. Keep in mind that you will not be able to get to zero risk.
  • Risk avoidance: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels.
  • Risk transfer or sharing: contract with a third party to share risk via a contractual agreement, or buy a cybersecurity insurance policy (carriers want risk assessments).
  • Risk acceptance: assume the risk and plan to absorb the loss, if the risk is within tolerance or the cost of the mitigation is more than the potential loss.

    What action should you take?

  • Develop a risk assessment policy, a game plan that requires an annual assessment.
  • Build your asset register.
  • Determine your threats and vulnerabilities. Consult information that keeps tabs on current threats.
  • Conduct your risk assessment.
  • Risk treatment plan: put controls in place to mitigate your highest-rated risks as much as possible.
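The asset-based register and treatment steps above, worked through as a small Python risk register. This is an added example, not material from the webinar: the 1-5 scales, the risk-appetite threshold, the control effects and the sample assets are all constructed assumptions; the calculation itself is the one the webinar gives, risk equals impact multiplied by likelihood.

```python
from dataclasses import dataclass, field

SCALE_MAX = 5        # assumed 1-5 scale for impact and likelihood
RISK_APPETITE = 6    # assumed: residual scores above this must be treated


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # assumed points knocked off likelihood
    impact_reduction: int = 0       # assumed points knocked off impact


@dataclass
class RiskEntry:
    asset: str
    asset_owner: str
    risk_owner: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.impact, self.likelihood):
            if not 1 <= v <= SCALE_MAX:
                raise ValueError(f"{v} is outside the 1-{SCALE_MAX} scale")

    def inherent_risk(self) -> int:
        # Risk before any mitigation: impact multiplied by likelihood.
        return self.impact * self.likelihood

    def residual_risk(self) -> int:
        # Risk remaining after controls; floor of 1 x 1 because zero risk is unreachable.
        imp, like = self.impact, self.likelihood
        for c in self.controls:
            imp = max(1, imp - c.impact_reduction)
            like = max(1, like - c.likelihood_reduction)
        return imp * like

    def treatment(self, appetite: int = RISK_APPETITE) -> str:
        # Accept if within tolerance, otherwise reduce, transfer or avoid.
        return "accept" if self.residual_risk() <= appetite else "treat"


def prioritize(register, appetite=RISK_APPETITE):
    """Entries still above appetite after controls, worst residual risk first."""
    above = [r for r in register if r.residual_risk() > appetite]
    return sorted(above, key=lambda r: r.residual_risk(), reverse=True)


REGISTER = [  # constructed sample register, not from the webinar
    RiskEntry("Laptop fleet", "IT", "CIO", "Phishing", "Untrained staff", 4, 5,
              [Control("Security awareness training", likelihood_reduction=2)]),
    RiskEntry("ERP server", "IT", "COO", "Ransomware", "Unpatched OS", 5, 4,
              [Control("Vulnerability management", likelihood_reduction=3)]),
    RiskEntry("Office printer", "Facilities", "IT", "Theft", "Unlocked room", 1, 2),
]
```

Running `prioritize(REGISTER)` leaves only the laptop fleet above appetite, which is the entry a treatment plan would address first.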