What the 2022 Verizon-Data Breach Investigations Report Means for Your Business: An HBK Risk Advisory Services Webinar

Date May 12, 2022

Date: May 25, 2022

Time: 10:00 – 11:00 am ET

Host: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

On May 25, our webinar will feature a review of Verizon’s 2022 Data Breach Investigations Report (DBIR). This is Verizon’s 15th annual DBIR and our third consecutive year dedicating a webinar to this annually updated tool that businesses use to evaluate the cybersecurity threats they face and determine ways to mitigate them.

We will cover:

  • DBIR terminology
  • Key takeaways from this year’s report
  • Industry highlights
  • Inputs to your IT risk assessment
  • Risk mitigation recommendations

The Verizon DBIR provides valuable and actionable information and is relied upon by cybersecurity experts across the globe. Our webinar will provide information you can use during the “Identify Risks” and “Analyze Risks” steps of your IT risk assessment process.

Register today!




Watch: Building Agile Business Processes with Microsoft Power Platform

Date April 26, 2022

Helping you analyze, act, and automate your data

Highlights of the April 26, 2022, HBK Risk Advisory Services webinar featuring Justin Krentz, Senior Manager, Vertilocity; and Tyler Mains, Consultant, Vertilocity

What is digital transformation?

Digital transformation is the adoption of technology with the goal of improving efficiency, value, and innovation.

• Why digital transformation? We need to go faster: to expedite processes or to innovate at a faster pace. And we already have the data, the information we need; the goal is to integrate this wealth of knowledge:

– to optimize IT performance and reduce backlogs

– to replace or update legacy apps and platforms

– to unify data across a single platform

– to reduce time and costs by optimizing everyday tasks

• Challenges:

– budget constraints

– time and resource constraints

– business expectations

– paper processes

– complex process: not easy to change how things are being done

• More than half the companies in the Fortune 500 in 2000 are no longer in business. You have to find ways to be disruptive in your industry. At some point, staying the course and not finding ways to innovate will be a business’s downfall.

• Expected gains through modernizing processes with the Power Platform:

The Power Platform helps you update or replace legacy apps to optimize IT performance, reducing both time and cost; power your team for secure remote collaboration by integrating apps and automating workflows; and build a resilient supply chain with intelligent tools and end-to-end visibility.

– 73 percent of organizations feel they are not able to accurately plan because of siloed teams

– 37 percent still use paper to manage critical business processes

– 67 percent of CIOs and technology leaders say IT skills shortages are preventing them from keeping up with the pace of change

The technical side of Microsoft Power Platform

Three main standalone components or solutions:

• Power BI – visualizing your data: cloud-based business analytics that enables anyone to visualize and analyze any of your data with greater speed and understanding. Monitor your data in real-time from nearly any device across all major operating systems; set up mobile alerts to your phone when your data changes; share reports and dashboards with ease.

– quick and confident decisions because of real-time visualizations

– spend less time wrangling with data

– use a single, unified platform to give every employee access to insights

– seamless integration of apps and dashboards

– drag and drop design

– artificial intelligence to reveal trends and recommend visualizations

– accommodates unlimited amounts of data

• Power Apps – application development

Low-code technology reduces barriers to low-cost development and empowers employers to turn bright ideas into applications.

– low-code: from web to tablet to mobile to read and write data

– collaboration: apps can be published by anyone in the organization, who can then work together with others in the organization

– support any platform

– share apps like documents

– seamless integration with other apps

– drag and drop design

– data connectivity: connect with hundreds of other services

– built-in data platform: consolidate and standardize the data

• Power Automate – process automation

– automate and model business processes across your apps and services

– from simple automation to advanced scenarios with branches, loops, and more

– trigger actions, grant approvals and get notifications where you work

– a workflow process for each flow allowing services to communicate with each other and take action based on the data in separate services

– start with a template and build more complex processes from there

– hundreds of triggers: manual buttons, scheduled triggers

– share flows like documents

– intelligent automation – additional actions recommended based on your actions

– thousands of actions based on each of the hundreds of triggers

– data connectivity with hundreds of services

– built-in data platform: consolidate and standardize the data

Vertilocity success stories:

• An ice cream retailer uses a Power BI dashboard to address the challenge of forecasting demand, which is driven by weather. Store managers have real-time access to make informed decisions quickly when forecasting sales and staffing.

• An employee benefits program provider uses MS Office 365 Forms, Power Automate, and SharePoint Online to automate and track incidents. The solution tracks miscellaneous end-user requests, the onboarding and termination of users, and privacy incidents and breaches.

• A made-to-order equipment manufacturer serving various industries used SharePoint, Power Automate, and Power BI Pro to track orders from order to ship. It created workflows of required input, data, and triggers, and uses BI dashboards to present information on the entire process.




Using the Microsoft Power Platform to Build Agile Business Processes: An HBK Risk Advisory Services Webinar

Date April 25, 2022

Date: April 27, 2022

Time: 10:00 – 11:00 am ET

Host: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

Was it Covid, or simply technological evolution? Regardless of how it happened, the way we do business has changed fundamentally; the new business model is a far cry from how companies used to get their products and services to market. Business leaders who want to be more responsive to their customers’ demands must find ways to connect remote, siloed teams, as well as improve forecasting and other mission-critical processes.

In our April 27 Risk Advisory Services webinar, “Using the Microsoft Power Platform to Build Agile Business Processes,” we will explain how to add value to your business through analysis, action, and data automation.

We will cover:

  • Challenges preventing businesses from keeping up with the pace of change
  • Recognizing the need for digital transformation
  • The components and features of the Power Platform for Office 365
  • What the Microsoft Power Platform can help you learn from your data
  • Examples of organizations that benefit from using the Microsoft Power Platform

Join me for insights on how the Microsoft Power Platform can add value to your business.

Register today!




Webinar: Top IT Considerations for Manufacturers in 2022

Date April 20, 2022

Highlights from the April 20, 2022 webinar featuring Bruce Nelson, president, and Justin Krentz, account executive, of Vertilocity, an HBK Company.

Your information technology systems are a critical piece—and increasingly an interconnected piece—of your manufacturing infrastructure. Their effectiveness and security are key to your day-to-day operations as well as your plans for the days, months, and years ahead. “Top IT Considerations for Manufacturers in 2022” addresses ways to improve your IT processes, security posture, disaster recovery planning, and ERP.

Recognizing cyber threats

Manufacturing is targeted by cyber attackers because they can see that the disruption of a breach can be devastating to a manufacturer and that the tolerance for downtime among manufacturers is practically zero. Manufacturing jumped from eighth on the most-targeted industry list in 2019 to second in 2021. And according to the IBM Security Index, it is currently the most targeted industry.

  • Why? Primarily due to unpatched and outdated software. Many manufacturers are running antiquated systems and have been for a number of years.
  • Manufacturing hasn’t had security measures legislated, so it’s up to the companies to do it.
  • NIST cybersecurity framework

    The NIST cybersecurity framework helps organizations manage and reduce cybersecurity risks through a set of cybersecurity activities. The core elements of the framework: identify, protect, detect, respond, and recover.

  • Identify: the processes and/or assets that need protection; the resources and critical data that need to be protected. Need to identify the critical elements, such as data stored for conducting processes, or product recipes. Manufacturers need to be responsible for this element.
  • Protect: develop and implement the appropriate protections to ensure critical infrastructure services. Once critical elements are identified, put a program in place to protect them. As you take on additional infrastructure, like new equipment, you have to manage and secure those devices.
  • Detect: be able to identify incidents. Develop an understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities. This should be consistent with the risk management strategy and include a process for determining what happened, what it affected, and to whom to report it.
  • Respond: develop and implement appropriate activities to respond to a detected event. Support the ability to contain the impact of a potential event. Are assets prioritized correctly? Make sure there is a hierarchy and that someone is responsible for responding to an event. Do you have contact information on software providers and insurance companies? More events are generated from internal threats that you’re not aware of. You should have contingency plans for accessing email and other key business processes. Responding is a collaborative effort between the manufacturer and its business partners.
  • Recover: the ability to restore capabilities and services. Develop and implement the appropriate activities to maintain plans for resilience and restore capabilities or services that were impaired. Consider: if a device gets compromised, what effect does that have on your business? Empower those responsible for recovery; provide the support from leadership to be able to do and test these recovery processes. Consider the different requirements for restoring a file or a server or a cloud-type environment; think through what’s required and assign responsibilities.
  • Cybersecurity Maturity Model Certification

    CMMC Model 2.0: Three levels—foundational, advanced, and expert. The level required is currently based on the level of interaction with the Department of Defense, but requirements will be rolled out to the entire manufacturing industry.

    Cybersecurity and Infrastructure Security Agency

    The government agency whose purpose is to collect and analyze events from all industries. It works closely with all major publishers, such as Amazon, and actively publishes industry-specific known threats and best practices. It takes a collective effort of software, hardware, and cybersecurity firms to identify and publish threats and inform on different topics. Familiarize yourself with the website: www.cisa.gov

    16 critical items for your organization’s security posture

    • Ways to protect your organization from a cyber attack:

    – security assessment

    – spam email

    – passwords

    – security awareness

    – industry expertise

    – advanced endpoint detection

    – multi-factor authentication

    – computer updates

    – dark web research

    – log management

    – web gateway security

    – response plan

    – firewall

    – encryption

    – backup

    How can a Managed Service Provider (MSP) help?

    • IT security is an increasingly collaborative effort. There are too many elements, technology is too ingrained in every aspect of the organization, to make a third party vendor solely responsible. So the trend is a co-managed model.

    • MSP services include:

    – Monitoring & maintenance support: Are we managing this proactively; automated systems should be in place.

    – Technical services: The people part of it: how are we supporting the teams responsible for cybersecurity activities?

    – Executive reporting: How are we reporting to management to show that we can identify and detect? Might not have the expertise in-house or bandwidth to do this without external support.

    – Network documentation: Document IT assets, site detail, and implement secure password management. Need to be sure these things are in place and up to date.

    – Recurring business reviews: Hold weekly or bi-weekly meetings for ticket review and forecasting. Are unknowns planned for? Can we adapt to address them?

    • Security services include: advanced threat protection, multi-factor authentication, dark web monitoring, enterprise mobility management, and disaster recovery planning

    Elements in the general framework of disaster recovery planning:

    – Implement full network discovery.

    – Define recovery objectives.

    – Define applications, dependencies, and criticality.

    – Obtain licensing information.

    – Define physical locations; document the call tree.

    – Document insurance contact information.

    – Test.

    Hot topics we’re seeing related to Enterprise Resource Planning (ERP):

    • Clients need to adapt and better align with partners. Focus used to be on getting data into systems, now it is how to get the data out, how to make it usable, how to get it from machines on the floor for better insights, how to plan better for supply chain deficiencies, and how to do more for less.

    • Process and workflow automation: there is an abundance of tools to automate IT systems and to integrate people and processes. Solutions include Microsoft Dynamics 365 and Sage Intacct, as well as five or six other top-tier solutions on which to build your foundation.

    • Elements of a power platform include:

    – Power BI: putting data-driven insights into everyone’s hands

    – Power Apps: custom apps that solve business challenges

    – Power Automate: the ability to automate organizational processes




    Webinar: The Future of Cannabis Cultivation Operations and Costing

    Date April 8, 2022

    Highlights of the April 8, 2022 webinar hosted by Christopher Marrie, Director HBK Cannabis Solutions, and Warren Harasz, VP of Compliance, Cannaspire

    As the cannabis industry grows and matures, better practices in operations and costing are necessary to remain competitive, balance quality with compliance needs, and keep your organization ready for long-term objectives, such as exits, expansion, and sustained profitability.

    Webinar content includes:

    • How to better identify commonly overlooked cost savings opportunities in your cultivation’s operations

    • Achieving the goals of product quality and product compliance without sacrificing one for the other

    • Lowering unexpected tax and compliance risks with better systems and SOPs

    • Effective and time-efficient costing methods to identify inefficiencies and make better decisions than your competition

    General cultivation costing issues

    For cultivators in startup mode

    • New Jersey is the most active state on the East Coast in licensing

    • Key is being involved in the municipalities where you will be located; will need their verification to get licensing; attend municipal meetings

    • Due to IRS rules on deductions for cannabis companies, you will not be able to deduct costs you incur getting licensing; also remember that in the pre-revenue stage, you can only deduct your cost of goods sold (COGS)

    • IRS has mandated using full absorption GAAP accounting for your COGS, and your books must match your tax return in terms of accounting method.

    • Some companies strategize positions like an agriculture business to stay out of the plant-touching side of the business as long as possible before they are licensed and ready to begin operations.

    • In terms of startup costs, you can start small and build your way up more easily with an outdoor facility. Indoor facilities, typically for mass distribution, are more costly. For example, some New Yorkers are converting CBD farms to cannabis licensing at minimal cost. The cost to get an outdoor product up and running may be limited to securing the license, starting the required tracking, the labor to run it, and some marketing initiatives. Indoor involves a lot more moving pieces throughout the facility, which affects costs.

    • Seed-to-sale software won’t suffice for tracking metrics like yield per strain, yield per square foot, and cost per gram. None of that will be covered by seed-to-sale software.

    • The overhead of the facility, while you’re ramping up, is COGS.

    • Better to start with reasonable, realistic production projections: under-promise and over-deliver. Need to anticipate startup costs through the entire life cycle of the plant: ultimately an entire life cycle of 60 to 70 days through harvest, plus time to produce those clones, then the labor for the flip.

    • There is going to be some period of trial and error where costs will be greater than anticipated. It takes two or three harvests in the indoor space.

    • Have to track and quantify costs or you can’t make good business decisions, such as which genetics to choose. You have to track metrics to know what your costs are in case you need to change management, like a master grower. Need to work with an accounting firm to help with that; there are no good IT solutions. Seed-to-sale software is set up like the regulators are the clients, not the growers. It doesn’t really do costing – you can enter it but you have to calculate it.

    • There are ways to track, especially with modern facilities set up with SOPs, handbooks, operating procedures, and policies. You can track labor time for specific project assignments and check the job for satisfactory work. A key point is that time is of the essence when you’re talking about your crop. Tracking all costs will get you a realistic cost per pound of production, down to the price per gram.

    • It is best to implement cost tracking from the beginning. Once it is set up, it can be built on and maintained. It’s a good business practice in general, especially in the cannabis business where you are going to be audited by the IRS.

    Out of startup space and into a fully functional facility – challenges to costing in real-time

    • The industry has plenty of master growers, but turnover is frequent, so the biggest challenge is having something like SOPs in place in case your management changes.

    • Capital requirements are high, cash flow is always tight, margins are slim, labor intensive—sometimes SOPs fall by the wayside in the effort to get product out.

    • Many master growers from the traditional industry are skilled but without resumes.

    • Should you build out or retrofit a building? That is one example of the challenges for people moving from the traditional industry to legal development. Another is getting the number of employees you need, and what that involves, such as benefits packages. There is typically a disconnect between people who know the work side of the business and understanding the costing issues related to ensuring a profit.

    • Have to proactively track your costs to make key decisions, such as whether to use labor to accomplish a task or invest in technology that will reduce your need for labor.

    • You might want to let the distributors do the packaging.

    • You have to diversify. You don’t want to do the same strain forever. Have to find your niche and determine what the market wants.

    • Have to get cost accounting down to an SKU level. Knowing your costs of genetics and your return on that investment: if you can track that and gauge profitability by strain, you can maximize the value of your facility. But it is difficult to get there.

    • We see people struggle with labor studies and equipment usage.

    • How many watts of light are you using? You would like to know that on a daily basis. Need to keep a daily journal of light required, heat intensity, and humidity. It comes down to how tightly you are parameterizing your operations.

    • Historically we’ve seen year-end costing being done. But the decisions that need to be made to improve the process are missed when you do it in hindsight. Setting up systems can be time-consuming but if you don’t have that expertise, it’s worth bringing in a consultant to take developing tracking SOPs off your master cultivator’s plate. By identifying inefficiencies you can save much more time and money in the long run as opposed to looking back at the end of the year to recognize costing issues.

    • Operators are embracing opportunities to button up their business practices. Things are changing extremely fast, including production technology. Tracking is how you stay current on up-to-date practices and don’t get left behind by someone who can produce better quality and higher yield.

    • Tracking will be essential to change from traditional cultivation to getting into the legal industry and complying with those requirements.




    Watch: Establishing a Third-Party Risk Management Program

    Date March 24, 2022

    Highlights of the March 23, 2022 webinar hosted by Bill Heaven, CPA, CISA, CITP, CSCP, Senior Director IT Development

    Third-party risk is on the rise, through email/supply chain threats, third-party breach costs, and breach due to a third party.

    How do your vendors rate?

    Every organization should be able to answer that question and should have obligations their vendors have to meet via:

    • Contract
    • Security requirements
    • Privacy regulations at the state level, like California Consumer Privacy Act, a landmark law that gives consumers the right to know about the personal information a business collects about them and how it is used and shared, and the right to have it deleted.

    Attack vectors

    Ransomware is getting more dangerous; attackers are doing two relatively new things:

    • Exfiltrating data from your systems before encrypting it, then threatening to post customer data on websites.
    • Getting into systems and attacking the backups so you can’t revert to them to avoid paying a ransom.

    Code signing – attackers compromise the signing process just long enough for the certificate check to pass, so that you load malware you believe came from a legitimate vendor

    Compromising open-source code – it is harder to get malware into open-source code than to abuse code signing

    Who’s responsible for vendor risk?

    Confusion on responsibility: just as there is a misconception that responsibility for cybersecurity belongs to IT, the same thing happens with vendor risk; it needs to be owned at upper levels of management for procurement and information security.

    Third-party risk management steps

    Discover:

    • Have a data classification process by sensitivity to know what types of data you have and what’s most important.
    • Know what vendors will do with your data, what type of data, and their access.
    • Need a framework to evaluate vendor access objectively, including controls vendors should have in place based on what kind of information they are accessing.

    Analyze:

    • It’s important to evaluate how the vendor is going to integrate into your business processes.
    • It’s your job to be as responsible as possible with your customers’ data.

    Manage and quantify:

    • Assign a risk quantification score.
    • Document it to allow mitigation when necessary.
    • Need an objective process, regardless of the size of the vendor organization, such as a SOC report or a report from an independent security firm, to ensure the information is valid.

    Prioritize and treat:

    • Put as many controls as you can in your vendor contracts to make sure you are creating a secure environment, enough to keep the business on the up and up

    Monitor continuously:

    • Have to keep tabs on what’s going on.
    • The most important thing in risk management is to have a formalized process, with steps that have to be followed.
    • Assess regularly, at least annually.

    Third-party risk is on the rise

    • Email/supply chain threats – 80 percent of cyber attacks result from phishing; sad to say, but it does work.
    • Supply chain threats are relatively new and more sophisticated, typically carried out by nation-states, like the SolarWinds attack.
    • The average cost of a third-party breach across all industries is up by $370,000; 53 percent of organizations have experienced a third-party breach.

    Suggestions/ best practices

    • Put policies in place to minimize access to systems to whatever people need to do their jobs.
    • Monitor regulations on privacy and security requirements, which are typically set at a state level.
    • Monitor vendors to maintain their obligations relative to your business and data.
    • Visit www.cisa.gov for resources such as risk assessment guidance, the latest phishing scams, etc.
    • Make sure someone at the highest levels of the organization, such as the chief operating officer, owns vendor risk.




    Establishing a Third-Party Risk Management Program: An HBK Risk Advisory Webinar

    Date March 17, 2022

    Date: March 23, 2022

    Time: 10:00 – 11:00 am ET

    Host: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

    As computing landscapes continue to broaden, organizations are finding themselves exposed to greater risk from third-party vendors. According to a major governance, risk, and compliance firm, only 52 percent of companies have security standards governing their relationships with third parties, despite an average of 89 vendors accessing those companies’ networks on a weekly basis.

    In our March 23 Risk Advisory Services webinar, “Establishing a Third-Party Risk Management Program,” we will explain why third-party risk is on the rise, current trends, and how to establish your own third-party, or vendor, risk management program.

    We will cover:

    • Current trends in third-party risk management
    • The various types of obligations that impact a vendor’s rating
    • Common cybersecurity attack vectors used against third parties
    • Steps in a third-party risk lifecycle
    • Suggestions for assigning responsibility for your vendor risk protection process

    Join me for insights on mitigating your exposure to third-party cybersecurity risks.

    Register Today!




    Watch: Cybersecurity Hygiene: Strategies for Securing Your Business

    Date February 23, 2022

    Highlights of the February issue of the monthly HBK Risk Advisory Services Webinar Series, February 23, 2022, hosted by Bill Heaven, CPA, CISA, CITP, CSCP, Senior Director IT Development

    Background

    Changes to the IT Footprint: IT footprints have been changing due to:

  • COVID-19: people went from working in an office to working from home
  • Migration to the cloud: 88 percent of organizations use the cloud in some form
  • Work from home five days a week grew from 17 to 44 percent during 2020
  • Shadow IT: IT solutions your IT group does not know about and was not involved in choosing; people bringing solutions into your environment that have not been cleared through IT

    Insider Threats

  • Conscious: attrition, people leaving your organization, and disgruntled employees; departing people should be removed from system access as quickly as possible
  • Unconscious: social engineering, lack of security awareness, and mistakes such as clicking on links in emails they shouldn’t
  • Security awareness training: 32 percent of breaches involve phishing; 85 percent of ransomware attacks use phishing to get in
  • Email is the prime path for attackers delivering malware; provocative subject lines such as “stricter facemask policies beginning next week” will get employees to click

    Increased Credential Theft

  • Social engineering: obtaining user IDs and passwords; beyond email, also “vishing” via voice calls and “smishing” via text messaging
  • Possible incursion by outside service personnel looking for employee passwords
  • Employees using weak passwords and reusing the same password across systems

    Infrastructure Oversights

  • Legacy applications left up and running, often because old data was not yet moved to a new system, or data was moved to the cloud without removing the obsolete copy
  • Misplaced authority/responsibilities: restrict admin access and assign responsibilities explicitly, such as who is responsible for patching once data is moved to the cloud

    Preventing Business Interruption

  • Business continuity or disaster recovery plan: 60 percent of small businesses go out of business after a cyber attack; 67 percent of companies with fewer than 1,000 employees have experienced some form of cyber attack; 22 percent of businesses that are victims of ransomware have gone out of business
  • Backups: think of backups as a safety net
    The Risks

    Changes to the IT Footprint

  • The increased size of the IT footprint has made data harder to protect: work from home and cloud, plus third-party access to the environment and shadow IT
  • Strange work hours: work from home changes work hours from previous patterns
  • Hard to determine who is accessing your network and when
  • Confusion over security responsibilities: understand who is responsible for implementing each security process, including which controls a cloud provider covers and which remain yours

    Insider Threats

  • Espionage: people inside the company or who have recently left; keep in touch with employees, because they could be inclined to steal data or provide access; attackers recruit ex-employees by enticing them with substantial offers

    Increased Credential Theft

  • Colonial Pipeline: initial access came through a VPN account belonging to a former employee that was still active, using a compromised password; the account was not protected by multi-factor authentication, which should be in place at a minimum to prevent such easy access

    Infrastructure Oversight

  • Legacy applications give hackers access to old data, so know which systems need to be decommissioned
  • Limit the number of accounts with admin rights; hackers who obtain admin rights can move laterally to broaden their access and move around your systems
  • Responsibilities: 33 percent of breaches were the result of unpatched vulnerabilities

    Preventing Business Interruption

  • Big risk to backups: ransomware can reach your backups and ruin them; check regularly to ensure they are operating appropriately and can actually be restored
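The work-hours and access-visibility risks above can be turned into a concrete check. The script below is an added example written for this page, not material from the webinar or HBK: it learns each user’s normal sign-in hours and source addresses from a week of constructed sign-in records (the log format, user names and addresses are all assumed for illustration) and then flags later sign-ins that fall outside that baseline, which is the baseline knowledge of patterns that makes odd-hour access stand out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of remote sign-in events (not real data).
# Assumed format: ISO timestamp, username, source address, result.
SAMPLE_EVENTS = """\
2022-02-01T08:55:12 alice 203.0.113.10 success
2022-02-01T09:02:41 bob 198.51.100.7 success
2022-02-02T08:47:03 alice 203.0.113.10 success
2022-02-02T17:58:30 bob 198.51.100.7 success
2022-02-03T13:15:09 alice 203.0.113.10 success
2022-02-03T09:10:11 bob 198.51.100.7 success
2022-02-04T08:59:58 alice 203.0.113.10 success
2022-02-04T10:20:00 bob 198.51.100.7 success
2022-02-10T03:12:45 alice 192.0.2.55 success
2022-02-10T09:01:02 bob 198.51.100.7 success
2022-02-11T23:40:19 carol 192.0.2.99 success
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse the constructed log format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return events


def build_baseline(events, until, pad_hours=1):
    """Learn each user's normal sign-in hours and source addresses from the
    successful events before `until`. Hours are padded by pad_hours on each
    side so an 08:47 login does not look odd next to a 09:00 habit."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set()})
    for e in events:
        if e["time"] >= until or e["result"] != "success":
            continue
        b = baseline[e["user"]]
        for d in range(-pad_hours, pad_hours + 1):
            b["hours"].add((e["time"].hour + d) % 24)
        b["sources"].add(e["src"])
    return dict(baseline)


def find_anomalies(events, baseline, since):
    """Flag sign-ins from `since` onward that fall outside the user's baseline:
    unknown account (no history), unusual hour, or never-seen source address."""
    findings = []
    for e in events:
        if e["time"] < since:
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for this account")
        else:
            if e["time"].hour not in b["hours"]:
                reasons.append(f"hour {e['time'].hour:02d} outside baseline {sorted(b['hours'])}")
            if e["src"] not in b["sources"]:
                reasons.append(f"new source address {e['src']}")
        if reasons:
            findings.append((e["user"], e["time"].isoformat(), "; ".join(reasons)))
    return findings


def run_sample():
    """Baseline on the first week of constructed data, then review the rest."""
    events = parse_events(SAMPLE_EVENTS)
    cutoff = datetime(2022, 2, 5)
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for user, when, why in run_sample():
        print(f"{when} {user}: {why}")
```

On the sample data this reports alice’s 03:12 sign-in from a new address and carol’s sign-in from an account with no history, while bob’s usual 09:01 login passes. In practice the baseline window should be rebuilt on a rolling basis, and a per-user baseline is only a starting point: on-call staff and service accounts need their own expectations.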
    Suggestions (best practices and controls)

    Changes to the IT Footprint

  • Know where your data is stored: in the cloud? In any shadow IT?
  • Perform a risk assessment of your vendors and their access to your data

    Insider Threats

  • When employees leave, remove their system access immediately, including remote access
  • Link identity and access management to your HR system, so access rights are removed automatically when an employee leaves
  • Monitor traffic during abnormal work hours and build baseline knowledge of normal patterns so deviations stand out
  • Run regular vulnerability scans and keep patching up to date

    Increased Credential Theft

  • Run sample phishing campaigns to train employees not to click on suspect emails
  • Require more complex passwords, but assume hackers can eventually crack any password; use password managers; implement multi-factor or adaptive multi-factor authentication

    Infrastructure Oversights

  • Decommission unused software and know who has access to what remains
  • Ensure data is encrypted, especially data that does not travel over an approved path
  • Address vulnerabilities through patching across operating systems, applications, hardware, and firmware
  • Use complex passwords and get rid of built-in (default) passwords
  • Keep track of the number of privileged users

    Preventing Business Interruption

  • Business continuity and incident response planning: have a continuity plan that includes communications, such as who is allowed to talk to the media
  • Have a written, trusted, and updated continuity plan, with multiple copies stored in various locations
  • Backups: hackers are finding backups and trashing the data; follow the “3-2-1” strategy: three copies of the data, on two different media, with one always off-site; keep an air-gapped or offline copy that is not reachable from the network
  • If you pay a ransom, understand how long it will take to become operational again after you pay
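As an added illustration of the leaver, HR-linkage and privileged-user suggestions above (example code written for this page, not HBK’s or the webinar’s), the script below reconciles a constructed HR roster against a constructed directory export. The column names, the group names (domain-admins, vpn-users) and the people in it are assumptions; the checks are the ones the section calls for: enabled accounts of terminated employees, enabled accounts with no HR record, remote-access accounts without multi-factor authentication (the Colonial Pipeline pattern), and a count of privileged users.

```python
import csv
import io

# Constructed HR roster export (assumed columns; not real people).
HR_CSV = """\
employee_id,name,status,termination_date
1001,Alice Adams,active,
1002,Bob Brown,terminated,2022-01-14
1003,Carol Chen,active,
1004,Dan Diaz,terminated,2022-02-01
"""

# Constructed directory / identity-provider export (assumed columns).
IDP_CSV = """\
username,employee_id,enabled,groups,mfa_enrolled
aadams,1001,true,staff;vpn-users,true
bbrown,1002,true,staff;vpn-users;domain-admins,false
cchen,1003,true,staff,true
ddiaz,1004,false,staff,true
svc-backup,,true,domain-admins,false
"""

# Assumed group names; map these to your own directory's privileged and
# remote-access groups.
PRIVILEGED_GROUPS = {"domain-admins"}
REMOTE_ACCESS_GROUPS = {"vpn-users"}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def _groups(account):
    return {g for g in account["groups"].split(";") if g}


def _enabled(account):
    return account["enabled"].strip().lower() == "true"


def reconcile(hr_rows, idp_rows):
    """Compare every enabled directory account against the HR roster and
    return (username, code, detail) findings for leaver, orphan and MFA gaps."""
    hr = {r["employee_id"]: r for r in hr_rows}
    findings = []
    for acct in idp_rows:
        if not _enabled(acct):
            continue  # disabled is the desired end state for a leaver
        emp = hr.get(acct["employee_id"])
        if emp is None:
            findings.append((acct["username"], "ORPHAN",
                             "enabled account with no HR record (service or shadow account; assign an owner)"))
        elif emp["status"] == "terminated":
            findings.append((acct["username"], "LEAVER_ENABLED",
                             f"still enabled after HR termination on {emp['termination_date']}"))
        if _groups(acct) & REMOTE_ACCESS_GROUPS and acct["mfa_enrolled"].strip().lower() != "true":
            findings.append((acct["username"], "REMOTE_NO_MFA",
                             "remote access without multi-factor authentication"))
    return findings


def privileged_users(idp_rows):
    """Enabled accounts in a privileged group: the number to track over time."""
    return sorted(a["username"] for a in idp_rows
                  if _enabled(a) and _groups(a) & PRIVILEGED_GROUPS)


def run_sample():
    hr, idp = load_csv(HR_CSV), load_csv(IDP_CSV)
    return reconcile(hr, idp), privileged_users(idp)


if __name__ == "__main__":
    findings, admins = run_sample()
    for user, code, detail in findings:
        print(f"{code:<15} {user:<12} {detail}")
    print(f"privileged users: {len(admins)} ({', '.join(admins)})")
```

Run on the constructed data, it flags bbrown twice (terminated in January but still enabled, with VPN access and no MFA) and svc-backup once (a privileged account nobody in HR owns), and counts two privileged users. The same reconciliation, scheduled daily against real exports, is the practical form of linking identity management to HR.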



    Cybersecurity Hygiene-Strategies for Securing Your Business: An HBK Webinar

    Date February 15, 2022

    Date: February 23, 2022

    Time: 2:00 – 3:00 pm EST

    Host: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

    As computing technology evolves, organizations are finding themselves exposed to higher risk levels due to poor cybersecurity hygiene. We are seeing repeated examples of lax IT security controls leading to cybersecurity incidents and/or breaches.

    In our February 23 Risk Advisory Services webinar, “Cybersecurity Hygiene: Strategies for Securing Your Business,” we will explain why these incidents are increasing and how to improve your cybersecurity posture—and share some shocking statistics that will encourage you to take action toward better cybersecurity hygiene.

    We will cover:

  • How not following your industry’s cybersecurity best practices can negatively impact your organization
  • Characteristics and implications of poor cybersecurity hygiene
  • Common controls that can improve your cybersecurity posture
  • Suggestions for implementing controls to mitigate risk and prevent downtime due to poor cybersecurity hygiene

    Join me for insights on limiting your risk exposure while enhancing your business’s cybersecurity posture.

    REGISTER TODAY!




    Watch: How Does Your Vulnerability Management Process Stack Up Against Log4j?

    Date January 26, 2022

    Highlights of the January 26, 2022 webinar hosted by Bill Heaven, CPA, CISA, CITP, CSCP, Senior Director IT Development and featuring Damon Hacker, MBA, CISA, CSXF, CMMC-RP, President & CEO, Vestige Digital Investigations

    A Case Study: HAFNIUM Exchange Vulnerability

    • Surfaced in early 2021.

    • Affected many companies and 125,000 servers around the world: on-premises Microsoft Exchange servers (email) that companies host themselves, not cloud-hosted email services.

    • Allowed access to mailboxes without authentication.

    • Some attackers installed malware and some installed backdoors (web shells) that allowed access to the servers for an extended period of time.

    • Exploited four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.

    • Publicly disclosed on March 2, 2021. The vulnerabilities were initially discovered in December 2020 and reported to Microsoft in early January 2021; three attacker groups picked up on them in late February and started their exploitation.

    A Case Study: Log4j/Log4Shell exploit

    • Disclosed December 9, 2021 (CVE-2021-44228).

    • Zero-day exploit: an exploit that becomes available before the vulnerability is widely known or a fix is available.

    • Allowed remote code execution: someone in another location can run arbitrary code on your system to carry out their purpose.

    • Log4j is a Java logging library, a very powerful one that covers almost everything you could conceive of doing from a logging standpoint.

    • It is embedded in all kinds of applications: software that relies on other software, which in turn contains the vulnerable library.

    • Nearly half of all corporate networks had already been targeted within days of it becoming known.

    • Hundreds of millions of devices are at risk.

    • Hackers use the exploit to install cryptomining malware, Cobalt Strike, and ransomware, and to steal credentials.
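Because Log4j sits inside other software, the first question for most organizations was simply where it is. The scanner below is an added example written for this page (not code from the webinar, Vestige or the Log4j project): it walks a directory tree, opens every .jar/.war/.ear archive, recurses into nested archives such as fat jars, reads the log4j-core version from the Maven pom.properties that ships inside the jar, and reports whether that copy falls in the range affected by CVE-2021-44228 and whether the JndiLookup class, whose removal was the published workaround, is still present. The sample tree it builds in a temporary directory is constructed test data, and the class file inside is a stub containing only the class-file magic bytes.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# log4j-core internals (real paths): the class whose removal was the published
# workaround, and the Maven metadata that records the bundled version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(n or 0) for n in m.groups()) if m else None


def affected_by_44228(version):
    """CVE-2021-44228 affects log4j-core 2.x below 2.15.0, except the 2.12.2
    (Java 7) and 2.3.1 (Java 6) back-ports. Log4j 1.x is out of scope here."""
    if version is None or version[0] != 2 or version >= (2, 15, 0):
        return False
    if (2, 12, 2) <= version < (2, 13, 0) or (2, 3, 1) <= version < (2, 4, 0):
        return False
    return True


def scan_archive(zf, label):
    """Classify one archive, then recurse into any archives nested inside it."""
    names = set(zf.namelist())
    findings = []
    has_jndi = JNDI_CLASS in names
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = parse_version(m.group(1).strip()) if m else None
        if affected_by_44228(version) and has_jndi:
            status = "VULNERABLE"
        elif affected_by_44228(version):
            status = "MITIGATED"   # class removed, but an upgrade is still due
        else:
            status = "OK"
        findings.append({"path": label, "version": version, "status": status})
    elif has_jndi:  # shaded/repackaged copy with no Maven metadata
        findings.append({"path": label, "version": None, "status": "UNKNOWN_VERSION"})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(scan_archive(inner, f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Inventory step: open every archive under root and collect findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(scan_archive(zf, str(path.relative_to(root))))
            except zipfile.BadZipFile:
                continue
    return findings


def _fake_log4j_core(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: metadata plus a stub class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree():
    """Constructed app tree: a fat jar nesting 2.14.1, a patched 2.17.1 jar,
    and a 2.14.1 jar with JndiLookup.class stripped out."""
    root = Path(tempfile.mkdtemp())
    fat = io.BytesIO()
    with zipfile.ZipFile(fat, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    (root / "app.jar").write_bytes(fat.getvalue())
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(_fake_log4j_core("2.17.1"))
    (root / "lib" / "log4j-core-2.14.1-stripped.jar").write_bytes(
        _fake_log4j_core("2.14.1", include_jndi=False))
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['status']:<15} {f['version']}  {f['path']}")
```

The nested-archive recursion is the part that matters: the vulnerable copy in the sample lives inside app.jar, where a scan that only matches file names would never see it. A jar that carries JndiLookup.class but no Maven metadata (a shaded or repackaged copy) is reported as UNKNOWN_VERSION rather than silently passed, because that is exactly the kind of embedded dependency the speakers warn about.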

    You might become a victim via:

    • A crime of opportunity: hackers are testing for vulnerabilities 24/7.

    • Collateral damage: someone else’s system or email gets compromised.

    • Part of an unlucky targeted group: if you see others in your peer group getting attacked, it’s time to start paying attention.

    • Could be purposefully targeted: perhaps if you were a previous victim.

    • Tools available to hackers let them operate with the same sophistication as state-sponsored espionage and weaponization.

    The APT (Advanced Persistent Threat) life cycle:

    • Can start with intelligence gathering, background research.

    • An initial attack: hackers find some vulnerability and can get in; they enable persistence so they can get back in.

    • Once in, they conduct enterprise reconnaissance.

    • They might move laterally to other systems.

    • They look to escalate privileges.

    • They gather and exfiltrate data.

    • The average time an attacker is inside an organization before it finds out is 7.5 months, and the intrusion is usually discovered by someone outside the organization.

    Vulnerability Management

    • How to combat attacks: you need a program to identify vulnerabilities before the attacker finds them.

    • Log4j is ubiquitous: developers need to be aware of what they pull in; you cannot blindly accept that products are safe to bring into your environment, especially open source software, where code comes from many contributors and you inherit its dependencies.

    • You need a defined process or system: a security practice designed to proactively prevent exploitation of vulnerabilities.

    • Identify assets and their vulnerabilities, then mitigate and fix the known vulnerabilities.

    • Good vulnerability management programs:

    -Promote consistent processes over a wide range of threats

    -Align with risk appetite of the organization

    -Are easy to understand and conduct

    -Have high visibility among decision makers

    • Vulnerability management options:

    -Vulnerability scanning: identifying the vulnerabilities that exist in an environment so they can be assessed for exploitability.

    -A formal risk analysis process based on a framework.

    -Best approach: a combination of the two.

    • Recommendations for conducting a risk assessment:

    -Do a NIST SP 800-30 formal risk assessment.

    -Decide on frequency and scope.

    -Decide on objective or subjective scoring for likelihood of occurrence and potential impact.

    -A formal risk assessment provides a picture of where you need to start and priorities.

    -Vulnerability scan: an automated process or tool run across an environment to test hundreds or thousands of devices.

    -A vulnerability scan does not by itself identify whether someone can actually get in or how.

    -Scan from inside the network as well as from outside to identify all locations where vulnerabilities exist.

    -Scans produce a deluge of findings, which need to be prioritized; finding the core problem shared across systems (one vulnerable component present on many hosts) can reduce the remediation workload many times over.

    -Create and update a risk register to help ensure issues are being addressed.
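To make the prioritization and risk-register points above concrete, here is an added example (written for this page, not from the webinar or either firm) that collapses a constructed scanner export into one register entry per root cause, scores each entry objectively from CVSS, exploit availability and the number of affected hosts, and assigns a remediation tier and deadline. The column layout, hostnames, tier thresholds and fix windows are assumptions to be tuned to your own risk appetite.

```python
import csv
import io
from collections import defaultdict

# Constructed vulnerability-scanner export (assumed columns; hosts are made up).
SCAN_CSV = """\
host,component,finding,cvss,exploit_available
web-01,log4j-core 2.14.1,Log4Shell remote code execution,10.0,yes
app-02,log4j-core 2.14.1,Log4Shell remote code execution,10.0,yes
batch-03,log4j-core 2.14.1,Log4Shell remote code execution,10.0,yes
web-01,TLS configuration,weak cipher suites enabled,5.3,no
db-01,PostgreSQL 9.6,end-of-life database version,7.5,no
fs-01,SMBv1,SMBv1 protocol enabled,8.1,yes
fs-02,SMBv1,SMBv1 protocol enabled,8.1,yes
"""

# Assumed remediation policy: score thresholds for each tier and the number of
# days allowed to fix it. Tune these to the organization's risk appetite.
TIERS = [(40.0, "Critical", 7), (15.0, "High", 30), (0.0, "Medium", 90)]


def load_scan(text):
    return list(csv.DictReader(io.StringIO(text)))


def priority_score(cvss, exploitable, host_count):
    """Objective score: CVSS, doubled when an exploit is available, scaled by
    how many hosts share the same root cause."""
    return cvss * (2.0 if exploitable else 1.0) * host_count


def build_register(rows):
    """Collapse per-host findings into one risk-register entry per root cause
    (component + finding), then rank entries by priority score."""
    grouped = defaultdict(lambda: {"hosts": set(), "cvss": 0.0, "exploitable": False})
    for r in rows:
        g = grouped[(r["component"], r["finding"])]
        g["hosts"].add(r["host"])
        g["cvss"] = max(g["cvss"], float(r["cvss"]))
        g["exploitable"] = g["exploitable"] or r["exploit_available"].strip().lower() == "yes"
    register = []
    for (component, finding), g in grouped.items():
        score = priority_score(g["cvss"], g["exploitable"], len(g["hosts"]))
        tier, days = next((t, d) for threshold, t, d in TIERS if score >= threshold)
        register.append({"root_cause": f"{component}: {finding}",
                         "hosts": sorted(g["hosts"]), "score": round(score, 1),
                         "tier": tier, "fix_within_days": days})
    register.sort(key=lambda e: e["score"], reverse=True)
    for i, entry in enumerate(register, 1):
        entry["id"] = f"R-{i:03d}"  # becomes a stable id once the register is persisted
    return register


if __name__ == "__main__":
    rows = load_scan(SCAN_CSV)
    reg = build_register(rows)
    print(f"{len(rows)} scanner findings -> {len(reg)} register entries")
    for e in reg:
        print(f"{e['id']} {e['tier']:<8} score={e['score']:<5} fix within {e['fix_within_days']:>2}d "
              f"hosts={len(e['hosts'])} {e['root_cause']}")
```

Seven scanner findings become four register entries, and the one vulnerable library shared by three hosts rises to the top as a single Critical item with a seven-day deadline, which is the “core problem spread across systems” effect the speakers describe. Replacing the score with an analyst’s rating would give the subjective variant of the same register.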
