Mar 23, 2017 10:03:00 AM

Cyber Security for the Road Warrior

In my previous columns, I’ve been describing the benefits of having offense-oriented testing performed on your company’s network. This time around, I want to give some advice for the road warriors among you. Many of you have to travel for work, and present an attractive target to cyber criminals that want to steal trade secrets, customer information, or even infect your system in a way that puts your network at risk when you return to the office. You can, however, work on the road in a much more secure way, armed with some basic precautions and awareness.

Topics: Executive Insight, cybersecurity

Mar 9, 2017 9:42:19 AM

Why "I'm Just Not Technical" is No Longer an Excuse in the C-Suite

I cannot tell you how many board presentations and meetings I have been in and heard "I am just not technical". Not being “tech savvy” is no longer a valid excuse for not understanding the threats your organization faces and what needs to be done to provide protection. If you are in the budgeting, decision making or approval process of technology in your organization, you have no choice.

Topics: Executive Insight, cyber risk

Mar 2, 2017 10:00:00 AM

How Much Should You be Spending on Cybersecurity?

We often hear clients and prospective clients asking “how much should I be spending on cybersecurity?” That is a very complex question and one that is not easily answered without first having an understanding of what is meant by cybersecurity. There are many different versions of cybersecurity being pushed in the market and there is no "one size fits all" solution despite what your vendor may tell you. The key is in spending for what is right for your organization, not simply deciding that a set percentage should be spent on these solutions. Below are some key questions that you should ask of yourself:

Topics: Executive Insight, IT Budget, Budget Allocation

Feb 23, 2017 10:05:00 AM

Their Breach is Your Breach

When you’re catching up on the news, it’s become all too common to see stories about new breaches that have occurred, resulting in the theft of customers’ personal and financial information from businesses of all sectors. If you’re a regular reader of my column, you’ve probably gotten past the fallacy of thinking “that can’t happen to me”, but there’s still something very detached about it all. Even when you get a letter or email notifying you that your information has been stolen from an online service you use, it happens so often you have a hard time seeing the urgency.

Topics: Executive Insight, password reuse, password security

Feb 21, 2017 9:15:37 AM

R.I.P. VCRs: Lessons in Disruption for the Audit Industry

I was shocked to learn the last VCR rolled off the assembly line in July 2016. I remember my family buying our first VCR – the magic of being able to watch any one of our 6 cassette movies at any time, pausing when you needed a break, fast forwarding through the boring parts. It was a miracle and changed how we watched. As I reflected, I’m even more shocked that VCRs were still being made as recently as last year. Movies, television, “content” are all available on any live streaming device. I watch movies on my phone from the air when I travel. It’s a far cry from the good old days of Betamax. The accounting profession is facing the same type of changes as VCR manufacturers. Tax services have already seen the impact of technology with the advent of tax return software. Audit has been a little slower to be impacted – but believe me when I say change is coming. Technology is currently available that allows for automation of a lot of what our staff accountants did as recently as last year. Lead sheets, roll forwards, analytics and even financial statements can be prepared with a click of a few buttons.

Topics: Executive Insight, Audit of the Future

Feb 16, 2017 10:25:45 AM

Don't Let Cyber Risk Derail Your M&A Deal

Headlines around hacking and data breaches have become a regular occurrence over the last few years. When a business loses the trust of its customers, it can be nearly impossible to win it back. Cybersecurity, or the lack thereof, can famously destroy existing companies, but could it also be killing future business deals? The obvious example is Verizon’s potential acquisition of the deeply troubled Yahoo. Despite the flaws at the former tech behemoth, the deal seemed to be progressing forward nicely until it was revealed that one billion Yahoo users had their accounts compromised in 2013.

Topics: Executive Insight, risk management, M&A

Feb 9, 2017 9:50:52 AM

You've Been Breached. Think It Won't Happen Again?

There’s a popular saying in the cybersecurity space, “There’s two types of organizations, those that have been breached and those that don’t know they’ve been breached.” In working with organizations that know they’ve been breached, I’ve noticed a very alarming fact. It’s not their first breach! This left me wondering why and how? How can an organization suffer from one breach and have a second or third similar breach? What did they not learn from the initial breach that would leave them vulnerable to similar subsequent breaches? One of the common themes we see is that they “handled” the first breach themselves or they hired a security consultant with little to no experience in incident response that focused on recovery and not fully understanding how the attack was carried out. This is a very scary reality that we are seeing more and more daily.

Topics: Executive Insight, incident response

Feb 2, 2017 10:00:00 AM

The Victims of Cyber Security Training

It’s harder than you think to identify good talent in cyber security. Whether you’re trying to fill full-time security positions within your organization, or partner with service providers and vendors that can identify vulnerabilities and help maintain resilience, there is an ocean of “get rich/smart quick” schemes that make things more difficult for you. They target up-and-coming information security professionals, and, in turn, leave you with less qualified staff and vendors.

Topics: Executive Insight, cybersecurity training

Jan 26, 2017 10:01:00 AM

An Internet of Hackable “Things” Threatens Your Business

In this column, I try to avoid “buzz words” and jargon. Information security is complex enough without them. The security industry is overrun with companies that intend to confuse you with marketing bullet points, wrapped up as new concepts and trends, in the hopes that you will cut them a check. Meanwhile, you are the one that will bear the ultimate responsibility for risks they know you don’t understand.

Topics: Executive Insight, IoT Security, Internet of Things

Jan 19, 2017 10:00:00 AM

Vendor Management: Ignore at Your Own Risk

In this busy, ever changing business world, management has so many things to worry about that some key business responsibilities often get overlooked. One key area that is front and center on a daily basis, but is often ignored by businesses of all sizes, is the topic of vendor management. It’s hard to identify a business that doesn’t have some form of relationship with vendors. A vendor could be as simple as the person who brings the daily coffee to as complex as the offsite company that manages the servers on which key patient and financial data resides. Though the coffee guy may not have access to any information while on site that could harm the business, vendors that have access to key data for a business could see their names in the headlines if proper security protocols aren’t followed.

Topics: Executive Insight, VENDOR MANAGEMENT

Jan 16, 2017 10:00:00 AM

Being a Compliant Victim of Cybercrime

When I discuss cybersecurity with business leaders, the most common misconception I see involves the role of security compliance. In my last column, I described the reality of cybercrime, a wild frontier of advanced attackers that can critically damage your business with impunity. In this dangerous environment, it’s important to realize that compliance alone will not protect you.

Topics: Executive Insight, cybersecurity

Jan 10, 2017 9:07:34 AM

A Dangerous Shift in Ransomware Targeting

There’s good news for commentators that really “phoned it in” on their 2017 predictions: ransomware is becoming even more of a problem. While you’ll be hard pressed to find analysts who thought otherwise, the reason that malware has become more dangerous may be less obvious to those not in the trenches. It’s time to put the forecasts for 2017 aside and start looking at the reality of what’s being perpetrated against the victims of cybercrime this year.

Topics: Attack Surface, cybersecurity, ransomware

Jan 5, 2017 10:07:00 AM

Why 2017 Could Be the Year of Cyber-Espionage

In this digital age where most businesses are focusing on the disrupt or be disrupted ethos, it seems that most are ignoring an even bigger trend that will affect their organization. In 2016, cybersecurity or the lack thereof played a significant role. The fact that even presidential campaigns were affected by hacking scandals and data leaks illustrates how the question is no longer if you will be breached, but when.

Topics: Executive Insight, cybersecurity, cyber espionage

Dec 29, 2016 3:31:39 PM

Malware Removal Software Company Identified as Acting on the Behalf of Russia: What Does it Mean for You?

President Obama recently issued an executive order in response to Russia’s cyberattacks against the United States. There are sanctions against Russian individuals and entities, and a number of Russian diplomats have been ordered to leave the US within 72 hours. This order is representative of the huge impact that cyber security has on international relations, but less immediately apparent are the implications this has for businesses and individuals.

Topics: Attack Surface

Dec 22, 2016 10:00:00 AM

What Can the C-Suite Learn from the Latest Companies to Suffer Data Breaches?

2016 is ending with another round of major data breaches with online companies such as PayAsUGym, Lynda, and Yahoo.

Topics: Executive Insight, cybersecurity, cyber risk

Dec 16, 2016 10:03:00 AM

The Reality of Cybercrime

Computer networks have given us the ability to operate, communicate, and conduct business more easily today than ever before. It is, however, hard to imagine a more dangerous time for businesses to operate than right now. While technology has provided us with great opportunities, it has also exposed us to attacks that threaten our business operations. At no other time in history has a business stakeholder faced as many criminal threats on a daily basis as we face today.

Topics: Executive Insight

Dec 8, 2016 10:00:00 AM

What Should You Learn From Your Penetration Test?

Having a true advanced penetration test performed on your organization’s infrastructure is one of the fastest ways to gain valuable insight on the state of your security posture. It provides quick situational awareness around where your weaknesses are and *should* provide you with a roadmap on how to approach remediation. In working with clients, one thing we are realizing is that many of our clients believe they have been getting an "advanced penetration test" for years, when in fact they have not. Below are a few hints on how to know if you are truly getting a penetration test of value to your organization.

Topics: Executive Insight, Penetration Testing, cybersecurity, advanced penetration testing

Dec 1, 2016 10:01:00 AM

Compliance Alone Won’t Save You: The Next Attack Will Hit Harder Than the Last

This past weekend, the San Francisco Municipal Transportation Authority (SFMTA) was hit with a ransomware attack that left it unable to process payments for rides. The SFMTA was forced to continue providing service, for free, as they repaired the systems that were damaged in the attack. Even in an incident where the ransomware author was not successful in extorting a payment, the financial impact on the victim can be significant.

Topics: Attack Surface, cybersecurity, cyber risk

Nov 22, 2016 10:00:00 AM

FFIEC Cybersecurity Assessment Tool Frequently Asked Questions

This past month the FFIEC issued a statement to provide clarification on several questions the FFIEC received about the Cybersecurity Assessment Tool (CAT). Since the release of the CAT, and with the statement issued last month, I have received numerous questions from clients that I wanted to share with you to provide insight on its value and use to your management team. So, here are our FAQs:

Topics: Executive Insight, cybersecurity, FFIEC, cybersecurity assessment tool

Nov 10, 2016 10:30:00 AM

Staying Ahead of the Threat

Forrester Research released a report recently which predicted that our President-elect Donald Trump will face a major cyber crisis within the first 100 days of being president. Who knows if that will come to fruition, but one thing is for sure: with the major DDoS attacks recently and the cyber attacks surrounding our election, we are a major target. By we – I mean me, you, American businesses, and America as a whole.

Topics: Executive Insight, cybersecurity, cybersecurity operations center, the threat

Nov 1, 2016 10:00:00 AM

GAO Audit: Can We Learn From Their Mistakes

The old saying “if it ain't broke, don’t fix it” immediately came to mind as I began to look at the audit report from the Government Accountability Office regarding Federal Agency Security. The reason this quote came to mind is that in information security, there are some serious breaks in need of very intentional fixing. It is evident from the amount of information security incidents that have occurred over the past several years that there is much in disrepair. In fact, since 2006, the number of incidents that we know about has risen from 5,503 to 67,168 according to the recent GAO Federal Information Security report. If this isn’t cause for concern I’m not sure what is.

Topics: Executive Insight, Cybersecurity Risk Management, cybersecurity, GAO Audit

Oct 25, 2016 10:00:00 AM

Under the Surface Cyber Risk

Part of my role as a Cyber Risk Analyst is to help companies think through their cybersecurity threats. Like most threats, they lie under the surface and most of the time remain unseen until it's too late.

Topics: Executive Insight, cyber risk

Oct 18, 2016 10:01:00 AM

Where is Your Data? Why Performing a Data Inventory is Integral for Companies in this Digital Age

There’s no denying that the days of printed documents are a distant speck in the rearview. Industries are becoming much more reliant on automated systems and processes versus the manual ledgers and manila files of yesteryear.

Topics: Executive Insight, data security, data storage

Oct 11, 2016 10:00:00 AM

AICPA Exposes Guidance for Cybersecurity Risk Management Examinations

The American Institute of Certified Public Accountants (AICPA) recently released two exposure drafts on criteria for cybersecurity. The first, Proposed Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program, is entirely new. This draft gives organizations guidelines on how to create and document their cybersecurity risk management program. This guidance also sets forth standards for public accounting firms to report on such programs. In other words, this provides clear guidance for CPAs to provide assurance on cybersecurity.

Topics: Executive Insight, Cybersecurity Risk Management, AICPA Guidelines

Oct 4, 2016 10:00:00 AM

Alphabet Soup: Understanding the Qualifications of Risk Management Professionals

You’ve just gotten an email from a potential vendor looking to make a connection. In their signature, following their name is a list of five abbreviations, all intended to make them appear qualified, reputable, and knowledgeable. But what do they actually mean? Are they relevant to the service you are trying to procure? A pilot’s license is crucial for a commercial airline pilot but irrelevant for practicing law. Similarly, technical certifications are outstanding for your IT department, but not so relevant when looking for someone to issue a Service Organization Control (SOC) Report. If you need to provide a SOC Report to your clients or customers, no matter the version you need, you’ll need a CPA. Other organizations may require very specialized certifications, such as Pulse and STAR requiring a CTGA (Certified TR-39 Auditor) to perform ATM and PCI PIN compliance audits.

Topics: Executive Insight, risk management