 

2020 Cyber Crime, Cyber Security Awareness Month

In recognition of National Cyber Security Awareness Month and to foster client awareness of cyber hazards, AAFCPAs’ IT Security professionals have outlined cybersecurity risks and mitigation strategies applicable to 2020 current events.

COVID-19 has changed how businesses operate and has increased IT security risk, especially the risk created by the abrupt shift to supporting remote work. Even when employees are free to return to the office, many will have realized the benefits of remote work and will choose to remain remote. Although remote work has now been under way for months, AAFCPAs still advises clients to assess the cybersecurity risks of their remote workforce and to set a strategy and timeline for mitigating them. These risks include use of the same computer for both work and personal purposes, visits to non-work-related web sites from that machine, connections over an employee’s home network, and the physical security of devices and documents outside the office.

November 3rd is the US presidential election. Events like elections give bad actors, such as opposing political parties, adversarial countries, and others, an opportunity to use social media profiling and social engineering attacks to undermine the integrity of the election process or to collect personal information. Because these messages play on emotions, it is difficult for people to judge which information can be trusted. AAFCPAs advises clients to be wary of information received or served to them, to avoid clicking links in suspicious messages, and to check the facts against at least one other trusted source before forwarding a message or sharing confidential information in response to one. IT departments should continue to make employees aware of the evolving risks of social engineering and should run simulated phishing and vishing (voice phishing) campaigns to identify susceptible employees and train them.

Your vendors can also weaken your security posture. In July, Blackbaud, a cloud software provider serving not-for-profit organizations, disclosed that it had been the target of a ransomware attack in May, during which the attacker copied a subset of customer data before being stopped. AAFCPAs reminds clients that outsourcing may expose your organization to risk and underscores the need for effective vendor due diligence, including requesting System and Organization Controls (SOC) reports, ISO/IEC 27001 certification, or other compliance attestation reports.

As the coronavirus pandemic forced millions of people to stay home over the past few months and Zoom became the video meeting service of choice, Zoom’s security issues quickly became front-page news. It is no real surprise that Zoom and its users were targeted given the spike in demand for the service. AAFCPAs encourages clients to configure collaboration and web conferencing tools with security in mind (for example, requiring a passcode to join a meeting and enabling waiting rooms so the host controls who is admitted) and to fortify their own web applications: conduct web application vulnerability assessments, evaluate change management and software development life cycle processes, and review the Open Web Application Security Project (OWASP) Top Ten for the most prominent classes of web application vulnerabilities.

Your best line of defense in protecting your organization against cyberattacks is employee awareness. October is National Cyber Security Awareness Month, but AAFCPAs advises clients to remain vigilant year-round, assess your cyber security risks regularly, and maintain a cyber-aware community by educating users throughout the year on the risks and consequences of the constantly evolving IT security landscape.

AAFCPAs’ Cyber Security & Technology Assessments help identify risks that could potentially cause information loss and/or financial and reputational harm to your organization. Our assessments also determine whether planned technology acquisitions comply with federal and state laws and company policies for protecting critical data before they are implemented. If you have questions, please contact Vassilis Kontoglis at 774.512.4069, vkontoglis@aafcpa.com; James Jumes at 774.512.4062, jjumes@aafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and System and Organization Controls (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST, for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Vassilis Kontoglis
Vassilis is a highly skilled IT professional with proven expertise in business process improvement and change management, information systems gap analyses, cybersecurity and IT risk assessments, systems selection and implementation, IT auditing, and special attestation reporting (SSAE 18 and SOC 2). Vassilis performs comprehensive and thorough reviews of technology systems and environments, and advises clients on how to use technology to best achieve business goals and objectives. He elicits input from stakeholders at all levels of the organizational hierarchy in order to thoroughly evaluate business performance across functional boundaries. He analyzes current and potential business and IT processes to identify clear opportunities for improvement, which may include streamlining and automation, productivity increases, strategic alignment and cost reductions.