Archive for the ‘IT Audit’ Category

What Would You Do If The Internet Went Dark?

Tuesday, October 25th, 2016

Once again, weak usernames and passwords were to blame, but this time the culprits weren’t individual users: according to United States security researchers, hackers used common internet-connected devices, such as DVRs, webcams and digital recorders, to execute a complex internet-wide attack. Read on to find out what you can do to protect your devices, your cloud-based data and yourself.

These days it’s not uncommon for our lives and our businesses to be managed almost entirely online. From our communications and calendars to our thermostats and security systems, the internet may have made us more efficient, but it has also made us more vulnerable. And these days, the safety of our networks and databases is never guaranteed, a lesson that was made abundantly clear after last week’s massive cyberattack.

Weak Usernames, Passwords Are (Once Again) To Blame

As most of you already know, some of your favorite websites took a hit last week. And as much as you may have wanted to take to Twitter to vent your frustration, you couldn’t. So, what happened? Once again, weak usernames and passwords were to blame, although, unlike in the past, individual users weren’t the primary culprits. According to United States security researchers, hackers used common electronic devices, such as DVRs, webcams and digital recorders, to execute a complex internet-wide attack. This massive distributed denial-of-service (DDoS) attack was made possible by the weak default usernames and passwords shipped in the internet-connected hardware. The devices had been conscripted into a Mirai botnet. Mirai is specifically designed to scan the internet for poorly secured products and then log into them using easily guessable credentials such as “admin” or “12345.” Earlier this month, after the botnet’s source code was released to the hacker community and security experts examined it, it was discovered that the malware works through a list of more than 60 username and password combinations. Officials with Level 3 Communications, a provider of internet backbone services, estimate that this recent attack was likewise the work of Mirai malware, which had infected more than 500,000 devices.

Read Also: Cloud-Based Data Storage Solutions Aren’t Risk-Free

Unlike botnets that typically rely on PCs, Mirai targets internet-connected devices that have weak default passwords, which makes them easy to infect, said Michael Kan, a correspondent for PCWorld. More botnets like Mirai will appear unless the hardware industry moves away from default passwords. Hangzhou Xiongmai Technology Co Ltd, a Chinese electronics component manufacturer, said that because its products inadvertently played a role in last week’s cyberattack it will recall some of the products it sold in the U.S. The company said the security flaws in its products were patched in September 2015 and that its devices now prompt customers to change the default password on first use. However, products running older versions of the firmware are still vulnerable. Users of older versions of the company’s products can still protect themselves by updating the firmware and changing the default username and password, or simply by taking the products offline and disconnecting them from the internet.
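The scanning behaviour described above, as an added example that is not part of the original post: a small Python script that reads an authentication log from a telnet/SSH honeypot or gateway and flags the two things a Mirai-style scanner leaves behind, a source that works through many distinct username/password pairs in a short window, and a successful login that used a factory-default credential. The log format, the IP addresses and every sample line are constructed for this example. The default-credential list contains the two guesses the post names, “admin” and “12345”; the remaining pairs are assumptions for illustration, not Mirai’s actual dictionary.

```python
"""Flag Mirai-style credential guessing in a constructed telnet/SSH auth log."""
import re
from collections import defaultdict, deque
from datetime import datetime

# "admin" and "12345" are the guesses the post names; the other pairs are
# constructed for this example and are not Mirai's real dictionary.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "12345"),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
}

# Assumed log format (constructed for this example): one attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>telnetd|sshd): (?P<result>ACCEPT|FAIL) "
    r"user=(?P<user>\S+) pass=(?P<password>\S+) src=(?P<src>[\d.]+)$"
)

# Constructed sample, not a real capture: one source hammers the device with
# six different credentials in ten seconds and gets in with admin/12345; a
# second source makes two slow guesses; a third logs in with a real password.
SAMPLE_LOG = """\
2016-10-21T11:00:00 telnetd: FAIL user=root pass=admin1234 src=203.0.113.7
2016-10-21T11:00:02 telnetd: FAIL user=root pass=password src=203.0.113.7
2016-10-21T11:00:04 telnetd: FAIL user=admin pass=admin src=203.0.113.7
2016-10-21T11:00:06 telnetd: FAIL user=root pass=root src=203.0.113.7
2016-10-21T11:00:08 telnetd: FAIL user=user pass=user src=203.0.113.7
2016-10-21T11:00:10 telnetd: ACCEPT user=admin pass=12345 src=203.0.113.7
2016-10-21T11:03:00 telnetd: FAIL user=admin pass=admin src=198.51.100.5
2016-10-21T11:09:00 telnetd: FAIL user=root pass=root src=198.51.100.5
2016-10-21T11:15:00 sshd: ACCEPT user=operator pass=Lk3%hq!v src=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(lines, threshold=5, window_seconds=60):
    """Return credential-guessing bursts and default-credential logins.

    A source is reported as a burst when it tries at least `threshold`
    distinct username/password pairs within any `window_seconds` span,
    which is the signature of a dictionary scanner rather than a user
    mistyping a password. Successful logins with a known default pair
    are reported separately: that device is compromised, or at best
    still running factory credentials.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, (user, password))
    bursts = {}                   # src -> most distinct pairs seen in one window
    default_logins = []           # (timestamp, src, user) for ACCEPTs with default creds

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        src = event["src"]
        cred = (event["user"], event["password"])

        window = recent[src]
        window.append((event["ts"], cred))
        # Drop attempts older than the window (log is assumed time-ordered).
        while (event["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()

        distinct = len({c for _, c in window})
        if distinct >= threshold:
            bursts[src] = max(bursts.get(src, 0), distinct)

        if event["result"] == "ACCEPT" and cred in DEFAULT_CREDENTIALS:
            default_logins.append((event["ts"].isoformat(), src, event["user"]))

    return {"bursts": bursts, "default_logins": default_logins}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for src, count in findings["bursts"].items():
        print(f"credential-guessing burst from {src}: {count} distinct pairs")
    for ts, src, user in findings["default_logins"]:
        print(f"default-credential login at {ts} from {src} as {user}")
```

Run as-is and the script reports one burst (six distinct pairs from 203.0.113.7) and one default-credential login from the same source; the slow second source stays under the threshold. Most consumer devices keep no usable login log at all, which is why this kind of check belongs on a gateway, honeypot or syslog collector in front of them, and why changing the default password is still the control that matters.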

Protect Your Devices

Do you own a device that connects to the internet? Take the following precautions to prevent a hacker from infiltrating your system:

  • Check for updates regularly.
  • The first time you pull your device out of the package, change the password.
  • Disable features and services that you don’t need or won’t use.
  • Turn off your devices when they aren’t in use.
  • Pay close attention to your privacy settings.

Protect Your Cloud-Based Data

Individuals and businesses often consider cloud-based data storage solutions to be more secure, but the way I see it, if it’s online, it can be hacked, regardless of how many safety protocols you may have in place. Criminals continue to look for new ways to infiltrate our online devices; therefore, it is reasonable to assume that they are looking for cracks in cloud-based security solutions as well. The article linked above will give you more insight into the risks you may be taking on if you were to move all your data to the cloud.

Protect Yourself

For more information and insight about protecting yourself online, read my comprehensive whitepaper: Cybercrime: The Invisible Threat That Haunts Your Business.

By Joe Welker, CISA (New Philadelphia office)

Check out these articles for more helpful cybersecurity insight:

Top 5 Reasons Why Every Business Should Have A Business Continuity & IT Disaster Recovery Plan

How To React To A Data Breach

Can A Cybercriminal Crack Your Company’s Network?


Help The FBI Find A Defense Against Ransomware

Monday, September 19th, 2016

The FBI recommends users consider implementing prevention and continuity measures to lessen the risk of a successful Ransomware attack. Keep reading to find out how you can help the FBI combat the threat of Ransomware.

The FBI recently released a public service announcement urging victims of Ransomware attacks to come forward and report these cyber infections to federal law enforcement. Doing so, the FBI said in a statement, will “help us gain a more comprehensive view of the current threat and its impact on U.S. victims.”

Read Also: Could Your Company Be Ransomware’s Next Victim?

A Closer Look At Ransomware

Ransomware is a computer infection programmed to encrypt all files of known file types on your computer and on your server’s shared drives, making them inaccessible until a specified ransom is paid. It is a very real threat to businesses nationwide. Infection usually happens when a user clicks on a malicious link, opens a fraudulent email attachment or unknowingly picks up a high-risk automatic (drive-by) download while browsing the web. Once files have been encrypted, it is all but impossible to regain access to them without the key. Upon discovering that your computer has been infected, you have two choices. You can either:

1)     Restore the machine by using backup media, or

2)     Accommodate the hacker’s demands and pay their ransom.

And both options are less than ideal.

What To Do If Your Company’s Network Becomes Infected

Ransomware infections were at an all-time high in the first several months of 2016, according to various cybersecurity companies, and because new Ransomware variants are emerging regularly, the FBI needs your help to determine the true number of Ransomware victims.

“It has been challenging for the FBI to ascertain the true number of Ransomware victims as many infections go unreported to law enforcement,” the agency stated in its recent announcement. “Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment. Additionally, those who resolve the issue internally either by paying the ransom or by restoring their files from back-ups may not feel a need to contact law enforcement.”

Read Also: How Much Is Your Data Worth To Criminals?

Reporting a Ransomware attack on your company’s network is not only beneficial for you; the information you provide will also help the FBI as it works to identify ways to prevent future attacks. Your reports will:

  • Provide law enforcement with a greater understanding of the threat
  • Help justify Ransomware investigations
  • Contribute relevant information to ongoing Ransomware cases

Help Arm The FBI With Information

The recent PSA released by the agency requests that all Ransomware victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center. Be sure to have the following details available and ready to provide to the respondent when prompted (if applicable).

  1. Date of Infection
  2. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  3. Victim Company Information (industry type, business size, etc.)
  4. How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  5. Requested Ransom Amount
  6. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  7. Ransom Amount Paid (if any)
  8. Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  9. Victim Impact Statement

The FBI recommends users consider implementing prevention and continuity measures to lessen the risk of a successful Ransomware attack. Click here to read the FBI’s complete announcement.

To learn more about protecting your business from cybercrime, download the free whitepaper, “Cybercrime: The Invisible Threat That Haunts Your Business.”


Summer May Be Over But Top Blog Posts Are Always In Season

Friday, September 2nd, 2016

I don’t know about you, but September seemed to come out of nowhere! But fear not. Even though summer is officially over, we still have a lot to celebrate – like all those great blog posts we featured on Dear Drebit last month! So, before we officially make the leap into fall, join me as I take a look back at some of the top posts business owners were reading in August.

  1. Get Ready, Get Set, Get Shopping! Were you one of the many shoppers flooding stores the first weekend in August in search of some great back-to-school bargains? If so, then you were able to take advantage of this year’s Sales Tax Holiday. Missed it? That is ok, read on to learn more about it and how you can take advantage of these savings next year.
  2. How To React To A Data Breach It was 2013 when a medium-sized library in Ohio found itself in the midst of a data breach that would later serve as a powerful case study warning against the very real threat of electronic fraud. While originally developed by the Ohio Auditor of State’s office as a tool for government entities throughout the state, Cash Management 240: Financial Fraud – A Case Study, has found usefulness beyond just the government sphere. Read more about it now!
  3. Did Fraudsters Counterfeit Your Organization’s Checks? The internet can be a valuable tool for so many honest, well-meaning people. Unfortunately, it can also be a playground for fraudsters. Keep reading to find out how fraudsters are counterfeiting checks.
  4. How Can You Track Use Tax in QuickBooks? Did you file for use tax amnesty with QuickBooks? How are you going to track it daily going forward? The answer is as simple as 1-2-3.
  5. Could An FSA Bring Value To Your Business’s Benefit Plan? Does your company’s benefit package feature access to a Flexible Spending Account? Have you considered adding one in the past but still have questions? As health costs continue to rise, we continue to learn more and more about how this pre-tax health benefit can help level the playing field for employees. But in order to get maximum benefit from this incentive, your team needs to know what it’s capable of doing. Read on to learn more.

Did we leave you wanting more? Great! We love to hear from you about what information or updates you are looking forward to seeing this month. Just reach out to us with your question or topic and one of our accounting and business consulting experts may pick it up for a future post!


How To React To A Data Breach

Tuesday, August 2nd, 2016

Would you be able to effectively manage the fallout of a data breach? If you aren’t sure, keep reading.

It was 2013 when a medium-sized library in Ohio found itself in the midst of a data breach that would later serve as a powerful case study warning against the very real threat of electronic fraud. While originally developed by the Ohio Auditor of State’s office as a tool for government entities throughout the state, Cash Management 240: Financial Fraud – A Case Study, has found usefulness beyond just the government sphere.

Leaders of not-for-profit organizations and for-profit business owners would also find value in this resource, which outlines:

  • the events that resulted in the occurrence of the data breach,
  • the reaction of entity officials during and after the breach was detected, and
  • the short- and long-term outcomes that resulted from the breach.

While I strongly recommend that you read the entire case study, I provide a brief overview of the story below.

How would you respond to a data breach?

Library officials were notified of the occurrence of fraudulent activity impacting the entity’s checking account in March of 2013. According to the bank, the fraudulent activity appeared to be limited to three transactions, totaling $144,743. Fortunately, bank officials were proactive in their efforts to recall the transactions.

In an effort to avoid further fraudulent activity, library officials disconnected the accounting workstations from the entity’s network and contacted their technology vendor, who advised the library to reformat both accounting workstations immediately. Soon thereafter, library officials contacted the local police to report the incident, closed the entity’s existing bank accounts and opened new ones, and notified employees and the board of directors of the data breach.

Due to the nature of the breach, it didn’t take long before the Ohio Auditor of State’s office and the FBI were notified of the incident as well. And, in an effort to try and reclaim some of the money that was stolen, a claim was filed with the entity’s insurance carrier. Finally, the library’s bank was able to successfully recover $54,910 of the amount that was stolen. In 2014, when the case study was released, the library was still in the process of negotiating with the bank regarding $89,833 that was still missing.

So, what do you think? Would you say that the library officials were effective in their management of the data breach? What would you do if your company or nonprofit found itself in a similar situation?

Well, according to the FBI, the library could have handled the situation better. For example, the library should not have reformatted the workstations: doing so wiped the evidence investigators would have needed to determine how the attackers got in. The FBI and local police should have been contacted immediately. And finally, the entity should have followed all of the instructions mandated by the bank to eliminate the possibility of such fraudulent activity.

Since its 2013 data breach, the library:

  • Is now required by the bank to follow the ACH Originator Agreement.
  • Has designated one stand-alone PC to be used for online banking.
  • Has requested online access from only one IP address.
  • Has purchased a cybercrime policy.
  • Has revisited its banking RFP to include a section regarding online banking security minimums.

Do you have a plan to help deter cybercrime?

The above scenario is just one of the countless cybercrimes that occur every day, and every type of business, entity and organization is being impacted. If you don’t have a plan in place to help prevent cybercriminals from infiltrating your network and stealing your data for financial gain, or a strategy to recover once a breach has been identified, you are in a very vulnerable position.

I believe that in order to protect against a cybercrime attack, it’s important to be armed with as much knowledge as possible. On Sept. 7, 2016, FBI Agent David Fine will be the featured presenter of part two of the Columbus Cybersecurity Series. During this portion of the presentation, attendees will hear real-life examples of attacks on businesses, including what schemes are prevalent today. Audience members will also discover the very real impact these attacks have on companies and what they can do to deter an attack from occurring in their own business or organization.

The Columbus Cybersecurity Series is free to attend, but registration is required. You can RSVP here.

By Joe Welker, CISA (New Philadelphia office)


Join The Fight Against Identity Theft & Income Tax Fraud

Friday, January 29th, 2016

Income tax identity theft and refund fraud has become a huge problem over the last few years; and while billions of dollars are finding their way into the pockets of fraudsters, the IRS is working hard to shut down these schemes.

The IRS paid roughly $5.8 billion in fraudulent refunds to identity thieves over the course of the 2013 filing season. While that is a huge number, it could have been a lot worse. During the same time period, the amount the IRS successfully prevented or recovered totaled around $24.2 billion. But these statistics only take into consideration the fraud we know about.

Identity theft isn’t just a threat during tax season; scammers are exploiting a lot of cracks in your armor. Listen to episode 12, The Great Data Saver, on unsuitable on Rea Radio for insight from Joe Welker, CISA, Rea’s IT Audit Manager.

The Unknown Number

While it is nice to know that the IRS is working hard to prevent identity theft and refund fraud, the truth is that we don’t yet have all the information needed to determine how bad the income tax fraud epidemic really is. This means we remain at risk of becoming fraud victims again this tax season. If we knew how many fraudulent tax returns went on to be processed and how many billions of dollars were paid out to scammers looking to make a quick buck, we could finally make some educated assumptions about the likelihood of being defrauded out of a refund check.

I don’t like not having all the necessary information.

Read Also: Ohio Department of Taxation Stops Thieves From Stealing Millions

This year, income tax fraud is expected to be higher than ever. This video, produced by abc6 out of Columbus, Ohio, shines more light on the topic of identity theft in Ohio.

Calling In Reinforcements

The IRS has realized that identity theft and refund fraud are threats that are showing no signs of going away. So the agency has requested help. The Internal Revenue Service, in cooperation with state tax administrators and tax industry leaders, has formed a public-private sector partnership to identify and test more than 20 new data elements on tax return submissions that will be shared with the IRS to detect and prevent fraudulent filings. The software industry is doing its part by putting enhanced identity validation requirements in place to protect customers and their personal information from identity thieves.

As of October 2015, 34 state departments of revenue and 20 tax industry members have signed memorandums of understanding regarding the coalition’s roles, responsibilities and information sharing measures. More states are expected to sign on later.

Taxpayers Are Encouraged To Fight Back Against Fraud

Over the last three years, the IRS has initiated more than 3,000 fraud investigations. Those investigations have led to the conviction of close to 2,000 thieves, who were sentenced to around 40 months in prison apiece. But there is still much to be done. The IRS is doing its part. We as taxpayers have to do ours.

In January, the IRS launched the “Taxes. Security. Together.” initiative to educate taxpayers on income tax identity theft and ways they can safeguard their information and protect themselves. According to the agency, there are several ways you can protect yourself from identity theft – especially during tax season:

  • Keep your computer secure
  • Avoid phishing email and malware
  • Protect your personal information

Above all, choose your tax preparer wisely and make sure they take their responsibility to safeguard your information very seriously. A tax preparer can also help if you do encounter a situation in which your information could be compromised.

By Ashley Matthews, CPA (Dublin office)

Want to take steps to ensure that you won’t be a fraud victim this year? These articles feature information that can help.

Should I still be concerned about identity theft and tax fraud?

How can you protect yourself from tax fraud

Identity Theft Prevention: Tips To Reduce Your Risk of Becoming a Victim

How To Recover From Identity Theft & Refund Fraud


Dude, You’re Getting … Hacked

Wednesday, January 20th, 2016

Could Your Computer Make You A Target For Fraudsters?


Learn how to keep your computer safe from this new scam.

There is a new scam making the rounds and if you have a Dell computer you could be at risk.

KnowBe4 recently published a blog post informing users of the newest security issue, which has apparently left owners of Dell computers vulnerable to scammers who were able to obtain each computer’s unique service tag ID (the sticker on your desktop or laptop) from Dell’s database.

Read Also: WARNING: Tis The Season To Practice Safe Online Shopping Habits

The fraudsters then call potential victims, claim there is a problem with the victim’s computer, and use the stolen tag information to establish credibility before asking for access to the machine. Once the fraudster convinces the victim to grant remote access to the desktop or laptop to “fix” the problem, the scam is complete and the security of the victim’s personal information has been compromised. In other words, your personal information (such as credit card numbers, banking information, Social Security number, contact information, etc.) is no longer personal.

Dell has said that the company is investigating the issue but, at this time, offers little to no explanation for the alleged breach. Rather, the company is quick to point customers to this October 2, 2015 post advising of tech support phone scams.

According to the KnowBe4 blog post, this scam is similar to a Microsoft tech support scam where fraudsters call PC users with a similar request – to be allowed to gain remote access to a computer to fix an alleged problem.

“End-users gullible enough to give access to their workstations (usually via remote software) are billed hundreds of dollars on their credit card, but the scammers, of course, don’t fix anything – in some cases their PCs are infected with ransomware until they pay up.”

Protect Yourself

This is a great time to educate yourself and your employees about ways to keep your company’s data, computers and other devices safe. For example, if you get a suspicious call, refrain from providing any information to the caller. Instead, insist that you will call them back. When you do return the call, use a phone number you know to be accurate, or visit the company’s website for the phone number. Never call back the number that shows up on your caller ID; caller ID is easily spoofed. Searching the number in Google can also help, because numbers used in scams are often reported by others, but it is not a substitute for calling back on a number you already know to be genuine.

Have you been a victim of identity theft? Read on to start recovering today.

It seems that a new scam pops up every week. Fortunately, education and a little common sense are the key to ensuring your safety.

Would you like help putting controls in place to protect your business from being victimized by an opportunistic hacker? Email Rea & Associates and request to speak with a member of our IT audit team. For more tips and insight, take a look at the related articles below.

By Steve Roth, IT Director (New Philadelphia office)

Want more security tips for your business, check out these posts:

Stop Criminals From Hijacking Your Identity With These Top 5 ID Theft Prevention Posts

Then And Now: Data Security In America Since The Target Breach

Who Is That Email Really From?


Egg Nog & Tax Tips: Top 5 Posts In December

Wednesday, January 6th, 2016

December is such an exciting time. Shopping, baking, decorating and spending time with family and friends celebrating keeps a frog busy. But, in-between the office parties and family gatherings, the team and I were still able to address some of your end-of-the-year questions and concerns.

From the updates we received from our pals over on Capitol Hill to year-end tax tips, there was certainly a lot to write about this month. These were the top-read posts in December.

  1. Easy Year-End Tax Tips For Business Owners: There’s no doubt about it, this time of year is busy! I’m willing to bet that sitting down at the computer to research tax deductions is the last thing on your mind. You’re in luck! We’ve done the work for you. Click here for some great tips, deductions and insight that will help you keep more of your hard-earned money in your bank account.
  2. Employers: Are You Ready To Change The Way You Withhold Municipal Tax Payments?: Ready or not, all Ohio municipalities will be welcoming a slew of new provisions designed to bring about a unified system of income tax reporting. House Bill 5 was signed into law by Gov. Kasich on Dec. 19, 2014. The bill, which was championed by the Ohio Society of CPAs and supporters, helped streamline several key measures that help establish meaningful municipal tax reform. Per the legislation, many key provisions went into effect Jan. 1 of this year. Read on for four facts about the changes you need to know.
  3. Congress Gives Taxpayers An Early Christmas Present: Year after year, Congress promises to address the future of many expired tax provisions, and year after year they fail to make a definitive decision – opting only to pass legislation that extends the provisions for another year. In the meantime, taxpayers are expected to take on the impossible task of navigating the terrain amidst legislative uncertainty. Happily, things are about to change. Read on to learn why.
  4. How Far Back Can The IRS Go For Tax Auditing? – As a CPA I’m frequently asked, “How far back can the IRS look to audit my tax return?” That’s a great question. Can the IRS go back and audit your tax return from five years ago? 10 years ago? 25 years ago? Before you start to panic, rest assured that the IRS has a statute of limitations in place that generally puts a limit on the time allowed to audit you and assess additional tax. Keep reading to find out how far back they can go.
  5. Cyber Crime: It Can Happen To You: Fraudsters don’t take holidays. In fact, they tend to be more active this time of year because they believe we are more likely to let our guards down. I don’t intend on falling for any of their traps, and I encourage you to do the same. Check out what you can do to protect yourself.

Now that December is history, let’s look forward to a great 2016. Stay tuned as we provide you with the latest and greatest news in the business and financial world. While you’re at it, don’t forget to subscribe to our blog to receive email reminders when new stories are posted.

You can also ask your own question by filling out the simple form at the top, right side of this page.

Finally, remember that the team at Rea is always available to discuss your specific business issues in more depth. All you have to do is email Rea & Associates and we would be happy to set up a time to talk more.


Business Leaders Were Reading What?!

Monday, December 28th, 2015

2015’s Most Popular Blog Posts

If you take a moment to scroll through the list of categories, authors and archives on the right-hand side of this page, it’s pretty clear to see just how active Rea’s team of experts is when it comes to providing leaders in the business community with accurate, timely and easy to digest content. We are fortunate to have so much experience and expertise on our staff, and their eagerness to serve you better has allowed us to maintain a bi-weekly electronic newsletter, a quarterly print newsletter, three blogs and a handful of electronic segment-specific newsletters. That’s a lot of content – but we are not even thinking about slowing down! I hope you hang around my lily pad for a while. I’m pretty sure you’ll find a lot of great little tidbits to read about in 2016 too. Until then, I want to invite you to take a look at some of our most popular blog posts and articles. And, if you haven’t already, take a moment to look through the newsletters we offer and sign up to have news, tips and valuable information delivered to your inbox all year long!

Top 5 Dear Drebit Posts In 2015

Dear Drebit is updated every few days with timely information and advice. In addition to covering current trends and issues, readers are also invited to ask financial and business questions on the page, which will be answered by one of Rea’s industry experts. Here are last year’s top posts:

  1. How Far Back Can The IRS Go For Auditing?
  2. Theft Safeguards To Cause Tax Return Delays In Ohio
  3. Six Things 401K Plan Sponsors Need To Do Now
  4. New Adjustments Will Affect Your 2015 Tax Return
  5. File Faster With This Tax Prep Checklist

5 Most Popular Posts On Brushing Up Blog

Brushing Up: The Dental Accounting Blog features a variety of finance and business advice specifically tailored to dental professionals. From purchasing a practice, knowing what to expect from a career in dentistry and hiring the best staff for your practice to general accounting advice, tips for cashing out at retirement and tax tips, this blog is a valuable tool for dental professionals who are looking for ways to secure long-term success in their career. The year’s most-read blog posts are:

  1. How Sales & Use Taxes Apply To Ohio Dental Practices
  2. 6 QuickBooks Tips Every Dentist Should Know
  3. Could A Crown Be A Tax Deduction?
  4. 10 Year-End Tax Planning Strategies For Dentists
  5. Buying An Established Dental Practice? Master The Changeover 

Cultivating Your Business Readers Choose Top 5 2015 Posts

The Cultivating Your Business blog is a resource provided to clients and visitors on the firm’s Know & Grow website. Updated a few times per month, business owners have access to advice, tips and general insight into how to grow their businesses and realize an optimal return on their investment upon retirement. Here are the top blog posts from last year:

  1. Bad Buy-Sell Agreement Claims Another Family Dinner
  2. Will Your Summer Reading List Make You A Better Business Owner?
  3. WARNING: Free Business Valuation Offer Is Unbelievable
  4. Uncover The Secrets To Cashing In On Your Business
  5. How To Communicate To Your Employees That You’re Selling Your Business

Top 10 Articles In Rea’s Library In 2015

In addition to our blogs, the Rea team publishes a lot of other valuable content in print and electronic newsletters. We make sure that all these articles are easily accessible in our article library. This is where you will find many of our niche pieces as well as a lot of general accounting tips and insights. Take a look at some of our most popular posts over the last year.

  1. What Is The Mid-Quarter Convention?
  2. Dangers Of Paying Under The Table
  3. Revenue Recognition Changes Are Coming
  4. Football Ticket Deductions
  5. 401K Loans And Keeping Your Plan In Compliance
  6. Take Control Of Your Vendor Master In Nine Steps
  7. Why Your Traditional Employee Management Method Is Failing
  8. The Birth Of The Taxpayer’s Estate
  9. Parting Is Such Sweet Sorrow: But What About Your 401K?
  10. Purchasing Cards Compromise Business Security

National ID Theft Awareness Month: Get in the Know

Saturday, December 26th, 2015

Stop Criminals From Hijacking Your Identity With These Top 5 ID Theft Prevention Posts


Identity theft is a scary thing and you don’t want to become a victim. Take some steps now to protect yourself in the future.

December is National ID Theft Awareness Month and the fraud prevention team at Rea is a wealth of information when it comes to sharing great tips to help taxpayers protect their identities from fraudsters. Instead of scrolling past posts in our expansive article library or award-winning blog, we’ve compiled this Top 5 list to make your search for information easier. Read on to discover how you can prevent cyber criminals from hijacking your identity all year long.

Read Also: Let’s Talk About The F-Word

  1. WARNING: Tis The Season To Practice Safe Online Shopping Habits: While it may be the most wonderful time of the year, cyber criminals are looking for ways to stuff their own stockings – at your expense. The holiday season is also a busy time of the year for scammers because, in general, more money is being spent and more people are clicking through cyberspace for the best deals and tracking their purchases. Find out what you can do to keep your identity safe this Holiday season.
  2. Cyber Crime: It Can Happen To You: Fraudsters don’t take holidays. In fact, they tend to be more active this time of year because they believe we are more likely to let our guards down. I don’t intend on falling for any of their traps, and I encourage you to do the same.
  3. Malware Threat Spreads To Smart Phones: Researchers and IT security experts from ESET, a global IT security company, recently announced that they had discovered a malware application designed to encrypt files and change PINs on Android devices in the United States. Victims are then told to pay up to $500; only then will the hackers provide the recovery key. Keep reading to learn how you can protect yourself.
  4. Should I Still Be Concerned About Identity Theft And Tax Fraud?: Identity theft and tax fraud are problems that show no signs of stopping. In 2015, in an attempt to provide an added layer of protection, taxpayers in Ohio had the opportunity to get up close and personal with the Ohio Department of Taxation’s (ODT) newest fraud safety measure – the Identification Confirmation Quiz. Read on to see how this quiz has helped reduce fraud in Ohio.
  5. How To Recover From Identity Theft & Refund Fraud: Suspecting, and then confirming, that you’ve had your identity stolen is a nightmarish scenario. It combines one of your worst fears, losing your wallet or purse, with all of the work of replacing the things that were lost. It can be so overwhelming you might be wondering: “Where do I even start?” We can help you answer that question.


Want to learn more about keeping your identity safe? Email the team at Rea & Associates; our fraud prevention specialists can be an important part of keeping your information protected.

By Joe Welker, CISA (New Philadelphia office)

Looking for tips to secure your business from fraudsters? Check out these posts:

Fraudulent Credit Card Transactions Will Become Merchant’s Problem On Oct. 1

Who Is That Email Really From?

Businesses Beware: Sloppy Data Security Could Cost You


WARNING: Tis The Season To Practice Safe Online Shopping Habits

Tuesday, November 17th, 2015

Keep your online Holiday shopping secure with these five tips from KnowBe4.

While it may be the most wonderful time of the year, cyber criminals are looking for ways to stuff their own stockings – at your expense. The holiday season is also a busy time of the year for scammers because, in general, more money is being spent and more people are clicking through cyberspace for the best deals and tracking their purchases. KnowBe4 recently published a blog about the top five scams shoppers should be on the lookout for, and I wanted to pass these on to our readers. Consider the following information to be an early gift from me to you, and hopefully your bank account can welcome the New Year unscathed.

Read Also: Malware Threat Spreads To Smart Phones

1. Post-Thanksgiving Madness (otherwise known as Black Friday and Cyber Monday)

Thanksgiving is just around the corner, which means shoppers are already planning their early-morning shopping strategies. Sure, there are great deals up for grabs, but there are also scammers looking forward to feeding on the hype in the hope that you will let your guard down. Believe it or not, it can be pretty easy to mistakenly fall for offers that appear to be too good to be true, simply because we have become conditioned to believe that such deals are part of the overall allure. Tip: Before completing the transaction, visit the retailer’s actual website to make sure the deal is valid.

2. Don’t Miss This Deal – Your Facebook Friend Didn’t

Just because one of your friends shared a coupon or voucher on Facebook or another social media site, doesn’t mean it’s legit. In fact, hacked social media accounts are pretty common. Scammers like this approach because they know that you are more willing to take the bait if the scam comes from somebody you trust. If one of your friends is guilty of passing along some of these not-so-helpful posts, give them a call or send them a text to find out more. Chances are, you will be the one helping them out by letting them know that their account has been compromised. 

3. What Do You Mean ‘There’s A Problem’?! 

You’ve shopped, dropped and paid for two-day shipping and it looks like you will have your gifts in time for the next family gathering. But then your inbox gets hit with an urgent message from UPS or FedEx notifying you that there may be a problem with the delivery of your package. Fortunately, the email includes a link for you to click on to get the issue resolved. STOP! This is a common phishing scam. Scammers will often use this tactic in the hopes that you will click on the link. Before you know it, your computer has been infected with a virus … or worse – ransomware.

4. Click Here For A Refund 

Similar to the UPS/FedEx scam identified above, this tactic is another attempt to get the unsuspecting consumer to click on an infected link. In this scenario, you might receive an email from a major online retailer – Amazon, eBay, etc. – with the message that there’s a “wrong transaction,” which requires you to click on a link to secure your refund. Instead of a refund, when you click on the link you will receive the gift of a security breach. Clicking on these links simply opens the door for scammers to access your personal information, which will then be sold to the highest bidder and used against you later.

5. Use The Force Against Phishing Scams 

Wouldn’t it be nice to win tickets to see Star Wars: The Force Awakens when it is released on Dec. 18? Sure, but given what you know now, would you be willing to take the risk and click on the link in your email to find out if the offer is real? Scammers use a variety of tactics to get you to make a mistake. This scam, for example, is another way popular culture is being used against unsuspecting victims. 

Remember, whether it’s a deal, contest, sale, or any other type of offer, if it looks unbelievable or questionable (even if it appears to have been sent from a trusted source), don’t click on the link or open an attachment. If you have doubt, delete! KnowBe4 also offers readers two other great tips to keep your private information and your bank account safe 365 days a year:

  1. Never use a debit card online. Cyber criminals can (and will) wipe out your bank account in seconds once they gain access. You can protect yourself by using a credit card.
  2. Never use your credit card to shop when your computer is connected to an insecure public Wi-Fi network. All online shopping should be done over a secure, private internet connection.

By Steve Roth, IT Director (New Philadelphia office)

Want to learn more ways to keep your computer and personal information safe? Check out these articles:

Who Is That Email Really From?

Who’s Phishing Your Data Today?

How Much Is Your Data Worth To Criminals?


Drebit’s Top 5 Insights In September

Friday, October 2nd, 2015

Sharing top financial and business news keeps a frog busy. In September he helped get the word out about new changes within the credit card industry, fraud, cyber security … and even shared a little bit of personal finance advice.

Top 5 Insights

But, what were you reading? Great question! Below is a quick recap of the top blog post from September. If you haven’t already, take a look. Some of these tips could save you and your business a lot of money!

  1. Fraudulent Credit Card Transactions Will Become Merchant’s Problem On Oct. 1 – As of Oct. 1, 2015, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you (the merchant) fail to adopt EMV technology, your business will be responsible for any loss that results from a fraudulent transaction. Is your business ready?
  2. Who Is That Email Really From? – E-mail Account Compromise (EAC) is a sophisticated scam that uses legitimate email accounts that have been compromised to target unsuspecting victims, oftentimes tricking even the most tech-savvy individuals. Want to know how to protect your email? Read on.
  3. 5 Financial Secrets Of Successful Business Owners – After following through with a 13-week cash flow for almost a year, you will have better insight into how to spend your profits to help your business generate additional cash and sales. Want to learn more? Check out Rea’s podcast, Unsuitable on Rea Radio.
  4. Will EMV Technology Change The Online Payment Option? – Does a company that doesn’t physically swipe credit cards have to worry about increased liability when the new EMV rules are implemented in October? The answer might surprise you.
  5. How Far Back Can The IRS Go For Tax Auditing? – As a CPA I am frequently asked, “How far back can the IRS look to audit my tax return?” That’s a great question. Can the IRS go back and audit your tax return from five years ago? 10 years ago? 25 years ago? Before you start to panic, rest assured that the IRS has a statute of limitations in place that generally puts a limit on the time allowed to audit you and assess additional tax. Keep reading to find out how far back they can go.

Drebit is glad that you’ve been finding the tips and insight shared on his blog to be valuable, and we want to keep providing you with the information and advice that matters most to you. So, if you’ve got a burning financial or business question, ask away. Drebit – and the bright team at Rea – is here to help!


Will An Audit Find Fraud In My Business?

Thursday, September 10th, 2015

Your annual audit isn’t designed to detect fraudulent activity, but if suspicious transactions are discovered, a fraud detection expert should be called in.

For the same reason you wouldn’t expect your eye doctor to repair your tooth, you shouldn’t depend on your annual audit to detect occupational fraud in your business. A financial statement audit validates your financial records and provides reasonable assurance that they are materially accurate. It does not look for fraudulent activity.

Of course, if your auditor comes across suspicious transactions or questionable information, they will certainly share their findings with you. In addition, a good auditor will be able to recommend a fraud detection expert to help you dig deeper into the questionable activity.

So, if your audit won’t detect fraud, how will you know if it’s happening in your organization? 

According to the Association of Certified Fraud Examiners’ Report to the Nations on Occupational Fraud and Abuse, only 3 percent of the nearly 1,500 reported cases of occupational fraud were detected by an external audit. According to the study, employee tips continue to be the most common way in which fraudulent activity is reported – usually through a fraud reporting hotline.

Your employees are likely honest, hard-working individuals who would never do anything to jeopardize your business. But until you empower them with a secure, anonymous outlet to report this behavior, you will never truly know for sure.

Are you serious about protecting your business from fraud? Learn more at www.reacpa.com/red-flags or contact me directly.

This article was published in the September 2015 issue of Columbus Business First – Ask The Expert.


Businesses Beware: Sloppy Data Security Could Cost You

Wednesday, August 26th, 2015

As if you didn’t have enough keeping you up at night, the topic of data security continues to send collective shivers up the spines of business owners worldwide. Unfortunately, the Aug. 24 ruling by the United States Court of Appeals for the Third Circuit didn’t make matters any better (or less expensive) for businesses guilty of failing to protect their customers’ data. In fact, companies that utilize poor security practices that ultimately lead to a breach of consumer data are at risk of facing further disciplinary action and penalties.

Read Also: How Prepared Is Your Business For A Potential IT Disaster?

What does the FTC’s Courtroom Win Mean To Business Owners?

If you haven’t taken data security seriously in the past, it’s time to get real serious about it real quick.

Prior to the ruling, companies at the center of a data breach had to battle with lawsuits while working to rebuild their reputations. Now, in addition to litigation and negative headlines, your organization must also risk being fined by the Federal Trade Commission (FTC). Businesses can no longer operate with a subpar data security infrastructure. Those that do are at risk of losing everything.

The court upheld the FTC’s 2012 lawsuit against Wyndham Worldwide, a company known for operating hotels and time-shares. Records show that the FTC filed complaints against Wyndham for three data breaches occurring in 2008 and 2009, which resulted in more than $10.6 million in fraudulent charges. In its decision, the appeals court reaffirmed previous rulings that found Wyndham to be responsible for implementing better security practices, which would have helped prevent such breaches from occurring in the first place.

According to the FTC’s argument, software used at Wyndham-owned hotels stored credit card information as readable text, hotel computers lacked a system for monitoring malware, there was no requirement for user identification or for passwords that would be difficult for hackers to guess, the company failed to use firewalls and, ultimately, failed to employ reasonable measures to detect and prevent unauthorized access to the computer network or to conduct security investigations.

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Next Steps For Businesses

With regard to the case between the FTC and Wyndham, the next chapter of the story is uncertain. While the win in the courtroom has helped put some wind in the FTC’s sails, the commission has yet to levy any penalties against the defendant. What is clear, however, is that a data security breach is a very real threat – one that is felt by nearly every business in the world. Furthermore, as technology continues to advance and hackers adapt, the security procedures businesses deploy must be top-notch to avoid the further complications and costs associated with a sloppy security infrastructure.

Will you be ready when disaster strikes? Email Rea & Associates today to learn what you can do to protect your business from unforeseen threats.

By Joe Welker, CISA (New Philadelphia office)

Want to learn more about how to protect your business from a data security crisis? Check out these articles:

Could Your Company Be Ransomware’s Next Victim?
Don’t Turn A Blind Eye To PCI Compliance
How Much Is Your Data Worth To Criminals?


Don’t Turn A Blind Eye To PCI Compliance

Thursday, July 2nd, 2015

Although you may employ a vendor to process credit card payments, it is still your client’s data and the ultimate need to protect that data is assumed by you.

You probably don’t have a lot of spare time on your hands. Between managing your business and employees and ensuring your clients’ needs are being met, the last thing you might be concerned about is adhering to Payment Card Industry (PCI) Data Security compliance standards. But hold up. If your business (or any of your vendors) deals with client cardholder data or stores this information anywhere in your business’s IT systems, PCI standards are not something to ignore. It could be the difference between your business surviving and thriving or going down the drain.

PCI Data Security Best Practices

In November 2013, the Payment Card Industry (PCI) Data Security Standard version 3 was released. There were five requirements defined as “best practices.” And as of June 30, 2015, these requirements are mandatory and may affect your organization.

The Payment Card Industry (PCI) Data Security Standard v3.0 data sheet describes the need for compliance as: “All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS.”

The two requirements that could most affect your organization are Requirements 12.9 and 9.9.

  • Requirement 12.9 – Additional requirements for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
  • Requirement 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

So what exactly do these requirements mean for you (and your vendor)? In essence, Requirement 12.9 requires third parties to provide in writing the details of their role in providing PCI compliance, as well as any requirements placed on your organization. Requirement 12.9 is relevant to Requirement 9.9 as it relates to devices used to scan or input credit card information. The vendor’s compliance requirements could require your entity to adhere to Requirement 9.9 by protecting and monitoring the devices it uses to scan or input credit card information. And because it’s ultimately the responsibility of your organization to protect client credit card information, it is important that your business obtain the PCI requirements of any vendors you work with and adhere to the requirements of their PCI compliance standards. It is always best practice to document in detail when testing for PCI or communicating with your vendor.

Remaining Three Best Practice PCI Compliance Requirements

The other three PCI compliance “best practice” requirements are listed below. These may or may not be items to be addressed by your organization depending on your current PCI classification. It’s best to review and determine if your entity needs to add to your current PCI testing procedures.

  • Requirement 6.5.10 – Broken authentication and session management. Secure authentication and session management prevent unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
  • Requirement 8.5.1 – Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
  • Requirement 11.3 – Implement a methodology for penetration testing. See p. 93 of the Payment Card Industry (PCI) Data Security Standard v3.0 data sheet for details (Requirement 6.5 is covered on p. 55).

The End of Outdated Secure Sockets Layer Encryption Protocol

Finally, in April 2015 the PCI Security Standards Council published a new version of the Payment Card Industry Data Security Standard that calls for ending the use of the outdated Secure Sockets Layer (SSL) encryption protocol. The new standard requires that the use of SSL be discontinued and replaced by the more secure Transport Layer Security (TLS) protocol. The deadline for this change has been set at June 2016.
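On Windows servers, the SSL cut-off is enforced through the Schannel registry settings. The script below is an added example, not part of the original post or of the PCI standard itself: it audits the SSL 2.0 and SSL 3.0 settings (the weak state is a missing key or Enabled=1; the corrected state is Enabled=0 and DisabledByDefault=1 for both Server and Client) and can apply the corrected state. It assumes the standard Schannel registry layout and an elevated prompt.

```powershell
# Added example (not from the original post): audit and, optionally, disable
# SSL 2.0 and SSL 3.0 in Windows Schannel so the host negotiates only TLS.
# Assumes the standard Schannel registry layout; changes take effect after a reboot.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = @('SSL 2.0', 'SSL 3.0')   # the protocols the PCI change retires

function Get-SchannelProtocolState {
    # One row per protocol/side showing the current Schannel setting.
    foreach ($proto in $legacy) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $schannel $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                # A missing key means the Windows default applies, which on
                # many older Windows versions leaves SSL 3.0 enabled.
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Compliant         = ($enabled -eq 0 -and $disabledByDefault -eq 1)
            }
        }
    }
}

function Disable-LegacySsl {
    # Writes the corrected state: Enabled=0, DisabledByDefault=1 for each
    # legacy protocol, on both the Server and Client side.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($proto in $legacy) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $schannel $proto) $side
            if ($PSCmdlet.ShouldProcess($key, 'Disable protocol')) {
                New-Item -Path $key -Force | Out-Null
                New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
                New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# Audit first; rows with Compliant = False still allow the retired protocol.
Get-SchannelProtocolState | Format-Table -AutoSize

# Preview the change with -WhatIf, then run without it from an elevated prompt
# and reboot for Schannel to pick up the new settings:
# Disable-LegacySsl -WhatIf
```

Re-run the audit after the reboot and keep the output with your PCI testing documentation, as the post recommends for any PCI test.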

Remember, although you may employ a vendor to process credit card payments, it is still your client’s data and the ultimate need to protect that data is assumed by you.

We hear of new breaches daily, so it’s in the best interest of your organization to know its responsibilities for PCI compliance. Don’t assume that all the responsibility is on a third-party vendor, because it is all of our responsibility to maintain security and keep the integrity of our data intact.

By Joe Welker, CISA (New Philadelphia office)

Related Articles

Do You Know Who Has Access To Your IT Network?

How Can I Protect My Business From A Data Security Breach?

How Much Is Your Data Worth To Criminals?


How Much Is Your Data Worth To Criminals?

Friday, March 13th, 2015

There is no way to completely protect yourself and your network, but there are ways to preempt an attack against you and your business.

How much would you pay to regain access to your company’s network if it was compromised and held for ransom? Are you willing to shell out hundreds of dollars to take your information back from a cybercriminal, or are you willing (and able) to just walk away and start anew? I wish I were asking hypothetical questions but, unfortunately, the increased popularity of Ransomware has made the risk of such an attack a very, very real possibility.

Sandra Ponczkowski, a manager at the IT security company KnowBe4, recently shared Your Money or Your Life Files, a whitepaper that details the history and real threat of Ransomware, a computer infection that encrypts all files of known file types on your local computer and server shared drives. Once infected, it becomes impossible for you to access your documents or the applications that use these encrypted files. The only way to recover from such an infection is either to restore your machine using backup media, or to accommodate the hacker’s demands and pay the ransom.

Unfortunately, I know of several situations where the businesses involved in a Ransomware attack had no choice but to pay the ransom demands to the cybercriminal. The silver lining for these companies was that, upon paying the ransom, they were able to obtain the assailant’s encryption key, which allowed them to decrypt their data and regain access to it.

Long-term protection, however, cannot be guaranteed and there is a chance that your data can be held for ransom again.

The literature provided by KnowBe4 details the ease with which the popular Ransomware infection CryptoLocker changes and adapts once a solution to decrypt infected data files becomes available. When this happens, the CryptoLocker infection evolves into a new strain, making the previous solution unusable.

While there is no way to completely protect yourself and your network, there are ways to preempt an attack against you and your business. I recommend the following best practices.

  1. Train yourself and your employees about computer safety practices.
  2. Complete a yearly review of your employees’ access rights to company-owned computers, server folders and backup media. For example, only a few strategic employees should have access to the company’s folders and data. As a general rule, employee access should be restricted to only the programs and software required for them to do their jobs. This also applies to work-from-home employees who typically attach a USB drive to their machines for backup protection.
  3. If you don’t already have one, put a disaster recovery plan in place and test it every year to ensure accuracy and completeness.

Following these practices should make your business’s Ransomware prevention and recovery much easier. Email Rea & Associates to find out more about the importance of protecting your company’s online security.

By Joe Welker, CISA (New Philadelphia office)

Related Articles

Who’s Fishing For Your Data Today?

Beware Of Small Business Wire Transfer Scam

Could A Cyber-Attack Cripple Your Business In 2015?


Who’s Fishing For Your Data Today?

Monday, February 23rd, 2015

Computer company Lenovo informed the public that desktop and laptop devices it sold between September 2014 and January 2015 may have arrived loaded with an extra (and unwelcome) feature – SuperFish. Users should not enter secure information on their device until they are certain that their security was not compromised.

If you purchased a Lenovo desktop or laptop between September 2014 and January 2015 you could be susceptible to “SuperFish” – adware that can be found lurking in the depths of your device.

Capable of hijacking Internet traffic data typically used for securing Internet transactions, SuperFish was installed on Lenovo devices by the manufacturer per an agreement with Superfish Advertising, a third-party software developer based out of Palo Alto, Calif.

“In our effort to enhance our user experience, we pre-installed a piece of third-party software … on some of our consumer notebooks. The goal was to improve the shopping experience using their virtual discovery techniques,” said the company in a prepared statement. “In reality, we had customer complaints about the software. … We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software.”

Until you are certain that your Lenovo system is safe from adware, refrain from online banking, making online purchases or engaging in any other online activity where security is critical.

To determine if SuperFish is present on your device and how to remove it, Lenovo released step-by-step SuperFish Uninstall Instructions on its website.

Unfortunately, in his article about the Lenovo crisis, Zack Whittaker cites ZDNet’s Chris Duckett as saying that “the only confirmed way of completely removing SuperFish appears to be reinstalling Windows … or moving to another operating system entirely,” as simply uninstalling the adware may not remove the root certificate authority.
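Because the risk lives in the trusted root certificate rather than in the adware program, the useful check after an uninstall is whether that certificate is still trusted. The script below is an added example, not from the original post or from Lenovo’s instructions: it searches the Windows machine and user certificate stores for a root or intermediate CA whose subject names Superfish (it assumes the certificate’s subject contains the string “Superfish”) and lists any it finds.

```powershell
# Added example (not from the original post): check whether a Superfish root
# certificate is still trusted on this Windows system after the adware was removed.
# Assumption: the certificate's subject contains "Superfish". Run from an
# elevated prompt so the LocalMachine stores are readable.

function Find-SuperfishRootCert {
    [CmdletBinding()]
    param(
        # Pattern matched against the certificate subject; "Superfish" is the assumed name.
        [string]$SubjectPattern = '*Superfish*'
    )

    # Trusted root and intermediate CA stores for the machine and the current user.
    $stores = @(
        'Cert:\LocalMachine\Root',
        'Cert:\LocalMachine\CA',
        'Cert:\CurrentUser\Root',
        'Cert:\CurrentUser\CA'
    )

    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$found = @(Find-SuperfishRootCert)
if ($found.Count -eq 0) {
    Write-Host 'No Superfish root certificate found in the Windows certificate stores.'
} else {
    Write-Warning "A Superfish root certificate is still trusted on this system ($($found.Count) entries):"
    $found | Format-Table -AutoSize
    # Remove the listed entries only after confirming the thumbprints above:
    # $found | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
}
```

Browsers that keep their own trust store (Firefox, for example) are not covered by the Windows stores and need a separate check.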

According to reports from IDC Worldwide Quarterly PC Tracker and Gartner, Lenovo shipped more than 16 million desktops and notebooks worldwide during the fourth quarter of 2014. Lenovo’s statement indicates that the following models may have been affected:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
  • S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
  • E Series: E10-30

Email Rea & Associates to learn more about the importance of protecting your virtual assets against cyber threats.

By Joe Welker, CISA (New Philadelphia office)

Related Articles

Could A Cyber-Attack Cripple Your Business in 2015?

How Prepared Is Your Business For A Potential IT Disaster?

How Can I Protect My Business From A Data Security Breach?


Beware Of Small Business Wire Transfer Scam

Thursday, January 29th, 2015

Late last week, the Federal Bureau of Investigation (FBI) issued a wire transfer scam alert for all small businesses in the United States. According to the FBI alert, between October 2013 and December 2014 a total of 1,198 complaints from U.S.-based companies were received dealing with wire transfer scams. Losses from these incidents totaled more than $179 million. The FBI also reports that the scams can follow a Ransomware incident, and may involve a fraudster contacting a vendor and requesting a change of payment to an alternate, fraudster-controlled bank account.

How To Mitigate This Type of Scam

If you’re a small business owner, you may be at risk for this kind of scam. The FBI recommends the following mitigation steps for these types of scams:

  • Keep all of your anti-virus software up-to-date.
  • Educate your workforce about security best practices.
    • Be sure that any changes to payments via electronic transfer are verified with an employee of the bank and at a phone number that you utilize for assistance.
    • Don’t use alternate phone numbers provided via email or by a bank representative contacting you.
    • Always call the institution back and verify that you are communicating with your bank.
  • Monitor all of your business’s financial transactions on a daily basis. Suspected electronic fraud must be reported within a single business day.
  • Use two-party authorization access to complete all wire transfer transactions.
  • Utilize biometric authentication to verify the identity of authorized users.
  • Use online bank portals that require strong fraud controls to complete all wire transfer transactions.

You can find more information about the FBI’s scam alert here. This site also provides detailed samples of how the scams will be run against unsuspecting businesses.

If you have any specific questions about how this scam might impact you, or if you would like more information on IT security best practices, email Rea & Associates.

By Joe Welker, CISA (New Philadelphia office)

Related Articles

Could A Cyber-Attack Cripple Your Business In 2015? 

How Prepared Is Your Business For A Potential IT Disaster? 

New Form of Malware Catching Retailers Off Guard


Could A Cyber-Attack Cripple Your Business In 2015?

Tuesday, December 30th, 2014

As we embark on a new year, many of us will set personal goals for ourselves or renew commitments to objectives that may have eluded us over the last year – and if you are a business owner you probably have a whole other list of initiatives to conquer in 2015. But before you dive into a new campaign, product launch or acquisition, take a moment to reassess your business’s disaster recovery and business continuity planning. Doing so could save you from unforeseen financial hardships that could devastate your bottom line.

From eBay’s server breach early in 2014 to the recent Sony Pictures hack, this year major U.S. companies found out that even the best defenses cannot guard against attacks carried out by a determined hacker (or hackers). And if these large-scale businesses are vulnerable, how is your small to midsize business expected to recover? In addition to building up a solid defense to these types of threats by employing firewalls and antivirus software, businesses with a solid business continuity plan are more likely to recover if (and when) a disaster does strike.

Plan For The Best – Expect The Worst

Could you recover from a cyber-attack or data breach? Do you have a plan in place to not only shield yourself from threats, but to swiftly respond and recover? The ISACA, an organization that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems, encourages business owners to take a proactive stance when guarding against disasters – online and offline. If you are unsure whether your business could recover, ask yourself these questions.

  1. Do you have a thorough understanding of your business’s activities, including which ones are critical to support your overall operations while satisfying your customers’ expectations?
  2. Do you know what data you need to support your business’s critical operations and do you know where this data is kept?
  3. Do you have a clear understanding of the effects of downtime within your business and, using this information, are you able to identify where you are most vulnerable?
  4. Do you have current infrastructure in place to protect your business and data against hackers and viruses?
  5. Do you consider business continuity to be a priority to your business?
  6. Do you have a documented plan in place to guide all aspects of your business through a major emergency? How about smaller disruptions like organizational, process and technology changes?
  7. If a disaster were to strike today would you be able to recover quickly while protecting the best interests of your customers and business stakeholders?

If you answered no to any of these questions, your business may find itself susceptible to risk and unable to recover from a cyber-attack or data breach. Make business continuity a priority in 2015. Email Rea & Associates for more information on how you can protect your business against countless internal and external threats.

By Joe Welker, CISA (New Philadelphia office)

How Prepared Is Your Business For A Potential IT Disaster?

Tuesday, September 9th, 2014

Natural disasters. Hardware meltdowns. New variants of viruses and malware. Unfortunately, we live in a day and age where anything can happen. It’s critical that your business is on its toes, ready to tackle any potential disaster or crisis that may come your way. But is it? If your business’s computer systems crashed tomorrow, how easy (or even possible) would it be for your business to recover? Has your business ever given thought to a disaster recovery (DR) plan? Do you have one of these plans?

It’s National Preparedness Month, a month when government agencies and businesses alike work to educate companies and organizations about the importance of being prepared for whatever may come their way. In honor of this month, below are five reasons why your business should create a disaster recovery plan (if you don’t already have one).

Top 5 Reasons For An IT Disaster Recovery Plan

A Gartner report estimates that only 35 percent of small- to medium-sized businesses (SMBs) actually have a working and comprehensive DR plan. And from its research, Gartner also found that 40 percent of SMBs that manage their networks and Internet usage in-house will have their networks hacked, and more than 50 percent won’t know they were hacked. Pretty sobering statistics, right? There are many reasons why having a DR plan is a wise business move. In fact, here are the top five reasons why a DR plan is imperative to the success of your business:

  1. You can’t control when a disaster happens – it can happen at any time. Disasters can be natural or man-made – either way, you don’t have control over when it could happen. A DR plan will help you be prepared for anything at any time.
  2. A DR plan can help you save thousands, possibly even millions, of dollars in the event of a disaster. When a disaster strikes, it’s usually not a cheap fix. Depending on its severity, many businesses’ budgets are hit quite hard. And if this is an unexpected expense, it’s that much harder to make a complete recovery.
  3. You can mitigate your losses with a DR plan. Money isn’t the only thing at stake during a disaster. Don’t forget about the trust and confidence of your customers, employees, investors, vendors – the list goes on. A DR plan can help you retain your critical audiences during a disaster.
  4. A DR plan can help you reduce confusion among your staff and audiences. When a disaster hits, imagine the confusion and uncertainty that comes with it. In some cases, it may seem like you have no control over the situation. A DR plan can help you have an organized approach to resolving the disaster.
  5. The government may require businesses within your industry to develop and utilize a DR plan. If your business handles sensitive customer information or other information that could be critical if lost, the government may require you to have a formal DR plan, which should include yearly testing of offsite back-up recovery data.

Does your business have a DR plan? If not, you need to create one. Email Rea & Associates for more information about what to include in your plan. If you already have one in place, first pat yourself on the back, and then review it to ensure that it reflects your business’s current environment. Detailed and tested plans are imperative to the successful recovery and even for the longevity of your business.

Author: Joe Welker, CISA (New Philadelphia office)

New Form of Malware Catching Retailers Off Guard

Monday, August 25th, 2014

Last week, UPS announced that 51 of its stores were infected by point-of-sale (POS) malware that has been affecting other retailers across the U.S. In total, UPS estimates that approximately 105,000 POS transactions were compromised in the data breach, leaving many customers’ financial and contact information exposed and increasing their risk of identity theft and fraud.

POS malware, known as Backoff, was identified last week as having targeted a New Orleans restaurant, a much smaller retailer than UPS. On July 31, several government agencies sent out an alert about Backoff. The alert explained the risks that Backoff posed to U.S. businesses, including smaller merchants, and that this new form of malware was found to infect POS systems via access to a remote-access portal.

And just a few days ago, the U.S. Secret Service announced that an estimated 1,000 businesses have been infected by Backoff. Now the Department of Homeland Security is encouraging all businesses – no matter the size – to scan their POS systems to check for a possible compromise.

While these recent incidents may not affect you or your business directly, the discovery of this new form of malware should cause you to stop and assess your business’s IT security situation. Do you have the right security protocols in place to protect your business – and your customers – from a potential data breach?

How To Protect Your Business From A Data Breach

Your mind may be far from thinking about your business’s IT environment. You’re probably focused more on the day-to-day operations of your business and serving your customers. But think of protecting your business’s IT environment as one way of serving your customers. By protecting your IT systems, you are helping ensure that your customers’ personal and financial data is safe. Here are some ways you can protect your business’s IT environment:

  • Use endpoint protection monitoring to verify that all workstations are current on their virus definition files and OS patches.
  • Make sure all servers are patched with the most current operating system security patches.
  • Employ a vendor to complete penetration testing to find any open avenues to your network.
  • Consider implementing Intrusion Detection Systems (IDS) or Security Information & Event Management (SIEM) applications. Many companies utilize IDS/SIEM to monitor their incoming and outgoing network traffic. If the expense is too great or you don’t have qualified personnel, then consider a vendor to provide the service. Many vendors provide these services at a very reasonable price.
  • Review the Mitigation and Prevention Strategies of the Department of Homeland Security July 31, 2014, announcement of the Backoff malware.

The Cost of Protecting Your Customers

What cost is too much to protect my customers’ data? Only you can answer this question. UPS and the restaurant have chosen to pay for identity theft and credit monitoring services for customers who may have been affected by their data breaches (a data breach-related expense many companies don’t consider). But take that one step further. What cost is too much to protect my business’s reputation? In order for your company to survive in today’s digital world, it’s critical for your business to cultivate a culture of trust with your customers. Many businesses find that they’ll do what it takes to prevent security breaches. What will you do?

Want more IT tips? Check out other articles that provide best practices on how to secure your business’s IT environment.

Author: Joe Welker, CISA (New Philadelphia office)

Is Your Business Running On Microsoft 2003 Servers? It’s Time To Update

Wednesday, July 16th, 2014

As a business owner, you have a lot to be concerned about. Ensuring that your business is bringing in revenue. Providing quality customer service. Retaining quality employees. The list goes on and on. Is maintaining and keeping your IT systems anywhere near the top of your list? If not, you might want to think again.

Microsoft To Stop Supporting Microsoft 2003 Servers

Back in April, Microsoft announced it was no longer supporting its Windows XP workstation software, meaning it no longer provides any security patches or upgrades for computers running Windows XP. Despite this news, many companies are still using the unsupported operating system, which leaves a huge hole in their security. While many entities are planning to replace their XP workstations, Microsoft now has additional changes coming.

Microsoft recently announced an end-of-life date for its Windows Server 2003 and Server 2003 R2 systems. These two server operating systems will no longer be supported after July 14, 2015. So if your business uses these systems, you have a little under a year to plan and implement a replacement strategy for these servers. The consequence for not replacing them? Serious security issues.

In many industries, the use of these operating systems on servers could lead to non-compliance issues. When looking at your upgrade options, consider using virtualization software such as VMware or Hyper-V, or server operating systems like Linux, UNIX, Windows Server 2008 and Windows Server 2012.

What You Can Do To Prepare For The Microsoft 2003 Server Expiration

It’s important you work with your application vendors to make sure that your current applications will transfer over and operate correctly on the replacement server operating system you decide upon. It is recommended that your entity do an analysis of critical business applications currently being used on Microsoft Windows 2003 and Windows 2003 R2 servers and determine the best replacement option as well as conversion process.

IT Audit Help

Not sure what server(s) your business is running on? Or are you unsure how this Microsoft server expiration will affect your business? Contact Rea & Associates. Our IT audit team can assess your business’s IT systems and help you determine how these changes will affect you moving forward. Don’t delay in updating your servers. It could be the difference between a safe IT environment and an unsecured one.

Author: Joe Welker, CISA (New Philadelphia office)

Looking for more information on how you can keep your business environment safe? Check out these blog posts:

8 Tips For Crafting A Strong Password

Do You Know Who Has Access To Your IT Network?

How Can I Protect My Business From A Data Security Breach?

8 Tips For Crafting A Strong Password

Thursday, June 12th, 2014

eBay Inc. recently recommended that its users change their passwords. Why? If you guessed there was a cyberattack on one of eBay’s databases, you are correct! Cyberattacks have been in the news almost daily, and unfortunately they seem to be increasing in number. While companies are busy trying to stave off attacks, there are ways you can protect yourself.

Treat Passwords With Care

Consider your passwords to be sensitive material and treat them no differently than you treat your credit cards. Make sure your passwords are secure and change them regularly – as often as four times a year, or sooner if you believe one has been compromised.

A standard eight-character password with moderate security can be hacked within two to four hours. In comparison, passwords or passphrases of 12 characters with high complexity would take 17,000 years to breach.

8 Tips To Keep Your Passwords Strong and Safe

Here are eight tips and best practices you can implement to help keep your passwords strong and safe:

  1. Use passphrases instead of passwords or a string of characters and digits. Passphrases can be easier to remember. For example: “Myd0gisSamm@”
  2. Use upper and lower case letters, numbers and special characters in passphrases.
  3. Never use complete words within a passphrase.
  4. Change passphrases routinely.
  5. Never share passphrases with others.
  6. Be cautious of shared computers that do not have current virus detection programs installed on them, such as those in hotel data centers and public computer kiosks.
  7. Change passphrases after using a shared public access computer.
  8. Use two-step verification when available.
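A policy check that encodes tips 1 through 3 together with the length-versus-complexity comparison above, added here as an example and not the post’s own code. The 12-character minimum is taken from the post’s 8-versus-12 comparison, and the short word list is a constructed stand-in for a real dictionary.

```python
"""Passphrase policy check for the tips above (added example, not from the post)."""
import math
import re

# Constructed mini word list standing in for a real dictionary (assumption).
COMMON_WORDS = {"password", "summer", "winter", "welcome", "admin", "login", "dragon", "monkey"}

# The post contrasts an 8-character password with a 12-character high-complexity
# passphrase, so 12 is used as the minimum length here.
MIN_LENGTH = 12

# Character classes from tip 2 and the approximate alphabet size each contributes.
CLASS_SIZES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII punctuation
}


def present_classes(passphrase):
    """Names of the character classes that actually appear in the passphrase."""
    return [name for name, (rx, _) in CLASS_SIZES.items() if rx.search(passphrase)]


def keyspace_bits(passphrase):
    """log2 of the brute-force search space implied by length and character classes.

    This is what makes a 12-character mixed passphrase so much costlier to guess
    than an 8-character lowercase word: the exponent grows with every character.
    """
    alphabet = sum(CLASS_SIZES[c][1] for c in present_classes(passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def contains_complete_word(passphrase, words=COMMON_WORDS):
    """Tip 3: reject passphrases that embed a complete dictionary word."""
    lowered = passphrase.lower()
    return any(w in lowered for w in words)


def check_passphrase(passphrase):
    """Return the list of violated tips; an empty list means the passphrase passes."""
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append("tip 1: shorter than %d characters" % MIN_LENGTH)
    missing = [c for c in CLASS_SIZES if c not in present_classes(passphrase)]
    if missing:
        failures.append("tip 2: missing " + ", ".join(missing))
    if contains_complete_word(passphrase):
        failures.append("tip 3: contains a complete dictionary word")
    return failures


if __name__ == "__main__":
    # "Myd0gisSamm@" is the post's own sample; the other two are constructed.
    for candidate in ("Myd0gisSamm@", "Summer2014!", "password"):
        print(candidate, round(keyspace_bits(candidate), 1), check_passphrase(candidate) or "OK")
```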

Password and IT Audit Help

Need some additional advice on how to create strong passwords that will protect you and your business? Contact Rea & Associates. Our IT audit professionals can help you determine where you can strengthen your IT security.

Author: Joe Welker, CISA (New Philadelphia office)

How Can Heartbleed Affect You and Your Business’s Online Identity?

Friday, April 11th, 2014

The Internet is a powerful tool – something that can make our lives (and businesses) easier. But it also can be our worst nightmare at times. If you keep up on the news, you may recall within the past few days hearing something about “Heartbleed.” No, this isn’t the name of a new rock-n-roll band. It’s the latest threat to your security on the Internet. News sites started reporting on this newest Internet threat earlier this week. But as more and more has become known about this Internet defect, it’s becoming clear that everyone with an online identity needs to be concerned about it.

Heartbleed is a vulnerability that allows malicious users to run a tool that gains them access to a web server and provides them with usernames and passwords from that server. What can this defect potentially affect? Every website on the Internet. Bank websites, social media sites, online merchant sites … the list goes on.

Within the past couple of days, a Heartbleed defect was discovered that allows hackers to access chunks of a server’s memory that could contain Personally Identifiable Information (PII). Sites that integrate a Secure Sockets Layer (SSL) encryption certificate are now at risk from this new defect.

Steps For Protecting Your Online Identity

So what should you do to protect you and your business from this risk? Follow these steps:

  1. Take inventory of all of your online accounts and make a list of your accounts.
  2. Before changing your online passwords, contact the businesses behind any accounts that may have SSL certificates to ensure that the company has issued new certificates. To check the “grade” of an SSL-secured site, you can visit the Qualys SSL Labs website and input the URL of the site you’re checking. Sites are graded (A through F) on how secure they actually are.
  3. Change your passwords for each of your online accounts.
  4. Clear your Web browsers’ cache, cookies and history. Check out this ZDNet article for step-by-step instructions on how to do this.
  5. Closely monitor your bank and credit card statements to make sure there’s no unusual or suspect activity.
  6. If you receive emails or other online communication that promises a solution to your Heartbleed woes, don’t buy it. These communications are more than likely spam connected to dangerous malware or pointing you to malware. Heartbleed is a very complex online security threat, and there’s not a simple, quick fix for it.
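For the servers your own business operates, step 2’s question (has the defect been fixed before certificates were reissued?) starts with the OpenSSL build in use. The classifier below is an added example, not from the post: it encodes the published affected range for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1), and the version lines it is run over are constructed samples, not real hosts.

```python
"""Classify `openssl version` output against the Heartbleed-affected range.

Added example, not from the post. Fact encoded: CVE-2014-0160 affects OpenSSL
1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g, 1.0.2-beta2 and the 1.0.0 / 0.9.8
branches are not affected.
"""
import re
import subprocess

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")

LAST_VULNERABLE_LETTER = "f"  # 1.0.1 (no letter) .. 1.0.1f affected, 1.0.1g is the fix


def heartbleed_status(version_line):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for one `openssl version` line.

    Caveat: distributions that backported the fix keep the old version string
    (a patched build may still report 1.0.1e), so 'vulnerable' means "verify
    against the vendor's advisory", not proof of exposure.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # not OpenSSL (LibreSSL, BoringSSL, ...) or unparsable
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        return "vulnerable" if letter <= LAST_VULNERABLE_LETTER else "not_vulnerable"
    if branch == (1, 0, 2) and beta == "-beta1":
        return "vulnerable"
    return "not_vulnerable"  # 1.0.0, 0.9.8 and 1.0.2 final never shipped the bug


def local_status():
    """Classify the OpenSSL binary on this machine; 'unknown' if it is not installed."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(out.stdout)


# Constructed sample lines in the format `openssl version` prints (not real hosts).
SAMPLES = {
    "OpenSSL 1.0.1 14 Mar 2012": "vulnerable",
    "OpenSSL 1.0.1e-fips 11 Feb 2013": "vulnerable",
    "OpenSSL 1.0.2-beta1 24 Feb 2014": "vulnerable",
    "OpenSSL 1.0.1g 7 Apr 2014": "not_vulnerable",
    "OpenSSL 1.0.0l 6 Jan 2014": "not_vulnerable",
    "OpenSSL 0.9.8y 5 Feb 2013": "not_vulnerable",
    "LibreSSL 2.0.0": "unknown",
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        got = heartbleed_status(line)
        print(f"{line:35} -> {got:14} {'ok' if got == expected else 'MISMATCH'}")
    print("local openssl:", local_status())
```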

Need Advice On Protecting Your Online Identity?

Following the steps outlined above will hopefully help lessen your chances of becoming a victim of identity theft and fraud. If you have questions or need additional guidance on how to protect your business, contact our IT audit professionals at Rea & Associates.

Author: Joe Welker, CISA (New Philadelphia office)

Looking for other blog posts about protecting your business’s online identity? Check these posts out:

Do You Know Who Has Access To Your IT Network?

How Can I Protect My Business From A Data Security Breach?

How Can You Prepare For The Retirement of Microsoft Windows XP?

Do You Know Who Has Access To Your IT Network?

Thursday, March 20th, 2014

You may find that your business relies heavily on the technical support provided by third-party hardware and software providers. But have you ever considered whether your vendors have direct access to your business’s internal IT network without having to gain permission from someone within your business? If you’re not positive about how to answer, then it’s probably time to do some digging to see whether that’s the case. It’s possible that your vendors have access to your business’s sensitive data and devices.


How Can You Prepare For The Retirement of Microsoft Windows XP?

Thursday, January 16th, 2014

You’ve probably heard by now about the Target data breach, but just this week other retailer data breaches during the 2013 holiday season have become known. In light of these broad, major data breaches, this is a great time to ask yourself: When was the last time you evaluated your business’s IT network? If this has been an area of your business that you’ve let slide, then let it slide no more!


How Can I Protect My Business From A Data Security Breach?

Thursday, December 19th, 2013

We live in an ever-increasing digital world. And with that comes risk – and lots of it. The number of stolen debit/credit card numbers continues to grow every day. Today’s news story about how nearly 40 million Target customers had debit or credit card information stolen is the most recent example of the kind of risky, digital world we live in.


What Are Some IT Audit Tips That Can Keep You off Santa’s Naughty List?

Thursday, December 19th, 2013

The end of the year is near, and it’s easy to get caught up in the excitement of the holidays. But don’t let that be an excuse to forget about your entity’s security and information technology (IT) operations. As you close out your year, here are seven areas and tips that can help you strengthen and further secure your entity’s IT environment – and keep you off Santa’s naughty list!


Why Should You Upgrade Your Business’s Windows XP Software?

Thursday, September 5th, 2013

If you missed it, you should know that Microsoft recently announced that, effective April 8, 2014, it will no longer release any security patches or extend support for its Windows XP operating system. You may be thinking, “So what?” Well, if your organization is running its IT systems on Windows XP, your organization could open itself up to security issues. Furthermore, if your organization is in the healthcare industry and using Windows XP, it could be held liable and found non-compliant with Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) laws.
