
Page 1

CYBERCRIME

the invisible threat that haunts your business

by Joe Welker, CISA, IT Audit Manager, Rea & Associates

Page 2

Rea & Associates, Inc. is a regional CPA and consulting firm with 225 bright professionals in 11 offices throughout Ohio. Since 1938, Rea has provided a wide range of accounting services to businesses, individuals with means and those with dreams. Today, the firm is the go-to resource for thousands of businesses and individuals nationwide. Rea offers a brighter way to its clients in the construction, government, health care, manufacturing, oil & gas and not-for-profit industries – as well as family businesses – through innovative accounting, audit, tax and consulting services.

For more information about Rea & Associates, please call 614.889.8725 or visit www.reacpa.com.

Page 3

4-5 Then & Now: Data Security In America Since The Target Breach

5 A Moving Target

6 Sloppy Data Security Could Cost You

7 Defend Against A Data Breach

7 Password Best Practices

8 Social Engineering Red Flags

8 Who Is That Email Really From?

9 How Much Would You Pay To Get Your Data Back?

10 Are You Ransomware’s Next Victim?

11 Payroll, HR Departments Targeted By Cybercriminals

12 Bonus Material: The Great Data Saver

13 Meet Joe Welker


Page 4

Then & Now: Data Security In America Since The Target Breach

It’s hard to remember a time when reports of data breaches, ransomware attacks and business email compromises weren’t part of our daily lives. In fact, not so long ago we were pretty content to believe that the controls companies had in place were enough to protect us from the invisible threat of hackers and cybercriminals. But that was just a dream – and it wasn’t long before that dream manifested into a nightmarish scenario for one of the nation’s largest retailers.

Two years ago, cybercriminals gained access to the point-of-sale systems belonging to Target. Authorities later learned that the hacker(s) gained access to about 11 GB worth of data (including highly-sensitive personal and credit card information). When the dust settled, about 70 million consumers nationwide were left vulnerable to identity theft and credit card fraud. The magnitude of this breach was huge and, as a result, companies everywhere made an effort to buckle down and implement a slew of “best practices.” But what has really changed since December 2013?

What Have We Learned From Target?

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen. But instead of becoming more vigilant about data security practices, it appears as though consumers have chosen a more desensitized reaction. These days we are content with trusting the credit card companies to notify us of any suspicious activity occurring on our account rather than implementing safer payment practices in our daily lives.

Retailers and credit card companies, on the other hand, have worked hard to make it more difficult for hackers to access their customer data. Since the breach, Target has:

• Installed Europay, Mastercard and Visa (EMV) compliant point-of-sale (POS) terminals in all stores to allow for transactions to be processed using a token instead of actual credit card numbers.

• Joined two cybersecurity threat-sharing organizations in order to share and retrieve valuable information concerning data breaches and the source of those breaches.

• Implemented more stringent firewall rules and governance procedures.

• Constantly monitors and logs system activity.

• Applied whitelisting technology, an administrative process that allows only preapproved applications to execute in a system, on the store’s POS systems.

Rea & Associates, Inc. www.reacpa.com 4

Page 5

• Disabled or placed limited access on vendor accounts.

• Deployed 2-factor authentication.

• Established password vaults and required the use of more complex passwords.

• Thoroughly reviewed and revised its process on how to determine which employees and contractors would have access to consumer data.

With the exception of the first two points, the measures Target has taken since its 2013 data breach are considered best practices, which means that if your business doesn’t have these security measures in place, you shouldn’t wait any longer. And, with regard to EMV technology, most businesses were expected to install and activate the new technology before Oct. 1, 2015, to avoid liability for losses resulting from fraudulent transactions.

“Then & Now: Data Security In America Since The Target Breach,” was originally published on Dec. 16, 2015, on Dear Drebit, Rea & Associates’ business advisory blog.

A Moving Target

As long as there are fraudsters willing to pay for stolen names, addresses, credit card numbers and expiration dates, phone numbers, email addresses, dates of birth, Social Security numbers, etc., there will be cyber criminals looking for a way to hack into your company’s system to gain access to your consumer data or intellectual property. But if you are really serious about keeping your data safe, there are additional measures you can take.

1. Reinforce Your Firewall

Firewalls should be securely configured and continuously monitored. There are many providers that perform 24-7 firewall monitoring services to protect your company from attacks and/or to alert you to signs of a possible breach. Moreover, providers are also coupling these services with the use of whitelists or blacklists, which trigger an immediate response if a potential threat is identified. Another great reinforcement for companies with experienced IT staff would be the implementation of Security Information and Event Management (SIEM) or Intrusion Detection System (IDS) software.

2. Take Your VIP List Seriously

Not everybody should have access to your company’s domain – especially outside groups – and you should take care to review your employee and vendor access accounts routinely. The 2013 Target breach was a result of a breach that was intended for one of Target’s vendors. But, once in, the hacker was able to work his way into the Target Vendor Portal and infiltrate the Target POS systems.

3. Don’t Take Your Passwords For Granted

While doing so, be sure to verify that these credentials, in particular, require complex passwords, a limit on the number of attempts allowed before automatically disabling the account, and that they are required to be changed regularly. (Believe it or not, the most common password continues to be “123456” – proving that we are still not learning from past mistakes.)

Page 6

Sloppy Data Security Could Cost You

As if you didn’t have enough keeping you up at night, the topic of data security continues to send collective shivers up the spines of business owners worldwide. Unfortunately, the Aug. 24, 2015, ruling by the United States Court of Appeals for the Third Circuit didn’t make matters any better (or less expensive) for businesses guilty of failing to protect their customers’ data. In fact, companies that utilize poor security practices that ultimately lead to a breach of consumer data are at risk of facing further disciplinary action and penalties.

What Does the FTC’s Win Mean To Business Owners?

If you haven’t taken data security seriously in the past, it’s time to get real serious about it real quick.

Prior to the ruling, companies at the center of a data breach had to battle with lawsuits while working to rebuild their reputations. Now, in addition to litigation and negative headlines, your organization must also risk being fined by the Federal Trade Commission (FTC). Businesses can no longer operate with a subpar data security infrastructure. Those that do are at risk of losing everything.

The court upheld the FTC’s 2012 lawsuit against Wyndham Worldwide, a company known for operating hotels and time-shares. Records show that the FTC filed complaints against Wyndham for three data breaches occurring in 2008 and 2009, which resulted in more than $10.6 million in fraudulent charges. In its decision, the appeals court reaffirmed previous rulings that found Wyndham to be responsible for implementing better security practices, which would have helped prevent such breaches from occurring in the first place.

According to the FTC’s argument, software used at Wyndham-owned hotels stored credit card information as readable text, hotel computers lacked a system for monitoring malware, there was no requirement for user identification and/or to make passwords difficult for hackers to guess, the company failed to use firewalls and, ultimately, failed to employ reasonable measures to detect and prevent unauthorized access to the computer network or to conduct security investigations.

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Next Steps

With regard to the case between the FTC and Wyndham, the next chapter of the story is uncertain. While the win in the courtroom has helped put some wind in the FTC’s sails, the commission has yet to levy any penalties or assertions against the defendant. What is clear, however, is that a data security breach is a very real threat – one that is felt by nearly every business in the world. Furthermore, as technology continues to advance and hackers adapt, the security procedures businesses deploy must be top-notch to avoid further complications and costs associated with a sloppy security infrastructure.

“Businesses Beware: Sloppy Data Security Could Cost You,” was originally published on Aug. 26, 2015, on Dear Drebit, Rea & Associates’ business advisory blog.

Page 7

Password Best Practices

How many sites do you log in to with a username and password each day? How about apps on your smartphone or tablet? If you were to count how many accounts you have online – between personal and business logins for email, online banking, loyalty programs and social media sites – is it 10? 50? 100?

You should consider your passwords to be sensitive material. Treat them no differently than you treat your credit cards. Make sure they are secure and change them regularly – as often as four times a year, or sooner if you believe one has been compromised. Changing your passwords quarterly is especially important for email, domain login and online banking.

A standard eight-character password with moderate security can be hacked within two to four hours. In comparison, passwords or passphrases of 12 characters with high complexity would take 17,000 years to breach.

• Use passphrases instead of passwords or a string of characters and digits. Passphrases can be easier to remember. For example: “Myd0gisSamm@”

• Use upper and lower case letters, numbers and special characters in passphrases.

• Never use complete words within a passphrase.

• Change passphrases routinely.

• Never share passphrases with others.

• Be cautious of shared computers that do not have current virus detection programs installed on them, such as those in hotel data centers and publicly used computer kiosks.

• Change passphrases after using a shared public access computer.

• Use two-step verification when available.

Be sure to take ownership of your data and guarantee the security of that data.

Page 8

Social Engineering Red Flags

FROM:

• I don't recognize the sender's email address as someone I ordinarily communicate with.

• This email is from someone outside my organization and it’s not related to my job responsibilities.

• This email was sent from someone inside the organization or from a customer, vendor, or partner and is very unusual or out of character.

• Is the sender's email address from a suspicious domain? (like micorsoft-support.com)

• I don't know the sender personally and they were not vouched for by someone I trust.

• I don't have a business relationship nor any past communications with the sender.

• This is an unexpected or unusual email with an embedded hyperlink or an attachment from someone I hadn't communicated with recently.

SUBJECT:

• Did I get an email with a subject line that is irrelevant or does not match the message content?

• Is the email message a reply to something I never sent or requested?

HYPERLINKS:

• I hover my mouse over a hyperlink that’s displayed in the email message, but the link-to address is for a different website. (This is a big red flag.)

• I received an email that only has long hyperlinks with no further information and the rest of the email is completely blank.

• I received an email with a hyperlink that is a misspelling of a known web site. For instance, www.bankofarnerica.com – the “m” is really two characters, “r” & “n”.

ATTACHMENTS:

• The sender included an email attachment that I was not expecting or that makes no sense in relation to the email message. (This sender doesn’t ordinarily send me these types of attachment(s).)

• I see an attachment with a possibly dangerous file type. The only file type that is always safe to click on is a .TXT file.

CONTENT:

• Is the sender asking me to click on a link or open an attachment to avoid a negative consequence, or to gain something of value?

• Is the email out of the ordinary, or does it have bad grammar or spelling errors?

• Is the sender asking me to click a link or open up an attachment that seems odd or illogical?

• Do I have an uncomfortable gut feeling about the sender’s request to open an attachment or click a link?

• Is the email asking me to look at a compromising or embarrassing picture of myself or someone I know?

DATE:

• Did I receive an email that I normally would get during regular business hours, but it was sent at an unusual time like 3 a.m.?

TO:

• I was cc’d on an email sent to one or more people, but I don’t personally know the other people it was sent to.

• I received an email that was also sent to an unusual mix of people. For instance, a seemingly random group of people at my organization whose last names start with the same letter, or a whole list of unrelated addresses.

© 2016 KnowBe4, Inc. All rights reserved. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
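The checklist above is written for a human reader. As an added example (not KnowBe4’s or Rea & Associates’ code), the following Python turns several of its tests into checks that run over a constructed sample message: a look-alike sender domain (the checklist’s micorsoft-support.com), the rn-for-m trick in bankofarnerica.com, link text that points somewhere other than it shows, a risky attachment type, a 3 a.m. send time and a recipient list that all share one initial. The known-domain list, the risky-extension set, the confusable pairs and the sample message are all assumptions.

```python
"""Automated form of several tests in the Social Engineering Red Flags checklist."""
import re
from datetime import datetime
from urllib.parse import urlparse

# ASSUMPTION: the organisation's own domain plus brands its staff routinely hear from.
KNOWN_DOMAINS = {"example-corp.com", "microsoft.com", "bankofamerica.com"}
# ASSUMPTION: file types a reviewer would treat as "possibly dangerous".
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".zip", ".docm", ".xlsm"}
# Character pairs that look alike in common fonts: the checklist's "rn" for "m" trick.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def is_known(domain: str) -> bool:
    """True for a known domain or one of its subdomains (login.microsoft.com)."""
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS)


def normalize_label(label: str) -> str:
    """Fold look-alike spellings so that bankofarnerica becomes bankofamerica."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; the micorsoft/microsoft transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(domain: str):
    """Return the known domain this one imitates, or None if it is genuine or unrelated."""
    domain = domain.lower()
    if is_known(domain):
        return None
    labels = domain.split(".")
    registrable = labels[-2] if len(labels) >= 2 else domain  # "micorsoft-support"
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        for piece in registrable.split("-"):  # ignore decoy suffixes such as "-support"
            if len(piece) >= 4 and (normalize_label(piece) == brand
                                    or levenshtein(piece, brand) <= 2):
                return known
    return None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL or bare domain, minus any leading www."""
    text = url_or_text.strip()
    host = (urlparse(text if "://" in text else "https://" + text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def red_flags(msg: dict) -> list:
    """Run the FROM / SUBJECT / HYPERLINKS / ATTACHMENTS / DATE / TO tests on one message."""
    flags = []
    sender_domain = msg["from"].split("@")[-1].lower()
    imitated = brand_lookalike(sender_domain)
    if imitated:
        flags.append(f"FROM: sender domain {sender_domain} imitates {imitated}")
    elif not is_known(sender_domain):
        flags.append(f"FROM: unfamiliar sender domain {sender_domain}")
    if msg["subject"].lower().startswith("re:") and not msg.get("in_reply_to"):
        flags.append("SUBJECT: a reply to something that was never sent")
    for href, text in ANCHOR.findall(msg["body_html"]):
        target, shown = host_of(href), re.sub(r"<[^>]+>", "", text).strip()
        if "." in shown and " " not in shown and host_of(shown) != target:
            flags.append(f"HYPERLINK: text shows {host_of(shown)} but points to {target}")
        imitated = brand_lookalike(target)
        if imitated:
            flags.append(f"HYPERLINK: {target} is a misspelling of {imitated}")
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"ATTACHMENT: possibly dangerous file type {name}")
    if msg["sent_at"].hour < 6 or msg["sent_at"].hour >= 22:
        flags.append(f"DATE: sent at an unusual time ({msg['sent_at']:%H:%M})")
    recipients = msg.get("to", []) + msg.get("cc", [])
    if len(recipients) >= 3 and len({r[0].lower() for r in recipients}) == 1:
        flags.append("TO: odd mix of recipients (every address starts with the same letter)")
    return flags


# Constructed sample built from the checklist's own examples; not a real message.
SAMPLE = {
    "from": "helpdesk@micorsoft-support.com",
    "to": ["sara@example-corp.com", "sam@example-corp.com", "steve@example-corp.com"],
    "subject": "RE: Payment overdue - your account will be suspended",
    "sent_at": datetime(2016, 3, 4, 3, 12),
    "body_html": '<p>Verify now: <a href="http://www.bankofarnerica.com/login">www.bankofamerica.com</a></p>',
    "attachments": ["invoice.pdf.exe"],
}
```

Folding “rn” to “m” also turns genuine names such as “modern” into “modem”, so a hit is a prompt to confirm the request out of band (as the article that follows advises), not proof of fraud.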

Who Is That Email Really From?

We hear it a lot and often – be careful when clicking on the links in your email (especially if you don’t know the sender).

But what if the email is from someone you know, like your boss? And what if the email appears to come from their work account?

E-mail Account Compromise is a sophisticated scam that uses legitimate email accounts that have been compromised to target unsuspecting victims, oftentimes tricking even the most tech-savvy individuals.

So that email your “boss” sent that asked you to click on a link to wire them money because they lost everything while on vacation in France may actually look authentic, but in reality it’s a scam that could have an impact on your business’s network.

Criminal actors are getting very skillful at making their emails look like the real thing. KnowBe4.com recently developed a guide for determining if an email is legit or a scam (above).

Recently, the FBI reported a 270 percent spike in victims and cash losses due to these scams. The numbers are scary, but educating yourself on what to be on the lookout for can help eliminate the scams.

“Who Is That Email Really From?” was originally published on Sept. 1, 2015, on Dear Drebit, Rea & Associates’ business advisory blog.

Page 9

How Much Would You Pay To Get Your Data Back?

Is Your Business Ready To Battle Ransomware?

How much would you pay to regain access to your company’s network if it was compromised and held for ransom? Are you willing to shell out hundreds of dollars to take your information back from a cybercriminal, or are you willing (and able) to just walk away and start anew?

I wish I were asking hypothetical questions but, unfortunately, the increased popularity of Ransomware has made the risk of such an attack a very, very real possibility.

Sandra Ponczkowski, a manager of the IT security company KnowBe4, recently shared Your Money or Your Life Files, a whitepaper that details the history and real threat of Ransomware, a computer infection that encrypts all files of known file types on your local computer and server shared drives.

Once infected, it becomes impossible for you to access your documents or applications that use these encrypted files. The only way to recover from such an infection is to either restore your machine by using backup media, or accommodate the hacker’s demands and pay their ransom.

Unfortunately, I know of several situations where the businesses involved in a Ransomware attack had no choice but to pay ransom demands to the cybercriminal. The silver lining for these companies was that, upon paying the ransom, they were able to obtain the assailant’s encryption key code, which allowed them to unencrypt their data and regain access to their data.

Long-term protection, however, cannot be guaranteed, and there is a chance that your data can be held for ransom again.

The literature provided by KnowBe4 details the fluency with which the popular Ransomware infection CryptoLocker changes and adapts once a solution to unencrypt infected data files becomes available. When this happens, the CryptoLocker infection will evolve into a new strain, thus making the previous solution unusable.

While there is no way to completely protect yourself and your network, there are ways to preempt an attack against you and your business. I recommend the following best practices.

• Train yourself and your employees about computer safety practices.

• Complete a yearly review of your employees’ access rights to company-owned computers, server folders and backup media. For example, only a few, strategic employees should have access to the company’s folders and data. As a general rule, employee access should be restricted to include only the programs and software required for them to do their jobs. This also applies to work-from-home employees who typically attach a USB drive to their machines for backup protection.

• If you don’t already, put a disaster recovery plan in place and test it every year to ensure accuracy and completeness.

“How Much Would You Pay To Get Your Data Back?” was originally published on March 13, 2015, on Dear Drebit, Rea & Associates’ business advisory blog.

Page 10

Are You Ransomware’s Next Victim?

Ransomware is a computer infection that’s been programmed to encrypt all files of known file types on your local computer and your server’s shared drives. Once it takes hold, it’s all but impossible for you to regain access to the data that’s been infected.

Once this happens, you have one of two choices. You can either restore the machine by using backup media, or accommodate the hacker’s demands and pay up.

As a direct result of my experience as an IT audit manager, I have been made aware of several situations in which businesses were left with no choice but to succumb to the demands of malicious cybercriminals carrying out Ransomware attacks.

While the companies I have worked with were finally able to obtain their assailant’s encryption key code to unencrypt and regain access to their data after the ransom was paid, others are not as lucky – after all, the FBI has reported $18 million worth of losses in just over a year. Furthermore, there are no guarantees that you won’t be targeted again in the future.

Preempt A Crisis

While there is no surefire way to prevent a Ransomware attack on your data, it’s wise to implement the following best practices to reduce the possibility of infection or reinfection.

• Implement mandatory computer safety training for all employees, and put in place and test an IT Disaster Recovery Plan.

• Always use reputable antivirus software and a firewall and be sure to keep both up to date.

• Put your popup blockers to good use. Doing so will help remove the temptation to click on an ad that could infect your computer.

• Limit access to the company’s data by ensuring that only a few employees have access to certain folders and data. You can facilitate this type of action by conducting annual reviews of your company’s employee access rights.

• Back up all company-owned content. Then if you do become infected, instead of paying the ransom, you can simply have the Ransomware wiped from your system and then reinstall your files once it’s safe again to do so.

• Never click on suspicious emails or attachments, especially if they come from an email address you don’t recognize. And actively avoid websites that raise suspicion.

Shut Down The Attack

If you are surfing the Web and a popup ad or message appears to alert you that a Ransomware attack is in progress, disconnect from the Internet immediately. Breaking the connection between the hacker and your data could help stop the spread of additional infections or data losses. In addition to informing your company’s IT department about the threat or occurrence, be sure to file a complaint with your local law enforcement agency.

“Don’t Be Ransomware’s Next Victim,” was originally published on July 8, 2015, on Dear Drebit, Rea & Associates’ business advisory blog.

Page 11

WARNING: Payroll, HR Departments Targeted By Cybercriminals

Over the last few years, the threat of refund fraud and identity theft has become a very real concern, and criminals have proven that they will go to great lengths to get the information they need to complete their scams.

The IRS recently alerted payroll and human resources professionals of an “emerging phishing email scheme that purports to be from company executives and requests personal information on employees.”

IRS Commissioner John Koskinen said that this particular tactic appears to be “a new twist on an old scheme.” Cyber criminals are using the cover of tax season to trick people into sharing confidential data.

“If your CEO appears to be emailing you for a list of company employees, check it out before you respond,” said Koskinen. “Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

According to the IRS, a criminal investigation is already in place and several cases in which people have been tricked into sharing Social Security numbers and other sensitive information with criminals are being reviewed. Officials report that criminals regularly use the stolen personal information to file fraudulent tax returns for refunds.

Be Alert

To avoid becoming a victim of this particular scam, encourage your employees to pay attention to emails that contain the following information:

• The actual name, title and contact information of somebody in the company. Oftentimes, criminals will use the name of the company’s CEO to enhance the message’s legitimacy.

• A request to provide sensitive information, such as: the names of employees along with their Social Security Numbers, date of birth, address, and/or salary, or a PDF of an individual’s 2015 W-2 or an earnings summary of all the company’s W-2s.

Only The Beginning

Unfortunately, businesses appear to have seen an increase of cyberattacks – especially over the last year.

Last June, the Financial Services Information Sharing and Analysis Center, the FBI and the United States Secret Service issued a fraud alert in response to a scam dubbed the “Business Email Compromise,” in which fraudsters compromise “legitimate business email accounts for the purpose of conducting an unauthorized wire transfer.”

Also, in response to a nearly 400 percent increase in phishing and malware incidents so far during this tax season, the IRS renewed its wider consumer alert for email schemes.

These emails are designed by scammers to trick taxpayers into believing they are being sent directly from the IRS, other tax industry professionals and/or software companies.

The best thing to remember when it comes to protecting your business, and yourself, from becoming a victim of fraud is that if something seems a little out of the ordinary, it’s worth checking it out before you act.

“Payroll, HR Departments Targeted By Criminals,” was originally published on March 4, 2016, on Dear Drebit, Rea & Associates’ business advisory blog.

Page 12

Bonus Material

Listen to ‘The Great Data Saver’ on unsuitable on Rea Radio

On episode 12, “The Great Data Saver,” data and online security expert Joe Welker, CISA, shines some light on new IT threats and offers some insight into data protection techniques individuals and businesses can use to prevent disasters, destruction, and the tampering of your critical information.

You’ll hear some of the valuable insight Joe has gleaned from his 32 years of IT experience, including the importance of using intrusion detection systems, password protection, implementing IT protocols and properly qualifying cloud providers through scrutinized security risk assessments.

You can scan the QR code with your smartphone to start listening now or you can find the episode and additional resources at www.reacpa.com/episode-12.

The podcast, unsuitable on Rea Radio, is the unique financial services and business advisory show that challenges your old-school business practices and the traditional business suit culture. You’ll hear from industry professionals who think beyond the suit and tie to offer meaningful, modern solutions to help you enhance your company’s growth. Join host Mark Van Benschoten to learn how to make your business the best it can be.

Mark Van Benschoten, CPA, CGMA, host of unsuitable on Rea Radio, interviews Joe Welker, CISA, about data security for episode 12 of the podcast, “The Great Data Saver.”

Subscribe to unsuitable on Rea Radio on iTunes & SoundCloud

Page 13

Meet Joe Welker

As the IT audit manager at Rea & Associates, a regional accounting and business consulting firm, Joe Welker, CISA, is responsible for reviewing client infrastructure, verifying entity compliance and managing analytical data mining projects for clients throughout the state. Before he began working closely with the firm’s assurance team about five years ago, Joe worked as an IS specialist responsible for overseeing the administration and backup processes of the firm’s business critical systems.

Prior to joining Rea, Joe was responsible for overseeing the training and data verification of more than 60 successful credit union installations and served in various leadership positions. He has also helped lead the investigation and prosecution assistance of five separate fraud related incidents. Joe currently serves as the Board President of Golden Circle Credit Union, Inc., in Massillon, Ohio.

Joe, a certified information systems auditor (CISA), is a member of the international and local chapters of the Information Systems Audit and Control Association. He is frequently sought out for his PCI compliance and disaster recovery expertise as well as for his knowledge about using analytical controls to prevent fraudulent activity. In addition to coauthoring a chapter in The Executive’s Survival Guide, a book designed to help prevent the occurrence of corporate fraud, Joe was recently featured on an episode of unsuitable, a financial services and business advisory podcast for business owners.

Joe Welker, CISA
IT Audit Manager
Rea & Associates