Local Office Blogs

July 8, 2014

The 2013 Verizon Data Breach Investigations Report (DBIR) told us that guessing, cracking or reusing passwords led to approximately 80% of data breaches involving hacking, and the 2014 Verizon DBIR remains full of caution related to passwords.

If that convinces you that your passwords need improving, consider how technology has advanced: cyber criminals use programs that automate password guessing, which is commonly referred to as a brute force attack. As processing power increases, these password cracking programs can guess longer passwords in a shorter amount of time. To protect yourself, your job is to make your password difficult to guess yet easy for you to remember.

Our advice? Passwords such as 12345678, Password or Computer1 are easy to remember but are also easy targets for hackers. Instead, take a sentence that is easy for you to remember and use the first letter of each word; the result is a long and more complex password. Capitalize some of the letters and include symbols and numbers. For example, from the sentence "My grandson Was born at 6:10am in August." you get MgWb@6:10amiA, a long password (more than 12 characters) that would be difficult to guess but easy to remember. For highly confidential information, the SANS Institute recommends a minimum of 15 characters. Do not use personal information that is easily found on the internet and social media websites, such as your pet's name.
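As an added example (not part of the original post), the Python script below implements the first-letter method described above and measures the result against the post's length advice: it turns a memorable sentence into a password, counts the character classes an attacker would have to enumerate, and reports whether the password clears the 12-character and 15-character marks. The substitutions other than "at" to "@", the alphabet-size model and all function names are assumptions made for this example.

```python
import math
import string

# Thresholds from the post: more than 12 characters for the example password,
# and the SANS Institute's minimum of 15 characters for highly confidential data.
MIN_LENGTH = 12
SANS_CONFIDENTIAL_MIN = 15

# Word-to-symbol substitutions. "at" -> "@" is what the post's example does;
# the other entries are assumptions added here for illustration.
DEFAULT_SUBSTITUTIONS = {"at": "@", "and": "&", "to": "2", "for": "4"}


def mnemonic_password(sentence, substitutions=None):
    """Build a password from a memorable sentence, first-letter style.

    Rules derived from the post's example
    "My grandson Was born at 6:10am in August." -> "MgWb@6:10amiA":
      * keep the first character of each word, with its original case;
      * replace words listed in `substitutions` with a symbol or digit;
      * keep tokens that start with a digit whole, e.g. "6:10am";
      * drop surrounding punctuation such as the final period.
    """
    subs = DEFAULT_SUBSTITUTIONS if substitutions is None else substitutions
    parts = []
    for token in sentence.split():
        token = token.strip(".,;:!?\"'()")
        if not token:
            continue
        if token.lower() in subs:
            parts.append(subs[token.lower()])
        elif token[0].isdigit():
            parts.append(token)
        else:
            parts.append(token[0])
    return "".join(parts)


def alphabet_size(password):
    """Size of the smallest standard character set that covers the password,
    i.e. how many candidates a brute-force attacker must try per position."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def search_space_bits(password):
    """log2 of the number of candidates an exhaustive brute-force attack has to
    try for passwords of this length drawn from this alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def assess(password):
    """Summarise a password against the post's length advice."""
    return {
        "length": len(password),
        "bits": round(search_space_bits(password), 1),
        "longer_than_12": len(password) > MIN_LENGTH,
        "meets_sans_15": len(password) >= SANS_CONFIDENTIAL_MIN,
    }


if __name__ == "__main__":
    generated = mnemonic_password("My grandson Was born at 6:10am in August.")
    for pw in ("12345678", "Password", "Computer1", generated):
        print(pw.ljust(16), assess(pw))
```

The bit count models only exhaustive guessing over the full alphabet; dictionary and word-mangling attacks do far better against passwords built from names, dates and other personal details, which is exactly why the post tells you to keep that information out of the sentence you choose.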

A common way for cyber criminals to steal your password is to infect your computer. Make sure your computer is protected with anti-virus software and that automatic updating is enabled, so that you always have the latest anti-virus protection available.

Use different passwords for different accounts. For example, never use the same passwords for your work or bank accounts as for your Facebook, YouTube or Twitter accounts. If you use only one password everywhere and someone gets that password, you have a problem. If you use different passwords and one of them is hacked, your other accounts are still safe.

Never share your password. Remember it is a secret.

If you have further questions regarding data security or risk advisory, please don't hesitate to contact me, Brenda Brigman, at bbrigman@cbiz.com or (901) 685.5575.

July 1, 2014

The Florida House of Representatives passed the bill by a unanimous vote, and Florida Governor Rick Scott signed it into law. The bill repeals the state's current data security breach law and replaces it with what some are calling the nation's broadest and most encompassing breach law. The Florida Information Protection Act of 2014, which becomes effective July 1, requires companies to take reasonable measures to protect and secure data containing personal information in electronic form and requires notice to individuals of data security breaches under certain circumstances.

Among other measures, the law will allow the Florida Attorney General to require a copy of the incident or forensic report, along with copies of the company's policies and procedures in effect at the time of the data breach. Requiring a company to provide this level of detailed, sensitive information, and repealing rather than amending the existing law, is ground-breaking.

Florida businesses are required to report electronic data breaches within 30 days of the breach. Fines of up to $500,000 for violations of the Act can be assessed.

Key highlights from the amended Act:

  • Expands the definition of “personal information” to now include medical information, health insurance number and online account information (i.e., username and password, e-mail address);
  • Expands the regulatory scope to state governmental agencies, which can now be held accountable for electronic data breaches;
  • Requires notification to the state attorney general if the breach involves over 500 Florida residents; and,
  • Requires both state governmental agencies and private businesses to implement proper data privacy and security protections.

In addition, the State Attorney General is now required to report annually to the State Legislature on data breaches by governmental agencies and to enforce the Act under the state’s Unfair and Deceptive Trade Practices Act. The Governor was quoted saying, “Cyber breach laws are only getting broader, and Florida is not likely to be the last to introduce and pass a broad law”.

Data security exploits are in the news daily. Some questions to consider about your data security include:

  • What are you doing to protect yourself and your customers?
  • How will your organization respond if you suffer a breach of personally identifiable information or credit card information?
  • Are you concerned about liability and fines that you could incur resulting from a data breach?

CBIZ Security & Advisory Services, LLC has the capability to help you prevent data breaches, avoid fines, and stay out of the headlines. If you could benefit from an evaluation of your security posture or would like to discuss these questions further, email us at pcihelp@cbiz.com to set up a time to talk, or contact me at bbrigman@cbiz.com or (901) 685-5575.

May 13, 2014

In a February 24, 2014 Federal Register Notice, the Department of Health and Human Services Office for Civil Rights (HHS OCR) announced its plan to survey 1200 organizations, 800 covered entities and 400 business associates, as the first step in selecting organizations for the next round of OCR HIPAA audits. OCR auditors will use an updated protocol that includes the omnibus rules. Any covered entity, or business associate of a covered entity, is subject to the audits.

The next round of HIPAA audits is expected to focus on OCR hot buttons including timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption, training, and policies and procedures. Covered entities and business associates will have two weeks to respond to initial data requests, which will be less time to respond than those audited during the first round of OCR audits.

OCR has indicated that auditors will not seek clarification or additional data, and only data submitted on time will be considered. OCR Director, Leon Rodriguez, provided insight during a Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Forum last December in Boston on the structure that the permanent HIPAA audit program would take:

The other thing is we’re going to look at how we make our audit program permanent. I’ve mentioned before how patients only see a small part of the overall compliance picture. The audit program is critical to seeing the entire picture. We did our audit pilot this year and have an evaluation contract that’s going to go for the next 6-8 months. The idea after that is to have a permanent program, part of which will need to be funded by the proceeds of enforcement. I saw these articles out there that said “More audits are coming” and “Are you ready for audits?” and that’s a smart question because that is really what’s ahead for us. (via healthitsecurity.com)

Failure to comply with HIPAA can result in criminal and civil penalties, with covered entities and business associates liable for penalties ranging up to $1.5 million per violation. OCR found that smaller healthcare providers, i.e., community pharmacies and practices with revenues of less than $50 million per year, were generally vulnerable and non-compliant in all three audit areas: privacy, security and breach notification. Healthcare providers that fell into this category accounted for 65% of all policy violations.

If you have further questions concerning HIPAA audits or compliance, contact Brenda Brigman at bbrigman@cbiz.com or (901) 685.5575.

April 29, 2014

The 2014 Verizon Data Breach Investigations Report has been finalized and released to the public. Nine basic patterns were identified that describe 94% of the confirmed data breaches in 2013. The same nine patterns describe 95% of breaches over the last three years. Point of Sale (POS) intrusions, web application attacks, cyber-espionage and card skimmers make up the top concerns related to data disclosure. No surprise here.

However, particularly interesting is the correlation between incident patterns and industries. Readers can use the associations provided in the report to recognize which patterns apply to their own organization. Figure 19, on page 15 of the report, shows the frequency of each pattern by industry type. Another graph, Figure 70, maps critical security controls to incident patterns and prioritizes the controls by industry. This figure is especially useful because the control references link back to the source of each defense: the defined controls show which security measures to take in order to better protect data from a breach in a given environment.

Click here to view the report in its entirety. Don’t miss the “Recommendations for Consumers” in Appendix B, page 54. Didn't catch last year's report? View our blog post, "An Overview: Verizon 2013 Data Breach Investigation Report" here.

If you have further questions concerning the payment card industry, data security standards, and/or PCI compliance, contact me at bbrigman@cbiz.com or (901) 685.5575.

April 25, 2014

If you accept Payment Card Information (PCI) on your website, an attacker using the Heartbleed Open Secure Sockets Layer (SSL) Bug can capture this information directly. Additionally, attackers can use this bug against SSL Virtual Private Networks (VPNs) to obtain information sent over the VPN connection.

Tips for Responding:

  • Almost all vulnerability scanners have updated their plugins to check for this issue. Scan all your public facing IP addresses that expose an HTTPS service (websites, SSL VPNs, remote logins, etc.) using your currently updated vulnerability scanner.
  • Patch your systems immediately. All vendors are releasing patches. Contact your load balancer, VPN, network device, or server vendor for the fix.
  • If a third-party manages your servers, require them to confirm what actions they have taken.
  • Affected users should upgrade to OpenSSL 1.0.1g.
  • All Web Application Firewalls and Intrusion Prevention Systems have released signatures for this issue. Update your signatures immediately and ensure they are in Block mode. Expect a performance impact from blocking TLS heartbeat requests, but you may be willing to accept that impact given the exposure that exists until you apply the patch.

The vulnerability leaves no trace of exploitation, so if you even suspect that you may have been compromised take the following steps to recover your security:

1. Patch your systems immediately
2. Change your SSL certificate
3. Issue a warning to all customers and ask them to change their passwords immediately
4. Change all system passwords on the affected server (the vulnerability also compromises in-memory passwords)
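As an added example (not part of the original post), the Python script below does the first triage step behind the "upgrade to OpenSSL 1.0.1g" advice above: it parses the banner that `openssl version` prints on each server, classifies the 1.0.1 line as vulnerable below 1.0.1g and patched from 1.0.1g onward, and produces the list of hosts that still need step 1 of the recovery steps. The sample inventory, hostnames and banner strings are constructed for the example, and the function names are assumptions.

```python
import re

# From the post: affected users should upgrade to OpenSSL 1.0.1g. The heartbeat
# bug lives in the 1.0.1 line: 1.0.1 through 1.0.1f are affected, 1.0.1g and
# later are fixed, and the 0.9.8 / 1.0.0 lines never contained the heartbeat code.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "OpenSSL 1.0.1e 11 Feb 2013" and "OpenSSL 1.0.1 14 Mar 2012" alike.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn the output of `openssl version` into a (major, minor, fix, letter) tuple."""
    match = _BANNER_RE.search(banner)
    if not match:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'patched' or 'not-affected'.

    This is version-number triage only: it cannot see distribution backports
    (a Debian- or Red Hat-packaged 1.0.1e may already carry the fix), and it
    does not model the short-lived 1.0.2 beta line.
    """
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != AFFECTED_BRANCH:
        return "not-affected"
    # Patch letters sort alphabetically; "" (plain 1.0.1) and "a".."f" precede "g".
    return "vulnerable" if letter < FIRST_FIXED_LETTER else "patched"


def hosts_needing_patch(inventory):
    """Given {hostname: banner}, return the hosts still on a vulnerable build, sorted."""
    return sorted(host for host, banner in inventory.items()
                  if heartbleed_status(banner) == "vulnerable")


# Constructed sample inventory: the hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "vpn.example.internal": "OpenSSL 1.0.1e 11 Feb 2013",
    "shop.example.internal": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.internal": "OpenSSL 0.9.8y 5 Feb 2013",
    "lb.example.internal": "OpenSSL 1.0.1 14 Mar 2012",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(host.ljust(26), banner.ljust(30), heartbleed_status(banner))
    print("needs patching:", hosts_needing_patch(SAMPLE_INVENTORY))
```

Because vendors backported the fix into packages that still report an older version number, a "vulnerable" verdict here means "check this host", not "confirmed exploitable"; the updated vulnerability scanner the post recommends, which sends an actual heartbeat request, is what settles each case.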

If you have any further questions concerning the Heartbleed Open SSL Bug, PCI Data Security Standards, or CBIZ Security and Advisory Services, contact Brenda Brigman at bbrigman@cbiz.com or (901) 685.5575.

October 24, 2013

The Payment Card Industry Security Standards Council (PCI SSC) has announced that the data security standard (PCI DSS) Version 3.0 is expected to be released in November. In a press release, PCI SSC Chief Technology Officer Troy Leach said that PCI DSS 3.0 will "provide organizations with the framework for assessing the risk involved with their technologies and platforms." He also noted that the changes will provide the flexibility to apply these principles to organizations' unique payment and business environments.

The new guidelines, which encourage organizations to focus on security rather than compliance, were created to:

  • Clarify PCI DSS requirements;
  • Build greater understanding on the intent of the requirements and how to apply them;
  • Improve flexibility for all entities implementing, assessing, and building to the Standards;
  • Drive more consistency among assessors;
  • Align with changes in industry best practices;
  • Clarify scoping and reporting; and
  • Eliminate redundant sub-requirements and consolidate documentation.

Some of the more significant changes are still under review before the final version is released. All entities that process, store or transmit cardholder data are expected to comply with Version 3.0 by December 2014. We expect to see some sub-section requirements recommended as a best practice until July 2014.

This post was written by Brenda Brigman, Executive Vice President of CBIZ Security & Advisory Services, LLC. Brenda is responsible for performing Payment Card Industry Data Security Standard compliance assessments (PCI-DSS), IT SOX testing, HIPAA, ISO, network security reviews and IT risk assessments including assessing and testing the level of IT security over infrastructure components and application integrated controls. Visit www.cbiz.com/pci for more information regarding CBIZ Security & Advisory Services, LLC and contact Karen Cassella (kcassella@cbiz.com), Executive Vice President, CBIZ SAS at (901) 685-5575 or email the CBIZ SAS team at pci@cbiz.com.    

September 26, 2013

Advocate Medical Group has experienced a theft of four encrypted computers which may have exposed information on 4 million of their patients. A class action lawsuit has been filed against the group, stating that the data breach has put its victims at risk of identity theft and fraud. The suit alleges that Advocate's failure to safeguard and secure its data has put these individuals at risk. It is important to note that there is no evidence any patient has been subject to fraud; the class action lawsuit was filed on the basis that victims were put at risk.

The organization has published statements, including this one on their website, that include deeply regretting inconvenience caused to the patients who entrusted them with their care.

Under Section 13402(e)(4) of the HITECH Act, breaches of unsecured protected health information affecting 500 or more individuals must be posted on what has become known as the “wall of shame." Advocate Medical Group will regretfully make the cut.

April 4, 2013

CBIZ Security & Advisory Services (SAS), LLC has expanded its payment data security service offering by obtaining the prestigious Qualified Security Assessor Designation (QSA) from the Payment Card Industry Security Standards Council. This designation enables CBIZ SAS, which specializes in data security, risk management and consulting services, to assess compliance and validate adherence to the PCI Data Security Standard.

This achievement will allow CBIZ Security & Advisory Services to expand its services, increasing its capability to perform a variety of tasks and helping it become more cost-effective and operationally efficient. "Information security is an ever-evolving field that requires an understanding of both technical solutions and business process controls to secure confidential information," says Brenda Brigman, Executive Vice President. "This accreditation places CBIZ Security & Advisory Services among a select group of providers."

In order to become a certified QSA company, CBIZ Security & Advisory Services undertook a thorough review process to provide evidence that the company delivers PCI assessments in accordance with the PCI Data Security Standards at the highest level of performance and industry standards.

Karen Cassella, Executive Vice President of CBIZ Security & Advisory Services, states, "We can now provide clients with Qualified Security Assessors (PCI QSA) who have been certified by the Council to validate PCI DSS compliance. This is required when going through a PCI compliance audit."

The goal of PCI DSS standards is to minimize the risk of credit card fraud and to prevent other data security risks. Both large and small organizations that store, process or transmit payment card data via the five major payment card providers -- Visa, MasterCard, American Express, JCB and Discover -- must meet the standards to maintain the ability to accept payment cards. If not, they could face acquirer penalties and impair customer confidence and trust in doing business with them.

To find out more about our PCI Team and the services we offer visit: www.cbiz.com/pci.
