Local Office Blogs

April 15, 2015

The Kansas City office of CBIZ MHM will host a special event, Hacking The Human – How Secure is your Organization? The event will take place at 3:30 p.m. on Thursday, April 23rd at The Dark Horse Distillery.
This event is presented by the KC CFO Group in addition to its calendar of quarterly breakfast events. The afternoon event will feature the CBIZ Business and Technology Risk experts, who will discuss the growing social engineering threats facing organizations today. The discussion will include:
- Social engineering attacks
- Identifying information security weaknesses within your organization
- Mitigating your risk of falling victim to social engineering attacks
- Cybersecurity insurance

If you are an Owner, CFO or CIO of an organization that retains proprietary and/or sensitive customer information, that information and your reputation are at risk!

If you would like to attend, please click here to be directed to our Eventbrite registration page.

July 8, 2014

The 2013 Verizon Data Breach Investigation Report (DBIR) told us that guessing, cracking or reusing passwords led to approximately 80% of data breaches involving hacking and the 2014 Verizon DBIR report remains full of caution related to passwords.

Now that we agree our passwords need improving, consider the advances in technology: cyber criminals have programs that automate password guessing, an approach commonly referred to as a brute force attack. As technology advances, processing power increases, which lets brute-force password cracking programs guess longer passwords in a shorter amount of time. To protect yourself, your job is to make your password difficult to guess yet easy for you to remember.

Our advice? Passwords such as 12345678, Password or Computer1 are easy to remember but are also easy targets for hackers. Instead, use the first letter of each word in a sentence that is easy for you to remember; the result is a long and more complex password. Capitalize some of the letters and include symbols and numbers. For example, from the sentence "My grandson Was born at 6:10am in August" you get MgWb@6:10amiA, a long password (more than 12 characters) that would be difficult to guess but easy to remember. For highly confidential information, the SANS Institute recommends a minimum of 15 characters. Do not use personal information easily found on the internet and social media websites, such as your pet's name.

A common way for cyber criminals to steal your password is to infect your computer. Make sure your computer is protected with anti-virus software and that automatic updating is enabled, so you always have the latest anti-virus definitions.

Use different passwords for different accounts. For example, never use the same passwords for your work or bank accounts as for your Facebook, YouTube or Twitter accounts. If you use only one password everywhere and someone gets that password, you have a problem. If you use different passwords and one of them is stolen, your other accounts are still safe.

Never share your password. Remember it is a secret.

If you have further questions regarding data security or risk advisory, please don't hesitate to contact me, Brenda Brigman, at bbrigman@cbiz.com or (901) 685.5575.

July 1, 2014

The Florida House of Representatives unanimously passed a bill that Florida Governor Rick Scott signed into law. The bill repeals the state's current data security breach law and replaces it with what some are calling the nation's broadest and most encompassing breach law. The Florida Information Protection Act of 2014, which becomes effective July 1, requires companies to take reasonable measures to protect and secure data containing personal information in electronic form, and requires notice to individuals of data security breaches under certain circumstances.

Among other measures, the law will allow the Florida Attorney General to require a copy of the incident or forensic report, along with copies of the company's policies and procedures in force at the time of the data breach. Requiring a company to provide this level of detailed, sensitive information, and repealing rather than amending the existing law, is ground-breaking.

Florida businesses are required to report electronic data breaches within 30 days of the breach. Fines of up to $500,000 for violations of the Act can be assessed.

Key highlights from the amended Act:

  • Expands the definition of “personal information” to now include medical information, health insurance number and online account information (i.e., username and password, e-mail address);
  • Expands the regulatory scope to state governmental agencies, which can now be held accountable for electronic data breaches;
  • Requires notification to the state attorney general if the breach involves over 500 Florida residents; and,
  • Requires both state governmental agencies and private businesses to implement proper data privacy and security protections.

In addition, the State Attorney General is now required to report annually to the State Legislature on data breaches by governmental agencies and to enforce the Act under the state’s Unfair and Deceptive Trade Practices Act. The Governor was quoted saying, “Cyber breach laws are only getting broader, and Florida is not likely to be the last to introduce and pass a broad law”.

Data security exploits are in the news daily. Some questions to consider about your data security include:

  • What are you doing to protect yourself and your customers?
  • How will your organization respond if you suffer a breach of personally identifiable information or credit card information?
  • Are you concerned about liability and fines that you could incur resulting from a data breach?

CBIZ Security & Advisory Services, LLC can help you prevent data breaches, avoid fines, and stay out of the headlines. If you could benefit from an evaluation of your security posture or would like to discuss these questions further, email us at pcihelp@cbiz.com to set up a time to talk, or contact me at bbrigman@cbiz.com or (901) 685-5575.

May 13, 2014

In a February 24, 2014 Federal Register Notice, the Department of Health and Human Services Office for Civil Rights (HHS OCR) announced its plan to survey 1200 organizations – 800 covered entities and 400 business associates – as the first step in selecting organizations for the next round of OCR HIPAA audits. OCR auditors will use an updated protocol that includes the omnibus rules. Any covered entity, or business associate of a covered entity, is subject to the audits.

The next round of HIPAA audits is expected to focus on OCR hot buttons, including timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption, training, and policies and procedures. Covered entities and business associates will have two weeks to respond to initial data requests, less time than those audited during the first round of OCR audits were given.

OCR has indicated that auditors will not seek clarification or additional data, and only data submitted on time will be considered. OCR Director, Leon Rodriguez, provided insight during a Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Forum last December in Boston on the structure that the permanent HIPAA audit program would take:

The other thing is we’re going to look at how we make our audit program permanent. I’ve mentioned before how patients only see a small part of the overall compliance picture. The audit program is critical to seeing the entire picture. We did our audit pilot this year and have an evaluation contract that’s going to go for the next 6-8 months. The idea after that is to have a permanent program, part of which will need to be funded by the proceeds of enforcement. I saw these articles out there that said “More audits are coming” and “Are you ready for audits?” and that’s a smart question because that is really what’s ahead for us. (via healthitsecurity.com)

Failure to comply with HIPAA can result in criminal and civil penalties, with covered entities and business associates liable for penalties ranging up to $1.5 million per violation. OCR found that smaller healthcare providers, i.e., community pharmacies and practices with revenues of less than $50 million per year, were generally vulnerable and non-compliant in all three audit areas: privacy, security and breach notification. Healthcare providers that fell into this category accounted for 65% of all policy violations.

If you have further questions concerning HIPAA audits or compliance, contact Brenda Brigman at bbrigman@cbiz.com or (901) 685.5575.

April 29, 2014

The 2014 Verizon Data Breach Investigations Report has been finalized and released to the public. Nine basic patterns were identified that describe 94% of the confirmed data breaches in 2013. The same nine patterns describe 95% of breaches over the last three years. Point of Sale (POS) intrusions, web application attacks, cyber-espionage and card skimmers make up the top concerns related to data disclosure. No surprise here.

However, the correlation between incident patterns and industries is particularly interesting. Readers can use the associations provided in the report to draw conclusions and recognize which patterns apply to their own organization. Figure 19, on page 15 of the report, lets a reader identify the frequency of each pattern for their industry type. Another graph, Figure 70, maps critical security controls to incident patterns and prioritizes the controls by industry. This figure is especially useful because each control reference is linked to its source, so the defined controls show which security measures to take in order to better protect data from a breach in the specified environments.

Click here to view the report in its entirety. Don’t miss the “Recommendations for Consumers” in Appendix B, page 54. Didn't catch last year's report? View our blog post, "An Overview: Verizon 2013 Data Breach Investigation Report" here.

If you have further questions concerning the payment card industry, data security standards, and/or PCI compliance, contact me at bbrigman@cbiz.com or (901) 685.5575.

April 25, 2014

If you accept payment card information on your website, an attacker exploiting the Heartbleed bug in OpenSSL (Open Secure Sockets Layer) can capture this information directly. Attackers can also use the bug against SSL Virtual Private Networks (VPNs) to obtain information sent over the VPN connection.

Tips for Responding:

  • Almost all vulnerability scanners have updated their plugins to check for this issue. Using your currently updated vulnerability scanner, scan all your public-facing IP addresses that expose an HTTPS service (websites, SSL VPNs, remote logins, etc.).
  • Patch your systems immediately. All vendors are releasing patches. Contact your load balancer, VPN, network device, or server vendor for the fix.
  • If a third party manages your servers, require them to confirm what actions they have taken.
  • Affected users should upgrade to OpenSSL 1.0.1g.
  • Web Application Firewall and Intrusion Prevention System vendors have released signatures for this issue. Update your signatures immediately and ensure they are in Block mode. Expect a performance impact from blocking TLS heartbeat requests, but you may be willing to accept that impact given the exposure that exists until you apply the patch.
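The version check behind the "upgrade to OpenSSL 1.0.1g" tip, written out as an added example (not code from the original post): it screens `openssl version` banners collected from your hosts against the upstream releases that shipped the heartbeat bug. Host names and the inventory are constructed; the banners follow the real `openssl version` output format.

```python
import re

# Added example, not code from the original post. It screens `openssl version`
# output against the upstream OpenSSL releases that shipped the Heartbleed
# heartbeat bug: 1.0.1 through 1.0.1f and 1.0.2-beta1. The fix version the
# post names, 1.0.1g, and the 0.9.8 / 1.0.0 branches never carried it.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from an OpenSSL banner.

    letter is '' for a plain release such as 1.0.1; beta is None unless the
    banner is a beta build such as 1.0.2-beta1.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, m.group(4), beta


def heartbleed_affected(banner):
    """True when the upstream version in the banner had the heartbeat bug."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) sorts before 'a'; 'f' is the last affected letter.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return beta == 1
    return False


def triage(banners):
    """Map each host to 'affected', 'clean' or 'unknown'.

    'clean' is only a first screen: Linux distributions backported the fix
    without changing the upstream version string, and an appliance may not
    expose its library version at all. The post's advice to run an updated
    vulnerability scanner against every HTTPS endpoint settles the question.
    """
    verdicts = {}
    for host, banner in banners.items():
        try:
            verdicts[host] = "affected" if heartbleed_affected(banner) else "clean"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory: the banners follow the real `openssl version`
    # format, the host names are made up.
    sample = {
        "web01": "OpenSSL 1.0.1e 11 Feb 2013",
        "web02": "OpenSSL 1.0.1g 7 Apr 2014",
        "vpn01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
        "lb01": "appliance does not expose its library version",
    }
    for host, verdict in sorted(triage(sample).items()):
        print("%-8s %s" % (host, verdict))
```

Treat "unknown" and "clean" alike until the scanner confirms them; the banner check only tells you which hosts need the patch first.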

The vulnerability leaves no trace of exploitation in logs, so if you even suspect that you may have been compromised, take the following steps to recover your security:

1. Patch your systems immediately
2. Change your SSL certificate (generate a new private key for the replacement; the old key may have been read from server memory)
3. Issue a warning to all customers and ask them to change their passwords immediately
4. Change all system passwords on the affected server (the vulnerability also exposes passwords held in memory)

If you have any further questions concerning the Heartbleed OpenSSL bug, PCI Data Security Standards, or CBIZ Security and Advisory Services, contact Brenda Brigman at bbrigman@cbiz.com or (901) 685.5575.

March 18, 2014

CPAs: The question is not if your client will incur a data breach but when your client will incur a data breach.

As a trusted advisor to your clients, you should be discussing and reviewing your clients' cyber security postures throughout the year. The last thing you want to see is a data breach that lands your client on the front page of the news. As we have learned recently with Target and Neiman Marcus, data breaches can be very costly. Many merchants are still not aware of their Payment Card Industry (PCI) compliance requirement and, therefore, have never reported their PCI status. Typically, when a merchant account is established, there is a legal statement on the Merchant Agreement that notes, "The merchant must maintain PCI compliance at all times." Many merchants fail to recognize the importance of this legal statement.

Today, failure to maintain PCI compliance can lead a merchant to incur fines or, in the worst case, lose the ability to accept credit cards. Clients who have cyber insurance could also jeopardize their policy coverage.

How can you help your clients avoid this fate?

As part of the year-in-review discussions with your clients, you should pay careful attention to identifying if they take debit/credit cards as a form of payment. Since any client who takes a debit/credit card must report their PCI compliance posture annually, this yearly touch presents an opportunity for you to ensure your clients are aware of the PCI compliance mandate. Take these proactive steps each year to reduce your clients’ risks of PCI non-compliance:

  1. Recognize whether your clients take debit/credit cards as a form of payment;
  2. Inform your clients that they must report their PCI compliance status annually, and that failure to do so could result in fines or loss of the ability to accept debit/credit cards; and
  3. If your clients do need assistance with their PCI compliance, refer them to a Qualified Security Assessor Company certified by the PCI Security Standards Council.

Educating your clients is critical to limiting credit card data exposure and complying with the annual PCI mandate. The gamble of PCI non-compliance is not worth the risk.

If you have further questions regarding PCI compliance or data security standards, visit www.cbiz.com/pci or email the CBIZ SAS team at pci@cbiz.com.

January 28, 2014

We are proud to announce the promotion of Karen Cassella, CICA to Managing Director in the Memphis office of CBIZ MHM. Karen has more than 20 years of experience in accounting, internal audit, and consulting services. Her expertise is in risk management with her most recent concentration in the payment card industry, particularly with data security assessment and compliance. She excels at designing and documenting internal controls, lean accounting and business processes, financial and operational policies and procedures, and developing formal risk assessments involving finance, information technology and fraud.

“Karen has been an asset to our organization, as well as a national leader in the CBIZ Security & Advisory Services division,” said Steve Dunavant, Senior Managing Director, CBIZ MHM, Memphis. “Her promotion is well deserved, and we anticipate her new role as Managing Director to be one of great influence in our company.”

She received her Executive MBA from the University of Memphis and her bachelor’s in accounting from Christian Brothers University. She is a Certified Internal Control Auditor (CICA) and a member of the Association of Certified Fraud Examiners (ACFE), the Institute of Internal Auditors (IIA), and the Accounting & Financial Women’s Alliance (AFWA). Karen served as President of the Memphis Chapter of Financial Executives International (FEI) from 2011-2013.

December 19, 2013

Today, Target cites evidence from investigators that a data breach extending over a few weeks, beginning Black Friday through December 15, 2013, potentially compromised debit and credit cards used in nearly all of their 1,797 stores in the United States. Target is partnering with a forensics firm to investigate the matter further, but the unknown number of customers affected by this payment card breach could possibly rank as the largest in history. Target CEO, Gregg Steinhafel, made a statement this morning regarding maintaining trust in the brand:

"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause. We take this matter very seriously and are working with law enforcement to bring those responsible to justice."

Karen Cassella, Executive Vice President of CBIZ Security & Advisory Services, LLC, recommends taking the following steps if you are concerned that your information may have been hacked:

1. Find out exactly what information was stolen
2. Cancel the credit/debit cards that were compromised immediately (if your bank didn't do so automatically)
3. Monitor your credit and debit card transactions daily and watch for any unauthorized charges
4. Talk with your bank representative to see what they can do
5. Pull your free credit reports

Visit www.cbiz.com/pci for more information regarding CBIZ Security & Advisory Services, LLC and contact Karen Cassella (kcassella@cbiz.com) at (901) 685-5575 or email the CBIZ SAS team at pci@cbiz.com.

October 24, 2013

The Payment Card Industry Security Standards Council (PCI SSC) has announced that the data security standard (PCI DSS) Version 3.0 is expected to be released in November. In a press release, PCI SSC Chief Technology Officer, Troy Leach, said that PCI DSS 3.0 will "provide organizations with the framework for assessing the risk involved with their technologies and platforms." He also noted that the changes will give organizations the flexibility to apply these principles to their unique payment and business environments.

The new guidelines, which encourage organizations to focus on security rather than compliance, were created to:

  • Clarify PCI DSS requirements;
  • Build greater understanding on the intent of the requirements and how to apply them;
  • Improve flexibility for all entities implementing, assessing, and building to the Standards;
  • Drive more consistency among assessors;
  • Align with changes in industry best practices;
  • Clarify scoping and reporting; and
  • Eliminate redundant sub-requirements and consolidate documentation.

Some of the more significant changes are still under review before the final version is released. All entities that process, store or transmit cardholder data are expected to comply with Version 3.0 by December 2014. We expect to see sub-section requirements recommended as a best practice until July 2014.

This post was written by Brenda Brigman, Executive Vice President of CBIZ Security & Advisory Services, LLC. Brenda is responsible for performing Payment Card Industry Data Security Standard (PCI-DSS) compliance assessments, IT SOX testing, HIPAA, ISO, network security reviews and IT risk assessments, including assessing and testing the level of IT security over infrastructure components and application integrated controls. Visit www.cbiz.com/pci for more information regarding CBIZ Security & Advisory Services, LLC and contact Karen Cassella (kcassella@cbiz.com), Executive Vice President, CBIZ SAS at (901) 685-5575 or email the CBIZ SAS team at pci@cbiz.com.