
Local Office Blogs






April 29, 2014

The 2014 Verizon Data Breach Investigations Report has been finalized and released to the public. Nine basic patterns describe 94% of the confirmed data breaches in 2013, and the same nine patterns describe 95% of breaches over the last three years. Point of Sale (POS) intrusions, web application attacks, cyber-espionage and card skimmers make up the top concerns related to data disclosure. No surprise here.

Particularly interesting, however, is the correlation between incident patterns and industries. Readers can use the associations provided in the report to recognize which patterns apply to their own organization. Figure 19, on page 15 of the report, shows the frequency of each pattern by industry type. Another graph, Figure 70, maps critical security controls to incident patterns and prioritizes the controls by industry. This figure is especially useful because each control reference points back to the published control definition, so a reader can trace a recommended measure to its source. Together, these figures show which security measures to prioritize in order to better protect data from a breach in a given environment.

Click here to view the report in its entirety. Don’t miss the “Recommendations for Consumers” in Appendix B, page 54. Didn't catch last year's report? View our blog post, "An Overview: Verizon 2013 Data Breach Investigation Report" here.

If you have further questions concerning the payment card industry, data security standards, and/or PCI compliance, contact me at bbrigman@cbiz.com or (901) 685.5575.




April 25, 2014

If you accept payment card information on your website, an attacker exploiting the Heartbleed bug in OpenSSL can read up to 64 KB of your web server's process memory per request. That memory may contain card data being processed, session cookies, user credentials and the server's private key. SSL Virtual Private Network (VPN) concentrators built on a vulnerable OpenSSL are exposed the same way: an attacker can recover information sent over VPN sessions from the appliance's memory.

Tips for Responding:

  • Almost all vulnerability scanners have updated their plugins to check for this issue. Scan all your public-facing IP addresses that expose an HTTPS or other TLS service (websites, SSL VPNs, remote logins, mail, etc.) using your currently updated vulnerability scanner.
  • Patch your systems immediately. Vendors are releasing patches. Contact your load balancer, VPN, network device, or server vendor for the fix.
  • If a third party manages your servers, require them to confirm what actions they have taken.
  • Affected users should upgrade to OpenSSL 1.0.1g. OpenSSL 1.0.1 through 1.0.1f are affected; the 1.0.0 and 0.9.8 branches never contained the vulnerable heartbeat code. Note that Linux distributions typically backport the fix without changing the upstream version number (a patched Red Hat system still reports 1.0.1e), so confirm with the package changelog or a scanner rather than trusting the version string alone.
  • Most Web Application Firewall and Intrusion Prevention System vendors have released signatures for this issue. Update your signatures immediately and ensure they are in Block mode. Expect a performance impact from inspecting and blocking TLS heartbeat requests, but you may be willing to accept the impact given the exposure that exists until you apply the patch.
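As an added illustration of the "upgrade to 1.0.1g" tip above (this is example code written for this page, not something from the original post or from OpenSSL), the script below triages the banner printed by `openssl version` into one of four results. The version ranges it encodes are the published ones for CVE-2014-0160: 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release are vulnerable, 1.0.1g and later carry the fix, and anything older than 1.0.1 never had the heartbeat code. The result names, the `OpenSSLVersion` record and the sample banners are this example's own constructions. Because distributions backport the fix without bumping the upstream letter, an "in affected range" result is a lead to confirm against the vendor advisory or a scanner, never a final verdict.

```python
"""Triage `openssl version` output for Heartbleed (CVE-2014-0160) exposure.

Example code for this post, not part of OpenSSL or any CBIZ tooling.
Assumes the standard banner format, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
"""
import re
import subprocess
from typing import NamedTuple, Optional

# Captures major.minor.fix, an optional single patch letter (1.0.1e -> "e")
# and an optional "-betaN" tag. Distro suffixes such as "-fips" are ignored.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")

# Result labels (names chosen for this example).
NOT_AFFECTED = "not_affected"            # branch predates the heartbeat code
FIXED = "fixed"                          # release that carries the fix
IN_AFFECTED_RANGE = "in_affected_range"  # upstream version is vulnerable; confirm backports
UNKNOWN = "unknown"                      # banner not recognised (e.g. LibreSSL)


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str            # "" when the release has no patch letter
    beta: Optional[int]   # beta number, or None for a final release


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Parse an `openssl version` banner; return None if it is not OpenSSL."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, fix, patch, beta = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), patch,
                          int(beta) if beta else None)


def heartbleed_status(banner: str) -> str:
    """Classify a banner against the published CVE-2014-0160 version ranges."""
    v = parse_openssl_version(banner)
    if v is None:
        return UNKNOWN
    branch = (v.major, v.minor, v.fix)
    if branch < (1, 0, 1):
        # 0.9.8 and 1.0.0 never shipped the TLS heartbeat implementation.
        return NOT_AFFECTED
    if branch == (1, 0, 1):
        # 1.0.1 (including its betas) and 1.0.1a..1.0.1f are vulnerable;
        # 1.0.1g (7 Apr 2014) is the first fixed release. Single letters
        # compare correctly as strings; "" (no letter) sorts before "g".
        return FIXED if v.patch >= "g" else IN_AFFECTED_RANGE
    if branch == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release carried the bug.
        return IN_AFFECTED_RANGE if v.beta == 1 else FIXED
    # 1.0.2 final and every later branch post-date the fix.
    return FIXED


def local_openssl_status() -> str:
    """Run `openssl version` on this host and triage the result."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    return heartbleed_status(banner)


if __name__ == "__main__":
    # Constructed sample banners, not collected from real systems.
    samples = [
        "OpenSSL 1.0.1e-fips 11 Feb 2013",   # RHEL-style; patched builds look the same
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "LibreSSL 2.8.3",
    ]
    for s in samples:
        print(f"{s!r:40} -> {heartbleed_status(s)}")
```

Run it on a host and only the `fixed` and `not_affected` results can be taken at face value; an `in_affected_range` result on a distribution package means the next step is the vendor's advisory for that exact package build, or the scanner check from the first tip.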

The vulnerability leaves no trace of exploitation in server logs, so if you even suspect that you may have been compromised, take the following steps to recover your security:

1.   Patch your systems immediately

2.   Generate a new private key, reissue your SSL certificate and revoke the old certificate (the old private key may have been read from memory, so a new certificate on the same key does not help)

3.   Issue a warning to all customers and ask them to change their passwords immediately

4.   Change all system passwords on the affected server and invalidate active sessions (the vulnerability also exposes passwords and session tokens held in memory)

If you have any further questions concerning the Heartbleed Open SSL Bug, PCI Data Security Standards, or  CBIZ Security and Advisory Services, contact Brenda Brigman at bbrigman@cbiz.com or (901) 685.5575.




March 18, 2014

CPAs: The question is not if your client will incur a data breach but when your client will incur a data breach.

As a trusted advisor to your clients, you should be discussing and reviewing your clients' cyber security postures throughout the year. The last thing you want to see is a data breach that lands your client on the front page of the news. As we have learned recently with Target and Neiman Marcus, data breaches can be very costly. Many merchants are still not aware of their Payment Card Industry (PCI) compliance requirement and, therefore, have never reported their PCI status. Typically, when a merchant account is established, there is a legal statement on the Merchant Agreement that notes, "The merchant must maintain PCI compliance at all times." Many merchants fail to recognize the importance of this legal statement.

Today, failure to maintain PCI compliance can lead the merchant to incur fines or, in the worst case, lose the ability to accept credit cards. Clients who carry cyber insurance could also jeopardize their policy coverage.

How can you help your clients avoid this fate?

As part of the year-in-review discussions with your clients, you should pay careful attention to identifying if they take debit/credit cards as a form of payment. Since any client who takes a debit/credit card must report their PCI compliance posture annually, this yearly touch presents an opportunity for you to ensure your clients are aware of the PCI compliance mandate. Take these proactive steps each year to reduce your clients’ risks of PCI non-compliance:

  1. Recognize whether your clients take debit/credit cards as a form of payment;
  2. Inform your clients that they must report their PCI compliance status annually, and that failure to do so could result in fines or loss of the ability to accept debit/credit cards; and
  3. If your clients need assistance with their PCI compliance, refer them to a Qualified Security Assessor company certified by the PCI Security Standards Council.

Educating your clients is critical in limiting credit card data exposure and complying with the annual PCI mandate. The gamble of PCI non-compliance is not worth the risks.  

If you have further questions regarding PCI compliance or data security standards, visit www.cbiz.com/pci or email the CBIZ SAS team at pci@cbiz.com.




December 19, 2013
Today, Target cites evidence from investigators that a data breach extending over a few weeks, beginning Black Friday through December 15, 2013, potentially compromised debit and credit cards used in nearly all of their 1,797 stores in the United States. Target is partnering with a forensics firm to investigate the matter further, but the unknown number of customers affected by this payment card breach could possibly rank as the largest in history. Target CEO, Gregg Steinhafel, made a statement this morning regarding maintaining trust in the brand:
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause. We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”

Karen Cassella, Executive Vice President of CBIZ Security & Advisory Services, LLC, recommends taking the following steps if you are concerned that your information may have been hacked:

1. Find out exactly what information was stolen

2. Cancel the compromised credit/debit cards immediately (if your bank didn't do so automatically)

3. Monitor your credit and debit card transactions daily and watch for any unauthorized charges

4. Talk with your bank representative to see what they can do

5. Pull your free credit reports

Visit www.cbiz.com/pci for more information regarding CBIZ Security & Advisory Services, LLC and contact Karen Cassella (kcassella@cbiz.com) at (901) 685-5575 or email the CBIZ SAS team at pci@cbiz.com.    




October 24, 2013

The Payment Card Industry Security Standards Council (PCI SSC), responsible for developing and maintaining the payment card security standards, has announced that Version 3.0 of the data security standard (PCI DSS) is expected to be released in November. In a press release, PCI SSC Chief Technology Officer Troy Leach said that PCI DSS 3.0 will "provide organizations with the framework for assessing the risk involved with their technologies and platforms." He also noted that the changes will give organizations the flexibility to apply these principles to their unique payment and business environments.

The new guidelines, which encourage organizations to focus on security rather than compliance, were created to:

  • Clarify PCI DSS requirements;
  • Build greater understanding on the intent of the requirements and how to apply them;
  • Improve flexibility for all entities implementing, assessing, and building to the Standards;
  • Drive more consistency among assessors;
  • Align with changes in industry best practices;
  • Clarify scoping and reporting; and
  • Eliminate redundant sub-requirements and consolidate documentation.

Some of the more significant changes are still under review before the final version is released. Version 2.0 will remain valid through December 31, 2014, so all entities that process, store or transmit cardholder data are expected to be assessed against Version 3.0 from January 2015. Several of the new sub-requirements are expected to be treated as best practices until June 30, 2015, after which they become mandatory.

This post was written by Brenda Brigman, Executive Vice President of CBIZ Security & Advisory Services, LLC. Brenda is responsible for performing Payment Card Industry Data Security Standard compliance assessments (PCI-DSS), IT SOX testing, HIPAA, ISO, network security reviews and IT risk assessments including assessing and testing the level of IT security over infrastructure components and application integrated controls. Visit www.cbiz.com/pci for more information regarding CBIZ Security & Advisory Services, LLC and contact Karen Cassella (kcassella@cbiz.com), Executive Vice President, CBIZ SAS at (901) 685-5575 or email the CBIZ SAS team at pci@cbiz.com.    



October 3, 2013

Our blog has been up and running since early spring (our first blog post was published March 26, 2013), bringing you tax and accounting news, industry updates, expert insight, and a small glimpse into our company culture. Hopefully, through all the heavy subject matter, you've learned we like to have fun both inside and outside of the office.

As we move into the Fall season, though the weather still needs to catch up, we'd like to share our list of the Top 5 Most Popular Blog Posts as a refresher on all that's good at CBIZ MHM Memphis:

1.   The Health Insurance Marketplace: Model Notice to Employees

2.   Top 10 Reasons to Work at CBIZ MHM Memphis

3.   CBIZ Memphis to Host CFO/Controller Conference Series (watch out for similar posts featuring the speakers of our upcoming November 2013 CFO/Controller Conference)

4.  An Overview: Verizon 2013 Data Breach Investigations Report

5.   Is Employee Satisfaction Enough? Time to Rethink Employee Engagement Strategies

Have a topic you would like to see covered on our blog? Click "Leave a reply" to post a question or concern.




September 26, 2013
Advocate Medical Group has experienced a theft of four unencrypted computers which may have exposed information on 4 million of their patients. A class action lawsuit has been filed against the group, alleging that Advocate's failure to safeguard and secure its data has put the victims at risk of identity theft and fraud. It is important to note that there is no evidence any patient has actually been subject to fraud; the suit was filed on the basis that victims were put at risk.

The organization has published statements, including this one on their website, that include deeply regretting inconvenience caused to the patients who entrusted them with their care.

Under Section 13402(e)(4) of the HITECH Act, breaches of unsecured protected health information affecting 500 or more individuals must be posted on what has become known as the "wall of shame." Because the stolen computers were not encrypted, the data counts as unsecured, and Advocate Medical Group will regretfully make the cut.

This post was written by Brenda Brigman, Executive Vice President of CBIZ Security & Advisory Services, LLC.



August 27, 2013

Harbor Freight Tools reported a cyber-attack in late July after it was discovered by credit card companies. With over 400 brick-and-mortar stores, online retail capabilities and catalog sales, the amount of data breached could qualify it as one of the largest retail breaches of 2013.

This data breach follows a long line of other data breaches from earlier this year. In the spring, the convenience-store chain Mapco alerted customers of a breach affecting multiple locations in seven states, and a breach of the Presbyterian Anesthesia Associates website in Charlotte, N.C., affected nearly 10,000 people.

2012 saw 621 confirmed data breaches. 66% of those took months or more to discover, and 69% were discovered by external parties. These figures come from the 2013 Verizon Data Breach Investigations Report, which drew on incident data contributed by nineteen organizations around the world.

Correspondence went out to customers in a letter July 20th noting, "Harbor Freight Tools was advised by credit card companies that it may have been the target of a cyber attack against our payment processing system similar to attacks being reported by other national retailers." Though an exact number of customers affected by this particular breach has not been released by Harbor Freight, Data Breach Today reports "one card issuer says more than 10,000 of its cardholders have so far been impacted; another issuer estimates more than 20,000 of its cardholders have been affected."

One thing is for certain, data security attacks are becoming more common with the increase in online collection and processing of card data. Companies must take charge of their own payment card systems and make sure they are compliant with data security standards. In fact, the National Association of Federal Credit Unions (NAFCU) is proposing to hold merchants more accountable for data security breaches with their 5-point plan for regulatory reform. It is now more important than ever that the controls your business has in place adequately protect consumer information.  

For the full Harbor Freight Tools story visit Data Breach Today's website. 





July 23, 2013

The National Association of Federal Credit Unions (NAFCU) is proposing to hold merchants accountable for data security breaches. The banking group recommends Congress create national standards for retailers and processors to uphold when they collect and process payment card data. The legislation would create uniform security practices for the protection of all financial information.  The NAFCU has been actively working to gain support for this issue.

Fred Becker Jr., President & CEO of the NAFCU,  described in a recent letter to Congressional leaders the organization's Five-Point Plan for Regulatory Relief. He notes:

"Our nation's credit unions are struggling under an ever-increasing regulatory burden that must be immediately addressed. A survey of NAFCU members late last year found that 94% have seen their regulatory burden increase....Credit unions, many of which have very small compliance departments, and in some cases only one compliance officer, must comply with the same rules and regulations as our nation's largest financial institutions that employ armies of lawyers."

The 5 points outlined in the plan include the following:

  • Administrative Improvements to the National Credit Union Administration (NCUA)
  • Capital Reforms
  • Structural Improvements
  • Operational Improvements
  • Data Security Reforms

For more information on the NAFCU's Five-Point Plan for Regulatory Relief click here.





June 11, 2013

The PCI Security Standards Council (PCI SSC), responsible for developing and maintaining the payment card security standards, has announced the start of the PCI Special Interest Group (SIG) proposal period for 2014 projects. During this period, beginning June 1st and running through July 25th, participating organizations can submit ideas and voice concerns to the Council through its website. Past results have shown this collaboration is key in addressing challenges and making significant changes in the payment card industry.

"The real value in Special Interest Groups is that they are driven by the community at large. The ideas come from those who are living and breathing payment card security every day, representing a variety of industries and job functions," said Bob Russo, General Manager of the PCI Security Standards Council, earlier this month in a release.

The PCI community will have the opportunity to vote in the SIG election in November, selecting up to three projects they would like the Council to pursue over the coming year. For the full PCI Security Standards Council press release click here.




