13 Jan 2020
The 21st-century holiday Grinch is now a “smart” TV (or any other “smart” household product) nosing into your family’s privacy. The new Scrooge is the ransomware cybercriminal trying to waste your resources and/or steal your money. Enter the Elf on a Shelf. He’s watching everything ‒ while reading Cyber Roundup ‒ and suggesting that you remain tech vigilant and get us involved. We can keep you alert to cybercrimes and, if asked, can provide your organization with our expertise in risk assessment and mitigation.
Joy and peace to all our readers.
The following is a rundown of what happened during the month of November 2019. We welcome your comments, insights and questions.
The FBI offers a number of considerations to protect yourself and your family at this link here.
Tom’s Takeaway: While the FBI article specifically focuses on smart TVs, we should take this time to remind ourselves that any device that is “smart” poses a risk. If it is connected to the internet in any way, there are specific considerations you should have, not only from a security perspective but also from a privacy perspective. The smartwatch is a prime example of that consideration. While I think smart technology is certainly interesting, I personally am still OK with having to use a remote to change the TV channel. You ‒ as a consumer, now armed with awareness of the risk ‒ will also have to determine how smart, and exactly which smart devices, you are comfortable having in your home, used by you and your family.
Tom’s Takeaway: As we have noted throughout our Roundups this year, cybercriminals have made cloud providers and IT managed service providers (MSPs) focal points. As with anything, cloud providers and IT MSPs can offer a lot of value and help better manage certain risks; however, they also introduce new types of risk. What is critical is that the users of these services identify and account for that risk. When we work with any health care provider and facilitate risk assessments, part of our approach is to evaluate any critical dependencies on third parties and determine the reasonableness of the plans, should they exist, for continuing without those third parties. While operations may certainly slow down, what is important is that they continue. In the context of health care providers, that can be a life-or-death situation.
Tom’s Takeaway: If you are a covered entity under HIPAA (i.e., you are required to be in compliance with HIPAA), we can’t overemphasize the importance of completing a true risk assessment. One of the key conversations we often have with our health care clients is whether or not they have done a true risk assessment that will meet the requirements set forth by the OCR. Should you be subject to a breach or an audit, the OCR will push heavily on the existence and completeness of the risk assessment. Should you need assistance in evaluating the sufficiency of your risk assessment or in conducting a rigorous risk assessment, we would be happy to help.
Tom’s Takeaway: If you operate a business that requires the handling of sensitive data, you have not only a legal responsibility but also a moral and social responsibility to protect that data. This lawsuit by the FTC makes the legal aspect clear. While I understand that cybersecurity is not traditionally considered core to a business, in many cases it needs to be. Whether operating a business that is for-profit or not-for-profit, there needs to be an understanding and management of the risk of the data processed and of the dependency on the systems you utilize. Security doesn’t necessarily need to be expensive; it needs to be effective. But before you can manage the risk, you need to understand it. If, as a board member, a senior executive, or an IT provider, you need assistance in understanding and managing that risk, we are here to help.
Source: PKF O'Connor Davies
For more information on how our services can help your business, get in touch.