July 2017 Newsletter – CyberSecurity

July 2017 Newsletter

To those of us who live in the good ol’ US of A, happy 241 years old, and welcome to our July Newsletter.

For our July Newsletter I wanted to talk about CyberCrime and Security.  Today there is a new way Newsletter Happy 4th of July to steal information from you, VISHING.  Read more about it further down the newsletter.

Additionally I just attended a seminar on CyberSecurity given by David P. Weber, JD, CFE.  Mr. Weber was the former Assistant Inspector General for Investigations at the U.S. Securities and Exchange Commission, and now is a Professor and Academic Director for the Fraud Management Programs at the University of Maryland Robert H Smith School of Business.

His watch words was a modification of  Ben Franklin; which is apropos since this is the July issue; that there are now three certainties of life:  Death, Taxes and being a victim of CyberTheft.

More about that later…


SBA * Consulting LTD


Note:  Wayne Spivak, President of SBA * Consulting has been quoted in the Bloomberg BNA three times in the last six weeks:

Rule Affects Public Companies with Private Company Investments
Companies Filing IPOs Shouldn’t Underestimate Accounting Challenge
Companies Confused About Upfront Fees for Cloud Services Rule

You will be hacked!


You can spend the money now and both prepare for, protect yourself against, and mitigate the outcome or wait until the inevitable happens and suffer far greater consequences.

With the recent 47 state consent decree between the States and Target a new “norm” or benchmark has been created on what companies need to do to show they prepared.

Failure to show that you lived up to this “norm” will have grave consequences, from insurance companies outright refusing claims to affirmative defense by plaintiff’s when they bring suit in a court of law. And you know you will be sued!

You will be hacked!

As I said earlier, according to Mr. Weber, you will be hacked. Whether they break through your firewall, through the firewall of a SaaS based vendor or it is an inside job, you’ll be hacked.

An example was one of our clients. We were acting as the interim controller. Our consultant was there less than a week and got an email requesting money be wired to a vendor. The email was allegedly sent by the CEO.

Our consultant, who was sitting in the same area as the CEO; and who had no ability to write or authorize any money transaction, just asked the CEO. The reply was “they got to you that fast!” Interesting they used Office 365. Catastrophe averted…. This time!

Who is going to hack you?

Odds have it, it will be from the inside.  It may be with malice and aforethought or just someone who got sloppy.  It may be that you didn’t spend the time and money to train your staff on what not to do in the IT realm.

Examples is using unkown USB drives or openning just any e-mail attachment.  Anti-Virus software won’t know about the latest greatest virus, so assuming it does is not a safe assumption.

Do you have a plan?

Do you have a plan on protecting your infrastructure? Is your plan benchmarked to similar types of organizations? Did you test your plan? Do you test it on a regular basis? Is every employee trained on CyberSecurity so they don’t become a victim, personally or for the business?

Do you backup offsite? Is the backup at least hourly? When  you patch all your computers and servers daily? How do you handle legacy systems and computers? The recent WannaCry malware was extremely successful in Europe and Asia mainly because those countries have a culture of either not adhering to IP laws, so they have bootleg copies of software or of applying patches. Here in the US there were very few instances of WannaCry, because we do update our software.

If you have Windows 95 machines, stop using them!!!!

In the final analysis

The list of what you should, could, and actually do is based on a full analysis of both your information technology structure, your budget and the level of risk aversion you believe in. Remember YOU WILL BE HACKED!

We can review your CyberSecurity plan and or assist you when you get hack with our Incident/Crisis Management (I/CMAT) teams!

Vishing Attacks be-aware!

published 5/30/17 https://www.sbaconsulting.com/vishing-attacks/


Vishing Definition

The fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

“many victims of vishing are people who are not tech-savvy

Vishing Protection

Please take the following measures to protect  yourself from vishing attacks:


  • If you see a missed call from an unknown number on your personal or professional device, do not call back. Your account could be charged if you return the call.


  • Hang up if you hear no response after a few seconds of picking up the phone.


  • Do not trust your caller ID. Be aware that even if your caller ID displays the phone number and/or name of a legitimate person or company, the call is not necessarily coming from that number.


  • Never provide credit card information or other private information to anyone who calls you.


  • If you receive a phone call and someone immediately asks, “Can you hear me?” hang up. This recent scam uses your recorded “yes” response to authorize purchases.