There’s a lot to consider when choosing an audit partner. What does their audit process look like? What kind of services do they offer? How will they help you reach your audit objectives? How much do they charge? Will they perform a remote audit or an onsite assessment? While these are all valid concerns, organizations also have to consider their own intentions behind pursuing compliance: is it required to partner with new business partners? Is it to help strengthen your security posture? Is it just another item to check off on a to-do list? If an organization is looking to partner with a firm that doesn’t come onsite because it’s “easier” or cheaper, KirkpatrickPrice won’t be a good fit for you. At KirkpatrickPrice, we want to partner with organizations to help them meet their compliance objectives, and part of that is performing our due diligence and conducting an onsite visit. Why do many other audit firms advertise that they can effectively conduct an audit 100% remotely? Why do so many organizations loathe an onsite visit? Is there really that big of a difference between a remote and onsite audit?

Why the Difference Matters

For organizations that are just starting out on their compliance journey or for organizations looking for a new audit firm to work with, there’s one critical component that needs to be kept in mind: the audit firm you choose should always perform an onsite assessment. Why? Audit firms that promote remote-only audits are doing you a disservice. And we would know – in 2006, we were the pioneers of the remote audit. However, our remote audit methodology was never intended to eradicate the onsite visit. Instead, we positioned ourselves as a trusted audit partner for helping our clients streamline the audit process and complete 80% of the audit before going onsite.

Licensed CPA firms also have an ethical obligation to perform their due diligence while conducting audits, and we take that obligation very seriously. We are committed to delivering quality audits, which would not be possible if we did not perform onsite visits. Without an onsite visit, an auditor can’t personally experience a company’s culture and integrity, processes, or physical security. For example, when our auditors have gone onsite in the past, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. So, when you’re choosing an audit partner, ask yourself: what are you willing to risk so that your auditor doesn’t come onsite?

Controls that Require an Onsite Assessment

We know that undergoing audits requires a financial, personnel, and time investment from our clients, and we want to help them get the most out of their compliance efforts. Even more so, we want our clients to actually remain compliant, and performing an onsite visit assists us in doing that. Information security frameworks require that an auditor verifies that physical controls are in place to safeguard sensitive data. For example, PCI Requirement 9 says that entities should “restrict physical access to cardholder data.” How will an auditor be able to determine if an organization has implemented physical safeguards to protect their cardholder data environment if they don’t come onsite?

Getting Over the Fear of the Onsite Assessment

The onsite assessment versus remote audit debate really comes down to this: getting over the fear of the onsite visit. Because the audit process can be so rigorous and intimidating, many organizations fall into the trap of fearing the audit process altogether. This has resulted in organizations seeking out those audit firms that “guarantee” that they can deliver “quality” audits without coming onsite. Many of our clients that come to us after working with other information security firms actually enjoy our onsite visits because they can feel good about knowing their auditor. While you may want a remote audit, you need an onsite assessment – it’s critical for ensuring compliance and strengthening your security posture.

If your audit partner isn’t currently performing an onsite assessment, it’s time to rethink that partnership. We know audits can be hard, but don’t take the easy way out. Contact us today to learn more about our commitment to quality, thorough audits and how we can overcome the fear of the onsite together.

More Assurance Resources

Was the Audit Worth It?

Was the Gap Analysis Worth It?

Getting Executives On Board with Information Security Needs

Why Quality Audits Will Always Pay Off: You Get What You Pay For

Independent Audit Verifies Whil’s Internal Controls and Processes

San Francisco, CA – Whil, a SaaS solution provider, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that Whil has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Whil’s controls to meet the standards for these criteria.

Whil’s founder and CEO, Joe Burton, shared, “Meeting SOC 2 and other enterprise requirements is a high priority for Whil. As the only enterprise grade solution for helping employees improve their mental wellbeing, everything we do has to start with this level of trust and integrity.”

“The SOC 2 audit is based on the Trust Services Criteria. Whil has selected the security, availability, processing integrity, confidentiality, and privacy categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Whil delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Whil’s controls.”

About Whil

Whil is the leading digital solution to help employees reduce stress, increase resilience and improve their mental wellbeing. Introduce your employees to 250+ digital programs and over 1,800 micro-learning sessions in mindfulness, stress resilience, emotional intelligence skills, sleep and more. With 250+ clients and users in over 100 countries, Whil covers all aspects of employee mental, emotional and physical wellbeing.

Whil now integrates into all leading corporate wellness, LMS, and EAP solutions.

Learn more at whil.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Independent Audit Verifies OneCloud’s Internal Controls and Processes

New York, NY – OneCloud, a SaaS solution provider, today announced that it has received their annual SOC 1 Type II and SOC 2 Type II attestation reports. This attestation provides evidence that OneCloud has a strong commitment to delivering high-quality services to its clients by demonstrating they have the necessary internal controls and processes in place to deliver quality and secure services to their clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of OneCloud’s controls that may affect its clients’ financial statements. SOC 1 Type II is a reporting on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes OneCloud’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

“Many of OneCloud’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, OneCloud has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by OneCloud.”

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of OneCloud’s controls to meet the standards for these criteria.

“Upholding security regulations is critical as a service provider. Completing the SOC 1 Type II and SOC 2 Type II audits provide validation to OneCloud customers that we’re committed to keeping our platform secure. OneCloud will annually renew our SOC certification by maintaining the necessary controls and processes,” said Quin Eddy, Chief Executive Officer of OneCloud.

“The SOC 2 audit is based on the Trust Services Criteria. OneCloud has selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “OneCloud delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on OneCloud’s controls.”

About OneCloud

OneCloud is an integration and automation platform designed for business users to bring simplicity and control to the enterprise application landscape. OneCloud seamlessly orchestrates complex handshakes across a hybrid mix of on-premise and cloud-based systems with a mix of robotic process automation and human integration workflow. OneCloud provides full support for business intelligence and performance management applications including, but not limited to Anaplan, Workday, Salesforce, NetSuite, Oracle Cloud EPM, Oracle Financials Cloud, Oracle Human Capital Management, Oracle Hyperion, IBM Planning Analytics, Tableau, Workiva and an array of relational technologies. For more information, visit www.onecloud.io or connect with OneCloud on LinkedIn.


Employees are often considered an organization’s weakest link, but remote employees create additional risks that businesses must be cognizant of. As more and more businesses opt to hire remote employees, they need to prepare for and stay ahead of these risks. What would happen if a remote employee used public WiFi and a malicious hacker gained access to your organization’s sensitive files? What would be the impact if your remote employee opened a phishing email because they weren’t trained properly? How would you handle a remote employee losing a company laptop? Having processes in place to train employees on remote security best practices is crucial for any organization’s security. Are your remote employees working securely?

5 Steps to Ensure Remote Worker Data Security

Implement Security Awareness Training

A key component of ensuring that remote security best practices are followed is implementing security awareness training. It’s so important, in fact, that many of the most common information security frameworks, such as SOC, PCI, and HIPAA, require some sort of security awareness training in order to comply. While you can ensure that employees are equipped with the most secure, up-to-date technology, if the people using that technology aren’t well-versed in the many threats they face while using them, those security measures won’t be as effective.

Establish Thorough Usage Policies

Whether it’s desktops, laptops, tablets, or smartphones, employees must have a clear and thorough understanding of how they should use personal or company devices. Do you have a BYOD policy? Are employees able to access work emails on personal devices or vice versa? What are you doing to monitor usage? For employees that are working remotely, establishing these thorough usage policies is especially paramount to ensure that an organization’s security posture remains intact.

Create Effective Password and Encryption Policies

Along with having thorough usage policies, organizations must create effective password and encryption policies in the event that a mobile device is lost or stolen. Malicious hackers often capitalize on employees’ weak passwords to infiltrate organizations’ networks and can easily access sensitive information if the proper encryption techniques aren’t in place. Educate your remote employees on the dangers of weak passwords, using the same password on work and personal devices, and sharing passwords with others to prevent data breaches or security incidents.

Monitor Internet Connections

Part of the allure of working remotely is just that: being able to work from anywhere. However, this poses major threats to an organization’s security posture. Remote employees are often notorious for falling into the trap of connecting to public or unsecured networks in airports, cafes, and other high-traffic public spaces. As part of the usage policies, organizations must have policies and procedures in place for monitoring internet connections of those working remotely. If your organization offers a BYOD policy, do you offer a reimbursement plan for employees who use their personal hotspot, or do you supply hotspots for your remote employees? Should remote employees use VPNs? If a remote employee is connecting to unsecured networks, they’re putting your organization at risk, and you need to know about it. Establishing monitoring policies and procedures will help keep you ahead of potential cyberattacks and ensure that employees are following remote security best practices.

Ensure Devices and Applications are Updated

For organizations that have many employees who are working remotely, it can be challenging to ensure that all of their devices and applications are updated with the latest antivirus, anti-malware, firewall, web filtering, and encryption needed to keep devices secure. Considering this, these organizations must make it a priority to review their processes for ensuring that devices and applications are updated regularly. Think of it this way: if just one employee misses or forgets to update their mobile device, an organization could experience catastrophic impacts, such as steep fines and penalties, lawsuits, loss of reputation, and/or loss of business.
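The five steps above describe policy areas, but a security team still has to verify, device by device, that the policies hold. The following script is an added example (not KirkpatrickPrice’s code or any product’s API) that evaluates a small, constructed inventory of remote endpoints against the usage, encryption, password, network and update policies described in this article. The device fields, the policy thresholds and the sample records are all assumptions chosen for illustration; a real inventory would come from an MDM or endpoint-management export.

```python
"""Remote-endpoint posture check (added example, not the article's code).

Evaluates constructed device records against the policy areas from the
article: managed-device usage policy, full-disk encryption and password
length, no unsecured public network without VPN, and current AV signatures
and OS patches. Field names and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Policy thresholds: assumed values for illustration, tune to your own policy
MAX_AV_SIGNATURE_AGE_DAYS = 7
MAX_OS_PATCH_AGE_DAYS = 30
MIN_PASSWORD_LENGTH = 12

# Fixed "today" so the sample audit is reproducible
TODAY = date(2019, 6, 1)


@dataclass
class Device:
    hostname: str
    user: str
    company_managed: bool      # enrolled in MDM / covered by the BYOD policy
    disk_encrypted: bool
    password_min_length: int   # minimum length enforced by the device's local policy
    av_signature_date: date    # date of the last antivirus signature update
    os_patch_date: date        # date of the last OS patch install
    network_type: str          # "corporate", "home" or "public"
    vpn_connected: bool


def check_device(dev: Device, today: date = TODAY) -> list:
    """Return the list of policy findings for one device (empty = compliant)."""
    findings = []
    if not dev.company_managed:
        findings.append("usage: device is not enrolled under the BYOD policy")
    if not dev.disk_encrypted:
        findings.append("encryption: full-disk encryption is not enabled")
    if dev.password_min_length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"password: enforced minimum length {dev.password_min_length} "
            f"is below policy minimum {MIN_PASSWORD_LENGTH}")
    # Public networks are acceptable only through the corporate VPN
    if dev.network_type == "public" and not dev.vpn_connected:
        findings.append("network: connected to a public network without VPN")
    av_age = (today - dev.av_signature_date).days
    if av_age > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append(f"updates: antivirus signatures are {av_age} days old")
    patch_age = (today - dev.os_patch_date).days
    if patch_age > MAX_OS_PATCH_AGE_DAYS:
        findings.append(f"updates: OS last patched {patch_age} days ago")
    return findings


def audit(devices, today: date = TODAY) -> dict:
    """Map each hostname to its findings."""
    return {d.hostname: check_device(d, today) for d in devices}


def noncompliant(devices, today: date = TODAY) -> list:
    """Sorted hostnames that have at least one finding."""
    return sorted(h for h, f in audit(devices, today).items() if f)


# Constructed sample inventory (not real devices)
SAMPLE_DEVICES = [
    Device("lt-001", "alice", True, True, 14,
           date(2019, 5, 30), date(2019, 5, 20), "corporate", False),
    Device("lt-002", "bob", True, False, 8,
           date(2019, 5, 31), date(2019, 5, 25), "public", False),
    Device("tab-003", "carol", False, True, 12,
           date(2019, 5, 10), date(2019, 4, 15), "home", True),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_DEVICES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Running the script prints `lt-001` as compliant, `lt-002` with encryption, password and network findings, and `tab-003` with usage and update findings. The point of separating `check_device` from `audit` is that each policy rule stays a single testable line, so adding a new policy (for example a screen-lock timeout) is one more `if` rather than a rewrite.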

Remote employees offer many benefits to organizations, but they also pose many threats. Whether employees are working remotely full time or just a few days a year, ask yourself: are your remote employees working securely? Don’t put your organization’s financial health, operations, and reputation on the line – implement these remote security best practices to safeguard your business from potential breaches caused by remote employees. Contact us today to learn about our policy and procedure development services, our security awareness training courses, and more.

More Resources

Top 5 Security Awareness Tips for Employees

5 Ways to Defend Your Business From Cyber Threats

3 Data Security & Privacy Best Practices for Your Employees

Who has the Legal Right to Employee Mobile Phones, Tablets, and Computers?

What is Ransomware?

Ransomware is the attack method that you’ve seen over and over again in the headlines and, unfortunately, it’s not going away. Global outbreaks like WannaCrypt, Petya/NotPetya, and BadRabbit have made ransomware a household name. The FBI reports that over 4,000 ransomware attacks occur daily. The sophistication and frequency of these attacks make people ask: why is ransomware successful? How can it be stopped? Let’s discuss how company culture, the workforce, malicious outsiders, and proper security configurations contribute to the success of ransomware.

How Does Ransomware Spread?

Culture of Apathy

I believe there is a growing apathy in our culture towards confidential data. Honestly, do people even believe data is confidential anymore? According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. It has become habitual to worry about data breaches, identity theft, and other privacy concerns.

It’s not just about hackers or human error – the apathy in our culture has led to a rise in malicious insiders. Verizon’s 2018 Data Breach Investigations Report reports that 28% of cyberattacks in 2018 involved malicious insiders. When Accenture surveyed 912 healthcare and payer employees in the US and Canada, they found that one in five (18%) would be willing to sell confidential data to unauthorized parties for as little as $500 to $1,000. Even more so, about a quarter of these healthcare and payer employees know someone in their organization who has sold their credentials or access to an unauthorized outsider. One out of five healthcare employees, who are responsible for protecting your data, will give it or give access to it away.

What is your organization’s culture as it relates to information security? Are you building a controlled environment that will embrace, monitor, and enforce ethical practices?

Workforce Challenges

If your organization, thankfully, hasn’t faced the challenges of malicious insiders and an apathetic culture, you will probably face an ill-prepared workforce. Some things just stay the same, and human error is one of those things.

Phishing is the primary method of attack when it comes to ransomware. In 2017, the Microsoft Office 365 security research team detected approximately 180-200M phishing emails every month. Although more and more organizations are incorporating strong security measures into their strategies, it’s still easy to phish. The Microsoft Security Intelligence Report explains, “An attacker sending a phishing email in bulk to 1,000 individuals just needs to successfully trick one person to obtain access to that person’s credentials…Phishing and other social engineering tactics can be more simple and effective than other methods, and they work most of the time for more human beings. If successful, phishing is an easier way to obtain credentials as compared to exploiting a vulnerability, which is increasingly costly and difficult.” The most successful phishing attempts impersonate popular brands, users, and domains.

You may think that because millennials are becoming a larger portion of our workforce, your organization is better protected. Millennials won’t fall for phishing emails, right? They’ll be wary and spot a social engineering attempt, won’t they? Unfortunately, the data shows that adults aged 20 to 29 fall victim to more fraud than adults aged over 70.

Are you providing the necessary training to the newest members of your workforce? Is your workforce your weakest link or your first line of defense?

Malicious Outsiders

Organized criminal groups aren’t stopping; they’re only getting more sophisticated. There’s obviously financial motivation, but malicious outsiders could also be motivated by a political agenda, social cause, convenience, or just for fun. We predict that US cities and the public sector will continue to be a target for malicious attacks, especially from nation-states. Nation-states have a goal of disrupting public services. Hospitals, airports, police departments, educational systems, court records, water services, payment portals, technology infrastructure – these cornerstones of the public sector are under attack every day from complex cyber threats and malicious outsiders.

What should the public sector invest in? Cybersecurity awareness for citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.

Proper Security Configurations

Remote Desktop Protocol (RDP) has been called ransomware’s favorite access point – a place that’s commonly insecure and easily hacked. Even the FBI warned organizations that the use of RDP as an attack vector is on the rise. CrySiS, CryptON, Zenis, and SamSam ransomware have all used RDP to their advantage.
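Exposed RDP is usually abused through password guessing, so one of the cheapest detections a defender can run is a count of failed RDP logons per source address. The script below is an added example (not KirkpatrickPrice’s code or a product’s built-in rule) that applies that logic to constructed Windows Security log records. It relies on two facts about Windows auditing: event 4625 is a failed logon and event 4624 a successful one, and logon type 10 (RemoteInteractive) is the type recorded for RDP sessions. The one-line rendering of the events, the threshold and window values, and the sample addresses (RFC 5737 documentation ranges) are assumptions chosen for illustration; a real deployment would read the fields from EVTX exports or a SIEM.

```python
"""Detect password guessing against RDP from Windows logon events.

Added example, not the article's code. Windows Security event 4625 is a
failed logon and 4624 a successful one; logon type 10 (RemoteInteractive)
marks RDP sessions. The log lines below are a constructed, simplified
rendering of those events, not real captures.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FAILURE_THRESHOLD = 5           # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)   # ... inside this window raise an alert
RDP_LOGON_TYPE = "10"           # RemoteInteractive

# Constructed log format: one event per line (assumption for this example)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed sample events (documentation IP ranges, not real hosts)
SAMPLE_EVENTS = """
2019-06-01T02:14:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2019-06-01T02:14:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2019-06-01T02:14:06 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2019-06-01T02:14:07 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2019-06-01T02:14:09 EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.45
2019-06-01T02:14:11 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2019-06-01T02:15:30 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2019-06-01T08:02:15 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2019-06-01T09:10:41 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2019-06-01T09:10:55 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2019-06-01T10:00:01 EventID=4625 LogonType=3 TargetUser=svc_scan SourceIP=10.0.0.12
2019-06-01T10:00:02 EventID=4625 LogonType=3 TargetUser=svc_scan SourceIP=10.0.0.12
2019-06-01T10:00:03 EventID=4625 LogonType=3 TargetUser=svc_scan SourceIP=10.0.0.12
2019-06-01T10:00:04 EventID=4625 LogonType=3 TargetUser=svc_scan SourceIP=10.0.0.12
2019-06-01T10:00:05 EventID=4625 LogonType=3 TargetUser=svc_scan SourceIP=10.0.0.12
"""


def parse_events(text):
    """Parse the one-line rendering into dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """One alert per source IP that logs `threshold` RDP failures within `window`.

    Network (type 3) and interactive failures are ignored so that noisy
    service accounts on the LAN do not trigger the RDP rule. A successful
    RDP logon from the same source after the burst is flagged separately,
    because that is the pattern of a guessed password rather than a lockout.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ltype"] != RDP_LOGON_TYPE:
            continue
        if e["event"] == "4625":
            failures[e["ip"]].append(e)
        elif e["event"] == "4624":
            successes[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                alerts.append({
                    "source_ip": ip,
                    "first_seen": fails[0]["ts"].isoformat(),
                    "last_seen": fails[-1]["ts"].isoformat(),
                    "attempts": len(fails),
                    "usernames": sorted({f["user"] for f in fails}),
                    "success_after_burst": any(
                        s["ts"] >= burst_end for s in successes[ip]),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only `203.0.113.45` is reported: six failures in eight seconds across four account names, followed by a successful RDP logon, which is the case an analyst should treat as a probable compromise rather than a locked-out user. `198.51.100.7` (two typos from one user) and the LAN scanner using network logons stay silent.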

No type of malware completely fades away. Every threat that has ever been classified remains at large. The very first worms and malware ever written still exist and are capable of system infection. Some remain actively developed, maintained, and deployed by proficient black hat hackers. Other older viruses just persist, allowed to continue by poorly maintained systems, old distribution networks, and user complacency. Even when not actively used for data destruction, malware can remain a threat to system stability and continuity.

Do those charged with governance maintain proper security configurations according to best practices? How are your security configurations being tested and validated?

Ransomware continues to be successful because organizations don’t create a culture of defense or a sense of responsibility for data, their workforce isn’t equipped to stand up against cyber threats, the threats from malicious outsiders only persist, and proper security configurations are not implemented. How is your organization preparing itself for a ransomware attack? How will you assure your clients that their sensitive data is protected? Contact us today to implement a plan for training your workforce, changing your company culture, and strengthening your cybersecurity practices.

More Ransomware and Cybersecurity Resources

What is Cybersecurity?

When Will it Happen to You? Top Cybersecurity Attacks You Could Face

Horror Stories – 5 Cities Victimized by Cyber Threats

Ransomware Alert: Lessons Learned from the City of Atlanta