How Information Security Audits can Lead to New Opportunities in the Printing Industry

What would it cost you if your printing business compromised client data because of a printing error? How would your organization be impacted if your printers were hacked? As service organizations and third-party vendors, organizations in the printing industry cater to a variety of organizations such as financial, government, or healthcare and are likely to interact with personally identifiable information (PII) on a regular basis. Because of this, it’s critical that printing organizations ensure that they are secure vendors, and they can do this by undergoing information security audits.

Common Frameworks for the Printing Industry

While there need to be policies and procedures in place to govern product development, printing companies also need to undergo regular information security audits to find and mitigate vulnerabilities in their processes, assure their clients that they are secure, and obtain assurance from a third-party auditing firm that they are doing everything they’re supposed to be doing to protect PII. So, what types of information security audits would a printing organization need?

  • SOC 1: Do you print financial information such as billing statements or invoices? If so, a SOC 1 audit would be necessary for your organization.
  • SOC 2: How do you secure the information you’re printing? What internal controls do you have to protect the privacy of the information you’ve been given to print? Even if you aren’t printing PII, a third-party may still ask you to undergo a SOC 2 audit to verify that the internal controls you have in place won’t impact their security.
  • SOC for Cybersecurity: What risk management processes are in place at your organization? While a third-party might not ask you to pursue SOC for Cybersecurity compliance, your board of directors or management might want to conduct an internal assessment of your cybersecurity risk management program.
  • PCI: Does your organization print credit card numbers, statements, or collection notices? If so, how does your organization limit access to payment card information? What policies and procedures do you have in place to prevent employees from stealing that information? Undergoing a PCI DSS assessment allows printing businesses to validate their policies and procedures regarding the protection of PII and assure their clients that the payment card information they are printing is secured.
  • NIST Risk Management: Are you partnering with federal organizations? Have you been asked to use the NIST 800-53 framework to assess your security controls? While using the NIST framework is a great way to validate your security controls, because most printing companies are non-federal organizations, using the NIST 800-171 framework would be a more appropriate choice.
  • HIPAA & HITRUST: Do you print healthcare billing statements or lists of benefits? As a business associate, printing companies must ensure that they comply with the HIPAA Security and Breach Notification Rules.

Benefits of Information Security Audits for the Printing Industry

Engaging in regular information security audits helps any organization demonstrate that they are committed to improving and maintaining their security posture. For the printing industry, though, it goes a step further and gives organizations a competitive advantage. For example, if a printing company is looking to partner with a publicly traded company, chances are they’ll be asked to provide a SOC report, because the company wants to ensure that the organization has mature systems and will be able to protect the information they are going to print. If the printing business does not have a SOC audit performed, the publicly traded company’s audit firm will advise that they do not partner with the printing company because of the liability of engaging with a business that can’t demonstrate the effectiveness of its internal controls. In short, undergoing information security audits gives printing organizations the competitive advantage of being the most secure company in their industry.

Regardless of the type of information printing companies print, securing the people, processes, and technologies used must be a top priority. Every device connected to the Internet is a gateway for a possible cyber attack. This means that even the printing industry is susceptible to the increasing cyber threats and must perform their due diligence to ensure that the vulnerabilities in their systems are identified and mitigated. Don’t put your or your business partners’ reputation, finances, or operations at risk. Contact us today to learn how KirkpatrickPrice can help you protect your business and assure your business partners that you’re performing your due diligence.

Why Quality Audits Will Always Pay Off: You Get What You Pay For

What would be the impact to your organization if your information security auditor did not conduct a thorough audit? How would it impact your organization if you partnered with an auditing firm whose quality of services and integrity was questioned by industry regulators? Too often, organizations must deal with the aftermath of receiving an audit that wasn’t thorough enough. This could mean public-facing S3 buckets, Active Directory policies that do not reflect written policies, failure of physical safeguards, cardholder data that is inadvertently exposed to the public, or worse. These organizations have to deal with breaches, fines and penalties, and in extreme cases, losing their business altogether. At KirkpatrickPrice, we want to make sure that your organization never faces these consequences, and we do this by delivering quality audits. But what does that mean? Let’s discuss what a quality audit looks like and why it will always pay off.

What is a Quality Audit?

A quality audit can mean different things depending on the intention of the organization receiving the audit. If a business seeks out an audit firm for the sole purpose of checking a box off a to-do list, they probably aren’t looking for what we believe to be a quality audit. We want to partner with organizations who are committed to improving their security posture, finding and mitigating vulnerabilities in their systems, and collaborating with an auditor to ensure that the audit process is effective. To us, a quality audit has the following qualities:

  • The audit firm is qualified. This means that members of leadership have extensive experience in information security and the firm itself has the appropriate qualifications. For SOC 1 and SOC 2 audits, that would be a CPA firm. For a PCI audit, that would be a QSA. For a HITRUST CSF assessment, that would be a validated HITRUST CSF Assessor.
  • The audit will be conducted by senior-level information security specialists who hold industry certifications and are regarded as experts. If a junior-level auditor or an auditor with no relevant information security certifications has been assigned to perform your audit, consider how that lack of experience could impact your organization.
  • The organization has appropriate communication. If you have little to no communication with your audit team during the audit, this should be a red flag. If you are suspicious that any step in your process is being outsourced (penetration testing, report writing, etc.), this should be a red flag. How can an auditor conduct a thorough audit if they aren’t speaking with you about your systems? How can they understand your business without analyzing it firsthand?
  • There should absolutely be an onsite visit. If an audit firm offers to conduct an entire audit remotely, they are going to miss physical security vulnerabilities that could greatly impact your security posture. When our auditors go onsite, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. What would your auditor miss if they didn’t come onsite?
  • The audit firm should have a quality assurance program in place to ensure that auditors’ work is consistent and thorough. If there is no quality assurance program, how can you be sure that the auditor performed their due diligence?

The Cost of a Quality Audit

When it comes to an information security audit, it’s critical that those approving budgets for information security audits understand that you get what you pay for. If you’re being pressured to find the lowest-cost audit, ask yourself what you’re willing to give up in order to save money. If you see a quote that is significantly lower than the others, will the cheap price be worth a lack of thoroughness? How shocked would your supervisor be if you were considered to be, for example, PCI compliant, but then an undiscovered vulnerability was exploited, and your organization’s reputation was compromised? Would a cheap audit be worth the aftermath of an expensive breach? Being able to explain the value of a quality audit to your team is crucial.

Misconceptions About Quality Audits

While financial considerations play a major role in why organizations partner with certain firms, there’s one other quality that many businesses look for in an audit firm: name recognition. Many organizations fall into the false perception that firms like the Big Four, who have names that are recognized across industries, deliver the most credible reports. That isn’t always the case. In fact, in recent years, the Financial Reporting Council (FRC) has investigated the Big Four due to significant decreases in the quality of their auditing practices. They’ve even gone so far as introducing harsher penalties for insufficient audit practices, because even after multiple fines and warnings, the Big Four still showed a lack of quality and integrity in their audits.

Ensuring that your organization receives a quality audit doesn’t have to be a difficult process; a little due diligence on your part can go a long way when vetting information security auditing firms. Don’t fall into the trap of engaging with a firm that won’t be able to deliver the kind of thorough audit that you need. Protect your organization’s financial stability, reputation, and operations and gain assurance by partnering with KirkpatrickPrice to receive a quality audit. Contact us today to begin learning about our quality guarantees.

What is the Ohio Data Protection Act?

In an age when information and data fuel businesses, understanding the value of cybersecurity in protecting data is crucial. Lawmakers and business owners are continuously recognizing the new, complex risks that come from doing business in cyberspace every day. That’s why on August 3, 2018, Ohio Governor John Kasich signed Senate Bill No. 220, the Ohio Data Protection Act. This legislation makes Ohio the first state to enact a law that incentivizes businesses to implement a cybersecurity program by providing a safe harbor to businesses that do so. Let’s discuss what the Ohio Data Protection Act requires of businesses and how it can protect them.

What the Ohio Data Protection Act Is and Isn’t

This legislation is a part of CyberOhio, an initiative led by Mike DeWine, Ohio’s Attorney General. CyberOhio aims to help businesses defend themselves against the ever-changing cyber threats. Legislation like the Ohio Data Protection Act is a major component of the CyberOhio initiative. It’s a way to protect businesses and consumers from the harm that data breaches cause.

The law clearly states that the Ohio Data Protection Act is not meant to be a minimum cybersecurity standard that must be achieved by businesses in Ohio. Unlike other states’ cybersecurity laws (like New York’s regulation for financial services companies), the Ohio Data Protection Act is voluntary. It gives businesses a reason to be proactive with their cybersecurity program instead of imposing additional regulations that they are required to follow.

The law does not alter any of Ohio’s current breach notification laws, but it does establish a legal safe harbor to be pled as an affirmative defense when a business is accused of failure to implement reasonable information security controls that resulted in a data breach.

Requirements of the Ohio Data Protection Act

A business seeking to comply with the Ohio Data Protection Act must do the following:

  • Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal and/or restricted information and that reasonably conforms to an industry-recognized cybersecurity framework
  • Design a cybersecurity program that protects the security and confidentiality of personal and/or restricted information
  • Design a cybersecurity program that protects against any anticipated threats or hazards to the security or integrity of personal and/or restricted information
  • Design a cybersecurity program that protects against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or fraud to the individual to whom the information relates

Because there are so many types of businesses in Ohio, the law does take scalability seriously. In 2018, the U.S. Small Business Administration reported that there are over 944,000 small businesses based in Ohio; those businesses must have the same opportunity for compliance as a business of any other size. The law states that the scope of a business’ cybersecurity program depends on the following factors:

  • Size and complexity of the business
  • Nature and scope of the activities of the business
  • Sensitivity of the information being protected
  • Cost and availability of tools to improve information security and reduce vulnerabilities
  • Resources available to the business

Basis for a Cybersecurity Program

The Ohio Data Protection Act has selected five industry-recognized cybersecurity frameworks that businesses should model their cybersecurity programs after. These frameworks include:

The law also says that if a business is subject to any other regulations, like HIPAA, FISMA, or PCI, its cybersecurity program must also be compliant.

When a revision to any of the frameworks listed above is released, businesses complying with the Ohio Data Protection Act have one year to conform to the revised edition.

If you are interested in complying with the Ohio Data Protection Act or want to learn more, contact us today. We’d be happy to discuss how your current or future compliance efforts could align with this legislation.

How to Hire a CPA Firm for Information Security Audits

What Type of CPA Firm is Right for You?

Before choosing an audit firm to work with, you must understand why, for some types of audits, you need a CPA firm to perform the services. Clients and prospects ask us all the time why accountants are allowed to perform information security audits. We understand the confusion behind this sentiment and want to provide some clarity.

The AICPA’s SOC suite – SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity – specifically requires a CPA firm to perform the audit. Why a CPA firm? To name just a few reasons: integrity, independence, and accountability. There are so many different types of CPA firms, though – bookkeeping, forensic, risk, tax, full-service, and audit firms. You specifically want to choose a qualified CPA firm that specializes in information security auditing. We know it’s not a simple choice, though. When winning a new client, complying with regulations, or your business continuity depends on an audit, you want to make the right choice about who performs that audit. Let’s talk about five steps you can take when choosing a qualified CPA firm to partner with on your information security audits.

Steps to Choosing a Qualified CPA Firm

  1. What makes someone an expert in information security? You don’t want to hire just a CPA firm; you need a firm where most employees hold more than one information security certification and have extensive experience. It may seem daunting to find this information, but a little due diligence can go a long way. Look on the firm’s website, ask for an auditor’s bio or resume, or research what certain certifications mean. What information security certifications do their members of leadership have? What information security certification do their auditors have? At KirkpatrickPrice, our average auditor has 17 years of experience and we require specific certifications upon hire. Why would you let someone who doesn’t specialize in information security, IT, or cybersecurity audit your IT department, systems, data, infrastructure, and processes? Your auditor must have the relevant experience to perform this service in a quality way.
  2. Does the firm really specialize in information security? When choosing a qualified CPA firm, you want a firm that can help you reach all of your compliance goals. Let’s say the firm only offers SOC 2 services – what happens if you need help with policy and procedure writing, penetration testing, or SOC for Cybersecurity? Research the rest of their services to ensure you choose a CPA firm that can meet all of your needs.
  3. Does the firm have a peer review and quality assurance program? If the CPA firm doesn’t undergo a peer review, you’ve already caught a flaw; CPA firms are required to undergo peer reviews. The firm you choose should also have a quality assurance team or process to ensure that testing results meet timely, repeatable, accurate, and retainable standards.
  4. Is the firm committed to quality? You want to work with a CPA firm that has a proven track record of delivering thorough, quality audits; no shortcuts, no outsourcing. You’ll want to find information on how many services they offer, how many audits they perform on a yearly basis, if they can deliver multiple audits, and if there are any reported complaints against the firm.
  5. Do the firm’s values align with yours? When choosing a business partner, you want someone whose principles and values support yours, someone who values your time and money, and someone you can have a positive relationship with. These same qualities apply when choosing an audit firm. You don’t have to choose the firm with stereotypical auditors, the cheap firm, or one of the Big Four. You can find a CPA firm that wants to partner with you to help you reach your compliance goals. At KirkpatrickPrice, we want to educate, empower, and inspire your organization to greater levels of assurance.

Working with a CPA Firm

Choosing a qualified CPA firm to perform your organization’s information security audits can be a difficult choice for some. It may be more expensive, it may require a deeper level of due diligence, and it may require putting your compliance into the hands of a firm you haven’t heard of before. But a thorough, quality audit performed by someone who has the experience to do so will pay off in the end. What would it cost you if your top client was not satisfied with the quality of your audit? In the current threat landscape, it’s absolutely crucial for organizations to find CPA firms that take risk factors, security and privacy obligations, information security, and cybersecurity seriously. We know you need validation of your security methods. We know you need someone to make information security more approachable. We know you need someone to uncover the risks and security vulnerabilities that you don’t know about. In a day and age when security controls must be strong and effective against advanced threats, KirkpatrickPrice’s mission is to deliver quality services.

Hackers vs. Consumers: 6 Best Practices for Safe Online Holiday Shopping

Best Practices for Safe Online Holiday Shopping

While businesses are gearing up for the busiest shopping season of the year and consumers are anxiously awaiting the best online deals, malicious hackers will be prepping to get their hands on valuables as well. This makes it increasingly important that consumers practice due diligence while online shopping. Clicking on random links, buying products from unsecure websites, and inputting personally identifiable information where it’s unneeded will put them at greater risk for their information to be compromised.

What are best practices for online holiday shopping? Cyber Monday is one of the heaviest online shopping days of the year, while Thanksgiving and Black Friday will continue to be leading online shopping days as well. What does this mean for consumers? Cybersecurity is going to be a key concern during the online holiday shopping season as consumers increasingly move toward shopping online, especially on mobile devices. We suggest following these six steps to ensure safe online holiday shopping.

1. Limit Personally Identifiable Information

When signing up for email lists, promotional discounts, and store accounts, be sure that you’re only providing companies with the least amount of information necessary. Many online store accounts require a first name and email address, but they might also have fields for last name, age, date of birth, or phone number. If these are not required, don’t provide them. This only makes it easier for malicious hackers to learn more about individuals and potentially wreak havoc on them.

2. Use Secure Websites

Shopping on unsecure websites is a major way that malicious hackers can steal your personally identifiable information. Because of this, you need to be cognizant of the websites you’re using. Does the website use HTTPS in the URL? Websites that use HTTPS encrypt the data transferred between your browser and the website you’re using. This keeps your data confidential from malicious hackers and will prevent hackers from modifying your data without your knowledge.

3. Stay Off Public WiFi

While it’s tempting to connect to public WiFi while online shopping – perhaps to make a purchase or download a coupon – it can put your personal data at greater risk. Public WiFi is generally not password protected and cannot protect your information from malicious hackers. Malicious hackers often take advantage of public WiFi, especially in crowded areas like airports and malls, where consumers are likely to connect automatically. Instead of using public WiFi, opt to use your personal hotspot.

4. Differentiate Your Passwords

It’s critical for consumers to remember to utilize various passwords, especially during the holiday season. Using the same password for email, store accounts, and bank accounts could increase the likelihood of being hacked.

5. Think Before You Click

As the retail industry booms during the holiday season, consumers must be aware of suspicious links. Links in emails or on social media advertisements can be a form of social engineering and leave consumers vulnerable to a phishing attack. Using caution before clicking on links is paramount for safe online holiday shopping.

6. Monitor Your Payment Cards

As a final form of due diligence, monitoring your credit and debit cards for suspicious activities is crucial during the holiday season. While you can implement as many best practices for protecting your personal data as possible, there are no guarantees that a cunning malicious hacker hasn’t already compromised your data. You should sign up for text or email notifications if your bank offers them. By regularly monitoring your credit and debit cards, you’ll be more likely to identify and alert your bank about suspicious activity in a timely manner.

Don’t let malicious hackers make your holiday shopping experience more stressful. Make sure you’re implementing these six best practices for safe online holiday shopping. You can never be too vigilant in protecting your personal data.
