Pratum Blog


How do you prepare for a SOC 2 audit? Unless your company has a client requesting a SOC 2, or some type of compliance report, you probably don’t know much about them. That’s okay!

Many businesses come to Pratum looking for help with SOC 2, and with years of experience in the area we can help guide you to have a smooth preparation and audit. Here’s an overview of our process, and what you as a company need to have prepared to be successful.

Common Questions:

What is SOC 2?
Very simply, SOC 2 is a compliance report. Many times, a company will be asked by a client to provide some sort of compliance report to prove the company has adequate security measures in place to protect any data shared between the two businesses.

SOC 2 reports must be completed by a licensed CPA firm under AICPA standards. The CPA firm will conduct the audit over several months and deliver the report at the end. There are two types of SOC 2 reports, Type I and Type II. Type I examines the design of controls at a specific point in time. Type II addresses the operating effectiveness of controls over a period of time.

Where to begin?
Once you decide to pursue SOC 2, there are a few things to keep in mind before getting started. You need to first determine if you want assistance preparing for the audit. Pratum offers readiness assessments to examine whether your business is adequately prepared for a SOC 2 engagement as well as assistance with getting there.

Timeframe for SOC 2?
One big misconception around SOC 2 is the amount of time it will take. While this varies depending on your business’s size and the scope of the audit, the typical Type II audit usually takes a minimum of 8 months for the entirety of the engagement. This includes the opinion period, audit fieldwork, and time for the auditors to develop and deliver the report. The readiness process with Pratum before the audit can also take an additional 2 to 3 months, depending on the preparedness of the company. If your company is looking for a quicker turnaround, starting with a Type I audit may be the best path.

Readiness Steps:

At Pratum, we have a process established to make the experience smoother for you. Here’s a brief overview of what you can expect from the first call to the final report.

Step 1: Initial Inquiry & Discovery Call
During the initial conversations, our Client Engagement team will get to know your business and walk you through the basics of a SOC 2 report. A Consultant may also join the call to ask more detailed questions and help with scoping the engagement. Some initial questions we may ask include: What all is required in any contracts you’re trying to fulfill? What is the timeframe you’re working with? What is the scope of the SOC 2 you need? How many and which employees have access to the areas being audited? Where is your data stored and how does it flow across the organization?

Step 2: Statement of Work
After we get all the information needed, Pratum’s Client Engagement and Consultants come together to build the customized plan for your business. That includes the details for the readiness process, what it will cost, and a timeline for the work.

Step 3: Pre-Engagement Forms
Once the Statement of Work form is signed, we can begin the process of preparing your company for a SOC 2. That means getting into some more detailed questions about what will be included in the SOC 2 and who needs to be prepared within your business. The consultant will hold a kick-off call with your company to discuss the process, set expectations and answer any initial questions. Pratum will request any supporting documentation you have at this time as well. If you haven’t selected a CPA firm to perform the audit yet, Pratum can provide recommendations of firms we have close relationships with. If you already have a firm in mind, we’re happy to work with the auditor of your choice as well. The earlier you can get the auditors involved, the better.

Step 4: Readiness Fieldwork
The fieldwork during your SOC 2 preparation is how our Consultants get a first-hand look at the work ahead. The consultant assigned to your project will be hand selected based on their expertise and how it can benefit you. During the fieldwork phase, interviews are conducted with the necessary staff and current security controls are reviewed to determine maturity level. Where any gaps are identified, the consultant will provide guidance on what should be in place, and how to get there. This is more than just a yes or no Q&A; it’s a conversation. The Consultant will ask detailed questions to fully understand the operations and needs of the organization. At the end of the engagement, Pratum will deliver a control listing with the status of each control, supporting documentation and audit evidence needed, as well as recommendations where appropriate.

Step 5: Contact Auditor & Set Up Audit
After preparation for the audit is complete and your company and Pratum feel confident in your readiness, the audit opinion period can begin. Most audit firms prefer a minimum of a 6-month opinion period. If not already in communication with the auditors, this is the time to reach out to them to discuss timelines and schedules.

Step 6: Audit Fieldwork
During fieldwork of the audit, the Pratum Consultant will be present with the auditors to answer any questions and help mediate any concerns that may arise. The Consultant is there as a representative for your company and will ensure the auditors stay within scope and reason. The fieldwork for the audit can take several months to complete. The more prepared and dedicated your team can be, the faster the process will go and the sooner you’ll receive the report.

Keeping Up Your Compliance

Now that you’ve completed your SOC 2 audit, the work isn’t finished. You’ll need to keep it up with yearly audits to re-validate your controls. The best way to ensure continual compliance is to maintain your security standards and to evaluate and adapt to any changes within your business. SOC 2 isn’t a one-and-done effort. Continual monitoring and activity are needed to remain successful.

Preparing for a SOC 2 may seem daunting, but it doesn’t have to be! Pratum is ready to help make the process less stressful for you. Just contact our representatives for a free consultation today.


An Overview of the FBI Internet Crime Report

The FBI has released the 2019 Internet Crime Report. This annual analysis highlights the internet-enabled crimes and scams reported to the FBI’s Internet Crime Complaint Center (IC3). In the nearly 20 years the IC3 has been in existence, 2019 had the highest number of complaints and the most money reported lost. We’re going to look at where these attacks are happening most frequently, and what you should be on the lookout for in 2020.

Where Complaints are Highest

The Internet Crime Report not only shows which crimes are happening most frequently, it details where in the world they are being reported. Perhaps unsurprisingly, the highest number of complaints in the U.S. came from states with the highest populations. California, Texas, Florida, and New York had more than 20,000 complaints each in 2019. South Dakota had the lowest number of victims with 473. You can see where each state ranked on the chart below.

[Figure: FBI IC3 map of 2019 complaints by U.S. state]

While those states had the most complaints, that doesn’t necessarily mean they had the most money lost. For example, Ohio had fewer than 10,000 complaints, yet it ranked higher in losses than most states, with more than $200 Million gone. California residents and businesses lost the most overall, with more than $500 Million in losses.

On an international scale, the United States outpaces the rest of the world for internet crime reports. The United Kingdom had just over 93,700 victims. Canada was next on the list with more than 3,700. The state of Illinois alone had more victims than Canada, with over 10,000 reported in 2019.

How Much Was Lost

The number of people impacted by cybercrime was higher than ever in 2019, and so was the amount of money lost. Worldwide, an estimated $3.5 Billion was lost by individuals or businesses within the year. The methods used to take that money varied. Using social media, scammers were able to access more than $78,775,000. Virtual currency losses made up over $159,329,000.

While some states had a lower number of complaints, they still lost a substantial amount of money. As we mentioned above, South Dakota had the lowest number of victims in the United States. Despite that low ranking, they still lost more than $3,086,000 to cybercrimes in 2019.

Who’s Being Targeted

Looking at the Internet Crime Report, it’s not hard to see who’s getting hit the hardest with online scams. People over the age of 60 make up the majority, with more than 68,000 victims. The total losses for that age group were over $835,164,000.

As the age range decreases, so does the number of victims. However, even the youngest group, under 20 years old, still had 10,724 victims, with $421,169,232 lost. This bolsters the point IC3 tries to drive home: anyone at any stage in life could fall victim to a cyber-attack as criminals become savvier.

[Figure: IC3 chart of 2019 victims and losses by age group]

Which Scams to Look Out For

Which cybercrimes are causing the most trouble? According to IC3 Chief Donna Gregory, the center didn’t see an increase in the types of fraud being reported. Rather, criminals used new tactics and changed their techniques to carry out the existing scams.

“Criminals are getting so sophisticated,” Gregory said. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

Emails are a prime example of this. Phishing scams are not new, but the way criminals execute them is changing. In the past, scams would arrive from a legitimate-looking email address, often appearing to come from a business executive, asking for a payment of some type to complete a business transaction. While that approach is still used today, there are new variants of Business Email Compromise (BEC).

In 2019, IC3 saw an increase in complaints related to the diversion of payroll funds. In this scenario, a Human Resources employee or the Payroll Department receives an email that looks like it came from an employee, asking to update their direct deposit information. Once the change is made, the money is transferred into a cybercriminal’s account instead of the account of the employee who appeared to send the email.

This sort of crime was very prevalent in 2019. The IC3 recorded more than 23,000 BEC complaints and more than $1.7 Billion lost.

In addition to email, scammers are also utilizing texting and pharming scams. A common text scam is a message claiming to be from your bank, asking you to verify your account. Once you hand over that private information, the scammer has free rein over your finances. With pharming, you could be searching for a legitimate site and end up on a fraudulent webpage. That fake site will gather your bank or credit card information while you assume it’s safe.

Overall, the most financially harmful complaints were BEC, romance or confidence fraud, and spoofing.

How to Report Cyber Crimes

With more than 1,200 complaints per day, on average, the FBI sees a wide range of attack methods. With this knowledge, they are becoming better equipped to help victims of cybercrimes. The FBI’s Recovery Asset Team was able to recover more than $300 Million for victims in 2019.

Reporting cybercrimes quickly not only helps law enforcement possibly track down the fraudulent transactions before the money is gone forever; it also helps the FBI spot trends and learn which crimes are most common and how to approach them.

When reporting a crime to IC3, make sure you have as much information as possible. Include everything from the email addresses used, the account information given, and the phone numbers the scammers called from, to anything else that may help officials track down who’s behind the cyberattack.

To report a cyber threat or tip, you can file a complaint with IC3 online at https://www.ic3.gov/complaint/default.aspx. The page will prompt you to read the information they require and establishes that submitting a complaint to the IC3 is not the same as notifying your credit card company. You will need to notify your financial institution and any businesses or organizations involved separately from this complaint form. Also note that you may not receive any additional information or communication from the IC3 regarding your submission, but know that you have put the effort forth to help alert others to potential scams or other types of fraud.

The next time you face a suspicious email or unwarranted text, check the source and make sure it’s coming from a reliable outlet. Don’t become another statistic for the IC3 to report in 2020.

(Source: https://pdf.ic3.gov/2019_IC3Report.pdf)

Validating Vendors' Cybersecurity Practices

How much is too much? The biggest mistake many organizations make when reviewing their cybersecurity is spending too much money on things they don’t need. While technology tools can be valuable at times, cybersecurity should be focused on the business.

In cybersecurity, there are a lot of security options available to help protect your business. Trying to keep up with all the latest and greatest trends can be expensive, and often unnecessary. Instead, try to focus on what makes your business secure!

A good first step is to assess the make-up of cybersecurity.

Three Pillars of Cybersecurity:

  • Confidentiality – Keeping things safe and secure. Determine what’s on a need to know basis.
  • Integrity – Is the data you saved the same data you come back to? Have unauthorized changes been made that aren’t known or detected?
  • Availability – Is data available to those who need it, when they need it?

The three pillars help you determine which cybersecurity controls to put in place. What happens to your business if the system is offline, data is corrupted, or secrets are exposed? How you answer these questions will determine the next steps in your cybersecurity plan, and whether you need to spend money on more security.

Find the biggest risk to your business.

First, look at your business and consider what would happen if each of the three pillars were impacted. Find the area where you have the greatest likelihood of being attacked and where the impact would be biggest. That’s where you need to begin addressing what is necessary to keep your business secure.

Defense in depth is a cybersecurity best practice. You should create a plan to deter, prevent, detect and respond to security incidents. Think of it this way: “Can I deter an attack? If not, can I prevent it? If I stop the problem at one level, a threat might still get through. If that happens, how do I detect the attack and then recover? Where could it go next, and how do I address it from there?”

You should think of your cybersecurity in layers. Each layer has different controls in place to address the threat potential at that point in the process. That means your process should be adapting over time to match any changes to your company. When your business grows or evolves, so should your cybersecurity plan.

What’s worth the investment?

Investing in cybersecurity is all about prioritizing your risk versus the cost. When you analyze security expenses for technology or process or personnel, you need to be able to show a return on that investment. If something is reducing your risk of being hacked, or gives you an edge over the competition, it’s probably worth the investment. If it’s not helping you earn or keep money, don’t waste resources on it. It’s all about perspective.

While you want to be critical of where your money is spent, you should be investing in your cybersecurity. One efficient use of money is investing in the people who work for you.

Teaching your employees how to handle situations like a phishing email or a suspicious person in the building will protect your security interests. Once people learn how to respond to threats and why cybersecurity is important, proper security processes and awareness will continue to protect your business.

Focus less on technology and more on business.

The goal of most businesses is to generate profits. If a process or technology does not provide or protect profit, it should not drive your business decisions. What you should strive for is decision-making based on business objectives; the technology will follow.

As your business evolves, so should your cybersecurity. Constantly evaluate what is happening in your business to decide what investments should be made. Don’t just throw money at one thing, expecting it to fix all your problems. Understanding what the problem is, how it should be handled, and who should be involved will help you decide if technology investments are needed.
