Cybersecurity Resources | LBMC
https://www.lbmc.com/blog/category/cybersecurity/
Feed last updated: Tue, 30 Jun 2026 13:50:28 +0000

CCPA and CPRA Risk Assessments
https://www.lbmc.com/blog/ccpa-and-cpra-risk-assessments/
Tue, 26 May 2026 17:42:56 +0000

The post CCPA and CPRA Risk Assessments appeared first on LBMC.

What California’s New Privacy Rules Mean for Healthcare Employers

By Teddy Ansink, LBMC Cybersecurity Manager

Key Takeaways

  • California’s evolving CCPA/CPRA requirements are shifting privacy compliance from a policy-focused exercise to an operational governance responsibility, with formal privacy risk assessments beginning in 2026.
  • Healthcare employers, especially those managing sensitive employee and operational data across multiple systems and vendors, must establish documented data inventories, governance processes, vendor oversight, and risk assessment procedures.
  • Organizations that proactively build scalable privacy governance now will be better prepared for future regulatory scrutiny, workforce expectations, and expanding data privacy requirements nationwide. 

California Privacy Compliance Is Entering a New Phase

For years, many organizations approached California privacy compliance as a disclosure exercise. Publish a privacy notice. Update policies. Create a process for handling consumer requests.

That’s changing.

Under evolving California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) requirements, organizations are moving into a more operational and defensible compliance environment. Regulators increasingly expect businesses to demonstrate how personal information is collected, used, protected, retained, and governed across the organization.

The next major shift is formal privacy risk assessments.

According to the California Privacy Protection Agency and census-based workforce estimates, thousands of multi-state employers — including many healthcare systems — are expected to fall under CPRA employee-data governance requirements beginning in 2026.

Beginning in 2026, certain businesses subject to CCPA/CPRA will be required to perform documented privacy risk assessments for higher-risk processing activities. In addition, starting April 1, 2028, organizations will need to submit attestation and summary-level reporting to the California Privacy Protection Agency (CPPA).

This is more than a policy update. It is a governance and operational readiness issue.

For healthcare organizations, particularly behavioral health providers managing large workforces, sensitive employee records, patient-adjacent data, and complex vendor ecosystems, the time to prepare is now.

Organizations operating across multiple facilities and programs often maintain significant volumes of employee and operational data across HR platforms, payroll systems, benefits providers, workforce management applications, recruiting tools, and third-party vendors. Regulators increasingly expect organizations to understand and document how that information moves throughout the enterprise.

What Businesses Are Subject to CCPA and CPRA?

Any company that does business in California and meets certain thresholds may fall under CCPA/CPRA. Those thresholds include:

  • Having annual revenues over $25 million
  • Handling large volumes of personal information (e.g., 100,000+ consumers or employees)
  • Deriving revenue from selling or sharing personal data

With the expansion of CPRA to fully include employee data, many organizations that weren’t considering compliance will now need to formalize their privacy programs, perform risk assessments, and prepare for upcoming reporting requirements.

That means many healthcare organizations that historically focused privacy efforts primarily on HIPAA compliance must now evaluate broader workforce and operational privacy obligations. Below is a high-level summary of what should be established and maintained, especially in preparation for a regulatory inquiry or audit:

Items that should be ready and available (audit/inquiry readiness):

  • Inventory of employee personal information (PI) and sensitive personal information (SPI), including data flows (collection, use, storage, sharing, retention, and deletion)
  • Identification of all systems and third parties that process employee data (e.g., HR systems, payroll, benefits providers, workers’ compensation vendors)
  • Formal privacy risk assessment evaluating how employee data is processed and associated risks
  • Documented vendor agreements with appropriate data protection and use limitations
  • Internal policies and procedures, including:
    • Data retention and deletion standards
    • Data subject rights request (DSR) procedures (access, deletion, correction, etc.)
    • Privacy-related incident response processes
  • Evidence of operational execution, such as:
    • Logs of privacy requests and responses
    • Employee training records
    • Enforcement of access controls and retention practices
  • Security controls aligned with the sensitivity of employee data (leveraging existing HIPAA safeguards where applicable)

Items that must be actively maintained (regardless of audit):

  • Employee privacy notice provided at or before data collection
  • Public-facing privacy policy outlining data collection, use, and sharing practices
  • Defined method for submitting privacy/data subject requests
  • Documented determination regarding whether “selling” or “sharing” of data applies
  • Handling and justification for the use of sensitive personal information (SPI)

In either case, the organization must be able to demonstrate compliance through documentation and evidence if requested.

This requirement is evolving. Based on the California Privacy Protection Agency’s recent announcement, organizations will be required to perform formal risk assessments beginning in 2026 and submit an attestation and summary of those assessments to the CPPA starting April 1, 2028. Organizations need to provide executive-level attestation and summary-level reporting of the assessment. The full assessment must also be maintained and made available upon request.

To qualify as a CCPA/CPRA compliant risk assessment, the assessment should:

  • Evaluate specific data processing activities (e.g., employee onboarding, HR systems, benefits administration, workers’ compensation)
  • Identify and document categories of personal information (PI) and sensitive personal information (SPI) involved in each processing activity
  • Clearly define the purpose of the processing and how the data is being used
  • Assess the necessity and proportionality of the processing (i.e., whether the data collected and used is appropriate and not excessive for the stated purpose)
  • Analyze potential risks to individuals (in this case, employees), including risks related to privacy, misuse, unauthorized access, or over-collection
  • Include a risk vs. benefit analysis, weighing the business need for the processing against the potential impact to individuals
  • Document safeguards and controls in place to mitigate identified risks (administrative, technical, and physical)
  • Specifically address the handling and use of sensitive personal information (SPI), particularly where higher-risk data is involved
  • Be formally documented, version-controlled, and repeatable, with clear ownership and approval
  • Be structured in a way that supports future reporting and attestation requirements (e.g., summary-level outputs for regulatory submission)

For many healthcare employers, CPRA readiness is becoming less about privacy policies and more about proving operational governance over employee data across complex vendor ecosystems.

Why Privacy Risk Assessments Matter Now

California regulators are now signaling a different expectation: organizations must proactively evaluate risk.

The upcoming rules require businesses to formally assess how personal information is processed and whether those activities create risks to consumers or employees.

Organizations will also need to maintain evidence supporting those conclusions.

For healthcare leadership teams, this creates a new operational reality. Privacy compliance is no longer solely a legal or IT issue.

California Is Leading, but Other States Are Moving in the Same Direction

While California remains the most aggressive privacy regulator, it is not alone. States such as Virginia and Colorado already require privacy risk assessments for certain processing activities. Today, those assessments generally must be maintained and produced upon request rather than proactively submitted.

Still, the trend is clear.

Regulators increasingly expect organizations to prove they understand their data environments and associated risks.

Preparing for 2026 and Beyond

Organizations do not need to wait for formal submission deadlines to begin preparing.

Strong preparation now can reduce future disruption and position organizations to respond more effectively to regulatory inquiries, workforce expectations, and evolving privacy standards.

Privacy Compliance Is Becoming a Business Operations Issue

The organizations that respond most effectively to these evolving requirements will not treat privacy compliance as a checkbox exercise.

They will approach it as part of operational maturity.

Employees, regulators, business partners, and patients increasingly expect transparency around how organizations handle data. That expectation will continue to grow as AI, automation, workforce analytics, and digital transformation accelerate across healthcare.

The organizations that build strong governance now will be better positioned to scale responsibly later.

How LBMC Can Help

LBMC helps organizations evaluate privacy readiness, strengthen governance processes, assess operational risk, and prepare for evolving regulatory expectations.

Our teams work alongside leadership, legal, HR, cybersecurity, compliance, and operational stakeholders to help organizations create practical, scalable privacy compliance strategies aligned with business objectives.

If your organization is evaluating CCPA/CPRA readiness or preparing for future privacy risk assessment requirements, connect with an LBMC professional to discuss your current environment and next steps.

Content provided by Teddy Ansink, LBMC Cybersecurity Manager. Contact him at teddy.ansink@lbmc.com.

CCPA and CPRA Risk Assessment FAQs

When do California privacy risk assessment requirements take effect?

Formal privacy risk assessments are expected to begin in 2026, with attestation and summary reporting requirements starting April 1, 2028.

Which organizations may be subject to CCPA/CPRA requirements?

Businesses operating in California that meet certain thresholds, such as annual revenue over $25 million or handling large volumes of personal information, may be subject to compliance obligations.

Why are healthcare employers particularly impacted by these rules?

Healthcare organizations often manage extensive employee and sensitive operational data across HR, payroll, benefits, and third-party systems, increasing compliance and governance expectations.

What should a compliant privacy risk assessment include?

A compliant assessment should evaluate processing activities, identify risks, document safeguards, assess proportionality, and support future regulatory reporting requirements.

Are other states adopting similar privacy requirements?

Yes. States such as Virginia and Colorado already require privacy risk assessments for certain data processing activities, signaling a broader national trend toward stronger privacy governance.

Why CMMC Strategy Matters Before You Start
https://www.lbmc.com/blog/cmmc-compliance-strategy/
Mon, 06 Apr 2026 17:26:28 +0000

For many organizations working with the Department of Defense (DoD), Cybersecurity Maturity Model Certification (CMMC) initially feels like another compliance checklist. Install the tools. Document policies. Pass the assessment.

But the organizations that struggle the most with CMMC usually start with the wrong assumption: that compliance is a technical project.

In reality, CMMC is a business strategy decision first and a cybersecurity program second. A well-defined CMMC compliance strategy helps organizations avoid costly missteps and align certification with long-term goals.

Your choices early in the process — how you scope your environment, interpret contract requirements, and structure governance — can determine whether CMMC becomes a manageable program or a costly disruption.

Before implementing controls or purchasing software, organizations should step back and answer one fundamental question: What role does CMMC play in our long-term business strategy?

Who CMMC Actually Applies To (Hint: It’s Broader Than You Think)

One of the most common misconceptions is that CMMC only applies to prime contractors. That’s not the case.

CMMC requirements flow down through the entire defense industrial base, meaning organizations may be affected if they are:

  • Prime contractors
  • Subcontractors
  • Service providers supporting DoD work
  • Technology vendors handling contract data

If your organization touches defense contract data at any level, CMMC may determine whether you remain eligible to compete for future work.

For many firms, the question isn’t whether CMMC applies. It’s how strategically they approach it.

Compliance vs. Security vs. Audit Readiness

Another misconception is that strong cybersecurity automatically leads to successful certification. Unfortunately, that’s not how assessments work.

Many organizations already operate secure environments. However, security alone does not guarantee audit readiness.

Assessors evaluate:

  • Documented system security plan and policies
  • Consistent control execution
  • Evidence demonstrating operational effectiveness

In other words, good intentions or informal practices don’t count.

If you can’t prove a control consistently operates, it may not pass an assessment — even if the security practice itself exists.

This is why organizations that delay documentation or evidence collection often find themselves scrambling during certification.

Understanding the Difference Between FCI and CUI

A critical strategic decision in CMMC begins with identifying the type of information your organization handles. Two categories drive your certification requirements:

Federal Contract Information (FCI): Information generated during contract performance that is not intended for public release.

Handling FCI typically triggers CMMC Level 1 requirements.

Controlled Unclassified Information (CUI): Sensitive government information that requires protection but is not classified.

Handling CUI generally triggers CMMC Level 2 requirements, often including third-party certification.

The challenge? CUI is not always obvious.

Organizations often assume they don’t handle CUI because they don’t receive engineering drawings or classified materials. However, CUI can appear in:

  • Technical specifications
  • Test results
  • Manufacturing instructions
  • Project communications
  • Derived documentation created internally

Once CUI enters an environment, it can propagate through collaboration tools, files, and operational workflows. Understanding where CUI exists — and where it may spread — is one of the most important steps in a successful CMMC strategy.

The Strategic Cost of Getting It Wrong

Organizations often make one of two mistakes early in their CMMC journey.

Over-scoping

Some organizations include their entire enterprise in scope to avoid missing something. While this approach feels safe, it often creates unnecessary complexity and dramatically increases cost.

Under-scoping

Others attempt to minimize scope to remain at Level 1 or reduce implementation effort. If assessors later determine that CUI exists in the environment, organizations may face:

  • Re-scoping requirements
  • Additional assessments
  • Delays in contract eligibility

Both scenarios create avoidable operational friction. A well-designed CMMC strategy balances compliance, cost, and business objectives.


Start With Strategy, Not Technology

Before implementing cybersecurity tools or frameworks, organizations should focus on three strategic questions:

  1. What data do we actually handle?
  2. Where does that data move across our organization?
  3. What level of CMMC certification aligns with our future contract strategy?

These answers shape everything that follows — from architecture to governance to compliance costs.

The way you structure your CMMC program can determine whether it becomes a burden or a competitive advantage. Organizations that treat CMMC as a strategic initiative rather than a technical obligation are far more likely to build sustainable programs that support growth.

Ready to schedule a CMMC assessment? Reach out to Robyn Barton, Shareholder, LBMC Cybersecurity, robyn.barton@lbmc.com.

Simplifying ISO Certification: A More Integrated Approach for Growing Organizations
https://www.lbmc.com/blog/integrated-iso-certification-services/
Fri, 03 Apr 2026 16:18:09 +0000

As regulatory scrutiny increases and enterprise customers demand stronger third-party assurance, many organizations are rethinking how they approach ISO certification.

LBMC’s expansion of its accredited certification platform to include ISO 9001:2015 Quality Management System (QMS) certification reflects a broader shift in the market. Organizations are no longer treating quality, security, and privacy as separate initiatives. They are looking for a more connected, efficient way to manage them together.

Why ISO Certification Is Gaining Momentum

ISO certifications have increased significantly in recent years, driven by growing expectations from customers, regulators, and procurement teams.

For many middle-market and growth-stage organizations, ISO certification is no longer optional. It has become a requirement for enterprise contracts, government engagements, and participation in regulated markets.

That shift is changing how companies think about certification. It is not just about compliance. It is about enabling growth.

Moving Beyond Siloed Certification Efforts

Reducing Complexity Through Integration

Organizations pursuing ISO 9001, ISO 27001, and ISO 27701 often run into the same challenges. Overlapping requirements, duplicated documentation, and limited internal resources can slow progress and create unnecessary friction.

LBMC’s integrated certification approach is designed to simplify that process. By aligning audit cycles and coordinating evaluation activities across standards, organizations can reduce duplication and improve visibility across their management systems.

This approach helps organizations:

  • Reduce redundant effort across quality, security, and privacy programs
  • Consolidate oversight under a single accredited certification body
  • Improve internal governance and accountability
  • Accelerate readiness for enterprise procurement requirements

“Executive teams are feeling the increased pressure of demonstrating compliance with multiple frameworks and standards that demand both operational excellence and effective risk management,” said Brian Willis, Cybersecurity Shareholder at LBMC. “An integrated ISO certification strategy allows organizations to strengthen their quality, security, and privacy programs simultaneously while reducing disruption to daily operations. We find that the competencies established for one standard translate quite well to the others as does the audit process for each. Our role is to equip our clients for success by bringing structure, clarity, and efficiency to that process.”

Common Challenges Organizations Face

Even with clear goals, many organizations encounter obstacles when pursuing certification. These often include:

  • Unclear scope definition
  • Gaps between documented policies and actual practices
  • Inconsistent implementation across departments
  • Resource constraints during audit preparation

LBMC’s certification approach emphasizes:

  • Strategic audit planning – Coordinated scheduling across multiple standards to reduce operational disruption.
  • Practical focus on system effectiveness – Concentrating on controls and processes that materially impact compliance and performance.
  • Experienced audit professionals – ISO-certified auditors with backgrounds in cybersecurity, quality systems, and regulatory compliance.
  • Structured communication and oversight – Clear timelines, defined milestones, and executive-level visibility throughout the certification lifecycle.

The Business Value of ISO 9001

ISO 9001 is the internationally recognized standard for quality management systems. It provides a structured framework for improving consistency, strengthening customer confidence, and supporting continuous improvement.

While commonly associated with manufacturing, ISO 9001 is also highly relevant for industries such as engineering, software development, hosting services, and customer support operations.

For many organizations, ISO 9001 serves as the operational foundation that supports broader security, privacy, and regulatory initiatives.

When integrated with ISO 27001 and ISO 27701, it becomes part of a broader governance framework that supports enterprise risk management and long-term scalability.

Certification can also:

  • Support eligibility for regulated contracts
  • Strengthen differentiation in competitive bids
  • Reduce third-party assessment burdens
  • Improve visibility into operational controls
  • Enhance valuation readiness for private equity-backed organizations

A Strategic Decision for Leadership Teams

For executive leaders, ISO certification is evolving into more than a compliance milestone. It is increasingly tied to revenue growth, risk management, and overall business strategy.

Before moving forward, leadership teams should be asking:

  • Are we missing opportunities due to a lack of ISO certification?
  • Are our quality, security, and privacy programs operating in silos?
  • What is the cost of duplicated audit efforts across the organization?
  • Are our systems prepared for investor or regulatory scrutiny?
  • How could certification impact valuation or exit readiness?

To help executive teams answer these questions, LBMC is offering a limited number of Executive ISO Integration Assessments for organizations planning 2026 certification cycles.

This working session provides:

  • A high-level maturity gap overview across quality, security, and privacy domains
  • Identification of overlapping controls to reduce redundant audit effort
  • A procurement-readiness analysis aligned to enterprise RFP expectations
  • Executive-level roadmap with timeline, resource requirements, and risk exposure indicators
  • Financial impact modeling for integrated vs. standalone certification pathways

For many middle-market and private equity-backed companies, this session clarifies whether ISO certification is simply a compliance requirement or a strategic lever for accelerating enterprise sales and strengthening governance maturity.

Executive leaders interested in evaluating the ROI of an integrated ISO strategy may request an assessment briefing.

Supporting Regional Growth and Regulated Industries

LBMC’s expanded ISO certification services support organizations across the Southeast and beyond, including healthcare providers, technology companies, manufacturers, financial services firms, and government contractors seeking globally recognized assurance frameworks.

By combining ISO certification with LBMC’s broader cybersecurity, risk advisory, and compliance capabilities, organizations gain a strategic partner capable of supporting both certification and ongoing management system maturity.

Preparing for 2026 Certification Cycles

Organizations planning to pursue ISO 9001, ISO 27001, or ISO 27701 certification in 2026 are encouraged to begin readiness assessments and scope definition early to align with procurement and regulatory timelines.

Looking to simplify your certification process?

Explore LBMC’s integrated ISO certification services to see how a more connected approach can support your organization’s growth and compliance goals.

How to Take Over a PCI Compliance Program
https://www.lbmc.com/blog/how-to-take-over-a-pci-compliance-program/
Thu, 13 Nov 2025 20:27:27 +0000

Key Takeaways:

  • Clarify Scope and Current State Early: Begin by reviewing existing documentation like the ROC or SAQ, network diagrams, and gap assessments to understand where cardholder data resides and who owns each system. This foundational clarity shapes your entire PCI compliance strategy.
  • Establish Ownership and Year-Round Accountability: Build an internal matrix mapping each PCI DSS requirement to a responsible owner, track evidence, and maintain visibility year-round — not just during audit season. Even a basic Excel tracker can support this process.
  • Treat Your QSA as a Strategic Partner: Manage assessments like projects with structured timelines and clear communication. Collaborate with your QSA to proactively address control gaps and strengthen security, not just to “pass” an audit.

A QSA’s Guide for New GRC Professionals 

Stepping into a GRC role responsible for PCI DSS compliance can be both exciting and daunting. Many organizations experience turnover in this function; a prior compliance manager moves on, and suddenly a new person inherits the PCI program. Sometimes that person has deep PCI experience; other times, they’re learning the framework from scratch.

What we often see is that documentation is scattered, key processes live in the heads of a few people, and there’s no centralized GRC or compliance tool in place. In these situations, the organization may rely heavily on its assessor’s tools and workflow — convenient in the short term, but risky in the long term. If personnel or assessors change, critical institutional knowledge can disappear overnight.

Having worked as a Qualified Security Assessor (QSA) across hundreds of PCI DSS assessments, I’ve seen how quickly a PCI program can drift and how strong leadership and structure from the GRC function can turn it around. Here’s how to effectively manage a PCI program when you’re the new face in the compliance seat.

Step 1: Understand Your PCI DSS Scope and Current State of Compliance 

Your first task is to get clear on PCI DSS scope and the current state of your compliance program. Request copies of the latest Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ), network diagrams, and any gap assessments or scope validation reports.

Map out:

  • Where cardholder data is stored, processed, or transmitted
  • What segmentation controls isolate that environment
  • Which vendors and third parties handle cardholder data
  • Who owns each system and process 

This foundational understanding will guide every PCI activity you manage. If you need help getting started, LBMC’s PCI Flash or Gap Assessment service helps new GRC leaders rapidly identify gaps and build a roadmap to compliance.

Step 2: Build Ownership and Accountability for PCI Requirements 

Even if your QSA provides a robust evidence management platform, your organization needs its own internal PCI tracking process. You should be able to answer, at any time:

  • Who owns each PCI DSS requirement?
  • When was it last tested or reviewed?
  • Where is the supporting evidence stored?
  • What was last year’s QSA feedback?

Create a living matrix mapping each requirement to internal owners — IT, Security, DevOps, Finance, or Compliance. Track status, due dates, and evidence collection cycles.

Even without a GRC tool, a simple Excel-based tracker can work. The key is maintaining visibility and accountability throughout the year — not just during audit season.

Step 3: Manage the PCI DSS Assessment Like a Project (and a Partnership) 

Most PCI DSS assessments follow a structured process:

  1. Collect core scoping evidence (network diagrams, system inventories, segmentation documentation, third-party lists).
  2. Conduct working sessions to observe controls and interview control owners.
  3. Review documentation and validate results.
  4. Generate reports.

Your role as the GRC professional is to project manage this process from your organization’s side — scheduling sessions, coordinating evidence, and maintaining communication between your QSA and internal teams.

But here’s the real challenge: control owners are busy. PCI might not be their top priority. Your job is to make participation as easy as possible: provide clear instructions, send calendar holds for working audit sessions, and explain why their evidence matters.

If engagement becomes difficult, escalate for executive support. Leadership reinforcement that “PCI is a business priority” can make all the difference.

Pro tips:

  • Brief control owners before each session to clarify topics and expectations.
  • Capture action items and deadlines after every discussion.
  • Communicate proactively with your QSA about scheduling, readiness, and constraints.

This keeps the assessment efficient, minimizes rework, and establishes a professional rhythm with your assessor — one that strengthens each year.

Step 4: Maintain Continuous PCI Compliance Year-Round 

Under PCI DSS v4.0, organizations must demonstrate continuous compliance, not just point-in-time certification. That means recurring activities — such as scans, training, and reviews — must be executed consistently and well documented.

A mature PCI program operates on a compliance calendar that tracks:

  • Quarterly internal and external vulnerability scans
  • Wireless access point scans
  • User account and access reviews
  • Incident response tests
  • Firewall rule reviews
  • Annual policy and training updates and more!

LBMC’s PCI Continuous Compliance Program helps organizations operationalize this approach with quarterly QSA reviews and ongoing advisory support. Even if managed internally, make it a habit to review your PCI compliance status every quarter — not just before audit time.

Step 5: Collaborate with Your QSA to Strengthen Security

When audit week arrives, remember: it’s not a test to “pass” — it’s a process to validate and improve controls.

A strong QSA partnership is built on transparency and collaboration. Be upfront about control gaps or exceptions; address them early to avoid last-minute issues. Encourage your teams to ask questions — these sessions often surface valuable security improvements beyond compliance itself.

With PCI DSS v4.0, you can also leverage customized approaches that provide flexibility while maintaining compliance. If you go this route, engage your assessor early to define success criteria and required evidence.

LBMC provides comprehensive advisory and compliance support. Connect with a local expert today. With offices in Chattanooga, Memphis, Louisville, Nashville, Knoxville, Philadelphia, and Charlotte, plus remote support, the firm supports clients across the Southeast.

Key Takeaways for New GRC Professionals Managing PCI DSS

  • Start with clarity: Understand PCI DSS scope, data flows, and system ownership early.
  • Own your matrix: Map every PCI requirement to internal stakeholders and evidence owners.
  • Stay proactive: Build a quarterly compliance calendar to avoid last-minute fire drills.
  • Educate and engage: Help control owners understand their PCI responsibilities.
  • Partner with your QSA: Treat the assessor relationship as a collaboration, not an audit test.

Building a Sustainable PCI DSS Compliance Program

Taking over a PCI program is no small task, but it’s also a great opportunity to modernize documentation, strengthen collaboration, and establish sustainable PCI DSS compliance processes.

Start with clear scoping, build internal ownership, manage the assessment like a project, and engage leadership along the way. When PCI becomes part of your organization’s operational DNA, the annual assessment transforms from a stressful event into a simple, repeatable validation.

And if you’re looking for a partner to guide you through it, LBMC can help. Our experienced QSAs provide hands-on PCI compliance guidance, quarterly reviews, and structured programs designed to make compliance manageable and repeatable.

Contact Stewart Fey to learn how LBMC can help you build and sustain a successful PCI compliance program.


Content provided by Stewart Fey, Shareholder, LBMC Cybersecurity. Contact him at stewart.fey@lbmc.com.

Take the next step toward a more resilient and efficient compliance function. Talk with LBMC’s advisors for tailored support.

Frequently Asked Questions 

What is the first step when taking over a PCI compliance program?

Start by reviewing your most recent ROC or SAQ, along with network diagrams and gap assessments. Understanding scope and current compliance posture sets the foundation for everything else.

How can I keep my PCI DSS compliance program on track year-round?

Establish a recurring PCI compliance task checklist calendar that includes quarterly scans, user access reviews, and incident response exercises. Continuous visibility helps maintain readiness between audits.

What if my organization doesn’t have a GRC tool?

That’s okay. Start with a structured Excel tracker that assigns PCI requirements to owners, due dates, and evidence locations. You can scale to tools later for automation and reporting.

How can I make PCI assessments easier for control owners?

Prepare them in advance, communicate expectations clearly, and schedule meetings efficiently. Remind them that PCI compliance supports the business by protecting customer data and reducing risk.

PCI Compliance Guidelines Thoroughly Explained
https://www.lbmc.com/blog/pci-compliance-guidelines-explained/
Thu, 06 Nov 2025 21:18:23 +0000

Protecting Cardholder Data in the Era of PCI DSS 4.0.1

Key takeaway: PCI DSS 4.0.1 goes beyond annual audits — it’s about embedding compliance into your daily operations and governance framework to strengthen trust and security across your organization.

Stay ahead of evolving PCI standards.

Download the PCI Compliance Guidelines Thoroughly Explained to understand how PCI DSS 4.0.1 reshapes compliance for merchants, service providers, and technology-driven organizations. This guide breaks down what’s new, what’s changed, and how to make compliance a business-as-usual practice that supports both security and governance goals.

 


If your organization stores, processes, or transmits payment card data, you are responsible for maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS). The latest version — PCI DSS 4.0.1 — represents a shift toward continuous compliance, executive accountability, and risk-based flexibility across all industries that handle cardholder data.

Whether you’re a retailer, service provider, SaaS platform, or healthcare organization, understanding and operationalizing PCI DSS 4.0.1 is essential to protecting sensitive data, building customer trust, and meeting evolving security expectations.

The PCI Compliance Guidelines Thoroughly Explained guide provides practical insights for compliance officers, IT leaders, and GRC managers on topics such as:

  • What PCI DSS 4.0.1 means for your organization and how it differs from version 3.2.1.
  • How merchants and service providers can demonstrate compliance through the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).
  • The most significant new requirements, including multi-factor authentication for all access to the Cardholder Data Environment, targeted risk analyses, and authenticated vulnerability scanning.
  • How to define and validate PCI scope in modern, cloud-based environments.
  • Ways to integrate PCI compliance into governance and risk management programs as a business-as-usual activity.
  • How to reduce scope and simplify compliance through outsourcing, tokenization, and P2PE solutions.
  • Best practices for leveraging PCI SSC guidance and FAQs to stay ahead of evolving requirements.

Third-Party Reporting Made Smarter: The Case for Unified Attestation
https://www.lbmc.com/blog/third-party-reporting-unified-attestation/
Fri, 03 Oct 2025 00:00:00 +0000

In today’s complex and highly regulated business environment, you’re faced with mounting pressure to demonstrate compliance across a growing array of standards and frameworks. These could include SOC 1, SOC 2, and SOC 3, as well as HITRUST, ISO 27001, FedRAMP, PCI DSS, MRC examinations, and WebTrust certifications.   

Navigating these frameworks individually can be a strain on both internal resources and budgets. That’s why more forward-thinking organizations are consolidating their efforts by engaging a single firm to oversee multiple third-party reporting needs. The result? Greater efficiency, less audit fatigue, and more consistent, actionable insights.  

Audit Once, Report Many: One Strategy with Many Benefits  

Centralizing attestation services with one firm allows you to streamline compliance using a shared set of controls, testing procedures, and documentation. This reduces duplicative efforts, lowers overall audit costs, and enhances the quality and consistency of reporting across frameworks. A unified control library supports governance, risk, and compliance efforts and allows your internal teams to focus on strategic priorities and business growth. The following examples illustrate how this strategy improves efficiency and consistency across SOC 1, SOC 2, SOC 3, and other reporting frameworks.  

SOC 1, SOC 2, and SOC 3 Reporting: Maximizing Value Through Integration  

SOC reports are the bedrock of third-party assurance for many service providers. As SOC 1, SOC 2 and SOC 3 share common goals, addressing them together reduces disruptions and streamlines the process of gathering evidence. Partnering with one firm facilitates better reporting across systems, so that a cohesive compliance story is shared with stakeholders and clients. 

Aligning ISO 27001 and HITRUST for Broader Assurance  

ISO 27001 and HITRUST are two of the most recognized frameworks for managing information security and data protection. ISO 27001 is the global standard for information security management systems. HITRUST is a comprehensive certification framework for the healthcare industry, incorporating parts of HIPAA, NIST, and ISO. 

Both ISO 27001 and HITRUST have commonalities with SOC 2, especially around security, privacy, and risk management. Aligning ISO 27001 and HITRUST assessments with SOC 2 efforts can reduce duplicate testing and streamline audit timelines. This process shows a developed, unified security posture across industries, including healthcare, financial services, and technology. 

An integrated approach results in stronger governance, improved compliance ROI, and comprehensive regulatory coverage while allowing teams to focus on higher-value initiatives. 

Strategic FedRAMP Integration: Reducing Risk for Cloud Service Providers  

FedRAMP is a framework for cloud service providers that work with U.S. federal agencies. FedRAMP has its own strict security requirements and often overlaps with other frameworks like SOC 2, ISO 27001, and HITRUST, especially as they relate to access controls, encryption, and risk management. By integrating FedRAMP assessments with existing programs, organizations can streamline compliance and meet government standards more efficiently. Aligning these processes can also raise the credibility of organizations, allowing them to go to market faster.

Integrating PCI DSS with SOC 2 and ISO 27001  

Adhering to PCI DSS is required for any organization that stores, processes, or transmits cardholder data, as well as businesses that support these processes through infrastructure or services. Although PCI DSS is specialized in some areas, it shares controls with SOC 2 and ISO 27001 related to information security, access control, and system monitoring. Aligning PCI requirements with existing compliance programs can help organizations cut down on audit redundancy, improve internal coordination, and establish a more efficient, secure posture for handling payment data.

Incorporating Media Rating Council (MRC) Examinations and WebTrust: Coordinated Value 

MRC examinations are crucial for organizations in advertising and media, validating the accuracy and reliability of audience measurement. WebTrust, on the other hand, is tailored for digital trust—supporting online security for e-commerce platforms and certification authorities. Both frameworks emphasize data integrity and security, creating opportunities for coordination with broader attestation efforts. When integrated with assessments like SOC 2 and ISO 27001, MRC and WebTrust examinations can be conducted more efficiently, reducing audit fatigue while reinforcing trust in the systems that support digital and media transactions.  

Mapping Controls Across Frameworks: A Strategic Approach to Compliance Value  

Consolidating multiple attestation efforts under one firm offers measurable value by reducing the need for separate audits, eliminating redundant testing, and streamlining documentation. These efficiencies can lead to lower audit costs, better use of internal resources, and fewer operational disruptions.  

The table below illustrates how SOC 2 often acts as a foundational framework, with many other attestation standards mapping closely to it. Shared control areas, such as security, privacy, and data integrity, enable an audit once, report many approach that drives consistency, improves oversight, and maximizes the return on compliance investments.  

| Reporting Framework | Maps to SOC 2 | Key Overlap Areas | Additional Notes |
|---|---|---|---|
| SOC 1 | Yes (ITGC) | Financial reporting controls | Primarily focuses on controls relevant to financial reporting; limited overlap with IT general controls used in SOC 2 |
| SOC 2 | Foundational | Security, availability, processing integrity, confidentiality, privacy | Core framework for service organization controls; commonly used as the baseline for aligning other reports |
| SOC 3 | Yes | Same as SOC 2 (general use) | General-use version of SOC 2; used for broader distribution and marketing purposes |
| ISO 27001 | Yes | Information security | Internationally recognized standard; closely aligns with SOC 2, HITRUST, and FedRAMP in areas of data protection and security management |
| HITRUST | Yes | Information security, privacy controls | Framework tailored to healthcare and regulated industries; incorporates elements from HIPAA, NIST, and ISO |
| FedRAMP | Yes | Security controls, risk management | Federal requirement for cloud providers; shares control areas with SOC 2, ISO, and HITRUST |
| PCI DSS | Yes | Payment data security, access controls, risk management | Applies to any organization handling cardholder data; aligns with SOC 2 and ISO in information security domains |
| MRC | Yes | Data integrity, security | Key for media and advertising organizations; validates accuracy in audience measurement and digital metrics |
| WebTrust | Yes | Data integrity, e-commerce security | Designed for digital trust services; supports verification in online transactions and secure communications |

 

Frameworks like HITRUST, ISO 27001, MRC, WebTrust, FedRAMP, and PCI DSS all align closely with SOC 2 due to shared requirements for security, privacy, and data integrity.  

The strongest synergies appear between SOC 2, HITRUST, ISO 27001, FedRAMP, and PCI DSS, each emphasizing information security and risk management.  

For media and e-commerce organizations, MRC and WebTrust also reinforce this alignment through a shared focus on data integrity and trust assurance.  

Leveraging GRC Technology for Smarter Compliance  

Governance, Risk, and Compliance (GRC) technology is a game-changer. Platforms like Hyperproof enable organizations to automate evidence collection, manage control mappings across frameworks, and centralize reporting. When combined with a consistent attestation partner, these tools reduce administrative overhead and create a repeatable, scalable compliance process.  

The LBMC Advantage: Built for Today, Ready for Tomorrow  

LBMC provides more than audit reports. We serve as strategic advisors, helping organizations build and sustain efficient, integrated compliance programs. By aligning technology, talent, and expertise, we help clients turn regulatory requirements into business value. Our team brings deep industry experience, a pragmatic approach, and a people-first mindset that keeps your goals front and center. 

Simplify Compliance with a Unified Attestation Strategy That Builds Trust

If managing multiple audits feels overwhelming or your compliance requirements keep piling up, you don’t have to face it alone. At LBMC, we work alongside you to make the process smoother, give you clearer visibility into risks, and strengthen trust at every level of your business. Together, we’ll build a unified attestation strategy that not only reduces stress but also delivers stronger outcomes for your organization. 

 Content provided by Chrystal Blaskowski, Senior Manager, LBMC Cybersecurity. Contact her at chrystal.blaskowski@lbmc.com. 

Cybersecurity Due Diligence for Investors in Acquisitions
https://www.lbmc.com/blog/cybersecurity-considerations-acquisition/
Thu, 02 Oct 2025 20:25:05 +0000

In January 2025, Insight Partners, one of the world’s most active tech investors, admitted it had fallen victim to a social engineering attack (Cybersecurity Dive). The breach exposed internal systems, leading Insight Partners to bring in forensic teams and alert law enforcement. If even a firm with stakes in companies like Wiz and Kaseya can get breached, what does that mean for private equity groups (PEGs) in the middle of a deal?

IBM’s 2024 Cost of a Data Breach Report puts the global average price tag of a breach at $4.88 million. McKinsey’s 2024 M&A Report goes a step further, revealing that deals lacking strong risk management, like cybersecurity, end up realizing 10–20% less value compared to those that tackle risks head-on. Cybersecurity due diligence helps protect returns, makes integration easier, and stays on top of stricter state regulations, like New York’s NYDFS Cybersecurity Rules.

Aligning Cybersecurity with Deal Value

How does security fit into why we’re buying this company?

Security adds value to the transaction by safeguarding the core components of the business, such as its technology, client information, or seamless platform integration.

Technology-Driven Acquisitions

The security of codebases, APIs, and data models is prioritized when a transaction is driven by proprietary software or advanced platforms. Weak encryption or unpatched systems aren’t just technical issues; they can lead to regulatory fines and mandatory fixes under New York’s NYDFS Cybersecurity Rules (23 NYCRR 500).

Market Share or IP Focus

If a target is mainly valued for its customer data or intellectual property, it’s crucial to have strong protections in place to prevent leaks and theft. The very assets that are driving the deal can quickly become liabilities if robust data-loss prevention measures are not in place.

Integration Strategy

When integrating a target into an existing business, it is essential that the security standards of the acquirer be met. When systems don’t match up and controls are inconsistent, it slows down integration, holds back synergies, and drives up costs.

Smart investors commission targeted assessments that connect security risks to the deal thesis, preserving core assets while keeping everything in line with regulatory requirements.

Driving Integration ROI

What does this mean for time, cost, and benefits after the deal is done?

Cybersecurity due diligence goes beyond just identifying risks before closing the deal. It also establishes the foundation for how quickly value can be realized and how smoothly the target integrates. Integration times can stretch, and costs can rise if you don’t have a clear understanding of the gaps, fixes that need to be made, and legal requirements.

Security Gaps and Remediation Costs

Most breaches are caused by patchable vulnerabilities. If a target enters the agreement with out-of-date systems or poor zero-trust measures, or even incompatible identity platforms, those flaws must be addressed immediately. The acquirer is commonly responsible for bearing the cost of filling in those gaps on their balance sheet.

State Regulatory and Compliance Risks

Along with the technology challenges, investors also take on the target’s regulatory stance. State-level rules, such as the NYDFS Cybersecurity Regulations, along with sector-specific requirements, bring in extra layers of scrutiny. Non-compliance can mean fines, audits, or even restrictions on how you operate. New York isn’t the only state taking action. Texas and Massachusetts are also stepping up, with Texas’s HB 4 requiring annual cybersecurity audits and breach notifications within 60 days. These rules definitely impact the ROI of integration.

Investors can keep integration on track and protect projected returns by fixing immediate security gaps, planning upgrades for the near future, and making sure that long-term compliance strategies are aligned. Cybersecurity accelerates deal value, not just defense.

Uncovering Hidden Liabilities

What risks could be hiding in the shadows?

You can often learn a lot about a target’s cybersecurity history, even beyond what management shares during the due diligence process. When breaches go undisclosed, incident response processes are weak, or vendor relationships are insecure, these issues can come back to haunt you after a deal closes.

Incident History and Liabilities

Past breaches, even if they were downplayed or kept under wraps, can signal lingering vulnerabilities. Advanced persistent threats (APTs) may remain hidden inside a network post-acquisition, inflating costs for the acquirer.

Prevention and Response Capabilities

For investors, a target’s ability to detect and respond to threats directly affects post-close costs. Companies that have strong monitoring and incident response systems can keep disruptions under control, helping to maintain their value and stick to integration schedules. When companies lack strong capabilities, they can often pass hidden liabilities to the acquirer, leading to unexpected costs for fixing and upgrading things.

Third-Party and Supply Chain Risks

Vendors, cloud services, and software suppliers often create major blind spots. Compromised partners can open doors into otherwise secure environments, and state regulators increasingly require third-party risk assessments as part of compliance. According to Accenture’s 2024 Risk Study, 40% of utility executives view third-party risk as the fastest-growing issue since 2021, demonstrating its severity and prevalence. Regulators are following suit; the NYDFS, for example, requires third-party risk reviews that include SOC 2 reports. High-profile incidents like the MOVEit breach highlight how one vulnerable supplier can set off a chain reaction that impacts an entire portfolio.

Investors can find hidden risks by investigating event history, response readiness, and vendor relationships. Not only do these insights prevent unpleasant surprises, but they also safeguard long-term portfolio value and provide leverage in negotiations.

Why It Matters for Investors

Why should you care at a strategic level?

Cyber incidents aren’t just an IT issue; they really hit at the core of deal value. Just one breach can wipe out millions, slow down integration, and bring on regulatory scrutiny. The following case shows how quickly weak cybersecurity can turn an acquisition into an expensive lesson.

Case Study: Navigating Ransomware Risks in Acquisition

Just two months after a $150 million acquisition, a midsize manufacturer faced a ransomware attack. The new PE owner spent $1.2 million to unlock the systems and ended up losing millions more due to downtime and remediation (WSJ). The breach stemmed from outdated IT infrastructure that was ignored during the diligence process.

What Investors Should Keep in Mind

Many of those costs could have been avoided. Before closing the deal, cyber assessments could have pointed out the gaps, influenced the deal terms, and highlighted the fixes needed right from Day 1. For investors, weak cybersecurity isn’t just a call for attacks; it also chips away at valuation, slows down integration, and creates liabilities that can affect the entire portfolio.

Investor’s Cybersecurity Checklist

  • Pre-LOI: Identify previous incidents and breaches and conduct dark web scanning using publicly available sources.
  • Program Assessment: Conduct a Cybersecurity Program Assessment and evaluate the target’s efforts to adopt and integrate a cybersecurity framework for the organization and its regulatory and customer compliance requirements.
  • Valuation Impact: Quantify remediation costs and potential liabilities to adjust purchase price.
  • Integration Plan: Develop a Strategic Roadmap and create a 12-month plan to align target security with portfolio requirements. Conduct penetration testing to validate program implementation is working. Consider external Attack Surface Monitoring for ongoing monitoring of externally accessible technologies.
  • Expert Engagement: Hire cybersecurity specialists to conduct code audits and third-party risk assessments.

Ready to Protect Your Next Deal?

Cybersecurity due diligence isn’t just a nice-to-have anymore; it can make or break a deal. LBMC’s Security Risk Management Advisory Services team partners with private equity groups and investors to spot vulnerabilities, boost compliance, and protect portfolio value.

Contact LBMC’s Cybersecurity team to make sure your next acquisition is built on a secure foundation.

Content provided by LBMC Cybersecurity experts Adam Nunn and Kurt Faires.

Cybersecurity in Manufacturing: Smart Use of Honeypots
https://www.lbmc.com/blog/cybersecurity-manufacturing-honeypots/
Fri, 26 Sep 2025 13:24:55 +0000

By Adam Nunn, Senior Manager, Cybersecurity, LBMC. Published 2025-09-26.

Summary: Industry 4.0 has expanded the attack surface for manufacturers by blending OT and IT. This article explains why honeypots and honeytokens are effective tools for detecting and diverting attackers, highlights recent industry incidents, and outlines practical governance steps (e.g., NIST CSF), collaboration bodies, and best-practice deployment considerations.

Key Takeaways 

  • Industry 4.0 brings growing cyber hazards for the manufacturing industry.
  • Recent cyber events emphasize how urgently strong cybersecurity policies are needed.
  • Effective tools for spotting and reducing cyber risks are honeypots and honeytokens.
  • Advancements have strengthened the ROI of honeypots, enhanced their adaptability using AI, and integrated them more deeply into enterprise security operations. 

Recognizing the Manufacturing Cybersecurity Scene

Out of the top ten industries, the manufacturing sector accounted for 25.7% of cyberattacks for three years running. Combining operational technology (OT) with information technology (IT) under Industry 4.0 has produced fresh cyber threat possibilities.

The increase in cyberattacks on factories recently highlights the importance of robust cybersecurity policies. Our experience shows that manufacturers fall behind sectors like healthcare in terms of setting up and combining cybersecurity measures, which makes them simpler targets for hackers.

Recent Cybersecurity Events in Manufacturing

Cyber incidents have surged sharply at manufacturing companies during the past year. In one significant incident, attackers targeted a top automobile manufacturer, stealing confidential information and disrupting manufacturing operations with a ransomware attack.

Another major event occurred at a pharmaceutical company when private formulations and patient information leaked. This hack generated questions about corporate espionage and patient privacy.

Manufacturers with recorded incidents during the past year include:

  1. Brunswick Corporation suffered a cyberattack in June 2023 that cost $85 million and disrupted operations.
  2. Applied Materials was affected by a ransomware attack in 2023, with an estimated $250 million loss tied to a supply-chain incident.
  3. Western Digital suffered a major breach in March 2023 in which over 10 gigabytes of data were taken.

Problems Manufacturers Experience

The integration of OT and IT systems expands the attack surface available to cybercriminals, posing unique cybersecurity challenges for manufacturers. The problem is compounded by the need for structured security procedures and qualified cybersecurity experts, both of which are in short supply.

Approaches for Improving Program Efficiency in Cybersecurity

Manufacturers must take a multi-faceted approach to cybersecurity governance if they are to overcome these obstacles. A good program governance approach includes:

  • Drafting a cybersecurity governance charter.
  • Setting up a cybersecurity oversight committee.
  • Adopting a cybersecurity framework, such as the NIST CSF Manufacturing Profile.
  • Building a multi-year strategic roadmap.
  • Creating annual tactical plans.
  • Implementing cybersecurity policies and standards.
  • Prioritizing a technology investment strategy.
  • Developing a program measurement and monitoring plan.
  • Fostering a security awareness work culture.

Increasing visibility of OT assets is one sensible approach: by keeping precise inventories of those assets and their associated risks, manufacturers can apply protective measures where they are needed. Targeted risk analyses and prioritized improvements are also important. The rise of adaptive cybersecurity tools such as AI-driven honeypots lets manufacturers proactively detect and deceive attackers targeting OT assets. These honeypots adapt in real time to threat behavior, offering deeper insight into attacker techniques without putting production environments at risk.

Aligning cybersecurity initiatives with corporate objectives is another important step. When the two are aligned, security becomes not just a consideration but a major factor guiding operational decisions.

The Purpose of Collaboration

Manufacturers and cybersecurity professionals must collaborate. By sharing information and best practices, the industry can stay ahead of threats and build better security frameworks. Key organizations include:

  • Manufacturing ISAC (MFG-ISAC) lets companies collaborate on cybersecurity concerns and exchange threat intelligence.
  • Cybersecurity Manufacturing Innovation Institute (CyManII) addresses cybersecurity challenges through collaboration and innovation.
  • NIST Manufacturing Extension Partnership (MEP) offers direction on cybersecurity best practices including the NIST Cybersecurity Framework.
  • U.S. Department of Homeland Security (DHS) works with manufacturers through programs like the National Cybersecurity and Communications Integration Center (NCCIC).
  • Cybersecurity and Infrastructure Security Agency (CISA) offers tools and supports information sharing.
  • Automotive Information Sharing and Analysis Center (Auto-ISAC) shares useful information for the automotive sector.
  • National Association of Defense Manufacturers (NAM) engages in cybersecurity projects and offers a forum for information exchange.
  • National Defense Industrial Association (NDIA) focuses on defense manufacturing and supports information sharing among defense contractors.

How Honeypots and Honeytokens Might Benefit Manufacturers

Honeypots are decoy systems designed to draw attackers away from legitimate targets. Think of them as lures or traps for human threat actors and for malicious software, including ransomware.

  • Honeypots resemble real systems, networks, or services in order to attract and identify attackers, providing a comprehensive picture of hostile behavior.
  • Honeytokens are fake data items that trigger an alert when accessed, enabling defenders to track malicious actors. They might be QR codes, documents, web links, or files.

The Role of Honeypots and Honeytokens in Manufacturing

Manufacturing companies increasingly rely on IoT and automation, which enlarge their attack surface. By redirecting attackers and collecting data on their techniques, honeypots and honeytokens help safeguard digital assets.

A new emphasis on protecting interconnected IoT and OT systems under Industry 4.0 has made honeypots and honeytokens vital to defending high-value targets, especially in manufacturing environments.

Honeytoken adoption has also grown beyond simple decoys: organizations now embed fake credentials and data trails across their environments to detect insider threats or unauthorized lateral movement.

Benefits of Using Honeypots:

  • Divert attackers from legitimate targets, lowering the likelihood of a successful compromise.
  • Gather useful knowledge about attackers’ strategies, tools, and approaches to guide more effective defense plans.
  • With AI capabilities, honeypots are no longer static: they adjust to attacker behavior and present more credible deception, increasing their detection and intelligence value.

Advantages of Honeytokens:

  • Detect unauthorized access within the manufacturer’s digital environment.
  • Act as tripwires that signal a security breach, identifying both internal and external threats.

Responding to Cybersecurity Events

Using honeypots and honeytokens, industrial companies can identify threats early and respond more effectively, limiting the damage from cybersecurity events. The data these tools gather can inform better security policies.

Manufacturers increasingly integrate honeypots into SIEM platforms to automate alerts and correlate honeypot activity with broader system events. This strengthens incident response and allows real-time correlation of threat behavior across the network.
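
As an added example, not code from the LBMC post or from any LBMC tool, the following Python script shows the tripwire logic described here and in the honeytoken discussion above: a registry of decoy account names (constructed for the example) is matched against constructed authentication log lines, every touch of a decoy produces an alert in a key=value shape that a SIEM collector can ingest, and alerts are grouped by source address so that one source touching several decoys on several hosts stands out as the lateral-movement pattern honeytokens are planted to catch. The log format, account names, hostnames and addresses are all assumptions made for the example.

```python
"""Honeytoken tripwire detector (added example, not LBMC's tooling).

Assumes a registry of decoy identities (constructed below) and
syslog-style authentication log lines (constructed below). Any
appearance of a decoy identity in the logs is, by definition, an
alert: no legitimate process should ever use it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy accounts planted in the environment. These names are constructed
# for this example; a real deployment would pick names plausible for its
# own directory (e.g. a retired service account) that nothing legitimate uses.
HONEYTOKENS = {
    "svc_backup_legacy": "decoy AD service account planted in a shared script",
    "plc_admin_old": "decoy credential left in an OT jump-host notes file",
}

# Constructed sample log lines, loosely modelled on key=value auth events.
# Real sources would be whatever the SIEM already ingests (sshd, Windows 4624/4625, ...).
SAMPLE_LOGS = [
    "2024-05-01T08:12:03Z host=hmi-01 event=auth result=success user=operator src=10.1.2.50",
    "2024-05-01T08:15:44Z host=fileserv-02 event=auth result=failure user=svc_backup_legacy src=10.1.7.23",
    "2024-05-01T08:16:10Z host=fileserv-02 event=auth result=failure user=svc_backup_legacy src=10.1.7.23",
    "2024-05-01T08:21:30Z host=eng-ws-14 event=auth result=success user=jdoe src=10.1.7.23",
    "2024-05-01T08:25:02Z host=plc-gw-03 event=auth result=success user=plc_admin_old src=10.1.7.23",
    "2024-05-01T09:01:11Z host=hmi-01 event=auth result=success user=operator src=10.1.2.50",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    target_host: str
    token: str
    result: str
    severity: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honeytoken_use(lines):
    """Return one Alert per log line that touches a honeytoken account."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in HONEYTOKENS:
            continue
        # Any use is suspicious; a *successful* decoy logon means the actor
        # already holds the planted secret, so it is rated higher.
        severity = "critical" if rec["result"] == "success" else "high"
        alerts.append(Alert(rec["ts"], rec["src"], rec["host"], rec["user"], rec["result"], severity))
    return alerts


def correlate_by_source(alerts):
    """Group alerts by source IP. One source tripping several tokens on
    several hosts is the lateral-movement pattern honeytokens are meant to expose."""
    by_src = defaultdict(lambda: {"tokens": set(), "hosts": set(), "count": 0})
    for a in alerts:
        entry = by_src[a.source_ip]
        entry["tokens"].add(a.token)
        entry["hosts"].add(a.target_host)
        entry["count"] += 1
    return {
        src: {"tokens": sorted(v["tokens"]), "hosts": sorted(v["hosts"]), "count": v["count"]}
        for src, v in by_src.items()
    }


def to_siem_event(alert):
    """Flatten an Alert into the key=value shape many SIEM collectors accept."""
    return (f"honeytoken_alert ts={alert.timestamp} severity={alert.severity} "
            f"src={alert.source_ip} host={alert.target_host} token={alert.token} "
            f"result={alert.result} note=\"{HONEYTOKENS[alert.token]}\"")


if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_LOGS)
    for a in found:
        print(to_siem_event(a))
    for src, summary in correlate_by_source(found).items():
        print(f"source {src}: {summary['count']} decoy touches across hosts {summary['hosts']}")
```

In the constructed sample, 10.1.7.23 fails twice against the decoy backup account on the file server and then succeeds with the decoy PLC credential on the OT gateway; the per-source summary is what a SIEM correlation rule would key on, since a single failed decoy logon is noise-free on its own but the chain across two hosts is the escalation a responder wants to see first.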

Strategic Implementation

To be most effective, honeypots and honeytokens should be positioned deliberately so that they look like genuine, valuable assets. Regular analysis of the data they produce is vital.

Best practices emphasize strong isolation between honeypots and production systems to prevent accidental exposure or compromise. Deployment strategies now prioritize purpose-driven placement, whether the goal is detecting ransomware, phishing, or insider threats.

Challenges and Considerations

Though valuable, honeypots and honeytokens should be one component of a more comprehensive cybersecurity strategy that also calls for frequent updates, staff training, and robust incident response procedures. Companies must ensure that using these tools does not introduce new legal problems or vulnerabilities.

Legal Considerations

Deploying honeypots and honeytokens calls for rigorous legal analysis, including privacy regulations and authorization for deployment. Collected data must be handled securely, and corporate stakeholders, including legal counsel, should review and approve deployment policies.

Creating Manufacturing’s Resilient Cybersecurity Foundation

LBMC’s cybersecurity services are tailored to the particular challenges facing the manufacturing industry, where the convergence of OT and IT leaves manufacturers especially exposed to cyberattacks. For further reading on the challenges and techniques of secure production, the World Economic Forum explores the role cybersecurity plays in advanced manufacturing resilience.

Market adoption of honeypots has accelerated. Organizations are seeing measurable reductions in breach occurrences and faster incident response, making the ROI more quantifiable and justifiable for leadership teams.

LBMC provides risk identification and reduction tools, including honeypots and honeytokens. Our staff guarantees continued security for your operations, intellectual property, and client records. Work with us to stay ahead of cyberthreats and build a strong cybersecurity foundation for your manufacturing company.

Content provided by Adam Nunn.  

Adam Nunn is a Senior Manager in LBMC’s Cybersecurity division with extensive experience leading teams to enhance compliance and security. He transforms cybersecurity postures from reactive to proactive, aligning organizations with national and international security frameworks. As a respected advisor, Adam builds trust and fosters collaboration across all levels. 

The post Cybersecurity in Manufacturing: Smart Use of Honeypots appeared first on LBMC.

Cyberaccountants Bridge the Gap Between Finance and Security

Published Wed, 24 Sep 2025 at https://www.lbmc.com/blog/cyberaccountants-drew-hendrickson/

Originally Posted on IMAToday

LBMC’s Drew Hendrickson Featured in Cybersecurity + Accounting Article

Drew Hendrickson, CPA and Cybersecurity Practice Leader at LBMC, was recently featured in a national article highlighting the growing intersection of cybersecurity and accounting.

As cyber threats grow in frequency and sophistication, Hendrickson emphasized the unique role CPAs can play in protecting financial data and supporting compliance efforts. “Cyber threats outpace themselves every year,” he said. “Accounting firms and companies have looked to gain assurance around those risks, and CPAs are well equipped to give that assurance.”

Companies that lack cyberaccounting experts, he noted, could face lasting damage to both their bottom line and reputation. “It could lead to a costly breach, and it could impact reputation and customer confidence,” said Hendrickson, who sits on the cyber working group of the AICPA.

Tech and data have expanded in tandem with regulations, which, Hendrickson said, accelerated after the Sarbanes-Oxley Act (SOX) Section 404—a 2002 law that mandated internal controls over financial reporting to improve accuracy. Failure to comply can result in costly penalties and disruptive business impacts.

In the piece, Hendrickson also noted the importance of experience and community involvement for those entering the field. “Starting with a credential is great, especially if you’re new to the field or looking for a career change,” he shared. “But the credential itself is not going to get you where you need to be. You need to get experience.”

He also encourages professionals to connect locally: “This community is very willing to share and talk about what they’re seeing in their industry.”

As a member of the AICPA’s cyber working group, Hendrickson continues to help shape how firms nationwide approach cybersecurity risk and assurance.

LBMC Cybersecurity Services

LBMC Cybersecurity is part of LBMC, the #1 Tennessee-based professional services firm serving more than 11,000 clients nationwide across a spectrum of industries. Led by Drew Hendrickson, our cybersecurity team helps organizations protect what matters most—data, operations, and reputation. We provide practical, business-aligned security solutions to reduce risk, support compliance, and strengthen resilience. Our services include cybersecurity risk assessments, incident response, penetration testing, regulatory compliance, and advisory support across frameworks like HIPAA, HITRUST, PCI, and ISO.

With deep industry expertise in healthcare, financial services, manufacturing, and other regulated sectors, our cybersecurity professionals deliver proactive strategies tailored to today’s complex threat landscape. We partner closely with clients to navigate evolving risks, meet compliance requirements, and build secure, scalable environments that support long-term business goals.

LBMC has more than 1,000 team members, with offices in Nashville, Chattanooga, Knoxville, and Memphis, Tennessee; Louisville, Kentucky; and Charlotte, North Carolina; as well as remote offices. For more information on LBMC’s experts and comprehensive services, contact us via our web form or call 615-377-4600. Discover career opportunities and learn more about how LBMC’s services and culture can support your business goals. Connect with us on LinkedIn for the latest insights on talent, client engagement, and business growth.

Your Cybersecurity Program Under NYDFS Rules

Published Fri, 19 Sep 2025 at https://www.lbmc.com/blog/nydfs-cybersecurity-program-requirements/

Key Takeaways

  • Broad Applicability: The NYDFS Cybersecurity Regulation applies to any organization, regardless of physical location, that provides financial, insurance, credit, or payment services to New York residents, which means many companies may be subject to it without realizing it.
  • Tiered Compliance Requirements: All covered entities must meet baseline cybersecurity controls, while Class A companies face enhanced requirements such as Privileged Access Management (PAM) and Endpoint Detection and Response (EDR); even small or exempt entities must protect nonpublic information (NPI) and file exemption notices.
  • Urgent Deadlines and Strict Enforcement: Final control implementation is due by November 1, 2025, with strict obligations like 72-hour incident reporting and annual compliance certifications; noncompliance can result in penalties determined by the NYDFS Superintendent.

Understanding the New Additions to the NYDFS Regulations

Your organization might be subject to the New York Cybersecurity Regulation without even realizing it. The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, first enacted in 2017, applies not only to entities based in New York but also to any organization that processes payments or provides insurance, credit, or financial services to New York residents, regardless of where the organization is located. These pioneering rules positioned New York as a leader in mandating cybersecurity compliance for financial institutions such as banks, credit unions, and Health Maintenance Organizations (HMOs). To keep pace with the changing cyber threat landscape, amendments to the DFS Cybersecurity Regulation were enacted in 2023. The deadline for implementing the final set of controls is approaching: November 1, 2025.

Am I Required to Establish Controls Addressing These Requirements?

The NYDFS Cybersecurity Regulation mandates that covered entities, including small businesses and Class A companies, implement specific cybersecurity compliance controls. A covered entity is any person or organization operating under New York’s Banking, Insurance, and Financial Services Law, such as banks, credit unions, insurance companies, and Health Maintenance Organizations (HMOs). This includes organizations that are not physically located in New York but still conduct business with the state or its residents. According to Section 500.1(g), Class A companies — those with at least $20 million in gross annual revenue for the last two fiscal years and either over 2,000 employees or $1 billion in gross annual revenue from all operations — must implement a suite of baseline controls plus a list of enhanced controls. Even exempt entities must protect nonpublic information (NPI).

The NYDFS Cybersecurity Regulation defines small businesses as companies with fewer than 20 employees, less than $7.5 million in gross annual revenue for each of the last three fiscal years, or less than $15 million in total year-end assets. These small businesses may qualify for limited exemptions but must electronically file a Notice of Exemption on the NYDFS website within 30 days of determining eligibility. Exempt entities must still implement baseline protections for nonpublic information (NPI), such as encryption and access controls.

Does the category of organization affect what requirements I am subject to implementing?

Yes, depending on the type of organization, there are different sets of requirements. For example, one of the baseline requirements is that access controls are implemented. While annual risk-based access control reviews and Multifactor Authentication implementation are required for all three classifications of organization, Class A organizations must also implement automated password blocking and Privileged Access Management (PAM) (Title 23, Part 500.2 through 500.18).

Despite the enhancements for Class A companies, all covered entities must comply with the baseline requirements of the NYDFS Cybersecurity Regulation. These include:

  • Appointing a Chief Information Security Officer (CISO) to oversee the cybersecurity program.
  • Developing incident response and notification plans, including 72-hour reporting for significant incidents.
  • Maintaining asset inventories to track systems and data.
  • Conducting regular cybersecurity training for employees.
  • Implementing third-party vendor oversight to ensure secure partnerships.
  • Using encryption to protect nonpublic information (NPI).
  • Performing vulnerability management to address security gaps.
  • Submitting an annual compliance certification to NYDFS.
  • Retaining cybersecurity records for three years.

Requirements vary by organization type, with Class A companies facing additional controls like endpoint detection and response (EDR). For full details, review the New York Code of Rules and Regulations Title 23, Part 500 or visit the NYDFS Cybersecurity Resource Center.

What do the requirements for the various categories of organizations have in common?

They all require that organizations maintain a cybersecurity program to protect the confidentiality, integrity, and availability of nonpublic information (NPI). Regardless of the size and classification of your organization, this cybersecurity program must identify both internal and external cybersecurity risks through periodic risk assessments. The results of these risk assessments must be formally documented and actively used to update the organization’s cybersecurity program and policies. Note that these risk assessments must also be conducted in accordance with the organization’s own policies and procedures.

So, cybersecurity policies and procedures must explicitly call out the requirement for risk assessments. Are policies and procedures required for other areas of the cybersecurity program?

Yes, under 23 NYCRR 500.2, all covered entities must maintain a cybersecurity program with documented policies and procedures, including explicit requirements for periodic cybersecurity risk assessments. Other areas that require documented policies and procedures include, but are not limited to, data retention, remote access controls, security awareness training, incident notification and vulnerability management.

Another critical requirement, under 23 NYCRR 500.17, mandates that covered entities notify the Superintendent of Financial Services within 72 hours of determining that a cybersecurity incident has occurred, whether at the entity itself or at its affiliates and third-party providers. The 2023 NYDFS amendments also require reporting ransomware payments within 24 hours. Cybersecurity incidents are defined as events that impact the organization, have a reasonable likelihood of harming or materially disrupting normal operations, or involve ransomware deployment within information systems.

When must my organization implement the NYDFS required controls?

The original regulation took effect on March 1, 2017, with additional implementation deadlines added through amendments. Additional requirements were mandated by December 1, 2023, and the final set of controls, including multi-factor authentication (MFA) and asset inventory, must be implemented by November 1, 2025. For detailed information on specific control deadlines, we recommend you visit the NYDFS Cybersecurity Resource Center.

Penalties for noncompliance are determined by the Superintendent of Financial Services, who is appointed by the Governor of New York. Key factors considered include, but are not limited to, cooperation with the Superintendent, the entity’s good faith, history of prior violations, extent of harm to consumers, and whether the violation was a failure to respond to previously examined matters.

While this article has covered some of the information regarding the current and upcoming NYDFS rule changes, there are many other detailed requirements, such as the requirement to submit a notice of compliance annually to the superintendent. Please visit the New York Code of Rules and Regulations Title 23, Part 500, and review sections 500.00 through 500.24 for detailed requirements.

Close Cybersecurity Gaps with LBMC Risk Assessments

Ready to evaluate your cybersecurity program to identify potential gaps? Consult a cybersecurity expert who can assess your security posture and shore up your program. This includes assistance in fulfilling the explicit requirement to conduct a documented risk assessment for your organization and developing mandated policies and procedures. Maintaining compliance is not just a best practice; it’s a requirement that contributes to keeping your business secure and ready in the face of auditors.

Content provided by Van Steel, Shareholder, and Anthony Lynch, Senior Security Consultant, LBMC Cybersecurity. Contact them at van.steel@lbmc.com and anthony.lynch@lbmc.com.

Hospitals Should Ban Meta Ray-Ban Smart Glasses

Published Tue, 09 Sep 2025 at https://www.lbmc.com/blog/meta-rayban-smart-glasses-hospital-ban/

Key Takeaways

  • Patient Trust Is on the Line: Meta Ray-Ban Smart Glasses can secretly record sensitive moments, putting privacy — and the trust patients place in their caregivers — at serious risk.
  • Everyday Tech Creates New Dangers: Unlike medical devices designed for healthcare, these glasses feed data into social media platforms, leaving hospitals vulnerable to leaks and security breaches.
  • A Clear Policy Protects Everyone: Banning smart glasses sends a strong message: hospitals are committed to protecting patient privacy, safety, and peace of mind.

Imagine a patient undergoing a deeply personal and vulnerable moment: receiving a life-altering diagnosis, giving birth, or recovering from surgery. Now imagine that same moment being unknowingly captured, recorded, or livestreamed by an employee or visitor wearing a pair of stylish Meta Ray-Ban smart glasses. A small white recording indicator. No red light. No shutter sound. Just a silent breach of one of the most sacred aspects of healthcare: trust. This is not a futuristic dilemma; it is today’s reality. As wearable technology becomes more discreet and powerful, healthcare facilities must respond swiftly. One urgent step? Banning Meta Ray-Ban smart glasses from hospitals.

These smart glasses are a collaboration between Facebook (“Meta”) and Ray-Ban, offering hands-free photo and video capture, livestreaming to social platforms, and an integrated AI assistant. While they may be novel for tech enthusiasts and social media creators, their presence in clinical environments introduces profound risks that healthcare organizations cannot afford to ignore.

A Clear Threat to Patient Privacy and HIPAA Compliance

Hospitals are legally and ethically obligated to protect patient privacy. The Health Insurance Portability and Accountability Act (HIPAA), while outdated, details clear rules about safeguarding protected health information (PHI), including verbal, written, and visual data. Meta smart glasses, with their inconspicuous camera and microphone, present a direct threat to this mandate. Unlike smartphones, digital cameras, or GoPros, which have clear screens and visible user intent, these glasses do not provide obvious cues to indicate they are recording. A patient or clinician might never realize they are being watched, or worse, streamed to an audience of followers in real-time.

Any inadvertent capture of PHI, whether a patient’s face, name on a chart, lab or scan results, or conversation about treatment, could trigger a HIPAA violation. And it wouldn’t just be the individual wearing the glasses at fault. Hospitals could face legal liability and significant fines if they fail to create a secure environment.

Disruption of the Clinical Environment

Smart glasses do more than just pose privacy risks; they erode the clinical integrity of healthcare settings. The presence of a wearable recording device in an exam room or ICU could change behavior, increase anxiety, and undermine trust.

Healthcare providers may feel hesitant to speak freely or conduct sensitive procedures. Patients may decline treatment or be less forthcoming out of fear that they are being recorded. Even if the glasses are not actively capturing content, their very presence can alter the patient-provider dynamic. The relationship depends on a sense of safety and confidentiality. Introducing a device with hidden surveillance capabilities, even if not intentional, compromises that very foundation.

Cybersecurity and Data Leakage Concerns

Meta Ray-Ban smart glasses are gateways into Meta’s data ecosystem. That ecosystem is not designed with HIPAA-level safeguards in mind. HIPAA requires third parties who access PHI to sign a Business Associate Agreement. However, Meta does not sign BAAs. They also have a history of not protecting protected health information (RE: BetterHelp Data Breach).

Without a BAA in place, Meta is not contractually obligated to safeguard a company’s PHI. These glasses can upload data directly to Meta’s servers, share content on Facebook or Instagram, or integrate with Meta AI. Hospitals have no control over how, where, or with whom that data is shared. Unlike regulated medical devices or enterprise-grade tools, Meta’s consumer wearables bypass IT governance and visibility entirely. These glasses leverage Bluetooth to connect to smartphones and transport the data through the cellular connection of the mobile device or the Wi-Fi it is currently connected to.

What if a patient’s photo ends up in a social media post? This is not a theoretical risk. It is a plausible cybersecurity event with real-world consequences. It wouldn’t be the first time that connected smart devices leaked sensitive information, either. Back in 2018, fitness tracking app Strava inadvertently gave away locations of secret US Army bases.

Legal and Reputational Exposure

Hospitals that permit the use of Meta smart glasses within their walls open themselves up to legal, regulatory, and reputational damage. One viral incident could shatter a facility’s public image and result in regulatory scrutiny. Even if the hospital itself is not directly responsible for the content, the public will not make those distinctions.

Implementing a ban now is not just a compliance checkbox; it is a reputational safeguard. It signals to patients and staff alike that the institution takes privacy seriously and is proactive in addressing emerging risks.

The Case for a Proactive Ban

Healthcare organizations must stay ahead of this and move decisively to prohibit Meta Ray-Ban smart glasses and similar wearable tech before a significant incident forces their hand.

The defense approach should include:

  • Policy Language: Explicitly prohibit the use of any wearable recording devices within clinical spaces by patients, visitors, and even staff unless approved for specific clinical purposes.
  • Signage and Communication: Post rules at entry points and in waiting rooms.
  • Training and Awareness: Educate staff on how to recognize smart glasses and how to address violations respectfully but firmly.
  • Visitor Screening: Encourage security or front-desk staff to ask about smart devices as part of standard screening.

Some may argue that enforcement will be difficult or inconsistent. But the alternative is far more dangerous. Even if a policy is not perfectly enforced, it sets the tone and expectations.

Addressing Common Objections

“They are just glasses. What is the harm?”

  • That is exactly the problem. Their inconspicuous nature makes them easy to misuse and hard to detect. The potential for covert recording is precisely what makes them dangerous in sensitive settings.

“Hospitals already deal with smartphones.”

  • Yes, but smartphones are more visible, easier to manage, and more clearly understood. Smart glasses are more subtle, more insidious, and harder to regulate without specific policy language.

“There could be clinical uses in the future.”

  • But that future would hopefully involve carefully vetted, hospital-owned medical devices with strict controls and compliance frameworks, not consumer-grade wearables directly linked to social media platforms.

Protecting Patients Means Saying No to Smart Glasses

Hospitals are safe places of healing, trust, and privacy. In a time when technology is evolving faster than regulation, healthcare organizations must lead by example. Banning Meta Ray-Ban smart glasses is not about being anti-technology. It is about being pro-patient, pro-privacy, and pro-safety. Healthcare leaders must act now, before patient trust is eroded, before a privacy incident goes viral, and before regulators come knocking. This is not the first time a technology company has attempted smart glasses, but adoption of these stylish ones is increasing rapidly because Meta and Ray-Ban have created a product people actually want to wear. They should not, however, be worn in hospitals.

LBMC is pleased to talk about how you can strengthen your organization’s cyber defenses. Contact us to learn more about the services our experts can provide to protect your company from potential cyber threats.

Content provided by LBMC Cybersecurity professional Garrett Zickgraf. He can be reached at garrett.zickgraf@lbmc.com.

LBMC Joins PECB for Enhanced Cybersecurity Training Courses

Published Wed, 03 Sep 2025 at https://www.lbmc.com/blog/pecb-cybersecurity-training-courses/

Key Takeaways

  • Cybersecurity training is no longer optional — it’s essential. The LBMC and PECB partnership delivers flexible, self-paced programs that help professionals strengthen skills and respond effectively to real-world cyber threats.
  • Courses are built for practical results. Participants gain hands-on knowledge in areas like risk assessment, incident response, and regulatory compliance, preparing them to lead cybersecurity improvements across their organizations.
  • Certified professionals fuel long-term resilience. With globally recognized credentials, they not only secure better career opportunities but also help companies boost compliance, protect assets, and build lasting trust in their security frameworks.

Cybersecurity threats are escalating across modern business environments, necessitating more skilled professionals within various industries. Threat actors are scaling faster than potential solutions that can protect organizations. Professional skills are at a premium and better technology will only widen the gap. Recognizing this critical need, LBMC forged a partnership with PECB, a global leader in professional certification, to offer comprehensive cybersecurity training courses across North America. The collaboration looks to push organizations towards a more fortified cybersecurity stance, equipping them with the right tools and knowledge crucial to enforce their cybersecurity frameworks and ensure consistent compliance. 

Regulatory standards are changing, and secure digital environments give business leaders peace of mind. The partnership builds a roster of high-quality training programs for every business size, giving professionals the skills to identify vulnerabilities, implement robust security measures, and respond to cyber incidents, wherever in North America they operate.

Building Better Access to Cybersecurity Training

The partnership between LBMC and PECB significantly broadens the availability of cybersecurity training. LBMC brings hands-on expertise through its network of cybersecurity professionals, helping organizations address real-world challenges. PECB, on the other hand, provides certification expertise, creating a more accessible, high-quality cybersecurity training regimen. Organizations benefit from the opportunity to upskill their workforce, especially in response to the growing sophistication of cyber threats. 

The training programs cover information security management systems (ISMS) and related disciplines, including risk assessment and incident response frameworks. Participants gain knowledge that translates directly into a stronger cybersecurity posture within their organizations. Courses are designed to support both foundational learners and experienced professionals looking to refine their expertise, and every course builds toward practical application and measurable outcomes.

Flexible learning options include in-person, hybrid, and online formats to meet varying professional demands. Professionals can complete training without compromising existing business operations or responsibilities. Learning formats support retention, accessibility, and application across sectors. 

Professionals who complete the training programs can, in turn, lead their organizations toward a better cybersecurity posture. Teams become more resilient in detecting and managing threats. Cybersecurity becomes embedded in day-to-day operations as knowledge spreads across departments, and risk management improves through a deeper understanding of cyber hygiene and defense.

Training Toward Industry Standards and Best Practices

Training programs within the LBMC and PECB partnership align with globally accepted standards. Grounding the material in standards and frameworks such as ISO/IEC 27001 and the NIST frameworks ensures its credibility and applicability. Course content prepares participants to evaluate security measures against known benchmarks.

Participants learn how to apply standard-driven approaches to their unique organizational contexts. Benchmarking becomes a strategic advantage when paired with knowledgeable leadership. Adherence to international best practices signals organizational maturity to clients, regulators, and partners. Confidence in internal systems grows with each layer of reinforced practice.

Cybersecurity programs also foster a culture of accountability and continuous improvement. Participants learn to evaluate existing security processes regularly for inefficiencies and outdated practices. Leaders receive support in adopting scalable improvements that respond to threat intelligence. Security becomes a shared objective across all levels of an organization.

Professionals also gain clarity about their role. Clear expectations support stronger governance and compliance execution, giving organizations greater control over regulatory exposure and their threat surface. Risk assessments become more precise when grounded in the frameworks covered throughout the training programs.

Empowering Professionals Through Cybersecurity Certification

Certifications validate field expertise and commitment to excellence within the cybersecurity space. Holding a PECB certification signals credibility to peers and employers and demonstrates recognized technical leadership in cybersecurity initiatives.

Certified professionals enjoy access to career opportunities involving leadership, strategy, and high-impact technical roles. Organizations often prefer to staff mission-critical roles with employees who have the right certifications and similar qualifications. Certification can also lead to greater organizational investment in cybersecurity programs. Talented employees often become drivers of organizational improvement when properly supported.

Credentials earned through the LBMC and PECB partnership reflect rigorous training and practical capability. Standardized certifications contribute to clearly defined cybersecurity career paths. Job descriptions align more easily with recognized qualifications, improving hiring and development strategies. Professionals gain a clearer understanding of advancement opportunities. Organizations build succession plans with confidence using certified staff as key contributors.

Supporting Organizational Resilience and Compliance

Training equips employees in cybersecurity management, allowing teams to be more confident in identifying early warning signs and responding to active risks. Operational continuity improves with greater awareness and preparedness.

Compliance becomes more achievable when professionals understand both regulatory expectations and how to meet them. Training provides clarity around evolving requirements such as HIPAA, GDPR, and CMMC. Organizations reduce risk by staying ahead of audit and reporting obligations.

Workplace culture improves when cybersecurity is viewed as a shared responsibility. Employees at all levels become active participants in risk mitigation efforts. Employees contribute meaningfully to overall compliance initiatives when properly trained.

Training outcomes extend beyond technical improvements to include business-wide resilience and adaptability. Leaders are able to plan, budget, and execute cybersecurity strategy with measurable returns. Trust in operations grows with demonstrated commitment to security and compliance.

Maximize Your Cybersecurity Training With the Right Partnership

Modern cybersecurity threats demand an informed and certified workforce that is ready to lead resilience efforts across industries. The LBMC and PECB partnership delivers high-impact training aligned with industry standards and designed for practical implementation. Organizations and professionals gain access to the knowledge, skills, and certifications required to protect assets and meet compliance demands. Learn more about how these training opportunities can benefit your business by visiting LBMC’s Cybersecurity Trainings.

Content provided by Brian Willis, Shareholder, LBMC Cybersecurity.
