Hochul proposes more funding for state’s cybersecurity efforts

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

ALBANY, N.Y. — Efforts to support cybersecurity enhancements across New York state may get a funding boost in 2023. Gov. Kathy Hochul on Jan. 10 proposed $35.2 million in new funding as part of her State of the State address. The enhancements include the expansion of shared services to local governments that help identify security […]

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

ALBANY, N.Y. — Efforts to support cybersecurity enhancements across New York state may get a funding boost in 2023.

Gov. Kathy Hochul on Jan. 10 proposed $35.2 million in new funding as part of her State of the State address.

The enhancements include the expansion of shared services to local governments that help identify security gaps that could be “exploited by an adversary,” Hochul’s office said. The effort is building upon the legislation that Hochul recently signed to protect against cyberthreats to the state’s energy grid.

The New York State Division of Homeland Security and Emergency Services (DHSES) will also establish an industrial control system (ICS) assessment team to help protect critical infrastructure and manufacturing systems across the state and make those systems more resilient to cyberattacks.

“The frequency, magnitude, and impact of cyber-attacks have increased, but we will continue to take bold measures to secure and protect New York’s critical infrastructure,” Hochul contended. “The Industrial Control Systems assessment team, coupled with record investments, will support physical security and cybersecurity assessment programs to help facilities improve their cybersecurity posture, creating a safer and more secure Empire State.”

The $35.2 million increase would build upon Hochul’s nearly $62 million cybersecurity spending in the fiscal year (FY) 2023 budget, her office noted.

New York’s finance, energy, transportation, health care, semiconductor, and other industry sectors makes the state “a target” for cyberattacks and other cyber threats, and the “frequency, magnitude, and impact of these events continue to increase,” the governor notes. Ransomware attacks — in which hackers hold data and systems hostage — rose 13 percent nationwide in 2021. Since 2017, more than 3,600 state, local, and tribal governments across the country have been attacked, Hochul’s office said.

The DHSES’ Office of Counterterrorism will create the industrial control systems (ICS) assessment team to better protect residents from cyberattacks and their effects. Working with the agency’s physical security and cybersecurity-assessment programs, the team will help energy, transportation, manufacturing, and other infrastructure systems to “improve their overall security posture” and make their industrial control systems more resilient to cyberattacks.

“As the threats to our digital infrastructure continue to evolve and grow in sophistication, it is more important than ever that we invest in the resources to protect New Yorkers from cyber threats,” Colin Ahern, New York’s chief cyber officer, said.

The proposed funding will also support the provision of cybersecurity services to county and local governments in FY 2024 and beyond, building upon the creation of the first New York State Joint Security Operations Center (JSOC).

These shared services help county and local governments assess and remedy gaps in their cyber defenses. The shared services complement the state’s ongoing efforts to build a “common picture” of cyber threats shared by cybersecurity teams from federal, state, city and county governments; publicly and privately owned critical infrastructure; and state agencies including the Division of Homeland Security and Emergency Services, Office of Information Technology Services, New York State Police, and others, Hochul’s office said.

“These historic investments in cybersecurity advanced by Governor Hochul will build on the progress we made in the last year establishing JSOC and implementing effective endpoint detection technology for awareness and action, and is consistent with our whole of state approach, where the state and local governments face down these challenges together,” New York State Chief Information Officer Angelo (Tony) Riddick said.

VIEWPOINT: Health Care and Cybersecurity CIRCIA’s Potential Effect on Health-Care Entities

Business Mentors, Health Care, Subscriber Only, Technology

Welcome to 2023. As in 2022, we are likely to see continuing escalation of cyber-intrusion threats to health-care entities and their data. Health-care data breach already is far from a trivial matter. According to one expert, there have been more than 4,400 breaches during the span of 2009 to 2021 — involving 500 or more

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Welcome to 2023. As in 2022, we are likely to see continuing escalation of cyber-intrusion threats to health-care entities and their data.

Health-care data breach already is far from a trivial matter. According to one expert, there have been more than 4,400 breaches during the span of 2009 to 2021 — involving 500 or more records and the disclosure of health-care records topping 300 million in number.

At Bond, we will be tracking how our federal cybersecurity structure changes and adapts to these increased risks, what that means for health-care providers and the regulations that apply to them, and how these changes aim to protect health-care data integrity.

In March 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. Covered entities under CIRCIA include some health-care organizations . As part of its rulemaking process, CISA issued a request for information last fall intended to inform its development of regulations that fundamentally may change the regulatory landscape. Review of the request for information is underway — and the implications of the results could be vast.

At a high level, CIRCIA ups the ante by indicating companies operating in the health-care space and in other “critical infrastructure” sectors report cyber incidents within 72 hours — and ransomware payments within 24 hours. In addition, by CIRCIA giving CISA the authority to develop those regulations, CISA may potentially include further compliance requirements beyond what is currently required of health-care entities. This important rulemaking development will continue throughout 2023, but it will not be implemented until after CISA’s rulemaking becomes final.

How does CIRCIA mesh with HIPAA and the various reporting requirements within that law? For instance, although CIRCIA seems to provide some allowance for avoidance of duplicative reporting if there already is a functionally similar reporting requirement in place (e.g., HIPAA), it may end up that the existing reporting requirements under HIPAA, (e.g., concerning breach notification, as enforced by the HHS Office for Civil Rights), will fall below the bar and CIRCIA will require more. CISA will have a lot of say on that, and this is the first major rulemaking that this relatively new agency is taking on.

The public comments that were submitted on CIRCIA by health-care entities are particularly telling. Organizations spell out concerns about duplication and unnecessary confusion — a number stressed the importance of cleanly implementing the CIRCIA provision that precludes CISA from requiring duplicative reporting (see CIRCIA at Section 2242(a)(5)(B)). Others emphasized that required reporting only should comprise data absolutely necessary for governmental operations, so as to protect data integrity wherever possible and to, where necessary, allow ongoing “ransom” negotiations to continue out of the limelight when that benefits data-retrieval efforts.

As CISA develops CIRCIA regulations during 2023, Bond will be watching closely. In the meantime, we encourage readers to avail themselves of useful health-care cybersecurity resources, including those of the “405(d)” task group (of which this author is a member). And for those readers in New York state, the New York Healthcare Cyber Alliance (which this author co-chairs) continues its work of linking health-care delivery organizations to the resources that can improve their cyber posture.

Gabriel S. Oberfield, Esq., M.S.J. is a senior counsel in the New York City office of Syracuse–based Bond, Schoeneck & King, PLLC. As an experienced health-care attorney with health-care management expertise, Oberfield guides C-suite leaders on matters ranging from regulatory and legislative affairs to strategic planning, as well as legal issues affecting their organizations. This article is drawn and edited from the law firm’s Cybersecurity and Data Privacy Information Memo.

Dannible senior audit manager earns information systems auditor credential

Employee Benefits & Human Resources, Law, Accounting & Taxes, People on the Move, Subscriber Only, Technology

SYRACUSE, N.Y. — Dannible & McKee, LLP — a certified public accounting and consulting firm with offices in Syracuse, Auburn, Binghamton, and Schenectady — recently announced that Kevin M. Didio, CPA has earned the certified information systems auditor (CISA) credential from the Information Systems Audit and Control Association (ISACA). The CISA certification is a globally

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

The CISA certification is a globally recognized standard for information-systems audit control, assurance, and security professionals. The designation showcases an individual’s audit experience, skills and knowledge, and demonstrates expertise in assessing vulnerabilities, reporting on compliance, and instituting controls in an enterprise environment, according to a Dannible & McKee release. To receive a CISA certification, candidates must pass a comprehensive exam and satisfy industry work-experience requirements.

Didio, a senior audit manager at Dannible & McKee, has more than 10 years of experience in accounting, assurance, and advisory experience — providing services to both private and publicly held domestic and foreign companies. He is responsible for planning and managing multiple engagement teams through the performance of audits, reviews, and compilations for the firm’s clients. With his CISA certification, Didio will focus on strengthening internal controls for clients in a variety of industries and implementing comprehensive risk management across their full technology infrastructure, Dannible & McKee said.

Didio graduated from Ithaca College in 2011 with a bachelor’s degree in accounting. He earned a master’s degree in professional accounting from Syracuse University in 2012.

Founded in 1969, the nonprofit, independent ISACA advocates for professionals involved in information security, assurance, risk management, and governance. The association has 225 chapters worldwide.

Dannible & McKee offers audit, tax, accounting, and financial management advisory services to clients nationwide. The firm says it focuses on major industry lines and specializes in multi-state taxation review, business valuation, litigation support, and fraud prevention and detection.

Syracuse University Athletics announces sponsorship agreement with Hidden Level

Health Care, Nonprofits, Small Business, Sports, Entertainment & Tourism, Technology

SYRACUSE, N.Y. — Syracuse University Athletics on Wednesday announced a multi-year sponsorship agreement with Hidden Level, a Syracuse–based firm that provides an airspace-monitoring service. The

Avoid cybersecurity risks during tax season

Business Mentors, Law, Accounting & Taxes, Subscriber Only, Technology

“Tax season is really just another opportunity for the bad guys,” says Michael Polce, CEO of M.A. Polce Consulting in Rome. Businesses need to be proactive all year, but especially during tax season when the scammers ramp up activity. “All the rules still apply,” he says, but awareness should be enhanced this time of year.

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Be skeptical of things you receive via email, text, and sometimes even by regular mail, says Emily Mosack, a security consultant with FoxPointe Solutions at The Bonadio Group, which is based in Rochester and has offices across Upstate, including Syracuse.

“That’s an easy way for people to get scammed,” Mosack says. In particular, be wary of anything received via email, text, or even a phone call saying it’s from the IRS. When the IRS does actually reach out, it’s through regular mail, she adds.

Unfortunately, people are more likely to fall for things when it’s about taxes, Mosack says, and the scammers to pick up on it being tax season. “It’s one of the highest times of the year for scammers,” she says.

Tax-related identity theft is a huge cyber issue, Polce says. That’s when cybercriminals gain access to enough of your information and file a tax return in your business name, or even personal taxes in your name. They can file taxes showing a refund due and have that money sent directly to their account, he explains.

Victims typically find out when they go to file their actual taxes and the IRS rejects them with a notice that they’ve already been filed.

The easiest way to safeguard this from happening is to request a Personal Identification Number (PIN) from the IRS. “It’s like two-factor authentication,” Polce says. That way, no one is able to file anything without that PIN. Speaking of multi-factor authentication, Polce adds, it’s still one of the best components of a good cybersecurity policy.

He also recommends never emailing any type of sensitive information without encryption. Even better is if that information can be conveyed in person, Mosack says.

She suggests a few other steps to help keep things secure including having a corporate password policy for all accounts and advising all employees to never use public Wi-Fi when doing secure work.

Advise employees to never click links in emails. “If you think you’re receiving a scam email or even if you’re unsure, you should send it to the IT department,” Mosack adds.

Training for all employees from the CEO and CFO on down is also important, Polce notes. Often the highest-ranking employees are the biggest targets for scammers, so everyone needs to receive security-awareness training, he adds.

Aside from the usual steps like multi-factor authentication and strong passwords, Polce says that if something just doesn’t seem right, trust your gut. If you aren’t sure the callers are actually from where they say they are — your bank or your accounting firm, for example — simply hang up and call the business back directly, he says. “We have to be on guard these days more than ever before.”

Mosack agrees and adds that the consequences of being careless can be significant. Along with losing money, businesses that get hacked also risk exposing their clients’ information. “It’s not just a business,” she says. “Now, it’s everyone else who was involved with that business.”

It’s truly a case where the best defense is a good offense. “Just being aware is the best thing,” Mosack says.

VIEWPOINT: This year resolve to improve your cybersecurity

Business Mentors, Subscriber Only, Technology

While keeping New Year’s resolutions can prove to be challenging, there is one resolution worth focusing on, and that is improving your organization’s cybersecurity. The new year is a perfect time to clear out the clutter in your company’s digital house and start new habits that will protect your business data and information. Cyberthreats are

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

While keeping New Year’s resolutions can prove to be challenging, there is one resolution worth focusing on, and that is improving your organization’s cybersecurity.

The new year is a perfect time to clear out the clutter in your company’s digital house and start new habits that will protect your business data and information. Cyberthreats are ever-present, and criminals adjust to new security protocols, which means that constant vigilance is necessary.

Here are some steps you can take in your resolve to be cyber-safe in 2023.

Improve your passwords by creating ones that are unique and strong. Don’t reuse official business-account passwords or individual staff passwords across multiple sites and software program. And never use the same password for personal and business purposes. If there’s a breach at one, your other accounts become vulnerable. By “unique,” we’re talking about the dictionary definition of the word — meaning, one and only, not the more relaxed definition of “unusual.” In addition to being unique, passwords should be strong, using a mix of UPPER-CASE and lower-case letters, numbers, and characters.

Be critical of links. One area that cybercriminals have become adept is at phishing emails — they are everywhere, becoming more sophisticated, and targeting individual employees. Remind your team to exercise caution when clicking links in emails and examine them carefully. Does the tone of the email sound off? Be particularly attentive to any communications saying they are from a banking institution or accounts-payable vendor. Your bank will never ask you to disclose information, such as your account information or passwords. If something seems suspect, make sure your employees know to notify you immediately, so that you can report it to your financial institution.

Enable multi-factor authentication (MFA) wherever and whenever possible. MFA is one of the best available tools to prevent fraud and protect your accounts — when it’s used properly. By setting up MFA on your organization’s accounts, you add an extra layer of protection against unauthorized access. When you log in, the account sends an additional code, typically to your cell phone or your employee’s cell phone. You enter this code when prompted, and the login isn’t completed until the code is verified. This means that code is the key to accessing your organization’s accounts, so it’s critical that your employees know that they must never provide it to anyone — and no one from your financial institution will ever ask you to provide this code to them over the phone. If you receive a code that you didn’t initiate by logging in, or if you receive a phone call from someone requesting your MFA code, these are warning signs that someone is attempting an unauthorized login, and you should change your password.

Work improved security into your everyday activities. This step might require a change in your organization’s normal routine, and as a habit change, the key is being consistent about the changes so that they stick. At work, when employees leave their desks, make sure they know to lock their computer workstations. Do the same with other electronic devices, such as smartphones and tablets. Don’t leave papers with account numbers out where they can be accessed, at work or at home. Protect paperwork with sensitive data — anything with a Social Security number, a bank account number, or login details should be tucked away, out of sight and secured. This includes having confidential information visible in the background during video calls. Invest in a shredder for your office as well as for home use — or if sensitive paperwork has piled up, check with your financial institution to see if it sponsors safe shredding events.

Being aware of the changing face of cybersecurity threats is only half the battle. All of us need to take steps to stay ahead of online threats at work and at home. By implementing these new habits in your organization and in your personal life, you can begin the year with more-secure accounts and reduce the risk of becoming a victim of cybercrime.

Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyberthreats.

Utica University board, faculty clash over recommendation to eliminate majors

Construction, Design & Real Estate, Employee Benefits & Human Resources, Health Care, Law, Accounting & Taxes, New York News, Nonprofits, Regional News

UTICA, N.Y. — A recent recommendation by Utica University President Laura Casamento to eliminate 15 majors at the university and modify several others has sparked

OPINION: Judicial Nomination Turned Into Another Albany Fiasco

Opinion, Subscriber Only

As in so many instances in Albany, basic, fundamental democratic processes are frustrated by political agendas and needless dysfunction. This unfortunate reality is again playing out as Judge Hector LaSalle, Gov. Kathy Hochul’s choice to lead the Court of Appeals, was summarily dismissed as a candidate, despite enormous support from lawmakers and legal experts across

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

[Recently], Judge LaSalle was forced to endure an hours-long Senate Judiciary Committee hearing with an outcome decided before he even sat down to answer a single question. Weeks before the hearing, several senators had already publicly stated they would not support Judge LaSalle before speaking with him, interviewing him, or hosting a nomination hearing. LaSalle deserved an objective and fair process but was instead forced to participate in a political sideshow.

After Judge LaSalle’s nomination was announced, Senate Democrats arbitrarily changed the composition of the Judiciary Committee. What had been a 15-member committee was expanded to 19 members, allowing for more LaSalle opponents to be added. Essentially, the deck was stacked against him before he had a chance to discuss his career, accomplishments, and judicial decisions. The chief judge of the Court of Appeals is an important position at the top of the judicial branch of our state government. The nominee is not a political pawn, nor should the vote to confirm such a nominee be used to advance a particular agenda. The nominee should be judged on his or her merits — nothing else.

The future of Judge LaSalle’s nomination is now uncertain. Gov. Hochul has stated that she is exploring options, which includes the possibility of taking legal action against the Senate majority. Without question, what happens next will be a significant moment for state government and the direction in which New York is headed.

The decision to obstruct Judge LaSalle’s nomination is a textbook example of the one-party dysfunction that has hindered New York. Judge LaSalle has earned a reputation as a fair, effective jurist. His distinguished career earned him the nomination and the hearing. It is a shame a small faction in the Senate majority has ignored his qualifications while it continues to pull New York further from rational, reasonable policy.

The people of New York deserve a government that works, and what we are seeing here is evidence some lawmakers are more concerned with making a statement than making New York a better, safer place. Mainline New York Democrats must look in the mirror and ask themselves what is more important, picking the best candidate for the job or letting their party continue to be highjacked by woke extremists.

William (Will) A. Barclay, 53, Republican, is the New York Assembly minority leader and represents the 120th New York Assembly District, which encompasses all of Oswego County, as well as parts of Jefferson and Cayuga counties.

OPINION: House dysfunction is cause for alarm

Opinion, Subscriber Only

Like many Americans, I watched with dismay [in early January] as the U.S. House of Representatives struggled through 15 votes over four days to select a new speaker. The sense of dysfunction was remarkable. Anyone watching might well have wondered about our ability to govern ourselves. For a week, there was no speaker to call

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

For a week, there was no speaker to call the House to order. Elected members couldn’t take the oath of office and start conducting business. One house of the Congress was effectively AWOL. Finally, Rep. Kevin McCarthy, R–California, secured enough votes to become Speaker of the House. But the chaos and divisions do not bode well for his leadership.

I served in the House for 34 years, and I never witnessed anything like this. In fact, it had been 100 years since the House majority took more than one vote to select a speaker. The last time it took more than 15 votes was in 1859, when Congress and America were bitterly divided on the eve of the Civil War.

Reportedly, McCarthy won only after granting concessions to hard-right conservatives who demanded rules changes and committee assignments to amplify their power. That’s a dangerous posture for our system of government, when an extreme minority can effectively dictate terms to the majority.

It also makes it less likely the House will compromise with the Democratic-controlled Senate to pass legislation. Government shutdowns may be looming when must-pass spending bills come due. It may be difficult, later this year, for Congress to raise the federal debt limit and prevent a default on U.S. financial obligations.

It would be bad enough if the deadlock over House leadership were the only sign that our democracy is fragile, but it’s not. There’s also the fact that Trump refused to recognize the results of the 2020 election, and that many Americans still believe that it was rigged.

These blows to our system accumulate. According to the Economist Intelligence Unit annual democracy index, the United States has been a “flawed democracy,” not a full democracy, for several years. It cites Trump’s election denial, the nation’s “extremely low levels of trust in institutions and political parties,” and “deep dysfunction in the functioning of government” as reasons for the mediocre rating.

Some of this reflects the politics of the day. We Americans have become increasingly partisan and suspicious of each other. Republicans and Democrats seem to inhabit different universes. Gerrymandered election districts and partisan media outlets have pushed elected officials to the extremes.

Today, an occasional display of bipartisanship can seem almost poignant, as when Biden and Senate Republican leader Mitch McConnell traveled to Kentucky this month to celebrate infrastructure funding.

Partisanship isn’t always bad, of course. In our two-party system, it’s part of how government works. But it can be overdone to the point where it brings the whole enterprise to a halt. Political parties should compete for power but compromise when needed for the good of the nation.

We Americans are deeply fortunate. Our nation’s founders devised a system of government that has served us well for more than 200 years. But it isn’t written in the stars that the U.S. will always prosper, or even exist as a democratic republic. Maintaining a functioning democracy is a big challenge, and it’s up to all of us to ensure our representatives perform their job seriously and make the system work.

Lee Hamilton, 91, is a senior advisor for the Indiana University (IU) Center on Representative Government, distinguished scholar at the IU Hamilton Lugar School of Global and International Studies, and professor of practice at the IU O’Neill School of Public and Environmental Affairs. Hamilton, a Democrat, was a member of the U.S. House of Representatives for 34 years (1965-1999), representing a district in south-central Indiana.

MEGHAN K. BANKOWSKI

People on the Move, Subscriber Only

MEGHAN K. BANKOWSKI, CPA has been admitted into the partnership at Fust Charles Chambers LLP, a certified public accounting firm in Syracuse. She is a partner in the firm’s audit department and within the firm’s health-care consulting company, Microscope. Bankowski has more than 15 years of experience providing accounting, audit, and advisory services to many

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

Get our email updates

What's New

Upcoming Events

Project Homecoming Job & Career Fair 2025

Annual Nonprofit Conference 2026

2026 CenterState CEO Economic Forecast Breakfast

CNYBJ Job Board

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get our email updates