Daily Archives: December 2, 2019

Webcast: Group Policies That Kill Kill Chains

On this webcast, we’ll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase security posture.

Download slides: https://www.activecountermeasures.com/presentations/

  • 0:45 Introducing what a kill chain is and general background you need for this webcast
  • 15:53 Getting into group policies, best practices, group policies that we’re not covering […]

The post Webcast: Group Policies That Kill Kill Chains appeared first on Black Hills Information Security.

IDG Contributor Network: What is the California Consumer Privacy Act of 2018? Influencers in the know break down the details

It was only a matter of time before the US created its own version of the EU’s General Data Protection Regulation (GDPR). However, unlike the EU, which addresses digital privacy protection on a national level, the US is handling online privacy on the state level. California has led the charge with the California Consumer Privacy Act (CCPA), which was passed into law in 2018.

3 main takeaways from the California Consumer Privacy Act of 2018

CCPA is designed with consumers in mind and gives California residents some of the strongest online privacy protections in the country. Here are three main takeaways of the California Consumer Privacy Act of 2018:

How to document the scope of your ISMS

If you’re planning to implement an ISMS (information security management system), you’ll need to document the scope of your project – or, in other words, define what information needs to be protected.

There will almost certainly be more information and more locations where information is kept than you initially think of, so it’s essential that you take the time to scope your organisation. However, this involves more than simply identifying the data stored on your systems.

Benefits of defining the scope of your ISMS

Organisations that define the scope of their ISMS will have a much better understanding of their information security environment – where their data resides, where their data is safe, what format the data is held in, and so on.

Knowing this helps you complete information security audits, particularly when it comes to understanding how to approach specific risks and which controls are most suitable.

Similarly, by defining the scope of their ISMS, organisations also define what’s out of scope. Having a firm grasp of what doesn’t need to be addressed provides assurances that key parts of the business aren’t being overlooked.

For example, you might identify a third-party data processor that collects information on your behalf – like a payroll service.

You will probably have a contractual agreement with the third party outlining mandatory information security controls, but you have no control over how these are operated, so you can’t consider it within your scope.

You should instead document the organisation and its processing under Annex A control A.15 – supplier relationships.

Defining your scope

There are three steps to defining the scope of your ISMS. First, you need to identify every location where information is stored.

This includes physical and digital files, the latter of which might be kept locally or in the Cloud.

Second, you need to identify the ways in which information can be accessed. Any entry point, be it a drawer full of files or an employee’s work-issued laptop, should be noted.

Third, you need to determine what is out of scope. These are elements that your organisation either has no control over (such as third-party products) or that don’t give access to or house sensitive information.

For example, your organisation’s foyer probably won’t need security controls. If for some reason you do keep sensitive information there, it would be worth relocating it to put the foyer out of scope.

A well-defined scope ensures that every area of your organisation receives adequate attention when it comes to implementing security controls.

Documenting your scope is also a requirement of ISO 27001, the international standard that describes best practices for an ISMS.

What should the ISO 27001 scoping document look like?

Organisations often get tripped up by how to document the scope of their ISMS, either guessing or spending an inordinate amount of time researching how much detail to go into and the best way to lay out the information.

However, you can avoid that hassle by using our ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners and enhanced by more than ten years of customer feedback and continual improvement, it contains a customisable scope statement as well as templates for every document you need to implement an effective ISMS and comply with the Standard.

Our customisable scope statement takes the hassle out of documenting ISO 27001 compliance.

The toolkit contains:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

A version of this blog was originally published on 24 May 2018.

The post How to document the scope of your ISMS appeared first on IT Governance UK Blog.

Three Consequences of a Misaddressed Email

Article by Andrea Babbs, UK General Manager, VIPRE SafeSend

With the number and sophistication of cyber attacks increasing significantly, organisations have had to become aware of and adapt to new and evolving digital threats. Yet many would still consider the simple error of sending an email to the wrong contact trivial, at most embarrassing, but not of concern when it comes to data security. However, misaddressed emails have far-reaching consequences that can seriously impact an organisation, especially in highly regulated industries such as healthcare and finance. From fines to data breaches, what are the potential ramifications of sending an email to the wrong address?

Reputational and Financial Damage

While accidentally dialling a wrong number can be a little embarrassing, the same cannot be said for sending an email to the wrong contact. You could try to correct the error with a follow-up email to apologise and request that the recipient delete the message, but even if you’ve spotted the error it’s often too late. Moreover, the misuse of CC and BCC functions could expose your entire contact database, potentially giving your competitors an opportunity to lure your customers or employees away, or worse – exposing customer emails to potential hackers.

BitMEX, one of the world’s largest cryptocurrency trading platforms, accidentally leaked thousands of private customer email addresses when it sent out a mass mailshot without using the BCC function. While the company maintains that customer privacy remains a top priority, its customers were left wondering how they could trust BitMEX with huge personal assets in the aftermath of this data protection failure.

A similar incident in 2018 led to the Independent Inquiry into Child Sexual Abuse (IICSA) being fined £200,000 by the Information Commissioner’s Office (ICO) for failing to protect the identity of possible victims of child abuse after a human error accidentally exposed victim identities to third parties, when they included their email addresses in the ‘To’ rather than ‘BCC’ field. In the age of increased data protection regulations, this example demonstrates just how seriously the ICO takes these types of data breaches. The pain of embarrassment from sending an email to the wrong contact pales in comparison to the business pain from financial penalties.

Intellectual Property Loss

Should confidential corporate information fall into the wrong hands, the consequences could be devastating. Crucial company information such as trade secrets or blueprints of an unpatented new product leaking into the public domain could easily be intercepted by the competition, resulting in a lost competitive advantage.

All it takes is a simple missed or added character in the email address, autocorrect taking over, or simply pressing send too soon and the information that was once confidential is sitting in the wrong inbox. It could be that of an unknown individual, competitor, or even a cyber-criminal.

In 2018, Commonwealth Bank staff inadvertently sent 651 emails to an overseas company as they forgot to include ‘.au’ at the end of the domain that should have read ‘cba.com.au’. This data leak occurred over a long period without anyone noticing, so could have potentially exposed sensitive company data or private customer information to competitors, putting the company at serious risk. However, luckily on this occasion, the company confirmed that no customer data had been compromised.

Data Breach

The ICO found that misaddressed emails are the largest source of data loss for organisations – over 269 billion emails are sent around the world each day. Gone are the days when employees operated from a single office-based computer; the modern workforce is now working from potentially several locations across a number of devices. Combine this with increasing pressures on staff juggling deadlines and deliverables to perform better and faster, and it’s no surprise that most don’t spend time verifying the accuracy of the email address they are about to send confidential information to – no organisation is immune to human error.

Hackers can capitalise on this complacent email culture by cleverly disguising emails to look like they are coming from inside the company when they actually come from a similar spoofed domain name that the employee would probably fail to spot at first glance. This potentially opens the organisation up to a devastating hacking, malware or ransomware attack, and is a clear reason why Business Email Compromise (BEC) scams continue to be popular with cybercriminals.

Conclusion

The ramifications of misaddressed emails go far beyond just an embarrassing mishap – the threat that comes from accidental data leakage can be just as damaging as the external threat of cybercrime, especially as these leaks often go unnoticed for a period of time. Businesses need a clear strategy to address the issue of misaddressed emails and mitigate the associated risks to remain compliant and secure. What is required is a tool that prompts users for a double-check of their email based on set parameters, who it is being sent to, the contents and attachments. But this isn’t about adding time or delay to employees that are already under pressure – it’s about increasing awareness and improving email culture where mistakes can so easily be made.