Category Archives: Risk Management

Yearly hidden costs of managing vendor risk? $3.8 million per healthcare provider

The inability to adequately assess and understand the risks that vendors pose is becoming incredibly costly to healthcare providers, according to a new report by Censinet and the Ponemon Institute. According to the research, the yearly hidden costs of managing vendor risk is $3.8 million per healthcare provider, far surpassing the $2.9 million that each data breach costs providers. The cost across the healthcare industry is $23.7 billion per year. The research also indicates that … More

The post Yearly hidden costs of managing vendor risk? $3.8 million per healthcare provider appeared first on Help Net Security.

Organizations expect to boost their cybersecurity investments by 34%

Annual losses from cyberattacks averaged $4.7 million in the last fiscal year — with more than one in 10 firms losing over $10 million —according to a new report from ESI ThoughtLab in conjunction with Willis Towers Watson and other organizations specialized in cybersecurity and risk management. The study covered 467 firms across multiple industries in 17 countries revealing that companies worldwide expect to boost their cybersecurity investments by 34% in the next fiscal year, … More

The post Organizations expect to boost their cybersecurity investments by 34% appeared first on Help Net Security.

BH Consulting in the media: supply chain security still a concern

The Huawei controversy has raised fundamental questions around supply chain security, Brian Honan has told Infosecurity Magazine. In a video interview recorded at Infosecurity Europe 2019 conference in London, BH Consulting’s CEO said the issue of technology containing alleged backdoors to enable spying has led to “interesting conversations” in the security community.

The question boils down to whether it’s possible to build secure systems if there’s no trust in the technology platform they’re built upon, Brian said. “Unless we actually build something ourselves from absolute scratch, we are relying on third parties, and how much trust can we give to those third parties? So the bigger issue becomes: how you secure your supply chain?”

For security professionals, securing their company’s supply chain needs a more rigorous due diligence process than asking vendors whether they have antivirus software on their PCs. It’s about “asking the right questions into the right levels, and digging deep into the technology, depending on what your requirements are,” Brian said.

Huawei to the danger zone

Noting the accusations that Huawei technology has security bugs, Brian said that the same is true of products from many other places including the US, UK or Europe. “There’s no such thing as 100% secure systems. Take the Intel chips that we have in all our servers: they have security bugs in them,” he said.

Emphasising that he wasn’t trying to defend Huawei, Brian said: “A lot of what we’re reading in the press and the media, there’s nothing to substantiate the claims behind it.” The larger question about whether any bugs are accidental, or deliberately placed backdoors that allow Government-level spying, is “outside the remit of our industry,” he said.

The chain

Even if a security professional decided not to use a certain brand of equipment in their network, there’s a question of what happens when their information travels elsewhere within their company’s external supply chain, or through its internet service provider. Instead, infosec professionals should focus on protecting information at rest or in transit, since the early internet engineers designed it to share information, not keep it secret. “We have been trying to build security on top of a very unsafe foundation. We need to look at ways of how we keep our data safe, no matter where it goes or how far it travels,” Brian said.

As for what’s next in security, Brian said regulations will stay at the forefront over the next year. “GDPR isn’t over. GDPR is the evolution of data protection laws that we had already… the regulations are still being enforced. We still have to continue looking after GDPR.”  Some of the earliest court cases relating to GDPR are due to conclude soon, with potentially large fines for offenders. He also said Brexit is “the elephant in the room”, given how it could affect the way that European companies deal with UK businesses, and vice versa.

Toys in the attic

The ePrivacy Regulation (ePR) will have a huge say in how companies embed cookies on their websites and how they communicate and market to customers. Regulations like the EU Cybersecurity Act look set to impose rules on IoT or ‘smart’ devices. Their security – or lack of it – has long been a thorny issue. Brian recently commented on this issue in an article for the Irish Times about smart toys and we’ve also blogged about it before on Security Watch.

Summing up the likely short-term developments in security, Brian said: “A lot of things in the next 12-24 months are going to have a big impact on our industry, and it’s where the regulators are going to play catch-up on the technology. It’s going to be interesting to see how those two worlds collide.” You can watch the 15-minute video here (free, but sign-in required).

Panel discussion at Infosecurity Europe 2019. From left: Peter Brown, Group Manager Technology Policy, UK ICO; Steve Wright, GDPR & CISO Advisor, Bank of England; Titta Tajwe, CISO, News UK; Deborah Haworth, Penguin Random House UK; and panel moderator Brian Honan, CEO of BH Consulting

Regulate

Also during Infosecurity Europe, Brian moderated a debate on dealing with complex regulations while ensuring privacy, security and compliance. It featured with data protection and security practitioners from the Bank of England, Penguin Random House UK, News UK and the UK Information Commissioner’s Office. Bank Info Security has a good writeup of some of the talking points. Its report noted that Brian focused the discussion on the broader regulatory landscape, including the updated EU ePrivacy Directive, while panellists and audience questions kept returning to GDPR.

The article noted how the panelists broadly agreed that regulations, including GDPR, helped to improve their organisation’s security posture. It quoted Titta Tajwe, CISO of News UK, who said: “With the EU GDPR, it really helped for executives to understand what needs to happen to protect the data of your customers. So it did allow the CISOs to get the budget they needed to do the work they’d already been asking for, for a long, long time.”

Photos used with kind permission of Mathew Schwartz.

The post BH Consulting in the media: supply chain security still a concern appeared first on BH Consulting.

Third Party Security Risks to Consider and Manage

Guest article by Josh Lefkowitz, CEO of Flashpoint
 
Acceptable business risks must be managed, and none more so than those associated with external vendors who often have intimate access to infrastructure or business data. As we’ve seen with numerous breaches where attackers were able to leverage a weaknesses a contractor or service provider, third-party risk must be assessed and mitigated during the early stages of such a partnership, as well as throughout the relationship.
 
The following tips can help security decision makers more effectively address the risks posed by relationships with technology vendors.
 
Do Your Homework
Conducting thorough due diligence on a prospective vendor is essential. Organisations could evaluate technical and regulatory risk through due diligence questionnaires, for example, or even on-site visits if necessary. The point is to evaluate not only a third party’s information security risk, but compliance with regulations such as GDPR for privacy and PCI DSS for payment card security, for example. An organisation may also want to evaluate a third party’s adherence to industry standards such as NIST or ISO in certain security- and privacy-related areas.
 
Next, consider what this compliance information doesn’t tell you. What do you still need to learn about the vendor’s security posture before deciding whether you’re comfortable with it? Think about what questions you still have and, if possible, seek answers from the vendor’s appropriate security contact. Here are some questions to pose: 
When was your last penetration test? Is your remediation on schedule?
  • Have you documented security incidents? How did you remediate those incidents?
  • Do you have the result of your last business continuity test? If yes, can you share it?
  • What security controls exist for your users? Do they use multifactor authentication, etc.?
  • How are you maturing your security program?
  • Are you ISO, SOC 1/SOC 2, and NIST Compliant, and is there documentation to support this? 
Additional Security: It’s All in the Controls
If you’re unsatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you make the determination that working with the vendor may not be critical to your business.  

That’s not always the case, however. If you must partner with a particular third party and if no other reputable vendors offer anything comparable, you will likely need to implement additional technical and/or policy controls to mitigate the security risks associated with your business’s use of the offering, such as:
 
Technical
These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website; provided the proper authentication is in place, use its API instead. In most cases, there are two options, remediation or compensating controls:
  • Remediation: Can you work with the vendor to remediate the technical risk?
  • Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimise or deflect the risk?
Policy
These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely. Some typical policy scenarios include:
  • Regulatory compliance: For example, a vendor’s non-compliance could mandate you walk away from a third-party relationship.
  • Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working vendors who don’t meet certain security and privacy standards?
  • Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.
Asset Inventory is a Must
There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. For one, this knowledge can help identify and shape any additional security controls. Second, having this knowledge on hand is crucial should the vendor suffer a breach. Knowing exactly what assets were impacted, as well as who is doing what with your inventory, can expedite your response and identify and mitigate any exposure efficiently and effectively.
 
Response Plans Must Include Partners
Before finalising a vendor relationship, it’s crucial to use all the information gathered during your due diligence process to construct a response plan in preparation for any future incidents the vendor might experience. Tracking the assets to which your vendor has access is one component of an effective response plan. Others include courses of action to mitigate exposure, disclosure and notification procedures, external communications strategies, and plans to re-evaluate the vendor’s security and remediation following an incident.
 
The most effective way to manage vendor risk is not to work with any external vendors in the first place, which isn’t a feasible strategy. The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.
Josh Lefkowitz, CEO of Flashpoint

Understanding the GDPR

The European Union’s Parliament approved and adopted the General Data Protection Regulation (GDPR) in April 2016. This regulation will take effect after a two-year transitional period, meaning it will be fully enforced on May 25, 2018. At this time, if organizations are non-compliant, they will face hefty fines. There is a tiered approach to these fines; however, at a maximum an organization can be charged 4% of annual global turnover or 20 million euros ($23,554,200).

The GDPR applies to all organizations that process and hold the personal information of EU residents, regardless of the company’s location. To exemplify, the regulation pertains to all organizations located within the EU, as well as organizations that are located outside of the EU that offer good, services, or observe the behavior of EU citizens. These rules also apply to both controllers and processors of information, meaning that the cloud and other technologies are not exempt from the GDPR.

If information can be used to identify a person, directly or indirectly, it is protected under the GDPR. This includes but is not limited to names, email addresses, financials, medical data, and computer IPs.

Steps to take to prepare for the GDPR:

  1. Perform a compliance audit against the GDPR legal framework to identify where gaps exist, then work to remediate these shortcomings.
  2. Classify the personal data your organization possesses that is protected by the GDPR and implement the appropriate security measures. This includes understanding what information you have, where it came from, who it is shared with, and who has access to it.
  3. Appoint a data protection officer for your organization.
  4. Document all processes and keep a record for the Data Protection Association (DPA) in the country or countries your organization conducts business.
  5. Make sure the appropriate contracts are in place to protect your organization and ensure that the businesses you engage with are employing the same security measures.

Infringements of the GDPR include:

  • Not having sufficient customer consent to process personal information.
  • Not having records in order.
  • Violating the “Privacy by Design” and “Privacy by Default” concepts.
  • Failing to notify the data subject and the supervising authority about a breach or incident.
  • Not conducting an impact assessment.

Altogether, the GDPR is the most important change to data privacy regulations in decades. It is intended to make organizations more secure and accountable to their data subjects during all stages of their interactions. For more questions or to implement GDPR standards in your organization, please CONTACT US.

Patch Management

Cyber security controls are only effective if there are no means of bypassing them. If a vulnerability exists that enables someone or something to circumvent your organization’s existing set of security standards, your whole network could then be compromised. With the rise of cybercriminals targeting known vulnerabilities on unpatched systems, especially through worms and malicious code, implementing a patch management system in your organization is critical to maintaining a strong security posture.

Patch management is the routine procedure of administering updates for all technologically based products and programs, primarily applications and operating system versions. The goal is to create a securely configured digital environment in your organization that is consistently protected against all known vulnerabilities.

To be successful, patch management must be an ongoing process in which your system administrator or managed services provider:

  1. Maintains knowledge of available patches.
  2. Determines what patches are appropriate for the specific systems.
  3. Prioritizes the patches and protects your most critical vulnerabilities first.
  4. Tests the patches on non-critical systems before installation.
  5. Performs backups before installing a patch.
  6. Installs patches and makes sure they work properly.
  7. Tests the systems after installation.
  8. Documents all installed patches and the processes utilized.

Patch management is a critically important aspect of cyber security risk management because outbreaks like WannaCry occur because of unpatched vulnerabilities being exploited. In an organization with hundreds of systems, it only takes one compromised system to then harm the entire network. Altogether, in the technological world, there is rarely, if ever, a software or application that is developed without having to be modified or upgraded. As a result, a process must be implemented to distribute patches and remediate known vulnerabilities.

If you would like to discuss patch management in your organization, please CONTACT US.

National Cyber Security Awareness Month

Although National Cyber Security Awareness Month is coming to a close, COMPASS maintains a commitment to raising cyber security awareness throughout the year. The following are this year’s top blog posts that demonstrate ways to implement cyber security risk management in your organization and minimize the threats you may face.

  1. A Risk Manager’s Approach to Cyber Security 

Cyber security threats arguably pose the greatest danger to an organization’s risk management strategy. Risk managers should leverage their organization’s existing risk governance processes and methodologies to effectively analyze and manage cyber threats.

  1. Top 10 Assessment Findings

Although COMPASS’ client base is highly diverse, there are common findings we encounter on almost every single engagement. They are grouped by our approach to cyber security risk management which focuses on the 3 pillars of cyber security – people, policy and technology.

It is important for organizations to regularly assess not only their technical infrastructure, but also their organizational security awareness and policies. Organizations that fail to perform periodic assessments risk leaving themselves exposed to hackers who can exploit these vulnerabilities or negligent insiders who expose data unintentionally.

  1. 5 Steps to Develop a Security Program

Developing a practical and effective cyber security plan is vital to incorporating security into your organization’s risk management strategy. A common misconception is that a cyber security plan is lengthy and difficult to follow. However, that does not have to be the case. COMPASS recommends 5 steps for your cyber security plan.

  1. Business Email Compromise

BECs remain a prominent threat and will continue to be used in targeted scams. The victims of BEC attacks range from small business to large corporations and all employees should be aware of the dangers. Organizations that utilize robust prevention techniques have proven highly successful in recognizing and deflecting BEC attempts.

 

If you have any questions or would like to discuss the unique cyber threats your organization faces, please CONTACT US.

Employee Security Awareness Training

Because humans are often the weakest link when it comes to cyber security, it is critically important to integrate employee security awareness training into your cyber security action plan. By educating employees on best practices, policies, procedures, popular attack methods and trends, organizations can significantly reduce their risk of a data breach.

Increasing your investment in cyber security awareness training can decrease the threat of a cyberattack by 45% to 70%. Common and effective employee training methods include:

  • On-boarding – When a new employee joins your organization, immediately make them aware of cyber security best practices your organization requires. This will create a strong cyber security posture throughout the employee’s lifespan.
  • Mock phishing exercises – Phishing attacks are one of the most common forms of social engineering that can harm businesses. By employing these exercises organizations can test their email platform and see how their employees would react in a real-life scenario.
  • Webinars – Webinars on cyber security trends give employees a chance to ask questions and hear firsthand of the importance of keeping data secure. These interactive sessions empower employees with the information necessary to support the organization’s goal of protecting its sensitive data.
  • Policy check surveys – Regularly testing the knowledge of employees is important to their understanding of company policies and procedures. These can identify and prioritize gaps that should be addressed in further employee training sessions. In addition, these surveys and their results will be important if your organization is audited or breached.
  • Regularly discuss cyber security with employees – Make cyber security part of your workplace culture so that employees are regularly acting with the organization’s best interests in mind. Proactively address employee negligence as it is one of the top causes of security incidents.
  • Incident response plan –Ensure employees are aware of their role in the company’s incident response plan. Practice this plan quarterly so in the event of a breach your organization can respond quickly and comprehensively to minimize the impact and associated costs.
  • Onsite training – Providing face-to-face security awareness training on cyber best practices and company policies and procedures gives employees an opportunity to ask questions and learn from experienced personnel.

Proactively training employees before an information security incident is critical to protecting the future of your business. Create policies and guidelines that assume your company will be targeted by cybercriminals and make sure employees know the appropriate actions that are necessary to keep the company’s data safe. Implementing employee training in your organization at least quarterly is one of the best and most cost-effective ways to reduce cyber security risks.

For more information on employing training in your workplace, please contact us.

Mobile Device Management

Mobile Device Management (MDM) is a great method to ensure that your employees remain productive and do not violate any corporate policies. In the ever-expanding Bring Your Own Device (BYOD) world, more organizations are allowing employees the freedom to work from their own mobile devices. Tablets, smart phones, and personal laptops are taking a larger and larger space on corporate networks.

While there are numerous advantages to a BYOD environment, allowing personal devices onto a corporate network introduces a variety of security threats. A Mobile Device Management solution helps in securing that environment.

Here are 5 Tips you should implement when securing your devices with a MDM approach:

  1. Require standards for password strength – Make sure that your MDM is configured to require device passcodes that meet or exceed guidelines concerning length, complexity, retry and timeout settings for the appropriate device.
  2. Device Update Compliance – Set a minimum required version for employee mobile devices. This will require that employee devices are kept updated and restrict devices that do not comply with this setting.
  3. Prevent Jail-breaking – Prevent jail-broken or ‘rooted’ mobile devices. Allowing these devices could add an additional attack vector as many ‘rooted’ or jail-broken devices install third-party app stores that may contain malicious apps. Preventing these devices helps secure access to company data.
  4. Require usage of signed apps and certificates – Use your MDM to screen any mobile devices for suspicious applications before allowing access to company resources. These could be email programs, mobile apps, and networks (Wi-Fi or company VPN access). As with jail-broken devices, unsigned apps and certificates may allow malware to infect the device.
  5. Seek Employee BuyIn – Prior to allowing a user device onto your network, require the user acknowledge and accept basic corporate policies. Make sure that the user understands that company administrators will be able to revoke and/or restrict access to devices that don’t comply with company policy.

The best idea is to decide your corporate strategy and then choose a MDM solution that fits your project. For more information on mobile device security, download our iPhone and Android Security Guides. If you would like to begin a conversation about Mobile Device Management, please CONTACT US.

COMPASS Cyber Security Mobile Application

As a part of COMPASS Cyber Security’s ongoing commitment to raising cyber security awareness in the community, we are excited to announce the launch of our very own mobile application! By downloading this app, users will be provided with real-time cyber security threat alerts, best practice tips, and applicable guidance, so they can be prepared for the cyber security risks they may face. It is COMPASS’ mission to “shift the world’s data to be safe and secure” and this app is a testament to that by offering businesses and consumers valuable content they can use to protect their data.

Download the COMPASS Cyber Security app in the iTunes and Google Play stores to begin improving your cyber security posture!

Back to School Cyber Security

As schools open their doors for a new academic year, it is evident that education is becoming increasingly dependent on technology.  As a result, cyber security is a critically important component to the risk management strategies in schools.

Having worked with dozens of schools internationally, COMPASS understands the unique threats they face. Fall is the best time to set the tone for your school’s cyber security posture, here is how:

  • Perform a risk assessment of your school’s IT infrastructure to identify critical vulnerabilities and remediate them.
  • Segment your network so if one part of your network is compromised, it does not affect the integrity of the rest of your network. For example, put students on a network separate from the faculty and staff.
  • Limit the number of privileged users to only administrators with a legitimate need as defined by management protocol.
  • Implement quarterly cyber security awareness training. It is important that the faculty as well as the students are cognizant of cyber best practices so they have a strong digital safety background.
  • Review all policies to make sure they are current with the technologies and procedures within your organization.
  • Conduct a security configuration review of the central image from which all of the faculty devices are copied to provide maximum security.

With a variety of diverse user profiles traversing the network and a treasure trove of sensitive personal and financial information, it is often difficult to balance cyber security in an open learning environment. However, by implementing these cyber security strategies in your school you will greatly reduce your risk of an incident.

For more information on school security, download our Back to School Security Guide. To discuss your school’s unique cyber security posture please, CONTACT US.