Navigating the Cybersecurity Landscape

Introduction

As a CIO, understanding and preparing for various cybersecurity compliance requirements is crucial. This blog offers insights into preparing for CMMC, CCPA, SOC-2 Type 2, NYDFS, FTC Safeguards Rule, and SEC compliance, focusing on their general requirements.

Understanding Cybersecurity Compliance

Key Regulations and Standards

CMMC (Cybersecurity Maturity Model Certification):

General Requirements: Implementing layered cybersecurity practices, documenting processes, and maintaining cybersecurity hygiene for organizations that handle Department of Defense controlled unclassified information. It is tiered across maturity levels with increasing security requirements (five levels in the original model; CMMC 2.0 consolidates these to three, with Level 2 aligned to the 110 controls of NIST SP 800-171).

CCPA (California Consumer Privacy Act):

General Requirements: Giving California residents more control over their personal data, including the right to know what data is collected, request deletion, and opt-out of the sale of their data.

SOC-2 Type 2:

General Requirements: Demonstrates a company’s ability to securely manage data in a way that protects the interests and privacy of clients, measured against the AICPA Trust Services Criteria. Unlike a Type 1 report, which assesses control design at a point in time, a Type 2 report requires an auditor to test the operating effectiveness of controls over an observation period, commonly six to twelve months.

NYDFS (New York Department of Financial Services Cybersecurity Regulation):

General Requirements: Under 23 NYCRR Part 500, covered financial services entities must establish a cybersecurity program, adopt a written policy, designate a Chief Information Security Officer, implement access controls, conduct periodic risk assessments, and report qualifying cybersecurity events to the Department within 72 hours.

FTC Safeguards Rule:

General Requirements: Financial institutions under FTC jurisdiction must develop, implement, and maintain a comprehensive written information security program. It includes risk assessments, access controls, employee training, regular testing, and oversight of service providers; the 2021 amendments also name specific safeguards, including encryption of customer information, multi-factor authentication, and a designated Qualified Individual responsible for the program.

SEC (Securities and Exchange Commission) Compliance:

General Requirements: Publicly traded companies are required to implement cybersecurity risk management policies and procedures, describe their risk management, strategy, and governance in annual reports, disclose material cybersecurity incidents (under the 2023 rules, on Form 8-K within four business days of determining materiality), and ensure accurate record-keeping.

Preparing for a Compliance Review

Step 1: Conduct a Comprehensive Risk Assessment

Evaluate your IT infrastructure and practices against the specific requirements of each regulation.

Step 2: Develop and Implement Robust Security Policies

Tailor your policies to meet the requirements of each standard, with a focus on data privacy, access controls, and risk management.

Step 3: Ensure Proper Data Management and Protection

Align your data management and protection strategies with the specifics of each regulation, emphasizing consumer data rights (CCPA) and secure data handling practices (SOC-2 Type 2, NYDFS, FTC Safeguards Rule).

Step 4: Regularly Update and Patch Systems

Ensure your systems and software are updated regularly to comply with the technical safeguard requirements of these standards.

Step 5: Train Staff on Their Respective Cybersecurity Roles

Make sure that staff are trained on organizational cybersecurity requirements, general cybersecurity hygiene and specific responsibilities that exist as part of their role within the organization.

Step 6: Prepare a thorough Incident Response Plan

Identify an incident response team and develop an incident response plan that steps through what is to be done based on the type of incident and its potential severity, including who decides whether a regulatory notification clock (such as the NYDFS 72-hour or SEC four-business-day windows) has started. Test the plan periodically with tabletop exercises so you aren’t trying it out for the first time during an actual incident.

Step 7: Document Compliance Efforts

Maintain thorough documentation for all compliance-related activities, including internal audit checks, a critical element for proving adherence to these standards.

Best Practices for Risk Assessment and Data Protection

Effective risk assessment and data protection are pillars of robust cybersecurity compliance. Here are some best practices to enhance these areas:

Risk Assessment Best Practices:

– Conduct regular and comprehensive risk assessments to identify vulnerabilities in your IT infrastructure.

– Utilize advanced tools and methodologies like penetration testing and vulnerability scanning.

– Involve cross-functional teams in the risk assessment process to get diverse perspectives.

– Stay updated with the latest cybersecurity threats and adjust your assessment strategies accordingly.

Data Protection Best Practices:

– Implement strong encryption methods for data at rest and in transit.

– Regularly update your data protection policies to comply with evolving regulations.

– Ensure strict access controls and use multi-factor authentication for sensitive data access.

– Conduct regular data backup and recovery drills to minimize the impact of ransomware and other destructive incidents; a backup that has never been restored is an untested assumption, not a control.

Insightful Tips for Continuous Compliance Improvement

Continuous improvement in compliance is essential for adapting to evolving cybersecurity landscapes. Here are some tips to keep your compliance efforts proactive and effective:

– Establish a culture of continuous learning and improvement within your cybersecurity team.

– Regularly review and update your compliance policies to align with new regulations and standards.

– Engage in periodic training and awareness programs for your employees.

– Invest in technology that facilitates compliance monitoring and reporting.

Conclusion

Companies that incorporate compliance into an organizational cyber risk strategy (as opposed to a ‘set it and forget it’ approach) tend to achieve their compliance goals more cost effectively, because the compliance measures are developed organically within the organization. If you would like to learn more about best practices for preparing your organization for compliance, please contact us at [email protected]

Clients increasingly Asking about Vendor Cybersecurity Procedures 

With increasing requests from clients regarding their cybersecurity controls, companies are looking to us for help in a number of areas, with questions about written security policies, vulnerability and penetration testing, risk assessments, and security awareness training. These questions and concerns, which used to be directed mainly at large companies, are now also routine for small and medium-sized businesses.

In addition to the previously mentioned topics, clients are looking to see that companies have certain security tools in place such as:

  1. Multi-Factor Authentication (MFA): MFA is a key way to add an extra layer of security against attackers who have obtained a password. With MFA, a second, independent proof of identity (such as a one-time code, a push approval, or a hardware security key) is required in addition to the password to log in.
  2. Endpoint Detection and Response (EDR): EDR is a security solution that continuously monitors endpoints, collects telemetry, and can respond (for example by isolating a host or quarantining a file) to help contain threats.
  3. Backup: Companies should keep multiple copies of their backups with at least one stored off-site and not reachable with the same credentials as production systems. Backups should also be regularly tested by actually restoring them, to ensure they can be recovered when needed.
  4. Patching: Patches are software and operating system updates that fix known vulnerabilities; applying them promptly, starting with internet-facing systems, keeps your environment up to date.

If your company is getting overwhelmed by client requests about your security posture, you are not alone. If you think your current measures may not be up to par or do not have the time, Designed Privacy created a program that provides you with a guide to cybersecurity and the tools you need to keep your company and your clients protected and stay competitive.

Dental Data Breach Caused by Vendors and Human Risks

This Fall, the personal health information of over 170,000 dental patients was exposed in a data breach associated with the Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group. According to the Professional Dental Alliance, patient information was exposed due to a successful phishing attack against one of their vendors, North American Dental Management (NADM). The phishing campaign gave attackers access to some NADM email accounts, where the personal information of patients was apparently stored.

While the Professional Dental Alliance has said that their electronic dental record system and dental images were not accessed, an investigation found that protected health information of patients, such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information, was accessed by the attackers.

This is not the first time dental offices have found themselves the target of a data breach. In 2019, a ransomware attack against a managed service provider resulted in the exposure of patient information from over 100 Colorado dental offices. A year later, the information of over 1 million patients was exposed after an attack against the Dental Care Alliance.

These incidents reveal just how vulnerable professional practices can be to cybersecurity attacks and data breaches. One of the reasons is that many professionals are small businesses that don’t have the time or expertise to deal with everything that goes into cybersecurity, so they rely on vendors and associations to keep them protected. The issue is that if those vendors and associations experience a breach, the professionals who depend on them are also at risk.

To keep their patient information safe, it’s vital that dental offices and all professional businesses pay attention to the human risks that can lead to cybersecurity incidents. The attack described above, for instance, was the result of a phishing campaign that tricked an employee into handing over account credentials. Here are a few things all professionals can do on their own to stay secure:

Endpoint detection and response

Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops, and other devices to identify activity that could be malicious. Once a potential threat is identified, EDR can respond automatically, typically by isolating the endpoint from the network or quarantining the offending file or process, and it notifies your security or IT team for investigation. Unlike traditional signature-based antivirus, EDR also records what happened on the endpoint, which is what lets you answer the question “what did the attacker do after the click?” EDR is vital today for staying on top of potential threats and stopping them before they can cause serious damage.

Multi-Factor Authentication

Using multi-factor authentication (MFA) is a simple yet powerful tool for stopping attackers from using stolen credentials. For example, if an employee is successfully phished and the attacker obtains that employee’s login information, having MFA in place for that account can stop the attacker from logging in even with the right username and password. Not all factors are equal, however: one-time codes and push approvals can still be relayed by a real-time phishing page or worn down by repeated prompts, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys are bound to the legitimate site and cannot be replayed elsewhere. If possible, all users accessing your systems should have MFA set up for all of their accounts. At minimum, it is extremely important that every user with administrative privileges use MFA, whether they are accessing your network remotely or on-premises.

Patching

Attackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain security fixes that “patch up” known vulnerabilities, and once a fix is public, attackers study it to find the hole. At the end of the day, if you’re using out-of-date software, you’re at increased risk of attack. It’s therefore important that your team stays on top of software updates as soon as they become available, prioritizing internet-facing systems and vulnerabilities known to be actively exploited.

Back-ups

Having a backup of your systems could allow you to quickly restore your systems and data in the event of an attack. This is especially important if you are hit by ransomware, which encrypts your data and, increasingly, also steals a copy to extort you. It’s essential to have a backup strategy that keeps the attackers from encrypting or deleting your backups along with everything else: at minimum, at least one copy should be stored offsite, and the backup copies should not be reachable from a compromised production account, so use different credentials for each copy (and, where your backup product supports it, immutable or offline storage). Finally, you should regularly test your backups by actually restoring them and checking the result, so you know you will be able to quickly and effectively get your systems back online if an attack happens.
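As an added example (not from the original posts), this Python script implements the restore test that both the vendor-questionnaire list above and this section call for: back up a constructed directory, keep a separate hash manifest, restore the archive into a scratch directory, verify every file against the manifest, and then corrupt one byte of the archive to show that the test catches it. The file names and contents are constructed for the demo.

```python
"""Added example (not from the original posts): a backup restore test.
Backs up a constructed directory, verifies a restore against a separately
stored hash manifest, then corrupts the archive to show the check fails."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (works for files larger than memory)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file under `source` and return a manifest
    {relative path: sha256}. Keep the manifest apart from the archive so a
    corrupted or tampered archive cannot vouch for itself."""
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    return manifest


def restore_test(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and return a sorted list of problems:
    unreadable archive, missing files, hash mismatches, unexpected extras.
    An empty list means the restore test passed."""
    problems: list[str] = []
    # Use the safe extraction filter where available (Python 3.12+, backports).
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r") as tar:
                tar.extractall(scratch, **extract_kwargs)
        except (tarfile.TarError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = Path(scratch)
        seen: set[str] = set()
        for path in restored.rglob("*"):
            if path.is_file():
                rel = path.relative_to(restored).as_posix()
                seen.add(rel)
                expected = manifest.get(rel)
                if expected is None:
                    problems.append(f"unexpected file: {rel}")
                elif sha256_file(path) != expected:
                    problems.append(f"hash mismatch: {rel}")
        problems.extend(f"missing: {rel}" for rel in manifest if rel not in seen)
    return sorted(problems)


def corrupt_first_member(archive: Path) -> str:
    """Flip one byte inside the first member's content (bit rot, a partial
    overwrite, or deliberate tampering) and return that member's name."""
    with tarfile.open(archive, "r") as tar:
        member = tar.getmembers()[0]
    data = bytearray(archive.read_bytes())
    data[member.offset_data] ^= 0xFF
    archive.write_bytes(bytes(data))
    return member.name


def demo() -> tuple[list[str], list[str], str]:
    """Back up constructed files, verify a clean restore, then corrupt the
    archive and run the restore test again. Returns (clean, corrupted, name)."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "practice-data"  # constructed sample data
        (source / "records").mkdir(parents=True)
        (source / "records" / "patients.csv").write_text("id,name\n1,constructed\n")
        (source / "config.ini").write_text("[db]\nhost=localhost\n")
        archive = root / "backup.tar"
        manifest = make_backup(source, archive)
        clean = restore_test(archive, manifest)
        name = corrupt_first_member(archive)
        corrupted = restore_test(archive, manifest)
    return clean, corrupted, name


if __name__ == "__main__":
    clean, corrupted, name = demo()
    print("clean restore problems:", clean)
    print(f"after corrupting {name}:", corrupted)
```

In practice the manifest is written at backup time and stored with the offsite copy under its own credentials, and the restore test is run against that offsite copy on a schedule, not against the archive sitting next to production. A scheduled job that alerts when `restore_test` returns anything but an empty list turns “we have backups” into something you can show an auditor or a client.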

Security Awareness Training

As this latest data breach shows, phishing and social engineering attacks are common ways attackers gain access to your systems. Unfortunately, phishing is not something you can fix with a piece of software alone. It’s essential that employees are given the training they need to spot and report any phish they come across, and that reporting is easy and free of blame, so the security team hears about the click quickly. Sometimes it only takes one wrong click for attackers to worm their way in.

Changes to Employee Training Align with Behavior-Design Principles

A recent article in The Wall Street Journal highlights some of the big changes that businesses have made to their employee training programs since the start of the pandemic. Typically, these trainings were formal, multi-hour in-person meetings. According to Katy Tynan, research analyst at Forrester Research, “formal, classroom-delivered training was easy to plan and deliver, but organizations didn’t always see the intended results.” Once the pandemic came along, trainings moved online and offered fun, informal, bite-size lessons that employees take over time. These changes to classical training programs echo many of the behavior-design principles that we incorporate into our cybersecurity awareness training.

Let’s break down some of the key changes the Journal article discusses and how they relate to behavior-design principles:

1. Keep it Simple

Instead of hours-long trainings, businesses are starting to break their trainings into small pieces for employees. In behavior-design terms, this addresses an important element of creating change: making sure people can easily do what we are asking them to do. Simply put, you can’t throw a ton of information at someone and expect them to retain it all. What’s more, employees are far more willing to go through a training if they know it will take 5 minutes instead of 5 hours. Keeping trainings short and easy to do is therefore an important step towards ensuring that the behavior you want matches your employees’ ability to deliver it.

2. Consistency is key

Most traditional training programs are a one-and-done deal. Once it’s over, you never have to worry about it again. However, this is exactly what we don’t want employees to take away from training. Instead, consistency is key for any changes. With short lessons, employees can go through the program in small, daily steps that are easy to manage while also keeping the training in their mind over an extended period of time.

3. Make it Interesting

The final piece of the behavioral puzzle is ensuring that employees actually want to do the trainings. Most traditional training programs may involve some small group discussions, but overall employees are shown videos and made to listen to someone talk at them for long periods of time. Employees are only taking in information passively. Instead, trainings should be fun, interesting, and engaging to keep users coming back for more.

The pandemic has brought about many changes to our lives. While some have been for the worse, it has also forced us to think differently about how we do things and come up with creative solutions. The new trend in training programs is one such change, and what makes it successful is the way it incorporates basic behavior-design principles. This is the approach we took when we developed The PhishMarket™, our cyber awareness training program. By offering engaging and interactive 2-4 minute lessons given daily over an extended period of time, our program has shown success in reducing employee phish susceptibility 50% more than the industry standard.

The Human Factors Behind the Robinhood Data Breach

Earlier this week, the trading app Robinhood announced a data breach in which a mixture of email addresses and full names of about 7 million of their users were stolen. It is still unclear what impact this may have for Robinhood’s entire userbase. However, at the very least, this breach could provide attackers with enough information to carry out targeted phishing and other social engineering attacks against those whose data was stolen. While on the face of it this may appear to be a standard data breach, a closer look reveals how human factors led to it.

While we don’t have all the details yet, according to Robinhood’s statement the attack was carried out after someone called the company’s customer support line and tricked an employee into handing over access to “certain customer support systems.” From there, the attacker was likely able to access customer information or gain additional access to other parts of Robinhood’s network. This form of attack is commonly known as “vishing” (voice phishing), in which the attacker impersonates someone over the phone rather than through a traditional phishing email; it bypasses email filters entirely, so the employee on the line is the only control.

This form of attack is not uncommon and highlights a number of key questions that business leaders need to consider when it comes to digital risk. First, it’s important to take a broad view of all the avenues attackers could use to gain access to your systems. Your customer support channels may not come to mind first, but any outward-facing platform, and any staff member empowered to grant access over the phone, poses a risk, which is why verification procedures for support staff matter as much as the technical controls. Second, business leaders and their employees need to start thinking about how their own digital behaviors can be leveraged against them. Traditional security awareness programs do a good job of explaining issues and, in some cases, testing for the presence of negative digital behaviors. But to see real change, security awareness training needs to focus on building the positive, more secure behaviors that are strong enough to override the bad online habits we develop.

Any way you cut it, the Robinhood data breach is yet another example that highlights the vital importance of taking a human-factored approach to cybersecurity. Business leaders need to actively invest in not just security tools, but also in training and controls that help employees understand human factors threats and what they need to do to ensure they don’t fall for social engineering scams.