Coronavirus-Themed Cyberattacks To Watch Out For

Published 05/06/2020

The novel coronavirus isn’t the only plague affecting businesses. Cyberattacks are spreading, too, as malicious actors take advantage of interest in COVID-19 news and coronavirus fears to trick people into clicking on phony links and attachments in social engineering and phishing scams. The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) warned of a surge in cybercrime attempts in an April 8 joint statement. According to the agencies, these hackers’ phishing emails and social media posts purport to offer information about the virus—but the links and attachments they contain, when opened, install malware or ransomware. Malicious actors aim to gain access to systems and information or even to…

Tips for Managing Third-Party Risk in Health Care

Published 05/05/2020

The healthcare industry possesses the crown jewels that the bulk of attackers are after: Personally Identifiable Information (PII). Data has become the new currency in the digital underground, consisting primarily of social security numbers, credit card information, health information, and passwords. Third-party vendor risk has become a popular topic amongst attackers and defenders mainly because attackers are leveraging third-party vulnerabilities to gain access to sensitive information, while defenders are trying desperately to keep the bad actors out and better understand risk management. One answer by defenders was the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was developed in order to help protect patient data and better secure a healthcare organization.  With HIPAA as a template, there are several other…

7 Pandemic Risk Management Tips to Implement Now

Published 05/04/2020

As COVID-19 continues to spread worldwide, not only disrupting health and life but also business continuity up and down the supply chain, economic and cyber risk have taken on pandemic proportions, as well. Many enterprises are struggling just to keep essential services functioning as they send employees home to work with new, hastily procured technologies. At the same time, they’re battling a surge in cybercrime by threat actors seeking to take advantage of the chaos. Risk management right now can feel, to these organizations, like a frantic game of whack-a-mole: mitigate one risk, and another pops up. Add in the wild fluctuations in financial markets the pandemic has caused, and organizations in almost every sector—health care, banking, education, and more—find…

How Nevada’s SB220 Compares to CCPA

Published 05/01/2020

On May 29, 2019, the governor of Nevada signed into law Senate Bill 220, a new consumer privacy law. The new privacy law amended Nevada’s existing 2017 online privacy law. Effective October 1, 2019, the new privacy law gives consumers the right to opt out of the sale of their personal information. Senate Bill 220 “is an act relating to internet privacy; prohibiting an operator of a website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer, and providing other matters properly relating thereto.” Put simply, Nevada’s privacy law will require operators of websites and online services to follow a consumer’s instructions not…

The Difference Between Vulnerability Assessment and Vulnerability Management

Published 04/30/2020

In today’s constantly evolving cybersecurity threat landscape, you have to do everything possible and then some to protect your critical data assets. Performing a vulnerability assessment and implementing a vulnerability management program can help your organization effectively deal with cybersecurity vulnerabilities. However, it’s important to understand the difference between vulnerability assessment and vulnerability management. What is Vulnerability Assessment? A vulnerability assessment is a one-time project with a specific start and end date. Generally, an external information security consultant will review your IT environment to uncover any vulnerabilities that cybercriminals could potentially exploit.  The information security consultant will document these vulnerabilities in a detailed report and offer recommendations to remediate those vulnerabilities. Once the information security consultant prepares the report, the…

What Compliance Lessons Can We Learn From Past Pandemics?

Published 04/29/2020

COVID-19 has us reeling from health, social, and economic shocks, but this isn’t our first global crisis. It is, however, the first in which cybercrime plays a starring role. The world has faced several pandemics in the past 100 years—several influenza pandemics including swine flu (H1N1) and Avian, or bird, flu, and HIV/AIDS—as well as economic depression and a number of recessions. Life and business tend to suffer disruptions during crises, but at least one thing holds true: the need to comply with laws, regulations, and industry standards. This time, though, compliance is different. Regulations addressing cybersecurity and data privacy are now in the mix, and the rapid shift to work-at-home, telemedicine, and digitization of operational and consumer services have…

FCPA compliance checklist

Published 04/28/2020

An FCPA compliance program checklist outlines the things an American company needs to check when it wants to do business in a foreign country to ensure it follows the guidelines of the U.S. Foreign Corrupt Practices Act (FCPA) of 1977. The FCPA is a federal law that aims to prevent all U.S. companies and their officers, directors, employees, and agents from making corrupt payments to foreign government officials to retain or obtain business. Agents, including consultants, third-party business partners, distributors, and joint ventures, are also subject to the FCPA’s anti-bribery provisions. The FCPA also applies to foreign companies with subsidiaries in the United States, that do business in the U.S., or whose transactions go through the U.S. banking system. FCPA violations…

What is NIST Special Publication 800-37 Revision 2?

Published 04/23/2020

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 2 is titled Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. NIST SP 800-37 Rev. 2 was published in December 2018 and describes the Risk Management Framework (RMF) and guidelines on how to apply the RMF to information systems. The Special Publication is in line with the Office of Management and Budget (OMB) requirements, specifically OMB Circular A-130. The RMF outlines the necessary structure and processes to manage security, privacy, and risk. The framework includes guidance on security categorization and on which controls to select, implement, assess, and continuously monitor. The goal of the RMF is to prepare organizations to execute appropriate…

How to Prevent Third-Party Vendor Data Breaches

Published 04/21/2020

Third-party vendor data breaches are becoming an epidemic, even for organizations that themselves have solid information security programs. The Ponemon Institute’s annual survey has shown, year over year, that the cost of third-party data breaches keeps rising. Many organizations struggle with how exactly to hold third-party vendors accountable and enforce the same rigid standards and controls that they apply internally. The big question is: how do organizations prevent third-party vendor data breaches? There are several tactics an organization can leverage in order to ensure shared compliance by third parties and reduce overall third-party risk. Audit third-party vendors for compliance. Require proof of third-party vendors’ cybersecurity program. Adopt a least-privilege model for data access. Adopt the Zero Trust network…

COVID-19 Compliance Considerations for Remote Employees

Published 04/17/2020

If the coronavirus disease (COVID-19) pandemic has caused your enterprise to make a sudden, rapid switch from an on-premises-centered business model to a diverse, dispersed network of ad hoc home offices, you may have let security and privacy measures slide a bit. Or perhaps cybersecurity has lapsed of its own accord while you’ve focused on matters that seem more urgent, such as getting laptops and mobile phones for your personnel and setting up teleconferencing and other work-at-home technologies. The bad news is, cybercriminals are standing by to slip into any holes you might leave open. If you’re breached, don’t expect regulators to look the other way: With the exception of the Health Insurance Portability and Accountability Act (HIPAA) in very specific…
