Blog

5 of The Top Benefits of a Virtual CISO (Chief Information Security Officer)

Trying to improve your organization’s cybersecurity? Thinking of Hiring a virtual CISO?

Find out the top benefits of a vitrtual CISO (chief information security officer) here!

Hiring a virtual chief information security officer (vCISO) is essential for banks and credit unions that need to protect their organization from cyber threats. A CISO can strategically lead your organization in cybersecurity to help ensure your organization is protected.

Below we’ll look at the top ways that hiring a virtual CISO can help your organization.

1. Independence

One of the best things about hiring a vCISO is that they will be able to remain independent from other parts of your organization.

It’s important that a CISO is independent of the IT operations of your business and that they are free from the restraints and potential pitfalls of office politics. This will allow them to do the best job possible while strategizing effectively.

2. Cost-Effectiveness

Another excellent benefit of hiring a vCISO is that doing so will be much more cost-effective than hiring a CISO internally.

Salaries for full-time CISOs can be over $150,000 and not every organization is able to keep one on staff easily. It can be difficult to worry about paying salaries, benefits, bonuses, and training.

Plus a vCISO does not require an office as they work remote from their office but can visit in person as needed this means more savings. 

Luckily, a virtual CISO service is usually more than enough for many types of organizations. A vCISO can be a great alternative since your organization will only pay for what it actually needs.

3. Expertise

A CISO can do many things to help protect your business. When working with a vCISO, you’ll get access to experts who have advanced know-how to improve cybersecurity and protect your business.

Hiring the right CISO, training them, and retaining them can all be difficult tasks. With a vCISO, you’ll get access to all of the expert knowledge that you need without needing to go through the trouble the management and hiring of a full-time CISO.

Typical CISO objectives for vCISO include: 

    •    Information Security Governance leadership and strategy.

    •    Steering committee leadership

    •    Security compliance management.

    •    Data privacy.

    •    Security policy process and procedure development.

    •    Incident response and DR/BCP planning.

    •    Security awareness training.

    •    Security risk assessments.

    •    Internal audit.

    •    Penetration testing

    •    Social engineering

    •    Plus any of your top business technology management concerns.


4. Specialization

In addition to having plenty of general knowledge, some virtual CISOs will also have more specialized knowledge as well.

Some virtual CISOs will be extremely experienced with specific topics. IE: Our vCISO’s have broad industry experience across multiple business sectors and compliance frameworks. We also have experience with HITRUST, FISMA, NIST, PCI DSS and data privacy.

This kind of specialized expertise can be very valuable for your organization and can help fill in the gaps where your organization may be lacking.

Additionally, even if you have a full-time CISO already, a vCISO with specialized knowledge can be very beneficial.

5. Flexibility

Another great thing about hiring a vCISO is that doing so will give you a huge amount of flexibility in the way you operate.

While strong cybersecurity is crucial, it’s not always necessary to have a full-time employee. With a vCISO, you’ll be able to call on them only when you need them and the services will be crafted for your organization’s unique needs. This means you  only pay for the CISO services you need.

Additionally, scaling will also be easier as well. You’ll be able to get access to as much or as little CISO support as you need at any given time.

Making the Decision to Hire a Virtual CISO

Hiring a virtual CISO is essential for financial institutions and probably come with more benefits than you may have realized. Make sure to consider the above points if you’re wondering if it’s time for you to hire a vCISO for your organization. The bottom line is that we are successful because we provide unmatched customer service, efficient and precise technology management and compliance solutions every time. When it comes to your CISO demands, everything matters!

Ready to hire professional virtual CISO services? Contact us today to learn more about what we can do for you.

12 Effective Cyber Security Tips for Your Small Business

Your small business can’t afford to get infected with malicious software. Here are 12 effective cyber security tips to safeguard your company’s data.

I don’t have to tell you about the latest data breach, it’s like the evening news we have become numb to all the losses. Aetna, Jason’s Deli, CarePlus, Partners HealthCare, FedEx, Panera Bread the breach list is endless. So the real question is:what is the root cause of these data breaches? Is it people, processes or technology or all of the above?

As we in Audit look at people, processes and technology, we must at some point be able to tell organizations that the IT director can’t also be the chief security officer and the IT manager can’t be the systems admin, security engineer and the security analyst. Also IT should not be procuring all audits, the board and the CEO must be leading this effort. Otherwise it’s not likely to be very balanced or meaningful.

I have worked in IT departments where this was the case, and it’s always a weak performing organization when it comes to security and compliance. I also see it every day as an auditor, it’s the root cause of so many poor audits and eventual data breaches. The question is how to delicately tell the corporation without any strict regulations forcing the issue (that’s not required to be data security compliant) that this is in their best interest. How do we start a real dialog with boards and CEOs to make this point clear? This a lengthy topic for another Blog article, so stay tuned and we will cover this soon. In the meantime, follow these industry tested cyber security tips for survival.

Keyword(s): cyber security tips
Don’t assume that your small business is safe from a cybersecurity breach. In a single year, 61% of attacks are now on small businesses.
These attacks end up costing $84,000 to $148,000. Of those small businesses attacked, 60% go out of business within six months of the attack.
Why risk those odds with your small business? Use these 12 cyber security tips to prevent your small business from becoming another victim.

  1. Have a Backup
    Create a process to back up all critical data on a regular basis. When ransomware attacks, company operation can continue by picking up with the backup. What is critical data? Whether you sell auto parts or flowers, then your financial data and customer orders are critical. Remember also if you sell to an individual that is a European union citizen, then you are subject to (Global Data Protection Regulation) GDPR. More on this later but its a Privacy act from Europe that impacts the globe when it comes to protecting customers privacy. IE: if your systems are hacked and you lose customers data you can be subject to significant fines and penalties.
  2. Assess Risk
    Do not make the mistake of thinking your company isn’t a target. You need to identify any valuable data. IE: what data runs your business? When the power goes out how do you run transactions? If your computer system crashed could you recover?
    Then look for any potential threats. Finally look for the weak points in your system that are most vulnerable and make sure that you address the highest risk vulnerabilities first. Your options when faced with a risk are to: Accept it, Avoid it, Transfer the risk or Mitigate it.
  3. Update Your Software
    The majority of software providers distribute free updates for their licensed products. New threats appear on an ongoing basis. Update your software to protect against these new threats. IE: each day thousands of new attacks are targeted at any and all computing systems and their applications. These patches are the vendors response to provide stability and security to an other wise compromised piece of software.
  4. Create an Action Plan
    Having a response plan in place will help mitigate the damage when a breach happens. Keep the plan simple, realistic, and actionable. IE: a simple plan of who to call to restore your internet, servers and how to run in manual mode until things come back up are a good starting place.
  5. Name a Key Person
    Choose one person who handles putting the action plan in motion. This reduces confusion and the potential for conflicting actions. IE: also add a call tree of who to call and put your emergency plans into action.
  6. Create a Defense
    Create a digital wall around your systems. Firewalls, anti-virus, and anti-spyware work to prevent unauthorized people from viewing your data.
    Don’t forget to secure your Wi-Fi network. Always use a complex and unique password. To learn more about complex passwords visit: Secure Passwords
  7. Educate
    Teach your employees about the importance of the best practices to stay cybersecure. They are the first line of defense for safe browsing, avoiding phishing, and safe email use. Contact us for cyber security awareness training options.
  8. Approve the Least Amount of Privilege
    When creating accounts, give each one the least amount of access necessary. This limits the number of potential risk points. If a breach does happen, the exposure can be limited to a specific account’s access.
  9. Protect Your Passwords
    Always change the default password to a custom one. Default passwords are easy to decipher and available online.
    Each employee should have their own unique complex password. They should also change on a regular basis.
  10. Do Not Share Accounts
    Do not let your employees share accounts. This means no using a community account or freely sharing individual login credentials. This prevents accidental leaks and malicious intentions of a disgruntled employee. It also allows you to identify the source of a breach.
  11. Watch the Privileged Accounts
    Limiting the number of accounts with the highest privileges is a great start. Those highest accounts are capable of covering up malicious activities though.
    Use monitoring software to supervise their activities. This will ensure they are not compromised or doing anything malicious. IE: This is how Banks are run, not everyone gets access to the safe and not just one person can transfer $1000000 dollars, Its least privilege and separation of duties.
  12. Don’t Forget Personal Devices
    Security for business doesn’t end with the equipment in your office. Employees who access the system from home or on personal devices are a weak point in your security. IE: the average smartphone or USB storage device can be used to transfer many Gigabytes of data from your business right out the door.
    Ensure data encryption occurs on these devices. Track activity on these devices. It is easy to hide malicious activity with data stored on external devices.
    Use These Cyber Security Tips
    By following these cyber security tips you will keep your business safe from a breach. Start by creating an action plan by assessing the risks.
    Have one person that will put the plan into motion if a breach happens. Maintain ongoing security by limiting access, creating secure passwords, and monitoring activity.
    Stay diligent about maintaining standards. This will help you avoid attack or reduce damage when one happens.
    Let us help you put these small business tips for cyber security.
    Depending on your business size and its regulatory environment, you may benefit from our Virtual CISO program. A Virtual Chief Information Security Officer. Use the contact link above to learn more.

GDPR Compliance Checklist: Is Your Website Compliant?

EU General Data Protection Regulation Compliance. Rubber stamp with the text GDPR Compliant over white background. 3D illustration

GDPR Compliance Checklist: Is Your Website Compliant?

For many website owners, GDPR compliance has never really been at the top of the “to-do” list. Unfortunately, you can’t keep it on the back burner anymore. Today, we’re going to provide you with a GDPR Compliance checklist so you can do a self-audit on your sites to ensure that you’re compliant.

The European Union’s General Data Protection Regulation (GDPR) went into effect May 2018.

It applies to any company that handles personal data about EU citizens. Up to 50% of companies do not yet meet GDPR compliance requirements.

What Is GDPR?

The GDPR applies to the 28 member states of the European Union and any entity conducting business in the EU. It differs from a directive, which requires member states to draft laws to enforce its rules. The purpose is to strengthen the rights of EU citizens about their personal data.

Because of GDPR, companies must now pay significant fines if they fail to comply. Companies could pay up to €20 million, or 4% of its annual turnover.

Does GDPR Apply to Me?

GDPR compliance in the UK is mandatory. GDPR compliance applies to US companies that control or process EU residents’ data. Companies don’t have to be in the EU to be bound by the GDPR.

Note that GDPR for small business is no different. Companies of any size are subject to the regulation.

Checklist for GDPR Compliance

Your first step is to audit the information your company holds. The following information is a high-level checklist. You’ll find these topics on any GDPR audit questionnaire.

IT and Data Governance

What data do you have? Set up a list of the personal data types and sources for each type of information. Establish if you have a legal basis for collecting this data. If so, include that in your privacy policy.

How do you store and share data? Which databases store data, and what third-party storage providers do you use? Any time you change or delete data, direct any other organization to update their records.

How is data processed? You’ll need to outline your processing. Document the contact information of your data processors. Also, document transfers of personal data to allowable third parties or international organizations.

Review Customer Awareness

Next, review and update your privacy policy. Write a clear policy and make it accessible on your website. The privacy policy should state the lawful basis for data collection and processing it. Clear communication builds long-term customer trust.

Reestablish your existing customer consent. Under GDPR, pre-checked boxes or opt-outs are not acceptable. You also can’t bundle consent with other terms and conditions. Users must also be able to withdraw consent at any time.

Finally, highlight third-party processors. Allow your customers to give consent as part of your privacy policy.

Maintain Customers’ Rights

Examine your procedures. Ensure they cover the new and existing rights customers have under GDPR. This includes how your organization deletes personal data or provides data upon request.

You must fulfill people’s requests to access their data within a month at no charge to the customer. You must also have a process for correcting, erasing, or moving personal data.

Internal Accountability

Training your staff on GDPR maximizes your ability to reach compliance. It also minimizes the risk of data loss or theft. Don’t forget to train all members of staff including upper management.

Training senior staff ensures accountability and governance of the GDPR compliance processes.

You should appoint a Data Protection Officer (DPO) to oversee data protection compliance. The DPO must also receive proper training to carry out his or her duties.

Data Protection Impact Assessments (DPIA) are mandatory for organizations implementing new technology. DPIAs establish how risky select data processing activities are.

Under GDPR, You must report data breaches within 72 hours. Detail what data was lost, the consequences, and the countermeasures taken. You must also notify the data subjects involved.

The GDPR increases penalties and other legal implications of data breaches.

GDPR Compliance for 2019

The GDPR is entering its second year and gaining traction. It’s more important than ever to understand its impact on your organization. If you have any questions about GDPR compliance, please contact us today.

4 HIPAA Violation Cases and What Companies Can Learn from Them

4 HIPAA Violation Cases: Cautionary Tales for Businesses

Do you have a company dealing with patient health data? If yes, you need to seriously think about HIPAA compliance. Check out these HIPAA violation cases to know what you’re in for if you don’t comply with HIPAA’s rules.

The Health Insurance Portability and Accountability Act (HIPAA) created a standard for how medical information can be stored and accessed.

Breaking this law can have serious consequences, including jail time and massive fines. As you’ll soon see in these HIPAA violation cases, it’s easy to overlook things that are actually serious violations.

Keep reading to find out what you can learn from these four cases to avoid becoming a cautionary tale yourself.

1. Train Employees

It can’t be stressed enough how important it is to make sure every employee is trained to avoid HIPAA violations. And, it’s not enough to have them read over the guidelines on their first day.

Ongoing HIPPA training will help prevent violations as these regulations will be consistently in the front of their minds. In addition to training employees, having a system in place that instantly catches violations will help prevent things from going too far.

This lesson was learned the hard way by a clinic located in Virginia. When a high-profile patient came in, 14 of their employees couldn’t resist checking out the electronic file. However, because of the logging system in place, all of these improper logins were caught and the employees were promptly fired.

2. Consider Waiting Room Design

HIPAA compliance starts in the waiting room. One private practice was investigated after a violation and had to completely change the way their waiting room was set up.

The first lesson to learn here is in regards to the position of the computer monitors. They should not be placed in such a way that any patients or other visitors can see them at any time.

Additionally, any conversations that could reveal what a patient has come in for needs to happen in privacy. In this violation case, a staff member told a waiting patient about HIV-testing procedures in front of other patients.

3. Keep Track of Data Storage Devices

The best way to avoid a HIPAA violation because of portable devices is to keep data from being stored on anything like a laptop or flash drive. These are easily stolen and if that happens, it will result in a severe HIPAA fine.

A cardiac monitoring device vendor settled with the Office of Civil Rights (OCR) for $2.5 million after a laptop that had hundreds of patients records was stolen from their vehicle.

Another similar incident occurred in a private practice when a flash drive was misplaced by an employee at a dermatologist office. They had to pay a $150,000-fine and change policies regarding portable storage devices.

4. Don’t Allow Professionals to Treat Acquaintances

When a close friend or family member is at risk because of a patient, it may prove to be too strong a temptation for those treating them. That was the case with one such nurse in New York.

After her sister-in-law’s boyfriend was diagnosed with an STD, she couldn’t help but to warn her sister-in-law about it. It cost the nurse her job, and the clinic is still in litigation with the patient whose confidentiality was violated.

Takeaways from These HIPAA Violation Cases

Hopefully, you picked up a few tips from these HIPAA violation cases so you can avoid making the same mistake in your own health-related business. Here are the tips in review:

  • Provide ongoing training for employees
  • Position computer monitors so patients can’t see them
  • Don’t discuss procedures or patient information in the waiting room
  • Don’t use portable storage devices
  • Avoid allowing nurses and doctors to treat people they know

For more help in keeping your practice or business HIPAA-compliant, contact us today!

Preparing for the Unexpected: 5 Things Your Disaster Recovery Plan Must Cover

Preparing for the Unexpected: A Disaster Recovery Plan Checklist

No business owner should leave things to chance and just hope that a natural disaster won’t hit his/her business. If you want to cover your bases, you should invest in risk management and have a disaster recovery plan in place. Find out how to devise a DR plan checklist here.

Unfortunately, natural disasters happen when people least expect it. If you are a business owner, you know that a power outage has the potential to be disastrous.

Investing in risk management and covering your bases beforehand will help avoid mass chaos and panic in the long run.

Here are some things you should have on your disaster recovery plan checklist.

Your Disaster Recovery Plan Starts With a Trustworthy Source

The first thing on your disaster recovery plan checklist should be to find a trusted IT partner to help you through this process.

Immersion Security has a lot of experience in risk management.

These professionals will work on identifying any potential threats and will also develop and put in place the recovery plans.

Some tasks and assessments that your source can help you with would be:

  • Vulnerability Scans
  • Risk Assessments
  • Risk Remediation
  • Risk Management Program Design

The process of creating a disaster recovery system can be intricate, so it is best to contact the professionals for a foolproof plan.

Know Your Important Data

When disaster recovery planning, it is crucial to understand where your high-value data is and what that means for your specific business.

This high-value data would be any sensitive customer information. This data could also be files that you frequently use on a day-to-day basis.

It might be helpful to create a hierarchy system of data for your business which shows you what is the most important to least important data you have stored.

The hierarchy that you think up will show you which type of data is what you will most want to consider protecting because it is the most critical.

What is Your Ideal Recovery Time?

Every business is different; therefore every recovery plan is different including the recovery time.

You will need to decide how quickly you would ideally want/need to have your data back up and running for your business.

For example, the least expensive option (storing data offsite) often be the one that takes the most time.

Other things to consider that will affect recovery speed is is the data would be stored onsite or in the cloud or if you use a tape or a disk.

Whatever you choose, use the system that provides your business with the optimal recovery time for your budget.

Make Updates Accordingly

As your internal systems data changes, so should your data recovery system.

Not updating your recovery system is a common mistake that can cost you big.

These changes include any major software updates, new technologies, or updated algorithms.

Practice, Practice, Practice

While having a disaster recovery plan in place is admirable, the only way to know if it works as it should is to test it out.

Implement practice procedures and do regular testing to make sure that everything is performing as it should.

Be Prepared

Using these disaster recovery plan tips can help your business in its most desperate time of need if it comes down to it.

Immersion Security will help keep you secure from any cybersecurity threats.

Take a look at our blog for more business cyber security tips and advice.

Vendor Risk Management: Why You Need to Think About Third-Party Cybersecurity

All About Vendor Risk Management: How Secure Are Your Vendors?

You might be investing a lot in your own company’s cybersecurity. But are you taking steps to ensure your vendors aren’t putting your business at risk? Let’s talk about vendor risk management and why vendor security is a must.

Around 46% of Americans have been victims of credit card fraud. Protect your business and all of your sensitive information with vendor risk management.

Nearly half of all credit card fraud (47%) happens in the United States. Unless you’re taking extra steps to protect your sensitive data, you’re at risk for a security breach.

Here’s what you should know about working with 3rd party vendors and being safe:

What is Vendor Risk Management?

Vendor risk management involves identifying and decreasing legal liabilities and uncertainties in business. It also entails managing how third-party vendors deal with sensitive information.

Sensitive data is transmitted and processed on company and vendor networks. When you hire a 3rd party vendor, all of this data is processed and saved on their database, even if they don’t create a back-up.

Sensitive information like credit card numbers, passwords, and social security numbers don’t simply linger in a database. This data gets transmitted to other areas. For instance, data often gets transmitted to logging servers.

Implementing vendor risk management policies lessen the likelihood of sensitive information getting abused.

Develop a Strategy

Vendor risk management involves vendor risk assessment. Only get involved with honest, trustworthy vendors. Develop a set of questions vendors must answer to assess their risk level.

A good strategy always has a contract that details the business relationship between the organization and the business. Your contract should have stipulations that vendors must meet to ensure high-quality performance in maintaining cybersecurity. Their performance should be regularly monitored.

The vendor agreement should have guidelines explaining who has access to what information. There should also be explicitly stated rules against abusing this information.

Choose and Monitor Vendors Wisely

All vendors should meet stipulations that comply with the regulatory guidelines of your industry. How vendors are meeting these stipulations should always be monitored.

For instance, if your vendor has a 10% failure rate in internet software patching, can you really trust them with sensitive information? Research vendors thoroughly and don’t be afraid to ask questions.

Your vendors should have a security policy and procedures that extend beyond the bare minimum. Without written policies, security risk assessment is left to individual interpretation.

Look out for vendors who’ve gained special recognition for their security practices. This includes awards and certifications from organizations like Service Organization Controls (SOC) and the Health Information Trust Alliance (HITRUST).

You should always verify that your vendor conducts regular information security risk assessments. Security risk assessments should evaluate the likelihood of risks and their impact, implement changes to fix the risk, and document those changes afterward.

Encrypt Data In Transit

Encryption protects data by making it unreadable without a password.

Sure, it’s easy to claim data is encrypted when it’s on the server, but what about in transit? Third parties vendors should be encrypting sensitive information while it’s being transmitted to another server.

Ask vendors specific questions about how they protect data in transit in certain situations. Make sure the keys used to encrypt the data are highly protected.

Keep Your Data Safe and Secure

Nearly 76% of all IT security breaches are money-motivated. Save yourself money and time with vendor risk management.

Give yourself some peace of mind and learn more about cybersecurity. You’re better off safe than sorry.

    Immersion Security

    Providers of vCISO (Virtual Chief Information Security Officer), Secure MSP (Managed Service Provider), Compliance and Consulting.

    Immersion Security is a team of dedicated cyber security experts and researchers who are dedicated to bringing the best and most up-to-date information, technology, and practices to your business.

    ADDRESS

    37 N. Orange Ave.
    Orlando, FL 32801

    PHONE

    833-828-2732

    EMAIL

    info@immersionsecurity.com