How to be PCI Compliant: Top 5 Dos and Don'ts

No matter how small or big your business is, if it accepts, stores, and transmits credit/debit card data, it must be PCI compliant. Lucky for you, we’re breaking down everything you need to know about how to be PCI compliant.

In today’s environment, no one can afford to play fast and loose with sensitive data. In 2017 alone, data breaches cost American companies 7.35 million dollars.

This is what the Payment Card Industry Data Security Standard (PCI DSS) is for. Credit card data is often targeted by data thieves, and IT companies that handle it need to follow special precautions.

While following these regulations may seem like a headache, it’s much more costly to suffer a data breach. In fact, non-compliance can cost an organization up to $500,000 per incident.

Check out this guide for more details on how to be PCI compliant.

1. Do Use a Secure Network

The first step in building a secure network is to create and install a firewall configuration system unique to your company. There should be a clear policy and configuration test procedure that is regularly updated. Maintaining these firewalls is best practice for maintaining PCI compliance.

Don’t use the default system passwords provided by software vendors. Instead, create passwords unique to your organization and manage their use regularly.

2. Do Protect Data

Companies that do not store data are saving themselves a lot of work when it comes to PCI compliance.

If you do store data, you need both virtual and physical protection from your hosting provider. Virtually, make sure they have several layers of protection that include passwords, authentication, and authorization.

Physically, your private data hosting provider should securely store their servers. This means housing the equipment in a locked environment.

3. Do Use a Vulnerability Management Program

If managing your own private data, anti-virus software is a must. As with all software, it needs to be regularly updated.

If outsourcing your data storage, make sure the company keeps audit logs of their system checks. You can ask for these regularly to ensure the company is responsibly handling the data.

Security vulnerabilities are an inevitability. This is why your system should regularly identify them so they can be properly addressed as they occur. Alert systems should be in place to do this.

4. Do Have Strong Access Control

Having strong access control means limiting access to protected data. This will limit the potential for mishandling and misusing that data.

Those with access should have user accounts with password encryption, regular password updates, login time limits, and other authentication procedures.

The physical environment holding the sensitive data needs entry authentication and thorough surveillance.

5. Do Have an Information Security Policy

Work policies must reflect PCI compliance, and employees should be knowledgeable about them. These policies should discuss how employees should and should not use company technology. They should also detail security procedures.

In addition to sharing the content of the policy, the company should review it with staff. Quality checks of policy adherence can help with data risk management.

More on How to Be PCI Compliant

In our increasingly digital world, PCI compliance is more important than ever before. Unfortunately, PCI compliance is a complicated task and many businesses struggle to meet it.

To learn more about how to be PCI compliant, check out our blog page.

The Importance of Having a Security Incident Response Plan

Having a Security Incident Response Plan is a Must for Businesses

Having a system in place for preventing cyber attacks is not an option for businesses. It’s a must. Part of that is having a security incident response plan at the ready in case prevention methods fail. Let’s talk about what it means to have an incident response plan and how you can go about making one for your company.

60% of businesses that experience cyber attacks will go out of business within 6 months.

The reason the majority of businesses go out of business after a security breach is that they don’t prepare for it. Not only are they unable to protect their company from an attack, but they can’t control the damage either.

With technology always advancing, different types of cyber attacks are a common occurrence for small businesses.

This is why it’s so important to have a security incident response plan in place in case a cyber attack does happen. In this blog, we’ll discuss the different aspects of security incident response that you should plan for right now.

Important Aspects of Your Security Incident Response Plan

Cyber attacks happen often, especially if you don’t have a reliable risk management company protecting your business.

This means you need to have a solid plan in place that will minimize the damage and potentially save your company from going out of business.

Plan of Action

You need to create an initial plan of action that will go into effect right when you learn of a cyber attack.

First, you need to find the source of the security breach. Then you need to see how far into your system the breach has spread. Finally, you’ll stop it from further spreading, and eliminate the cyber threat.

Then, you’ll want to switch to backup servers so you can continue working safely and obtain any info you need from these servers.

Notify Customers, Clients, and Partners

Once the security breach has been taken care of, you need to notify everyone that could have been affected by the cyber attack.

If your system contained client information, clients need to be made aware that their information could have been stolen. This will allow everyone affected to take the necessary steps to protect themselves from any further harm.

Gather Forensic Info

Once the threat has been eliminated and you’ve moved to backup systems, you’ll want to investigate your affected servers.

You need to gather as much information as you can about the cyber attack, such as how it happened and where it originated.

Once you’ve gathered all of the necessary information, contact the authorities so they can try to find out who conducted the attack.

Hire a Cyber Security Company

The best way to prevent another cyber attack is by hiring a cyber risk management company that will give your systems the protection they need.

The last thing you want is to suffer back-to-back cyber attacks because you didn’t change your security approach. Customers may be forgiving after one breach of security, but you’ll almost certainly lose them after a second cyber attack.

For More Information

If you want to decrease the risk of your company failing due to suffering from a cyber attack, you need to have a security incident response plan.

This plan should consist of a plan of action, notifying the people affected, gathering info, and ultimately hiring a cyber risk management company.

For more information on how you can help protect your business from cyber attacks, please contact us today.

How to Prevent Data Breaches to Protect Your Business

The last thing you want is for a data breach to happen on your watch. But preventing data breaches can only be done when you have a solid plan. This guide will show you how to prevent data breaches to protect your business and clients.

When it comes to keeping your data safe, we have some bad news and good news.

First, the bad news. According to Verizon, there were over 53,000 incidents and more than 2,000 data breaches within the past year. To make matters worse, these numbers are only expected to rise in the coming years.

So what’s the good news? Your business doesn’t have to fall victim to cybercrime.

Here are some tips on how to prevent data breaches at your workplace and strengthen your team’s cybersecurity effortlessly:

Restrict Download and Website Access

Recent phishing scams are a great example of how cybercriminals are getting smarter every day. Take, for instance, the recent outbreak of fake Apple emails.

Users would receive an email stating that their Apple ID was compromised, with instructions to click a link to recoup their lost access.

However, once the unlucky recipient clicked on the embedded link and “changed” their account info, hackers could then access their Apple account information. That includes their credit card information.

It became such a problem that Apple had to get in front of the problem and create a guide to help users determine what was and wasn’t a legitimate email.

So how does this pertain to your workplace? Well, most scams aren’t obvious. Even a tech-savvy individual could fall for a fake email if the sender’s address looks legitimate.

Improving your office’s web security can prevent employees from accidentally exposing important information. Restrict access to downloads (unless absolutely necessary) and keep an eye on your business’s list of trusted websites.

Educate Your Team on Cybersecurity Protocol

As the saying goes, the best type of offense is a great defense. Even if you have a great IT team, data breach prevention starts with employee education.

Once per quarter or so, gather your employees and brief them on cybersecurity trends. Include common types of scams as well as information on how they, as employees, can keep data safe.

Even if your meeting is brief, stress the importance of keeping company data secure.

This includes routinely checking password strength. If your employees are using weak passwords, they’re putting your entire system at risk.

Encourage employees to create complex passwords with alphanumeric and special characters.

Create a Breach Response Plan

What would you do if your company suffered a data breach at this moment?

If you don’t have an immediate answer to this question, it’s time to put together a data breach protocol plan.

Come up with an extensive strategy for how to handle the very real possibility of a data breach. Even if you never have to use this plan, just having the resources and information at your disposal can put your whole company at ease.

Learn How to Prevent Data Breaches

Want more specifics on how to prevent data breaches? Get in touch with our team at Immersion Security.

We’re dedicated to keeping your data right where it belongs. A few minutes of your time could save your business millions of dollars.

HIPAA Compliance Checklist: Is Your Website HIPAA Compliant?

If you have a medical website or software, you need to make sure it’s HIPAA compliant. Here, we’ll talk about HIPAA and how to put together a HIPAA compliance checklist to make sure you’re doing everything to keep your medical website or software HIPAA compliant.

It doesn’t matter whether you’re a medical practice or a third-party business provider. If you’re a covered entity, then your website needs to meet HIPAA requirements.

HIPAA policies are complex and are subject to change based on the whims of the Department of Health and Human Services. Despite the convoluted nature of these rules, an underlying theme runs through every rule: privacy and security.

You’ll need to:

  1. Protect patient health information
  2. Keep data private
  3. Inform any partners of the rules
  4. Limit internal use of patient health information

What does this mean in practice? Follow this HIPAA compliance checklist to keep your website compliant.

How to Become HIPAA Compliant: HIPAA Compliance Checklist

HIPAA compliance requires careful attention to detail. To get started, ensure these four critical elements are part of your website.

1. Encryption

All data in all forms must be encrypted. It must remain encrypted when:

  • Stored
  • Sent
  • Archived

Consider using SSL as a baseline encryption system. SSL is a common form of encryption, and it also meets the HIPAA data security standards.

2. Data Management

A transparent data management process should already be in place with your healthcare management software. The same policy applies to your website.

Storage, transmission, and deletion should all be covered. The regulation lists several proper disposal methods for health information on electronic media, including:

  • Clearing
  • Purging
  • Destruction

In most cases, you’ll need to attach a trusted data disposal system to your website to dispose of data according to HIPAA rules.

3. HIPAA Privacy Officer

You must have a named HIPAA privacy officer. A HIPAA privacy officer is a person who works with patient health information and keeps the whole organization accountable to HIPAA rules. Your privacy officer performs the role of keeping up-to-date with all the present rules and regulations.

Nominating a HIPAA privacy officer is required for general compliance. You’ll need to list their contact details on the website because as the patient privacy specialist, they’ll also be the contact person for all privacy issues.

4. Display HIPAA Policy

HIPAA rule 45 CFR 164.520 says all patients and customers have the right to be informed of their provider’s privacy practices.

Your organization’s HIPAA policy must be displayed on your website. It should include:

  • How the organization uses protected health information
  • When the organization may disclose the information
  • What rights patients have and how to exercise those rights
  • What the organization is legally required to do with the information
  • Who to contact (HIPAA Privacy Officer) with questions or concerns

Remember to display your policy in clear, concise language that’s understandable to the general public.

Stay Compliant

Remaining compliant with HIPAA regulations is right for your organization and for your patients. Keeping a close eye on sensitive health data is part of caring for patients because it protects patients from damaging disclosures. Additionally, HIPAA violations start at $100 per violation and range up to $50,000 per violation depending on negligence.

For a complete HIPAA compliance checklist for your website, contact Immersion Security today for a customized approach to privacy and security.

4 Cybersecurity Trends That Could Impact Your Business in 2018

Cybersecurity threats are a never-ending concern for businesses. It doesn’t matter how big or small your company is; it pays to know the cybersecurity trends that could affect how your business operates this year.

In 2017, there were more than 2.5 billion records stolen, exposed or lost around the globe. This represents an 88 percent increase from 2016.

While 2017 was a huge year regarding cyber-attacks, that doesn’t mean that cybercrime is taking a break in 2018. In fact, there have already been countless attacks.

As a company or business owner, it’s imperative that you know the types of threats that may impact your business. However, what’s even more important is being aware of what’s going on in this industry.

Learn more about the four biggest cybersecurity trends that may impact your business in 2018.

1. 2018 Will Make History in Regard to Cyberattacks

While many thought 2017 would be the worst year for cyberattacks, this simply isn’t the case. What’s been seen thus far in 2018 is just the tip of the iceberg.

The main issues that have caused most of the recent cyber breaches haven’t been resolved.

Today’s IT departments have the task of managing more complex networks than ever before, while supporting more types of endpoints and protecting more sensitive data.

Attackers are also becoming more sophisticated, with more incentives to mount cyberattacks.

An even bigger problem is that legacy systems still dominate many businesses and organizations. These are being decommissioned, but it is a process that will take years.

2. Physical Harm is Going to Result from Cyberattacks

Successfully securing the IoT (Internet of Things) is more important than securing traditional IT networks. There’s a simple reason for this.

IoT attacks are a threat to public safety.

Hacked mobile devices and computers usually can’t cause physical harm. While this can be frustrating, it doesn’t compare to being involved in a car accident or having your pacemaker or infusion pump compromised.

IoT is going to literally become a matter of life and death. You can’t just sit around and wait for this to happen.

With the growing use of IoT and a lax concern regarding security, it’s really only a matter of time until criminals and hackers breach the critical connected infrastructure and devices, causing direct physical harm to people.

3. Hackers Will Begin Targeting Employees

Most IT departments focus their spending on actively preventing external attacks. However, the reality is that the majority of data breaches begin internally.

This happens by sharing documents via unsecured consumer applications, or by falling for phishing attacks that are becoming more and more sophisticated.

As technical defenses continue to improve, workers are considered the weakest link. As a result, they are targeted more than ever by attackers.

Wondering what the best method of protection is? Hack yourself.

Bring in ethical hackers to help you find vulnerabilities and fix them. Also, be sure to educate employees. If they don’t know the risks, they can’t be part of preventing a breach.

4. Cybersecurity Products and Insurance Go Together

In 2018, it doesn’t matter what employee or system is proven to be the weakest link. Huge corporate data breaches are going to happen, and insurance companies are now taking notice.

They take notice because an attack on their clients can be both harmful and helpful to their bottom line.

Not only are more firms going to see additional cyber policyholders, but the avenues of high tech cybersecurity products and insurance are going to go together to help manage risk.

Being Informed of Cybersecurity Trends is the Best Way to Protect Your Business

There’s no sign that cybersecurity attacks and breaches are slowing down anytime soon.

While steps are being taken to try and prevent these situations, they still aren’t entirely effective.

Being aware of the cybersecurity trends can help you protect your business from serious harm and loss.

If you want to learn more about cyber protection and why it’s so important, visit our blog. To find solutions to your cybersecurity woes, contact our team.

Cyber Security Basics You Should Know

With IBM estimating that the average cost of a data breach for a company sits around $3.6 million, it’s essential that your company takes cybersecurity seriously. As just about every element of our daily lives becomes networked, hackers are finding increasingly sophisticated ways of breaking into a company’s system. You need to implement some cyber security basics to protect your company and your clients.

The massive amount of revenue lost from a data breach can come via lawsuits, a damaged reputation, and lower sales in the future. Your business can’t afford to be in newspaper headlines for something other than the quality of your products and services. Even companies that aren’t tech savvy need to take cybersecurity into consideration now.

If you want to know some cyber security basics, here are 4 concepts your company should master as soon as possible.

1. Multiple Passwords

One of the most important things you can remember in cybersecurity is that if you use one password for everything, you set yourself up for problems. Imagine if you had one key for your safe, your car, your house, and your safe deposit box. All anyone would have to do is to get that key to get control of everything.

Unfortunately, lots of people do this and it’s why lots of people get hacked. Remind your employees to use different passwords for everything.

2. Secure Wi-Fi

Believe it or not, your beloved wi-fi router could be the gateway to your most secure data. Your neighbors or even someone parked outside your building could get into your network and start snooping around.

If you have any unsecured devices on an unsecured network, you’re basically leaving it open to any student who has ever taken a computer science 101 course. If you don’t protect access to your network, you’re in for trouble.

3. Two-Factor Authentication

Two-factor authentication is a prophylactic measure against the problems with duplicate passwords. Two-factor authentication systems will send a code with a few digits to a device belonging to the owner of the account being logged into. After they enter their regular password, they must then enter these digits within a few minutes to gain access.
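As an added illustration (not code from the original post), this Python sketch models the two steps described above: a short numeric code is issued for delivery to the account owner’s device, and it is accepted only once, only within a few-minute window, and only for a limited number of guesses. The class name, field names and constants are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6          # "a code with a few digits"
CODE_TTL_SECONDS = 300   # the "few minutes" the user has to type it in
MAX_ATTEMPTS = 5         # a mistyped code is normal; guessing is not


@dataclass
class PendingCode:
    digest: bytes         # keyed hash of the code; the code itself is never stored
    expires_at: float
    attempts: int = 0


@dataclass
class SecondFactor:
    """Second step after the password: issue a one-time code to deliver out of band
    (SMS, authenticator push) and check what the user types back. Constructed example."""
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)

    def _digest(self, user: str, code: str) -> bytes:
        # Keyed hash: a leaked table of pending codes is useless without server_key.
        msg = f"{user}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for `user` and return it for delivery.
        Any earlier unused code for that user is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(self._digest(user, code), now + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, code: str, now: float) -> str:
        """Return 'ok', or why the code was rejected: 'no_code', 'expired',
        'wrong', or 'locked'. Success, expiry and lockout all discard the code."""
        entry = self.pending.get(user)
        if entry is None:
            return "no_code"                 # nothing issued, or already used
        if now > entry.expires_at:
            del self.pending[user]
            return "expired"
        entry.attempts += 1
        # Constant-time comparison: a mismatch must not reveal how close the guess was.
        if hmac.compare_digest(entry.digest, self._digest(user, code)):
            del self.pending[user]           # single use
            return "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]           # too many misses: force a new code
            return "locked"
        return "wrong"


if __name__ == "__main__":
    sf = SecondFactor()
    t0 = 1_700_000_000.0                     # constructed timestamp
    code = sf.issue("alice", t0)             # in practice this is sent to the device
    print(sf.verify("alice", code, t0 + 60))  # ok
    print(sf.verify("alice", code, t0 + 61))  # no_code (single use)
```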

4. Update Your Software

Security limitations and needs change on a daily basis. Software companies know this, and that’s why they’re constantly asking users to update their operating system and their software. By updating, you download the latest protections against new viruses or ransomware.

It’s the technological equivalent of getting a flu shot. It can keep your data from leaking, which you’d agree is much more detrimental than a runny nose.

Cyber Security Basics Are Easy And Save Money

You can’t afford to have your profits disrupted by a major hack. While companies know they should take cybersecurity seriously, they still don’t. This can be a selling point for your company and allow you to catch all of the clients that other companies lose after a hack.

Several countries and states are now adding cybersecurity requirements for all businesses. Check out our guide to the major changes going on in Europe.

    Immersion Security

    Providers of vCISO (Virtual Chief Information Security Officer), Secure MSP (Managed Service Provider), Compliance and Consulting.

    Immersion Security is a team of dedicated cyber security experts and researchers who are dedicated to bringing the best and most up-to-date information, technology, and practices to your business.


    37 N. Orange Ave.
    Orlando, FL 32801