Privacy

Zero Trust – What Is It and Should You Care?

Zero Trust is a term that gets thrown around a lot, but what does it actually mean? Zero Trust is a security framework that, at a macro level, is as simple as the name suggests: you “never trust, always verify” – meaning no user or application is trusted by default. Identity must be verified continuously for access to any of an organization’s assets. What this fundamentally means is that you can’t assume that users or applications inside your network are who they say they are. This has become more relevant as the traditional network perimeter has increasingly been replaced by cloud environments and employees in work from home (WFH) environments. There are numerous ways a Zero Trust architecture can add value to an organization’s data and security infrastructure, especially considering that one of its core pillars is a focus on proper policy execution and implementation.

With the rise of decentralized workforces and less defined network perimeters, there is an evolving need to change how we think about defense in depth. It is no longer sufficient to think only about firewalls and DMZs; that’s where trust-based security comes into play. Identity, and its continuous verification, becomes the new perimeter. In an ideal environment, even if an attacker is able to breach the network, they should find themselves relatively limited in their access, as each account, application, and user requires continuous verification. If a remote worker’s account is compromised, the breach should be limited to only their account, and the attacker should find limited usable data while struggling to move laterally through the network to get a more advantageous foothold. A similar result can be achieved through operational excellence in implementing least privilege and user access controls. Least privilege is the concept that a user account, application, or process should only have those privileges that are essential for its intended function and nothing more. Access controls are intended to verify a user’s identity and to limit access to resources and information to only those users, applications, and processes which are authorized. While there are many tools out there that can help you achieve Zero Trust, the principles are rooted in controls you should already be practicing, like the principle of least privilege and user access controls.

While some enterprise-level organizations may apply complex behavioral data and analysis run through Security Information and Event Managers (SIEMs) to enhance and build out their trust-based security posture, any organization can create a reliable trust-based security posture with the right policies and buy-in. To achieve this, you’ll need to apply the principle of least privilege, implement access control systems, and regularly review these permissions and policies. You’ll also likely need to employ a Mobile Device Management (MDM) tool to ensure that all devices are in compliance with your trust-based security posture. Failure to enforce other basic security practices, such as maintaining encryption when data is at rest, could jeopardize the effectiveness of your trust-based security posture. It is always a good idea to routinely perform internal security audits to identify any additional shortcomings in your security posture and practices.

Still confused? CyberData Pros can work with your team on an internal audit and data mapping exercise to help you better understand your company’s posture. We will then classify your data and help you put together an action plan. Contact us now for a free consultation and to learn more about our services.

Risk Controls: What Are They and Do You Have Them?

So what are Risk Controls? Put simply, they’re a defined set of proactive steps or strategies that entities use to address risks to their business. These risks can include anything from technical and compliance concerns like data privacy and cybersecurity all the way to natural disasters and financial losses. These controls are an integral part of the larger risk management process that all businesses have to consider. While this process as a whole encompasses the identification, evaluation, prioritization, and remediation of risks, these controls serve as the answer to that all-important question at the end of the day: how do we fix it? Let’s take a look at the 5 typical classifications of risk controls (Remediation, Avoidance, Transference, Mitigation, and Acceptance) to see exactly how they answer that question, and how you might be able to use them within your own organization.

Starting off, we have Remediation. This is a control that, when implemented, eliminates most if not all of an identified risk. This is a great strategy to adopt in instances like a software vulnerability where a patch or update can be applied. It’s quick, effective, and inexpensive to implement. While remediation may seem like an obvious strategy for a number of risks, there can often be a number of factors that prevent it from being a viable solution. Another control, Avoidance, can be a great way to fill some of those gaps. Rather than saying, “If there is an issue, we will fix it”, the concept of Risk Avoidance focuses on eliminating non-critical systems or processes entirely, preventing the proliferation of risk before it can occur at all. This strategy can offer some fantastic benefits like cost savings and reduced organizational complexity, but like remediation it’s no catch-all solution. There are plenty of risks that are simply inherent to the core of many businesses and are thus inevitable. So what can we do about it?

Mitigation, also referred to as Reduction, is a great strategy to apply in situations with inherent risk, as it seeks to lessen the likelihood of the risk being exploited. This type of control is typically most viable in unavoidable situations where there are steps that can be taken that will greatly diminish the risk but none that can remediate it completely. Scenarios like this often occur when there are known vulnerabilities within critical systems that are too important to be removed, so an organization tries to lessen the likelihood of that risk being realized through additional controls such as firewalls or antivirus software.

So what if you’re a small business and these strategies are too expensive or complex for your organization to implement with its limited resources? Well, Transference could be just the thing for you. This control essentially passes risks to a third party, like a service vendor or insurance company. By utilizing vendors for high-risk business functions, like servers and physical security, an organization can push the assessed risk to the vendor to manage. In the case of insurance, transferring the risk means recovering the costs associated with it, should an incident occur.

Now, let’s face it: in the real world, there just isn’t always a simple, easy, or inexpensive solution for everything. In these cases, Acceptance is a risk control that doesn’t try to reduce the risk at all. Rather, Acceptance takes the cost and complexities of the other risk controls and weighs them against the costs and consequences of the risk itself. If the cost and complexity of controlling the risk outweigh those of the risk itself being realized, the most pertinent control may be to simply accept the risk as it stands. Typically, this option is only considered when the consequences of the risk are relatively low. For example, Acceptance would not be a viable strategy for business-critical systems. Understanding the differences in these situations and how to apply the proper control is critical to effective risk management and governance. The modern business landscape is ever changing, which is why risk management should be a continuous, evolving part of an organization’s infrastructure. By continuously monitoring and assessing new and even previously identified risks and controls, you can rest easy knowing that your organization is managing its risks to the best of its ability.

CyberData Pros can run a risk assessment to determine your company’s risks. We will then classify them and help you put together an action plan. Contact us now for a free consultation and to learn more about our services.

DLP Rules – What Are They and Why You Need Them

In the business world of today, a data breach can cause damage of all kinds to a company. The repercussions of such an incident can include loss of customers and clients, damage to the brand and reputation, and of course, major financial losses. While it is impossible to completely eliminate risk altogether, there are many tools available that can be used to help decrease it. One such tool is what is known as Data Loss Prevention, or DLP. By implementing one or more DLP products, your organization can be sure it is taking a vital step towards protecting its data.

Before explaining how DLP technologies work, let’s first run through a few of the reasons why an organization would need DLP and explore what exactly DLP is. Data breaches have become commonplace in the news media, but generally these stories tend to focus on external attacks from criminals or governments. However, a data breach can (and does!) occur as a result of an insider threat too, even in cases where it is unintentional. These insider threats, along with an increase in sensitive data such as intangible assets and more compliance regulations to contend with, require a modern solution that organizations can leverage to protect themselves. DLP addresses all of these concerns.

DLP refers to a set of software tools and processes which work to ensure that sensitive or critical information is not lost, misused, or accessed without authorization. After data is prioritized and classified by an organization, DLP rules are set up that can monitor and control the intended or unintended sharing of data. If one of these rules is violated, then the DLP software will jump in to remediate the issue through protective actions such as alerts, permission denials, encryption, etc. For example, if an employee were to try to send an email containing a 16-digit credit card number, a DLP rule could detect that potentially sensitive information is about to be shared and then might notify the sender with a warning, alert the security team, or even prevent the email from being sent altogether.

There are a variety of DLP deployment solutions that work to protect data at rest, in motion, and in use. Examples of the primary architectures are email, endpoint, network, discovery, and cloud DLP. Your organization may require the use of one, some, or all of these, so it is important to define your objectives and determine which are the most appropriate for your use case. In any case, DLP products work using two methods: contextual analysis, and content analysis based on string matches. Exploring the specifics of how these methodologies function can get quite technical and in-depth, so for now just realize that it involves things such as file checksum analysis and lexicon matches.
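As an added illustration (not code from this post or from any DLP product), here is a small Python model of the credit-card rule described above, combined with the lexicon match and contextual analysis mentioned in this paragraph: the 16-digit match is confirmed with a Luhn check to cut false positives, and the same content is treated as riskier when the recipient is outside the organization. The internal domain, lexicon terms, and sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical internal domain used for the contextual check (assumption, not from the post).
INTERNAL_DOMAINS = {"example.com"}

# Content rule 1: a 16-digit run, optionally separated by spaces or dashes,
# that is not embedded inside a longer string of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Content rule 2: a small constructed lexicon of terms that suggest sensitive content.
LEXICON = ("confidential", "social security", "account number", "passport")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                              # "allow", "warn", or "block"
    findings: list = field(default_factory=list)


def evaluate_email(sender: str, recipient: str, body: str) -> Verdict:
    """Apply the constructed DLP rules to one outbound message and decide what to do."""
    findings, card_hits = [], 0
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            card_hits += 1
            findings.append("card number ending in " + digits[-4:])   # never log the full number
        else:
            findings.append("16-digit run failed Luhn check (not treated as a card)")
    lower = body.lower()
    lexicon_hits = [term for term in LEXICON if term in lower]
    findings.extend("lexicon match: " + t for t in lexicon_hits)

    # Contextual analysis: where the data is going matters as much as what it contains.
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    external = recipient_domain not in INTERNAL_DOMAINS

    if card_hits and external:
        return Verdict("block", findings)    # stop the send and alert the security team
    if card_hits or lexicon_hits:
        return Verdict("warn", findings)     # notify the sender so they can reconsider
    return Verdict("allow", findings)


# Constructed sample messages (not real data); 4111 1111 1111 1111 is a well-known test number.
SAMPLES = [
    ("alice@example.com", "vendor@partner.test", "Card on file: 4111 1111 1111 1111, please charge it."),
    ("alice@example.com", "bob@example.com", "Card on file: 4111-1111-1111-1111 for the expense report."),
    ("alice@example.com", "vendor@partner.test", "Tracking number 1234567890123456 shipped today."),
    ("alice@example.com", "vendor@partner.test", "Attached is the CONFIDENTIAL roadmap."),
]


def run_samples() -> list:
    """Evaluate every sample and return the resulting actions in order."""
    return [evaluate_email(*s).action for s in SAMPLES]


if __name__ == "__main__":
    for sample, action in zip(SAMPLES, run_samples()):
        print(action.upper(), "->", sample[1], "|", evaluate_email(*sample).findings)
```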

In sum, as our world continues to collect and store ever-increasing amounts of data, it is more important than ever to take every step possible to minimize risk. Since total elimination of risk isn’t possible, making use of the tools available to help your organization be proactive in protecting its data should be a top priority. Don’t wait until it’s too late and the damage has already been done – take steps today to protect your data tomorrow. 

Let CyberData Pros help you understand where your data sits, access control, and how to protect that data. Contact us now for a free consultation and to learn more about our services.

Risk Assessments: What Are They and Do I Need One

As businesses grow, both in size and organizational complexity, so should the scope of their privacy and security efforts. This is an important lesson which many companies have unfortunately had to learn the hard way. But who among us can honestly blame them? The cybersecurity landscape can be VERY complicated. Penetration testing, data encryption, password management, user access controls, firewalls, domain administration, cloud servers, international data and privacy laws; these are just a fraction of the things you have to consider when you start looking at your security posture. Heck, these days even your printer could be considered a cybersecurity risk!

So where do you start? You know you have to do something, but finding a place to start in such a vast and overwhelming space can be a barrier in and of itself. More often than not, simply understanding what you have that is at risk, and the factors that are putting you at risk, are the best first steps to put your company on the right path. Luckily the industry has a solution for this very scenario. Enter the cybersecurity risk assessment.

A risk assessment is a fantastic tool that takes a broad, contextual look into the privacy and security of your business, which can be simplified into three major objectives. The first objective is identifying information assets that could be targets of, or affected by, a security breach. By understanding what assets are at risk to begin with, you can more easily focus on plans and important objectives for protecting them. This can also help you understand more about your privacy and security needs in general. Do you really need that expensive IPS your IT manager asked for? Should you be looking at ISO 27001 certification? Risk assessments can help answer those questions for you.

After identifying your assets, the second objective is identifying the risks to, or associated with, those assets. In other words, what risks do those assets come with, and what aspects of your company infrastructure could be putting those assets at risk? This can range from very technical things like firewall misconfigurations, or vulnerable software running on company servers, to less technical things like unlocked doors and misplaced camera systems. This is the part of the assessment where you can start to see the work that needs to be done, and you can start prioritizing findings by criticality. This will tell you which findings are important and must be remedied immediately, and which might be considered minor and worth accepting if there are more important gaps to remedy first.

Once you understand your risks, the last major objective is, of course, remediation. Starting with the most critical findings, a risk assessment will assign responsibility for these risks within the organization, as well as goals and guidance for mitigating them. Sometimes referred to as a ‘Treatment Plan’, this clear and concise documentation of the issues at hand drastically reduces the time it can take to alleviate them. Assigning responsibility for these risks also creates a sense of ownership and accountability within the organization to ensure they are not only fixed quickly, but are maintained over time.

While risk assessments are phenomenal for newer businesses just getting started on building their cybersecurity infrastructure, they are also incredibly important for established security teams. Regular risk assessments allow your company to track progress, quantify improvements made, and continue to identify new opportunities for improvement as you change and grow. This ensures that as new clients join, or new services are offered, you can maintain a comfortable footing within your risk management structure, as well as a potential competitive advantage over others in your space. As the data privacy and security requirements of the biggest companies in the world continue to grow, due diligence and proactive tactics that show your organization is committed to handling their data responsibly and securely can make all the difference when they are deciding who gets that next big contract.

Let CyberData Pros conduct a Risk Assessment for your business and help identify any data privacy/security gaps that may exist. Contact us now for a free consultation and to learn more about our services.

Virtual Chief Privacy Officer Services That Make Sense for Your Business

Let’s face it: privacy can be a pain for businesses. It can feel like a burden on your company’s time and resources, and be overwhelming to manage with mountains of governmental oversight and regulation to navigate. As the digital age continues forward, it has become more and more obvious that these are not just growing pains that will simply go away. If you own or manage a small to medium sized business, this fact is likely something that has more than just crossed your mind over recent years as you continued to grow. You may be asking yourself: “Am I prepared to handle this data?”, “What kind of risks am I currently accepting?”, “How do I know if my business is handling compliance in a proper way?”.

Enter the Chief Privacy Officer, or CPO. The CPO role is designed to answer all these questions, as well as alleviate the burden of data privacy and security compliance. This includes an ever-growing list of international and domestic privacy regulations such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), CPPA (Canadian Consumer Privacy Protection Act), and VCDPA (Virginia Consumer Data Privacy Act). A CPO possesses the expertise to build and guide a business through these arduous security and privacy processes. This encompasses simpler things such as a privacy policy, all the way to the not-so-simple things like international consumer data laws and security compliance for the company’s entire network and data infrastructure.

As you might imagine, a role like this is not filled easily, nor cheaply. CPOs often have decades of experience, with paychecks to match, and are in increasingly high demand with the exponential growth of digital and international market spaces. So how is a small to medium business expected to acquire one? Can your business support another C-level paycheck? How about another big, expensive office space? What about supporting staff and equipment? You can see how quickly hiring and implementing a CPO can become a struggle in its own right, especially when you may already be stretched thin in a period of rapid growth, i.e., when you might need one the most. Well, there’s a solution for that as well.

Modern problems require modern solutions, which is exactly what a vCPO, or virtual Chief Privacy Officer, is meant to be. A vCPO, sometimes referred to as CPO-as-a-Service, can offer the experience, knowledge, and expertise in the data privacy and security field that so many quickly growing businesses need, without the daunting costs, resource drain, and complexity associated with building what amounts to an entire new division of the company. The vCPO can offer any and all solutions a traditional CPO can. This includes understanding and implementing both international and domestic privacy regulations, company data ethics and practices such as handling PII (Personally Identifiable Information), as well as incident response planning and documentation. So what allows a vCPO to do all this and still save money? The answer is scalability. A vCPO solution can grow, shrink, and customize itself to the exact needs and challenges of your business as it stands, and as it changes. It brings its own support and resources to you in a neat and tidy package, giving you the ability to focus on growth and getting privacy and security out of the way!

If you have additional questions or need a virtual Chief Privacy Officer, contact CyberData Pros and we can help. Let us help put together a plan and keep your business in full compliance.

Why Do I Need Privacy and Security Documentation for My Business?

Documenting important processes for your business and employees is critical to the overall success of the business. This is no different than privacy and security documentation for your business. Having the proper documentation for your business will help with client/vendor questionnaires, insurance for your business, and knowing how secure data is.

There are multiple pieces of data privacy and security documentation that your business needs. Documentation does differ from industry to industry, but many of the critical documents are universal across the board. I’ve outlined some of these critical documents below:

IT Security Policy

Document that lays out the internal security policies of how the business uses, stores, and processes data. May include other policies such as Clean Desk, Remote Working, Responsible Parties, etc.

Disaster Recovery Plan

Set of policies and procedures on how to enable the recovery of vital infrastructure and systems following a disaster. The important portion of this document should outline critical processes and how long each process can be down in order for your business to recover.

Business Continuity Plan

Documented plan and process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations during the execution of disaster recovery.

Data Classification Policy

Policy document to classify different types of data into separate categories in order to understand “sensitivity”. These classifications could include levels such as Public, Sensitive, Private, Top Secret, etc.

Incident Response Plan

A planned set of instructions to help IT detect, respond to, and recover from data privacy or security incidents. These types of plans address issues like cybercrime, data loss, and service outages.

Risk Management Policy

Policy document that aims to provide guidance regarding the management of risk to support the achievement of corporate objectives.

Keeping your documentation current is essential so that critical pieces of the business are known to all. The worst thing that can happen is an employee walks out the door and nothing is documented. Consider this a major issue for your data privacy and security documentation.

If you feel you don’t have the proper documentation, or don’t know where to start, contact CyberData Pros and we can help. It is not only important to have the proper documentation for the business, but also to keep it updated. Let us help put together a plan and carry it out to keep your business in full compliance.

Painful Experiences – Client and Vendor Security Questionnaires

It happens all the time. A client or vendor sends over a security questionnaire and you don’t know where to start. How do you fill this out? What if I make a mistake? What if I can’t answer their questions? These are just a few questions that may come to mind. In today’s world of strict compliance, these security questionnaires are becoming the norm. Being prepared and having answers is critical to ongoing business. Let’s break these down and look at how to approach them.

A typical security questionnaire is going to cover areas of your business that range from documentation of disaster recovery to physical security mechanisms in your business. On average, these questionnaires can be “hundreds” of questions long! Yes, you read that right and many of these require answers within a few weeks.

Start with the privacy and security documentation that you have written, and know that you may need to provide some of it. We recently wrote a blog about the kinds of documentation to have and why it is important. Creating a document and data bank of answers will help you get through these questionnaires faster in the long run.

Understand the “technical” data privacy and security areas of your organization. You may have a department at your company that can help fill out the technical questions. This is great, but make sure you understand the answers in case there is any need for justification.

If this all sounds daunting and you don’t have time for it, let CyberData Pros assist you with these questionnaires. We have over 20 years of filling these out for our clients and we will help you better understand the details. Contact CyberData Pros now to see how we can help your business with this and many other data privacy and security solutions.
