In today’s digital world, no matter what type of sensitive data you handle, attackers are hard at work developing ways to access it. The rash of high-profile security breaches making headlines every day is clear evidence of the struggle businesses face in trying to stay ahead of these sophisticated cyber attacks.
In response to these threats, local and federal governments around the world have begun to impose increasingly stringent regulations to force companies to re-examine their internal cybersecurity standards.
DFARS clause 252.204-7012, HIPAA, PCI DSS, and GDPR are just some of the many compliance mandates that companies are currently juggling. And considering the disastrous fallout of even the smallest breach, not to mention the heavy penalties associated with non-compliance, there’s no time to waste in getting up to date.
The Risks of Non-compliance
In April 2015, then-U.S. President Barack Obama declared significant malicious cyber activity a “national emergency” by executive order. In the years following this call to action, federal agencies continually increased the regulatory mandates for private contractors, and over half of the state governments in the U.S. passed laws that put punitive measures in place for companies that fail to sufficiently protect sensitive data.
These include hefty fines and in some cases, jail time. Of course, these punishments are minuscule when compared to the consequences of actually being hacked. The costs of penalties, legal fees, and possible compensation for damages pile up quickly and can completely change the financial outlook of your company. Most damaging, however, is the subsequent destruction of your company’s reputation and the irreparable loss of confidence from your customer base.
Entities with the proper vision and intelligence work exceptionally hard to avoid these outcomes at all cost by prioritizing day-to-day operational security. Not only does this protect the company as a whole, but it ensures that the satisfaction of government or contractual requirements is a natural outcome of day-to-day security practices.
An Industry Leader in Cyber Protection
The unfortunate truth is that, even though compliance is absolutely essential, it’s not easy. Combing through the myriad of regulatory requirements to assess which apply to your business, coupled with the complex processes of then actually meeting these standards, leaves many companies lost.
With the right support, businesses can dramatically simplify this process. An industry leader in cybersecurity, CyberSheath has developed the one-of-a-kind systematic Measure Once, Comply Many ® approach to cybersecurity, enabling companies to reach compliance by implementing a specifically tailored security strategy.
CyberSheath starts by identifying the vulnerabilities in your network and then uses this information to plan and build a security organization that optimizes your personnel, security processes, and technology. We then monitor your systems in real time, providing early threat recognition and proactive prevention that reduce the risk of a successful attack.
By using this proven and patented method, CyberSheath paves the way towards both reaching regulatory milestones and achieving optimal operational cybersecurity.
Measure Once, Comply Many ® utilizes the following services to provide a full-service comprehensive security platform, keep your data safe and secure, and assure across-the-board compliance:
• Centralized 24/7/365 Security Operations Center (SOC) capabilities.
• SIEM, network IDS, host IDS, file integrity monitoring, vulnerability reporting and management, and more.
• Real-time security intelligence, including correlation directives, network and host IDS signatures, and asset fingerprints.
• Full suite of compliance reporting, including DFARS clause 252.204-7012, NIST 800-171, HIPAA, PCI DSS, GDPR, and state data breach laws.
• Instant detection and notification of ransomware and other malware variants.
• Managed Privilege Account Management Services to stop security breaches involving privileged accounts.
With these advantages in place, you’ll never be caught off-guard, regardless of the current regulatory measures. Your business will not only take the necessary steps towards compliance, but you’ll also be able to continually read and react to the latest state-of-the-art threats. It’s all part of our patented system designed to achieve compliance as a result of committing to optimal operational security.
Assure Your Cybersecurity Now
Staying on top of your cybersecurity requirements can be overwhelming, but being hacked is undoubtedly even worse. Partnering with CyberSheath can help you gain peace of mind by putting a proactive plan in place to ensure your business is not just compliant, but also efficient and thorough in every aspect of cybersecurity. Contact us today to learn more about Measure Once, Comply Many ®.
On December 31, 2017, the deadline for compliance with NIST SP 800-171, imposed on Department of Defense contractors by DFARS clause 252.204-7012, came and went.
This Special Publication provides the security requirements for adequately safeguarding controlled unclassified information (CUI): information that the government creates or possesses, or that a contractor creates or possesses on the government’s behalf, that is not classified but that law, regulation, or government-wide policy requires to be protected.
While some companies were quick to adapt to these new regulatory measures, many companies fell behind because of a lack of resources, confusion over the head-spinning compliance process, or just downright procrastination.
With the deadline long gone and the Department of Defense (DoD) making it crystal-clear that NIST 800-171 is here to stay, becoming compliant is an absolute must for those looking to remain competitive in the industry.
A Common Problem
Unlike previous security mandates, this one reaches sub-contractors further down the federal supply chain: DFARS 252.204-7012 requires prime contractors to flow the clause down to every subcontractor that will handle CUI. For many companies, this means it’s the first time they’re having to figure out compliance.
If this describes your company, you’re by no means alone. Because these standards must be met by anyone who stores, processes, or transmits CUI for the DoD, and because the government-wide CUI program extends similar expectations to contractors of the General Services Administration (GSA), NASA, and other federal agencies, many contractors are struggling to wrap their heads around the complex process ahead.
As it’s critical to a supplier’s ability to win new business and keep current defense contracts, both prime and sub-contractors will want to confirm that they are, at the very least, on the path to compliance with NIST 800-171.
Of course, becoming compliant is easier said than done. There is no certification process for NIST 800-171; contractors self-attest that they have reviewed and implemented the applicable requirements, and they are accountable for the accuracy of that attestation.
This also means that becoming compliant is not a one-time achievement. Rather, it’s an ongoing process of continuous evaluation. Here are the three key actions you can take to get started…
Assess Your Compliance Level
First, you’ll need to do due diligence in identifying CUI as it applies to you. Check with your contracting officers or look through your contract to see if CUI has been clearly defined. In many cases it will not be, and you’ll have to consult the National Archives (NARA) CUI Registry for the categories that match the information you handle.
Once you’ve clearly defined what you need to protect, you can begin to figure out whether it’s actually being protected sufficiently. Inventory every system that stores, processes, or transmits CUI, including servers, laptops, storage devices, network devices, and end-user workstations, and review each against the 110 requirements in NIST 800-171. You’ll also need to assess the physical security of the devices that contain CUI to make sure they are properly safeguarded.
Design a Plan of Action
Chances are there will be a gap between where you are now and where you need to be. This is common so don’t worry!
Fortunately, requirement 3.12.4 of NIST 800-171 provides for a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) that document the gaps you have found and how you will close them. Since many contractors are not yet fully compliant, these documents are what you will use to show procurement officials that you are heading in the right direction.
An SSP describes the boundary of each system that handles CUI, the security requirements that apply to it, the controls currently in place, and the expected behavior of everyone who accesses it. Your POA&M lays out a clearly defined corrective strategy for exactly when and how you plan to resolve each unimplemented requirement.
All this planning and assessing means nothing if you don’t step up and deliver! Once you’ve put milestones in place, you’ll need to train your staff and ensure they adhere rigorously to these deadlines. You’ll also need to document critical advancements in your quest for compliance, properly maintaining your records as you go.
Still Nowhere Near Compliance? Don’t Panic!
If you missed the December 2017 deadline and you’re starting to feel the pressure, don’t panic. CyberSheath’s Managed Security Services can help you to define your CUI obligations, create a plan of action, and move step-by-step towards full compliance. Contact us today for a free consultation.
On Friday, May 12, 2017, a worldwide attack using a piece of ransomware known as “WannaCry” began spreading; by the weekend, Europol reported that it had hit more than 150 countries and infected at least 200,000 victims. Europol Director Rob Wainwright said that “the global reach [of the attack] is unprecedented.” The attack hit businesses and large organizations in the healthcare, financial, and infrastructure sectors especially hard; these sectors hold highly sensitive information ripe for a hostage.
Ransomware is malicious software that encrypts the victim’s files and withholds the key needed to decrypt them until a ransom is paid, in this case in bitcoin (a digital currency that is pseudonymous, though not untraceable). WannaCry added a second component: it acts as a worm, scanning for and infecting other reachable machines without any user action. With a large footprint of infected machines, the attacker can then hold the data for ransom, promising to hand over the decryption key once the payment is made.
WannaCry spreads by exploiting a vulnerability in Microsoft’s SMBv1 file-sharing protocol (patched in March 2017 as MS17-010) using the “EternalBlue” exploit, which was among the NSA tools published by the Shadow Brokers in April 2017. Unpatched Windows systems from XP through Windows Server 2016 were affected; many of the infected machines were running Windows 7. It’s unclear at this time who built the ransomware itself, but the exploit it carries is a direct result of the NSA’s zero-day stockpiling. Microsoft president and chief legal officer Brad Smith responded to the attack stating that it “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”. Smith continued his comment stating that “this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”
While IT and security teams have no doubt been working around the clock over the weekend to prevent the spread and manage the fallout, some key actions organizations should take in the immediate aftermath are as follows:
- Immediately back up important and sensitive data, and keep the backups offline or otherwise unreachable from the machines they protect, in case you are infected soon.
- Apply the latest Microsoft security patches, and confirm that MS17-010 in particular is installed on every Windows host, including end-of-life systems for which Microsoft issued emergency updates.
- Disable SMBv1 where it is not needed, and block inbound TCP port 445 at the perimeter and between network segments so a single infected host cannot reach the rest of the fleet.
- Update all anti-virus signatures and conduct immediate scans.
- Scan all inbound and outbound emails for malicious attachments.
- Send out a company-wide awareness email warning employees about the attack and to be cautious of scams and malicious emails.
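The patching and SMBv1 steps above are the ones most often left half-done across a fleet, so here is an added example (my own, not CyberSheath’s code) that reports whether a Windows host is still exposed to the flaw WannaCry spreads through and, with a switch, closes it. It assumes Windows 8/Server 2012 or later for the NetTCPIP and NetSecurity cmdlets, an elevated session, and a KB list that is my own partial transcription of the MS17-010 bulletin; on Windows 10 a later cumulative update supersedes those KBs, so a missing KB alone does not prove exposure there.

```powershell
# Added example, not from the original article. Checks a Windows host for the
# conditions WannaCry needs (SMBv1 server enabled, listening on 445, MS17-010
# absent) and optionally hardens it. Run in an elevated PowerShell session.

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # When set, disable the SMBv1 server and block inbound TCP/445.
        [switch]$Remediate
    )

    # Assumption: partial list of MS17-010 (March/May 2017) update IDs by product,
    # transcribed from the bulletin. The bulletin itself is authoritative.
    $ms17010Kbs = @(
        'KB4012598',                            # XP, Server 2003, Vista, Server 2008, Windows 8
        'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2
        'KB4012214', 'KB4012217',               # Server 2012
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
    )

    # Get-HotFix reads Win32_QuickFixEngineering; IDs that are not installed are
    # simply not returned (and raise a non-terminating error we suppress).
    $installed = @(Get-HotFix -Id $ms17010Kbs -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty HotFixID)

    # SMBv1 server state. Microsoft documents the LanmanServer SMB1 registry
    # value as the switch: absent or 1 means enabled, 0 means disabled.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)

    # Is the SMB server actually reachable? A workstation that shares nothing
    # has no reason to listen on 445 at all.
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    if ($Remediate) {
        # Disable the SMBv1 server (takes effect after a restart on older builds).
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force

        # Remove the SMBv1 optional component where the DISM cmdlet exists.
        if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                -ErrorAction SilentlyContinue | Out-Null
        }

        # Block inbound SMB regardless of patch state; idempotent by rule name.
        $ruleName = 'Block inbound SMB 445'
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    }

    # One object per host so the output can be collected across a fleet
    # (e.g. via Invoke-Command) and sorted by the Exposed column.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbFound    = ($installed -join ',')
        Smb1ServerEnabled = $smb1Enabled
        ListeningOn445    = $listening445
        Exposed           = ($smb1Enabled -and $listening445 -and ($installed.Count -eq 0))
    }
}

# Report only:
Test-Ms17010Exposure | Format-List

# Report and harden:
# Test-Ms17010Exposure -Remediate | Format-List
```

The `Exposed` flag is deliberately conservative: it only flips to true when all three conditions hold, so a patched host that still runs SMBv1 is reported (via `Smb1ServerEnabled`) without being counted as exposed. Disabling SMBv1 will break access from clients that speak only that dialect, such as some legacy printers and NAS devices, so run the report first and handle those hosts separately.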
Moving forward, organizations should consider a more proactive approach to dealing with ransomware as opposed to a reactive one. In August of last year, CyberSheath security engineers wrote about the rise of ransomware and how using application sandboxing in daily operations, combined with least privilege, can be highly effective at containing malware that reaches a user’s machine. Adding to defense in depth, a privileged account management solution can prevent ransomware from spreading to critical servers by securing the privileged accounts it would need to reach them, and, in combination with isolating critical servers behind a secure jump host such as CyberArk’s Privileged Session Manager (PSM), makes for a strong combination in combating malicious threats.
Let the security professionals at CyberSheath help you become proactive, not reactive. You can learn more about our approach by viewing our Privileged Access Management service area or clicking the button below to download our detailed Privileged Access Management datasheet.
A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are indeed active targets for today’s cybercriminals. Since January 2016, 48 elite law firms have been targeted by the criminal “Oleras” and his (or her) gang members attempting to access confidential client information for use in insider trading plots. While there has yet to be any indication that the hackers were successful, it raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.
While the defense industry now has DFARS 252.204-7012 (and the NIST 800-171 control framework) and the financial industry has PCI DSS, no widely applicable or enforceable compliance standard exists for law firms. It’s also not entirely clear when law firms are required to report a breach. A 2014 Law Firm Cyber Survey conducted by Marsh identified some interesting statistics:
- 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.
- 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
- 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.
- 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.
This sounds strikingly similar to the defense industry a decade ago. Organizations realize they should do something, but most don’t know how or where to start. They lack in-house expertise, and most (98%, according to Marsh) treat cybersecurity strictly as an IT function, with IT as the group responsible for the overall management of cyber and privacy risk.
Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys have experienced a data breach. It’s unlikely that smaller firms without in-house expertise or security control implementations would even know if a data breach had occurred, much less have the ability to determine what data had been compromised. As an industry that routinely pushes for their clients to protect themselves against risks, the results show that not all firms practice what they preach.
Regardless of your stance on the issue, your data needs protecting. CyberSheath has experience with applying cybersecurity strategies with law firms and can assist you and your organization in securing your data. Start with an assessment today, to identify your weaknesses and gaps.