Wouldn’t it be great if there were an “easy” button for developing your organization’s governance, risk, and compliance (GRC) functions? There are several aspects to consider when building out each one: what kind of control assessments should we run, and how often? What approval chain should our policy documents follow? How should we conduct our business impact analyses? Where should we house our asset inventory? How do we tie all of these aspects together? And why is GRC important in the first place?
After several notable cyber-attacks over the years, governance, risk, and compliance have become concerns that no organization, big or small, can escape. Focusing on growth without considering risk is not only impractical but unsustainable. Too often the same themes recur among the victims of cyber-attacks: a failure to link development strategy with risk, a lack of oversight for risk management, and a lackadaisical attitude toward day-to-day risk. A major problem at most corporations is that their GRC processes are spread across several different groups. These groups often fail to share information and end up with a multiplicity of frameworks and processes, which produces inefficiency and greater exposure to risk across the entire organization. For all these reasons, organizations of every size should recognize the importance of GRC convergence and collaborate across all lines of business to reduce risk and enforce compliance. One of the best ways to achieve that mindset and efficiency is to adopt a comprehensive risk management tool such as RSA Archer.
The RSA Archer GRC platform gives users a simple yet comprehensive way to design, build, and manage solutions that can grow along with your business. Customers can configure enterprise-class applications and deploy them in a way that prepares the organization to maintain compliance and reduce risk. Archer provides a foundation for compliance through content bundles for the Policies, Control Standards, Control Procedures, Authoritative Sources, and other applications, and it ships with pre-configured reports and dashboards to use as building blocks for your reporting metrics. It also includes assessment content such as built-in business impact analysis, quarterly risk, control self-assessment, device, and facility questionnaires. These pre-configured questionnaires can be scored automatically, generate findings for incorrect answers, and even be issued automatically via campaigns. When it comes to governance, risk, and compliance functionality, the possibilities with Archer are endless.
CyberSheath’s team of experienced Archer security consultants has years of experience in both private- and public-sector environments implementing and deploying custom and prepackaged solutions. Having worked with and successfully deployed all of the use cases provided by RSA, we are your “easy” button for developing the GRC function of your organization.
A list recently compiled by the cyber threat intelligence company Flashpoint (via Crain’s Chicago Business) reveals that law firms are not immune to cyber threats and are in fact active targets for today’s cybercriminals. Since January 2016, 48 elite law firms have been targeted by a criminal known as “Oleras” and his (or her) associates, who attempted to access confidential client information for use in insider-trading schemes. While there is as yet no indication that the attackers succeeded, the campaign raises the question of when law firms will be held to the same (or any) standards that are starting to be applied to other industries.
While the defense industry now has DFARS 252.204-7012 (and the NIST SP 800-171 control framework) and the payment card industry has PCI DSS, no widely applicable or enforceable compliance standard exists for law firms. It is also not entirely clear when law firms are required to report a breach. A 2014 Law Firm Cyber Survey conducted by Marsh identified some interesting statistics:
- 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.
- 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
- 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.
- 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.
This sounds strikingly similar to the defense industry a decade ago. Organizations realize they should do something, but most don’t know how or where to start. They lack in-house expertise, and most (98% according to Marsh) view cybersecurity strictly as a function of IT, with IT as the group responsible for overall management of cyber and privacy risk.
Last year, the American Bar Association reported in its Legal Technology Survey that 1 in 4 firms with at least 100 attorneys had experienced a data breach. Smaller firms without in-house expertise or implemented security controls would be unlikely even to know that a breach had occurred, much less be able to determine what data had been compromised. For an industry that routinely pushes its clients to protect themselves against risk, the results show that not all firms practice what they preach.
Regardless of your stance on the issue, your data needs protecting. CyberSheath has experience applying cybersecurity strategies at law firms and can help your organization secure its data. Start with an assessment today to identify your weaknesses and gaps.
Ars Technica recently published an article on the security of inflight Wi-Fi. Providers like Gogo and Global Eagle Entertainment sell passengers access to Wi-Fi during the flight. Customers who assume their communications and activities are secure should think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” on an American Airlines flight: a man claimed to have been able to read his email exchange with a source for a story. Given the general state of Wi-Fi security, as addressed in this post from ComputerWorld, it is easy to understand how this can happen. But what can be done about it?
First, Wi-Fi on an airplane works much like any public Wi-Fi network. Access is granted through a “captive portal” where you provide login details and/or payment information and accept the terms of service; once that is done, the user is granted access to the web. The wireless link itself has no password and therefore no link-layer encryption, so every frame crosses the air in the clear. Anyone within radio range, not only the access point, can capture that traffic, and only encryption applied above the network, such as TLS or a VPN, keeps its contents private.
Second, inflight wireless networks have gone a step further in a way that affects passengers’ privacy: they block basic security tools such as HTTPS and some virtual private networks. Without these building blocks, it becomes clear how Mr. Petrow was “hacked.” On a public Wi-Fi network your device is visible to other people on the same network. Unencrypted traffic can be read by anyone capturing it, and where a mail client uses POP3 or SMTP without TLS, the login credentials and message bodies cross the network in plain text as well.
While blocking basic security measures might look like an oversight, it is intentional. Gogo and Global Eagle Entertainment block some commercial VPN services, and Gogo was found issuing its own certificates for secure websites such as Google. By terminating passengers’ TLS connections on its own equipment, that is, acting as a man-in-the-middle, Gogo can inspect traffic that would otherwise be encrypted; this lets it block sites with inappropriate content and gives law enforcement more visibility into the browsing and search habits of Gogo customers. Ars Technica reported that Gogo works closely with law enforcement and designed its inflight network with law enforcement in mind:
“In designing its existing network, Gogo worked closely with law enforcement to incorporate the functionalities and protections that would serve public safety and national security interests…”
While the jury is still out on whether passenger Wi-Fi poses any threat to an aircraft’s own communications or systems, passengers using the service should be aware of what they are signing up for. An attacker on the same flight can easily set up a rogue access point advertising the same network name (an “evil twin”), so that nearby devices connect to the attacker’s laptop, which then forwards their traffic on to the real network while recording it. TLS would still keep the contents of other passengers’ sessions from the attacker, but a determined attacker can try to downgrade connections to plain HTTP with tools like sslstrip; sites that enforce HSTS, and browsers that already know a site requires TLS, resist that downgrade.
To protect your session, Ars Technica recommends using a VPN connection (if it will work) and ensuring that file and printer sharing is disabled. Also pay attention to certificate warnings: if Chrome or Firefox warns of a bad or unknown certificate, don’t proceed; wait until you are on the ground with a better network. Of course, the best defense is to turn off Wi-Fi and work offline.
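The downgrade attack mentioned above is easier to reason about with both sides modelled side by side. The following is an added example, not code from the original post or from any product it mentions: a few lines that do what an sslstrip-style proxy does to a relayed response, and a minimal model of a browser's HSTS bookkeeping (RFC 6797) that shows when the downgrade works and when it does not. The host name bank.example, the server response and the URLs are constructed for illustration.

```python
"""sslstrip-style downgrade versus HSTS (added example, not from the original post).

Models the two sides of the attack: the proxy on a rogue access point that
rewrites https links to http, and a browser that does or does not already
know the site requires TLS. Host name, response and URLs are constructed.
"""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

HTTPS_PREFIX = re.compile(r"https://", re.IGNORECASE)


def sslstrip_relay(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """What an sslstrip-style proxy does to a server response before relaying
    it to the victim over plain HTTP. The proxy speaks TLS to the real server
    itself, so the server sees a normal client, and the victim's browser is
    never shown a certificate, hence never shows a warning."""
    out = dict(headers)
    # Downgrade redirects so the victim never leaves plaintext.
    if "Location" in out:
        out["Location"] = HTTPS_PREFIX.sub("http://", out["Location"])
    # Drop the server's HSTS header; a browser ignores it over plain HTTP anyway.
    out.pop("Strict-Transport-Security", None)
    # Rewrite absolute https links in the page so every click stays in the clear.
    return out, HTTPS_PREFIX.sub("http://", body)


class Browser:
    """Minimal model of a browser's HSTS bookkeeping."""

    def __init__(self, preload: Tuple[str, ...] = ()) -> None:
        # Hosts the browser will only ever contact over TLS. Real browsers ship
        # a preload list and add hosts to it as HSTS headers are seen.
        self.hsts_hosts = set(preload)

    def learn(self, host: str, headers: Dict[str, str], over_tls: bool) -> None:
        # Strict-Transport-Security is only honoured when received over TLS.
        if over_tls and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(host)

    def navigate(self, url: str) -> str:
        """Return the URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def login_page_scheme(browser_knows_hsts: bool) -> str:
    """Scheme the victim ends up using for bank.example's login page when they
    type the bare host name (browsers try http:// first) behind an sslstrip
    proxy. Returns 'http' or 'https'."""
    browser = Browser(preload=("bank.example",) if browser_knows_hsts else ())
    first = browser.navigate("http://bank.example/")
    if urlsplit(first).scheme == "https":
        return "https"  # upgraded before anything left the device; the proxy sees only TLS
    # Constructed response the real server gives the proxy over TLS:
    # a redirect to the https login page plus an HSTS header.
    server_headers = {"Location": "https://bank.example/login",
                      "Strict-Transport-Security": "max-age=31536000"}
    relayed, _ = sslstrip_relay(server_headers, "")
    browser.learn("bank.example", relayed, over_tls=False)
    return urlsplit(browser.navigate(relayed["Location"])).scheme


if __name__ == "__main__":
    print("first visit, no HSTS knowledge:", login_page_scheme(False))
    print("host preloaded / previously seen over TLS:", login_page_scheme(True))
```

The point the model makes is that the downgrade never produces a certificate warning, so "watch for warnings" does not cover it; what stops it is the browser already knowing, from a preload list or an earlier visit over TLS, that the host is HTTPS-only. A first visit to a site that is not preloaded, over a network you do not trust, is exactly the window sslstrip needs.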
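A browser warning is the coarse version of this check. For a traveller who wants to script it, the following added example (not from the original article or from any vendor it mentions) works on the certificate dict that Python's standard-library `ssl.SSLSocket.getpeercert()` returns and goes one step beyond the browser by pinning the issuing CA: a validly-chained certificate for a well-known site signed by some other CA is exactly what an intercepting proxy presents, and a device whose trust store contains that proxy's root would show no warning at all. The pinned issuer name "Example Trusted CA" and both sample certificates below are assumptions constructed for illustration, not real certificates.

```python
"""Certificate checks for a hostile network, standard library only.

Added example, not from the original article. getpeercert() returns the
server certificate as a dict of nested tuples; the checks run on that dict,
so they can be exercised offline on the constructed samples at the bottom.
The pinned CA name and both sample certificates are made up for illustration.
"""
import socket
import ssl
import time
from typing import Dict, Iterable, List, Optional, Tuple


def rdn_values(name: Tuple, attribute: str) -> List[str]:
    """Pull one attribute (e.g. 'organizationName') out of a distinguished name
    in getpeercert() layout: a tuple of RDNs, each a tuple of (type, value)."""
    return [value for rdn in name for (kind, value) in rdn if kind == attribute]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """DNS-name matching as browsers do it: case-insensitive, and a leading '*'
    matches exactly one label, so *.google.com matches neither a.b.google.com
    nor google.com itself."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def check_peer_cert(cert: Dict, hostname: str, pinned_issuer_orgs: Iterable[str],
                    now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the certificate is acceptable.
    Checks the name and validity period like a browser, plus the issuer pin."""
    problems: List[str] = []
    now = time.time() if now is None else now
    pinned = set(pinned_issuer_orgs)

    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(hostname, san) for san in sans):
        problems.append(f"no subjectAltName entry matches {hostname!r} (got {sans})")

    issuer_orgs = rdn_values(cert.get("issuer", ()), "organizationName")
    if not pinned.intersection(issuer_orgs):
        problems.append(f"issuer {issuer_orgs} is not a pinned CA {sorted(pinned)}")

    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError) as exc:
        problems.append(f"unreadable validity period: {exc!r}")
    else:
        if not (not_before <= now <= not_after):
            problems.append("certificate is not valid at the current time")
    return problems


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Fetch a live certificate (needs network; the offline checks do not use it).
    With a default context, a certificate that does not chain to a trusted root
    raises ssl.SSLCertVerificationError, the same condition behind the browser
    warning the text says not to click through."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA G2"),)),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com")),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
}
# Same subject, but issued by an inflight proxy's own CA: what a passenger
# behind a TLS-intercepting network might be handed for a Google host.
PROXY_CERT = dict(GOOD_CERT, issuer=((("organizationName", "Inflight Proxy CA"),),))

PINNED_CAS = ("Example Trusted CA",)   # assumption: the CA you expect for the site
SAMPLE_NOW = 1_470_000_000             # mid-2016, inside both sample validity periods

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("proxy", PROXY_CERT)):
        print(label, check_peer_cert(cert, "www.google.com", PINNED_CAS, now=SAMPLE_NOW) or "OK")
```

The pin is deliberately on the issuing organization rather than on a key fingerprint, so a routine certificate renewal by the same CA does not break it; if you pin fingerprints instead, you need an update plan before the next rotation. Run `fetch_peer_cert("www.google.com")` from a trusted network to record what the real issuer looks like before you travel, then compare from the air.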
What does this mean for your organization? As you send workers around the globe, it is important that they develop good security habits. Start with security awareness training. Ensure devices are protected. An employee who travels frequently is likely to bring something back into the network when she reconnects to the “mothership,” so it is imperative that devices are routinely patched and monitored for vulnerabilities.
Whether or not you send your employees on the road frequently, CyberSheath can help you build your security program to make informed and secure travelers.
Product vendors’ marketing focuses on advanced persistent threats, Stuxnet, China and all the other fear, uncertainty, and doubt (FUD), things that are almost completely out of your control. So take a step back from the overwhelming advertisements that leave you feeling insecure and spend some time on something you can actually control: your organization’s information security policy. Exciting, right? Maybe not, but a policy is the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.
3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security
1: Corporations Take a Policy Seriously
2: A Policy Presents an Opportunity to Lead the Security Conversation
3: A Policy Can Help Drive Resource Allocation
Don’t Know Where To Start?
CyberSheath’s Strategic Security Planning service will assist you in creating a policy for your business that materially improves security. A security policy can be the first step on your journey to an optimized information security environment and the foundation necessary to win and sustain the endorsement of your executive leadership.