What is the CCPA and how is it different from the GDPR?

Nearly two years since its introduction, businesses are growing accustomed to the European Union’s General Data Protection Regulation (GDPR), a piece of legislation that puts power back in the hands of consumers when it comes to how their own data is used and who has it. Compliance with the GDPR may have seemed like a nuisance to begin with, but everyone has quickly seen that the penalties for failing to comply are too heavy to ignore and GDPR compliant businesses earn greater trust from consumers anyway.

It’s a little bit of extra work, but well worth it. The success of the GDPR and the recognition that the questions surrounding the use of data cannot go unanswered any longer have driven other jurisdictions towards relevant regulation as well – most notably California, the world’s third-largest economy and author of the California Consumer Privacy Act (CCPA).

But the CCPA isn’t a carbon copy of the GDPR. The world’s leader in the data industry has its own ideas of how to start addressing the topic of data use and privacy. As with the GDPR however, businesses are going to find that the CCPA is not a regulation to ignore or take lightly. So, before it comes into effect on January 1, 2020, what are the differences between the two and what do businesses need to know about the CCPA?

Who needs to be CCPA compliant?

Europe’s GDPR is generally considered to be broader and more ambitious in scope than the CCPA – a characteristic that can be seen in stipulations regarding which businesses must comply. The GDPR applies equally to all businesses, European or otherwise, that process the data of EU citizens. African, Australian, Asian and American businesses must all comply with the GDPR if they intend to process and profit from the data of Europeans.

The CCPA, on the other hand, applies strictly to California-based businesses and only businesses earning more than $25 million annually or those whose primary business is the sale of personal information. Even If none of these apply to you, the CCPA should still be followed closely as it impacts and relates to future data regulation.

What CCPA means for the future

The CCPA’s impact on the future of data regulation could be significant, in fact. While it may not be as robust as the GDPR, the CCPA is seen by many as just the first step in regulated data protection, meant to introduce California and the U.S. as a whole to a workable framework to address the urgent issue of data usage and protection.

The same way the general outline of the GDPR has influenced the CCPA, the CCPA is expected to impact legislators throughout the U.S. and possibly even abroad as data protection becomes an ever-more immediate concern. The CCPA, which goes into effect on January 1, 2020, specifically addresses American concerns over cases like that of Facebook and Cambridge Analytica while the GDPR, which came into force in 2018, took a broader stance in trying to foresee future issues that may arise as well.

The price of non-compliance

One of the biggest differences between the two pieces of legislation is how they allot penalties for non-compliance and violations. Under the GDPR, businesses may be fined as much as 4% of annual global turnover or 20 million euros (whichever is greater). Sanctions may also be applied to a company under the GDPR simply for being at risk of a breach or behaving irresponsibly.

The CCPA, on the other hand, mandates fines per violation, up to $7,500 for each. The total cost of penalties is limited only by the number of violations discovered and, while still subject to change before enforcement in 2020, there is currently no threat of sanctions for non-compliance. Notably, violations are only considered violations at the point of breach, which proponents of the GDPR model believe is too late.

Consumer rights

Finally, the CCPA and GDPR differ on some of the specifics regarding the rights granted to, and protected for consumers. For example, while the GDPR requires that consumers opt-in to allowing their data to be stored and/or sold, the CCPA instead requires that companies give consumers the ability to opt-out.

There is one important similarity between the GDPR and CCPA that should be mentioned: both directly address encryption. Though both regulations keep most stipulations broad to allow for some flexibility and changing technologies, both feature articles with technical stipulations for responsible encryption of data, meant to reduce the likelihood of data being compromised even in the event of a breach.

Such specific requirements addressing technical aspects of security highlight the importance and urgency of adopting more rigorous security practices across the entire data industry. After all, regulations like the GDPR and CCPA are not only important to keeping your business out of trouble, they are crucial to creating a healthy data ecosystem backed by good practices and security.

The cloud might not be safe anymore – and we should all be concerned

When the topic of online privacy comes up, one of the most common arguments you’ll still hear is, “I’ve got nothing to hide, so it doesn’t matter to me who has my data or files.” While this kind of statement has always been problematic, there are new developments that reveal this kind of thinking as downright dangerous for the future.

According to a report in The Financial Times, an Israeli security company called NSO has the key to break into popular cloud storage services like iCloud, OneDrive and Google Drive. Even more concerning, the report claims that NSO is advertising and possibly selling this knowledge to governments around the world as part of its Pegasus software.

The company has directly denied marketing or providing the ability to crack encryption on cloud services, but it said nothing of having the technical capability themselves. According to The Financial Times, the Pegasus software has been identified installed on devices beyond the internal scope and boundaries of NSO. If true, NSO has either sold its software and given it away while lying about it, or it was somehow stolen. Both scenarios are cause for serious concern.

For proponents of the “I have nothing to hide” mentality, this may not sound too alarming at first glance. As long as these technological tools are going to responsible governments and not malicious cyber criminals, it’s only criminals that have something to fear, right?

At first, perhaps. But this case gives rise to several considerable worries:

  • How long will the ability to breach the cloud remain in the hands of government alone?
  • What governments is this ability being sold to?
  • What happens when new leaders emerge in a rapidly evolving political situation with new ideas about how to use this technology?

In the end, if one person or institution can access everything on the cloud, then anyone can with a bit of time and effort. To those who don’t mind if your government sees what you’ve stored on the cloud, we say this: it doesn’t matter what you as an individual have there, it matters what everyone as a collective has stored there.

Governments with the ability to access all your files and documents are unlikely to use them against you as an individual unless you’re directly involved in criminal proceedings. But the fact that governments seem to be in the market for such technology suggests that at least some of them want the capability of quietly gathering and storing data on entire populations that can be used in all kinds of nefarious ways. You may not notice it right away if your government has access to the information you’ve stored on the cloud, but it doesn’t bode well for the future as digital dictatorships become an increasingly realistic possibility.

But it’s not all doom and gloom – not yet, at least. Google told Inc.com that they have not thus far found any evidence that their cloud services have been compromised. While it’s unclear exactly how NSO might have technically succeeded in breaking encryption for cloud services, it is known that they would have to have root access to your device to break into your cloud storage, which makes it highly unlikely your cloud storage could be penetrated without physical access to your device (e.g. if it were confiscated by police or an intelligence agency).

But that may not be the case forever, and there are larger issues to consider. Companies who gather and control big data may not always have your privacy in mind when they sell it to third parties, but they are subject to the law and the forces of the free market. The forces restraining government are often far more tenuous.

Stay cyber-safe on your summer vacation with these 4 tips

Headed out on vacation this summer? If you haven’t made it yet, you still have some time. Grab your passport, wrangle the kids into the car for a road trip or just head to the beach for a few days to soak in some sun – but not without taking the necessary precautions. Travelers insurance is always handy, sunscreen will protect your skin in the long run and it’s a good idea to know what number to dial to reach the police in whatever country you’re traveling to.

It’s common sense to take these steps to protect yourself, right? Then it should also be common sense to protect yourself in cyberspace this summer. After all, when we travel and have new experiences, our guard is down and our thoughts are on other things, which is the perfect opportunity for a hacker to compromise your online presence, just like a pickpocket trying to get your wallet. Here are a few tips and things you should be aware of in order to reduce your vulnerability.

1. Fake Wi-Fi

Fake news may be all the rage these days, but did you know there is fake Wi-Fi as well? Especially while traveling, you’re likely to connect to every free Wi-Fi access point you can: at airports, cafes or other places of business. Generally speaking, these places do offer legitimate internet connections to their customers and, without password protection, to anyone in the vicinity. But malicious players are well aware, and they’ve thought of ways to take advantage.

Data thieves sometimes set up fake Wi-Fi access points under names similar to nearby businesses and known access points so that users might trust it and log on, believing it to be the proper connection. While browsing with these Wi-Fi connections however, criminals can intercept any data that passes between your device and your social media accounts or even your bank. More sophisticated attacks can even trick your device into automatically connecting, believing it to be a recognized Wi-Fi connection.

Protect yourself by asking the business for the name of their Wi-Fi SSID or installing VPN software onto your device for encrypted connections.

2. Password protection

How many passwords do you have to remember in order to access your online accounts? 10? 50? Maybe more? Whatever your number, most people use at least dozens of different websites that require unique passwords to login. That’s why many people also use the same password for everything, but that means hackers who get your password for one site can then access them all.

Protect yourself by using a password vault so you only need to remember one strong password, using 3-4 different passwords for different kinds of sites and apps, changing your passwords every few weeks and using two-factor authentication whenever and wherever you can.

3. Don’t be the phish

If you’re going fishing this summer, you want to catch fish, not be caught like one – and that means being aware of what’s in your inbox. Attackers try to induce you open malicious emails with alarming subject lines or sending you messages from a friend’s compromised account.

Protect yourself by being on the lookout for suspicious elements in emails. Don’t open emails from unknown individuals you weren’t expecting to receive and watch out for links that may appear to be from well-known domains at first glance like amaz0n.com.

4. Don’t post just to post

Social media is an amazing tool, but it can also make you vulnerable to dedicated and determined attackers. Avoid posting about your vacation until you get back so others won’t see you’re away and might be vulnerable to attack or even real-life home invasion. Posting personal information on social media could also give ammunition to attackers sending out phishing emails.

Protect yourself by simply being mindful of what you post.

6 ways malware can bypass endpoint protection

Malware attacks are growing more and more numerous. They find most success against those with little protection, but they are also overwhelming endpoint security measures using various methods that are always evolving and improving, just like endpoint security measures themselves.

Learning how to challenge this growing threat means understanding what attackers are actually doing and how. Here are 6 ways attackers are using malware to bypass or otherwise overcome endpoint protection security.

1. Script-based attacks

Typical endpoint protection security will defend against breaches primarily when new files are introduced into a system, like when new software is installed. Script-based attacks, however (also known as “fileless” attacks) make use of existing software like PowerShell and other computer components, circumventing this crucial point of security. These kinds of attacks have a higher success rate than almost any other, and are among the most difficult to spot. The key is to identify uncommon operations being executed by common applications.

2. Hosting malicious sites on popular infrastructure

Phishing attacks have always relied on deception for success, and one of the best tricks (and one of the simplest) used by attackers is to host malware on infrastructure that people tend to trust or that can’t be blacklisted by traditional security methods at all. Google cloud is one such example, and attackers are even using platforms like GitHub for their nefarious purposes. Command-and-control servers can also be hosted on these legitimate platforms, even benefiting from their built-in encryption features. Just like with script-based attacks, defense in this case means being able to spot unusual activity. Here, it is usually masked as normal communication but happens at unusual times.

3. Poisoning legitimate applications and utilities

Successful breaches, if gone undetected, can often lead to further threats. Attackers who manage to gain access to a business, for example, can then access all the third-party apps and tools used by employees, installing backdoors and other malicious code there. Open-source code is especially vulnerable to this, since attackers can hide nefarious code within legitimate bug fixes or software improvements that get reviewed and accepted.

4. Sandbox evasion

Think your sandbox keeps you safe? Well, it certainly helps, but a decent hacker can find a way around this protection as well. Malware can be engineered to be quite dynamic, only activating outside the sandbox or when interacting with a real person, for example. Any delay in detonation within the sandbox can also be a liability, allowing malware to spread elsewhere before it’s destroyed.

5. Unpatched vulnerabilities

Sometimes, it’s just hard to keep up. Much of cybersecurity requires ongoing care and attention in the form of software patches and updates that include fixes to vulnerabilities. But not everybody is on top of their patches, and the result is countless machines operating on unpatched software that includes all the old vulnerabilities. Malware doesn’t need to bypass something that isn’t there – it can shoot straight and get direct access.

6. Taking down the security agents

There are a lot of endpoint security agents out there. Most machines are protected from multiple sources. But, unfortunately, even the security agents meant to protect can be taken down. Each agent may cover and protect a different area, but they also often overlap with one another in an inefficient manner. What’s more, any security agents installed on an already compromised machine can be taken down from within. If patches and updates to these agents aren’t constantly being installed, there is a window of opportunity for the right attacker at the right time.
Hackers and attackers are working hard to be at the top of their game. We have to do the same, and that starts by looking at the 6 potential risk areas above.

Is AI fundamental to the future of cybersecurity?

Everyone has been talking about artificial intelligence since the mid-90s, if not earlier, but AI is only just now starting to develop as a breakthrough technology with foundations in reality. While it’s only now coming onto the scene in a significant way, it’s already safe to compare AI to the internet and smartphones in terms of its transformative potential.

AI has potential applications and uses in just about every industry and activity you can think of. With time, we may even find ourselves having complex relationship with AI. But let’s not get ahead of ourselves. For now, we’ll settle for making basic AI tools work for us.

In the cybersecurity industry, putting AI to work represents a cosmic leap forward in digital safety – at least in theory. Some cybersecurity AI tools are already in use and they’re only getting more sophisticated with time. AI could represent a quantum leap for the good guys in the arms race against hackers, allowing for tighter security provided by fewer personnel.

Smart firewalls

The most obvious advancement that AI offers to cybersecurity experts that could be prevalent in the near future is smart firewalls. These important defenses currently require manual management, but AI-enhanced firewalls bring things to a whole other level, removing a significant amount of human input from the equation.

By giving firewalls the gift of machine learning, they will be able to deal with most tasks related to event monitoring and incident response currently handled by humans. Not only does this remove the need for constant attention from a trained human, it also reduces (in fact, it almost eliminates) the factor of human error.

These firewalls will recognize threats more reliably and much quicker than humans by recognizing patterns in web requests and blocking the bad ones automatically. And it’s not just firewalls; this same principle could be applied to cybersecurity in a number of different ways, ushering in a whole new era of security that hackers would struggle to get around.

AI could also put experts an extra step ahead by giving them unprecedented information on cyber threats and how they originate. In fact, the technology to accomplish this is already in existence. Bots and other AI tools are already scanning publicly-available data online and analyzing it in meaningful ways. This will surely be adapted for use in cybersecurity in the near future.

No need for passwords

Though slightly more futuristic, AI may soon make passwords obsolete altogether. Passwords are one of the main ways users are able to protect their information online today, but they are cumbersome, annoying and often vulnerable to attack, exposing entire systems to the right (or wrong) cyber threat.

Various forms of AI could be brought together to identify users in better ways. Passwords are like the key to your house: anyone can get in as long as they have it. But facial recognition, fingerprints and speech analysis could provide a better, more secure way to access your accounts and information online.

Similar AI tools could be used to track your activity online and send alerts whenever there is a serious deviation from regular behavior that may constitute a threat. In short, AI promises that you’ll need to be less alert than today and yet you’ll still be more secure.

The biggest challenge of AI technology is cost. Small businesses and organizations are the prime target for cyberattacks today because hackers know they are the least likely to have robust defenses in place. They are also the least likely to be able to afford advanced AI solutions. In time, the technology is likely to become cheaper and more accessible, but until then, smaller businesses focused on growth and survival in a competitive global market may be left behind.

Is AI the future of cybersecurity? Almost certainly. AI is set to transform the world in countless ways and cybersecurity is no exception. The road to get there may not be smooth, however, and traditional solutions are going to be a commonplace necessity for many entities for years to come.

Top healthcare cybersecurity trends

Healthcare is perhaps the most vulnerable industry to cyber threats at this time. The value of medical documents on the black market has helped paint a large target on healthcare infrastructure, several unique factors in the industry have made efficient cybersecurity particularly challenging and the consequences of cyberattacks are more serious in the healthcare industry than anywhere else.

Unless significant action is taken, it does not appear that this situation will be rectified anytime soon. And yet, like everything else, cyber threats are always evolving and changing. While the healthcare system is likely to remain at risk in the near future, the type of risks it faces are in flux. Anybody trying to help tackle these serious issues should be keeping their eyes on these cybersecurity trends currently changing the nature of the threats to healthcare.

A lack of boundaries between personal and business activity

Doctors and other practitioners are increasingly, and understandably, succumbing to pressure to use every tool available at work, even personal ones. Tablets, smartphones and laptops from home are being brought into the workplace and connected to networks and systems there. On one hand, this can help save clinics and hospitals on the cost of providing needed devices and it can even make practitioners more efficient at their jobs, but the price is great insecurity in cyberspace, as each device can act as an access point to sensitive information on whatever systems they connect to.

What’s more, personal emails are being used for work related tasks and vice-versa. This mixture of activity makes it increasingly difficult to keep all activity secured and healthcare employees are often entirely unaware of the risks and how to mitigate them.

Even better phishing attacks

Phishing attacks are on the rise and they’re getting more and more sophisticated, fed by your everyday activity online. In the same way companies like Facebook and Google are able to show you targeted advertisements based on your searches and other online activity, phishing attacks are using the same principle to become more and more targeted.

The result is that they can often outsmart email spam filters and convince the untrained eye to open them. These increasingly effective phishing attacks are hitting the healthcare industry as well, where workers often aren’t trained to spot sophisticated attacks and are distracted by other complex tasks at work.

More stolen identities

Identity theft has always been a serious concern in cyberspace, but it’s only gotten worse as more information is collected and hackers adapt more sophisticated tools to access personal data. The healthcare industry is bearing the brunt of this trend as well, since medical records are worth far more on the black market then social security numbers and credit cards.

Part of the solution to these troubling trends is increased education and awareness, so that practitioners and other healthcare workers are more likely to spot an attempted attack and report it. But they also can’t be expected to spend their days preventing cyberattacks when they need to focus on their real specialty: saving lives. The industry must invest in better tools, experts and developing new systems and methods of cybersecurity that can protect critical healthcare infrastructure.

Top cybersecurity risks and problems in healthcare

The healthcare industry is struggling, and not just with high costs or a shortage of practitioners. Healthcare has a cybersecurity problem. Reports and studies indicate that the healthcare industry is currently bearing the brunt of ransomware attacks while U.S. authorities in 2017 stated that cybersecurity in healthcare was in “critical condition.”

While cyberthreats to national power grids, financial institutions and even individual businesses are certainly troublesome and dangerous, the vulnerabilities in healthcare don’t just result in financial loss or political fallout; they could even result in the death of patients. So why aren’t things getting better? The constant small-scale attacks on healthcare systems that are usually prevented may go unnoticed, but there have also been several high-profile cases that have stressed the need for improvement, so what’s the holdup?

Well, just as the consequences of poor cybersecurity in healthcare are unique, so too are the challenges that must be overcome to make improvements. Here are some of the key risks and problems that have to be tackled:

  • Privacy vs. Safety – It’s not that healthcare institutions don’t have cybersecurity measures in place, many of them do. But, more often than not, they’re only focusing on half of the problem. Strict regulations on the privacy of patient data have many institutions implementing robust systems of defense to keep personal data safe. The same cannot be said for protecting the connected devices and networks in clinics themselves that help doctors treat patients. Regulation in this area is lax and/or vague, partly because of some of the other challenges in this list.
  • Everything is connected – Modern medicine relies on a countless number of separate, yet connected medical devices. Did you know that even pacemakers can be hacked? This proliferation of connected, but non-unified devices make it difficult for clinics and hospitals to keep everything updated with the latest security measures or to monitor everything for signs of an attack. What’s more, medical devices are expensive. Even compromised devices are not easily replaceable. And what happens if an outdated or compromised device is the only possible tool available to save a life?
  • Focused on the patients – All practitioners are highly trained, but not in cybersecurity, which they often see as an administrative issue. No, they specialize in patient care and generally rely on others to give them the tools they need to work. Why does that matter? Because even hospitals with robust cybersecurity measures in place rely on doctors to update devices and spot suspicious cyber activity. All too often, practitioners aren’t trained in either of these skills.
  • Personal devices – More and more doctors and nurses are being encouraged to bring their own personal devices to work as necessary. That includes personal smartphones, tablets, computers and other devices. This lowers administrative costs for the hospital and can make practitioners more flexible in their work, but every unsecured device that connects to any larger network is a vulnerable point, one that often isn’t accounted for.
  • Black market economics – Medical records sell for big bucks on the black market, painting a huge target on healthcare institutions. While these may sell for $50 apiece, a social security number or credit card number may only be worth $1. A hacker with money on the mind and a buyer is going to hit a poorly-guarded medical facility for data before trying anywhere else.

Finally, the industry needs to acknowledge the consequences of inaction. The worst-case scenario sees a massive attack taking down computers and devices at multiple hospitals at the same time, disrupting urgent operations or leading to mistaken, potentially fatal, diagnoses. But even what may seem to be a relatively minor attack could be disastrous. Even if an attack manages to simply disrupt the workflow in a clinic or hospital for a few hours, statistics show that death rates increase during that time period, the same way they increase when a marathon stops traffic and cuts down response time.

Many institutions have some form of protection in place. But an increased investment in training staff by cybersecurity experts will help guide institutions down a safer and more secure path. The only other option is an insecure future.

Cybersecurity in healthcare: Vulnerable where it matters most

The power of big data is evident today in a wide range of industries and businesses, but nowhere are the implications bigger than in healthcare. After all, the healthcare industry isn’t primarily about profit, it’s about something far more important: saving lives. And big data is making healthcare providers far more efficient at doing just that.

Coupled with developing technology, big data is one critical factor that appears set to give the world better healthcare than we could have ever dreamed of just a few decades ago. Healthcare data not only helps track diseases and treatment, it can also help individuals track specific health conditions. Provided with such data, individuals may soon be able to anticipate certain illnesses before even experiencing any symptoms.

Good news, right? Of course. This tech boom in healthcare will inevitably result in longer, healthier lives for more people. But, as with other industries, this increasing dependency on tech has one vulnerability: cyberthreats.

There are few other industries that present such big targets to hackers and even governments. Healthcare data generally includes important and/or useful information about a population that could be used in countless nefarious ways. The WannaCry cyberattack on the UK’s healthcare system in 2017 wound up costing the government there roughly 92 million pounds. Perhaps worst of all, the attack temporarily shut down thousands of computers and healthcare facilities that depend on technological tools to treat patients.

This high-profile attack showed what’s at stake in healthcare cybersecurity. The NHS was using outdated systems and generally was not practicing the highest levels of caution. While businesses in other industries are driven to maintain a high standard of security by a potential loss in profits, the stakes for healthcare companies are much higher – life and death, in fact.

But it’s not just high-profile attacks like WannaCry that are threatening the healthcare industry. In 2017, it was found that the healthcare industry bore the brunt of ransomware attacks – a full 34% of them. Indeed, it seems that healthcare is one of the industries currently most vulnerable to cyberthreats, and where the consequences are the most serious.

We’ll discuss how to rectify this trend in more detail in other posts. But, needless to say, healthcare companies and national systems must continuously invest in updating technologically and regularly testing their own defenses for vulnerabilities that could be exploited. Yes, malicious attackers are getting more and more sophisticated, but there’s no reason the good guys can’t stay one step ahead, especially with lives on the line.

The one thing startups always forget to do before raising funds

Everyday in the life of a startup is a hectic one. There’s just so much to do that a lot gets forgotten. If you’ve started a business before, you’re probably familiar at least with the long list of tasks ahead of you. Someone with less experience, however, may not even be aware of some things that need to be dealt with.

One common mistake is starting aggressive fundraising before ensuring compliance with important standards and regulations in your industry. At these early stages of your business, it’s easy to put off compliance or even see it as a nuisance eating up your time, but it really should be higher up on your list of priorities.

What is compliance?

Every business is legally bound to any number of government regulations that stipulate best practice in a given industry. These regulations are often meant to protect consumers and foster confidence. Then there are industry standards, which generally aren’t legally binding, but are critical for any growing business nonetheless.

The mistake often comes in thinking it’ll be easy to stay on the good side of these standards and regulations. It isn’t. Compliance with these documents often requires technical and legal expertise to understand complex clauses and cover all your bases. But the work that goes into compliance is well worth it. Sometimes a minor mistake could cause a major problem.

Why compliance is important early on

Another common mistake is imagining that compliance is best dealt with later in development, when you’ve got more resources to spare and start trying to reach a larger audience, making your more vulnerable. But running a business is often like riding a bike: you have to master the fundamentals before trying to do flips or riding without hands.

Compliance is crucial for investors. True, you might still be able to raise some funds with nothing more than a great concept and quality product, but crossing your T’s and dotting your I’s with compliance shows that you have more than just a fancy idea – you’ve also got a functioning responsible organization on your hands that investors can trust their money with.

In fact, many investors are likely to ask you point blank if you’re compliant with a few of the most important standards and regulations like ISO 27001 and PCI DSS. Non-compliance in these areas could lose you important sources of funding. If you’re selling your small startup, on the other hand, buyers are going to expect you do your due diligence and meet certain cybersecurity standards.

What’s more, the perception that your business is more vulnerable the larger it gets isn’t entirely true. Yes, there are more eyes on you and you become a bigger target for lawsuits, cyber attacks and all the other things standards and regulations aim to prevent, but you’re also more likely to have the reserves to weather such a storm as a larger business entity.

Small businesses are the most vulnerable technologically and everybody knows it, making you an easy target. Small businesses are also the most vulnerable financially, meaning that one bit of trouble could be the end.

Standards and regulations are meant to protect you from all of that, acting as a secure foundation for you to grow without constantly worrying about cyber vulnerabilities and legal trouble. Wouldn’t you rather have that out of the way early on (preferably before fundraising)?

The disasters you can avoid by tackling cybersecurity on time

We tend to put off preventative measures whenever possible. Even when we know better, we often put ourselves in reactionary position against threats rather than taking a proactive, grab-life-by-the-horns approach. As an entrepreneur, it’s easy to understand how this happens: You’re swamped with other projects critical to your development and you’re probably trying to save cash where you can, waiting to take on some issues until they just can’t be put off any longer.

But when it comes to cybersecurity, that point may already be too late. If you adopt a reactionary stance to cyberthreats, you’re likely to find yourself in hot water with nothing to shield you from the consequences. Whatever plans you had in mind moving forward must then be sidelined as you try to weather the storm.

So, why let things get so out of hand? The vast majority of cyberthreats can be stopped before they begin simply by investing in cybersecurity services before you find yourself targeted in any way. Here are some of the different disasters that can be prevented by tackling cybersecurity early on:

Infrastructure damage

The most obvious is damage to the foundation of your business: its infrastructure. This could be an attack on your website, the destruction of important databases or even a virus that manages to corrupt all the computers in your workplace. This kind of cyber disaster essentially stops your development cold and forces you to take a 90-degree turn.

What went wrong? What is the extent of the damage? Can your hard work be recovered or will you have to spend time putting it all back together again? These are all questions you frantically ask yourself as it becomes abundantly clear that putting off any serious cybersecurity measures has cost you too much in your most precious commodity: time.

Financial damage

But cyberattacks and damages cost you in another significant way: your cash flow. The most important thing for any growing business is its bottom line – that’s why it’s called the bottom line. Cyberthreats not only incur costs to repair whatever damage was done; there is also mitigation to think about, those desperate attempts to minimize damage when damage has already been done.
On top of it all, any cyberattack causes significant disruption to your business operations, which inevitably has a direct impact on your sales and clientele. The question then becomes: for how long? If operations are miraculously compromised for just a day or two, you’re one of the lucky ones.

Reputational damage

In today’s market, much rides on being perceived as a dependable and secure business. The general public is more wary than ever of companies mishandling their data and most business clients will choose to work with the most reliable companies and products over ones with a less-secure innovation.

People across the globe are becoming exceedingly dependent on certain technologies and services, making it crucial that those technologies and services are safe. Being hit in an attack, even once, can have a detrimental impact on your reputation. This impact gets even worse if it becomes clear that you could have done more to prevent the attack, including cybersecurity measures and complying with safety standards and regulations.

Legal damage

In cases where your business wasn’t the only entity to suffer damage or you’re found to be non compliant with safety standards and regulations, you could find yourself in deep legal trouble on top of everything else. This may include expensive lawsuits or even government intervention in some instances.

Out of all these disasters, the legal one is perhaps the most feared by entrepreneurs, as it eats up resources for an indefinite period of time. Legal proceedings could take several months to reach a conclusion in the best of circumstances. Often times, a cyberattack will result in all of the disasters listed above to one degree or another. The key to mitigating this risk is not reaction, but preemption.

Everything you need to know about ISO 27001

Information security is a top priority for anyone dealing with any kind of data these days. The general public has become more aware of this issue with public cases of attacks like that on Target in 2013 and privacy is valued by internet users more than ever. There are many ways to build up your security and protect the data under your control, but that security should begin with becoming ISO 27001 compliant.

ISO 27001 details the best business practices and system structures to guarantee you a solid level of information security, which can of course be expanded upon as your organization sees fit. Not only does this recognized industry standard give you solid footing in the security arena, it helps you build a trustworthy reputation and keeps you competitive against other companies that may or may not be offering the same level of security.

What is it?

ISO 27001 is a security standard published by the International Organization for Standardization (ISO), headquartered in Geneva. As the world’s largest developer of voluntary international standards, the organization includes 163 nation-state members, has established over 20,000 standards and was one of the first organizations granted general consultative status with the UN Economic and Social Council.

While ISO 27001 is not binding or legally required for anybody, its globally recognized status gives it weight and legitimacy among business and institutions across member nations. The standard unifies various security controls used by different companies and organizations into one comprehensive framework that represents the best of these practices in one package.
Specifically, ISO 27001 stipulates that a company’s management take certain steps towards security including rigorous risk assessment and the implementation of certain security controls.

Why it matters

To put it lightly, you don’t want to be caught unprepared on the security front. Damages and cleanup from any significant breach can be enough to drag you down and hold you back while depressing trust and investment in your project. One sure way to guarantee that you’re on the right track is to become ISO 27001 compliant.

Especially in the business-business environment, and even with investors, you may be asked if you are ISO 27001 compliant. These clients and investors want to know they can trust you to protect your own business and take seriously the data you’re entrusted with. Becoming compliant usually means hiring experts to lead you through the process.

How to become compliant

These experts first examine current operations to find out what’s missing before constructing a comprehensive plan to move forward. The different points of this plan can vary greatly from company to company as each presents its own challenges depending on the relevant product and company culture.

Depending on the size of the company, full compliance may take 4-5 months to achieve and require 70-100 hours of investment from you and some of your employees. These include senior managers, HR, IT, your CISO and CFO. Even if you employ an expert internally who is able to make sure you follow the stipulations of ISO 27001 in practice, an external organization is required to perform an audit to provide you with a certificate of compliance.

Once you’re compliant, the future is yours! You can move forward with confidence that others can trust you and that you actually are in fact well protected.

Everything you need to know about PCI DSS

Depending on the size of your business and the product or service you provide, there are several kinds of regulations and standards you want to be in complete compliance with to both protect and guide your growth. Many of these will differ from business to business, but one of the most common standards that companies need to take into consideration is PCI DSS.

If your company stores, processes or transmits credit card information (common activities for any business using data to its advantage), compliance with PCI DSS borders on being an absolute necessity. In fact, it truly is a necessity required by law in some jurisdictions, making it a solid bridge between standard and regulation.

What is it?

But what is PCI DSS? For new entrepreneurs in particular, these kinds of technical hurdles can feel slightly overwhelming. And, after all, you have a grand vision you’re trying to implement for your product – one that probably has nothing to do with PCI DSS compliance. But whether you planned for it or not, PCI DSS is one of the “minor” details you have to take care of to turn your vision into a reality. So, here we go.

PCI DSS, or Payment Card Industry Data Security Standard, was originally developed when Visa, MasterCard, American Express, Discover and JCB decided to merge their security standard protocols into one for the entire industry, in order to reduce credit card fraud. The earliest version of this vision was released in 2004 by the PCI SSC (Payment Card Industry Security Standards Council), a body jointly established by the major credit card companies.

Their efforts to establish a safer environment for credit card users was successful and developed quickly. These days, compliance or non-compliance with PCI DSS has become a commonly-cited indicator of how safe it is for a company to perform credit card transactions.

Why it matters

Depending on your business and clientele, there’s a good chance that most of your customers won’t be investigating whether or not you’re PCI DSS compliant before making a purchase with you, but that’s trusting to chance – a chance that’s best not to take. Part of PCI DSS compliance is about maintaining a reputation for safety, especially as the general public becomes ever more aware of the consequences and implications of data security failures. All it takes is the right (or in this case wrong) person to discover that you aren’t compliant with this common industry standard to start throwing doubt on your organization.

This could impact not only your customer base, but your business partnerships as well, and believe or not, that’s not even the biggest reason PCI DSS compliance matters. What happens when (knock on wood) data is compromised and it is revealed that your business wasn’t protecting itself properly? What happens is big lawsuits and expensive legal proceedings that are nothing more than a barrier to your progress and growth towards your vision.

Compliance with a standard like PCI DSS has a positive impetus as well. Not only can you prevent calamity this way, you can build trust, keep yourself protected, maintain your competitiveness with others that are compliant and even let it guide some of your decisions. PCI DSS doesn’t only protect credit card users; it can also be seen as a group of best practices that you’d be smart to follow anyway.

How to become compliant

Another best practice is to consult compliance experts, usually from a qualified security assessor approved by the PCI SSC, who can guide you on a thorough process to achieving compliance. PCI DSS includes 350 separate requirements that need to be met. Each one can be a challenge to one business or another and compliance experts are in the best position to help you figure out the ins and outs of each.

The process of making your operations compliant is methodical and professional, including a comprehensive risk assessment process and penetration tests before ending with a full PCI audit. While time and investment depend greatly on the size of a company, the full process may take roughly 6-8 months and require the availability of your information security officer and infrastructure and application employees.
In the end, you are certified as compliant at one of four levels defined by the number of credit card transactions you perform annually.

You’re doing the right thing by educating yourself on the topic of PCI DSS compliance. It’s not something you want to go without, and you don’t need to. There’s a clear and established path to compliance that will make your business stronger and more resilient. All that’s left is to get started.

The 2 standards you should meet to ensure your security – and prove it

Every company is different, and therefore has different needs when it comes to compliance. What do you need to comply with and what’s the best way to do it? That mostly depends on what industry you’re in, what kind of product or service you offer and even to some degree the character of your business.

Having said that, there are two established standards that almost every business should know something about. Ideally, you shouldn’t only be aware of them, you should be certified in both to form a foundation of trust for the work you do. We’re talking of course about ISO 27001 and PCI DSS.

ISO 27001

Ever wondered how customers, clients and government bodies could judge how well you protect the information that’s been entrusted to your business? Especially in this day in age, confidence that you can do so is crucial: your employees need to know that their personal information is kept safe, if you store any kind of private data from your customers, they need to feel confident that it won’t be stolen or given away, and in some cases, government needs to have some way of gauging whether or not you’re following recognized best practices.

ISO 27001 is the neon sign indicating to all these parties that you can be trusted to keep data safe by following industry standards accepted across the board as the fundamentals to information security. On a more practical level, compliance with ISO 27001 means consciously maintaining a data protection system informed by comprehensive risk assessment and reviewing management structure and behavior to facilitate security.

PCI DSS

It’s a mouthful, but PCI DSS (Payment Card Industry Data Security Standard) is critical to any operation that stores, processes or transmits credit card information. Originally designed to reduce credit card fraud, PCI DSS has grown in importance to become an indicator of how safe it is for your company to perform credit card transactions. In some jurisdictions, compliance with PCI DSS is even required by law.

Similar to ISO 27001, PCI DSS stresses the need for data protection in particular, since customers making credit card payments must trust you with their credit card information in the process. Firewalls, strong encryption and other practical steps are all detailed in the clauses of PCI DSS.

Complying with these kinds of standards might seem like a lot of extra effort at first glance, but in reality you’re doing yourself a favor as much as you’re doing one for your customers. Demonstrating the security of your company by meeting these two standards in particular can protect you from lawsuits and government intervention, but it can also prevent costly attacks on your business and make sure your growth can go unhindered by all kinds of negative external influences. ISO 27001 and PCI DSS protect you as much as they protect everyone else.

What is compliance and why do you need it?

A high level of competition in an ever-more globalized economy makes it tough for a business to stand out from the crowd and establish itself as an industry player. You have to be creative with marketing and management, and be backed up by an honestly great product. But before you can even begin to think about rising above the noise, you need a foundation to stand on.

Compliance is that foundation, meant to bring your operations in line with regulations and standards that solidify your reputation as a trustworthy brand and free you up to focus on growing your business instead of doing damage control. Simply put, compliance is that process of reviewing your business operations and then making sure they fulfill various legal conditions and industry best practices.

Regulations

Every business needs to deal with some, if not a lot of, regulation – and it’s easy to get frustrated. Of course you don’t want your customers, the environment or your own business to be unprotected, but regulation can slow down your progress towards realizing your goals and dreams, especially if you don’t fully understand them.

And no one would blame you for not having a good grasp on regulation; there are dozens you’re expected to comply with at once and each one is complicated in its own way. We also shouldn’t be too quick to judge legislators and regulators, however – it’s tough to translate the ideals and theory behind regulation into a practical framework that offers protection while also giving you the flexibility to succeed.

The consequences of failing to meet regulations, however, are not something you ever want to deal with. Lawsuits, fines, longer sale cycles and profit loss are just a few of the problems that could result – and catch you quite by surprise – if you aren’t keeping regulations in mind. Dealing with these kinds of issues repeatedly could be a death-blow for business. To make matters worse, regulations are occasionally updated and changed while new ones emerge regularly, requiring that you be on the ball and adapt along with it.

Standards

On the less legally-binding side of things, you want your business to meet industry standards and best practices like ISO 27001 and PCI DSS. But, if this isn’t a legal requirement, what’s the benefit of achieving compliance with standards like these?

Think of it this way: You are interviewing candidates for a new position in your company. One of them says he studied a relevant topic in university, but can’t produce a diploma. Do you trust him? Probably less than if you were able to hold that diploma in your hands.

But meeting industry standards is even more important, since they tell clients and potential business partners that are you conducting business in a responsible, safe and trustworthy manner. Do you want to maintain and grow those relationships? Then it’s best to get familiar with the relevant standards and practices.

But regulations and standards don’t just keep you out of trouble, they often outline the best way forward for your business to keep you solvent and growing. Instead of seeing regulations and standards as a drag, use them as a framework – guidelines to show you the way forward when you aren’t so sure of yourself.

Now you face the dilemma of how best to achieve compliance. How do you keep up with all the changes and finer points that you might misunderstand or miss altogether? Well, the answer is that you can’t shoulder all the responsibility yourself. If you want to protect yourself from disruption and use regulations and standards as a helpful tool to your own development, you need to include experts who know the ins and outs and can help you review your business to achieve full compliance. From there, you can only go up!

6 things you should know before hiring a risk assessment service provider

We all like to prepare for things. Good research and preparation can help us understand what’s coming, making us that much better decision makers. You could even say that this process involves a bit of risk assessment itself, since we need to identify the inherent risks of an unknown situation and reduce the risk by learning more about it. But how do you know what to expect from cybersecurity risk assessment? Well, let us help you minimize the risk of the unknown with these 6 things that will help you understand exactly what you’re getting yourself into.

1. Risk assessment is the first step to protecting you in cyberspace

First of all, what is risk assessment exactly and how does it fit into the framework of a cybersecurity solution? Well, risk assessment is the launch pad – the first square on the board game that will bring smart, efficient security to your cyber presence. Before figuring out how to achieve greater security, you need to draw a map of the current situation.
What security measures are already in place? What are the most important elements of your cyber presence that must be secured no matter what? Where are risks most likely to come from and how high is the risk they pose? These are all questions that risk assessment aims to answer to start you on your journey.

2. Risk assessment is a methodical process

And it’s conducted by experts, who are called experts for a reason. Risk to your business is not assessed on the hunch or whim of someone who knows a bit about computers. Instead, these professionals follow a methodical process of protocols, lists, numbers and diligent consideration based on experience.

3. Risk assessment is guided by well-known standards and practices

Cybersecurity is too important to trust everyone to approach it however they want, and businesses like yours need to have confidence that risk assessment is being conducted in the most responsible manner possible. That’s why it’s best to adhere to industry standards and practices. Not only do these frameworks help guide and define the boundaries of an effective cybersecurity process, they also signal to you that the best practices are being used.

Standards like ISO 31010 and ISO 27005 are a good place to start. To meet these two important standards, cybersecurity organizations must manage their affairs following certain good practice guidelines and follow a series of steps in every risk assessment process.

4. Risk assessment is mostly based on interviews

Cybersecurity isn’t about going out with guns blazing and taking on hackers like you might see in a modern spy flick. Before diving into exciting technical elements like penetration testing, everything starts with risk assessment, and that means interviews. The majority of the risk assessment process is focused on speaking to key individuals in your company, each of whom may have a piece to the puzzle that use your current security status.

Gathering this information is crucial to obtaining an overview of the situation and getting leads on what may have been overlooked.

5. Risk assessment is not a side project

These kinds of interviews may seem somewhat intimidating for some employees, but risk assessment isn’t a passive process to be sidelined. You need to make a conscious effort to get your entire team on board, especially by informing everyone of the project and its purposes so they feel comfortable sharing and collaborating.

And just as you need to make this special effort with your employees, the entire risk assessment process requires that you take it seriously. That may mean investing time, resources and attention, but trust us, it’s worth it.

6. Risk assessment doesn’t protect you on its own

Risk assessment is crucial to your protection in cyberspace, but this process won’t get the job done all on its own. When you embark on a journey, you first need to draw up a map (risk assessment). Without it, you could get lost. But you also have the entire journey to travel! So, it’s time to plan ahead. Now that you have a good idea of what risk assessment can do for you, start thinking about what comes after – like penetration testing.

What’s involved in the risk assessment process?

We assess risks all the time in our daily lives. Is that knife sharp enough to cut me? Is my child safe with the babysitter? Are there cars coming, or can I cross the street? Most of these decisions can be made automatically, instinctually without too much conscious thought going into them. And yet, our brains are going through a methodical process, whether we’re aware of it or not.

Things like cybersecurity aren’t quite so intuitive. That’s why experts have a conscious, methodical framework – or a kind of protocol if you’d prefer – for how to go about risk assessment in cyberspace. The goal is to come out the other end of risk assessment with a clear map that highlights the most likely incoming threats, who and/or what they might target and how best to counter them. Here’s how it works:

1. Defining the scope of the project

First things first, and the first thing in risk assessment is to get the lay of the land. Risk assessment experts need to get to know your business and what’s most important to you while laying the groundwork for the rest of their work. Someone has to draw a map first before it can be used.

This process begins with interviewing key personnel including your chief information security officer (if you have one) and department managers if necessary. Next up is defining critical assets, or establishing which networks, processes or databases are most important to your security and stability. Budget may affect the number of assets you’re able to target, but regardless, setting clear priorities will help clarify the process and keep everyone on track. A similar set of priorities are then given to critical business processes as well.

2. Identifying threats and vulnerabilities

Next, experts consider what threats and vulnerabilities might be putting the identified critical assets at risk. Again, key members of your team are interviewed to get a more in-depth understanding of the security issues surrounding the assets. Then the maps come out. Threats and vulnerabilities are mapped out for a comprehensive overview of the existing security situation.

Then any existing security controls are accounted for and threats then deemed to be irrelevant are removed from the map.

3. Analyzing current controls

Experts then take a closer look at those same security controls in an effort to understand the safeguards you have in place. But that’s not all. The second part of analyzing established controls is analyzing the potential consequences in a situation in which they fail.

This careful thought process is important to calculate risk and understand what’s at stake. Experts look at figures like asset value and the impact on your business of the processes that need to be protected while considering potential scenarios in which damage could be caused.

4. Calculate the risks and report

Finally, it’s time to take everything that’s been learned and calculate the real risk to the assets defined in step 1. What are the worst scenarios that absolutely must be prevented? How likely are those scenarios to occur? But most importantly, this phase answers the crucial question: How can that likelihood be decreased? What steps can be taken to grant a greater level of security?

Critically, this is all gathered in a final report that sums up the findings and records the situation for future reference. But the process doesn’t end here. Risk assessment only give experts a roadmap to move forward with to provide you with comprehensive security.

What is risk assessment and why is it important?

Lots of activities in life are risky. Everything from driving to investing in a startup involves some form of risk, but as the saying goes: No pain, no gain. The trick is learning to mitigate – or manage – these risks to reduce the chances of disaster. We can mitigate risks by training and educating ourselves to avoid mistakes and carefully analyzing a situation before diving in head first.
The very first step to protecting ourselves against the potential harm of any kind is to undergo the process of risk assessment. For tasks like driving and even investing, risk assessment is often performed instinctually, but in the cyber world, risk assessment requires a clear and methodical sense of purpose.

Assessing cyber risks

Risk assessments as part of cybersecurity is all about identifying what kinds of threats a business is most likely to face and where they might come from. This comprehensive process provides a snapshot of the current status of a company’s information security, risk maps, and common threats and serves multiple purposes:

  • Helps security experts get familiar with an organization and its structure
  • Provides a basic platform of knowledge that informs future security strategies
  • Gives of the gift of efficiency a business doesn’t blindly spend on security measures that may not be the most urgent or necessary

How do cyber experts know what to look for during the risk assessment process? Like in most other fields and industries, cybersecurity also has its standards and protocol that help everyone know where they stand. During risk assessment, experts look first at ISO 31010 and ISO 27005 to make sure they’ve covered all their bases. Then they can get creative and dive in deeper if necessary.

Understanding what threats you face or are most likely to face enhances your ability to manage the risks inherent to operating a business that’s connected to cyberspace. We do the same thing when getting a driver’s license: getting to know the basic functions of a car and where that blind spot in the mirrors are.

Why it matters

Obviously, it’s always a smart move to manage risk. But for cybersecurity, it’s never been more crucial. Taking the step of consulting with security experts and performing risk assessment can make the difference between unhindered progress and a crippling attack that puts your business out of commission and in survival mode.

As competition online reaches fever pitch, the stakes are higher than ever. Those with malicious intent are developing more sophisticated ways to cause disruption and, as high-profile cases in the media attest to, new kinds of threats are emerging all the time. Risk assessment is all about not being caught off guard. So keep your gloves up and keep yourself protected using all the means at your disposal.

What does cyberservices really mean?

When you want to take the safety of your networks into your own hands, you need to look for “cyberservices”. But what does that actually mean? Expectations can ruin relationships and set you up for failure, but knowing what to expect can let you know exactly what you’re getting yourself into. So, what can you expect to get as a part of these “cyberservices”?

Cyberservices vs. Cybersecurity

It’s easy to think that cyberservices and cybersecurity are synonymous. They are in fact closely intertwined, but not quite the same thing. Cybersecurity is one of the things you get as a result of cyberservices. It is also a broad term to describe some of the tasks that are included in cyberservices. But cyberservices often include more than a vague guarantee of cybersecurity. So, what are the details? What can you expect when you see the term “cyberservices”?

· Risk assessment – This is the backbone of all cyberservices on which you can build true cybersecurity. Experts start with risk assessment to identify security risks and develop a strategy to move forward in building a robust defense.

· Penetration testing (PT) – One result of risk assessment and the next step in establishing security is penetration testing. PT experts essentially take the place of cybercriminals and use their skills to attack your systems. But don’t worry, the goal is to keep you safe rather than harm you or your business. By assaulting the networks you want to keep safe as if they were malicious hackers, PT experts can identify any existing vulnerabilities in your systems and help you fix them.

· Security design review – Staying safe isn’t only about guessing what hackers might attempt and closing those holes, it’s about reviewing the very structure of your applications and networks to guarantee that they meet a certain standard of security. The architecture of your systems is studied on a broad level and then much deeper, reviewing the security layers of each component. Ideally, security design review should be performed before the official launch or release of an app to try and ensure security before anyone has the opportunity to take advantage of a vulnerability. This means it should also come before any penetration testing, since PT can catch anything that was missed or overlooked in the security design review.

· Compliance – One element you might not think about in connection to cyber is compliance. National and regional governments often implement detailed regulation on the cyber activities of a business to protect consumers and support fair practices. Business also seek to be compliant with various standards of conduct that send a signal of strength and stability. Cyberservices can include helping your business successfully navigate this network of rules and guidelines. It’s just another way of keeping you and your assets safe.

· Other – On a more technical level, cyberservices might also include APT simulation,code review, SDLC, FW rulebase review, security tools professional services, Win/Linux hardening and vulnerability scans, depending on the specific needs of your business. Ongoing consultation services are also important to staying safe and combating new threats that are always emerging as cyberattacks become more and more sophisticated. With so much to cover, it’s also possible to get CISO (Chief Information Security Officer) as a service. It’s always a good idea to have someone on the team that is in charge of security and has relevant knowledge on the subject, even if it’s just for a few days or weeks.

The cyberservice philosophy

You may have noticed a trend running through all of these elements. You can’t miss it: Cyberservices mean safety. The actual tools put in practice to serve your business might vary according to circumstances, but the goal and outcome are the same: security for cyber threats.
Cybersecurity has quickly become one of the most important concerns for any entrepreneur to worry about. Your business almost certainly relies on a connected, online presence or storing data on an internal network. While these activities and operations bring great opportunities and benefits to your business, they also bring the threat of attack that, in the best of circumstances, could be immensely expensive to rectify. Cyberservices help you stay ahead of these threats and protect the prosperity of your business.

Why PT is so important for your business

Why penetration testing is so important for your business

The vast majority of businesses with any sort of online presence or electronic network are waking up to the urgency of maintaining security in cyberspace. Abilities developed by hackers in recent years have even put small-medium-size business in their scopes, even if the cyber stories you hear about in the media focus on high-profile companies and government institutions being targeted.

While some sophisticated hackers focus their efforts on larger companies and institutions to make a social statement or just to cause disruption on the largest scale possible, others go for easier prey: smaller entities with less protection. For these smaller businesses, the disruption caused by a cyberattack can be just as damaging, if not more than for large entities.

That means everyone needs to keep their systems safe. Profits and customers are at stake and just one successful attack could set you back months while you scramble in damage-control mode. And the best tool businesses have to defend themselves is to preempt attackers with penetration testing.

Penetration tests safely simulate a gauntlet of different attacks on your networks and online connections with the goal of finding security flaws before any hackers have the opportunity to take advantage of them and cause you harm.

Reviewing your code just doesn’t cut it

But why penetration testing? What makes this method so effective at keeping you protected? Penetration tests bring several advantages and benefits to the table. The bottom line is that reviewing your code visually to try and spot vulnerabilities just doesn’t cut it. Reviewing code this way is notoriously difficult and long lines of code interacting with one another can behave in unpredicted ways, leaving hidden back doors unlocked to attackers.

Penetration testing gives you the ability to get in the mind of the hackers and think like they do. When the military draws up war plans and formulates strategies, they simulate the whole thing with massive exercises. Some of the troops play the part of the enemy and a full-blown simulation is enacted while every possible scenario is considered and acted out so the generals know best how to prepare themselves. The same is true of penetration testing.

Without careful penetration testing, you leave your business open to any attackers with the ability to locate and take advantage of vulnerabilities in your systems. That could mean losing customer data and therefore public trust; you could have technology or even money stolen right from under your nose; and the network your computers rely on could be brought to a complete standstill along with your business operations.

In any of these scenarios, you face major setbacks that could be very difficult to recover from. Penetration testing is all about putting you ahead of the threats you face and making sure you can continue to prosper free of worry.

Different kinds of PT

All the kinds of pen testing you should know about

If you’re here, you’re probably turning your attention to your company’s cybersecurity. Welcome, and good job – you’re doing the right thing. Cybersecurity is a major issue for every business to confront these days and it’s an increasingly complex topic, requiring input from industry professionals who understand the kinds of threats posed to companies with any kind of electronic network.

But what do such experts do to keep you safe? The first step is diagnosing the problem – in other words, finding the vulnerabilities in your systems, and that means penetration testing, or pen testing. By safely simulating an attack on your systems, pen testers are able to infiltrate your operations and show you how they did it so the vulnerability they took advantage of can be fixed. Here are the different kinds of pen testing you should be aware of:

Network services

This type of pen test can be both internal and external, looking for vulnerabilities in your networks, systems, hosts and network devices like routers that hackers could infiltrate to extract data or even take control of for their own purposes. Think your clients’ data is safe in your network? Network services pen tests will tell you for sure, by examining things like:

  • Firewall configuration
  • Stateful analysis
  • Firewall bypass
  • IPS evasion
  • DNS attacks

A big part of keeping your network safe is examining your wireless connections. A password on your Wi-Fi often isn’t enough to keep out a sophisticated hacker. That’s why experts look into the use of wireless devices at your office to see how they could be used to hack into your cyber infrastructure and cause damage. Wireless protocols, wireless access points and administrative credentials are all checked in this process.

Web application

Web application pen tests go deeper than the network services tests, looking for security flaws in web-based applications. Expect this test to take longer due to its complexity. But the time spent is well worth it as web application tests dive into important components like ActiveX, Silverlight and Java Applets.

This type of testing can also look at issues within your workspace. What if your laptop fell into the wrong hands or your personal computer was successfully hacked from outside? Suddenly, a lack of security at your own workstation turns into a security liability for the entire company. Web browsers on your computer and installed software are scanned to make sure there are no backdoors from your device to infiltrate the company’s infrastructure.

Native mobile app testing

There are also all kinds of clever ways to tests those high-performance mobile apps that store lots of sensitive information. A vulnerable financial app could leave credit card information or bank account details exposed to hackers without doing your due diligence. For an app like that, a serious breach could be the end of the line.

A word about black, white and gray box testing

As you educate yourself about your company’s cybersecurity, you’re also likely to come across the terms black box penetration testing, white box penetration testing and gray box penetration testing. These are more general terms that refer to how much knowledge a hacker has of your systems and therefore what conditions a tester needs to simulate.

In black box testing, it’s assumed that the hacker knows next to nothing of your cyber infrastructure. A full-on attack is launched at your entire system to try and locate a weakness. It’s good old-fashioned trial and error. In white box testing, testers simulate a situation in which a hacker has full knowledge and access to key elements like the source code and software architecture of a web application. Gray box testing sits somewhere in the middle, assuming that a hacker has obtained partial knowledge of your systems and how they work. Considering which angle to approach pen testing is important to locate any threats that a hacker could find and exploit.

It’s often best to periodically do a full sweep, making sure that all of these systems are as safe as can be and keeping you protected from whatever new tools and methods hackers may have come up with. Whatever the case may be, security is always a top priority.

What is penetration testing?

Who knows more about security than those who are able to breach it? The thief who gets the jewel from the museum must have utilized some flaw in the security system that no one recognized before and the hacker that steals data or plants a virus does so thanks to a cyber vulnerability that slipped through the cracks.

While thievery and hacking are harmful to any business that falls victim to a security vulnerability, the one upside they produce is bringing that same vulnerability out into the open. It’s an odd cycle: Without thieves and hackers, you wouldn’t need cybersecurity, but falling prey to them makes you aware of the threats you face. Once your system has been hacked one way, it’s up to you to do your due diligence and analyze the vulnerabilities they took advantage of. After fixing them, any other hacker that comes along will need to find a new approach to slow you down.

That’s why, in a roundabout way, hackers and thieves are performing penetration tests. By breaking into your system, they reveal the flaws that you might have missed, and the result is stronger security for the future. But not everyone capable of breaking into your system means to do you harm. Why allow dangerous individuals to break into your system when you could authorize experts and professionals to penetrate your operations with the purpose of locating vulnerabilities and helping you resolve them?

Now we’ve arrived at the essence of penetration testing, otherwise called pen testing. True pen testing isn’t just an action, it’s an intention. While thieves and hackers want to harm you, pen testers want to help you stay ahead of threats technologically. To meet this goal, they use all the tools in their cyber arsenal to see if and how they can break into your system – not to steal or cause harm, but to come up with ways to make your system safer.

That’s why pen testers like those at GRSee don’t just hack into your system and prove that you have a vulnerability, they show you what they did and how they got in before recommending ways to fix the issues that were found.

What better way to beat the hackers than to think like them and use their weapons against them? As long as cyber assets continue to grow in importance, ill-intentioned individuals will try to find vulnerabilities to benefit from. The best way to get ahead of them is to simulate an attack on your system before a real one can take place.

From creeping worms to costly viruses: The evolution of cybersecurity

As with every other major technology developed by mankind, it didn’t take us long to demonstrate how the digital world could be used for nefarious means. Cyberspace was conceived of as a sort of utopian, open, free space for instant global communication – and that ideal is still alive in the minds of many users and entrepreneurs. But the last 30+ years have shown us that even the greatest of utopias need a defense force to protect it.

You reap what you creep

Did you own a computer in the 70s? Probably not. Did you know what the internet was? Definitely not, because it was called ARPANET back then: the earliest evolutionary ancestor of our interconnected lives. But while you remained in a state of blissful ignorance, it wasn’t only the internet that was being put together; a foundation for the digital virus was being laid.

Today, we fear internet-borne viruses like the plague and the threat of hackers disabling important infrastructure like electrical grids is very real. But it didn’t start out with such harmful intent. In fact, it was downright innocent behavior that created history’s first worm, called “Creeper”. It was nothing more than simple code written by BBN Technologies engineer Bob Thomas that reached computers connected to ARPANET (of which there were only a few) and playfully displayed the words “I’m the creeper: catch me if you can!” on the screen.

But the world’s first worm gave rise the world’s first cybersecurity mechanism, a slightly more sophisticated code from Bob’s colleague Ray Tomlinson that moved between computers on ARPANET, copied itself in the process and did nothing more than deleting Creeper. This countermeasure would forevermore be known as “Reaper”.

Early internet vulnerabilities

Creeper and Reaper had set a theoretical precedent for cyber threats and cybersecurity, but the digital space still wasn’t outright dangerous, as highlighted by the “Morris Worm” in 1989 – the first major case of a denial-of-service (DoS) attack. Robert Morris, the author of the new generation worm, argued in court that his code was only designed as a way to measure the size of the internet at the time. Whatever his intentions, the worm slowed infected computers and infected them multiple times until they became inoperable.

The Morris worm may have infected a whole 10% of computers connected to the internet and clean up was estimated to have cost anywhere from $100,000 to $10,000,000. Cybersecurity was caught unprepared and removing the worm required the entire internet to be shut down for several days on a regional basis. Industry experts, with both positive and negative intentions, were waking up to the power of cyber threats.

Cybersecurity on the backfoot

It would take a while for cybersecurity measures to catch up to the threats of viruses. In the same why firefighters are on duty to put out fires where they pop up, the Morris worm taught everyone that the internet needed its own emergency response team. CERTs (Computer Emergency Response Teams) were established to fill this role, but the early 90s saw them reacting to threats rather than trying to prevent them.

Antivirus software finally hit the market in the middle of the decade, offering a simple preventative solution to most basic viruses that could be installed on any computer. At that point, the internet had become saturated with viruses created by less-than-savory players in the industry who knew they could get away with simple harmful activity. While antivirus programs helped put an end to this proliferation, they also triggered an arms race.

As the capabilities of hackers and viruses became more and more sophisticated, awareness of potential threats and investment in protection increased. Things went well for over a decade until a series of complex attacks in recent years seemed to show that at least a few of those with malicious intent had gotten a step ahead of antivirus and security experts.

Target was hit, along with the British healthcare system and a number of other large institutions that employed the largest security companies using the most sophisticated defense techniques. But the good guys have learned from these incidents and stepped up their game even further. Will any network ever be 100% secure? Possibly not, but the consequences of ignoring cybersecurity are too big to ignore and large, complex attacks only highlight the need for businesses in the digital space to work closely with cyber experts who continuously keep themselves up to date with developments in the industry and keep the hackers on their toes.

Simply put: How we at GRSee increase your security

Running a business means focusing on growth. You want to bring your products and services to as many people as possible because you believe in what you do; you want to increase profits to hire more workers and expand operations, so you invest your efforts in PR and customer care. These activities make sense and, performed correctly, directly contribute to your prosperity.
Ideally, you should be free to focus on these kinds of initiatives that directly support growth. But without a solid behind-the-scenes backbone of security, compliance and risk management, even great momentary success can be painfully reversed in the blink of an eye. GRSee addresses these concerns for you, so you can pursue other tasks safe in the knowledge that none of these three critical areas are being ignored.

Your freedom, our focus

While you dive into all the other business activities you need to pursue to thrive, GRSee handles three elements that are even built into our name. GRSee stands for GRC, or Governance, Risk management and Compliance. Without solid footing in these three areas, your business could face future losses to legal problems encountered when trying to adhere to new and complex regulations or cyber-attacks and other related threats. It’s best to put these concerns to rest before encountering any real mishaps.


Let’s take a closer look at what we do every day to ensure that businesses like yours are safe, compliant and built to weather any storm:

  1. Compliance – GRSee aims to bring your business into full compliance with security standards and related information and data regulations. ISO 27001 directly addresses the overall security of your systems and governance while PCI DSS is a standard that must be met by any business accepting card payments. Meanwhile, Europe’s GDPR helps protect user data and the CCPA aims to do the same in California.
  2. Cyber security – In our connected world, even the best business concepts can be brought down by ignorance of potential cyber threats. Depending on who you are and what you do, these threats could come from individual hackers looking to steel or cause trouble just for fun, politically motivated groups that aim to disrupt or corrupt your efforts, or even advanced and well-coordinated governments around the world. Maintaining cyber security has never been more important for a business or its customers.

GRSee offers a wide range of cyber services and a team of experts with over 20 years’ experience in the field. With penetration testing and Advanced Persistent Threat Simulation, we simulate attacks on your computer system, application infrastructure or otherwise to ensure that defenses are up to snuff and to reveal any vulnerabilities that need paying attention to. We also review the entire architecture of your digital infrastructure to identify potential weaknesses that could be exploited.

  1. Risk management – This is closely related to our cyber security work. Our experts provide ongoing analyses and assessments of the risks your business faces and aims to help you keep operations in line with global information security standards. Meeting them tells everyone else that your business is safe.

To this end, we also give businesses the opportunity to adopt one of our experts as their CISO (Chief Information Security Officer), who takes charge of security operations and acts as an ongoing advisor and consultant for all cyber security issues as well as formulating and overseeing tailor-made long-term security strategies.
We can tackle all of these issues with you, making sure your business is following the best practices that boost confidence and reduce the number of unforeseen but completely avoidable roadblocks you might encounter on the road to success. Based in California, New York and Israel, we already provide service to global brands like 888, Fiverr and Amdocs. In this way, our work doesn’t only make you free to focus on other areas of business, our involvement also contributes in more direct ways to your growth and prosperity.

How to Avoid These Five PCI-DSS Pitfalls

Kudos to you for taking credit card data security seriously! You’re likely feeling good about taking that big step to properly secure your customer’s credit card data by becoming PCI DSS accredited. And you should! However, did you know that compliance alone does not necessarily guarantee data security? Here are five things to look out for to ensure the credit card data is truly secure and that you don’t find yourself caught in one of these common pitfalls.

1. Failing to review firewall rules and perform penetration segmentation tests every half year

According to the PCI DSS standard, service providers must review firewall rules and perform penetration segmentation tests every half year. Though most companies remember to do the PTs leading up to the audit at the end of the year, they often fail to do the proper checks mid-way through the year. Mark it in your calendar so you don’t forget these important steps in your PCI compliance!

2. Failing to Manage Vulnerabilities

As part of the PCI DSS standard, vulnerability checks need to be performed on a quarterly basis. Additionally, any vulnerabilities that are found need to be remediated during the same quarter. Failure to do so leaves credit card data vulnerable and increases the chances of a security breach. Unlike the initial certification which requires a vulnerability check during the last quartey only, when being recertified, checks are required on a quarterly basis.

3. Improper Scoping

When it comes to PCI the ‘scope’ is the cardholder data environment (CDE) and includes all of the systems, people, processes, and technologies that handle cardholder data. It is important to note that systems that support & secure the Cardholder Data Environment must also be included in the scope of PCI DSS. Examples include antivirus, patch management, vulnerability scanners and the like.

4. Storing SAD (Sensitive Authentication Data) After Authorization

During the payment process, service providers collect Sensitive Authentication Data (SAD) to authorize the payment. However according to PCI Regulations, you are only allowed to use SAD strictly to process the payment and may not store the data after completing the authorization.

5. Addressing PCI DSS Compliance During Audit Period Only

PCI should be part of your annual work plan and not reserved for a once-a-year security check. In order to be compliant and truly keep sensitive credit card data secure, the requirements delineated within the PCI DSS Standards should be followed and managed throughout the year.

Why Do I need to be ISO 27001 Certified?

Have you been thinking about having your organization ISO 27001 certified but not sure if it’s really “worth the hassle?” For those less familiar with ISO 27001: 2013, it is the global information security standard that delineates the best practices to manage information security risk.

Below are 4 items to consider before making your final decision.

1. It’s good business!

Being accredited by ISO 27001 gives you a competitive edge and is proof to existing and future customers that you are taking a proactive approach to protecting their data from information security threats. Winning or losing a tender can weigh heavily on whether or not you have this certification. Being ISO 27001 certified expedites the sales cycle, rather than stalling it due to compliance requirements that have not been met. Lastly, access to global markets may also be dependent on whether you are certified, due to ISO 27001 requirements in some countries.

2. Manage risks to safeguard data & intellectual property

Maintaining data privacy and other assets is a top priority for most organizations, especially for those that are holding private client information. ISO 27001 has set up the most systematic approach to identify, store, access and manage this data safely. By utilizing the ISO 27001 method of safeguarding data, the organization greatly reduces the severity of threats on its information.

3. Avoid financial losses and penalties associated with a data breach

Are you worried about how much ISO 27001 accreditation is going to cost you? Well, opting not to get accredited can cost you a lot more in the long run! You need to weigh the cost of compliance against the cost of potential fees associated with fixing a data breach as well as possible interruption of business.

4. Improve your processes

Companies are growing and changing fast and before you know it roles and responsibilities relating to data and other assets get blurred. As part of the process of ISO 27001, definition of roles and responsibilities are clearly spelled out thereby strengthening the organizational structure of your organization and allowing for clear and concise steps going forward.

Being ISO 27001 certified forces your organization to take a hard look at what’s working and what’s not when it comes to information security and create a clear and concise roadmap to improve processes going forward . The benefits of this process extend not only to the information security of the organization, but also opens up doors for increased revenue going forward.

A Worthwhile Resolution for 2019

New Year’s Resolutions. We all have them. They often sound something like this:

“This year I’m going to eat less, exercise more, and be a better spouse/parent/employee/person…” and the list goes on. Sometimes we follow through for a week, or even a month. But usually we don’t stick to it for very long.

Well here is a resolution that you can and should be making and sticking to in 2019 for both your personal and professional safety and benefit. It is time to take cybersecurity seriously. With the Identity Theft Resource Center (ITRC) reporting 1,027 breaches which includes 57,667,911 records compromised as of November 2, 2018, the statistics are pretty baffling.

Personal Security

Enable 2FA (Two Factor Authentication) whenever possible – This requires a name and password + an additional type of verification needed in order to access private info. This usually simple step of for ex: verification via your cell phone can greatly decreases the chance of a personal breach.

Manage passwords safely – Guess what?! Using your sweetheart’s name and birthdate for all your passwords while perhaps cute is not the smartest (or safest) way to keep your personal data safe. To really keep your information safe, you need to create unique passwords for each of your applications, e-mail, accounts etc. There are many password tools out there that can help keep all of your passwords safely in a single location.

Organizational Security

Risk Assessment – Are you able to make heads or tails as to where your organization is standing from a security standpoint? How well are your data and assets protected? Do we have the right policies and procedures in place to prevent a breach? Performing a risk assessment will provide your organization with an overview of your current security posture so you can then create a security roadmap and prioritize accordingly.

Penetration Testing – There are two major reasons that your organization will benefit from doing penetration testing:

1) Having a penetration test performed on your environment (aka ethical hacking), allows you to see how a potential attacker sees your organization and its vulnerabilities. With security breaches making headlines throughout 2018, now would be a good time for you to check!

2) You are looking to offer your product/services to companies A, B, & C. In most cases, the companies you’ll want to do business with require mandatory penetration testing. Be prepared today so you can sign new customers tomorrow!

Here’s to a safe and productive 2019!

Your company is going international. What about your cybersecurity?

If your company is approaching new markets overseas, cybersecurity should be a primary concern. Regulatory environments, compliance, and privacy laws differ significantly from country to country and protecting your data, as well as that of your customers, are of great importance.

Being prepared in advance will help you enter your new market quickly so you can hit the ground running.

Risk management: it’s a game-changer

Risk management is crucial, whether you are in a compliance-heavy industry or not. Having a good understanding of the regulatory environment in the countries you are doing business in is a good place to start.

Penetration testing (PT)

Assessing your risk is an important first step towards compliance. Penetration testing, sometimes known as a pen test, is a way to determine your risk through authorized hacking. Pen tests are conducted to find exploitable weaknesses in your system so that you can be better prepared for any potential threats.

The results of your PT will help you to address any security issues before you pursue the appropriate certifications.

Here are some of the essential credentials and standards you should be aware of when taking your company international:

ISO 27001 certification

ISO is an organization that deals with international standards. ISO 27001 is specifically geared to information security management and is recognized as a worldwide protocol to help companies manage risk to their data assets. ISO 27001 certification is a best-practices approach that shows your company is managing their data security in line with the highest international protocols.

PCI DSS compliance

PCI is a standard for securing the data surrounding online payments. It applies to all companies that process and store payment data for their customers and vendors and also covers third-party vendors who might also have access to this data. If you accept payments online with any type of payment card, PCI DSS standards apply to you.

GDPR compliance

The General Data Protection Regulation (GDPR) becomes law in May of 2018. This regulation protects the personal data of all EU citizens and businesses and any company that does business with EU people or entities must comply.

HIPAA compliance

The Healthcare Insurance Portability and Accountability Act (HIPAA) applies specifically to personal healthcare and medical data. If you store protected health information for your employees, you must be HIPAA compliant. This includes healthcare providers, healthcare insurance providers, and companies that handle third-party billing or data processing for any of the above.

Don’t let non-compliance be a show-stopper

Compliance with international standards is essential to your business continuity. In most cases, until you comply and show a certification, all contracts, deals or any other relations with partners or customers will be on hold.

Here are some of the methods you can use to ensure compliance and data safety:

Penetration testing (PT)

GRSee uses proven methods to discover vulnerabilities in your system through our own Application Penetration Test model.

IT Security Questionnaires

OWASP CISO Survey

The Open Web Application Security Project (OWASP) questionnaire asks a range of questions to help you determine your level of risk. Most of those questionnaires are based on the ISO 27001 standard, so if you are already in compliance with ISO, it will save you a lot of work. keep in mind, however, that your answers are simply a snapshot in time, so revisiting the questions periodically is always a good idea.

To help you manage the survey, GRSee offers CISO (chief information security officer) as a service. The CISO we assign will be in charge of answering the questionnaires and will provide solutions to any issues that are identified, functioning in a capacity that best suits your needs.

Bottom line, if your company is going international, you need to be prepared to answer to international compliance standards. GRSee Consulting is dedicated to supporting your compliance from every possible angle with specialized expertise and SaaS solutions you can depend on. Call today to schedule your cybersecurity audit.

Preparing for the GDPR: What You Need to Know

The GDPR becomes law in May of 2018. If your company does business with any EU citizen or entity, you need to be prepared for this new law, which is designed to protect and strengthen the privacy for all individuals residing in the European community.

The law applies to any business or public-sector entity that retains the personal or payment data of EU citizens. Under the law, companies will be required to be able to directly access this information for correction or deletion purposes and customers whose data is being held will have the option to “be forgotten” – meaning, if one of your customers asks for their data to be deleted, you must comply.

This is only one aspect of this very complex law, but it is a significant one. As a company looking to become compliant, it will be necessary to develop a workflow that makes it easy to accomplish these requests.

For many, this means a digital transformation will be necessary if indeed you have not yet initiated such as process. Modernization of data storage and security is absolutely crucial, especially for SMBs or enterprise, as the sheer volume of stored data will necessitate a capable data classification system in order to allow admins to isolate, manipulate, and delete data when needed.

KEY ELEMENTS OF THE GDPR

While this is by no means a complete guide to GDPR compliance, we have put together an
overview that covers the key points:

1. Data flow mapping & analysis

In order to understand what kind of data your organization processes, it will be necessary to create a data flow map to show the flow of your data from one interaction point to the next – for instance, from the supplier to the shipper, to the customer, and so on. This is meant to identify
any potential unintended use for the data and therefore requires that you consider what parties may be using the information and for what purpose.

2. Data type analysis

Your data flow maps should include the type of information being collected and how it was obtained – for instance, through a web form, direct data entry, or over the phone. Data needs to be analyzed as to the risk it may pose so that adequate measures are put in place. Being able to classify the type of data you are storing is key to assessing risk.

3. Analysis of currently implemented controls

This phase examines the legal and risk controls that you have currently implemented from a legal, organizational, physical, and technical point of view. This is primarily to control any identified risks prior to any processing of any new data.

4. Identify scope – processor or controller

The extent to which your company is liable under the GDPR largely depends on whether you are a “controller” or a “processor” of data. A data processor handles data on behalf of the data controller and so is not subject to as many obligations where the data is concerned. Though the
data controller is largely responsible for the disposition of this data, the data processor may still be liable to a degree if they are storing data on their servers, for instance, or are providing any other 3rd party service (such as a shipper).that uses the data.

5. Review of privacy policies

Data controllers will need to be more specific in crafting their privacy policies. According to the GDPR, you must provide clear information on how you are using your customer’s data. This information must be:

  • Concise, easy to understand and easily accessible
  • Written in plain language that would allow even a child to understand it
  • Provided free of charge

6. Review of third parties’ policies

The privacy policies of any 3rd party your company does business with should be thoroughly reviewed to ensure that their policies comply with GDPR regulations. This is meant to prevent unauthorized use of customer data. Article 28 of the regulation outlines in great detail how processor-controller contractual relationships should be worded.

7. Privacy review in SDLC

In addition to all the customer-facing data issues covered by the GDPR, the law also affects software development lifecycle and processes for any IT company that seeks to do business with or provide information systems for the EU. The GDPR has technical and functional implications that require a high degree of planning in the initial phases of SDLC. The earlier in the process that these items are addressed, the less complicated and costly it will be in the long run.

8. Reviewing core GDPR issues

  1. The Right to be forgotten: Article 17 of the GDPR states that customers whose data is being held have the right to ask for it to be removed.
  2. Data roaming: This issue affects the transfer of data on the open internet, as may happen in a mobile computing environment.
  3. User’s consent: users must consent to their data being used. This may take several forms, depending on how your organization used this data.
  4. Data destruction: data destruction poses a significant risk, especially when dealing with a hard copy (paper documents). If you use an asset disposal service (classified as a data processor under the GDPR) you must ensure they are compliant with GDPR regulations to reduce your risk.
  5. Review of special categories: this involves data that relates to a wide range of variables, including human resources and employee data, data relating to children, and health records for example. This area is quite complex, but it seeks to safeguard the privacy of the individuals whose data is being collected.
  6. Dispute resolution: article 65 of the GDPR sets forth the process for dispute resolution by the Board if the supervisory body finds any infringement.
  7. Cookie consent: the GDPR calls into question the current EU cookie consent laws. The GDPR sees cookies as a unique identifier, and so consent rules do apply. If cookie data is used for more than one purpose, there may be a need to establish separate consent for each use.

CREATION OF GDPR ALIGNMENT WORK PLAN

If you have not yet begun to map out your plan for GDPR alignment, GRSee can help. Though the law is multi-faceted and complex, as experienced auditors who have performed hundreds of compliance projects, including GDPR alignment projects, we have created an efficient and proven methodology that will get you up to speed quickly.

WHAT’S THE SMOKING GUN? FINES OF UP TO 20 MIL EUROS!

With so much at stake, it is imperative that your security practices need to be in place as soon as possible. Some of the mechanisms you can implement right away include privacy by design at the SDLC (development lifecycle) level, pseudo anonymization, opt-out mechanisms, redacting data, and destroying old or redundant data.

Boosting internal security is always a good idea as well, especially if you retain hard copies of any personal, payment, or other sensitive information that needs to be protected. Locked cabinets and file rooms are a good start, but establishing a secure digital storage solution is also important. Furthermore, for those who are ISO 27001 compliant, you’ve already fulfilled some of the requirements necessary for GDPR. For those not yet ISO compliant, it’s a great opportunity to kill two birds with one stone.

There’s never been a better time to start your digital transformation. Call GRSee today to set up a free consultation.

The GDPR is the Biggest Thing since SOX

To those of you who have been dealing with data governance and compliance issues since the Sarbanes-Oxley Act (SOX) appeared on the scene in 2002 – are you having flashbacks yet?
Once again, we are facing new, exceedingly strict regulations coming down the pike and once again, there are serious budgetary concerns around developing a compliance architecture. Many companies, in fact, still struggle with SOX compliance for various reasons. They adopt a reactive
rather than a proactive stance when issues come to light, which is, as we all know, an inefficient and costly way to do business.
While SOX applies to companies in the United States, the GDPR is focused on the EU. In both cases, however, there is an increasingly high degree of international overlap as companies continue to expand their global presence.
Bottom line, if you do any business whatsoever with EU citizens—even if you’re a B&B who occasionally has European visitors—you need to pay attention.
One major advantage we have heading into the GDPR is that these days, technology truly is on our side. That sign you’ve been looking for? This is surely it. If you have not yet begun your digital transformation, the time is now.

WHAT HAPPENS IF YOU DO NOTHING?

GDPR non-compliance has serious implications that will affect companies anywhere in the world who do business in Europe, or who do business with EU citizens. It’s a complex set of requirements meant to meet today’s increasing need for data protection against mounting cyber-threats as well as unauthorized use of personal data. This also extends to your marketing analytics as well as any online activities that involve collecting traceable personal identifiers.
The consequences of non-compliance are great: companies could face fines of up to €10-20M – certainly not small change. Depending on the type of breach at issue, you may also be subject to an audit, a review of your licensing, your certifications, and you could potentially face restrictions
on how you collect and process data in the future. If you are caught up in such an unfortunate situation, the damage to your company and your business reputation might be irreparable.

ACT NOW

There are so many layers of complexity in the GDPR that even the most seasoned CISO or other executive officer might be experiencing a few sleepless nights. Because of this, equally nuanced solutions are necessary. Above all, you want to avoid having to take a reactive stance in the instance that any of your systems or transactions are under scrutiny.
Even if you have an internal IT team, working with an external consultant who specializes in data protection and compliance is a good idea. Chances are, your team has their hands full with your day-to-day operations and they may not be particularly well-versed in data governance. Working with a highly specialized crew to establish your GDPR strategy will give you the peace of mind you need to move forward with confidence.

CONCLUSION

Preparing for the GDPR is a massive undertaking, but it doesn’t have to be painful. With GRSee’s proven GDPR methodologies which address data security & governance, combined with strategic policy restructuring, you can achieve compliance in far less time and for far less money than you
might think.
GRSee is America’s compliance specialist: schedule a free consultation today and find out how easy it is to get started.

5 simple steps for GDPR compliance

As the GDPR deadline of May 25, 2018 creeps closer, our thoughts turn to compliance and how to achieve it without losing any (more) hair in the process.

If you have been putting off making the necessary adjustments to your data security, privacy, and governance policies and procedures, keep in mind that the clock is ticking down rather quickly now. The good news is, by following a series of simple steps, you can clear that GDPR smoke screen and get back to doing what you do.

Here are five simple steps you can take to get you GDPR compliant with minimal pain.

1. Data flow mapping and analysis

Data classification is a major step towards GDPR compliance, but this can be particularly complex if your data is stored on physical servers, as any stored backup copies would also need to be accessible in case you needed to remove or edit a record. If you were still using tape backups, the undertaking would be virtually impossible, taking up countless IT hours for something that could be accomplished in a few keystrokes. You need to know how your data flows in and where it goes from there – including its interactions with 3rd party vendors such as shippers, email services, marketing platforms, and so on. With GRSee’s vast experience in governance risk & compliance projects, we have created methodologies that are efficient and has allowed us to successfully support your transformation.

2. Analysis of currently implemented controls

While you likely have some controls in place, each should be reviewed and considered in the context of the GDPR. This should be a step-by-step process in which you examine your data flow to see whether your existing controls are going to be adequate, if you merely need to make some adjustments, or start from scratch. This will include written policies as well as all applicable IT, hardware and software solutions.

3. Review of privacy policies

Privacy policies must be worded more precisely. You must now disclose exactly why you are collecting personal data and how it will be used, stored, and shared among your 3rd party processors. By proxy, this also mandates that you review your 3rd party vendors’ policies as well to ensure they are in compliance.

4. Review SDLC for privacy

Your software development cycle (SDLC), if this applies to you, is going to take a hit as well. The SDLC is affected substantially, in that GDPR requirements will need to be addressed in every stage of the software product lifecycle. This will be necessary in order to remain financially viable in production and avoid costly reworking later on. Problems can be avoided if these issues are addressed as early as possible in the process.

5. Creation of GDPR alignment work plan

Aligning your processes to support best practices in light of the GDPR is crucial. The earlier you begin to map out your transformation, the less tap dancing you will have to do when the law comes into effect on May 25, 2018. Preparation is the first step, followed by the implementation of effective procedures, and finally maintaining your protocols to assure ongoing accountability.

If you have not yet begun your digital transformation, the imminence of the GDPR may help you get started. Speak with GRSee to set up a free consultation.

PCI DSS Myths

Myth: Only large companies required and can undergo PCI DSS certification

Fact: Incorrect. PCI DSS applies to all entities involved in payment card processing including merchants and other entities that store, process and/or transmit cardholder data. They all must comply with PCI DSS requirements. In fact, PCI DSS was developed to enhance the security of cardholder data, that is why any entity that holds cardholder data should comply with the standard.
Non-compliance could mean high risk for these entities because when there is a security breach to cardholder data and they are not PCI compliant, they could be subjected to penalties such fine and other sanctions from banks and credit card processors. They may also be subject to lawsuits and/or governmental prosecution because of failing to protect customer data.

Myth: Using certified PCI DSS cloud (SaaS, PaaS, IaaS) which is certified, automatically becomes PCI Complaint

Fact: Incorrect, while many companies/merchants now use cloud services they still have to comply themselves with PCI DSS even though they use services from certified PCI-compliant providers.
When you are using cloud services, you have to clearly define the responsibilities of your own and your cloud service provider to maintain the compliance to PCI DSS requirements. In order to do that, you should understand the details of the offered services. Your provider should clearly identify which requirements of PCI DSS are covered by its PCI compliance program and which ones are not. The provider then has to document those aspects of its service which are not covered and make an agreement with the client (i.e. your company) that those aspects are your responsibility to manage and assess.

Myth: Once achieve PCI DSS compliant, the next year you have nothing to do.

Fact: The achievement of PCI-compliant does not mean you have reached your final goals. You still need to maintain the policies, procedures, and good practices that are consistent with PCI DSS requirements. Moreover, validation of compliance should be performed annually.
Beyond PCI DSS compliance, the standard was developed to protect cardholder data, then it is important that you implement all controls (such as policies and daily operational security procedures) that are consistent with PCI DSS requirements in your daily business activities. Only by continuously and consistently executing all these security controls including development and implementation of a security awareness program to make all relevant parties and personnel aware of the importance of cardholder data security, the objectives of PCI DSS can be achieved.

7 Benefits of PCI DSS compliance

That Will Energize You to Comply with The Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a standard that comes up as an answer from card issuing banks and branded card networks (i.e. Visa, MasterCard, Discover, American Express, etc.) to strengthen the protection of cardholder data after the major card breaching, back in 2005, when 40 million cards were compromised.

That was a correct action to regain the trust from cardholders so they can still feel comfortable when using their cards to pay their transactions.

To successfully implement the standard, every organization that has obligation to comply, need to understand what benefits they will gain by being PCI-compliant. By keeping these benefits in mind, the objective of protecting cardholder data can be achieved successfully and much easier, because they know the benefits that they will get.

Actually, to comply is both obligation and investment for any merchant or organization that processes, stores and transmits cardholder data, and their investment will return in the form of tangible and intangible benefits, as follows:

  1. Security improvement – decrease the risk of security breaches
    Like any other compliance programs, many organizations may have a question in their mind before they put efforts on a journey towards compliance: is this standard providing real impact and value if we implement it or just for the sake of compliance? This question is very important to address and should be answered seriously.
    For organizations that comply with PCI DSS requirements, there is a real value that they will get. A study conducted by Verizon stated that PCI compliant organizations are more likely to successfully resist a cardholder data breach significantly up to fifty percent.
    This means the PCI DSS with 12 requirements are an adequate set of security controls to protect cardholder data if we can implement them properly.
  2. Get peace of mind of you and your customers
    So, you will feel safe and your customers feel safe too. This is the result that you will get as you’ll be much less likely to suffer cardholder data breaches.
    You feel confident that you have done anything you should do to protect cardholder data. Your customers feel safe too, they believe that they provide their confidential data to a trusted company, that is you.
  3. Improve customer relationship
    According to a study conducted by Quirk’s Marketing Research Review in 2014 stated that 69% of consumers would be less inclined to do business with a breached organization. As an organization that complies with PCI DSS, you should be able to decrease the data breach significantly. This means you will have a better relationship with the customer. They will see you as a company that has a strong commitment to protect their data.
  4. Increasing profit
    This is a direct impact on the peaceful feeling that your customers get when they have businesses with a trusted company/merchant that comply with PCI DSS.
    In its turn, this will grow the loyalty of the customers to your company and they will obviously be your free great marketing agents as they will tell their friends and relatives about your good and safe services and recommend them.
    You’ll keep existing customers with more transactions and also get new customers. More customers, more transactions, more profit. Isn’t that what you really want?
  5. Avoid costly fines. The risk is much costly than the cost to comply
    Any company or merchant may understand the benefits of PCI compliant. They may also understand that it is their obligations to comply with the standard. But as a business entity, they always consider and think about cost and benefit in any decision they make.
    Well yes of course, in order to comply they should spend some money. The amount of this investment depends on how large your company handles card transactions per year. But when it comes to cost we should compare the cost to comply with the standard and the cost if we don’t comply.
    If a cardholder data breach happens (and it is possible to happen) any involved entity will be investigated. If say a merchant involved and in the time of breaching, it didn’t comply with PCI then they will get a costly fine. The acquiring bank may have to pay a fine of $5,000 to $100,000 per month to the payment brands for PCI compliance violations. The banks will most likely pass this fine down to the merchant eventually. And as stated above, the implementation of PCI requirements properly will decrease the data breaching. This is a real benefit for the company because its possibility of receiving fine will be decreased as well.
  6. Company Image building
    Most customers may not understand the details of the standard but your compliance will make them believe that you have a strong commitment to protecting their cardholder data.
  7. Sustain Your Business
    Any merchant even with one transaction of credit cards has to comply with the standard if it doesn’t comply they will be at high risk. Think the worst case: you are subject to fines and you may also face lawsuits because failing to protect cardholder data. You will lose some money and your reputation is damaged. This may put your business in danger. So, to be PCI compliant is a must for any organization that store, process and transmit cardholder data in order to sustain their existence in this business.

When Organizations understand those above benefits, they will see that to be PCI-compliant is not just because they have to, but also because they need to in order to sustain their business, gain benefits and manage the risk they may have.

Key Success Factors

This is Why Scoping, Segmentation & Tokenization Are the Key Success Factors Towards PCI DSS Compliance

So, what are the reasons organizations fail PCI Audit?

In December 2013, credit and debit card data breaching that happened to an American discount retailer, Target, that affected 40 million shoppers who went to the store in the three weeks after Thanksgiving. This incident shows us how actual and real the threat that many organizations such as merchants are facing today. The needs to protect cardholder data
And this is the primary objective of PCI DSS.

While being compliant to PCI DSS requirements is very important but many organizations still find it’s not easy to comply.
This article covers some issues that cause PCI audit failures so we can take a lesson and do it better when we prepare to comply with the standard.

  1. RIGHT SCOPE
    Scoping of PCI DSS assessment is very important. Scoping defines the certification boundaries. Successful PCI DSS compliance heavily depends on the correct identification of the scope of assessment. The right scope will make you much easier to comply and at the same time reduce the cost of compliance.
    If your scope of PCI DSS assessment is too narrow you could potentially put cardholder data in danger, but if too broad it will make your effort harder and costlier and adds unnecessary cost to achieving PCI compliance.
    The PCI DSS categorizes system components as being either in-scope or out of the scope of assessment. Open PCI DSS Scoping Toolkit has a good method to clearly categorize each system component that will help us define the scope of PCI DSS assessment.
    The toolkit defines three categories of system components, so we can categorize each component based on this. Then we can define which system components are the most important to protect, and which are less or not too important to protect.
    Every system component within an organization can be categorized into one and only one of the following:

    • Category 1 – System components that process, store or transmit cardholder
      data or are not isolated or restricted through controlled access from other Category 1 system components.
    • Category 2 – System components that have controlled access to a Category 1
      system component.
    • Category 3 – System components that are isolated from all Category 1 system
      components.

      Figure 1. System Component Categorization (source: Open PCI DSS Scoping Toolkit)

      After categorizing system components, we can define which components in-scope and which ones are out-scope of a PCI assessment, as shown by the following tables.

      Figure 2. Mapping System Components Categories and Scoping of Assessment (source: Open PCI DSS Scoping Toolkit)

       

  2. IMPLEMENT SEGMENTATION PROPERLY
    Not implementing network segmentation is one of the biggest reason why an organization fails to comply with PCC DSS.
    We can minimize the scope using network segmentation. Segmentation means separating system components or devices that store, process or transmit cardholder data with the other components, keeping PCI-protected payment information away from less important data. We consolidate cardholder data into fewer locations and more controlled environment (i.e. CDE or Cardholder Data Environment).
    According to the PCI DSS, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
    So, it’s clear that segmentation can be very useful to reduce the scope of PCI DSS assessment and reduce the cost of the PCI DSS assessment.
    Without segmentation, for example, card-processing systems will be mixed with back office systems. This arrangement could cause the entire network in the scope for PCI DSS compliance. This will increase the amount of work to comply the standard which can increase the possibility to fail to comply the standard.
    We can implement segmentation by using several technologies, as follows:

    • Tokenization
      Tokenization can be done to reduce the scope of assessment. Tokens are used to replace sensitive data such as primary account number (PAN) data or credit card numbers.
      Credit card tokenization randomly generate a value to replace credit card data. Because tokens are randomly assigned, it’s impossible to compromise or reverse-engineer a token. The only way to see which credit card values associated to which tokens is through a token vault that is usually managed by a third party.
      By using tokens instead of PAN data or credit card numbers, merchants never see customer credit card information. They see only tokens, which are useless information for them.
      PCI DSS states that, “Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment.”
      This means that tokenization can reduce the number of system components that should be assessed because the system components no longer stores or process cardholder data, only tokens. This will reduce the scope of assessment and finally reduce the cost for compliance.
      The tokenization systems components such as card vault and de-tokenization are part of the cardholder data environment (CDE) and therefore in scope for PCI requirements. In the situation which the card vault is handled by a vendor, it will be out of scope of the business that taking the payment cards.
      Organizations that use tokenization provided by third party, must ensure their tokenization vendor has been approved through the PCI SSC, and that they protect tokenization systems and processes with strong security controls.
    • Implement strict access control
      According to PCI DSS Guidance for PCI DSS Scoping and Network Segmentation, in order for a system to be considered out of scope, controls must be implemented to give a reasonable assurance that the out-of-scope system cannot be used to compromise an in-scope system component, because the in-scope system could be used to gain access to the CDE or impact security of the CDE.
      Examples of controls that could be applied to prevent out-of-scope systems being used to compromise the in-scope systems, are as follows:

      • Host-based firewall and/or intrusion detection and prevention system (IDS/IPS) on in-scope systems that block connection attempts from out-of-scope systems.
      • Physical access controls that allow only designated users to access in-scope systems.
      • Logical access controls that permit only designated users to login to in-scope systems.
      • Multi-factor authentication on in-scope systems, such as two-factor authentication (2FA)
      • Restricting administrative access privileges to designated users and systems/networks.
      • Actively monitoring for suspicious network or system behavior that could indicate an out-of-scope system attempting to gain access to an in-scope system component or the CDE.
    • Access rule via proper firewall and router setting
      We can use firewall and router rules to ensure that there is separation between network components or device such as public servers, corporate LAN, and CDE (Cardholder Data Environment). For example, we can set rule to make no traffic that originated from the corporate LAN is allowed into CDE.
      Remember that all controls to establish segmentation (such as firewall setting that limits connections to specific ports or services on specific systems) should be included in PCI DSS assessment to validate their effectiveness.
  3. REMEMBER THIS GUIDELINE
    The PCI compliance may be less expensive and much less frustration if we use the above strategies and follow this guidance:

    • Do it wisely, do what you need and only what you need.
      For example, access to CDE should be given based on business needs only.
    • Consider business constraints.
    • Consider ALL business processes.
      The strength of your security is equal to your weakest link. A company may implement tokenization, but at the same time, if its employees leave out the voice recording system or fax system unattended, your tokenization will be useless.

Carefully considering the strategies and guidelines in this article will enhance your chance to successfully comply PCI DSS.