Regardless of the size or industry of organizations, every month there is headline after headline about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during June and the lessons learned from them.

AMCA

What Happened?

Perhaps the most noteworthy data breach during June was caused by American Medical Collection Agency (AMCA), a healthcare collection agency, when unauthorized persons compromised their web payment page between August 1, 2018 and March 30, 2019. Thus far, it has been reported that AMCA’s data breach has impacted three of their clients and their clients’ customers, including Quest Diagnostics, LabCorp, and Opko Health’s subsidiary, BioReference Laboratories. It is estimated that more than 20 million patients have been impacted by the data breach. Both Quest Diagnostics and LabCorp have since filed complaints with the SEC against AMCA, and AMCA’s parent company, Retrieval-Masters Creditors Bureau, has reportedly filed for bankruptcy.

Lessons Learned from the Data Breach

As a business associate, AMCA put the sensitive data of more than 20 million patients at risk, but the blame doesn’t solely fall on AMCA. When it comes to partnering with business associates, or any third-party vendor, covered entities must perform their due diligence to ensure that the third party they’ve entrusted to provide secure services will be able to follow through with their promises to protect their sensitive assets. This means that organizations must implement a formal risk assessment policy, understand shared risk, and undergo information security audits that validate the security of third-party vendors.

EatStreet

What Happened?

According to ZDNet, on May 17, 2019, EatStreet, a popular mobile and online food ordering service, identified that an unauthorized user had been accessing partner information since May 3, 2019. Over that two-week period, the malicious user, identified as Gnosticplayers, gained access to EatStreet’s network and began stealing information, such as names, phone numbers, email addresses, and financial information, from the company’s database, impacting their customers and partners. While there has been no official report on the number of impacted individuals, it is estimated that EatStreet’s data breach affected nearly 6 million individuals.

Lessons Learned from the Data Breach

EatStreet was not the first organization to fall victim to Gnosticplayers, but their data breach can point to one critical lesson that all organizations should consider when it comes to securing their customers’ data: effective monitoring of their organization’s networks. Although Gnosticplayers only had access to EatStreet’s network for two weeks, had EatStreet been monitoring their network more closely, the security incident could have been identified and mitigated more promptly and the impact might have been much less severe.

Riviera Beach, Florida

What Happened?

According to The Palm Beach Post, a Riviera Beach police department employee caused a city-wide data breach after they opened a phishing email causing a ransomware infection that encrypted and locked the city’s files. Impacted systems and services included the city’s email services, billing systems, and water utility pump stations. After initial discussions, the city council voted unanimously to have their insurer pay the ransom of 65 bitcoins or about $600,000. While investigations are ongoing, the Riviera Beach City Council has planned to allocate nearly $1 million to replace its computer systems, including 310 new desktops, 90 laptops, and other hardware.

Lessons Learned from the Data Breach

The Riviera Beach data breach points to a few key lessons all municipal governments must take into consideration. First, humans are always the weakest link, and one employee could cause an entire city to shut down. Does your local government require their employees to undergo regular security awareness training to stay current on cybersecurity best practices? Second, municipal governments must understand the value in implementing robust cybersecurity strategies for when a cyber attack occurs. Finally, local governments must make it a priority to ensure that their critical systems remain up-to-date to decrease the risks of being impacted by a cyber attack.

U.S. Customs and Border Control

What Happened?

In the second major data breach at the DHS this year, the United States Customs and Border Control (CBP) recently announced that it experienced a data breach impacting nearly 100,000 citizens. CBP explained that a malicious hacker compromised a federal subcontractor who stored photographs of travelers and their license plates.

Lessons Learned from the Data Breach

While the name of the federal subcontractor and border crossing location have not been identified, this data breach is a sobering reminder of the risks associated with increased government surveillance and the need for government agencies to protect the data they collect about citizens. For example, in an interview with The Washington Post, Oregon Democratic Senator, Ron Wyden, emphasized, “If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company.”

Whether it’s a government agency or a private healthcare collection’s agency, at KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur – no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.

More Resources

Rebuilding Trust After a Data Breach

Business Continuity and Disaster Recovery Planning Checklist

Incident Response Planning: 6 Steps to Prepare your Organization

What happens after you receive your SOC 2 report? You’ve just used many resources – maybe even some that you were strapped to allocate – to go through a gap analysis, remediate the findings, and then begin the SOC 2 Type I and/or Type II audit. It’s a massive project that you should be proud to finish…but what now? What makes a SOC 2 audit successful? How do you make the most out of your compliance? Let’s take a look at four ways to prove that your SOC 2 audit was successful, using one of our clients’ SOC 2 audit journeys as an example.

iPost’s SOC 2 Compliance Journey

iPost is a flexible and dynamic marketing automation solution for email and mobile needs, built for marketers by marketers. Like many others in the marketing industry, iPost was being asked by clients and prospects for evidence of their commitment to data security. When iPost decided to pursue SOC 2 compliance, it felt nerve-wracking to begin such a big project. After completing a SOC 2 Type I audit, though, iPost’s CEO, Cameron Kane, said, “The real value in the SOC 2 audit is that we’ve become a better company. The audit forced us to grow, and that’s not an easy thing – but we did it.”

So, how did iPost know that their SOC 2 audit was successful? How can you know that your SOC 2 audit was successful? We’ll give you four key ways.

How Do You Prove Your SOC 2 Audit was Successful?

1. C-Level Support

During a SOC 2 audit, it’s incredibly important that C-level executives and stakeholders understand and support the audit and the organization’s overall information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will care about the outcome of the audit?

iPost’s CEO supported and understood the SOC 2 audit and its purpose, and that made all the difference in making their SOC 2 audit successful. Kane and his team interacted with an Information Security Specialist and the President of KirkpatrickPrice, Joseph Kirkpatrick. When Kane met with Kirkpatrick, the tone for the SOC 2 audit was set: Kane knew that it would be a long process, but also understood that the auditor’s intention was not to find sensitive areas and pour salt in the wound. Instead, the auditor was there to help, point, and direct iPost toward stronger security practices. Right away, iPost’s CEO knew that their SOC 2 engagement wasn’t going to be a stereotypical audit and helped his team understand that there was no reason to be guarded. Kane knew that the KirkpatrickPrice team and the iPost team were all working towards the same goal: to make iPost the best organization it can be. That C-level support made iPost’s SOC 2 audit much more successful.

2. Seeing Real Change Within Your Company

SOC 2 audits are meant to strengthen and enhance your business, yet many organizations are fearful of the process rather than seeing the benefits. At KirkpatrickPrice, we believe a SOC 2 audit is successful when you see real change at your company. This means that the audit isn’t something to be checked off of a list every year, or just another IT thing to include in the budget. Instead, the audit is an opportunity to improve your business processes and organization as a whole. At iPost, almost immediately following their SOC 2 Type I audit, they already felt a change within their employees. Phishing attempts were being reported like never before and their procedures were being followed, all because they had buy-in from their staff.

3. Using Compliance as a Competitive Advantage

When an organization leverages compliance achievements as a competitive edge, they are taking full advantage of the achievement. After all, you just used a lot of time and resources to complete a SOC 2 audit – why not use it in marketing materials and sales conversations?

One of the reasons why a SOC 2 attestation was so valuable to iPost is because it provided them with bigger, better sales opportunities. The opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it. iPost knows their competitors and others in their industry are being pushed towards a SOC 2 audit, and their proactivity has paid off. When they received their SOC 2 report, they were immediately able to close deals that depended on a SOC 2 attestation, use that achievement in sales conversations, and incorporate it into their marketing strategy.

4. Continuing the SOC 2 Journey

Many of our clients have the same feeling after completing an audit for the first time: it was a difficult process, but one that helped their company. After completing a SOC 2 Type I audit, iPost headed towards the next step: a Type II audit. They know that the next audit will still be difficult, but by following remediation guidance, they plan to become as prepared as possible for the SOC 2 Type II audit. It’s important to note that SOC 2 reports (Type I or Type II) are valid for a 12-month period. Industry standard is to engage in an audit annually to validate that your controls are still operating effectively. This may seem like a daunting new process to take on, but many of our clients actually begin to enjoy going through an annual audit. They know what to expect, how to use the Online Audit Manager, how to build a stronger information security program, and can show their auditor improvements they’ve made year-over-year.

When asked what he would say to other organizations considering pursuing SOC 2 compliance, Kane said, “First, it’s not going to be as bad as you think it’s going to be, even if you feel strapped for time and resources. Second, you really can use it in a sales environment. Lastly, your auditor is not there to ‘get you’ – they’re there to help you!”

Are you considering pursuing SOC 2 compliance, but don’t know if it applies to your business or where to start the process? Contact us today to talk through your compliance objectives.

More SOC 2 Resources

SOC 2 Academy

Was the Audit Worth It?

Was the Gap Analysis Worth It?

Why Quality Audits Will Always Pay Off: You Get What You Pay For

In mid-April, KrebsOnSecurity reported that Wipro, one of India’s largest IT managed service providers, experienced a data breach impacting hundreds of thousands of their clients. The cause? An advanced phishing attack affecting a handful of employee accounts. These phishing attacks were then the gateway malicious hackers needed to target Wipro’s customers. What can we learn from this data breach? It all comes down to the need for effective third-party risk management.

How Can You Effectively Manage Third-Party Risk?

If you’ve entrusted a third party with access to your organization’s sensitive data, it’s understandable that you would want peace of mind that they’re doing everything they say they’re doing to protect that data. However, having an effective vendor management program isn’t a one-way street: both you and your third-party vendors are responsible for protecting sensitive assets. If you chose a bank and blindly trusted them to protect your money without performing your due diligence to understand just how they protect your assets, and all of a sudden your money disappeared, it wouldn’t solely be the bank’s fault; it’d be yours too. The same goes for when you partner with a managed service provider. It can be easy to trust an established, well-known managed service provider, like Wipro, but that doesn’t mean you can ignore the obvious: any third party increases your attack surface and is likely to introduce new vulnerabilities into your environment if they aren’t vetted properly. What are some steps to effectively manage third-party risk?

5 Steps to Manage Third-Party Risk

We believe that effectively managing third-party risk begins with implementing the following five steps.

  1. Conduct a Risk Assessment Survey: Get input from management and department heads so you can document specific risks or threats within each department.
  2. Identify Risks: Evaluate something like an IT system and identify the risks to the hardware, software, data, or IT personnel, and also identify the potential adverse events, like natural or man-made disasters.
  3. Assess Risk Importance and Risk Likelihood: Ask, “What is the likelihood of a specific event having a negative impact on a sensitive asset?” Typically, this is expressed subjectively or quantitatively (high, medium, low, or 1, 2, 3).
  4. Create a Risk Management Action Plan: Develop control recommendations to either mitigate, transfer, accept, or avoid the risk using the knowledge gained from identifying risk and assessing the likelihood of those risks having a negative impact on sensitive assets.
  5. Implement a Risk Management Program: Put the four previous steps into action by training your personnel and implementing controls to mitigate risks.

Include Your Third-Party Vendors in Your Audit: Why They Need an Onsite Visit, Too

Another way to effectively manage third-party risk is by including your vendors within the scope of your information security audits. Let’s say that you’ve outsourced your IT services to an organization like Wipro – an organization located across the globe from you. While you think they have a good reputation for delivering secure services, have you ever physically inspected whether they’re doing what they say they’re doing? Have you ever received third-party assurance that their internal controls are in place and operating effectively? Chances are, you have not. By including your third parties in your audit, our auditors will make sure that who you outsource to lives up to your standards.

Are you a managed service provider looking to demonstrate your commitment to security? Do you outsource any of your business processes to a managed service provider and want to ensure that they’re providing secure services? KirkpatrickPrice can help! Contact us today to learn about our risk assessment services and how we can help ensure that your business remains secure when you partner with vendors.

More Vendor Compliance Management Resources

Risk Assessment Guide and Matrix

Vendor Compliance Management Series: Performing an Effective Risk Assessment

Information Security Management Series: Risk Assessment

What is Risk Management?

What is a SOC 1 Report?

Once you’ve made it through the evidence gathering portion of the SOC 1 audit process, our specialized team of professional writers will take the information gathered by our auditors and provided by you in our Online Audit Manager to create a final SOC 1 report. What is a SOC 1 report? It is a report that is based on the Statement on Standards for Attestation Engagements Number 18, Section 320 (SSAE 18) and reports on the effectiveness of your internal controls that may be relevant to your clients’ internal controls over financial reporting (ICFR). What’s included in this report? How do you use a SOC 1 report? Let’s find out.

What’s Included in Your SOC 1 Report?

When you’ve finished your SOC 1 audit, you’ll receive a SOC 1 report that begins with an opinion letter that’s issued by an independent certified public accountant. This opinion letter will include the following:

  • The scope of the engagement
  • What the service organization’s responsibilities were
  • An opinion on the design of the controls
  • The description of the controls that management provided
  • An opinion on whether or not the controls were in place and operating effectively
  • The auditor’s final opinion on the effectiveness of an organization’s internal controls

In addition to the opinion letter, the report will also include a description of the tests conducted throughout the audit as well as an analysis of exceptions to the effectiveness of internal controls.

How Do You Use a SOC 1 Report?

Once you’ve received your SOC 1 report, you might wonder how you can actually use your report. If you pursued SOC 1 compliance because a client requested it, you’ll provide this audit report to their auditors for review. If you proactively pursued SOC 1 compliance without being asked for it, there are many ways to leverage your compliance efforts to give your organization a competitive advantage.

Want to learn more about how we can help you get started on your SOC 1 compliance journey? Contact us today.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series

SOC 1 Compliance Checklist: Are You Prepared for an Audit?

How to Read Your Vendors’ SOC 1 or SOC 2 Report?

What is a SOC 1 report? A SOC 1 report is an audit that is specifically designed for service organizations. It’s based on a Statement on Standards for Attestation Engagements, in this case SSAE No. 18, Section 320. The report starts out with an opinion letter. The opinion has to be issued by an independent certified public accountant. An auditor that is independent from the service organization issues an opinion that covers what the scope of the engagement was, what the service organization’s responsibilities were, and what the service auditor’s responsibilities were. Ultimately, it provides an opinion on the design of the controls, the description that management provided, whether or not the controls were in place and operating effectively over a period of time for a Type II report, and what the auditor’s opinion was after conducting all of the testing and the examination. Once you have the report in hand, the service organization can hand that to their clients, which are known as user organizations. User organizations usually rely upon that report in the course of their own audit, as they are concerned with internal control over financial reporting. You should look for a qualified, independent CPA who has particular expertise in performing SOC 1 engagements.

The Difference Between SOC 1 Type I and Type II: The Audit Period

While SOC 1 Type I audit engagements evaluate a service organization’s internal controls that could impact their user organizations’ internal control over financial reporting (ICFR) at a specific point in time, a SOC 1 Type II audit evaluates those same internal controls over a period of time, usually between six and twelve months. How do you go about choosing your audit period? There are a few things you need to know.

Choosing Your Audit Period for SOC 1 Type II Engagements

One of the first steps that organizations must take when pursuing SOC 1 Type II compliance is choosing their audit period. When choosing your audit period for a SOC 1 Type II audit, you’ll pick a period of time from the past, as auditors cannot make statements about what would happen in the future. Once you’ve determined the length of your audit period, your auditor will review the effectiveness of your organization’s internal controls during that time period.

To find out what audit period works best for your organization’s SOC 1 Type II compliance efforts, contact us today.

One of the things that you have to do to prepare for a SOC 1 Type II audit is to define what the audit period is going to be. These reports are based on the AICPA’s standards, and just like in SSAE 18, the audit period will be a period of time that’s in the past. We’ll be looking back at what did happen during that period; we can’t make any forward statements about what would happen in the future. An audit period is typically six months or twelve months, and the auditor issues an opinion and performs testing on controls that were in place over a period of time. So, get with your auditor at KirkpatrickPrice and talk about what your audit period should be and what would be most appropriate for your situation.