Protecting Your Office 365 Accounts

A key part of your organization’s information security strategy is correct configuration of Office 365, because a compromised Office 365 account is a gateway to much more sophisticated attacks. Many industry breach reports describe the takeover of Office 365 email accounts as an attacker’s first objective, because a mailbox unlocks so much more: password resets for other services, internal contacts, and the conversations needed to craft convincing follow-on phishing. Phishing is the obvious attack method when it comes to email. In 2017, the Microsoft Office 365 security research team detected between 180 and 200 million phishing emails each month. These bulk attacks pay off for attackers: according to Symantec, hacked email accounts sold in groups of 2,500 or more can be worth anywhere from $1 to $15.

Although more and more organizations are incorporating strong security measures into their strategies, it’s still crucial to actively protect Office 365 accounts. Following Office 365 best practices, subscribing to CISA alerts, and keeping up with new patches are three ways to keep your security measures current. Microsoft has named 10 best practices for Office 365 business plans:

  1. Set up MFA
  2. Train your users
  3. Use dedicated admin accounts
  4. Raise the level of malware protection
  5. Protect against ransomware
  6. Stop auto-forwarding for email
  7. Use encryption
  8. Protect emails from phishing attacks
  9. Protect against malicious attachments and files
  10. Protect against phishing attacks using ATP Safe Links

Let’s highlight auto-forwarding. Does your organization know how to check whether any of its Office 365 mailboxes have forwarding rules turned on and configured? Mail auto-forwarded outside of your domain is a classic sign of a compromised account: an attacker who has phished a mailbox creates a rule that silently copies incoming mail to an external address, and that rule keeps working even after the user’s password is reset. Office 365 ships a default alert policy for exactly this event, but do you know how to verify that it is enabled?

Download this guide to learn how to correctly configure your forwarding rules.

How to Verify Office 365 Forwarding Rules
1. Log in to the Microsoft 365 Admin Center
2. Navigate to Office 365 Security and Compliance
3. Alerts > Alert Policies
4. Verify that the policy “Creation of forwarding/redirect rule” is turned on and set to notify the appropriate parties

How to Block Auto Forwarding with Exchange Mail Flow Rules
1. Log in to the Exchange Admin Center
2. Navigate to Mail Flow
3. Create a new rule named “Disable auto forward outside domain”:

• Apply this rule if > the sender is located > inside the organization
• And > the recipient is located > outside the organization
• And > the message type is > Auto Forward
• Do the following > reject the message with the explanation > “auto forward outside the organization is not allowed”

4. Save
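The two procedures above can be scripted, which also lets you answer the earlier question of which mailboxes already forward mail. The following is an added example, not part of the original article or Microsoft’s documentation; it uses the Exchange Online PowerShell cmdlets (ExchangeOnlineManagement module) to audit existing mailbox forwarding and inbox rules, create the same mail flow rule the steps describe, additionally turn off automatic external forwarding in the outbound spam policy, and check the alert policy. It assumes an account with Exchange administrator rights; the property names read from the alert policy object (Disabled, NotifyUser) and the wildcard match on its name are assumptions that you should confirm against your tenant’s output.

```powershell
# Added example (not from the original article): audit and block external
# auto-forwarding in Exchange Online. Requires the ExchangeOnlineManagement
# module and an Exchange administrator account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Mailbox-level forwarding set through admin tooling (or by an attacker who
#    obtained admin rights). ForwardingSmtpAddress is an arbitrary SMTP address,
#    ForwardingAddress an internal recipient; either deserves review.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. User-created inbox rules that forward or redirect. This is what a phished
#    user's attacker typically creates, and the rule survives a password reset.
#    The loop touches every mailbox, so it is slow on large tenants.
$forwardingRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$forwardingRules | Format-Table -AutoSize

# 3. The mail flow (transport) rule from the steps above. The AutoForward message
#    type matches messages the service classifies as automatically forwarded.
New-TransportRule -Name 'Disable auto forward outside domain' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'auto forward outside the organization is not allowed'

# 4. Second control: the outbound spam filter policy can disable automatic
#    external forwarding tenant-wide (-AutoForwardingMode: Automatic, On, Off).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 5. Confirm the alert policy is present and enabled. Alert policies are managed
#    from Security & Compliance PowerShell, which needs its own session.
#    Assumption: the default policy's name contains "forward" and the object
#    exposes Disabled and NotifyUser; verify against your tenant's output.
Connect-IPPSSession
Get-ProtectionAlert |
    Where-Object { $_.Name -like '*forward*' } |
    Select-Object Name, Disabled, NotifyUser, Severity |
    Format-List

# Disconnects both the Exchange Online and the Security & Compliance sessions.
Disconnect-ExchangeOnline -Confirm:$false
```

Run steps 1 and 2 first and review the output before creating the rule: legitimate business forwarding (a shared mailbox copied to a partner, for example) will be blocked too, and should be carved out with an exception such as `-ExceptIfFrom` on `New-TransportRule` rather than by skipping the control. Both `New-TransportRule` and `Set-HostedOutboundSpamFilterPolicy` accept `-WhatIf`, which is the safest way to preview a change in a production tenant.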

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Because of the ever-changing landscape of privacy laws, standards, and guidelines, it has become difficult for businesses to know what their obligations are, and even harder to determine what could constitute non-compliance. Fortunately, Twitter’s mistakes now provide us with an example of what a violation looks like. Twitter has been in the spotlight for a recent hack, and now the Federal Trade Commission is investigating its privacy practices regarding targeted ads.

What Led to the FTC’s Investigation at Twitter?

In October 2019, Twitter admitted to using personal data obtained for security reasons for targeted ads purposes. The company stated, “We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.”

We now know, through Twitter’s SEC filing, that the FTC began its investigation after this announcement and Twitter received a complaint on July 28, 2020. Twitter faces a fine of up to $250 million for the violation.

3 Takeaways from Twitter’s Privacy Choices

We asked our privacy experts to comment on the FTC’s investigation and they found three key takeaways for businesses looking to avoid privacy mistakes.

  1. Qualified, third-party verification of privacy practices is critical because almost every organization believes they are using personal data appropriately. Twitter does not admit to intentionally misusing personal data (i.e. using the data for a purpose other than what the data was originally collected for). Twitter says the use of the personal data collected for security purposes in advertising was “inadvertent.” This is why privacy auditing is so important. An auditor can help you verify that your business is not misusing personal data and provide that assurance as a third party.
  2. There are legal and compliant ways to use existing personal data for new purposes. Twitter could have addressed this issue by getting a second level of consent, prior to using the personal data in ads, by asking users for permission to use the personal data obtained for security purposes in targeted advertising. If you’re a Twitter user, you may have been asked about this on your account recently, because the platform is now obtaining that second level of consent – but it’s too little too late for Twitter.
  3. Voluntary privacy commitments are just as significant as legal requirements. Twitter is in the hot seat because they broke their own promise that they make in their privacy commitments, not because they broke a law. You may not even be aware of it, but your business could be at risk for privacy sanctions even if there isn’t a specific law that applies to the collection and use of personal data for your industry, clients, or location. If an organization makes a promise regarding the use of personal data and breaks that promise, the FTC can fine them.

8 Elements of Privacy

As you navigate the privacy practices and obligations of your business, it is crucial to follow the industry best practices that already exist. This will empower your organization to develop appropriate processes for collection and use of personal data that are adaptable to new laws, regulation, and enforcement activity. We recommend reviewing and following the eight privacy criteria under SOC 2, stipulated by the AICPA, which are organized as follows:

  1. Notice and Communication of Objectives
  2. Choice and Consent
  3. Collection
  4. Use, Retention, and Disposal
  5. Access
  6. Disclosure and Notification
  7. Quality
  8. Monitoring and Enforcement

Could your organization unintentionally fail to meet any of these eight criteria? Twitter’s issues stem from failing to provide proper notice and communication of its objectives related to privacy, failure to obtain consent for the use of personal data for targeted advertising, improper use of personal data collected for security purposes, and potentially failing to perform proper monitoring.

At KirkpatrickPrice, we want to help your organization navigate your privacy obligations and enhance your privacy practices. We have a built a team of privacy experts to perform assessments, and they are watching enforcement trends, state laws, and federal legislation closely to ensure that you protect the personal data you are responsible for. Let’s talk today!


The Latest With Privacy Shield

On July 16, the Court of Justice of the European Union made a landmark decision to invalidate the EU-US Privacy Shield arrangement for international data transfers. Prior to this announcement, Privacy Shield was one of several mechanisms for meeting GDPR data protection requirements for data leaving the EU for the US. The Court’s decision impacts the thousands of organizations participating in and relying on Privacy Shield to facilitate international commerce.

The real contention of privacy advocates and the Court was not with Privacy Shield itself, but with the nature of US federal surveillance powers and practices. The Court’s statement explains, “In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the EU to that third country…not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

How Does This Impact Your Business Today?

First, data transfers between the EU and the US are still permitted, but the invalidation of the EU-US Privacy Shield agreement requires US businesses receiving EU data to find an alternative compliance solution. Specifically, US organizations will need to rely on either the standard contractual clauses or binding corporate rules to satisfy GDPR’s international data transfer requirements. Note that the Court upheld the standard contractual clauses only on the condition that the data exporter assesses, case by case, whether the law of the destination country allows the importer to honor them, adding supplementary safeguards where it does not.

Second, just because Privacy Shield no longer satisfies GDPR does not mean that you can stop following Privacy Shield requirements. The Federal Trade Commission commented, “We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers.”

Third, now is the time to review your contracts and requirements of your processors or sub-processors. What is their plan to replace Privacy Shield? How will their plan impact you?

What Will Happen to EU-US Data Transfers in the Future?

The bottom line is that we are operating in a period of uncertainty. Fortunately, we now have a baseline for privacy best practices, but it gets complex when there are specific regulations and requirements for your business. That is why it’s crucial for your organization to continue to meet the baseline, but also to assign responsibility to someone internally to monitor new developments.

In the future, the US may create a Privacy Shield replacement. U.S. Secretary of Commerce Wilbur Ross stated, “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-US Privacy Shield, we are still studying the decision to fully understand its practical impacts. We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector.”

KirkpatrickPrice’s team of privacy experts will be closely watching new developments with Privacy Shield and other data privacy regulations. If you have concerns or questions about this update’s implication for your business or if you need GDPR compliance solutions, let’s talk.


Independent Audit Verifies Tower MSA Partners’ Internal Controls and Processes

Delray Beach, FL – Tower MSA Partners, a Medicare Secondary Payer compliance and Medicare Set-Asides services company, has completed its SOC 2 Type I audit. Performed by KirkpatrickPrice, this attestation provides evidence of Tower’s strong commitment to security and delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, an organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design of Tower’s controls to meet the standards for these criteria.

“Tower’s processes have been technology driven from its beginning with the privacy and security of client data at the forefront of internal policy and procedure development,” said Tower CEO Rita Wilson. “We are pleased to receive this affirmation from an independent analysis.”

“The SOC 2 audit is based on the Trust Services Criteria. Tower MSA Partners has selected the security and confidentiality criteria for the basis of their audit,” said KirkpatrickPrice President Joseph Kirkpatrick. “Tower delivers trust-based services to its clients and by communicating the results of this audit, its clients can be assured of their reliance on this company’s controls.”

About Tower MSA Partners

Headquartered in Delray Beach, Florida, Tower MSA Partners’ services include pre-MSA Triage, conditional payments, MSA optimization, preparation, CMS submissions and oversight, along with medical cost projections, life care plans, and Section 111 reporting. Visit www.towermsa.com and https://towermsa.com/blog/.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com.

Independent Audit Verifies Accudata Systems’ Internal Controls and Processes

Houston, TX – Accudata Systems, Inc., a leading IT consulting and systems integration firm, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that Accudata has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Accudata’s controls to meet the standards for these criteria.

“Due to Accudata’s dedicated team and advanced capabilities, we felt very confident that we would excel in this year’s audit,” said Accudata Chief Technology Officer Brian DiPaolo. “To have KirkpatrickPrice confirm that we have strong security practices and internal controls provides the assurance our customers value. Achieving compliance with the AICPA standards aligns with Accudata’s unwavering commitment to protecting customers’ data.”

“The SOC 2 audit is based on the Trust Services Criteria. Accudata has selected the security, availability, and confidentiality criteria for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Accudata delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Accudata’s controls.”

About Accudata Systems, Inc.

Accudata Systems is an IT consulting and integration firm with 38 years of experience providing high-impact IT infrastructure services and integrated solutions. As a trusted advisor, Accudata Systems helps its clients incorporate innovative networking technologies into their IT environments while preserving performance, availability, and security. With an unwavering commitment to customer service and satisfaction since its founding in 1982, Accudata Systems has grown to become one of the largest and most trusted IT integrators in the country. To learn more about Accudata Systems, visit www.accudatasystems.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, connect with KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.