What is SOC for Cybersecurity?

Reputational damage, disruption of business operations, fines, litigation, and loss of business can all be consequences of a cybersecurity attack. Because of these consequences and the vast threat landscape, the AICPA saw a need in the industry that it could fill: a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Thus, SOC for Cybersecurity was created. In April 2017, the AICPA announced its new cybersecurity risk management reporting framework, paired with a market-driven, voluntary SOC for Cybersecurity examination.

Benefits of a SOC for Cybersecurity Report

What organizations do, who they are, and what data they possess opens them up to new levels of cyber risks. Managing cybersecurity risks is challenging, even with a sophisticated cybersecurity risk management program. Organizations should do everything possible to prevent, detect, and mitigate cybersecurity risks. It’s more important than ever to demonstrate the extent and effectiveness of your organization’s cybersecurity risk management program. So, how could a SOC for Cybersecurity report benefit your organization? We believe these are the top four benefits of undergoing a SOC for Cybersecurity examination.

1. Protect Your Organization from Cyber Risks
Is any portion of your business conducted in cyberspace? If so, you’re open to new, complex threats, and SOC for Cybersecurity was developed with you in mind. At its core, the purpose of a SOC for Cybersecurity assessment is to evaluate the extent and effectiveness of your organization’s cybersecurity risk management program and better prepare it for the evolving threat landscape.

2. Move Your Organization into the Future
We’re seeing a shift in everyday language. It’s not all about information security anymore – it’s about cybersecurity. Cyber risks and threats impact businesses of any size, in any industry, anywhere around the globe. A SOC for Cybersecurity assessment could help your organization to keep up with trends and mature your organization.

3. Provide Assurance
Senior management needs information about their organization’s cybersecurity risk management program in order to meet business and cybersecurity objectives. There are all types of people who have a stake in your business and may ask for your cybersecurity information to fulfill their own oversight responsibilities – boards, investors, business partners, regulators, and even users.

A SOC for Cybersecurity examination does not report on the details of controls, the list of tests of controls performed, or the results, which is why it is a general use report. A SOC for Cybersecurity examination also does not result in an expressed opinion on compliance with laws and regulations or privacy and processing integrity criteria. It does, though, validate cybersecurity controls that are in support of compliance, privacy, and processing integrity. After going through a SOC for Cybersecurity assessment, your organization should be able to answer questions like:

• Has your organization conducted a formal risk assessment specifically centered around cybersecurity?
• Has your organization established a set of policies, procedures, and controls related to cybersecurity?
• Are software, hardware, and infrastructure updated regularly as necessary?
• Has your organization developed and tested incident response procedures?
• What are your data backup and recovery policies?
• How is your organization protecting confidential information against unauthorized access, use, and disclosure?

4. Stand Out from the Competition
Because cyber threats are so prevalent and information systems are so interconnected, organizations want to work with business partners who are proactive in their cybersecurity efforts. Leveraging a SOC for Cybersecurity report as marketing collateral can help maintain loyal clients and attract new ones through your organization’s commitment to defending itself from cyber threats and assuring clients and prospects that their information is protected.

To learn more, contact a KirkpatrickPrice information security specialist today.

In September, British Airways announced that 380,000 transactions were compromised during a breach that took place between August 21 and September 5. Fortunately, no travel or passport details were compromised, but payment information was obtained through digital skimming of the airline’s website and app. The UK’s National Crime Agency, National Cybersecurity Centre, and Information Commissioner’s Office are investigating this incident.

This breach is being linked to Magecart, a threat group that has compromised over 800 e-commerce sites worldwide. As the year goes on, we expect Magecart’s skimming campaign to be recognized as one of the most damaging of all time.

Magecart and British Airways: What Happened?

RiskIQ has linked this attack to Magecart, a threat group that has been orchestrating massive skimming campaigns since 2015. Magecart’s pattern seems to be to target third-party software companies that build and provide code to customers who use it on their websites or apps; Magecart hackers break in and alter that code so that every website running it is impacted. In British Airways’ case, many believe the attack was tailored to target British Airways specifically.

The information compromised includes names, email addresses, and credit card information. Because the attackers managed to acquire CVV numbers, which British Airways does not store (per the PCI DSS), security researchers believe these details were intercepted rather than taken from a British Airways database.

RiskIQ searched the unique scripts on British Airways’ website and found 22 lines of code added by Magecart; it appeared to be a slightly modified version of the group’s signature skimmer code, which is why this hack is being attributed to Magecart. This code is what enabled the digital skimming: it recorded customer information, then transmitted it to the attackers’ server once the customer submitted it. The sophistication of this attack shows in two ways. First, the attackers had an SSL certificate for their server, which helped create the appearance of legitimacy and security. Second, the attack went undetected for 15 days; going that long without anyone noticing shows a mature skill level. RiskIQ also reported, “While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”

Lessons Learned from Digital Skimming

Discovering an attack that had gone undetected must have been a complete nightmare for the airline. Prevention, monitoring, and detection methods must work together to protect organizations. Time and time again, the PCI DSS requires an implemented methodology for preventing, monitoring, and detecting threats because it is that crucial to the protection of data.
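As an added example, and not code from the original post or from RiskIQ or British Airways, the following Python script shows the monitoring side of the lesson above applied to the technique described earlier (a site resource modified to add lines that send data elsewhere). It keeps a baseline of the scripts a site serves, compares a current snapshot against it, reports any added lines and any hostnames in those lines that are not on an approved list, and also computes the Subresource Integrity value a page can pin a third-party script to. Every path, script body, hostname and the allowlist below are constructed for illustration.

```python
"""
Script integrity and egress-allowlist check for web-facing resources.

Constructed example: a defender keeps a baseline of the scripts its site
serves and periodically compares what is actually being served against it.
A changed hash, an added line that references a host outside the approved
list, or a resource that appears or disappears is raised as a finding.
"""
import base64
import difflib
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline: what the site's own deploy produced.
BASELINE_SCRIPTS = {
    "/js/checkout.js": (
        "function submitPayment(form) {\n"
        "  return fetch('/api/pay', {method: 'POST', body: new FormData(form)});\n"
        "}\n"
    ),
    "/js/vendor-modernizr.js": "window.Modernizr = {touch: true};\n",
}

# Constructed snapshot of what is currently served: one resource has gained
# a line that references a host the site does not use.
SERVED_SCRIPTS = {
    "/js/checkout.js": (
        "function submitPayment(form) {\n"
        "  return fetch('/api/pay', {method: 'POST', body: new FormData(form)});\n"
        "}\n"
        "var reportTo = 'https://unknown-collector.invalid/';  // constructed\n"
    ),
    "/js/vendor-modernizr.js": "window.Modernizr = {touch: true};\n",
}

# Hosts the site is allowed to reference from the browser (assumed allowlist).
ALLOWED_HOSTS = {"www.example.invalid", "api.example.invalid"}

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def sha256_hex(content: str) -> str:
    """Baseline fingerprint of one served resource."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def sri_attribute(content: str) -> str:
    """Value for a <script integrity="..."> attribute (sha384, base64).
    With it set, the browser refuses a script whose bytes no longer match,
    which is the standard mitigation for vendor-hosted code being altered."""
    digest = hashlib.sha384(content.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def added_lines(baseline: str, served: str) -> list:
    """Lines present in the served copy but not in the baseline."""
    diff = difflib.unified_diff(
        baseline.splitlines(), served.splitlines(), lineterm="", n=0
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def unexpected_hosts(lines, allowed=ALLOWED_HOSTS) -> set:
    """Hostnames referenced by the given lines that are not on the allowlist."""
    hosts = set()
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host not in allowed:
                hosts.add(host)
    return hosts


def check_integrity(baseline, served, allowed=ALLOWED_HOSTS) -> list:
    """Compare served resources against the baseline and return findings."""
    findings = []
    for path, expected in baseline.items():
        current = served.get(path)
        if current is None:
            findings.append({"path": path, "kind": "missing"})
            continue
        if sha256_hex(current) == sha256_hex(expected):
            continue
        lines = added_lines(expected, current)
        findings.append({
            "path": path,
            "kind": "modified",
            "added_lines": len(lines),
            "unexpected_hosts": sorted(unexpected_hosts(lines, allowed)),
        })
    for path in served.keys() - baseline.keys():
        findings.append({"path": path, "kind": "unexpected_resource"})
    return findings


if __name__ == "__main__":
    for finding in check_integrity(BASELINE_SCRIPTS, SERVED_SCRIPTS):
        print(finding)
    print(sri_attribute(BASELINE_SCRIPTS["/js/vendor-modernizr.js"]))
```

In practice the baseline would be written at deploy time and the snapshot fetched from the live site on a schedule, so that a resource which changes without a corresponding deploy, or which starts referencing a host nobody approved, produces an alert in hours rather than weeks. The SRI value belongs on the `<script>` tag that loads any third-party code, which moves enforcement into every visitor's browser rather than relying on the monitor alone.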

From other Magecart victims, we’ve seen the group’s pattern of compromising vendors. The importance of vendor compliance management cannot be overstated. In Ticketmaster’s recent breach, a customer support chatbot vendor was the key Magecart needed to compromise the website. You’re putting a great deal of control and responsibility into vendors’ hands, and they must take that responsibility seriously. Perform your due diligence to ensure your vendors are committed to information security and cybersecurity.

More Resources

7 Deadly Breaches of 2018 (So Far)

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

The First Step in Vendor Compliance Management: Risk Assessments

In an industry that is based on customer trust, the healthcare industry must take the appropriate measures to ensure HIPAA compliance. The integrity of the industry relies on keeping Protected Health Information (PHI) just that: protected. HIPAA non-compliance means more than organizational, financial, and reputational implications for healthcare organizations; it could be life-threatening to patients. And with more and more healthcare security breaches being reported to the HHS, it’s more important than ever for covered entities and business associates to be HIPAA compliant.

How Can Business Associates and Covered Entities Prepare for HIPAA Compliance?

To start preparing for HIPAA compliance, we suggest that organizations begin with conducting a risk analysis. Understanding the risks associated with using PHI is critical to understanding where your organization has the greatest exposure. A formal risk analysis is a starting point for understanding what risks threaten your organization. These are the three basic steps to a risk analysis:

  1. Plan: Determine your goals, identify your team, establish your scope, and begin to gather information that you’ll need during the analysis.
  2. Conduct: Identify potential threats and vulnerabilities, determine the likelihood of threat occurrence, determine the potential impact of threat occurrence, evaluate current controls, determine the level of risk, and finalize documentation.
  3. Use: Create an internal report, give management the chance to analyze the findings, take corrective action, and provide direction for monitoring and auditing activities.

Once a risk analysis has been conducted, business associates and covered entities should review contracts. This is because, in order to maintain compliance, business associates and covered entities must enter into a Business Associate Agreement. A Business Associate Agreement must include the following elements:

  • Uses
  • Least Access Necessary
  • Safeguards
  • Incident Reporting
  • Disclosure
  • Privacy Rule Considerations
  • HHS Availability
  • Subcontractors
  • Termination


HIPAA sets a national standard for the protection of consumers’ PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the OCR enforces compliance with the HIPAA Security, Privacy, and Breach Notification Rules.

  • The goal of the Security Rule is to create security for ePHI by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. When learning the basics of the Security Rule, it’s vital to learn about the three types of safeguards: administrative, technical, and physical. As you’ll see in this checklist, administrative safeguards cover personnel, training, access, and process while technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover facility access, workstations, and devices.
  • The Privacy Rule regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The Privacy Rule is crucial for HIPAA because without it, healthcare organizations could disclose and distribute protected health information (PHI) without the consent of the individual. If this sensitive data were to end up in the wrong hands, it could negatively impact the individual. There are five main areas of the Privacy Rule according to 45 CFR Part 160 and Subparts A and E of Part 164. A Privacy Rule assessment evaluates policy and procedure documentation relating to these areas, which include: Notice of Privacy Practices, patient rights, minimum necessary standard, administrative requirements, and uses and disclosures.
  • The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unprotected PHI or ePHI. Covered entities have three parties that they need to notify of a breach: patients, HHS, and potentially the media. When you have a breach, you will always need to notify affected patients and HHS – no exceptions. If over 500 individuals have been affected, your covered entity will need to alert the media. Business associates always need to notify their covered entity of a breach. In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties: what happened, what kind of PHI was disclosed in the breach, what patients should do to mitigate harm, what you’re doing to investigate and mitigate future harm, and how they can contact you.

If you need assistance walking through the requirements of the HIPAA Security, Privacy, and Breach Notification Rules, contact a KirkpatrickPrice information security specialist today.

Hospitals, airports, police departments, educational systems, court records, water services, payment portals, technology infrastructure – these cornerstones of the public sector are under attack every day from complex cyber threats. ICMA and Microsoft’s cybersecurity report claims that 44% of local governments are under attack daily. The FBI reports that over 4,000 ransomware attacks occur daily. This year, when the City of Atlanta was compromised by a ransomware attack, the nation realized the maturity of today’s cyber threats. Hackers from around the world are able to hold our cities hostage through cybersecurity attacks. Why are cities so vulnerable to cyber threats, and how do these cybersecurity attacks even work?

Why Are Cities So Vulnerable to Cyber Threats?

  1. Atlanta – In March 2018, the City of Atlanta suffered from a devastating ransomware attack by SamSam, costing the city more than $2 million in recovery. Multiple types of applications, both internal and customer-facing, were compromised. Thousands of city employees could not access their computers, court dates were rescheduled, water bill payments had to be made in person by check, traffic tickets could not be processed—this ransomware attack completely obstructed the day-to-day operations of the City of Atlanta. The City of Atlanta’s ISO/IEC 27001 ISMS Precertification Audit Report from January 2018, just two months prior to this ransomware attack, reveals that critical cybersecurity best practices were not being met, with gaps in policies and procedures, definition of scope, formal risk assessment processes, vendor management processes, data classification policies, and the measurement, reporting, and communication of risk.
  2. Los Angeles – In December 2016, L.A. County announced that 108 employees fell for a phishing email on May 13. Through this type of cybersecurity attack, the malicious individual was able to gain usernames and passwords for employees who had access to confidential information. Through a forensic investigation, the county found that the names, dates of birth, Social Security numbers, driver’s license numbers, banking information, payment card information, and medical treatment information of 756,000 individuals were potentially impacted by this phishing email.
  3. Baltimore – In March 2018, Baltimore’s 911 dispatch system was attacked, causing staff to manually relay the details given by incoming callers. Obviously, this put a critical hold on the city’s ability to respond to emergencies. Fortunately, although this cybersecurity attack caused inefficient processes, the city didn’t see a slowdown in responders’ response times. Within a week of this hack, the city determined it was caused by ransomware. Frank Johnson, CIO in the Baltimore Mayor’s Office of Information Technology, called the attack a self-inflicted wound. Their IT team had inadvertently changed a firewall and left a port open for about 24 hours, likely letting the hackers into their network.
  4. San Francisco – When ransomware hit San Francisco’s light rail transit system in November 2016, the San Francisco Municipal Transportation Agency (SFMTA) had two choices: shut down the light rail or let users ride for free. On one of the busiest shopping weeks of the year, the agency let users ride for free. Fortunately, this cybersecurity attack did not impact the functionality of San Francisco’s buses, light rail, street cars, or cable cars. The attacker demanded a $73,000 ransom, but the agency informed the public, “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”
  5. Charlotte – In December 2017, a hacker was able to access one Mecklenburg County employee’s log-in credentials through a phishing email. From there, the ransomware attack was launched. About 200 systems were impacted, causing the county to shut down many parts of its network. Fortunately, backup data was available, so the county did not have to consider paying the $23,000 ransom. IT Chief Keith Gregg said, “We could not be in the recovery process if we did not have backups.” To prevent a second attack wave, the county disabled employees’ ability to open certain types of emails. It took almost six weeks and thousands of dollars to rebuild servers, get employee email up and running, and secure the rest of their systems.

Lessons Learned from Cybersecurity in the Public Sector

The number and maturity of cyber threats targeting cities is growing every day. Oftentimes, local governments don’t see it coming or, even after the attack, can’t identify what type of cybersecurity attack hit them. This poses a major issue in mitigating cyber threats. Organizations within the public sector must cover all their bases, casting their preparation net far and wide.

In the five cities we discussed, data was not breached, and ransoms were not paid, but many cities aren’t that lucky. IBM Security and the Ponemon Institute report that in 2018, the average total cost of a data breach in the United States is $7.91 million, with the average stolen record costing $233. There are headlines of new data breaches every day – and the cyber threats are becoming more complex. As the cyber threats mature and the cost of a data breach becomes higher, cities must protect their technology infrastructures.

What are the obstacles? Lack of funds, lack of support from elected officials or management, lack of availability to train personnel, lack of cybersecurity awareness within the organization, and too many IT networks/systems within local government.

What should public sector organizations invest in? Cybersecurity awareness to citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.

These five cities don’t even come close to the number of reported breaches by municipalities. Have you been victimized by the cyber threats targeting the public sector?

More Cybersecurity Resources

National Cyber Strategy of the United States of America

Ransomware Alert: Lessons Learned from the City of Atlanta

When Will It Happen to You? Top Cybersecurity Attacks You Could Face