Chicago, IL – Following a thorough audit of its data security procedures and controls, American Litho of Carol Stream, Illinois, has received a SOC 2 Type I certification report from KirkpatrickPrice, a worldwide provider of assurance services.

The report confirms that American Litho’s data handling processes meet or exceed tough standards established in accordance with the American Society of Certified Public Accountants’ Trust Services Criteria. SOC 2 audit reports focus on a company’s non-financial reporting controls in terms of the security, availability, processing integrity, confidentiality and privacy of specific systems.

“American Litho delivers trust-based services for clients, and by communicating the results of this audit, the company’s clients can be assured of their reliance on American Litho’s controls,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice, following the release of the report.

“Meeting or exceeding SOC 2 standards is not an easy task,” said American Litho President and Co-Founder Mike Fontana, “but for us, it is simply a matter of accepting responsibility for the massive data sets our clients entrust to us.”

Data-driven strategies such as predictive modeling are the path to growth and strong customer engagement, Fontana added. “This reality has made direct mail data security a crucial priority for our entire team.”

About American Litho

American Litho, Inc. is a privately held company providing brand-building services for retail, insurance, financial services, manufacturing, automotive, food and beverage, non-profit development and many other industries. A team of 600+ full-time-equivalent employees works in the company’s 300,000-square-foot headquarters in Carol Stream, Illinois, with additional team members in support offices countrywide.

The company delivers full-service planning and production of commercial print, direct mail and omnichannel marketing programs. Company revenues topped $120 million in 2017. View the full roster of American Litho’s capabilities here.

Independent Audit Verifies SightCall’s Internal Controls and Processes

San Francisco, CA – KirkpatrickPrice announced today that SightCall, a global cloud software company that provides Augmented Reality-powered remote video capabilities to businesses, has received its SOC 2 Type II attestation report. The completion of this engagement provides evidence that SightCall has a strong commitment to delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of SightCall’s controls to meet the standards for these criteria.

“At SightCall, we understand that security, transparency and integrity are responsibilities that must be taken seriously,” said Thomas Cottereau, SightCall CEO. “We have partnered with a well trusted, third-party auditor to provide ourselves, and most importantly our customers, with an independent validation of our processes. Our clients can be confident that we are committed to maintaining the most rigorous processes and controls required to ensure the highest level of security.”

“The SOC 2 audit is based on the Trust Services Criteria. SightCall has selected the security principle for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “SightCall delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on SightCall’s controls.”

About SightCall

SightCall is the world’s leading augmented-reality-powered video cloud platform, delivering live, remote interactions between businesses and customers on every continent. In a connected, mobile-first world, businesses leveraging SightCall have the ability to see what their customers see and guide them remotely. With over 10 years’ experience in remote video assistance, SightCall helps businesses transform their customer service and field service with the power of augmented reality and live video. For more information, visit www.sightcall.com.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

What Happened in Atlanta?

On March 22, the City of Atlanta suffered an incredibly damaging ransomware attack from SamSam. Multiple types of applications, including internal and customer-facing applications that allow bill payment and access to court-related documents, were compromised. For over a week, a cross-functional incident response team made up of the FBI, the Department of Homeland Security, Microsoft, Cisco Security, and Dell SecureWorks has been working to find a resolution. In the meantime, the city’s operations have been completely disrupted. Thousands of city employees could not access their computers, court dates were rescheduled, water bill payments had to be made in person by check, traffic tickets could not be processed—this ransomware attack has obstructed the day-to-day operations of the City of Atlanta.

Fortunately, some key departments were left unharmed by this attack, including public safety, the water department, and Hartsfield-Jackson Atlanta International Airport. The city reported that there’s been no evidence so far that customer or employee data has been compromised.

Why Did This Ransomware Attack Happen?

The city hasn’t given an official statement on why, but speculation is that critical cybersecurity best practices were not being met. The City of Atlanta’s ISO/IEC 27001 ISMS Precertification Audit Report from January 2018, just two months prior to this ransomware attack, reveals that the city’s current Information Security Management System (ISMS) may not pass a certification audit based on gaps in policies and procedures, definitions of scope, formal risk assessment processes, vendor management processes, data classification policies, and measurement, reporting, and communication related to risk. This gap analysis speaks to the city’s current cybersecurity posture; in the past, we’ve seen that the city hasn’t always followed cybersecurity best practices.

In 2017, the City of Atlanta had five systems compromised because critical patches had not been applied. Rendition Infosec’s scan indicates that the city was not patching its vulnerable Internet-facing hosts from April 13, 2017 to May 1, 2017—more than a month after critical patches were released by Microsoft on March 14, 2017. This specific lapse in patching hasn’t been proven to be linked to Atlanta’s recent ransomware attack, but it at least shows that the city’s cybersecurity best practices were not sufficient.

How to Prepare for a Ransomware Attack

The City of Atlanta isn’t the only municipality to fall victim to ransomware, but this attack does represent a major escalation from the ransomware attacks we’ve seen so far. This year, Connecticut state agencies, the Colorado Department of Transportation, and the City of Allentown have all been hit by ransomware attacks. We see a trend of attackers targeting victims with limited IT budgets, hoping they will trade off a ransom against the risk of systems being down. This trend is the state of affairs for many sectors, not just government.

Cybersecurity best practices offer protection from ransomware attacks. Because public safety services like 911, waste management and water control, and the airport were left unharmed by this attack, this tells us the City of Atlanta had implemented a critical cybersecurity best practice: segmentation. These essential departments were segmented from the rest of the city’s government services. But the City of Atlanta has been compromised for over a week—this length of time tells us they were not fully prepared for a cybersecurity attack.

From the recent cases, we’ve found that vulnerability management, backup systems, incident response, disaster recovery, and business continuity seem to be the most vulnerable areas among victims. To proactively prepare for a ransomware attack, we recommend implementing cybersecurity best practices in these areas:

  1. Vulnerability Management: We urge you to patch your systems in a timely manner, especially critical updates. The number one target of cyber criminals is known flaws left unpatched. Don’t leave a known vulnerability open to attack.
  2. Backup Systems: Victims of ransomware attacks are often pressured to pay a ransom from the threat of not being able to get back all of their data. Performing regular backups on entire machines can ensure that the data that is critical to your business will still be available after an attack, and can also help make the recovery and restoration process quicker and easier. You should also maintain and test offline backups since some online services are compromised during these types of attacks.
  3. Practicing Incident Response: Your organization’s response to a ransomware attack can’t be made up on the spot. It has to be documented, tested, and implemented. Failure to have an implemented incident response will leave your organization struggling to pick up the pieces following a breach.
  4. Practicing Disaster Recovery and Business Continuity Plans: Day-to-day operations will most certainly be impacted by a ransomware attack. Have you practiced the manual processes that you’ll need to implement if your systems go down?

Over a week later, the City of Atlanta is still working to fully recover from this ransomware attack. The city is updating the public whenever new services have been restored.

Does your organization update patches in a timely manner? Are your systems regularly backed up? Is your incident response plan in place? Don’t let your organization be the next headline. For more information on employee training, incident response, risk assessment, penetration testing, patch management, and other cybersecurity best practices, contact us today.

More Ransomware Preparation Resources

Compliance is Never Enough: Hardening and System Patching

PCI Demystified: Ensure All Systems and Software are Protected from Known Vulnerabilities

The Rise of Ransomware: Best Practices for Preventing Ransomware

Ransomware Alert: Defend Yourself Against WannaCrypt

Advancements in cloud technology have completely changed the way organizations use, store, process, and share data, applications, and software. Cloud environments tend to be more cost-efficient and time-efficient… so why wouldn’t you put your data in the cloud?

Because so many organizations are putting so much sensitive data into cloud environments, they have inevitably become targets for malicious attackers. New security vulnerabilities are consistently being discovered and, in a vicious cycle, traditional security vulnerabilities still show up in cloud environments.

In response to the ever-growing threat landscape, the Cloud Security Alliance (CSA) has created industry-wide standards for cloud security. Their report, “The Treacherous 12 – Top Threats to Cloud Computing + Industry Insights,” arms cloud users and cloud providers with guidance on risk mitigation for their cloud strategies.

Based on research from the CSA Top Threats Working Group, the CSA determined the following 12 risks for cloud security to be the most critical issues.

12 Cloud Security Risks

Data Breach

The CSA defines a data breach as an incident in which sensitive, protected, or confidential information is released, viewed, stolen, or used by an individual who is not authorized to do so. Data breaches in cloud environments can permanently damage your organization’s reputation, cause you to lose current and future clients from a lack of trust, cause lawsuits to develop, and cause a costly process for investigation of the data breach and notifying customers.

Insufficient Identity, Credential, and Access Management

Centralized passwords and interconnected identity systems are conveniences creating huge risks for cloud security. Once an attacker exploits insufficient identity, credential, and access management systems, they can enter your cloud environments and have the potential to read, modify, or delete sensitive data and release malicious software into the system.

Insecure UIs and APIs

Weak user interfaces (UIs) and application programming interfaces (APIs) expose security vulnerabilities that affect the availability, confidentiality, and integrity of cloud environments.

System Vulnerabilities

According to the CSA, system vulnerabilities are exploitable bugs in programs that attackers use to infiltrate a system, steal data, and take control. System vulnerabilities within cloud environments put the security of all services and data at risk.

Account Hijacking

When accounts are hijacked in cloud environments, that account becomes the base for an attacker. The attacker can then eavesdrop on and manipulate activities, transactions, and data.

Malicious Insiders

A malicious insider could be a current or former employee, vendor, or business partner who has or had authorized access to a system or data and is now intentionally exploiting that access to impact the availability, confidentiality, and integrity of cloud environments.

Advanced Persistent Threats

The CSA defines an advanced persistent threat as a parasitical cyberattack that breaks into systems and establishes a foothold in the computing infrastructure; from there, the attacker can steal data, intellectual property, etc.

Data Loss

It may not seem like it, but data is one of the most valuable assets that a company can possess. Even if lost by accident rather than as the result of a malicious attack, permanently losing data could be devastating to an organization.

Insufficient Due Diligence

When considering migrating to the cloud, an organization that does not perform extensive due diligence and rushes to adopt cloud technologies exposes itself to commercial, technical, legal, financial, and compliance risks.

Abuse and Nefarious Use of Cloud Services

The CSA says that this risk could look like poorly secured cloud deployments, free cloud service trials, or fraudulent payment for account sign-up. This lessens the availability, confidentiality, and integrity of cloud environments for legitimate customers.

Denial of Service

DoS attacks are meant to prevent users from being able to access their data or applications.

Shared Technology Vulnerabilities

Cloud providers deliver services by sharing infrastructure, platforms, and applications, but this comes with an underlying risk. Shared technology vulnerabilities are dangerous because they could affect an entire cloud environment at once.

How to Mitigate the 12 Risks for Cloud Security

There are several ways to mitigate each of the CSA’s 12 risks for cloud security, but we see five overarching themes when reviewing the CSA’s guidance:

  • Multifactor authentication
  • Cultivating cybersecurity awareness among your employees
  • Controlling access based on business need to know
  • Encryption and key management
  • Effective incident response plans

Multifactor Authentication

Multifactor authentication (MFA) can help cloud users and cloud providers mitigate multiple areas of risk.

MFA is an extra security measure that could prevent a single stolen credential from being the key to gaining full access to a cloud environment. It’s a key step in preventing data breaches, account hijacking, breaches caused from shared resources, and creating a secure identity and access management (IAM) system.

Cultivate Awareness

Creating proactive security measures within your organization encourages a culture of security and compliance. Providing your employees with education and training related to cybersecurity awareness helps them spot advanced persistent threats, malicious insiders, system vulnerabilities, DoS attacks, and other suspicious activities in cloud environments.

Controlling Access

Controlling access to sensitive areas based on business need to know, and identifying and authenticating that access, is a best practice that helps prevent data breaches, insufficient IAM, system vulnerabilities, account hijacking, and malicious insiders. The more people who have access to sensitive areas, the more risk there is.

Encryption Best Practices

Encryption, key management, hardening, and patch installation are also valuable ways to mitigate the 12 risks for cloud security. Encrypted data is of little use to an attacker who does not hold the keys. Key rotation and management help keep insufficient IAM and malicious insiders from turning a compromised credential into access to cloud environments. Installing new patches when they’re issued helps close system and shared technology vulnerabilities.

Incident Response Plans

Incident response plans play a large role in mitigating the 12 risks for cloud security. If a DoS attack is detected, how does your organization respond? Does your cloud provider have an incident response framework that addresses the misuse of resources? What’s the first step your organization takes after an advanced persistent threat is identified? Incident response plans could save your organization.

What would you add to the CSA’s list of the 12 most critical cloud security risks? How has your organization mitigated these risks? What risks do you identify as critical?

Whether you’re a cloud user or cloud provider, we want you to make informed decisions about risk mitigation for your cloud strategy. Contact us today to start learning about protecting your cloud environments.

More Cloud Security Resources

CSA’s Top Threats to Cloud Computing Plus: Industry Insights

CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing

CSA’s Security as a Service Implementation Guide

Compliance is Never Enough: Webinar Series

The Need for Security

CompuMail began pursuing comprehensive audits in 2009 to ensure efficient, compliant business operations and to maintain a strong multi-industry reputation. Since then, they’ve achieved many compliance goals and excelled to greater levels of assurance. In 2010, they achieved PCI and HIPAA compliance, and soon after, became compliant with FISMA, GLBA, and ISO 27002. Most recently, CompuMail completed further auditing and achieved SOC 1 and SOC 2 attestations. The time, financial investments, and company-wide dedication that CompuMail gives to security shows their perspective on how important security and compliance is.

CompuMail has gained invaluable insight while undergoing the audit process. CompuMail’s Chief Security Officer tells us, “We believe that undergoing annual internal and third-party audits is crucial to our business. Simply stating that you have the controls in place is unacceptable for the industries we focus on and the clients we serve.”

How to Create a Culture of Compliance

Creating a positive culture of compliance and driving cultural change within your organization requires strong leadership skills and a clear strategy. Does your organization have a person or team directly responsible for security and for the compliance management system (CMS)? Having this in place can make a significant difference for your organization. CompuMail’s strategy involves an internal team dedicated to creating a culture of compliance.

Christine Fribley, CompuMail’s Chief Security Officer, is responsible for managing all data and physical security efforts across the organization. Her duties include, but are not limited to: management of CompuMail’s security certifications, conducting internal risk assessments and auditing, facilitation of vendor management function, and ensuring that security training requirements are met. The information security component of CompuMail’s CMS program is extremely vital to protecting the integrity and reputation of the organization and its clients. Leona Augerlavoie, CompuMail’s Compliance Officer, is responsible for establishing and maintaining CompuMail’s CMS. Her duties include, but are not limited to: oversight of the development, implementation and success of all required CMS elements, promotion of compliance activities in accordance with both internal and client core values, maximizing organizational integrity and quality of service, coordination of onsite audits, and maintaining current knowledge of regulatory/legal updates specific to the financial, healthcare and collection industries. This team allows CompuMail to continuously evaluate and add to their list of externally-validated certifications and standards to ensure ongoing compliance with the highest industry standards.

In addition to the above roles and responsibilities, CompuMail’s culture of compliance is reinforced through documentation. The Chief Security Officer and Compliance Officer continuously assess compliance needs and plan for risk mitigation, but they also create, modify, and uphold policies and procedures. This comprehensive documentation standard across the organization reinforces CompuMail’s culture of compliance and has allowed the establishment of strong continuous quality improvement practices.

When establishing your organization’s culture of compliance, communication and training are crucial for employee engagement. CompuMail’s Compliance Officer tells us, “CompuMail employees understand that their commitment to and cooperation with security and compliance, as well as established controls, is a critical component of their job and of our business. All CompuMail employees receive data security and compliance training immediately upon hiring and then on an annual mandatory basis. Security and compliance tips and updates are shared in monthly internal newsletters and in emails to keep compliance at the forefront.”

How Can Security and Compliance Benefit Your Clients?

Every organization wants their clients to be satisfied with the services they receive and confident that their sensitive data is secure. By achieving compliance with so many standards and frameworks, CompuMail demonstrates that they are accountable for upholding high standards of confidentiality and integrity while hosting, processing and printing clients’ data.

CompuMail’s Chief Security Officer states, “Without a doubt, the greatest security risks that we face are data breaches and identity theft. In this day and age, data security is not optional, as data breaches have become front page news stories, and identity theft and phishing scams are constant threats. CompuMail recognizes that there are numerous factors that can impact an organization’s risks, including but not limited to: culture, technology, innovation, new services, laws, rules, and regulations, as well as the existence and sufficiency of policies covering all areas of risks. Our security and compliance team is dedicated to protecting our assets and the assets of our clients, and our compliance achievements attest to the high standards that we have committed to upholding.”

More About CompuMail

Since 1994, CompuMail has been delivering innovative communication solutions and print and mail services to clients that span multiple industries. They offer a robust list of solutions with unique platforms for service delivery that can meet all of your business essentials: physical and digital communications, data protection and secure portals, coupled with superior customer service and support. CompuMail cultivates lasting partnerships with its valued customers to ensure that they see the best possible results under the highest level of data security, at the most competitive price. Technology changes and business changes, but CompuMail’s commitment to service does not.

Find CompuMail on LinkedIn, Twitter, and Facebook.

More About Cultures of Compliance

Chief Compliance Officer Webinar Series

Creating a Culture of Compliance Within Your Organization

The Keys to a Successful Audit