It’s the beginning of a new year, and everyone wants to know what cybersecurity trends to look out for in 2018. 2017 left a lot of destruction in its wake from cyber attacks and high-profile breaches. While no one can say with certainty what is to come, we’ve compiled a few cybersecurity predictions based on what we do know. Here are five of the top cybersecurity trends for 2018:

Five Cybersecurity Trends to Look Out for in 2018

1. More Major Breaches

We remember several of the top breaches from 2017: Equifax, Uber, and Verizon. These breaches were the result of poor security practices such as delayed patching, outdated systems and applications, and human error. Ransomware was another hot topic in the cybersecurity world in 2017, with WannaCry and Petya (the June variant commonly called NotPetya), both of which spread across networks through the SMB vulnerability Microsoft had patched in March 2017 (MS17-010). Unfortunately, these types of threats are not a thing of the past. In 2018, we must prepare for similar attacks, ramp up our security defenses, and continue to train employees to recognize them. Additional cybersecurity predictions for 2018 include the potential for international cyber warfare against critical infrastructure, and AI vs. AI. As attackers begin to apply machine learning to their own tooling, organizations will need to utilize their own AI-driven defenses in order to combat such threats.

2. Stricter Compliance Regulations

On May 25, 2018, GDPR becomes enforceable, with fines for non-compliance of up to €20 million or 4% of annual global turnover, whichever is higher. Many organizations, particularly in the US, are unaware of how fast and hard this is going to hit them, and as we all scramble to prepare for this coming regulation, we wonder what else is next. With all of the reported high-profile breaches of 2017, it’s safe to assume that stricter and more numerous compliance regulations will be a cybersecurity trend to look out for in 2018.

3. Stronger Security Practices

Security professionals should be looking at 2017 for lessons learned when it comes to creating and implementing stronger security practices. Some important security practices to keep in mind as top cybersecurity trends for 2018 are strong passwords and two-factor authentication, timely patching of operating systems and applications, keeping anti-virus current, continuous monitoring, endpoint security, and stronger encryption.

4. Cyber Insurance

Cyber insurance has been around for a while now, but as the financial impact of cyber-attacks continues to rise, many businesses will likely be looking to cyber insurance in 2018. According to the Ponemon Institute, the average total cost of a data breach in 2017 was $3.62 million. Cyber insurance does not prevent an attack; it transfers part of the financial risk of one. It complements, rather than replaces, the preventive controls described above, and insurers typically ask for evidence of those controls before writing a policy.

5. Individual Training

As is important every year, continuing to train the workforce on the ever-evolving cyber-threat landscape will be among the top cybersecurity trends for 2018. A good place to start is by reviewing cybersecurity predictions for 2018, adopting a robust standard such as the NIST Cybersecurity Framework, dedicating a team to tracking developments in the cybersecurity world, and creating a culture of security throughout your organization.

As we’ve seen in years past, we can expect the threat landscape to continue to change and evolve in 2018. By being aware of these cybersecurity trends to look out for in 2018, we can get a head start on preparing and preventing an attack on our organizations. For more information on how your organization can build up your cybersecurity practices, contact us today.

Are You Doing Enough to Protect Customer Data?

In a highly data-driven world, protecting the privacy of customer data is more important than ever. January 28th, Data Privacy Day, is an international awareness day meant to promote data privacy best practices. Encouraging companies and individuals to value privacy will help to create a culture of privacy and embolden everyone to properly safeguard data and protect our customers. Are you doing enough to protect customer data? Take a look at these data privacy best practices and make sure you’re doing everything you can to ensure data privacy.

Know Your Data and How You Collect It

As technology continues to advance, so does the number of data breaches. When reviewing and maturing your data privacy practices, it’s important to fully understand the data you are collecting and how you are collecting it. Personally identifiable information (PII) comes in many forms. Names, addresses, birthdates, social security numbers, credit card numbers, and medical data are all types of data that must be protected. Personal data can also be collected in many ways. Do you collect customer data via the internet? Do you collect customer data through a third party or an app? Do you collect customer data in person? Understanding the type of data you collect, and how you collect and store that data, should be among the first considerations when assessing whether or not you’re doing enough to protect customer data.

Four Things to Enhance Data Privacy Practices

Data privacy means the proper and secure collection, storage, and handling of personal data. So, what are you doing as part of your data privacy program to accomplish this? Here are four things you can do today to mature your data privacy practices:

1. Have a formal information security and privacy policy

Your information security and privacy policies should be reviewed, tested, and updated at least annually. The best way to ensure your policies cover all your bases is to start with your annual risk assessment. Are there controls that are missing entirely? Are there controls that lack important elements? Spelling out each of your risks and knowing where all your data exists will help you verify that your policies and procedures accurately reflect all the precautions you must take.

2. Implement strong access controls

Strong access control measures help thwart unauthorized access to sensitive customer data. Password requirements such as a minimum length and screening against known-breached passwords keep passwords hard to crack; note that NIST SP 800-63B (2017) advises against forcing periodic password changes without evidence of compromise, since mandatory rotation tends to produce weaker, predictable passwords. Maintaining permissions is another strong access control. Limit access to sensitive customer data to those with a specific business need, grant elevated or privileged access only for as long as it is required, and review those grants regularly to minimize the risk that the data will be accessed or compromised by an unauthorized source.

3. Ensure secure disposal of data

Data retention and disposal policies help companies minimize the risk that data can be compromised. If there is no further business need to store sensitive data, get rid of it. When it’s time to dispose of or destroy sensitive data, be sure you’re doing it in a secure and appropriate manner. Commonly used methods for destroying non-electronic media include cross-cut shredders, pulverizers, and incinerators. Simply deleting a file or dropping a table usually removes only the reference to the data, not the data itself, so electronic data should be disposed of by methods that actually render it unrecoverable: overwriting, cryptographic erasure (destroying the key that protects encrypted data), or physical destruction of the media, following a standard such as NIST SP 800-88.

4. Monitor access and use of data

Who accesses customer data? How frequently do they access the data? What do they do when accessing the data? Monitoring access and use of data can help organizations recognize suspicious activity and prevent unauthorized use or access of sensitive, privileged data.

Providing constant training, tips, and reminders on data privacy and security best practices will help raise awareness of privacy and security concerns. This collaborative effort can help your data privacy and security practices continue to mature, and ensure you’re doing the most you can to protect sensitive data. Help spread the word this Data Privacy Day on these best practices for securing customer data. For more tips or an evaluation of your data privacy practices, contact us today.
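As an added illustration of the need-to-know principle from item 2 above (example code, not from the original post or from KirkpatrickPrice), the following Python sketch evaluates a deny-by-default policy: a role must grant the field being read, and restricted fields additionally require a time-boxed approval tied to a ticket. The role names, field names, ticket identifiers and fixed clock are all constructed for the example.

```python
"""Deny-by-default, need-to-know authorization for customer PII (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy: which customer-record fields each role may read.
# Unknown roles grant nothing, so a typo in a role name fails closed.
ROLE_FIELDS = {
    "support": {"name", "email"},
    "billing": {"name", "email", "card_last4"},
    "fraud_analyst": {"name", "email", "card_last4", "ssn"},
}

# Fields that need a time-boxed, ticketed approval on top of the role grant.
RESTRICTED_FIELDS = {"ssn"}


@dataclass
class Principal:
    user: str
    roles: set
    # field -> (ticket id, expiry in UTC); hypothetical approval workflow
    approvals: dict = field(default_factory=dict)


def authorize(principal, field_name, now):
    """Return (allowed, reason). Every denial carries a reason for the audit log."""
    allowed_fields = set()
    for role in principal.roles:
        allowed_fields |= ROLE_FIELDS.get(role, set())
    if field_name not in allowed_fields:
        return False, f"role grants exclude {field_name}"
    if field_name in RESTRICTED_FIELDS:
        approval = principal.approvals.get(field_name)
        if approval is None:
            return False, f"no approval on file for {field_name}"
        ticket, expires = approval
        if expires <= now:
            return False, f"approval {ticket} expired"
        return True, f"approved under {ticket}"
    return True, "role grant"


# Fixed clock and constructed principals so the example is reproducible.
NOW = datetime(2018, 1, 26, 10, 0, tzinfo=timezone.utc)
SUPPORT = Principal("asmith", {"support"})
ANALYST = Principal("bjones", {"fraud_analyst"},
                    approvals={"ssn": ("ticket-4711", NOW + timedelta(hours=2))})
STALE = Principal("cdoe", {"fraud_analyst"},
                  approvals={"ssn": ("ticket-0001", NOW - timedelta(days=1))})

if __name__ == "__main__":
    for who, fld in [(SUPPORT, "email"), (SUPPORT, "ssn"), (ANALYST, "ssn"), (STALE, "ssn")]:
        print(who.user, fld, authorize(who, fld, NOW))
```

The decision function returns a reason with every answer so the same call can feed the audit trail; an expired approval and a missing role grant are both denials, but they are reported differently because they point to different process failures.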
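To show what monitoring access to customer data (item 4 above) can look like in practice, here is an added Python example, not from the original post, that runs three simple detections over constructed access-log lines: reads of restricted fields outside business hours, export actions, and a per-user volume threshold. The log format, field names, business-hours window and threshold are assumptions for the example; a real deployment would take them from the organization's own systems and baselines.

```python
"""Flag suspicious access to customer records from an access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in a hypothetical key=value format; not from any real system.
# The last line is deliberately malformed to show that unparseable entries are counted.
SAMPLE_LOG = """\
2018-01-25T14:02:11Z user=asmith action=read record=cust-1001 fields=name,email
2018-01-25T14:03:40Z user=asmith action=read record=cust-1002 fields=name,email
2018-01-25T14:05:02Z user=bjones action=read record=cust-2001 fields=name,email,ssn
2018-01-25T23:41:55Z user=bjones action=read record=cust-2002 fields=name,ssn
2018-01-25T23:42:10Z user=bjones action=read record=cust-2003 fields=name,ssn
2018-01-25T23:42:31Z user=bjones action=read record=cust-2004 fields=name,ssn
2018-01-25T23:42:50Z user=bjones action=read record=cust-2005 fields=name,ssn
2018-01-25T23:43:12Z user=bjones action=read record=cust-2006 fields=name,ssn
2018-01-25T23:44:05Z user=bjones action=read record=cust-2007 fields=name,ssn
2018-01-26T09:15:00Z user=asmith action=export record=cust-1001 fields=name,email
2018-01-26T09:16:00Z malformed entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) fields=(?P<fields>\S+)$"
)
RESTRICTED = {"ssn", "card_number"}   # assumed set of fields that warrant extra scrutiny
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59 UTC, an assumed policy
MAX_RECORDS_PER_HOUR = 5              # assumed per-user baseline for distinct records


def parse(log_text):
    """Return (events, skipped): parsed events plus the count of malformed lines."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1   # a real pipeline would alert on parse failures too
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["fields"] = set(e["fields"].split(","))
        events.append(e)
    return events, skipped


def find_suspicious(events):
    """Return (kind, user, detail) findings from three rules over the parsed events."""
    findings = []
    per_user_hour = defaultdict(set)   # (user, hour bucket) -> distinct records touched
    for e in events:
        # Rule 1: restricted fields read outside business hours.
        if e["fields"] & RESTRICTED and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_restricted", e["user"], e["record"]))
        # Rule 2: any export of customer data is queued for review.
        if e["action"] == "export":
            findings.append(("export_review", e["user"], e["record"]))
        per_user_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["record"])
    # Rule 3: more distinct records in an hour than the baseline allows.
    for (user, hour), records in per_user_hour.items():
        if len(records) > MAX_RECORDS_PER_HOUR:
            findings.append(("volume", user, f"{len(records)} records in hour {hour}"))
    return findings


if __name__ == "__main__":
    parsed, bad = parse(SAMPLE_LOG)
    for finding in find_suspicious(parsed):
        print(finding)
    print(f"{bad} malformed line(s) skipped")
```

The volume rule keys on distinct records rather than raw line count, so a user who re-reads the same record many times does not trip it while one who walks through a customer list does; the thresholds shown are placeholders to be replaced by measured baselines.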

What is GDPR?

The European Union’s General Data Protection Regulation (GDPR) is not just one more data protection framework among many. GDPR is the top regulatory focus of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. The applicability of the law follows the data, rather than the location of the organization. The scope is big and the sanctions are even bigger. Born out of cybercrime threats, technology advances, and concerns about data misuse, GDPR requires all data controllers and data processors that handle personal data of individuals in the EU to “implement appropriate technical and organizational measures…to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services” (Article 32).

What is My Role?

GDPR requirements depend on roles, so determining what role your organization plays sets the groundwork for determining which GDPR requirements apply to you. Is your organization one of the following?

  • Data Controller: The person or organization that determines the purposes and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization is a data controller.
  • Joint Controller: Multiple organizations having authority over personal data. The purposes and means for processing personal data are jointly determined, and the requirement is to clearly define the responsibilities among joint controllers. The organizations must share authority over the data, not just share a data pool. For example, if a few organizations make an agreement to collect, use, or combine personal data and have mutual authority over that data, you might have a joint controller relationship.
  • Data Processor: The person or organization that processes personal data on behalf of a data controller. Data processors cannot process data without the authority of the data controller. They must notify the data controller of any personal data breach, and must obtain the controller’s authorization before engaging or changing sub-processors. Data processors must provide sufficient compliance guarantees to the data controller.
  • Controller-Processor: You can have situations where a person or organization is both a controller and a processor. A SaaS provider could serve as a data processor for the data it receives from its clients, but it could also serve as a controller because it is an employer with employees located in the EU. Two sets of data exist, and the SaaS provider has different authority over the two sets.
  • Data Protection Officer: An individual with expert knowledge of data protection law who is independent from an organizational reporting perspective, cannot be instructed on how to perform their tasks, and cannot be penalized or dismissed for performing them. This could be a person who is also fulfilling other roles within an organization (without a conflict of interest), but it could also be an outside contractor.
  • Supervisory Authority: Independent public authorities in each EU member state. Supervisory authorities are responsible for monitoring the application of GDPR and addressing non-compliance. These are the government bodies you will be interacting with; they can issue guidance, conduct investigations, and impose corrective measures and fines.

We know that determining your role can be confusing; there’s a lot of overlap and a lot of questions. Here’s one more example to consider: a manufacturer of shoes. The data controller is the manufacturer. Whenever they sell a pair of shoes, a customer fills out a form that obtains their name, physical address, and other personal data. Now, the data controller (manufacturer) must decide what to do with that data. A data processor, in this situation, could be a marketing company that produces marketing materials on behalf of the shoe manufacturer. The marketing company has the control over color, font, images, or marketing channels to use, but they wouldn’t necessarily have authority over what data to use or who to market to. This makes the marketing company a data processor.

Where Do I Start?

Have you been wondering, “Where do I start with GDPR? What’s my next step?” but you can never get a straight answer? Well, here’s ours: start with data mapping. Consider where personal data enters and exits your organization, even if it’s somewhere that’s not a part of your core services. Who has access to that data? What controls surround it? Think about customer satisfaction surveys, messaging forums, talent acquisition, your HR department, and other areas where personal data could enter your organization. Data mapping helps you find the places where personal data resides that you might otherwise overlook.

Another first step towards GDPR compliance is determining what your organization’s posture is under the law. Do you know if you’re a controller, processor, or a joint controller? If you’re a processor, do you use other sub-processors? Do you have a lawful basis for all of your processing activities? Do you have valid transfer mechanisms for international transfers?

Another practical implication to think about is change management. When considering GDPR, you must ask whether a change requires a Data Protection Impact Assessment. Is a change going to require the use of one or more new processors, or new consent from data subjects? Is new technology or a new service going to change the way you facilitate data subjects’ rights? We recommend that you create some type of decision tree that outlines what the downstream impact of a change is.

Because GDPR does not become enforceable until May 25, 2018, there is no enforcement action yet to give us case studies or tell us what is compliant and what isn’t. In this pre-implementation phase, it’s crucial to monitor regulatory developments as they come out.

Listen to the full webinar to learn about industry-specific issues and hear Q&A from Regulatory Compliance Specialist, Mark Hinely. For more information on GDPR readiness, contact us today.

Independent Audit Verifies LogicBay’s Internal Controls and Processes

Wilmington, NC –  KirkpatrickPrice announced today that LogicBay Corporation, a channel management technology provider, has received their SOC 2 Type II attestation report. The completion of this engagement provides evidence that LogicBay has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of LogicBay’s controls to meet the criteria for these principles.

“Mission-critical systems, like ours, that companies depend on to support their sales channel partners must be secure and always accessible. Companies that rely on LogicBay can now rest assured that our systems and processes adhere to best practices as audited by a respected third-party auditor – not unverifiable claims used for marketing purposes,” said John Panaccione, CEO of LogicBay.

“The SOC 2 audit is based on the Trust Services Principles and Criteria. LogicBay has selected the security and availability principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “LogicBay delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on LogicBay’s controls.”

About LogicBay Corporation

Founded in 2003, LogicBay delivers technology-enabled channel management solutions to companies that need to build, scale, or optimize their indirect sales channels. At the core is the Channel Technology Stack™, combined with a proprietary Channel Profit Center™ methodology that helps companies achieve growth through their sales channels. LogicBay’s technology and services have delivered substantial and consistent value to many of the world’s leading companies such as Caterpillar, Daimler Trucks North America, Hyster-Yale Group, and Texas Instruments. In addition to these enterprise solutions, LogicBay has contributed significantly to the success of many small and midsize businesses. For more information, visit www.logicbay.com, follow LogicBay on Twitter (@LogicBay), or connect with LogicBay on LinkedIn.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 11 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Independent Audit Verifies National Loan Exchange’s Internal Controls and Processes

Edwardsville, IL – KirkpatrickPrice announced today that National Loan Exchange (“NLEX”), a leading loan sales advisory firm, has received their SOC 2 Type I compliance report. The completion of this engagement provides evidence that National Loan Exchange has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. Because this is a Type I report, KirkpatrickPrice’s service auditor report verifies the suitability of the design of National Loan Exchange’s controls to meet the criteria for these principles as of a specified date; operating effectiveness over a period of time is the subject of a Type II report.

“NLEX is committed to bringing our clients best-in-class services and information security,” said Tom Ludwig, General Counsel and Executive Vice President of NLEX. “Large-scale institutions reentering the debt sales market, as well as all debt sellers in this environment, should ensure their service providers provide high data protection standards, and the SOC 2 attestation demonstrates NLEX’s commitment to meet those needs.”

“The SOC 2 audit is based on the Trust Services Criteria. NLEX has selected the security and confidentiality principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “NLEX delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on NLEX’s controls.”

About National Loan Exchange, Inc.

National Loan Exchange, Inc. (“NLEX”) has completed over 5,000 sale transactions across numerous asset classes with a total face value in excess of $150 billion, including $2.7 billion in 2017 alone. Along with best in class sale advisory services, NLEX provides reliable market evaluations and recovery strategy analysis, using its experience from consecutive monthly sales for over 20 years. More information available at www.nlex.com

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.