What Makes a SOC 2 Audit Successful?

What happens after you receive your SOC 2 report? You’ve just used many resources – maybe even some that you were strapped to allocate – to go through a gap analysis, remediate the findings, and then begin the SOC 2 Type I and/or Type II audit. It’s a massive project that you should be proud to finish…but what now? What makes a SOC 2 audit successful? How do you make the most out of your compliance? Let’s take a look at four ways to prove that your SOC 2 audit was successful, using one of our clients’ SOC 2 audit journeys as an example.

iPost’s SOC 2 Compliance Journey

iPost is a flexible and dynamic marketing automation solution for email and mobile needs, built for marketers by marketers. Like many others in the marketing industry, iPost was being asked by clients and prospects for evidence of their commitment to data security. When iPost decided to pursue SOC 2 compliance, it felt nerve-wracking to begin such a big project. After completing a SOC 2 Type I audit, though, iPost’s CEO, Cameron Kane, said, “The real value in the SOC 2 audit is that we’ve become a better company. The audit forced us to grow, and that’s not an easy thing – but we did it.”

So, how did iPost know that their SOC 2 audit was successful? How can you know that your SOC 2 audit was successful? We’ll give you four key ways.

How Do You Prove Your SOC 2 Audit was Successful?

1. C-Level Support

During a SOC 2 audit, it’s incredibly important that C-level executives and stakeholders understand and support the audit and the organization’s overall information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will care about the outcome of the audit?

iPost’s CEO supported and understood the SOC 2 audit and its purpose, and that made all the difference in making their SOC 2 audit successful. Kane and his team interacted with an Information Security Specialist and the President of KirkpatrickPrice, Joseph Kirkpatrick. When Kane met with Kirkpatrick, the tone for the SOC 2 audit was set: Kane knew that it would be a long process, but also understood that the auditor’s intention was not to find sensitive areas and pour salt in the wound. Instead, the auditor was there to help, point, and direct iPost toward stronger security practices. Right away, iPost’s CEO knew that their SOC 2 engagement wasn’t going to be a stereotypical audit and helped his team understand that there was no reason to be guarded. Kane knew that the KirkpatrickPrice team and the iPost team were all working towards the same goal: to make iPost the best organization it can be. That C-level support made iPost’s SOC 2 audit much more successful.

2. Seeing Real Change Within Your Company

SOC 2 audits are meant to strengthen and enhance your business, yet many organizations are fearful of the process rather than seeing the benefits. At KirkpatrickPrice, we believe a SOC 2 audit is successful when you see real change at your company. This means that the audit isn’t something to be checked off of a list every year, or just another IT thing to include in the budget. Instead, the audit is an opportunity to improve your business processes and your organization as a whole. At iPost, almost immediately following their SOC 2 Type I audit, they felt a change among their employees: phishing attempts were being reported like never before and procedures were being followed, all because they had buy-in from their staff.

3. Using Compliance as a Competitive Advantage

When an organization leverages compliance achievements as a competitive edge, they are taking full advantage of the achievement. After all, you just used a lot of time and resources to complete a SOC 2 audit – why not use it in marketing materials and sales conversations?

One of the reasons a SOC 2 attestation was so valuable to iPost is that it provided them with bigger, better sales opportunities. The opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it. iPost knows their competitors and others in their industry are being pushed towards a SOC 2 audit, and their proactivity has paid off. When they received their SOC 2 report, they were immediately able to close deals that depended on a SOC 2 attestation, use that achievement in sales conversations, and incorporate it into their marketing strategy.

4. Continuing the SOC 2 Journey

Many of our clients have the same feeling after completing an audit for the first time: it was a difficult process, but one that helped their company. After completing a SOC 2 Type I audit, iPost headed towards the next step: a Type II audit. They know that the next audit will still be difficult, but by following remediation guidance, they plan to become as prepared as possible for the SOC 2 Type II audit. When asked what he would say to other organizations considering pursuing SOC 2 compliance, Kane said, “First, it’s not going to be as bad as you think it’s going to be, even if you feel strapped for time and resources. Second, you really can use it in a sales environment. Lastly, your auditor is not there to ‘get you’ – they’re there to help you!”

So, what makes a SOC 2 audit successful? If you’ve gained C-level support that cultivates a culture of compliance, if you see real change within your company that supports security and privacy standards, if you utilize your compliance in sales and marketing, and if you want to continue the SOC 2 compliance journey, then you know you’re making the most out of your compliance efforts.

Are you considering pursuing SOC 2 compliance, but don’t know if it applies to your business or where to start the process? Contact us today to talk through your compliance objectives.


Wipro’s Data Breach: A Valuable Lesson for Managed Service Providers

In mid-April, KrebsOnSecurity reported that Wipro, one of India’s largest IT managed service providers, experienced a data breach impacting hundreds of thousands of their clients. The cause? An advanced phishing attack affecting a handful of employee accounts. These phishing attacks were then the gateway malicious hackers needed to target Wipro’s customers. What can we learn from this data breach? It all comes down to the need for effective third-party risk management.

How Can You Effectively Manage Third-Party Risk?

If you’ve entrusted a third party with access to your organization’s sensitive data, it’s understandable that you would want peace of mind that they’re doing everything they say they’re doing to protect that data. However, effective vendor management isn’t a one-way street: both you and your third-party vendors are responsible for protecting sensitive assets. Suppose you chose a bank and blindly trusted them to protect your money without performing due diligence to understand how they protect your assets, and then all of a sudden your money disappeared. It wouldn’t solely be the bank’s fault; it’d be yours too. The same goes for when you partner with a managed service provider. It can be easy to trust an established, well-known managed service provider like Wipro, but that doesn’t mean you can ignore the obvious: any third party increases your attack surface and is likely to introduce new vulnerabilities into your environment if they aren’t vetted properly. What are some steps to effectively manage third-party risk?

5 Steps to Manage Third-Party Risk

We believe that effectively managing third-party risk begins with implementing the following five steps.

  1. Conduct a Risk Assessment Survey: Get input from management and department heads so you can document specific risks or threats within each department.
  2. Identify Risks: Evaluate an asset such as an IT system and identify the risks to the hardware, software, data, or IT personnel, and also identify potential adverse events, like natural or man-made disasters.
  3. Assess Risk Importance and Risk Likelihood: Ask, “What is the likelihood of a specific event having a negative impact on a sensitive asset?” Typically, this is expressed qualitatively (high, medium, low) or numerically (1, 2, 3).
  4. Create a Risk Management Action Plan: Develop control recommendations to mitigate, transfer, accept, or avoid each risk, using the knowledge gained from identifying risks and assessing the likelihood of those risks having a negative impact on sensitive assets.
  5. Implement a Risk Management Program: Put the four previous steps into action by training your personnel and implementing controls to mitigate risks.

Including Your Third-Party Vendors in Your Audit: Why They Need an Onsite Visit, Too

Another way to effectively manage third-party risk is by including your vendors within the scope of your information security audits. Let’s say that you’ve outsourced your IT services to an organization like Wipro – an organization located across the globe from you. While you think they have a good reputation for delivering secure services, have you ever physically inspected whether they’re doing what they say they’re doing? Have you ever received third-party assurance that their internal controls are in place and operating effectively? Chances are, you have not. By including your third parties in your audit, our auditors will make sure that the organizations you outsource to live up to your standards.

Are you a managed service provider looking to demonstrate your commitment to security? Do you outsource any of your business processes to a managed service provider and want to ensure that they’re providing secure services? KirkpatrickPrice can help! Contact us today to learn about our risk assessment services and how we can help ensure that your business remains secure when you partner with vendors.


Smart Cities vs. Secure Cities: Is There Really a Difference?

With technology ever-evolving, federal, state, and local governments across the globe have implemented new tools and processes to make their cities more accessible, efficient, and secure. From IoT devices, including cameras, traffic signals, and public transportation, to city management systems and public data, cities all over the world are making an effort to become “smart” cities. But an increase in new smart technologies comes with an increase in cybersecurity risks, something that not all smart cities know how to mitigate, or are capable of mitigating. This leaves us wondering: Can smart cities also be cyber-secure cities? What’s the difference between smart cities and cyber-secure cities?

What Makes a Smart City Different Than a Cyber-Secure City?

While smart cities utilize many innovative technologies with the intention of enhancing the lives of residents and increasing the efficiency of the city itself, smart cities are not necessarily secure. Even if a city implements the latest, most innovative technology, that doesn’t mean it’s secure. In fact, smart cities that rush to implement the latest technologies may even increase the likelihood of experiencing a data breach or security incident because they don’t have effective cybersecurity strategies already established, leaving them even more susceptible to existing and new vulnerabilities. And even if a smart city does establish cybersecurity policies, new smart technologies increase the attack surface, introduce new vulnerabilities, are susceptible to DoS attacks, and often have encryption issues.

Examples of Smart Cities

To better understand the difference between smart cities and cyber-secure cities, let’s take a look at how the following cities have integrated new, innovative technologies into their infrastructure to change how their city and residents function.

  1. Barcelona: In 2012, Barcelona began rolling out technologies in an effort to become a smart city. This included adding smart technologies in various sectors including waste management, street lighting, public transit, and parking. For example, their waste management system became more efficient for citizens when they implemented a new smart waste device for waste disposal. Additionally, to solve their parking issues, they implemented a sensor that guides drivers to open parking spots.
  2. Sydney: Sydney has implemented various smart technologies including smart traffic controls, smart video surveillance, smart parking, smart public transportation, and smart waste management. Their smart public transportation system, like many other cities, offers a contactless fare collection system, making the ticketing and riding process much more efficient for passengers.
  3. Dubai: Known for its innovative architecture, Dubai is ahead of its time in many ways. Like Barcelona and Sydney, this smart city has implemented smart technologies including smart government services, smart energy and water, smart parking and traffic, smart cameras and security, and smart street lighting, and has plans to roll out even more smart city initiatives including an Artificial Intelligence Lab, paperless government, and a “happiness” agenda.

Examples of Smart and Cyber-Secure Cities

  1. New York City: A city known for its infrastructure, transportation system, government, and so much more, there’s good reason NYC was named the “smartest city” in 2017. This metropolis’ implementation of smart technologies, including surveillance cameras, traffic detection systems, smart street lighting, smart waste management, and wireless water meters, coupled with its Cyber NYC Initiative, demonstrates its focus on improving the livelihood of residents through smart technology and also its commitment to keeping its citizens secure with strong cybersecurity policies.
  2. London: Much like NYC, London has positioned itself as one of the top smart and cyber-secure cities in the world. They’ve incorporated traffic sensors, surveillance cameras, smart street lighting, smart parking, and their famous underground railway system to make their citizens’ lives easier, all while continuing to focus on cybersecurity and protecting their citizens from experiencing the effects of a breach. For example, like Cyber NYC, London’s cybersecurity startup accelerator, Cyber London, or CyLon, is dedicated to helping businesses develop information security technology and products, furthering the city’s focus on cybersecurity. London is also home to some of the world’s most prestigious universities and research facilities, making it an attractive hub for cybersecurity professionals, and thus a smart and cyber-secure city.

Does the city you live or work in utilize smart technologies? Want to make sure that your city is both a smart and cyber-secure city? Contact us today to learn more.


How Information Security Audits Can Lead to New Opportunities for MSPs

Managed service providers (MSPs) have a unique role: they are entrusted by other organizations to fulfill some or all of their business functions. Often, organizations hire MSPs to create and maintain strong security postures, and when these organizations partner with managed service providers, they want to know that they won’t bring more risk into their environment. So, how can they ensure that they won’t increase risk?

How Can MSPs Demonstrate That They’re Secure?

What would it cost you if your organization compromised client data because of insecure managed services? How would you be impacted if your services were hacked? MSPs cater to various industries and are likely to interact with a number of various sensitive assets on a regular basis. After all, as vendors, MSPs rely on the data of other organizations to fuel their business. Because of this, MSPs must make it a priority to ensure that they offer secure services, and they can do this by undergoing annual information security audits.

Common Frameworks for Managed Service Providers

While managed service providers may be required to comply with various frameworks and legal regulations depending on the industry they’re in, the types of organizations they work with, and the services they offer, we believe that MSPs should consider undergoing audits for the following common information security frameworks. By doing so, managed service providers will be able to find and mitigate vulnerabilities in their security posture, assure their clients that they are secure, and get assurance from a third-party auditing firm that they are doing everything they need to be doing to keep their clients’ sensitive assets secure.

  • SOC 1: When you engage in a SOC 1 audit, an assessor will review your internal controls over financial reporting. For managed service providers who are outsourced to provide financial reports to other organizations, a SOC 1 audit may be necessary.
  • SOC 2: As an MSP, it’s likely that your customers will want to verify that you’re doing everything that you can to secure their sensitive assets. Undergoing a SOC 2 audit is a key way to demonstrate this. Why? By engaging in a SOC 2 audit, you can assure your current and potential clients that their information is secure, available, and confidential.
  • PCI: Many businesses in the retail industry partner with MSPs to outsource some of their business processes. As an MSP, if your services get compromised by a malicious hacker and your clients’ payment card information is stolen, how would that impact your business?
  • HIPAA: Do you provide managed services to healthcare organizations? If so, you would be considered a business associate and are thus responsible for ensuring that you comply with the HIPAA Security, Privacy, and Breach Notification laws.
  • GDPR: If part of your managed services involves working with organizations located in the EU or with the personal data of EU data subjects, you’re responsible for complying with GDPR.

Benefits of Information Security Audits for MSPs

If your clients can’t trust you to ensure that their sensitive assets remain secure, then why would they do business with you? As a managed service provider, and trusted third-party vendor, undergoing information security audits is so much more than something to check off a to-do list. Instead, it’s an investment that will result in a stronger, more robust security posture, a competitive advantage, and most importantly: peace of mind for your clients.

Regardless of the industry or type of organization MSPs partner with, ensuring that the people, processes, and technologies used to deliver your managed services are secure must be a top priority. Want to learn more about how KirkpatrickPrice can help you secure your managed services? Contact us today.


Secure Your City: Airports

Why is cybersecurity for airports important? According to the FAA, more than 2.6 million passengers fly in and out of US airports on a daily basis. That’s 2.6 million people who rely on – and expect – airports, airlines, and aircraft to deliver secure services. As the cybersecurity threat landscape continues to evolve, it’s more important than ever that the airline industry understands and effectively mitigates the risks it faces. After all, whether it’s an airport, an airline, or an aircraft, there are cyber risks in every facet of the airline industry.

Cybersecurity Threats Before You Get to the Airport

You don’t have to physically be inside of an airport to experience a breach. In 2018, British Airways announced that 380,000 transactions were compromised during a breach of the airline’s website and app. Fortunately, no travel or passport details were compromised, but payment information was obtained and linked back to Magecart, a threat group that has compromised over 800 e-commerce sites worldwide.

Air Canada experienced a similar breach of its mobile app, which resulted in compromised personal information, including passport numbers, of approximately 20,000 users.

When you consider all the components that make the airline industry successful and innovative, you realize just how important cybersecurity for airports must be because of how many attack surfaces are available to hackers. How could thorough, continuous penetration testing have changed or prevented these breaches? How could a tried and true detection and monitoring system have alerted airlines earlier?

Cybersecurity Threats Inside of Airports

Physical security is of the utmost importance to airports, but cybersecurity for airports goes hand-in-hand with physical security. Why? Cybersecurity attack vectors can be inside of airports themselves.

The US Customs and Border Protection (CBP) program called Biometric Exit has caught privacy professionals’ and consumers’ attention. Biometric Exit is a facial recognition system currently being rolled out at departure gates in 17 airports across the US. By 2021, CBP hopes that 97% of airports will be able to utilize this technology. The idea is to increase efficiency by replacing manual identity verification – no more interaction initially needed between a passenger and an airline employee. But biometric technology raises many privacy and cybersecurity issues: what other ways could airports use facial recognition technology? Who is collecting this data, and where is the cross-reference data coming from? Are they using the data in any way other than identity verification? How long is biometric data being stored? Is the public allowed to have an opinion on when, where, and how this technology is implemented? How will this program impact cybersecurity for airports?

The flight information displays at Cleveland Hopkins International Airport recently went blank, with all other systems functioning. Email temporarily went down, but no other operations were impacted. This incident is still under investigation by the FBI, plus city and airport officials. The immediate assumption is that this was some type of cyber hack, but no conclusion has been reached yet.

In-Flight Cybersecurity Concerns

There is an obvious and major concern for protecting aircraft themselves from cybersecurity attacks, but how else could an aircraft be compromised? Along with new technology in airports comes new technology in aircraft. Cameras have been fitted to airplane seats, specifically where there is in-flight entertainment technology, and two senators have raised privacy concerns. They’ve asked 16 international airlines the following questions:

  • Does your airline currently use, or has it ever used, cameras, microphones, or sensors to monitor passengers?
  • What purpose do the cameras, microphones, or sensors serve and in what circumstances may they be activated?
  • If you have or currently do utilize cameras, microphones, or sensors to monitor passengers, provide details on how passengers are informed of this practice.
  • Provide comprehensive data on the number of cameras, microphones, and sensors used by your fleet, and the type of information that is collected or recorded, how it is stored, and who within your airline is responsible for the review and safekeeping of this information.
  • Confirm what security measures you have in place to prevent data breaches of this information, or hacking of the cameras, microphones, and sensors themselves.
  • Are the cameras used in any biometric identity capacity, and if so, under what authority?

The senators have proposed bipartisan legislation, the Passenger Privacy Protection Act of 2019, in hopes of prohibiting airlines from having cameras in in-flight entertainment systems. If not properly secured, could this technology be the next attack vector for malware?

The Need for Effective Cybersecurity Strategies

Effective cybersecurity strategies for airports, airlines, and aircraft keep passengers, their data, and their privacy safe. We haven’t seen a major cyber attack on an airport yet, and we hope that cities across the globe take the responsibility of cybersecurity for airports seriously. If you’re interested in learning more about effective cybersecurity strategies, contact us today.
