Staying Secure While Working from Home

When your employees begin working from a remote workplace, there are a number of new security threats they can face. While you may already have thorough information security policies and procedures implemented in the workplace, these detailed security controls don’t always transfer to remote work. To mitigate vulnerabilities and protect your remote employees from malicious attacks, make sure you’re following these five tips for remote employees and remote workplaces.

5 Work from Home Security Tips

  1. Provide training on security and technology – The first secure work from home practice is to train your employees on security protocols, technology use, and basic communication tools. Include instructions on securing WiFi routers, using MFA, deploying a VPN, and any other relevant security processes in your training. You should also encourage or require your employees to complete training that is specific to work from home environments. KirkpatrickPrice provides Security Awareness Training that can provide you with the tools to equip your remote employees with secure, up-to-date practices.
  2. Reset default passwords and implement MFA – Default passwords on home routers, passwords that don’t meet industry best practice guidelines, and insecure storage of passwords are major security threats. By performing a password audit and implementing MFA for all devices, you’re increasing the security of the information your remote employees store.
  3. Backup data on the cloud – The beauty of the cloud is its ability to provide a space for remote employees to regularly back up their work in secure ways. Automatic backups can be initiated so that you don’t have to rely on employees to initiate the backup process in their remote workplace on their own. Don’t forget to focus on cloud security best practices to ensure the data you’re storing in the cloud isn’t vulnerable to threats.
  4. Update all software and patch vulnerabilities regularly – The latest antivirus, firewall, web filtering, and encryption updates need to be implemented regularly to ensure your remote employees’ devices and applications are secure. The same guidelines should be followed for a remote workplace as are written in your company-wide security policy regarding the schedule of software updates and patch management. Keep your eye out for vulnerabilities in the new tools you’re using. For example, with so many new users on Zoom, it’s lucky that security researchers discovered an unpatched Zoom bug that could lead to UNC path injection.
  5. Engage in penetration testing to assess your remote security – Penetration testing is beneficial to your organization because it gives you the opportunity to find gaps in your network, applications, and code before an attacker does. For remote work, IT staff will often opt for quick solutions rather than the most secure. Penetration testing can check their work and help you ensure your remote employees are operating securely.

Policies You Need to Implement for a Secure Remote Workplace

With the increase of remote workplaces comes a number of policies that need to be updated to encourage productivity, security, and efficiency. The information security policy that you’ve developed for your company should be adjusted to fit the needs of your remote employees, although there needs to be a deeper focus on remote security. Take a look at this list of relevant policies you should develop for remote employees:

  • Equipment Access Policy
  • Physical Security Policy (Remote Office)
  • Acceptable Use Policy
  • Password Protocols
  • Remote Access Policy
  • Network Security Policy
  • Hours of Availability Policy
  • Response Rate/Communication Policy
  • Confidentiality Policy
  • Encryption Policy

If you need help developing a set of information security policies to address issues you may find in a remote workplace and other helpful work from home procedures, KirkpatrickPrice is here to help. Our information security experts are available to discuss your organizational needs and help you develop policies and procedures that will help keep you secure. Contact us, today, to learn more.

More Resources

Are Your Remote Employees Working Securely?

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

15 Must-Have Information Security Policies

Security Awareness Training Tools You Need

Security awareness is important. That’s not a new concept to anyone in IT or even employees who have had to complete some level of security awareness training. But, how can you ensure your security awareness training program is meeting industry standards? How can you get the most out of the training your employees complete? In a time where many people are transitioning to remote workplaces and work from home setups, how can you conduct security awareness training for remote employees? Let’s talk about the tools you need and how they can give your organization the upper hand it needs to combat security threats.

Why Security Awareness Training is Important

Shred-It’s 2019 Data Protection Report claims 47% of C-suite executives who reported a breach cited human error, employees, or insiders as the main cause. The realization that nearly half of these reported breaches were caused simply by error on the part of employees should encourage all organizations to implement effective security awareness training – especially with the looming threats that come with remote workplaces.

Additionally, to comply with PCI, SOC 2, HIPAA, and other regulations, security awareness training is required. The training you conduct should touch on topics like a clean desk policy, BYOD policy, data management, removable media, safe internet tips, physical security controls, phishing, social network threats, password security, social engineering, and malware.

4 Accessible Security Awareness Training Tools

You know you need to implement quality security awareness training, but how can your employees complete the training? Luckily, there are a number of great online resources you can use to ensure a high level of training. Without the need for in-person training sessions, you can conduct the annual online training for your remote employees conveniently. We’ve put together a list of 4 accessible security awareness tools you can use to conduct your own security training.

  1. Inspired eLearning: KirkpatrickPrice uses the capabilities of Inspired eLearning’s Cybersecurity Awareness Training to train our own employees, but also to help our clients. When you share a desire to engage in security awareness training with KirkpatrickPrice, you can expect us to utilize this thorough and effective online tool.
  2. Proofpoint: The interactive tools Proofpoint’s Security Awareness Training uses in its program allow for hands-on training that should prepare your employees to recognize various common security attacks.
  3. Enterprise Integration: EI’s Security Awareness Training is personalized to meet your training needs, whether you’re a small institute or a large company. This training tool could be the resource your organization needs.
  4. KnowBe4: KnowBe4’s ASAP tool is an automated security awareness program builder which builds a customized training program for your organization. To develop a program that is built according to your specific requirements, KnowBe4’s tool provides actionable tasks, helpful tips, coursework suggestions, and a management calendar.

The online access to these security training resources makes the task of implementing regular security awareness training simple. While many of your employees are in a work from home atmosphere, now is the perfect time to focus on accessible security awareness training. Make sure your remote employees have the right tools to keep your organization secure.

How KirkpatrickPrice Can Help

KirkpatrickPrice offers various courses that touch on healthcare, privacy, security awareness, PCI, and general security training. These resources provide your organization with valuable tools to conduct thorough security awareness training for all employees, including those in remote workplaces. The value in purchasing these resources through KirkpatrickPrice is that you receive quality training tools from someone you trust. Whether you’re already in the process of completing an audit or just starting your compliance journey, security awareness training is a necessary step. Let us help you as you make sure your employees are up-to-date on security best practices. Contact us, today, to learn more about our security awareness training services.

More Resources

Staying Secure While Working from Home

Reviewing Your Information Security Program for 2020


Reviewing Your Information Security Program for 2020

As organizations assess whether their information security program will overcome the 2020 threat landscape, we often hear a lot of confusion and frustration about frameworks modifying their requirements, the cost of audits rising, the cost of pen tests rising, scopes getting larger, and testing being more difficult. There’s a reason for this – the threats are advancing. Your data and systems need more protection than they did in 2019 or 2018. When pricing, scope, or frequency of testing increases, here’s what we’re really asking you: Don’t you want more protection in 2020 than you had in 2019?

Annual Checklist for Your Information Security Program

What are you going to do about the threats coming in 2020? How are you going to modify your information security and cybersecurity efforts to adapt to new requirements? Here are a few areas to consider as we head into a new year.

Risk Assessment

When was the last time you performed a risk assessment? Do you have your next one scheduled? A formal risk assessment should be conducted every year, and especially after any significant changes in your organization. A risk assessment is a proactive way that organizations can identify and assess organizational risk, getting ahead of the threats for 2020.

Incident Response Plan

IBM reports that when an organization’s incident response team extensively tests their incident response plan, the average organization saves $1.23 million when a data breach does occur. Testing is incredibly crucial to the success of an incident response plan and can be done through tabletop exercises or simulations. Have you tested your incident response plan within the last year?

Business Continuity Plan

Just like incident response plans, business continuity plans must be tested to ensure they actually work. There’s no telling how extreme a disaster will be, so practicing different scenarios on a regular basis should be a top priority each year – especially if your organization operates in areas prone to natural disasters.

Policy Review and Acknowledgement

Because of the number of policies your organization must have and their importance not only day-to-day but also during an audit, your policies and employee handbook should be reviewed and updated annually. After those updates, you should require employee acknowledgement to ensure that all changes are communicated to your personnel.

Security Awareness Training

It’s hard to admit, but employees are the weakest link when it comes to information security and privacy – no matter what department they are in or how high they are on the org chart. How will you hold them accountable if you don’t require annual security awareness training? At a minimum, this training should cover what they encounter on a day-to-day basis, like weak passwords, what a phishing email looks like, social engineering examples, and physical security policies.

Security Automation Tools

Organizations that do not utilize automated security tools will experience 95% higher data breach costs than organizations that do, according to IBM. What security automation tools would be a valuable investment for your organization? With all the new technology available to identify and contain an attack, it’s worth a conversation about which tools could be valuable for your organization.

Penetration Testing

Do you need to change what type of pen testing you receive, how frequently you do it, or who performs the testing? Do your compliance obligations require a more frequent pen testing schedule? Investing in pen testing is one way to show clients, prospects, and competitors that you are willing to take every step necessary to safeguard the data that has been entrusted to you. At KirkpatrickPrice, we offer seven different types of advanced pen tests as well as code review and social engineering.

Information Security or Privacy Audits

Do any of your upcoming deals rely on a SOC 2 report? Have you taken on new clients that require HIPAA compliance from you? Are your competitors going through privacy audits? These are all things to consider as you plan how your information security program needs to adapt. The benefit of using our Online Audit Manager is that it can gauge how much crossover there is between specific audits so you know how much additional effort a second, third, or fourth audit would require from your team.

The global average cost of a data breach in 2019 landed at $3.9 million, usually impacting 25,575 records. In 2020, we expect to see that cost rise just as it has year after year. Do you want to fall victim to the financial and reputational damage from new threats, hackers, malicious insiders, and internal weaknesses this year? Performing an annual risk assessment, updating and testing your incident response and business continuity plans, performing policy review, requiring security awareness training, and determining which tools, pen tests, and audits you need will help defend your organization. Let’s work together to create the best information security program for your organization.

More Information Security Resources

How to Hire a CPA Firm for Information Security Audits

What Type of Compliance is Right for You?

Why Bother with an Information Security Program?

When headlines about companies like Capital One, Imperva, Marriott, Target, or Home Depot becoming victims of a data breach are released, we understand why small and medium-sized businesses start wondering if their efforts put towards an information security audit are worth it. If enterprise-level companies and household names can’t protect themselves, why should startups and smaller companies even try? If they can’t do it, no one else can either, right? Wrong. If your organization tends to align with this dangerous, unproductive line of thinking, then this blog post is for you. The threats you’re up against are real, but you can protect yourself and your clients’ data – you may just need some help establishing an information security program.

You vs. Them

Hackers don’t discriminate based on company size, industry, or location. They’re after sensitive assets like PHI, CHD, passport information, dates of birth, travel reward numbers, and Social Security numbers. The methods they use to go after small, medium, and enterprise-level businesses are different, though.

Hackers cast a wide net to catch small and medium businesses in their areas of weakness. When they can send phishing emails to 100 companies with 100 employees, the odds are good that an untrained, unaware employee will fall for it – even better if it’s an employee who should know better. There are plenty of breaches that happen each day that could have easily been prevented by security testing, employee training, or a basic information security program. How frustrated would you be if one employee clicked on a malicious link and it cost you hundreds of thousands of dollars, when security awareness training could’ve prevented this entire situation?

For enterprise-level businesses, hackers have more to gain, so they can spend more time planning and executing an attack. They can spend months testing their methods and observing vulnerabilities, maybe even collaborating with other hackers. This is something that, unless you have extremely sensitive data, you probably don’t have to worry about. Does that mean you shouldn’t have an information security program? Absolutely not.

Protect Yourself

When a data breach happens, it’s not just your clients who are impacted. Your name is in the headlines, and you’re the one who will pay for it (literally).

Legal Ramifications – New, state-level breach notification, cybersecurity, and privacy laws are consistently passed, with non-compliance resulting in hefty fines. When you ignore these laws or try to find loopholes, there will be legal ramifications to face.

Regulatory Responsibility – If you are subject to a regulatory body, what will happen if they find your organization non-compliant?

Costly Consequences – According to IBM, the average cost of a data breach in the United States is $8.19 million, with 67% of the cost occurring within the first year, coming from data breach detection and escalation, notification cost, incident response, and lost business. Does this cost outweigh your hesitancy to establish an information security program?

Competitive Disadvantage – If you don’t establish an information security program and have a data breach, your competitors can learn from your mistakes and use your data breach during sales conversations. If you don’t establish an information security program and haven’t been a victim of an attacker yet, your competitors can still have an advantage over you by pursuing information security audits to prove their commitment.

Protect Your Clients

When a client trusts you with their sensitive data and you can’t even provide them with evidence of your commitment to protect that data, do you think they’ll be loyal clients? Is the cost of an audit or information security personnel worth more to you than client data being sold on the dark web? According to Symantec, here’s what hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty from reward program accounts with 100,000 points – $10-$20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-$35

When you have no formal information security program in place and no way of showing it even if you do, your clients won’t be satisfied with your service. In some cases, a client legally cannot contract your service without seeing your audit report or policies.

Partner with KirkpatrickPrice

When you have the right partner, information security best practices can be an integral, sustaining part of your business. Audits are hard. We get it. But, they’re the only way to prove your commitment to protecting your clients and protecting yourself. Let’s partner together to define an accurate scope, implement industry best practices, and establish an information security program that will protect you and your clients.

KirkpatrickPrice is an audit firm whose goal is to provide the guidance you need to embark on a successful compliance journey. You don’t have to settle for choosing a partner that conducts an audit and leaves you with unanswered questions and worries, or who holds you to unrealistic expectations. Contact KirkpatrickPrice to get the partner your organization deserves to have on its compliance journey.

More Information Security Resources

Was the Audit Worth It?

Audits are Hard, Period.

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

How to Scale Your Information Security Program as You Grow

It’s a great accomplishment for startups to meet compliance goals, like gaining SOC 2 attestation or becoming HITRUST CSF certified – but what happens after you receive your report? How do you continue to implement the lessons you learned and the controls you developed? What happens when a CISO or an IT director leaves the company? Will your information security program withstand your projected growth? These are all things to consider when developing your information security program.

Why is an Information Security Program Important for Startups?

Information security tends to be sacrificed due to the resources it requires – resources that could be used or spent elsewhere. There are always more prospects to pursue, contracts to sign, growth to focus on, and more problems to fix. Initially, an information security program is typically viewed as a headache that seems to get worse year after year, requiring more time, money, and attention. And yet as an assurance firm, we know that a business built with an information security program at the foundation has an advantage because a business process or IT solution is so hard to change once it becomes core to the enterprise and its operation. Every shortcut taken during the design processes, technology solutions, or internal systems will haunt your startup forever – even when you’re not a startup anymore. That’s why creating an information security program must be a priority from the very beginning.

Creating a Scalable Information Security Program

What does it mean for startups to create information security programs that scale as they grow? It means that the work you put into your program at the inception of your organization will pay off in the long run. You will reap the benefits of your information security program long after you’ve graduated from being a startup. What are some ways to create a scalable information security program?

  • Bake information security into the foundation of your organization, but don’t overwhelm your personnel. What are the information security basics that you need to cover? How can you configure AWS in a secure way? Have you created an incident response plan? Have you installed 2FA? A business that is driven by security and integrity will create a quality service or product.
  • Even if it’s not a full-time position, someone needs to be responsible for information security efforts. Maybe it’s something that grows into a full-time position, but if no one is in charge of the information security program, you will regret it down the line. Eventually, you will get to the point that you have a full-time position heading up your information security program.
  • Conducting a formal risk assessment is not only a way that startups can identify and assess organizational risk; the findings can be used to prioritize risks to your organization’s business continuity, reputation, and financial health. Risk assessments will be essential as a startup grows; what new risks are you exposed to that you weren’t a year ago? How can you mitigate them? How can you monitor them?
  • When startups have a product, customers, and the customers’ data (and possibly their customers’ customers’ data), they are a more interesting target to hackers. Do you have engineers and developers who know how to design a secure system? Can they review code? Do they know how valuable penetration testing is? Do controls scale alongside your infrastructure?

What Our Clients Say

What do we hear from our clients about creating an information security program that is scalable?

  • “As a startup, if you’re going to deal with data that has privacy and compliance requirements or talk to customers that are heavily regulated, you have to think about that in your initial design and business strategy because that’s the success. That’s the difference between being profit-positive inside of one year and being profit-positive at year seven.”
  • “We want to be able to tell our clients and our clients’ customers that the framework that we’ve built and the design or architecture that we’ve built is as secure as is available on the market. We knew that the sooner we could close that gap and prove to our customers and prospects that we’ve rolled out an information security program, thought about the processes and procedures, and considered privacy laws and requirements around the globe, that opens the door to more conversations and builds confidence in us as a vendor.”
  • “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.”
  • “[Going through] a gap analysis was the best thing that we ever did.”
  • “[Going through an audit made] our documentation lightyears beyond what it was.”
  • “We’re a small company, but as we grow, the Online Audit Manager is architected in such a way that you can delegate the questions out to the right people in your team and get accurate answers. It also alleviates businesses from having a single point of contact that must do it all. Having an online platform with delegation and tracking capabilities plus the feedback from the auditor in a digital format, along with the daily email reminders, is a great way to keep the audit process moving forward.”

If your organization is a startup considering undergoing information security assessments or penetration testing for the first time, KirkpatrickPrice wants to be your resource for building a scalable, solid information security program. Want to learn more? Contact us today.

More Resources for Startups

Auditor Insights: Compliance from the Start

You’re a Target for Cyber Attacks No Matter Your Business Size

5 Strategies to Keep You From Wasting Time on Security Questionnaires

5 Information Security Considerations to Make Your Startup Successful