Shark in Water: 5 Things to Avoid a Costly Data Breach

Is your organization swimming in information security concerns? Recent and startling new malicious attacks are causing organizations to re-think everything we know about our security posture – from breach prevention to response. Organizations are beginning to shift their focus to security as they realize that, sometimes, compliance isn’t enough. With this “shark in water” reality, here are 5 things your organization should be doing to avoid a data breach.

  • Perform an Annual Risk Assessment

The number one thing all organizations should be doing is performing an annual risk assessment. Without this critical component of an information security program, organizations are left in the dark about where their assets reside, and what the risks to those assets are. How can you protect your critical and sensitive assets from a malicious data breach if you don’t know what you’re protecting them from? A risk assessment will help you identify all assets and prioritize risks based on an individual threat level. A formal, risk-based approach is key to any organization’s security posture, and should be the basis of your risk management program.

  • Create a Culture of Security

Calling all management, board of directors, and stakeholders! Information security auditors can’t stress enough how important it is to create a culture of security within your organization. The best way to accomplish this is by having a solid tone from the top. What does this mean? Upper-level management must understand the importance of information security and let this understanding permeate throughout the organization, all the way down to the operations level and beyond. An important way to ensure that all employees are aware of their security obligations is to develop and maintain a policy that addresses information security for all personnel, and conduct annual security awareness training programs.

  • Update Software and Install Patches

When WannaCry, the infamous ransomware attack, hit earlier this year, organizations were left scratching their heads in disbelief that it all could have been avoided if they hadn’t ignored a Microsoft software update. Why leave a known vulnerability open to attackers? Software updates are critical for preventing a data breach and safeguarding your sensitive data.

  • Closely Manage your Vendors

Most businesses today outsource critical business functions to third-party service providers. However, it’s important to note that it’s best practice (and often required by regulation) to perform due diligence by fully vetting your vendors to ensure they, too, are implementing appropriate and effective controls to protect your assets, and will not negatively affect the security of your organization. Even once you are contractually engaged with a third party, your organization should issue temporary passwords to any vendor connecting to your network, monitor and log all user activity, and immediately disable temporary vendor accounts after use. Doing so can help you detect any malicious activity promptly, and respond accordingly.
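One way to verify that temporary vendor accounts really are disabled after use, as an added example that is not code from the original post: a Python audit that joins constructed account records with constructed login log lines and flags accounts still enabled past expiry, idle beyond a grace window, lacking an expiry, or showing activity after expiry (the account fields, log format and two-hour idle window are assumptions).

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): temporary vendor
# accounts as an identity system might export them, plus authentication
# log lines in the assumed form "<ISO timestamp> <user> <event>".
VENDOR_ACCOUNTS = [
    {"user": "vendor-acme-tmp",  "enabled": True,  "expires": "2017-06-01T18:00:00"},
    {"user": "vendor-beta-tmp",  "enabled": True,  "expires": "2017-06-02T12:00:00"},
    {"user": "vendor-gamma-tmp", "enabled": False, "expires": "2017-05-30T17:00:00"},
    {"user": "vendor-delta-tmp", "enabled": True,  "expires": None},
]
ACCESS_LOG = """\
2017-06-01T14:05:11 vendor-acme-tmp login_success
2017-06-01T16:40:02 vendor-acme-tmp logout
2017-06-01T09:12:44 vendor-beta-tmp login_success
2017-06-01T09:30:00 vendor-beta-tmp logout
2017-06-01T19:22:09 vendor-acme-tmp login_success
2017-05-30T08:00:00 vendor-gamma-tmp login_success
"""


def parse_log(text):
    """Group log lines by user as (timestamp, event) pairs sorted by time."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.setdefault(user, []).append((datetime.fromisoformat(ts), event))
    return {user: sorted(evts) for user, evts in events.items()}


def audit_vendor_accounts(accounts, log_text, now, idle_grace=timedelta(hours=2)):
    """Return (user, reason) findings for temporary vendor accounts.

    no_expiry: enabled with no expiry set; enabled_past_expiry: still enabled
    after expiry; enabled_idle: enabled but unused for longer than idle_grace;
    activity_after_expiry: the log shows use after expiry, so review that session.
    """
    events = parse_log(log_text)
    findings = []
    for acct in accounts:
        user, expires = acct["user"], acct["expires"]
        expires = datetime.fromisoformat(expires) if expires else None
        user_events = events.get(user, [])
        if expires and any(ts > expires for ts, _ in user_events):
            findings.append((user, "activity_after_expiry"))
        if not acct["enabled"]:
            continue  # already disabled: nothing more to flag
        if expires is None:
            findings.append((user, "no_expiry"))
        elif now > expires:
            findings.append((user, "enabled_past_expiry"))
        if user_events and now - user_events[-1][0] > idle_grace:
            findings.append((user, "enabled_idle"))
    return findings


def run_sample():
    """Audit the constructed sample as of a fixed point in time."""
    return audit_vendor_accounts(VENDOR_ACCOUNTS, ACCESS_LOG,
                                 datetime.fromisoformat("2017-06-01T21:00:00"))
```

Running `run_sample()` on the constructed data flags the acme account twice (used after expiry and still enabled), the beta account as idle, and the delta account for having no expiry; the already disabled gamma account produces no finding.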

  • Know your Incident Response Plan

While organizations spend so much time focusing on how to keep malicious attackers at bay, sometimes they can overlook what they should do in the event of a breach actually occurring. Incident response plans are not only important when it comes to dealing with a flood or power outage. Don’t be caught with your sails down if your organization is compromised; ensure you have a fully developed incident response plan that has been both documented and tested. Organizations should have a designated team that is available 24/7 to handle any type of security incident. These teams must be fully aware of their responsibilities in the event of a data breach and undergo regular training. Here are the six steps of an incident response plan:

      1. Preparation
      2. Detection & Identification
      3. Containment
      4. Remediation
      5. Recovery
      6. Lessons Learned

In today’s cyber threat landscape, we’re swimming with sharks. So, remember, when compliance isn’t enough, focus on hardening your systems and fully developing your information security program. It’s never too late to re-think your organization’s security posture. If you’d like help with your security program or would like to see where your security posture currently stands, contact us today.

3 Steps for an Effective Disaster Recovery Plan

When Disaster Strikes, Will You be Prepared?

To ensure that operations remain up and running during hurricane, tornado, or rainy seasons, businesses must have a Disaster Recovery Plan that has been developed, tested, and is in place and known to all relevant parties. Hurricanes like Matthew and Sandy have devastated businesses over the last couple of years, and without a well-developed Disaster Recovery Plan, many businesses were left inoperable, damaging their revenue and reputation.

What is a Disaster Recovery Plan?

So, what is a Disaster Recovery Plan (DRP)? Disaster Recovery Plans define an organization’s processes for protecting and recovering its business in the event of a disaster, such as a hurricane, flood, tornado, power outage, etc. These documented sets of policies and procedures can be the lifeline of an organization following a disaster, and largely determine how much operational, reputational, and revenue loss follows. How will your organization stay running in the event of a disaster? Where will employees continue to carry out their work duties? How will incident response be communicated throughout your organization? These are the types of questions you should ask yourself when preparing for a potential disaster.

3 Steps for an Effective Disaster Recovery Plan

When it comes time to develop your Disaster Recovery Plan, there are three main steps to consider:

  • Business Impact Analysis: The first thing your organization should do when preparing your DRP is to conduct a Business Impact Analysis. This process will allow you to review existing business continuity capabilities by evaluating the risk to business process failures, identify critical and necessary business functions and their resource dependencies, estimate any financial and operational impacts of disruption and the required recovery timeframe for critical business functions, and to assess the effectiveness of any existing risk reduction measures.
  • Strategy Selection: Once you’ve identified and prioritized critical functions for business continuity, the next step in the process is to determine which recovery strategy to move forward with. Identify a range of specific recovery strategies that address interruptions of business processes, identify the computing resources that are required to recover the various distributed processing environments, and document alternative recovery strategies.
  • Disaster Recovery Plan Documentation: It’s time to create your physical plan for responding to a potential disaster. This plan should include the following:
      1. Emergency notification and disaster declaration procedures
      2. Recovery team procedures
      3. Facility and business restoration procedures
      4. DRP testing and maintenance cycles
      5. Appendices for master contact lists, equipment inventories, connectivity schematics, etc.

Once you’ve developed, tested, and disseminated your Disaster Recovery Plan, you can rest assured that you’ll be prepared if disaster strikes. For additional help on disaster recovery planning or for help with determining the effectiveness of your current Disaster Recovery Plan, contact us today.


HIPAA Update: Lessons Learned from 2016 Phase 2 HIPAA Audits

Now, with more than 200 Phase 2 HIPAA desk audits completed, Deven McGraw, Deputy Director of the Department of Health and Human Services’ Office for Civil Rights, is encouraging healthcare organizations to take a look at lessons learned from the completed desk audits to prepare for future HIPAA audit enforcement.

Understanding and navigating HIPAA audit enforcement has been on the minds of healthcare professionals for several years. Many covered entities and business associates have struggled to know what to focus on and in which areas they are lacking safeguards. Deven McGraw made an exclusive address at HIMSS17 to share with the healthcare industry the top findings from the 2016 Phase 2 HIPAA audits.

Top 8 Lessons Learned from Phase 2 HIPAA Desk Audits

Let’s look at the top 8 lessons learned from the Phase 2 HIPAA audits and make sure you have all of these things in place before you’re audited by the OCR.

  • Lack of Business Associate Agreements

HIPAA law mandates that you have a signed agreement in place with any contractor or subcontractor who is considered a business associate. This means any vendor or third party that has access to protected health information (PHI) is required to sign a contract pertaining to the protection and use of that PHI. This also applies to any business associates using subcontractors.

  • Incomplete or Inaccurate Risk Analysis

An incomplete or inaccurate risk analysis has still been a prevalent issue, mainly for organizations that underestimate their full scope and leave out major systems. Don’t forget that the HIPAA risk analysis is a risk-based, prescriptive approach to HIPAA compliance and should be step number one for any organization working towards HIPAA compliance. KirkpatrickPrice has published numerous resources for a step-by-step approach to performing a HIPAA risk analysis.

  • Failure to Manage Risk

Once your risks have been identified, it’s important to mitigate and properly manage those risks. If there are risks you cannot address, document them, along with what you will be doing to manage them in the meantime, and fully document your remediation plan. Risk management is a critical component of any information security program.

  • Lack of Transmission Security

Encrypt everything! Any and all electronic transmission of protected health information (PHI) MUST be encrypted. No exceptions. And as always, if there is something that for whatever reason is not addressable, then it needs to be formally documented along with ways that you are able to address and mitigate that particular risk.

  • No Patching of Software

We all saw the wake of WannaCrypt in the headlines this month and how not installing critical patches can lead to a devastating loss of business and operability. WannaCrypt targeted more healthcare organizations than any other kind of organization, so don’t learn this lesson twice! Patches must be up to date, as you will become an easier target with outdated software and patching. If there is a critical piece of software that you must use and that cannot be kept fully patched, be sure you’re documenting that and what you are doing to address any associated concerns.

  • Insider Threat

Whether your organization is small or large, it’s always important to have employee termination policies clearly defined, in place, and to ensure that you’re following them. Do you remove access for terminated employees? Are you using default passwords that can be easily cracked? Don’t fall victim to insider threat.

  • PHI Disposal

What good are strong administrative and technical safeguards if you’re exposing the low-hanging fruit? Improper disposal of PHI was a common issue found in the Phase 2 HIPAA audits. Make sure you’re properly disposing of PHI and don’t leave anything available for dumpster divers.

  • Lack of Incident Response Plan

Another common finding from the Phase 2 HIPAA audits is insufficient backup and contingency planning. With the risks of ransomware, we must not only be focusing on prevention but also have an Incident Response Plan tested and ready to deploy if, and when, necessary. Regular data backups also go hand-in-hand with incident response as a way to help minimize the damage from a breach or malicious attack.

Preparing for HIPAA audit enforcement may seem like an overwhelming task. Start with a risk analysis and don’t forget these common 8 findings when developing your HIPAA compliance program. If you have any questions or would like help preparing for Phase 2 HIPAA audits, contact us today.

Ransomware Alert: Defend Yourself Against WannaCrypt

On Friday May 12th, 2017, a large ransomware attack was launched, known as WannaCrypt (a.k.a. WannaCry), which infected more than 230,000 computers across 150 countries, and counting. This unprecedented cyberattack has left organizations struggling in the aftermath as they try to recover. WannaCrypt demands payment of ransom in bitcoin and has spread in several ways: through phishing emails and as a worm on unpatched computers.

The attackers responsible for WannaCrypt used the EternalBlue exploit, which attacks computers running Microsoft Windows operating systems. Unfortunately, many could have avoided this had they installed the patch that Microsoft released as “critical” on March 14th, 2017 to mitigate this vulnerability.

KirkpatrickPrice is urging organizations to install this patch immediately, and to always apply patches in a timely manner – particularly critical updates. Organizations must be proactive with their security in order to defend against potential ransomware attacks. Here are four things your organization should do today to protect against a ransomware attack.

4 Things your Organization Should do Today to Prevent WannaCrypt Ransomware Attack:

  1. Update – Updating security patches and keeping operating systems up to date is a critical activity for preventing a malicious cyber-attack, such as WannaCrypt. As organizations have learned from this devastating ransomware, weaknesses in applications and operating systems are the target of malicious hackers. Don’t leave a known vulnerability open to attack.
  2. Backup – When organizations are victims of ransomware attacks, they are pressured to pay a ransom to get back all of their data and files that have been stolen and encrypted by the attackers. Performing regular backups on entire machines can ensure that the data that is critical to your business will still be available. Regularly performing backups for critical data, files, and systems can help make the recovery and restoration process quicker and easier.
  3. Train – Your weakest link will always be your employees. Ransomware targets the human element. Regularly training your employees to recognize and avoid phishing attempts and other strategically crafted social engineering attacks can lessen your chances of being the next WannaCrypt target. KirkpatrickPrice offers phishing assessments and security awareness training that can help spread awareness and educate the workforce.
  4. Test – Performing an advanced external penetration test is a strategic approach to identify weaknesses in network and application security, as would a hacker. Penetration tests allow you to identify and prioritize your risks in order to prevent hackers from infiltrating your critical systems. It can also help you avoid a costly breach and loss of business operability that ransomware attacks will cause.

Don’t wait until it’s too late and you’ve become the next victim of a devastating ransomware attack like WannaCrypt. Do these things to prevent a ransomware attack today and don’t forget to perform regular risk assessments to ensure that you’re properly protecting your organization against any and all malicious threats. For more information about ransomware prevention or risk assessments, contact us today.

5 Reasons Why Internal Audit is Important

People often ask, is internal audit necessary? What if we’re a smaller organization, should we be spending our already limited resources on an internal audit program? If your clients depend on you to provide efficient, compliant, and secure services, then the answer is a resounding “yes”. Internal audit is an important function of any information security and compliance program and is a valuable tool for effectively and appropriately managing risk. Are we ensuring we are doing what we say we’re doing? Are there gaps in our policies and procedures? Areas for improvement? Are we meeting our compliance goals? These important questions are addressed through internal audit.

What is Internal Audit?

According to the Institute of Internal Auditors, “the role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.” Internal audit is conducted objectively and designed to improve and mature an organization’s business practices.

Internal auditing provides insight into an organization’s culture, policies, procedures, and aids board and management oversight by verifying internal controls such as operating effectiveness, risk mitigation controls, and compliance with any relevant laws or regulations.

5 Reasons Why Internal Audit is Important

Internal audit programs are critical for monitoring and assuring that all of your business assets have been properly secured and safeguarded from threats. It is also important for verifying that your business processes reflect your documented policies and procedures. Here are 5 reasons that Internal Audit is important:

1. Provides Objective Insight

You can’t audit your own work without having a definite conflict of interest. Your internal auditor, or internal audit team, cannot have any operational responsibility to achieve this objective insight. In situations where smaller companies don’t have extra resources to devote to this, it’s acceptable to cross-train employees in different departments to be able to audit another department. By providing an independent and unbiased view, the internal audit function adds value to your organization.

2. Improves Efficiency of Operations

By objectively reviewing your organization’s policies and procedures, you can receive assurance that you are doing what your policies and procedures say you are doing, and that these processes are adequate in mitigating your unique risks. By continuously monitoring and reviewing your processes, you can identify control recommendations to improve the efficiency and effectiveness of these processes. This, in turn, allows your organization to depend on process rather than on people.

3. Evaluates Risks and Protects Assets

An internal audit program assists management and stakeholders by identifying and prioritizing risks through a systematic risk assessment. A risk assessment can help to identify any gaps in the environment and allow for a remediation plan to take place. Your internal audit program will help you to track and document any changes that have been made to your environment and ensure the mitigation of any found risks.

4. Assesses Controls

Internal audit is beneficial because it improves the control environment of the organization by assessing efficiency and operating effectiveness. Are your controls fulfilling their purpose? Are they adequate in mitigating risk?

5. Ensures Compliance with Laws and Regulations

By regularly performing an internal audit, you can ensure compliance with any and all relevant laws and regulations. It can also help provide you with peace of mind that you are prepared for your next external audit. Gaining client trust and avoiding costly fines associated with non-compliance makes internal audit an important and worthwhile activity for your organization.

Still have questions about developing your own internal audit program? Contact us today using the form below and let’s start building your internal audit program.
