The global information technology industry is worth around $5 trillion. To put that in perspective, the global oil and gas market is worth $5.8 trillion. IT is an enormous industry because every business depends on IT infrastructure. That makes infrastructure security a priority for organizations, from sole proprietorships to multinational corporations and governments.

As a business owner or executive, you are responsible for creating and managing a secure infrastructure platform. But how can you build secure IT infrastructure when your business lacks infrastructure security expertise and experience?

Every business is unique, and there is no one-size-fits-all security solution. However, we can explore five strategies that help companies protect their data while complying with security and privacy regulations.

Why IT Infrastructure Security Is Important

We all understand why IT infrastructure security matters. Leaked private data may have catastrophic legal and financial consequences. Ransomware infections force businesses to choose between losing a valuable asset and handing money to criminals. Cybercrime can take down critical systems, disrupting business operations and damaging reputations.

But few are aware of cybercrime’s true scale, prevalence, and cost.

  • The average cost of a data breach in the U.S. is $8.64 million.
  • The global cost of cybercrime is an estimated $6 trillion and is expected to grow to $10 trillion by 2025.
  • There were 304 million ransomware attacks in 2020, double the previous year.
  • The average ransomware payout grew from less than $10,000 in 2018 to more than $233,000 by the end of 2020.
  • In 2020, 300 million people were impacted by data breaches.

Cybercrime is a risk every business faces. Asking whether criminals will attack your IT infrastructure is the wrong question. Your infrastructure will be attacked; it’s just a matter of time. The real question is what you can do to make sure that the attackers fail.

5 Steps to Outstanding IT Infrastructure Security

The specifics of IT infrastructure security depend on your business’s infrastructure needs and regulatory environment. An SME storing customer relationship management records in the cloud has different security and privacy requirements from a healthcare provider storing private healthcare information or a payment processor who must comply with PCI DSS.

However, the following high-level guidelines will help any business to build a more secure IT infrastructure.

Build on Secure Cloud Platforms

Cloud platforms are a more secure option than colocated or managed servers hosted in a data center. The self-managed, non-cloud option may be suitable for companies with infrastructure security expertise and resources. But for the average business, cloud platforms offer a superior balance of control, cost, and security.

Businesses hosting code on infrastructure they own and operate are entirely responsible for securing that infrastructure. That includes the servers, their operating systems and library code, services such as databases and web servers, application code, networks, and more.

In contrast, the cloud vendor takes care of the low-level security details on a cloud platform, including physical security. That doesn’t mean cloud platforms are intrinsically secure. They are not, but they help businesses with limited security resources to achieve better security outcomes than they otherwise could. They provide a solid foundation on which companies can build secure infrastructure.

Building in the cloud doesn’t absolve businesses of security obligations. Cloud security is a shared responsibility. Companies that don’t follow cloud security best practices put their data at risk, which brings us to our next infrastructure security strategy.

Create and Enforce IT Security Policies

IT infrastructure security starts at the top of the org chart. As KirkpatrickPrice Information Security Auditor Shannon Lane points out, “When building a foundation for a culture of compliance, you must start from the top.” The leadership team and senior executives must craft policies and implement organizational structures that support infrastructure security and compliance.

We explored this concept in more detail in How to Design Effective Security Compliance Programs. In essence, businesses that want to improve IT infrastructure security should:

  • Create policies that set minimum security standards for IT infrastructure.
  • Make executives, managers, and team members responsible for implementing those policies.
  • Monitor and audit infrastructure security to ensure that policies are complied with.

The last of these points is particularly important. Without a feedback structure, an organization’s leadership is likely unaware of how security policies are implemented, or whether they are implemented at all.

Employ Cloud Security Experts to Verify Your Cloud Configurations

As we mentioned in this article’s introduction, cloud platforms like AWS and Microsoft Azure operate a shared responsibility model for security. They provide secure foundations but don’t prevent misconfigurations that may lead to security vulnerabilities.

For example, businesses can store sensitive data securely in AWS S3 buckets if access permissions are correctly configured. However, S3 users often accidentally expose sensitive data through overly permissive access permissions. We explored several AWS security vulnerabilities caused by human error in Do These 8 Vulnerabilities Affect Your Infrastructure’s AWS Security?
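As an added illustration of the permissive-permissions problem (example code written for this article, not KirkpatrickPrice’s tooling), the following Python places a constructed public-read S3 bucket policy beside a corrected one and flags Allow statements whose Principal is anonymous. The condition-key shortlist is a simplification, and S3 Block Public Access settings, which can override a bucket policy, are not modelled.

```python
import json

# Constructed sample policies (not from the original article). The first grants
# read access to everyone; the second is scoped to a single hypothetical IAM role.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Condition keys that scope a grant to a network or account boundary; a statement
# carrying one of these is treated as not public here (a simplification).
SCOPING_CONDITION_KEYS = (
    "aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp",
    "aws:PrincipalOrgID", "aws:PrincipalAccount",
)


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _has_scoping_condition(statement):
    """True when the statement's Condition block references a scoping key."""
    condition_text = json.dumps(statement.get("Condition", {}))
    return any(key in condition_text for key in SCOPING_CONDITION_KEYS)


def find_public_statements(policy_json):
    """Return the Sid and actions of every Allow statement open to anonymous callers."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" restricts rather than exposes
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if _has_scoping_condition(stmt):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{idx}"),
            "actions": _as_list(stmt.get("Action", [])),
        })
    return findings
```

Running `find_public_statements` over both constructed policies flags only the `PublicRead` statement, which is the kind of finding a configuration review is meant to surface before data is exposed.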

We recommend hiring a third-party cloud expert to verify your cloud configurations. A Remote Cloud Security Assessment reviews AWS, Azure, and Google Cloud configurations to identify potential vulnerabilities and provide actionable guidance to help businesses mitigate cloud infrastructure security risks.

Invest in Security Awareness Training for Employees

A lack of security awareness is often the root cause of cloud security vulnerabilities and data breaches. Managers and employees make mistakes when they are not aware of the risks and how to deploy and configure cloud infrastructure securely.

Security firm Kaspersky Lab recently revealed that most cloud security breaches are a consequence of social engineering, not technology failures. Bad actors use phishing attacks, executive impersonation techniques, and other forms of social engineering to gain access. These attacks target senior executives (whaling) and other employees with access to sensitive data.

Correct cloud security configurations and access controls are of limited help against these attacks, because bad actors manipulate insiders with legitimate access to bypass security controls. Security awareness training helps employees to understand security risks and comply with security and privacy best practices.

Conduct Regular Cloud Security Audits

A cloud security audit is a comprehensive review of a business’s cloud security controls. Cloud security auditors analyze and report on controls for data, operating systems, networks, and access controls, among other relevant factors. An audit helps businesses to verify that their cloud security policies, configurations, and training are effective.

Audits have two primary benefits:

  • An independent expert verifies cloud infrastructure security and highlights failings that may expose businesses to security and compliance risks.
  • The business can demonstrate to customers and clients that it takes security seriously and complies with recognized industry standards.

Cloud security audits are based on the CIS benchmarks for AWS, Azure, and GCP. Businesses required to comply with other information security frameworks such as PCI DSS, HIPAA, and SOC 2 benefit from audits tailored to those frameworks.

KirkpatrickPrice is a licensed CPA firm that specializes in information security audits for regulatory frameworks and industry standards that include:

To learn more about AWS security, visit our AWS Cybersecurity Services, which offers an extensive library of actionable cloud security guidance.

It is Cybersecurity Awareness Month! Every October we are reminded of the potential threats to our cybersecurity. It is no surprise that employees make their way to the top of the vulnerability lists each year. It is time we created a culture of cybersecurity in the workplace.

Employees are often an organization’s weakest link. Whether because of a lack of funding or a misunderstanding of cybersecurity best practices, security awareness training often becomes an afterthought. The reality is that security awareness training is a vital part of your cybersecurity that cannot be skipped. If even one person is unaware of cybersecurity best practices, they could unknowingly compromise the integrity of your security and dismantle your business processes. There is an endless number of ways this can happen, whether it be someone failing to recognize a phishing attempt, recycling weak passwords, not properly disposing of sensitive documents, neglecting company-wide security policies, or falling victim to any other attack tactics, techniques, and procedures (TTPs) of malicious hackers.

To counter the prevalence of human error in cybersecurity, many information security frameworks and regulations have made security awareness training a requirement.

  • What are the security awareness training requirements from each framework?
  • What does your organization need to do to ensure compliance with these standards?
  • How can security awareness training offer you peace of mind?

What Do Common Frameworks Require for Security Awareness Training?

  • SOC 2
    • AICPA (American Institute of Certified Public Accountants) explains that to earn compliance with common criteria 2.2, entities must “communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
  • ISO 27001/27002
    • According to Requirement 8.2.2 of ISO 27001, “All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
  • PCI DSS
    • According to requirement 12.6 of the PCI (Payment Card Industry) DSS (Data Security Standard), entities must implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  • NIST 800-53
    • According to requirement AT-2, an organization is responsible for “providing basic security awareness training to information system users.” There are also two control enhancements that encourage the practical exercise of insider and outsider cyber-attack simulations.
  • HIPAA Security Rule
    • According to the administrative safeguard, 45 CFR 164.308(a)(5), covered entities and business associates must “implement a security awareness and training program for all members of its workforce.”
  • HIPAA Privacy Rule
    • According to administrative requirements under the HIPAA Privacy Rule, 45 CFR 164.530(b)(1) says, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information… as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
  • GDPR
    • According to article 39(1)(b), Data Protection Officers are responsible for “monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits…”
  • FISMA
    • According to U.S.C. 3544(b)(4)(A) and (B) under FISMA, entities are required to implement “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

Prepare Your People for Cyber Threats

How can the regular training of your employees be a critical component of your organization’s compliance and security? It has everything to do with both. By offering these resources to your employees, you ensure that they are aware of your company’s cybersecurity policies and the industry’s best practices. Security awareness training can help minimize your organization’s risk of a data breach, thus protecting your sensitive company data and your brand reputation. Security awareness training costs less than 1% of what the average breach costs, which makes the regular training of your employees worth the investment 100 times over.

It’s become quite common to see headlines about data security breaches, as different types of organizations are targeted every day. The data stolen in a breach includes things like Social Security numbers, credit card numbers, Protected Health Information (PHI), Personally Identifiable Information (PII), trade secrets, or intellectual property. The most important thing to consider when it comes to protecting against data breaches is that it’s not a matter of if, but when, so be sure to prepare for a breach with both prevention and recovery in mind. It’s also important to be aware of which state and/or federal data breach notice laws may apply to you in the event of a security incident at your organization.

There seems to be a lack of distinction between a security incident and a data breach; not every security incident constitutes a breach. A breach has occurred when sensitive, protected, or confidential information has been accessed or stolen by someone without the proper authorization to do so. Whether it’s a lost laptop, a malicious hacker, or sensitive information accidentally sent to the wrong person, it’s important to carefully evaluate every security incident to ensure you are following all applicable data breach laws in the event of an actual breach.

KirkpatrickPrice uses the Six Steps of Incident Response to help organizations determine the severity of a security incident and how to efficiently and effectively remediate. When developing your own incident response plan, take a look at these six common stages of incident response:

1. Preparation

Always document policies and procedures for appropriate disaster recovery to ensure that recovery and remediation will happen quickly. Are you prepared to handle an incident that could happen today?

2. Detection and Identification

What kind of incident has occurred? What is the severity? Has there been loss or exposure of sensitive data? Were any laws or contracts violated? How much information was impacted by the incident?

3. Containment

Notify the right people at the right time to help reduce the damage of a security incident and isolate the infected or compromised area.

4. Remediation

Resolve the issue, whether that means removing malicious code, addressing the responsible personnel, or eliminating another threat. What security gaps need to be addressed at this time?

5. Recovery

Implement all appropriate policies and procedures to get back up and running and continue to monitor that the incident has been fully resolved.

6. Lessons Learned

Make sure you know why the incident occurred so you can ensure that the same incident will not happen again.

For more insights on data security, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you meet your compliance objectives, contact us today!


A topic in the news is Data Security Breach. We see a lot of reports about organizations notifying the public that they’ve suffered some kind of a breach of information security. So an example of Data Security Breach could be that social security information has been compromised, or maybe credit card information is no longer protected. There are many laws covering Data Security Breaches. Those laws can be state laws, federal laws, or they might be the laws of other countries. These laws are not uniform and therefore it can be quite confusing for an organization to figure out exactly which law applies when the organization thinks it may have a security breach.

Not every security incident constitutes a Data Security Breach. You may have a lost laptop computer, maybe an employee loses a smart phone, maybe an employee accidentally sends sensitive information to the wrong people. Not every one of these kinds of incidents turns out to be a Data Security Breach under the relevant laws for which you need to give notice. Therefore, when an organization sees that it has an incident, it needs to conduct an appropriate investigation and follow the rules of law in order to determine, “have I achieved the point of having a breach? If I have, then I need to give the appropriate notices under the laws that apply.”

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.


Attorney Benjamin Wright helps others navigate the law of technology.

He teaches the Law of Data Security and Investigations for SANS Institute, the premier authority for training information security professionals and digital forensics experts. That 5-day bootcamp is unique in the world.

Wright is author of The Law of Electronic Commerce (Wolters Kluwer) and Business Law and Computer Security (published by SANS).

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Joseph R. Swedish, CEO of Anthem Inc., one of the largest healthcare providers in the US, announced Wednesday that, despite efforts to appropriately safeguard their information, they suffered a major cyberattack. This attack is said to have affected as many as 80 million people.

According to Anthem, this attack compromised both patient and employee information: names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment and income information. Swedish said in a letter published on a website about their response to the incident, “Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating in the investigation.” (www.AnthemFacts.com) They have since taken measures to improve their security environment by fully evaluating their systems.

HIPAA laws mandate that you properly safeguard the Personally Identifiable Information (PII) that you collect, and data breaches such as this can often result in heavy fines. There are specific guidelines regarding how to protect this information and how to report a breach once it has been discovered. In too many cases, businesses scramble to pick up the pieces as a result of a breach rather than already having in place a strong defense to protect the PII for which they are responsible. This is a scary time for the cyberworld, and with the discovery of this massive data breach we should be encouraged to continue to improve and strengthen our security measures as the landscape continually evolves.

If you need help assessing your current security environment or need help developing your Incident Response Plan, call us today at 800-770-2701 for a free consultation.



Text Recap: Information Security Tips for 2015

The New Year is here, and if Information Security trends from last year are at all telling, 2015 will be a very important year to pay close attention to the security of your sensitive data. Here are 5 Information Security Tips to keep in mind to protect yourself and your organization in 2015.

  1. Cybersecurity – Organized crime in the 21st century has a new name – Cybercrime. We are all too familiar with the headlines declaring the most recent retail hack. However, in 2015, the possibility of a breach threatens not only our credit card numbers, but also healthcare information, intellectual property, personally identifiable information, and more. Now that companies are beginning to “understand” the increasing severity of these attacks, they need to fully prepare to withstand any attack by investing in security.
  2. Privacy and Regulation – Laws and regulations that mandate safeguards and govern the use of Personally Identifiable Information (PII) are nothing new. What’s changing? Reactionary fines have been replaced with proactive supervision. The government isn’t waiting for a breach to inspect your compliance. However, implementing appropriate safeguards only for the sake of compliance with these laws, to avoid heavy fines and penalties, can be dangerous. Privacy should be looked at from a risk-based perspective. Following these laws and regulations can help prevent loss of business and reputational harm.
  3. Vendor Management – Strategic outsourcing of consumer-focused business processes comes with significant risk. According to federal legislation, the risk itself cannot be outsourced; it must be managed. Increasing governmental scrutiny has only magnified that risk. Threats from third-party providers demand that you control the supply chain. Do you have evidence to support that your vendors are compliant?
  4. Wearable Technology – Wearable technology is everywhere. While simplifying the ability to “connect”, these new pieces of technology also introduce new risk to your organization. Be proactive about securing wearables just like any other mobile device, and make sure your BYOD policy is up-to-date and enforced. Minimize the threat of a data leak.
  5. Your Weakest Link – Your People – Everyone’s heard “you’re only as strong as your weakest link”. In the world of Information Security, this adage should be at the forefront of every business owner’s mind. Protect your people. Educate your people. Setting the tone from the top is essential when promoting healthy security awareness in the workplace. When those who “sign the checks” focus on security, everyone else will too.