Friday, February 16, 2018

Gone Phishing

Phishing, the act of impersonating someone else in order to trick people into handing over credentials, data, or money, is occurring at an alarming rate.  It is also an increasingly common delivery mechanism for ransomware.


Some popular ones over the last few weeks to be aware of:

DocuSign Document is waiting for you

UPS Quantum Shipment - About a recent attempt to deliver a package to your address.

accounting@<yourcompany>com - An invoice or statement from a vendor that was sent to your company's accounting department.

"You have a fax message from RingCentral"

USPS HoldMail - The email is letting you know that your mail is on hold.

E-mails from your social media contacts whom you don't usually get emails from.

AppleID - A supposed receipt from Apple about some recent purchases you didn't make.

LinkedIn Connection Requests from fake LinkedIn profiles posing as if they worked at the same company as you at some point.   The tells are a low number of connections (under 50) and usually no profile photo.  Best practice is if you don't know them, don't connect with them.
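Several of the tells above (a sender address that almost matches your own domain, a display name that claims a brand the sending domain does not belong to, a Reply-To that goes somewhere else) can be checked mechanically on the mail headers. The script below is an added example, not part of the original post: it runs those checks over a few constructed messages. The domain `yourcompany.com`, the brand list, and the two-edit threshold for "lookalike" are assumptions you would tune for your own environment.

```python
"""Flag common phishing tells in raw RFC 5322 messages.

Checks: lookalike sender domains, display names that claim a brand or
your own domain while the address is elsewhere, and Reply-To pointing
to a different domain. Sample messages are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "yourcompany.com"  # assumption: the domain your own mail comes from
# Assumption: brands whose name in a display name should match the sending domain.
WATCHED_BRANDS = ("docusign", "ups", "usps", "ringcentral", "apple", "linkedin")


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """True when domain is a near miss of target: within two edits (dropped dot,
    swapped letter, added hyphen) or the same name on a different TLD."""
    if not domain or domain == target:
        return False
    if edit_distance(domain, target) <= 2:
        return True
    return domain.split(".")[0] == target.split(".")[0]


def sender_domain(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of phishing tells found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = sender_domain(addr)
    lowered = name.lower()

    if is_lookalike(domain, OUR_DOMAIN):
        findings.append(f"lookalike sender domain: {domain}")
    if OUR_DOMAIN in lowered and domain != OUR_DOMAIN:
        findings.append(f"display name shows {OUR_DOMAIN} but address is {addr}")
    for brand in WATCHED_BRANDS:
        if re.search(rf"\b{brand}\b", lowered) and brand not in domain:
            findings.append(f"display name claims {brand} but address is {addr}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and sender_domain(reply) != domain:
        findings.append(f"Reply-To goes to a different domain: {reply}")
    return findings


# Constructed sample messages (not real mail), one per tell plus a clean one.
SAMPLES = {
    "lookalike": (
        "From: Accounting <accounting@yourcompanycom>\n"
        "Subject: Invoice 4471 past due\n\nSee attached statement.\n"
    ),
    "brand": (
        'From: "DocuSign" <noreply@mail-docs-service.net>\n'
        "Subject: DocuSign Document is waiting for you\n\nReview here.\n"
    ),
    "replyto": (
        "From: Jane Smith <jane.smith@yourcompany.com>\n"
        "Reply-To: jane.smith@gmail-mail.co\n"
        "Subject: quick favor\n\nAre you at your desk?\n"
    ),
    "legit": (
        "From: Jane Smith <jane.smith@yourcompany.com>\n"
        "Subject: Lunch\n\nNoon?\n"
    ),
}


def scan_all(samples=SAMPLES):
    """Run check_message over every sample; returns {label: findings}."""
    return {label: check_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print(label, "->", findings or ["no tells found"])
```

Header checks like these are cheap and catch the lazy spoofs; they do not replace SPF/DKIM/DMARC on your mail gateway, and a sender who registers a convincing domain and controls its DNS will pass all of the above, which is why the "call a number you already trust" advice still applies.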


Remember: if you are not expecting an e-mail, don't open it, and always be suspicious of attachments and links.  If you are not sure whether it is legitimate or a scam, call the company at a phone number you have verified independently (from their website or your own records, not from the e-mail), and don't click on anything in the e-mail.

Be secure!

Friday, February 2, 2018

You are Only as Secure as Your Service Provider

Many businesses recognize the need to handle sensitive customer and employee information in a secure manner.  They may be using encryption on their hard drives, masking data fields like credit card numbers and social security numbers, and using secure methods to send data to their service providers for processing.  Where most organizations fall short is their lack of due diligence in finding out if their service providers treat their data with the same level of care that they do.

In banking, the federal regulators mandate that banks perform upfront vendor due diligence before contracting with a vendor who will be handling customer information, specifically NPI, or Non-Public Personal Information.  This includes credit/debit card information, social security numbers, dates of birth, driver's license or passport information, bank account information, and login information such as user IDs, passwords, security questions, or PINs, in combination with identifying information such as customer name, address, or phone number.

The bank regulations also require that banks perform ongoing vendor monitoring, extending even to subcontractors who may have access to the bank's sensitive data.

Businesses of all sizes need to hold their vendors accountable just as the large banks do.  As a small business you of course do not have the time or resources that a bank has to do vendor risk management to the same level.  But at a minimum, the following quick and easy checks will give you some comfort that your service provider is employing reasonable security measures regarding your data:

1. Ask for and read their Information Security Policy.  (And yes, you should have one too.)
2. Ask for and read their Data Backup Process as well as their Business Continuity Plan (BCP).  Make sure their backups are encrypted.  Is their BCP tested at least annually?  Can you get a progress report on the issues noted during the last BCP test?  If they don't have a BCP, then you need to make sure you can switch to a secondary provider in the event this vendor can't service your needs due to a business disruption.
3. Do they have either an employee or a contractor who is responsible for Information Security?  You should have a brief conversation with that person to see if they are a knowledgeable security professional, or just a management person who was given the title CISO because someone needed to be listed to make it look good.  (Yes, this happens more than you know.)
4. Does the vendor have a network penetration test performed (at least annually) by an independent ethical hacking firm?  They may not want to provide you with the entire report, and that is fine, but they should be able to give you the Executive Summary and a progress report on resolving any issues noted during the exercise that could affect the security of your data.
5. Insurance coverage (E&O and general liability).  Make sure you get an Evidence of Insurance certificate, and ensure that the coverage amount is adequate given your business and your data.
6. Make sure there is contract language that holds the vendor responsible for maintaining reasonable security practices regarding the storage, processing, and transmission of your data.  If possible, spell out what your definition of "reasonable" includes.*
7. Does the vendor have any type of third-party controls review performed, e.g., SOC 1, SOC 2, SOC 3, or PCI?  If so, ask for a copy of the report and read it.
8. Does the vendor use encryption for the transmission and storage of your data?
9. Are user account entitlement reviews performed quarterly?
10. Do they have a Security Awareness Program in place to train their employees about good security practices?
11. Do they perform quarterly vulnerability scans of their computer environment?
12. How are you sharing data with the provider?  Is it a secure method?


*For item #6, this is a requirement of the Maryland Personal Information Protection Act.  So if you have any customers or employees who are Maryland residents, the amended law (effective 1/1/18) mandates that you have security language in your service provider contracts if you are sharing customer or employee NPI.

For more details visit:
http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx



Be Secure!