Category: Compliance

It Doesn’t Matter What Business You’re In—Regulatory Compliance Matters

We all used to think “regulatory compliance” was something for banks, the financial sector, the pharmaceutical industry, healthcare, and a few others, not for a business outside those sectors. Those businesses are regulated; I’m just (fill in whatever business you’re in), so I don’t need to worry about that.
Not anymore.
In the era of GDPR, CAN-SPAM, HIPAA, CASL, PIPEDA, CIPA and the rest of the alphabet soup of privacy regulation acronyms, all businesses need to think about, and manage, regulatory compliance. The question for many is how to get started, what to worry about, and how to both achieve and maintain compliance. This guide covers the foundational elements, from GDPR and HIPAA to finance and healthcare, needed to start building a regulatory-forward mindset.
What does regulatory compliance mean to you?
The most important part of this guide is understanding what regulatory compliance means and, more specifically, what it means for your company. Our regulatory compliance overview—What is Regulatory Compliance?—should be the first thing you open in a new tab and start reading. Compliance is more than crossing T’s and dotting I’s; it’s about making sure your company knows what to track, how to track it, and how to fix compliance issues when they are found.
Today the biggest concern is protecting customers’ personally identifiable information (PII) and, in healthcare, protected health information (PHI). The heart of GDPR, PIPEDA, CIPA, HIPAA, and CCPA is safeguarding personal privacy. The right to be forgotten, penalties for data breaches, and even how you can communicate with people hinge on privacy. The first step to compliance, and to building a compliance mindset, is learning more about the privacy laws worldwide and understanding which ones apply to you.
For most businesses, it is critical to know the requirements in any of the countries you are doing business in, such as:

GDPR (EU)
CAN-SPAM (U.S.)
CCPA (U.S.)
PIPEDA (Canada)
CASL (Canada)

This will provide you with a strong foundation for data privacy. Many requirements found in one regulation also appear in others: becoming compliant with CAN-SPAM lays a foundation for CASL, and complying with PIPEDA gets you part way towards GDPR. The overlap is not total, though. CASL, for example, requires consent before a commercial electronic message is sent, whereas CAN-SPAM only requires that recipients can opt out afterwards, so a CAN-SPAM-compliant mailing list is not automatically a CASL-compliant one. In broad strokes they all require many of the same things; the details are where the work is.
Healthcare and HIPAA Compliance
For the healthcare industry in the U.S., HIPAA is the regulation you must fully comply with. The stakes for not being in compliance, or breaking one of the HIPAA-mandated protections, are severe: settlements in the millions of dollars have followed the loss or theft of a single unencrypted laptop holding patient data. Some of the resources you should review are:

What is HIPAA Compliance and Why Is It Important to Healthcare Security?
Avoid Security Breaches in Healthcare with Data Visibility
HIPAA Privacy Is About More than Just Compliance
Escalating Risks to Healthcare Data
HIPAA Security Rule: Protecting Privacy and Improving Patient Care
HIPAA Compliance Checklist

GDPR Spans Far Beyond the EU
For over a year now we’ve been asked to accept cookies when visiting websites. Why all of a sudden? Consent requirements for cookies actually predate GDPR (they come from the EU’s ePrivacy rules), but when GDPR came into effect it raised the bar for what counts as valid consent, and anyone with visitors from the EU needed to tell them the site used cookies and give them a real option to decline. So why are we seeing these notices everywhere? Because it’s easier to put up a cookie notice for the whole world than to segment your visitors by region.
And, as it turns out, it’s not so bad to let people know about the cookies a website uses. One of the interesting outcomes of GDPR has been websites outside the EU following GDPR guidelines. The end result is that everyone, in the EU or not, is a little more protected. As with HIPAA, Absolute has a number of resources for you to learn about GDPR compliance and how to get started.

Weighing Privacy with Security Under GDPR
GDPR: The Why and How for Financial Services
Yes, GDPR Applies to You
Critical Actions for Finalizing Your GDPR Compliance Program
What You Need to Know about GDPR Breach Disclosure, Response
Ensure Compliance with GDPR Data Protection Impact Assessments
How Ready Are You for GDPR Enforcement?
5 Tips for Compliance Officers Dealing with GDPR

This case study from Absolute customer KCOM on becoming GDPR compliant and increasing their overall security posture illustrates some best practices you can apply to your business.
Other Privacy Regulations
California has its own privacy legislation—Will CCPA Pave the Way to a Federal Data Privacy Law?—that came into effect January 1, 2020 and covers many of the same aspects as GDPR (controlling, and opting into, how your personal information is collected and used). New York has its own personal privacy law—Personal Privacy Protection Law | OTDA—and many other U.S. states are likely to follow suit. You need to stay on top of regulations in your jurisdiction. For now, companies must be familiar with new and emerging state laws until such time as data protection is addressed at the federal level, as was done in the EU.
Building a Compliance Mentality
Following rules for sending emails, how your website works, or how customer data is handled is only part of regulatory compliance. The bigger picture is developing a mentality in your company for becoming and staying compliant. It’s much more than a check-the-box exercise. A compliance mentality means everyone in the company thinks about:

How data is stored
Who has access to data
What devices are on the network
How new devices are added to the network
How data on devices is managed
What happens if something goes wrong

For example: You’re working on a big customer analysis project. You have purchase data and detailed personal information for thousands of customers. You do most of your work from the office, but during a crunch time you bring your laptop home to finish things up. You need to make sure:

Your VPN is set up
Your home Wi-Fi network uses WPA2 or WPA3 with a strong passphrase (not an open network or WEP)
Your laptop requires a password to log in, has full disk encryption turned on, and locks the screen after a short idle period
You have laptop tracking and location software set up
You don’t leave your laptop in plain view in your car
You don’t leave your laptop unattended at a coffee shop
If you must connect to public Wi-Fi, you use the company VPN to protect your connection
You don’t download personal apps on your work machine
You are suspicious of links you click and documents you open

If you miss any one of these points, your laptop could be compromised, customer data lost, and your company out of compliance with any number of regulations, not to mention possibly the next unfortunate headline: “Acme Company Data Breach Linked to Laptop Left in a Cab” or “Acme Network Crippled by Ransomware After Phishing Attack”. Remember, damage to your brand is both costly and lasting.
This is the essential part of how to manage regulatory compliance: understanding that it’s not just the job of IT or the Compliance Officer or someone nagging you about following rules. For a company to be compliant, everyone in the company must be compliant too. A compliance mentality, whether for privacy protection or for reporting under Sarbanes-Oxley, is about understanding that there are rules your company must follow and that the consequences for breaking them can be severe.
How Absolute Can Help
While this post focused on privacy-related regulations, many regulations outside of privacy hinge on your company having ready access to records, data, and information. If you need to show financial regulators you are following their rules, you need the data to back it up. If you can’t do that—you’re out of compliance. You need to be able to pinpoint where sensitive data sits, who has access to it, and how you monitor data.
Absolute has solutions tailored to becoming and staying compliant with a range of regulations, including solutions especially for GDPR compliance. These solutions help you track data, devices, access, and security policies across your organization—even remote and distributed workforces.
Learn more about compliance solutions from Absolute and request a demo.
 
This article is for informational purposes only.  The information in this article is not legal advice, is not to be acted on as such, is not intended to substitute for professional legal advice, may not be current, and is subject to change without notice.  You should contact a licensed lawyer in your area to assist you in legal and regulatory matters.  Absolute expressly disclaims all liability with respect to actions taken or not taken by a reader based on any or all of the information and commentary in this article.
©2020 Absolute Software Corporation.  All rights reserved.  ABSOLUTE and the ABSOLUTE logo are trademarks of Absolute Software Corporation. Other names or logos mentioned herein may be the trademarks of their respective owners.
 

Trust But Verify: Automated Solutions Keep Remote Employees Productive and Secure

How endpoint management keeps employees secure and helps IT rest easy
As our work-from-home “experiment” drags on, IT is probably wondering how all those laptops are doing. Are OS updates getting done? Have people messed up their VPN settings, or worse, do they think their VPN settings are fine when they have actually been tampered with? What about installing apps? Visiting suspect sites? People aren’t behind the corporate firewall most of the time, so the usual filters and blocks aren’t there to protect them (or the network).
This could be a real IT disaster in the making. There is a solution, and as Reagan said: trust, but verify.
Trust your employees, but not blindly
One of the biggest challenges for making working from home work is building trust. I touched on trust in my last post on leading IT teams remotely: the twice-daily update meetings and the über project dashboard so everyone could see what was going on. It took a while for everyone to trust that people were working in place and not Netflixing in place.
In the office, it’s easy to trust that people aren’t going to install software willy-nilly. There is a certain amount of “everyone is watching” that keeps things in check. At home is another matter. Left to our own devices, or left to troubleshoot problems ourselves (“oh, I can fix that glitch, no problem…”), everyone can get into trouble.
Here’s where the “verify” part comes in.
Proactive protection solutions for remote employees
One of the biggest challenges of remote work is making sure everyone keeps their computers up to date and secure. From OS updates to VPN settings, and app restrictions to malware protection, maintenance tasks that are simple while everyone is connected to the company network become cumbersome when employees pop on and off your VPN and go online and offline seemingly at random. Even the most well-meaning and tech-savvy people forget to run system updates.
The last security update for macOS didn’t get installed on my personal machine right away. I got the prompt to install it, but “oh jeez, I have to restart and I have to get this thing done right now, I’ll do it tomorrow…” “Tomorrow” became over a week. Thankfully nothing bad happened because I ignored an update for a while, but it could have. OS updates are just part of the puzzle. What about making sure virus scans haven’t been disabled? What about someone accidentally messing up their VPN settings (hey, it happens to all of us once in a while)? How do you deal with those issues?
Absolute has two solutions for these problems:

Absolute Reach gives IT hundreds of pre-built scripts to push and run on employee machines for regular and critical maintenance
Absolute Application Persistence for VPN ensures everyone is connecting to your network securely with self-healing VPN settings

If you’re an existing Absolute customer, both of these solutions are available at no cost until August 31st. Now is not the time for IT to be worrying about whether people are keeping their machines secure at home. IT’s job is hard enough as it is (been there, done that as front-line tech support, thank you very much) without wondering whether someone trying “that fun new app” on their work machine has opened a security hole in the network.
Absolute Reach keeps things in shape
With over 130 scripts available you can make sure patches are applied, security settings are still as configured, and policies are still in place. And employees don’t have to be connected to your network for it to work. Absolute extends IT’s reach to help remote employees stay safe and secure, and by extension your company, your network, and your data.

Learn more about Absolute Reach and how current customers can add it for free right now.

Persistence pays off for VPN connections
Your VPN is a critical part of securing remote employees, not just when they are working from home but when traveling, at a conference, or on any other untrusted network. Absolute Application Persistence for VPN keeps that VPN set up and configured on every remote machine automatically. You don’t have to worry if someone deletes the VPN client because they think that’s why the laptop won’t connect to Wi-Fi. You don’t have to worry if someone accidentally installs malware or spyware that tries to circumvent, man-in-the-middle, or outright remove VPN settings and replace them with its own.
Application Persistence for VPN resets, self-heals, and protects one of the most important controls your remote workforce has: your VPN.

Learn how Absolute customers can start using Application Persistence for VPN right now.

Business continuity for when business unusual is becoming business as usual
At Absolute we’re all in the same boat you are. These past few weeks have put everything in our lives under stress. Businesses are trying to make the best of things and stay running. Many of us are working from home for the first time and finding it tough to work and be parents at the same time. Stress all around, and no easy answers for when it will all be over.
We can’t fix the stress everyone is under. Not even close. What we can do though is help with tools and solutions to help businesses keep running and running securely.
Stay safe out there.

HIPAA Compliance Checklist for 2020

HIPAA was enacted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty penalties for non-compliance. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA, and the settlements and penalties it has imposed have grown sharply in recent years.
In 2018, Anthem, one of the nation’s largest health benefits companies, paid $16 million, still the largest HIPAA settlement to date, for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. Another of the largest settlements was the $5.5 million paid by Memorial Healthcare System in 2017 for inappropriate access to the PHI of 115,143 individuals. Earlier this year, we learned hackers compromised two employees’ email accounts at a Michigan healthcare group, exposing patient data, and went undetected for six months.
With increasingly severe HIPAA non-compliance penalties on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs (and their business associates) adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected and how it may be used and disclosed, and the HIPAA Security Rule, which establishes how ePHI must be protected.
The Privacy Rule defines individually identifiable health information as information, including demographic data, that identifies the individual (or could reasonably be used to identify them) and relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing effort. While there is some irony in providing a compliance checklist when we so often hear ‘compliance is much more than checking a box,’ there are program elements that can, and should, be checked off. When marked complete, your confidence in your organization’s HIPAA adherence will increase.

The seven areas below are adapted from OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments and audits, and be able to produce documentation that they have been conducted, for the past six years (HIPAA’s documentation retention period).
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized accessing of ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically log out a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized access to ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting of minor or meaningful breaches/incidents.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
Successfully completing this checklist does not guarantee your organization is HIPAA compliant, nor does it ensure that your organization will avoid data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties.
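The checklist items on unique user IDs, access limited to job duties, routine log review, and guarding ePHI (and the logs themselves) against unauthorized alteration are the ones that most benefit from being automated. The following is an added example, not OCR’s guidance or Absolute’s code: it runs three access-control checks over a small, constructed ePHI access log and then verifies the log with a hash chain so that an edited entry is caught. The log format, the role table, the workforce roster, the per-hour threshold and every log line are assumptions made for the example; real audit logs carry different fields, so only the checks are meant to transfer.

```python
"""Reviewing ePHI access logs for unauthorized access, with a tamper check.

Added example for the checklist items above; not OCR's or Absolute's code.
The log format, role table, roster, threshold and all log lines are constructed.
"""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed 'minimum necessary' policy: record types each role may read.
ROLE_PERMISSIONS = {
    "physician": {"clinical_note", "lab_result", "demographics"},
    "nurse": {"clinical_note", "lab_result", "demographics"},
    "billing": {"demographics", "claim"},
}
# Constructed roster of active workforce members by unique user ID.
# Any ID not listed belongs to a terminated or unknown account.
ACTIVE_USERS = {"u1001": "physician", "u1002": "nurse", "u2001": "billing"}
# Distinct patients one user may touch in an hour before review is triggered (constructed).
PATIENTS_PER_HOUR_LIMIT = 25
GENESIS = "0" * 64


def entry_hash(prev_hash: str, ts: str, user: str, record: str, patient: str) -> str:
    """Hash chain: each entry commits to the previous entry's hash, so editing
    or deleting an earlier line breaks the chain from that point on."""
    return hashlib.sha256(f"{prev_hash}|{ts}|{user}|{record}|{patient}".encode()).hexdigest()


def make_log(rows: list) -> list:
    """Build a correctly chained log from (timestamp, user, record, patient) rows."""
    lines, prev = [], GENESIS
    for ts, user, record, patient in rows:
        h = entry_hash(prev, ts, user, record, patient)
        lines.append(f"{ts},{user},{record},{patient},{prev},{h}")
        prev = h
    return lines


def parse_line(line: str) -> dict:
    """Constructed format: ISO time, user ID, record type, patient ID, prev hash, hash."""
    ts, user, record, patient, prev, h = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "record": record,
            "patient": patient, "prev": prev, "hash": h}


def verify_chain(entries: list) -> list:
    """Indexes of entries whose stored hash does not match a recomputation
    over their own fields and the preceding entry's hash."""
    broken, prev = [], GENESIS
    for i, e in enumerate(entries):
        expected = entry_hash(prev, e["ts"].isoformat(), e["user"], e["record"], e["patient"])
        if e["prev"] != prev or e["hash"] != expected:
            broken.append(i)
        prev = e["hash"]
    return broken


def review(entries: list) -> list:
    """Access-control checks over parsed entries; returns (index, reason) findings."""
    findings = []
    per_hour = defaultdict(set)  # (user, hour bucket) -> patients touched
    for i, e in enumerate(entries):
        role = ACTIVE_USERS.get(e["user"])
        if role is None:
            findings.append((i, "access by terminated or unknown user id"))
            continue
        if e["record"] not in ROLE_PERMISSIONS[role]:
            findings.append((i, f"{role} not permitted to read {e['record']}"))
        bucket = (e["user"], e["ts"].replace(minute=0, second=0, microsecond=0))
        per_hour[bucket].add(e["patient"])
        if len(per_hour[bucket]) == PATIENTS_PER_HOUR_LIMIT + 1:  # flag once, when crossed
            findings.append((i, "unusual number of distinct patients in one hour"))
    return findings


# Constructed sample: routine care, a billing clerk opening a clinical note,
# a terminated user ID, and a nurse paging through 30 charts within an hour.
SAMPLE_ROWS = [
    ("2020-03-02T09:05:00", "u1001", "clinical_note", "p-4401"),
    ("2020-03-02T09:07:00", "u2001", "claim", "p-4401"),
    ("2020-03-02T09:12:00", "u2001", "clinical_note", "p-4402"),
    ("2020-03-02T09:20:00", "u1999", "lab_result", "p-4403"),
] + [(f"2020-03-02T14:{m:02d}:00", "u1002", "demographics", f"p-5{m:03d}") for m in range(30)]


def demo() -> dict:
    """Review the clean log, then show that an in-place edit hiding the
    terminated-user access is caught by the chain check even though the
    access-control review would no longer flag it."""
    lines = make_log(SAMPLE_ROWS)
    entries = [parse_line(line) for line in lines]
    tampered = list(lines)
    tampered[3] = tampered[3].replace("u1999", "u1001")  # insider rewrites the user ID
    t_entries = [parse_line(line) for line in tampered]
    return {"findings": review(entries), "chain_ok": verify_chain(entries) == [],
            "tampered_findings": review(t_entries), "tampered_broken": verify_chain(t_entries)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On the clean log the review flags the billing clerk’s clinical-note read, the terminated account, and the nurse once she passes the per-hour threshold; after the user ID in line 3 is rewritten the review no longer sees the terminated account, but `verify_chain` reports that entry as broken. Two caveats: the hash chain only makes individual edits evident, because an attacker who can rewrite the whole file can recompute every hash, so the chain head should be forwarded periodically to a write-once or remote store; and the 25-patients-per-hour threshold is a constructed number that should be set from the organization’s own baseline behaviour.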

What is Cyber Resilience and How Can You Achieve It?

What Is Cyber Resilience?
As the cyberthreat landscape darkens each day, the term “cyber resilience” is increasing in importance.
A cyber resilient company is in the best position to prepare for, respond to, and recover from a cyberattack. Being resilient, however, means much more than attack prevention or response. A cyber resilient enterprise can continue to function during an attack and is agile enough to adapt and recover from the incident.
While a protection-focused approach may have worked in the past, today’s enterprise must now move to adopt a strategy that is based more on endpoint resilience which, beyond protection, emphasizes adaptability, exposure reduction, information gathering and discovery.
Cyber resilience transcends technology and can protect the interests of everyone involved, including the C-suite, staff, shareholders, and the board of directors.
Resilience comes down to having a self-healing capability. Think of it this way: if your company must rely on an external source to resurrect you, then you can’t call yourself resilient. Only those organizations with a self-healing property (being able to recover without human intervention) can be truly classified as resilient.
Ultimately, if the organization has its eye on becoming more resilient, then it must incorporate technologies with the capacity of self-healing. Running around putting things back together isn’t the preferred state of a resilient enterprise.
Self-healing: The Only True Resilience
In the hardware world, we buy and deploy redundant systems: multiple firewalls, routers, switches, clouds, and cables. We do this because we expect our hardware defenses to fail; there’s even a name for it: “failover”. The other term used often is High Availability, which in practice just means more hardware deployed for failover.
In the software universe, the equivalent is resilience. But unlike hardware, you can’t simply keep clones of the same tools, controls, apps, and agents standing by as understudies to the primary control. “When the primary control fails, the clone steps into the spotlight” is not an idea that exists for software controls on an endpoint.
So enterprises need to rely on resilient software controls, apps, and agents, and the only way you can claim you are resilient is if you have a self-healing capability. Without it, there is no replacement and so no failover. It’s a crack in your security fabric.
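The self-healing idea argued for here, and the VPN-settings case in the remote-work post above (a user deletes the VPN client, or malware redirects it), come down to one loop: detect that a control’s configuration has drifted from a known-good state, log it, and put it back without waiting for a human. The following is an added example written for this page, not Absolute’s Persistence code. It keeps a known-good VPN client config, compares the on-disk copy against an HMAC of the baseline, and restores the file on drift or deletion. The config contents, file name, key and test-net address are all constructed assumptions.

```python
"""Detect-and-restore loop for a security control's configuration file.

Added example, not Absolute's Persistence code. The VPN client config, the
baseline copy, the file name and the HMAC key are constructed for the example.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed "known good" VPN client configuration (assumption).
BASELINE_CONFIG = b"""remote vpn.example.internal 1194
proto udp
cipher AES-256-GCM
verify-x509-name vpn.example.internal name
"""

# Constructed key; in practice provisioned to the agent out of band.
BASELINE_KEY = b"example-agent-key-not-for-production"


def baseline_tag(config: bytes, key: bytes = BASELINE_KEY) -> str:
    """HMAC-SHA256 over a config. A bare SHA-256 stored next to the file would
    let whoever rewrites the config also rewrite the hash; an HMAC means they
    additionally need the key."""
    return hmac.new(key, config, hashlib.sha256).hexdigest()


def check_and_heal(path: str, expected_tag: str, baseline: bytes = BASELINE_CONFIG,
                   key: bytes = BASELINE_KEY) -> dict:
    """Compare the on-disk config with the expected tag; restore it on drift.

    Returns an event record the caller can log (the CSF 'detect and log
    configuration changes' item), including which lines differed.
    """
    try:
        with open(path, "rb") as fh:
            current = fh.read()
    except FileNotFoundError:
        current = None

    if current is not None and hmac.compare_digest(baseline_tag(current, key), expected_tag):
        return {"path": path, "drift": False, "action": "none", "diff": []}

    # Drift or deletion: record the differing lines, then restore atomically so
    # a crash mid-write never leaves a half-written config behind.
    before = current.decode(errors="replace").splitlines() if current is not None else []
    after = baseline.decode().splitlines()
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(baseline)
    os.replace(tmp, path)
    return {"path": path, "drift": True,
            "action": "restored" if current is not None else "recreated",
            "diff": sorted(set(before) ^ set(after))}


def demo() -> list:
    """Walk the loop through three states of a temp file: intact, tampered
    (the server line redirected to an attacker-chosen address), deleted."""
    tag = baseline_tag(BASELINE_CONFIG)
    events = []
    with tempfile.TemporaryDirectory() as workdir:
        cfg = os.path.join(workdir, "client.ovpn")
        with open(cfg, "wb") as fh:
            fh.write(BASELINE_CONFIG)
        events.append(check_and_heal(cfg, tag))  # intact: no action

        # Constructed tampering: server redirected to a TEST-NET address.
        tampered = BASELINE_CONFIG.replace(b"vpn.example.internal 1194", b"198.51.100.7 1194", 1)
        with open(cfg, "wb") as fh:
            fh.write(tampered)
        events.append(check_and_heal(cfg, tag))  # drift: restored

        os.remove(cfg)
        events.append(check_and_heal(cfg, tag))  # deleted: recreated

        with open(cfg, "rb") as fh:
            events.append({"final_matches_baseline": fh.read() == BASELINE_CONFIG})
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The loop is only as trustworthy as the place the baseline and key live: a script running as the user can be stopped, or its baseline edited, by the same malware it is trying to undo. That is the practical content of the argument above and of the firmware-embedded persistence the page describes; the restore source has to sit somewhere the attacker’s privilege level cannot reach, and every restore event should be shipped to a remote log so that repeated drift on one machine is investigated rather than silently repaired forever.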
It All Starts With A Framework
While this resiliency may sound daunting and difficult to achieve, thankfully there is an existing framework that the enterprise can leverage to improve its resiliency. The NIST Cybersecurity Framework (NIST CSF) outlines specific outcomes and actions that organizations can pursue to see success in their cybersecurity programs.
Related: See Everything With the NIST Cybersecurity Framework
The five core functions of the NIST CSF (version 1.1), with examples of the endpoint activities that fall under each, are:
IDENTIFY

Identify each endpoint for a comprehensive inventory
Identify authorized and unauthorized hardware and software
Prioritize endpoints based on classification, criticality, and business use
Benchmark device controls against security standards and policy
Quantify risk based on device vulnerabilities and exposures
Catalog device, data, user, and application relationships across the endpoint population

PROTECT

Gain physical access control and geofencing for distributed endpoints
Freeze, delete, and wipe devices through remote commands
Enable secure remote access systems (e.g. VPN) on all endpoints
Validate and restore encryption for at-risk data
Automate validation for data integrity in software, firmware, and cloud storage apps
Control communication from endpoints to the corporate network or domain
Authorize telemetry analysis and remote command for maintenance and repair

DETECT

Establish baseline behaviors for users, data, devices, and applications
Unify asset intelligence across the device population
Monitor user activity and enforce role-based security controls
Score high-risk users with access to sensitive data
Access geo-tracking and user-device awareness
Detect and log configuration changes

RESPOND

Utilize dynamic remediation and control changes
Perform role-based access control for in-console response commands
Deliver continuous device logs and forensic documentation
Isolate a device or group of devices for containment
Push control changes to prevent spread of detected compromise
Command hotfixes to mitigate indicators of exposure (IOEs)

RECOVER

Enforce policies within device controls
Monitor device use and locally accessed sensitive data
Control incident investigations, digital forensics, and documentation
Augment and push new controls for endpoint hygiene
Access documentation instantly for continuous improvement to endpoint hygiene and data protection

A Blueprint for Resilience
Each function of the NIST CSF is designed for resilient cyber defense and protection and aims to ensure data confidentiality, integrity, and availability. Much of the work needed to be resilient is simply doing the basics: patching, strong authentication, control monitoring, and so on.
What’s practical about something like the NIST CSF (or the CIS Controls, ISO 27001, or any of the others for that matter) is that it is a blueprint. Just like a blueprint for a building, the CSF is like having the architect’s plans for a well-engineered structure.
With NIST in particular, the goal is resilience, especially in the Protect and Recover functions: Protect establishes the initial resilience, and Recover is where the organization learns and grows more resilient. Those two are the target.
Learn more about Absolute Persistence technology. With it, IT and security teams get an unrivaled view and command of their device population to enable data protection and improve security posture — all through automated endpoint hygiene.
 

How to Improve Data Security in the Financial Sector

Financial service organizations, including banks, wealth advisors, insurance providers and others, rely on data to power their business. As a result, they hold vast amounts of highly sensitive personal information and today, all of it is of course digital. This treasure trove of data makes the financial services industry a highly valued target for cyber criminals, and a quick check of the headlines proves they have been busy taking what they want. From Capital One to Equifax and countless others in between, data breaches across the financial sector are massive in both scope and cost.
High Cost of Data Breaches
As this year’s Cost of a Data Breach Report by the Ponemon Institute again shows, the price tag for falling victim to hackers continues to climb. The global, cross-industry average cost is now $3.92 million – an increase of 12% over what it was just 5 years ago. Driving the rising costs for all U.S. organizations is the lost business that results from a breach including lost customers, system downtime and general business disruption.
Adding further insult to injury, the financial impact of a data breach can last for years, particularly for highly regulated industries like financial services. Long, complex governance processes in which legal fees and fines are dragged out for long periods of time are painfully common. As the regulatory environment continues to evolve, with new state data protection laws such as the California Consumer Privacy Act (CCPA) coming onto the scene for example, compliance challenges and associated fines for financial services and other industries will only grow.
3 Steps to Better Data Security
How are cyber attackers getting in? There are several studies on this, and for the financial services industry specifically, most currently point to phishing as the primary initial access method. Intended targets include both the institution’s employees and its customers.
Regardless of tactic however, there are a few steps you can take to improve your security posture.

Know your endpoints. Comprehensive asset intelligence equips IT and security teams with the full story of their device population and provides a single source of truth into where your devices are, how they are being used, and whether or not your security controls are working as they should. The 2019 Endpoint Security Trends report found 42 percent of all endpoints are unprotected at any given time and 100 percent of endpoint security agents eventually fail. Timely insight into your users, device fleet, the apps they run, and the data they touch will help you identify blind spots that often represent a breach waiting to happen.

Fortify endpoint resilience. To mitigate risks and potential security exposures, ensure your endpoints are self-healing machines capable of safeguarding distributed data without the need for human intervention. Automated self-healing is critical when it comes to fending off the barrage of attacks you (and your users) face every day. Absolute is already embedded in your devices; you just have to activate it. OEMs, including Dell, HP, Lenovo, and Microsoft, ship their machines with Absolute’s firmware-enabled Persistence™ module. With this unshakable connection to every device, Absolute examines hygiene and compliance drift, regenerates controls and boosts the resiliency of all your endpoints.

Implement the NIST Cybersecurity Framework (NIST CSF). Because much of the high cost of a data breach comes from compliance failures, continuous compliance must become your new normal. Ongoing, flexible checks that adapt to any standard, such as GDPR, SOX, or PIPEDA, are needed to identify and restore critical security controls, including AV, encryption, EDR, DLP, and VPN, that cause compliance drift when disabled or outdated. One way organizations are responding to this continuous need for visibility and control is by adopting the NIST CSF. The repeatable framework supports proactive cybersecurity disciplines and enables scalable operations. For more, read: How to Use the NIST Cybersecurity Framework.

The financial services industry doesn’t have the sole attention of cyber criminals – no industry is immune to attack anymore. But knowing your specific risks is the first step in providing better protection for your organization as well as your customers.
For more information on how Absolute helps financial organizations protect data and remain compliant, see our solution sheet.
 

Why a Vulnerability Management Program Is Critical For Your Company: All Your Questions Answered

What is a vulnerability management program, anyway?
A vulnerability management program (VMP) is used to identify and manage weaknesses within an organization that could be exploited to gain access to the company’s computers and stored data.
Companies must understand that a VMP is much more than just patch or inventory management. While these elements are crucial to a good VMP, even more critical to the program are the employees. 
Why are employees so critical to the success of a VMP?
By training employees not to click on suspicious email links, open unknown documents, or let someone into a secure area without badging in, companies can go a long way toward minimizing potential vulnerabilities within the organization.
I often think of the “In this corner we have Dave” cartoon. We all have good intentions and a desire to be effective. Without proper education, our intentions often lead us to very vulnerable places.
In the “User Dave” scenario, you have to educate employees on issues like phishing and things like not letting somebody tailgate and walk into the building behind you. Because at the end of the day, the best tools in the world aren’t going to defeat Dave, who may leave his laptop open as he picks up his coffee at Starbucks while VPN’d into the network.
It’s really about the education.
There should be an understanding among employees about why it’s important to accept that patch, why it’s important to have the VPN on when you’re at Starbucks, and why you should, at the very least, lock your computer if you’re going to walk away from it.
Where do I even start in developing a VMP?
Start with the NIST Cybersecurity Framework. If you really peel back the onion on the framework, it’s not about telling you that you must have a VPN, or a password that’s 12 pages long that you must change every 90 days. It’s a tool to get your organization to start asking questions.
For example, how do we feel about this type of vulnerability and how are we doing perimeter management? How are we securing PII and things of that nature?
So if I were going to start anywhere, it would be at the higher level of the NIST cybersecurity framework. Once you’ve gone through that, you can score yourself on where you are risky and where you are not. Are you doing patch management, and are you rolling it out at the appropriate time?
Then you’ll hopefully have a grasp on the posture of your risk tolerance and can find a program that works for your organization.
That’s where I think the VMP falls into place. If your risk tolerance isn’t matching up to your perceived level of protection, then you need to start looking into how to protect yourself.
Essentially, you need to ask yourself how to best assess your vulnerability management to ensure that you can put your head on your pillow and sleep at night.
Read: NIST CYBERSECURITY FRAMEWORK: FIRST, SEE EVERYTHING
Why is it important for an organization to have a VMP?
Without a VMP, it would be difficult for an organization to determine its posture on cybersecurity risk.
Because without the vulnerability management program, everything else becomes a shot in the dark.
Which elements are a must to include in your VMP?
I can’t stress enough the importance of training everyone connected to the organization, which includes full-time employees, contractors, receptionists, and C-level staff.
But it is also critical to understand the true state of every device connected to your environment.
For instance: How out of date are the browsers being used in your networks? What are employees using multimedia software platforms for? What happened to that laptop that was issued two years ago to the employee who is no longer working for you?
Finally, include an “end of life” strategy for everything and review it regularly. It includes devices, software, cloud service providers, VMPs, etc. Don’t just assume that once you have started a program that everyone is on board and it will be executed properly tomorrow. It needs constant maintenance.
Which company departments should be involved in creating the VMP?
At a high level, to get the proper buy-in for a successful VMP you need stakeholders from HR, legal, governance, IT Ops, security and the C-staff. Buy-in needs to come from the top and be demanded of everyone throughout the organization.
While you may not want frontline employees to dictate policy, getting them involved and encouraging feedback is important. You want a rational conversation in which the company can find the point at which security measures start to make employees feel less productive. Once you find that line, you don’t want to step over it.
As long as you have that open dialogue, I think buy-in is easier.
What are the tangible benefits of having a VMP? 
There are three tangible benefits to having a VMP:

Once completed, you will have a better understanding of your organization’s risk posture.
You will be better prepared on how to react when — not if — you have a vulnerability that is exploited.
Your organization can experience a sense of unity in coming together as a team to protect and defend against malicious actors.

What questions should CIOs ask themselves when creating a VMP?
You need to understand your environment.
Do you have a “Single Point of Truth” of the state of your environment? From BIOS up to the latest browser plugin? Can you logically group assets by location, by user role, by privilege?
All of these make it easier for IT Ops and Security to more quickly identify and isolate the issues that matter most from those less likely to cause concern.
More questions: Is your outside sales organization using an older version of a VPN tool because their systems are regularly missing patch management events? Does this suggest a greater vulnerability than a computer sitting in a training lab with the same old VPN client installed?
Do you have users that are technically savvy enough to change a hard drive, boot from a USB device, or even try to circumvent existing processes to satisfy their own needs? Can you track that behavior today, and if not, how can you ensure that your data and the PII data that you are protecting is safe?
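The prioritisation these questions point at, as an added example that is not code from the original post or from Absolute: the same outdated VPN client is ranked by the context the inventory supplies (location, role, privilege, patch cadence, PII handling). The inventory entries, package names, minimum versions and weights are all constructed for illustration.

```python
"""Context-aware vulnerability triage over a constructed asset inventory."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    asset_id: str
    role: str               # e.g. "sales", "training-lab", "finance"
    location: str           # "remote" (off the corporate network) or "office"
    privilege: str          # "admin" or "user"
    handles_pii: bool
    days_since_patch: int   # days since the last successful patch event
    software: Dict[str, str] = field(default_factory=dict)  # name -> version


# Hypothetical minimum approved versions; in practice this comes from the
# organisation's own "Single Point of Truth" inventory policy.
MIN_VERSIONS = {"vpn-client": "5.2", "browser": "90"}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def outdated_software(asset: Asset) -> List[str]:
    """Names of installed packages that are below the approved minimum."""
    return [
        name for name, ver in asset.software.items()
        if name in MIN_VERSIONS
        and version_tuple(ver) < version_tuple(MIN_VERSIONS[name])
    ]


def exposure_score(asset: Asset) -> int:
    """Context multiplier: how much a weakness matters on this device.
    Weights are constructed for illustration, not taken from any standard."""
    score = 1
    if asset.location == "remote":      # no perimeter controls in front of it
        score += 3
    if asset.privilege == "admin":      # compromise yields more on the box
        score += 2
    if asset.handles_pii:               # regulated data at stake
        score += 3
    if asset.days_since_patch > 30:     # regularly missing patch events
        score += 2
    return score


def triage(inventory: List[Asset]) -> List[Tuple[str, List[str], int]]:
    """(asset_id, outdated packages, priority), highest priority first."""
    findings = []
    for asset in inventory:
        outdated = outdated_software(asset)
        if outdated:
            priority = len(outdated) * exposure_score(asset)
            findings.append((asset.asset_id, outdated, priority))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def group_by(inventory: List[Asset], attr: str) -> Dict[str, List[str]]:
    """Logically group asset ids by any attribute (location, role, privilege)."""
    groups: Dict[str, List[str]] = {}
    for asset in inventory:
        groups.setdefault(getattr(asset, attr), []).append(asset.asset_id)
    return groups


# Constructed inventory: a remote sales laptop and a training-lab machine
# carry the same old VPN client; a finance workstation has an old browser.
INVENTORY = [
    Asset("LT-0412", "sales", "remote", "user", True, 45,
          {"vpn-client": "4.9", "browser": "88"}),
    Asset("LAB-007", "training-lab", "office", "user", False, 5,
          {"vpn-client": "4.9", "browser": "92"}),
    Asset("WS-1101", "finance", "office", "admin", True, 12,
          {"vpn-client": "5.3", "browser": "87"}),
]

if __name__ == "__main__":
    for asset_id, outdated, priority in triage(INVENTORY):
        print(f"{asset_id}: {', '.join(outdated)} (priority {priority})")
    print(group_by(INVENTORY, "location"))
```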
Is a VMP useful for small businesses?
A VMP is useful for all organizations, but it’s understandable to wonder how to get this kind of thing going with limited resources.
But when you think about it, I don’t think any company has enough resources to deal with these problems. Whether you’re a Fortune 500 or Fortune 1 Million, you’ve got to make decisions and prioritize how you’re going to act. You still have to make that concerted effort to think about your tolerance for risk and for vulnerabilities, and then assess how to prioritize to arrive at the key things that’ll make everybody sleep a little bit better at night.
How can technology help in creating a VMP?
With Absolute, we offer that “Single Point of Truth”: visibility into the (approved and unapproved) software on a device, and the ability to logically group those devices by location, role, type, software, BIOS and more — to help your organization better understand how the device is being used. Absolute provides visibility and resilience for every endpoint with self-healing endpoint security and always-connected IT asset management to protect devices, data, applications and users — on and off the network.
I want to start with the NIST Cybersecurity Framework. How do I begin?
The threat landscape has evolved, the attack surface has mutated, and everywhere you look, the cybersecurity skills shortage leaves more work to do than there are people to do it. As I mentioned before, the NIST Cybersecurity Framework is a great way to get the ball rolling.
Download our NIST CSF Implementation Overview whitepaper to learn how the NIST Cybersecurity Framework (NIST CSF) supports organizations who want to formalize their security discipline and scale their operations.

Creating an Information Security Policy that Works

Before we talk about how to create an information security policy, it is important to clarify what information security really is.
Information security — sometimes shortened to InfoSec — is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.
CIA Triad: Confidentiality, Integrity, Availability
If you’ve been in the security field for a while, you probably know that information security is threefold. However, for those new to the field, information security involves three critical components of confidentiality, integrity, and availability (CIA):

Confidentiality: protection from unauthorized access
Integrity: protection from unauthorized alterations of data
Availability: ensuring timely and reliable access to and use of information

Understanding the security CIA Triad, the various principles behind it, and how it applies to your organization will help you implement a sound security policy.
Why Create an Information Security Policy?
Organizations commonly create an information security policy because “ISO 27001 says we should have one” or “it’s required for the audit.” Sure, but that’s not the primary reason for having a policy.
A security policy, or set of policies, is designed to mitigate risk (e.g., data breach) and is usually developed in response to an actual or perceived threat (a situation that could potentially cause undesirable consequences or impacts). The policy will contain a high-level statement of management intent and direction and should be developed or modified to support an organization’s strategic objectives.
Security policies on their own are not enough. Employees must understand what the rules are for protecting information and assets, and the reasons why security standards are developed.
Security standards are developed to set boundaries for people, processes, technologies, and procedures to help maintain compliance with policies and support the achievement of the organization’s goals and objectives.
Best Practices in Creating an Information Security Policy
After over a decade of creating security policies, perhaps the most important advice I can give any organization for creating a successful policy is to write it specifically with the organization’s strategic objectives, risk appetite and tolerance, and culture in mind.
Ensure that the policy is written by an individual that can translate security requirements at a high level in business terms. It should be written in a way employees can understand; just like a good app, it should be user-friendly. It should explain why security is important within the organization, and define everyone’s responsibilities for protecting the organization’s information and assets.
What Makes an Effective Security Policy?
What you don’t want to include in your policy is a list of “thou shalt nots.” Because in my experience, whenever a policy is full of strict directives that sound more like commandments it’s doomed to fail and it’s difficult to monitor compliance. You can avoid bloating your policy by constructing one that is clear, concise, relatable and easy to understand.
A good rule of thumb is to write it for the average, non-technical person. Within 60 seconds, it should be clear to the reader what the security policy is about. Any struggle comprehending it, and you may need to go back to the drawing board.
As mentioned earlier, an effective security policy should not only align with an organization’s strategic objectives but it should also consider the organization’s overall risk profile.
You should be able to answer these questions: How much security risk is the organization willing to tolerate? What is the consensus on security risk and do the policies and corporate mandate address that? How is the tone at the top? What is the organization’s culture towards security?
Finally, your policy should be updated annually as it helps your organization keep up to date with regulations, changes in technology and threat landscape, and industry best practices.
But the truth is that too many organizations search for a boilerplate policy and make few changes to it. If the policy isn’t tailored to your organization, it probably won’t be followed — I’ve seen it happen far too often.
What Should Your Security Policy Cover?
To get you started, here are 10 potential policy elements and relevant questions that should be answered when designing an enterprise security policy:

Purpose: Why do you need this policy?
Scope and Applicability: What’s the scope of the policy? Whom does this policy apply to?
Policy Authority: Who has the Board or CEO granted authority to establish security policies and standards? Who can approve the policy? Who can update the policy? If there is a requirement in the policy that cannot be met, is a policy exemption request submitted?
Policy Review Cycle: How often will the policy be reviewed?
Company Culture: How can the policy adapt to your corporate culture? Does your organization’s culture support your security efforts? Do you have commitment and support from senior executives?
Topics of Focus: What topics (e.g., Email & Internet, BYOD, Social Media), should be included in your policy that you would like employees to be aware of as it relates to security responsibilities around your organization’s information and assets?
Specific Information Security Policies: What policies will cover a subsidiary area of information security (e.g., Key Management, Security Incident Response, Firewall) that further mandates the information security controls required at an operational level?
Training: How does the organization approach security awareness? What methods are used for awareness training and how often does training occur?
Communication: Who do employees contact when they have questions about anything security-related? How will you communicate the security policy? Will you require employees to acknowledge and sign off on your policy?
Compliance: How will you monitor compliance with this policy?

Read: 5 Quick Tips To Mitigate Insider Threats
The Importance of Policy Enforcement
A security policy can only be effective if employees are confident that rules will be enforced. There must be clear responsibilities defined for compliance as well as stipulations regarding steps that will be taken for non-compliance.
Depending on an organization’s industry, the security policy should reference the importance of adherence to that industry’s regulations. This may include the PCI Data Security Standard, the Dodd-Frank Wall Street Reform, the Federal Risk and Authorization Management Program (FedRAMP), the General Data Protection Regulation (GDPR) or HIPAA (Health Insurance Portability and Accountability Act), to name a few.
Read: What Is Regulatory Compliance?
To achieve the best enforcement results, your policy should be in sync with the current threat landscape as well as privacy regulations. When a policy reflects what is actually happening online (think phishing, ransomware and other malware, privacy fines, etc.), you have a better chance of employees following along. If that policy is clear and understandable, enforcement is easier.
When writing your policy, keep compliance and enforcement in mind. If you don’t think you can follow through with the rules for a specific element of the policy, it may need to be re-written.
Ultimately, the policy must not impede the organization and its employees from achieving their mission or goals.
To find out how to benchmark your security posture, download our Cybersecurity Frameworks Solution Sheet.

Brexit Uncertainty and Resulting Cybersecurity Concerns

Will it be deal or no-deal? With Theresa May no longer officially the Prime Minister and the race to name her successor in full swing, British exit (Brexit) deal negotiations have been called further into question while the successor is sought. The previous European Parliament election results further complicated the matter, with both the far-right and liberal parties gaining ground, shaking up the traditional system.
The biggest question surrounding the next phase of changes we are seeing is whether the UK will leave the European Union with an agreement designed to minimise economic disruption and create a beneficial relationship, or whether it will step out with no departure pact at all.
Securing the necessary votes in the House of Commons will require concessions from the EU around some areas of the deal, and a potential compromise with MPs on elements of the backstop agreement. The clock is ticking and the next Prime Minister, whatever their political stance on the issue, will have a huge task on their hands.
Since UK citizens voted to withdraw from the EU in 2016, Brexit details have been a delicate and complicated dialogue. The resulting fragmented international architecture could have far-reaching impact on business relations, information flow, regulatory standards and of course, cyber-security concerns with many businesses concerned about what this means for their future.
Information sharing
One early concern surrounding Brexit and cybersecurity practices is information sharing, or lack thereof, among intelligence organisations in the UK and the EU. Particularly in the case of a no-deal Brexit, could and would European countries continue to work together efficiently to fight cyberattacks? In the absence of timely information sharing and a cooperative response, cyber-criminals — who regularly sell exploit kits and vulnerability details to other hackers — are at a distinct advantage. That leaves everyone vulnerable to a breach and opens up a problem that doesn’t necessarily need to exist.
GDPR
While sharing threat intelligence is a real concern, so is GDPR compliance. The new legislation around data protection is only just finding its feet within Europe, and Brexit is set to affect this. Both the UK government and the UK’s GDPR enforcement arm, the Information Commissioner’s Office (ICO), maintain that the one-year-old data protection regulation will remain law in the UK post-Brexit.
The challenge, however, is that GDPR contains provisions prohibiting the transfer of personal data to ‘third countries’ outside the EU that do not ensure adequate protection. Post-Brexit, the UK could become a ‘third country’. In this scenario, EU Member states would not be able to transfer personal information to the UK unless an appropriate data transfer solution is in place.
With so many unknown factors around Brexit, most organisations are moving forward with the better-safe-than-sorry principle when it comes to complying with GDPR which is ultimately what we need to see. Smarter security, including heightened visibility over your growing number of endpoints and formalised data breach notification procedures are but two ways they are staying audit-ready.
Whilst many have feared the hefty fines the ICO have set (up to €10 million or two percent of annual global turnover, whichever is greater, or up to €20 million or four percent of annual global turnover, whichever is greater, depending on the seriousness of the breach), we have only now seen an organisation in the UK hit with a GDPR fine, with yesterday’s BA fine of £183 million.
Earlier, the French data protection authority CNIL fined Google €50m for violating GDPR transparency rules and failing to have a legal basis for processing user data in advertising.
Adapting to change
The international business climate can be tenuous at the best of times. It often seems as if there is little we can do about sweeping global change but adapt to it. Continuous endpoint device compliance can be achieved with active compliance checks, sensitive data discovery, and automated workflows to restore protections.
Whilst the road ahead may be complex, ensuring the highest standards of data security across borders and within businesses is paramount. Whatever the final outcome of Brexit, companies need to have the highest standards of data security in place, at all times.
This article was originally published in SC Magazine UK.
Learn more about how Absolute helps organizations comply with GDPR on our website.

Escalating Risks to Healthcare Data

The challenges of securing medical devices from cyberattacks made headlines again last week as the U.S. Food and Drug Administration (FDA) warned that some insulin pumps made by Medtronic MiniMed may be at risk of a cybersecurity breach. In response, Medtronic recalled the affected MiniMed pumps and is providing patients with alternative pumps.
As the healthcare industry quickens its pace toward incorporating more IoT devices and wearables for the sake of improved patient care, there is also a clear downside to the trend. The connectivity inherent in these same medical devices can also pose a serious threat to patients and providers. Device vulnerabilities can lead to security breaches that could potentially impact the safety and effectiveness of the device. Due to the high value of healthcare data, the risks are escalating rapidly.
Weighing Risks and Rewards
Healthcare organizations and patients alike must weigh the risks and rewards of relying on such medical devices the same way they already consider the pros and cons of their network connected endpoints. Laptops, tablets and phones have proven to be a critically important piece to delivering cutting-edge patient care as well as growing organizational efficiency. For large hospitals, small doctors’ offices and every healthcare provider in between, mobile medical technology is how modern patient care is delivered.
But securing patient data — including personal information, payment details, health histories and more — on vulnerable endpoints has long been a real problem for the industry. More than 2 million people saw their information exposed via a healthcare data breach in May alone.
Government regulations that oversee the protection of personal information — including HIPAA and a host of others — are busy trying to keep up with breach investigations. Large fines are regularly doled out, yet the pilfering by hackers continues at a relentless clip. At the same time, security spend is also on the rise, motivated by organizations scrambling to fend off attackers.
Read: The State of Endpoint Health in 2019
Now What?
A strong security posture must start with unparalleled visibility — because you can’t secure what you can’t see. This is the approach Allina Health, the major healthcare provider for the state of Minnesota, took when they implemented Absolute across their more than 10,000 devices.
With Absolute, Allina Health can see all of their devices, whether they are on the network or not, identify devices that are missing or not being used, and prove that security controls such as patch management, antivirus and encryption are always in place. In addition, Allina Health has been able to save over one million dollars by identifying underutilized assets, prove compliance with HIPAA by validating that encryption is in place on all devices, at all times, and achieve 95 percent laptop auditing accuracy.
“I sleep better at night knowing that if a device goes missing, we have the tools and services that Absolute provides to track it down…and validate that encryption was in place [when the incident occurred],” said Danielle Bong, IT Asset Manager, Allina Health.
Healthcare endpoints are key to providing better patient care and improving organizational efficiency – security improvements must be made for the benefit of everyone but the hackers.
To learn more about how Allina Health uses Absolute, download our case study: Allina Health Ensures HIPAA Compliance.

Education & Internet Safety: Prove CIPA Compliance with Absolute

As technology continues to be rapidly adopted in education, the pressure is on to secure and retain the grants that make devices in the classroom possible. Schools must compete to prove effective technology utilization while taking steps to ensure compliance with the Children’s Internet Protection Act (CIPA), and the E-Rate Program.
E-RATE: TECH ADOPTION & INTERNET SAFETY
The E-Rate Program supports connectivity. Through grants, it provides discounts up to 90 percent to help schools and libraries obtain affordable internet and telecommunication access.
Eligible schools need to certify they have an online safety policy in place that is supported by technology protection measures. These measures must block or filter harmful content, and monitor the activities of minors.
GET VISIBILITY, PROVE COMPLIANCE
While school districts can meet CIPA compliance requirements by installing software that filters web content, it’s another challenge to know and prove these programs remain installed and are effective.
With Absolute’s unique solutions for education, K-12 school districts have uncompromised visibility and remediation of their devices – whether inside or outside the school network. Absolute also gives districts true, layered visibility into data and applications that can’t be removed or tampered with by overzealous students, or malicious attackers.
The self-healing capabilities of Absolute’s Persistence technology help school districts ensure that critical security features such as web filtering or cyber-attack protection remain in place and stay functional – making it easier to prove CIPA and E-Rate compliance.
STUDENT TECHNOLOGY ANALYTICS, BETTER INSIGHTS
Absolute’s Student Technology Analytics unlocks the door to a host of detailed information that can be applied to contextualize device and end-user activity.
Using data from Student Technology Analytics, schools can better analyze the impact and outcomes of their technology investments. Districts not only see how users interact with technology, but gain insight into online behaviors like application use, websites visited, and device usage.
Absolute is empowering schools globally to deliver safe, secure, and more productive learning environments. Read our whitepaper to learn three important ways that integrating Student Technology Analytics into your technology plans can help your school district.
Read 3 Ways Student Technology Analytics Validate Technology Analytics in Classrooms
