It’s easy to be on the other side of a breach and point fingers. When we understand how a breach happened, the solutions seem like they should have been simple. These simple solutions (and preventative measures) are not always common sense though. In fact, as a whole, we don’t do a great job using these breaches to teach us the lessons they should.

We can use the 2013 Target breach as an example. Target wasn’t breached due to a lack of their own network security. Instead, an attacker was able to access their system through a vendor. This vendor (an HVAC vendor, not even one that regularly interacts with Target’s network) was required by Target to access Target’s vendor portal. Attackers were able to retrieve log-in credentials from someone at the vendor to access Target’s portal. That was enough.

What’s not enough are the improvements that have been made across all organizations in vendor risk management since this incident occurred.

But we can still use it as a teachable moment now.


Where Target Went Wrong

When determining the vendor risk, there are two initial steps every organization should begin with.

First, organizations need to know who all of their vendors are. If you don’t have an inventory of every company you work with, how can you possibly know all the risks that your organization faces because of the vendors? Many organizations fail even this first step.

The second step (and where Target missed the mark) is classifying your vendors. It’s not enough to just know who your vendors are. Organizations also need to know the amount of risk the vendors pose to you. You can do this a number of ways, but the key is to categorize your vendors based on the types of information they touch (very sensitive or not sensitive) and how much data they have access to.

This is where Target went wrong.

How This May Have Been Avoided

It’s likely that Target (and many organizations, frankly) would look at an HVAC provider like Fazio Mechanical and immediately write them off as a low-risk vendor. In actuality, and because of the vendor’s access to Target’s online portal, Fazio Mechanical probably should have been classified as a medium-risk vendor.

Doing your due diligence in classifying a vendor as low risk is often enough to brush them off to the side and reevaluate their status in another year. However, in strong vendor risk management programs, medium-risk vendors are required to go through a vendor risk assessment process where the organization can get an understanding of the amount of risk that exists before allowing that vendor to continue to access its critical information.

It’s likely that Target did just that: brushed off their HVAC provider as a low-risk vendor and pushed them off to the side for reevaluation down the road.

Had they gone through an assessment with the vendor as if it were medium risk, they likely would have caught the lack of protection that was the reason behind the breach.

Vendor Risk Management is About Logic

Making assumptions in information security is detrimental. Making assumptions provides a vehicle for avoiding issues that may be hyper-pertinent to your business. You may think that a vendor is low risk when it actually belongs in a more sensitive category.

When organizations take objectivity out of the classification step of vendor risk management, they take out any assumptions and guesses. Assumptions and guesses erode your credibility.

If Target had gone through proper and objective steps to classify Fazio Mechanical (even if they had classified them incorrectly), at least they would have been able to prove that they did their due diligence and that the breach was not a result of their negligence.


How You Can Prevent This

Vendor risk management is all about simplifying, standardizing and making yourself defensible.

Build a list of your vendors first.

Then, work through standardized criteria to determine how much risk they pose to your organization. Get an understanding of exactly how they work with your organization and what kinds of data they touch. By doing that, you get an immediate grasp on how important it is that they handle their own information security practices well. Doing so makes sure you are defensible if something does go wrong, and will likely help limit the number of vendor-caused incidents you experience.
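As an added example (not the page’s own tool, and not VENDEFENSE), here is a small rule-based classifier that takes a vendor inventory and applies the two steps above: know who the vendors are, then tier each one by what data it touches, how much, and whether it holds any login into your environment. The vendor names, the CSV layout and the tier thresholds are constructed assumptions; an organization would set its own.

```python
"""Rule-based vendor tiering, added as an illustration (not the page's tool).

Assumptions (hypothetical): the inventory is a CSV with the columns used below,
sensitivity labels are NONE/INTERNAL/CONFIDENTIAL/RESTRICTED, and the
thresholds in classify() are placeholders an organization would set itself.
"""
import csv
import io
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    NONE = 0          # no organizational data at all
    INTERNAL = 1      # non-public but not regulated
    CONFIDENTIAL = 2  # customer or employee data
    RESTRICTED = 3    # payment card, health, or credential data


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Vendor:
    name: str
    service: str
    sensitivity: Sensitivity
    records: int          # rough count of records the vendor can reach
    network_access: bool  # any credentialed path in: portal, VPN, remote support


def classify(v: Vendor) -> Tier:
    """Tier a vendor by what it touches and how it connects, not by its line of business."""
    # Regulated data, or very large volumes of anything, is HIGH (threshold is a placeholder).
    if v.sensitivity == Sensitivity.RESTRICTED or v.records >= 100_000:
        return Tier.HIGH
    # Any login into our environment is at least MEDIUM: this is the rule the HVAC case
    # argues for, because a stolen credential is enough regardless of what the vendor does.
    if v.network_access or v.sensitivity >= Sensitivity.CONFIDENTIAL or v.records >= 1_000:
        return Tier.MEDIUM
    return Tier.LOW


def needs_assessment(tier: Tier) -> bool:
    """LOW vendors are re-checked on a cycle; MEDIUM and above are assessed before continued access."""
    return tier >= Tier.MEDIUM


def load_inventory(csv_text: str) -> list:
    """Step 1: know who your vendors are. Parses the inventory CSV into Vendor records."""
    vendors = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendors.append(Vendor(
            name=row["name"].strip(),
            service=row["service"].strip(),
            sensitivity=Sensitivity[row["sensitivity"].strip().upper()],
            records=int(row["records"]),
            network_access=row["network_access"].strip().lower() in ("yes", "true", "1"),
        ))
    return vendors


def classify_inventory(vendors: list) -> dict:
    """Step 2: classify every vendor with the same criteria. Returns name -> Tier."""
    return {v.name: classify(v) for v in vendors}


def assessment_queue(vendors: list) -> list:
    """Names of vendors that must be assessed now, highest tier first, then alphabetical."""
    tiers = classify_inventory(vendors)
    due = [name for name, t in tiers.items() if needs_assessment(t)]
    return sorted(due, key=lambda n: (-int(tiers[n]), n))


# Constructed sample inventory; every vendor name here is made up.
SAMPLE_INVENTORY = """name,service,sensitivity,records,network_access
Example HVAC Co.,Building climate control,INTERNAL,0,yes
Example Payroll Inc.,Payroll processing,RESTRICTED,2500,no
Example Landscaping,Grounds maintenance,NONE,0,no
Example Mailer LLC,Marketing email,CONFIDENTIAL,50000,no
"""

if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    for name, tier in classify_inventory(inventory).items():
        print(f"{name:22s} {tier.name:6s} assess now: {needs_assessment(tier)}")
    print("assessment queue:", assessment_queue(inventory))
```

The point the sample makes is the one in the text: the climate-control vendor touches no sensitive data and holds zero records, yet lands in MEDIUM purely because it has a login, so it enters the assessment queue instead of waiting a year for the next review.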

You can simplify this process by implementing a vendor risk management tool like VENDEFENSE to help you automate your vendor identification and classification. With VENDEFENSE, it’s likely that Fazio Mechanical would have been flagged as a medium risk vendor, and then steps would have been taken to improve their security once the risk assessment was completed.

For more information on vendor risk management and for a live look at the tool that can help make your organization’s vendor risk management program simplified, standardized and defensible, visit securitystudio.com.

A New Kind of Insurance

A few years ago, I flew down to Florida to talk with some large insurance companies about this new cutting-edge market for “hacking insurance” (aka cyber insurance), and what I found out while talking to these companies blew my mind.

It turns out that many large companies are now wanting to protect themselves from the costly threat of being breached, so they look toward purchasing cyber insurance. It was a newer concept at the time, and I was just discovering how much potential this market had. This multi-million-dollar market for hacking insurance has popped up out of nowhere and is well on its way toward being a $3B industry by the year 2022. Many insurance companies are interested in bringing development to this cutting-edge market, but there are a few obstacles to overcome.

Let’s talk about how cyber insurance works. Purchasing cyber insurance will typically cost your company between $20k-$50k per million dollars in coverage annually. Then, there are deductibles. There’s still a missing piece of the puzzle and it’s the biggest one: the overall security of the company looking to become insured. This will ultimately determine exactly how much the organization will be charged for coverage, and what type of coverage they can receive.

Think of it this way: if your home was directly on the ocean in Florida where I spoke with these insurance companies, you would be much more likely to experience natural forces that could ruin your house. For this reason, it’s a bigger risk for insurance companies to insure you. If they’re going to accept that risk, they’re going to want more money for your policy, because they’re more likely to have to pay for damages to your home down the road.


The same is true of cyber insurance. If an organization takes rigid measures to ensure their organization and client data remains safe, it’s significantly less likely for an incident to occur or be handled poorly. Any insurance company would look at the low risk and be willing to insure that company completely, and for less money.

However, this is still a relatively new concept. Underwriters find it difficult to pinpoint proper premiums that will adequately insure these businesses without undercharging and leaving themselves in a financial quandary. It can also be challenging to determine what the risk thresholds are that would cause an insurance company to charge a client more, less, or simply not insure them at all.

The Cyber Insurance Metric

So, what if there was a measure to calculate this for insurance companies looking to sell cyber insurance? What if there was an all-inclusive security analysis for a company that considers all aspects of the organization’s security? What if this analysis included everything from policies, to physical networks, to technical controls? And what if it gave us a reliable and readable analysis — an industry standard that everyone can understand?

There is an information security analysis that will do these things. It’s called FISASCORE®. Purposefully built on the same scoring scale as your individual credit score and considering administrative, technical, and physical controls of a business, this assessment is an all-encompassing score that can be easily understood by virtually anyone, even people who know little to nothing about cybersecurity.

Using an assessment system and scoring metric like FISASCORE® has direct benefits to insurance companies and the companies they look to insure. Not only does a credit-like score give insurance organizations an immediate understanding of the security level of the companies they look to insure, but it also gives those looking to purchase cyber insurance an understanding of how much and where they need to improve to avoid cyber risks.

Ultimately, FISASCORE is the answer to the cyber insurance conundrum. With it, insurance organizations will know exactly how much risk they’re taking on by insuring any given company, and that company will have a better understanding of where they can make improvements to keep their data safer. It’s a true win-win for all involved, the insurance company, the company seeking cyber insurance coverage, and the entire industry.

To learn more about FISASCORE, and other important information security services that can make an impact for your organization, visit frsecure.com.


Information security is a hot topic, and one that continues to be the concern of businesses all over the world. As more of our data lives online, and black-hat hackers become more sophisticated, the risk of our data being exposed is higher than ever. Unfortunately, there are many organizations who do not have the necessary skill sets or bandwidth to make information security a priority. Because of this, these organizations will often lean on their trusted managed service providers (MSPs) to assist them with their security objectives. Here are some statistics that show how offering information security as part of your service offering can make a big impact on both your clients, and your bottom line.

“Only a third of organizations believe they have adequate resources to manage security effectively.”

Source: Ponemon Institute

“Worldwide security spending is forecast to reach $96B in 2018, up 8% from 2017.”

Source: Gartner

“Gartner predicts that by 2019, total enterprise spending on security outsourcing services will be 75 percent of the spending on security software and hardware products, up from 63 percent in 2016.”

Source: Gartner

“Post data breach response activities include help desk activities, special investigative activities, remediation, legal expenditures, product discounts, identity protection services, etc. In the United States, these costs were $1.56 million per breach on average.”

Source: Ponemon Institute

“Global spending on cybersecurity products and services is expected to exceed $1 trillion cumulatively from 2017-2021, a 12-15% year-over-year increase.”

Source: Cybersecurity Ventures

“Demand for information security jobs is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million employees.”

Source: Forbes

“70% of employers around the world want to increase their cybersecurity staff size by 15% this year.”

Source: Global Information Security Workforce Study (GISWS)

“61 percent of breach victims in 2017 were businesses with under 1,000 employees.”

Source: Verizon

“The U.S. was the most targeted country in the past three years, accounting for 27 percent of all targeted attack activity.”

Source: Symantec

“56% say they have made changes to their strategies and plans to take information security into account, but only 4% are confident they have fully considered their current strategy.”

Source: EY

Most people are relatively aware of the Health Insurance Portability and Accountability Act (HIPAA). It was created to make sure that medical records of patients remain safe, and that the medical providers accessing them are doing their best to ensure that’s the case. When most people think of HIPAA, they often go right to medical providers and hospitals. It’s important to understand that dental providers are also expected to adhere to HIPAA requirements. However, being HIPAA compliant poses challenges for dental providers. Here are some of those challenges, and what dental providers can do to combat them.

Failure to Identify Your Dental Practice as a HIPAA “Covered Entity”

Covered entities are required to follow HIPAA requirements. A dental practice is considered a covered entity if it transmits an electronic claim, payment, etc. to a dental plan or on behalf of a dental practice. It’s very likely that your dental practice is a covered entity and should be considering HIPAA requirements.

Missing Business Associate Agreements (BAAs)

Outside people or entities often have access to patient records and information. If your dental practice works with third parties of this nature, it’s important that you’re keeping tabs on them. Third parties are often root causes of breaches and data exposure. Continuously review your third parties and be sure you have BAAs for them.

Security Policies and Procedures

Well thought out, written plans are needed to ensure that your practice stays in compliance. Your HIPAA compliance policy should clearly state the responsibilities of your office and each staff member in protecting your patients’ private health information. The policy should clearly outline how your office handles and remediates various kinds of security breaches.

Training

Training employees is a critical component to HIPAA compliance, even for dental practices. Once you have your policies and procedures in place, it becomes critical that you train your employees on them. If someone’s job is affected by a change in your HIPAA policies or procedures, provide training on the change within a reasonable time after the change becomes effective. Training employees will limit the risk of breach.

Texting and Email

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker: HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening. While HIPAA doesn’t prohibit using email or text to communicate patient information, it is important it’s done the proper way.

Social Media

A restaurant is very likely to respond to a Yelp, Facebook or Google review to either appreciate what has been said, or try to take corrective action. Dental practices must be a bit more careful. It’s easy to respond in a way that violates HIPAA rules. Ensure you and your employees understand privacy rules before responding to your practice’s reviews.

Other Media

As photos or videos are being taken of a patient there is the possibility that other patients may be included inadvertently. These photos and videos are quite often shared through social media and this can compromise those patients’ privacy. In addition, staff members of the practice might be included in the photo or video and this violates their privacy. Be cognizant of what is going on in the background of your images and videos so you do not compromise patient information.

Reporting Breaches

Breaches happen. It can and will happen to anyone at any time. It’s crucial that you understand what you need to report, and when. Covered dental practices must report all breaches of unsecured protected health information to the Office for Civil Rights, as well as to the affected individuals and, in some cases, to the media. The bottom line is, have a plan for what to do in case an incident does occur, because it certainly can.

How can you get a better understanding of these challenges, so you know how to avoid and face them? A security assessment is a great tool to do that. Security assessments help you identify where your gaps in security are. Once they’ve been identified, you can also use the assessment to develop action plans for improvement, meeting HIPAA regulations and proving to examiners that you have a strong data protection program. While there are many challenges as a dental provider to being HIPAA compliant and safeguarding patient information, getting a security assessment puts you on the fast track to understanding and preventing your patients’ data being compromised.

FISASCORE® is a comprehensive assessment that measures your organization’s information security risk. It was created because of a recognized need in the information security industry for a common language people could use to be on the same page about security. Built on the widely understood credit score scale, FISASCORE measures four different types of controls and gives you a score to use as a litmus test and a starting point for improvements. Every organization should have a FISASCORE, and here is why.

1. FISASCORE is easy to understand.

Information security is a complex discipline with many moving parts, but FISASCORE simplifies the communication about how your information security program is performing. You don’t need to be an information security expert with years of experience to understand what FISASCORE is telling you. One simple number represents your overall risk, and additional indicators show where your most significant risks are.

2. FISASCORE can tell you what everyone else is doing.

Hundreds of organizations have received their FISASCORE, and this allows for good, fact-based comparisons. One of the common questions we receive about information security is, “What is everybody else doing?” This question comes from the responsibility for due care/due diligence, liability, and knowing that there’s “protection in the herd.”

3. With a FISASCORE, you can track progress.

FISASCORE is a point of reference that should be used to track progress and to determine whether risk is maintained within your tolerance. Your information security program and risks are always getting better or worse; they never stay the same. Questions about progress, regular reporting, and support for maintaining your information security program are all answered through the FISASCORE.


The average FISASCORE is 567.72. An “acceptable” level of security is 660.

4. FISASCORE is objective.

FISASCORE is maintained by an independent organization that doesn’t do consulting work, and has no other purpose but to provide accurate measurements of information security risk. In addition to organizational objectivity, the score is also objective. FISASCORE is calculated through the measurement of thousands of objective characteristics that take much of the guesswork and opinion out of the equation.

5. FISASCORE is credible.

FISASCORE was developed over the course of more than 15 years through the work of seasoned information security practitioners and is now on its fifth major release. FISASCORE is based on generally well-accepted information security standards. The criteria for measurement are all referenceable to the NIST Cybersecurity Framework (CSF), and its supporting standards: NIST SP 800-53, COBIT, ISO 27001:2013, and CIS CSC.

6. FISASCORE represents risk.

Risk is the combination of vulnerabilities and applicable threats that manifest themselves into the likelihood of something bad happening and the impact if it did. If there is no vulnerability (or weakness) in a control, there is no risk. If there is a vulnerability in a control without an applicable threat, there is also no risk. FISASCORE represents the analysis of hundreds of controls, thousands of vulnerabilities and thousands of threats, resulting in likelihoods and impacts of bad events.

7. FISASCORE is comprehensive.

Fundamental to FISASCORE is our definition of information security: The application of administrative, physical, and technical controls to protect the confidentiality, integrity and availability of information. There are four phases within FISASCORE:

• Phase 1 – Administrative Controls
• Phase 2 – Physical Controls
• Phase 3 – Internal Technical Controls
• Phase 4 – External Technical Controls

All four parts of the information security program must work well together. A weakness in one control can lead to a collapse of all others. The phases are further segmented into sections, and the sections are further segmented into controls. The final FISASCORE report presents both a high-level view and a deep dive into the details.

8. There is fast-growing community support for FISASCORE.

The partner community behind FISASCORE is critical to its success. Partners work to generate FISASCOREs for their clients, but the partner community is also vital to future improvements and considerations. The partner community participates in further improvements of the methodology, shares critical information, and evangelizes the need for a common information security language (provided by FISASCORE). Our partners include IT service companies, CPA firms, insurance brokers and security consulting companies.

9. FISASCORE is an indicator of future losses.

As FISASCORE continues to evolve, we get closer to understanding the true losses behind information security incidents and breaches. FISASCORE provides the framework for predicting future information security losses accurately, using the best information available. Today FISASCORE is tied to research conducted by the Ponemon Institute for loss data.

10. FISASCORE is a competitive advantage.

Information security as a competitive advantage? Yes, absolutely! FISASCORE is a representation of the efforts you’ve put into information security and it’s a demonstration that you know where your most significant information security risks are. Armed with this information, you can make an objective case to your customers that you take information security seriously, backed by experienced information security experts, a community of partners, and a clean methodology. Don’t forget the fact that you can now invest your information security dollars where they will have the greatest benefit.


Douglas County Hospital is a system of healthcare providers that includes Heartland Orthopedic Specialists, Alexandria Clinic and Osakis Clinic. This 127-bed, non-profit regional hospital and clinics located in Alexandria, MN includes 875 staff and 72 physicians and advanced practice professionals providing integrated health care services to the patients, families and communities they serve.

The hospital is heavily focused on customer care, and because of this, saw a need to keep the organization’s patient data as safe as possible. Its leadership understood that compliance is only a small part of risk management and that it needed to expand its thinking beyond the ordinary security measures. Heating and cooling systems, outside foliage and camera placements were just a few of the potential vulnerabilities the hospital was looking to measure.


So, Douglas County Hospital looked to SecurityStudio®.

SecurityStudio® was vital in helping the hospital mature its information security program. It provided an intensive independent review of the hospital’s security practices. To do so, it used the FISASCORE® assessment, a security rating system that measures internal, external, administrative and physical security controls. This assessment was the crucial first step in improving the hospital’s security program, as it indicated strengths, weaknesses and threats that could help determine where the focuses for improvement should lie.

“Our information security program and policies should be based on an independent and unbiased standard. This assessment is helpful as it gives us a foundation on which to mature our program, develop new policies and rework current practices,” Director of Information Security, Joyce Beck said.

“We wanted to understand our security position and its effectiveness. After the assessment we learned that strengthening logical segmentation protocols via restrictive VLAN would protect our overall network from unauthorized access in a more effective way. Systems such as heating, cooling and camera control were given limited access and could only communicate on their assigned VLAN networks,” IT Lead Ryan Engelbrecht added.

The implementation of the additional protocols through the assessment added an additional layer of security to the hospital’s overall security. On top of this, it shifted their focus from reactionary thinking to a proactive mindset with a systematic handling of their known vulnerabilities, and it guided the hospital on recommended lifecycles for its hardware and software.

“Asset management was one of the tools we utilized but not to its fullest potential. Improved documentation was implemented and additional methods for auditing and ensuring the necessary follow through were added. The assessment gave us an approach that was modest and a directive to keep it simple, by starting at square one and building this plan from the ground up. This made the process of managing our hardware less overwhelming and cumbersome,” Engelbrecht said.

The FISASCORE® security assessment not only pinpointed vulnerabilities for immediate improvement but also provided a roadmap for enhancing the overall security posture of Douglas County Hospital. Overall, this open, collaborative and mentoring approach is what made the difference to improving the hospital’s security position now and into the future.


Information security demands are increasing at a dramatic rate. Security services are expected to grow to more than $100 billion by the year 2020 and nearly 40% of all contracts will be bundled with other security services and broader IT outsourcing projects. Becoming a managed security service provider (MSSP) and partnering with a security firm allows you to get ahead of this curve, and allows you to provide security services and enhancements to those customers that need and ask for them.

The Right Tools

Security tools are a key benefit of partnering with an information security company. By offering a broad range of products and offerings, you not only improve your customers’ security postures, but you’re also providing your organization the opportunity for strong monthly recurring revenue (MRR) and professional services revenue. This all starts with the assessment. Your customers won’t know how to improve their information security posture without first knowing what needs to be improved.


SecurityStudio offers the most robust and comprehensive risk assessment tool on the market. Information security is a complex discipline with many moving parts. To simplify this complexity, we needed a common language around security that anyone could understand. From this need came the FISASCORE. FISASCORE is a numeric scoring system that measures risk by evaluating the Administrative, Physical and Technical Controls of an organization. It’s built on the same scale as a credit score and translates to any organization, which makes it a simple and comprehensive way for anyone to speak to security.


VENDEFENSE

Often, when a breach or information security incident occurs, it comes from vendors of the company impacted and not the company itself. Not only do organizations struggle to manage the risk their vendors can bring to their information security, many of them aren’t even aware of who all their vendors are. Vendefense allows you to find, list, categorize and assess your third parties. Utilizing FISASCORE as the risk assessment metric, your customers can easily manage the risk of their vendors.

Understanding Requirements

Your customers may simply want to be more secure. However, there are many lines of business that have security requirements that they need to comply with. An additional benefit of becoming an MSSP by partnering with an information security organization is the knowledge base around audits, compliance and regulatory requirements. Working with security experts gives you training and assistance on these requirements so that you can ensure both you and your customers comply with regulatory requirements for your industry. In turn, you’ll also dramatically improve your customers’ security postures.

Set Up to Succeed

Even with great products, a partnership will not succeed without solid relationships and mutual engagement. It’s important that when you choose a security expert to partner with, you choose one that will continue to work in conjunction with your organization to help you succeed. Good security expert partners give you sales and analyst training, sales and lead generation tools, marketing content and more through a channel partner program. Not only does this put your organization in a position to satisfy all its customers’ needs and wants, but it also allows you to continue to expand your client and customer base. By leveraging techniques, practices and materials of expert partners, your organization quickly becomes a trusted security organization that your customers will continuously look to lean on and build off.

Information security demands are increasing at a dramatic rate. By becoming a partner of a security expert, you can provide your customers and clients with the right products and services to increase their information security, while driving a profit for your own organization simultaneously.

To learn more about how you can become an MSSP for your clients, visit our become a partner page.