vCISO Training: CvCISO Program Introduction


SecurityStudio created the Certified Virtual Chief Information Security Officer (CvCISO®) Program to establish an industry standard for vCISO quality and qualifications. This program is designed to address the pressing need within the cybersecurity community for highly skilled and well-qualified virtual Chief Information Security Officers (vCISOs).

This vCISO training program goes beyond conventional certification approaches. It strategically aligns its learning objectives with a broader mission, directly impacting individual vCISOs and the organizations seeking their expertise.

Recognizing the multifaceted needs of vCISOs, this vCISO training program aims to enhance their quality of life by providing a comprehensive support system. This includes increased opportunities for professional growth, improved benefits such as heightened productivity, a sense of accomplishment, and competitive pay. The program empowers vCISOs to excel by instilling confidence in their information security and risk management expertise.

Simultaneously, the CvCISO® Program is designed to elevate the quality of life for organizations navigating the complex cybersecurity landscape. It strives to create opportunities for these entities to achieve better returns on their cybersecurity investments.

vCISO Training Program Goals

The program underscores the risk of employing an underqualified vCISO, emphasizing that a poorly equipped vCISO can do an organization more harm than having no vCISO at all. Ultimately, the CvCISO® Program offers not only prestige to its certification holders but also an assurance to those who employ them of a higher standard of cybersecurity leadership.

By equipping vCISOs with the skills and knowledge necessary to address contemporary challenges, the program enables organizations to bolster their cybersecurity protection with confidence. This holistic approach reflects a commitment to bridging the talent gaps within the information security sector and rectifying the systemic issues that have plagued the industry.

SecurityStudio acknowledges that the ultimate goal isn’t merely to churn out more vCISOs, but to cultivate professionals capable of making a tangible difference: good vCISOs whose practice follows a common standard.

The vCISO Training Certification: CvCISO

The vCISO training program comprises four distinct levels, from CvCISO® Level 1 to the advanced CvCISO® Expert, accommodating individuals at various stages of their careers.

There are no specific experiential prerequisites for entry into CvCISO® Level 1, ensuring inclusivity and accessibility. Conversely, achieving the CvCISO® Expert status demands substantial and diverse experiential accomplishments and an interview with industry leaders. Advancement within the program hinges on a triad of fundamental principles: training, experience, and collaborative engagement within the CvCISO® community.

The vCISO training regimen starts with the foundational Certified virtual Chief Information Security Officer Course (CvCISO-1), followed by specialized courses for those seeking to navigate more intricate organizational landscapes, evidenced by higher levels of certification. Experience and training requirements are defined for each vCISO level, acknowledging the evolving skill set necessary for ascending the ranks.

The CvCISO Community

The hallmark distinguishing the CvCISO® Program lies in its unwavering emphasis on community. The group “CvCISO CommUnity” stands as a testament to this commitment. Within this specialized community, CvCISOs find more than just a platform for exchanging knowledge; they discover mentorship, validation, camaraderie, and avenues for career advancement.

The significance of this communal space is captured in the adage, “People come for the content but stay for the community.” While the program may initially attract individuals with its rich educational content, the thriving, collaborative community becomes the cornerstone of long-lasting connections and growth.

Regional CvCISO Chapters

The CvCISO Program has begun to extend its reach by establishing a regional CvCISO community chapter in Minnesota that, in time, will be duplicated nationwide. These chapters provide a localized dimension to the overarching community, fostering even closer ties, facilitating regional knowledge exchange, and strengthening the network of like-minded professionals. This unique blend of shared experiences, expertise, and regional connectivity enhances individual professional trajectories and contributes to the collective strength and resilience of the entire CvCISO network.

Importance of a Certified vCISO

A CvCISO® certification validates the professional’s proficiency in risk management and strategic security planning and is a tangible testament to their commitment to excellence. A vCISO with certified expertise is better placed to ensure that an organization’s defenses are standardized, robust, and adaptive.

Beyond technical adaptability, a certification is a beacon of trust for stakeholders, clients, and partners. It signifies that the vCISO possesses a recognized and standardized set of skills, instilling confidence in their ability to safeguard critical assets and navigate the complex landscape of cybersecurity threats.

The CvCISO certification also extends beyond individual competence: it carries membership in the dynamic and supportive “CvCISO CommUnity,” so it is both a stamp of individual proficiency and access to the support of professional peers.

Join the CvCISO Community

Whether you are seeking to advance, change, or enhance your career, the CvCISO certification badge represents more than just a credential—it is a symbol of excellence, trust, and belonging to a dynamic, growing community.

In a field where expertise and adaptability are paramount, the CvCISO certification is an investment in both individual growth and the collective strength of the cybersecurity community. Consider the CvCISO certification as a milestone and catalyst for propelling your cybersecurity career to new heights. For more information on our upcoming courses visit: SecurityStudio Academy.


S2PCI: The PCI Compliance Software helping to navigate the complex terrain of PCI DSS

Approach to Streamlining Documentation

In the rapidly advancing digital era, businesses face the task of safeguarding their customers’ payment data. Attaining and sustaining Payment Card Industry Data Security Standard (PCI DSS) compliance is a formidable challenge for many industries. This article delves into the intricacies of PCI compliance, highlighting the complexities faced by organizations and introducing our PCI compliance software solution, S2PCI, designed to streamline the often-arduous documentation process.

The Challenge of PCI Compliance

The path to compliance is fraught with complexity. This complexity is not just in the interpretation and adherence to the standards themselves. It’s more basic than that. Organizations struggle to identify which Self-Assessment Questionnaire (SAQ) form is appropriate for them. This form has far-reaching implications, determining which requirements they need to meet.

Resource Allocation and Security Implications

The pursuit of PCI compliance demands a significant investment of time, financial resources, and skilled personnel. Striking a delicate balance between these investments and other pressing business priorities is an ongoing struggle for many organizations. Additionally, the consequences of failing to comply with PCI DSS can be severe, ranging from data breaches to fines and reputational damage, elevating the stakes and adding pressure to an already intricate process.

Navigating the PCI Compliance Landscape

The lack of in-house expertise further complicates the PCI compliance journey for organizations. The absence of knowledgeable personnel can make it challenging to navigate the path toward compliance, especially when it comes to determining the correct Self-Assessment Questionnaire (SAQ) form. The result is often a time-consuming and resource-intensive process with potential compliance gaps.

A Thoughtful Solution: Our PCI Compliance Software

In response to these challenges, we’ve launched our latest product, S2PCI, to assist with this process. S2PCI is PCI compliance software aimed at organizations that fall under PCI compliance Levels 2-4, because merchants at those levels are generally eligible to self-assess with a Self-Assessment Questionnaire (SAQ) rather than undergo an on-site assessment and Report on Compliance (RoC).

The following are the four merchant levels for PCI compliance. Each card brand sets its own thresholds; the figures below follow Visa’s, where Levels 1 and 2 are counted on total transactions and Levels 3 and 4 on e-commerce transactions. An acquirer or card brand can also assign a merchant a higher level, for example after a breach:

  • Level 1: Merchants processing over 6 million card transactions per year (annual on-site assessment and Report on Compliance, normally by a QSA)
  • Level 2: Merchants processing 1 to 6 million transactions per year
  • Level 3: Merchants handling 20,000 to 1 million e-commerce transactions per year
  • Level 4: Merchants handling fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year

Exploring the Evaluation Workflow

Setup:

Initiating the evaluation for the Card Acceptance Process (CAP).

Classification:

Answering a series of questions to determine business type, compliance level, and the correct SAQ form.

Avoiding the waste of resources associated with completing the wrong SAQ form.

Assessment (SAQ):

Completing the online SAQ form, including any required notes.

Achieving a compliant or non-compliant status for the CAP.

Remediation:

Organizing the collection of supporting evidence or pursuing further action on non-compliant requirements.

Achieving a compliant or non-compliant status for the CAP after remediation is completed.
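As an added illustration of the Classification step (example code written for this page, not S2PCI’s own logic), the Python below maps a merchant’s answers about how it accepts cards to a merchant level, using the Visa-style thresholds listed above, and to the SAQ type whose eligibility criteria those answers satisfy. The mapping is a simplified reading of the PCI SSC’s published SAQ eligibility criteria; the profile fields and their names are assumptions made for the example, and real eligibility is always agreed with your acquirer.

```python
"""Illustrative SAQ / merchant-level classifier (added example, not S2PCI's code).

Maps answers about how a merchant accepts cards to (a) a merchant level using the
Visa-style thresholds listed in the article and (b) the PCI DSS Self-Assessment
Questionnaire type whose published eligibility criteria those answers satisfy.
Simplified reading of the PCI SSC SAQ instructions; confirm with your acquirer.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CardAcceptanceProfile:
    # Field names are assumptions made for this example.
    annual_transactions: int                  # all card transactions per year
    ecommerce_transactions: int = 0           # the online subset of the above
    stores_electronic_chd: bool = False       # any electronic storage of cardholder data
    channel: str = "ecommerce"                # "ecommerce", "moto" (mail/telephone) or "pos"
    # card-not-present details
    fully_outsourced: bool = False            # processing entirely by PCI DSS validated third parties
    merchant_controls_redirect: bool = False  # merchant's page builds the redirect / direct post / JS
    virtual_terminal: bool = False            # staff key one transaction at a time into a hosted terminal
    # face-to-face details
    pos_device: Optional[str] = None          # "imprint_or_dial", "ip_pts", "p2pe", "pos_app"


def merchant_level(p: CardAcceptanceProfile) -> int:
    """Levels 1-2 are counted on total volume, levels 3-4 on e-commerce volume."""
    if p.annual_transactions > 6_000_000:
        return 1
    if p.annual_transactions >= 1_000_000:
        return 2
    if p.ecommerce_transactions >= 20_000:
        return 3
    return 4


def select_saq(p: CardAcceptanceProfile) -> str:
    # Electronic storage of cardholder data disqualifies every reduced-scope SAQ.
    if p.stores_electronic_chd:
        return "SAQ D"
    if p.channel in ("ecommerce", "moto"):
        if p.virtual_terminal:
            return "SAQ C-VT"
        if p.fully_outsourced and not p.merchant_controls_redirect:
            return "SAQ A"
        if p.channel == "ecommerce" and p.fully_outsourced:
            return "SAQ A-EP"   # third party processes, but the merchant's site controls the redirect
        return "SAQ D"
    if p.channel == "pos":
        by_device = {
            "imprint_or_dial": "SAQ B",   # imprint machines / standalone dial-out terminals
            "ip_pts": "SAQ B-IP",         # standalone PTS-approved IP-connected terminals
            "p2pe": "SAQ P2PE",           # hardware terminals in a validated P2PE solution
            "pos_app": "SAQ C",           # payment application systems connected to the internet
        }
        return by_device.get(p.pos_device, "SAQ D")
    raise ValueError(f"unknown channel {p.channel!r}")


def classify(p: CardAcceptanceProfile) -> dict:
    """The 'Classification' step: level, questionnaire, and whether an SAQ is even allowed."""
    level = merchant_level(p)
    saq = select_saq(p)
    # Level 1 merchants validate with an on-site assessment and Report on Compliance, not an SAQ.
    path = "RoC" if level == 1 else saq
    return {"level": level, "saq": saq, "validation": path}


if __name__ == "__main__":
    # Constructed profile for illustration: a small shop whose checkout is fully hosted elsewhere.
    shop = CardAcceptanceProfile(annual_transactions=50_000, ecommerce_transactions=50_000,
                                 fully_outsourced=True)
    print(classify(shop))
```

The two answers that move a merchant the furthest are the ones the selector checks first: any electronic storage of cardholder data, or a checkout page the merchant itself controls, pushes a business out of SAQ A into a much longer questionnaire, which is exactly the mistake that completing the wrong form hides.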

Outcomes of S2PCI

Efficiency:

Leveraging built-in logic to discern the correct SAQ form.

Facilitating the completion of the SAQ form online, significantly reducing the time required.

Accuracy:

Minimizing the risk of selecting the wrong SAQ form.

Ensuring documentation aligns precisely with PCI standards.

Alignment:

Providing a platform to document and track progress toward compliance standards.

Facilitating the systematic gathering of evidence for all requirements.

Centralization:

Organizing workload through automatic communications, an evaluation scheduler, and evidence collection.

More Than Checking the Compliance Box

SecurityStudio doesn’t just aim to sell a product but to contribute to the ongoing dialogue surrounding information security, and by extension, compliance. We acknowledge the many challenges of achieving PCI compliance, but we also encourage everyone to think beyond checking a compliance box. We intend to foster understanding, inspire discussions, and, most importantly, offer a practical solution that aligns with the broader goals of improving your information security posture, as well as securing payment data.

PCI Awareness Training Recommendation

Complementing the endeavor to streamline PCI compliance, we suggest anyone looking to expand their knowledge of PCI compliance consider the PCI Security Standards Council’s PCI Awareness Training. This training program is tailored for individuals wanting to enhance their understanding of PCI, particularly those within organizations obligated to adhere to the PCI Data Security Standard (PCI DSS).

Conclusion

The journey toward PCI compliance is undeniably challenging, but a thoughtful solution like S2PCI can significantly alleviate the burden. By simplifying the documentation process and providing a structured approach, organizations can not only meet compliance standards but also optimize their efforts. We encourage organizations to view PCI compliance as a critical aspect of their commitment to data security and operational integrity, not just a means to check the box. It’s just good business practice. As businesses continue to evolve in the digital landscape, thoughtful approaches to compliance become integral pillars of responsible and secure operations. If you’re interested in seeing a demonstration of our PCI compliance software, S2PCI, we’d love to show you in more detail! Book a demo with one of our team members.

Keeping passwords, financial information, and other personal data safe matters to companies and individuals alike; the practices below are the basic methods of securing that information.

Table of Contents:

  • Protecting your devices and networks is essential.
  • In order to keep personal information private, it is important for all employees of a company to follow these guidelines.
  • Protecting Your Identity
  • Protecting Your Credit
  • Social networking poses a huge risk to any business data.
  • Protecting Your Data Online
  • The importance of data security following a breach is important.



How to protect your data online

In other words: what steps can you take to secure your private information online and safeguard your data?

1. Encrypt your data.

Data encryption isn’t just for technology geeks; modern tools make it possible for anyone to encrypt emails and other information. “Encryption used to be the sole province of geeks and mathematicians, but a lot has changed in recent years. In particular, various publicly available tools have taken the rocket science out of encrypting (and decrypting) emails and files. GPG for Mail, for example, is an open-source plug-in for the Apple Mail program that makes it easy to encrypt, decrypt, sign, and verify emails using the OpenPGP standard. And for protecting files, newer versions of Apple’s OS X operating system come with FileVault, a program that encrypts the hard drive of a computer. Those running Microsoft Windows have a similar program.” On Windows that program is BitLocker. Keep in mind what full-disk encryption does and doesn’t do: it protects data at rest on a lost, stolen, or discarded machine, but once you have unlocked the disk and logged in, malware running in your session reads your files exactly as you can.

2. Backup Your Data.

One of the most basic, yet often overlooked, data protection tips is backing up your data. Basically, this creates a duplicate copy of your data so that if a device is lost, stolen, or compromised, you don’t also lose your important information. As the U.S. Chamber of Commerce points out, citing insurance company Nationwide, “According to Nationwide, 68% of small businesses don’t have a disaster recovery plan. The problem with this is the longer it takes you to restore your data, the more money you’ll lose. Gartner found that this downtime can cost companies as much as $300,000 an hour.” Twitter: @growwithco

The cloud is a good option for backup.

While you should use sound security practices when you’re making use of the cloud, it can provide an ideal solution for backing up your data. Since data is not stored on a local device, it’s easily accessible even when your hardware becomes compromised. “Cloud storage, where data is kept offsite by a provider, is a guarantee of adequate disaster recovery,” according to this post on TechRadar. Twitter: @techradar

A backup is only as good as its restore and its access control: keep versioning or immutability enabled so that ransomware or a compromised account cannot overwrite or delete the copies, protect the backup account with multi-factor authentication, and test a restore periodically.

It is important to protect your computer with anti-malware software.

Malware is a serious issue plaguing many computer users, and it’s known for cropping up in inconspicuous places, unbeknownst to users. Anti-malware protection is essential for laying a foundation of security for your devices. “Malware (short for malicious software) is software designed to infiltrate or damage a computer without your consent. Malware includes computer viruses, worms, trojan horses, spyware, scareware, and more. It can be present on websites and emails, or hidden in downloadable files, photos, videos, freeware, or shareware. (However, it should be noted that most websites, shareware or freeware applications do not come with malware.) The best way to avoid getting infected is to run a good anti-virus protection program, do periodic scans for spyware, and avoid clicking on suspicious email links or websites. But scammers are sneaky: sometimes malware is cleverly disguised as an email from a friend, or a useful website. Even the most cautious of web surfers will likely pick up an infection at some point,” explains Clark Howard. Twitter: @ClarkHoward

3. Delete the data on old hard drives so they can’t be read.

Much information can be gleaned through old computing devices, but you can protect your personal data by making hard drives unreadable before disposing of them. “Make old computers’ hard drives unreadable. After you back up your data and transfer the files elsewhere, you should sanitize by disk shredding, magnetically cleaning the disk, or using software to wipe the disk clean. Destroy old computer disks and backup tapes,” according to the Florida Office of the Attorney General. Twitter: @AGPamBondi

Note that magnetic cleaning (degaussing) and software overwriting are techniques for spinning disks. On an SSD, wear-levelling keeps copies of data in blocks the software cannot reach, so use the drive’s own secure-erase command, destroy the encryption key if the drive was encrypted from the start, or destroy the drive physically.

Install operating system updates, whichever operating system you use.

Operating system updates are a gigantic pain for users; it’s the honest truth. But they’re a necessary evil, as these updates contain critical security patches that will protect your computer from recently discovered threats. Failing to install these updates means your computer is at risk. “No matter which operating system you use, it’s important that you update it regularly. Windows operating systems are typically updated at least monthly, typically on so-called ‘Patch Tuesday.’ Other operating systems may not be updated quite as frequently or on a regular schedule. It’s best to set your operating system to update automatically. The method for doing so will vary depending upon your particular operating system,” says PrivacyRights.org. Twitter: @PrivacyToday

You should automate updates on your software, so you don’t have to worry about them.

In order to ensure that you’re downloading the latest security updates from operating systems and other software, enable automatic updates. “Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option,” suggests StaySafeOnline.org. Twitter: @StaySafeOnline

It’s important to protect your wireless network at home or in the workplace.

A valuable tip for both small business owners and individuals or families: always secure your wireless network with a password. This prevents unauthorized individuals within range from hijacking your wireless network. Even if they’re merely attempting to get free Wi-Fi access, you don’t want to inadvertently share private information with other people who are using your network without permission. “If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router,” says FCC.gov in an article offering data protection tips for small businesses. Twitter: @FCC

Treat hiding the SSID as housekeeping rather than a security control: your own devices still send the network name in probe requests, and a wireless sniffer recovers it in seconds. The protections that matter are WPA2 or WPA3 with a long passphrase, a changed administrator password on the router, and WPS and remote administration switched off.

4. Turn Off Your Computer.

When you’re finished using your computer or laptop, power it off. Leaving computing devices on, and most often, connected to the Internet, opens the door for rogue attacks. “Leaving your computer connected to the Internet when it’s not in use gives scammers 24/7 access to install malware and commit cybercrimes. To be safe, turn off your computer when it’s not in use,” suggests CSID, a division of Experian. Twitter: @ExperianPS_NA

5. Use A Firewall.

“Firewalls assist in blocking dangerous programs, viruses or spyware before they infiltrate your system. Various software companies offer firewall protection, but hardware-based firewalls, like those frequently built into network routers, provide a better level of security,” says Geek Squad. Twitter: @GeekSquad

A router firewall only filters traffic crossing from the internet into your network; it does nothing between devices that are already inside it. Keep the host firewall (Windows Defender Firewall, the macOS application firewall) enabled as well, so a compromised laptop or smart device on the same Wi-Fi cannot reach your machine’s services.

Give every account, including your own, as little privilege as possible.

Indiana University Information Technology recommends following the Principle of Least Privilege (PoLP): “Do not log into a computer with administrator rights unless you must do so to perform specific tasks. Running your computer as an administrator (or as a Power User in Windows) leaves your computer vulnerable to security risks and exploits. Simply visiting an unfamiliar Internet site with these high-privilege accounts can cause extreme damage to your computer, such as reformatting your hard drive, deleting all your files, and creating a new user account with administrative access. When you do need to perform tasks as an administrator, always follow security procedures.” Twitter: @IndianaUniv

6. Use “Passphrases” Rather Than “Passwords.”

What’s the difference? “…we recommend you use passphrases–a series of random words or a sentence. The more characters your passphrase has, the stronger it is.  The advantage is these are much easier to remember and type, but still hard for cyber attackers to hack.” explains SANS. Twitter: @SANSAwareness. CISA also has a great resource for creating strong passphrases.
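To make SANS’s point measurable, here is an added example (written for this page, not SANS’s or CISA’s code) that scores a password or passphrase by entropy, the number of equally likely possibilities an attacker must search. It shows that the extra characters in a passphrase only add strength when the words are chosen at random from a large list: five words from a 32-word list are weaker than an 8-character random password, while five words from the 7,776-word EFF list are stronger. The 32-word list is constructed for the example; a real list such as EFF’s long diceware list has 7,776 entries.

```python
"""Passphrase strength as entropy (added example; not the page's or SANS's code).

Strength comes from how many equally likely choices the attacker must try, so it is
computed from the size of the pool each element is drawn from and the number of
elements, never from character count alone.
"""
import math
import secrets

# Constructed 32-word list so the example runs offline. Real diceware lists are much
# larger; EFF's long list has 7,776 words, used below only for the arithmetic.
DEMO_WORDLIST = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "meadow", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "timber", "umpire", "velvet", "walnut", "xenon",
    "yellow", "zipper", "anchor", "basket", "copper", "desert", "ember", "falcon",
]
EFF_LONG_LIST_SIZE = 7776
PRINTABLE_ASCII = 94   # characters available to a fully random keyboard password


def entropy_bits(pool_size: int, elements: int) -> float:
    """Bits of entropy in `elements` independent uniform draws from `pool_size` choices."""
    return elements * math.log2(pool_size)


def words_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of random words from a pool of `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(words: int = 5, wordlist=DEMO_WORDLIST, sep: str = " ") -> str:
    """Draw words with the CSPRNG-backed `secrets` module, never the `random` module."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare() -> dict:
    """Side-by-side entropy of the usual candidates, rounded to one decimal."""
    return {
        "password_8_random_chars": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "passphrase_5_words_eff": round(entropy_bits(EFF_LONG_LIST_SIZE, 5), 1),
        "passphrase_5_words_demo_list": round(entropy_bits(len(DEMO_WORDLIST), 5), 1),
        "eff_words_for_80_bits": words_needed(80, EFF_LONG_LIST_SIZE),
    }


if __name__ == "__main__":
    print(generate_passphrase())
    print(compare())
```

The numbers only hold for words picked at random; a sentence you compose yourself draws from a far smaller, very predictable pool, so it is worth far less than its length suggests.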

7. Encrypt the data on removable storage, and PIN-lock your SIM.

Encrypting your data on your removable storage devices can make it more difficult (albeit not impossible) for criminals to interpret your personal data should your device become lost or stolen. USB drives and SIM cards are excellent examples of removable storage devices that can simply be plugged into another device, enabling the user to access all the data stored on it. Unless, of course, it’s encrypted. “Your USB drive could easily be stolen and put into another computer, where they can steal all of your files and even install malware or viruses onto your flash drive that will infect any computer it is plugged into. Encrypt your SIM card in case your phone is ever stolen, or take it out if you are selling your old cell phone,” according to Mike Juba in an article on Business2Community. Twitter: @EZSolutionCorp

In practice a SIM card is not something you encrypt. What you can do is enable its PIN so that it cannot be moved to another phone and used for calls, texts, or SMS-based verification codes, while the phone’s own storage encryption protects the data on the handset. For USB drives, use BitLocker To Go (Windows), LUKS via cryptsetup (Linux), a cross-platform container tool such as VeraCrypt, or a hardware-encrypted drive.

8. Don’t keep written passwords on or with your laptop or mobile device.

A Post-It note stuck to the outside of your laptop or tablet is “akin to leaving your keys in your car,” says The Ohio State University’s Office of the Chief Information Officer. Likewise, you shouldn’t leave your laptop in your car. It’s a magnet for identity thieves. Keep passwords in a password manager instead. Twitter: @OhioState

If you don’t need file or media sharing, disable it. Every share is one more thing exposed to whoever else is on the network.

If you have a home wireless network with multiple devices connected, you might find it convenient to share files between machines. However, there’s no reason to make files publicly available if it’s not necessary. “Make sure that you share some of your folders only on the home network. If you don’t really need your files to be visible to other machines, disable file and media sharing completely,” says Kaspersky. Twitter: @kaspersky

When you want to encrypt your data, create encrypted volumes.

One of the best ways to encrypt files is by making an encrypted volume: a container file or partition whose contents are readable only while it is mounted with the key. VeraCrypt does this on Windows, macOS, and Linux, and LUKS (through cryptsetup) does it natively on Linux.

9. Overwrite Deleted Files.

PCWorld describes tools that overwrite deleted data on Windows operating systems so that your information is not recoverable by anyone who knows what they’re doing. Overwriting is only dependable on spinning disks and on filesystems that write in place; on SSDs the controller remaps blocks, and snapshots or journaling can keep an older copy, so full-disk encryption from day one and a secure erase at disposal are the reliable answer.
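As an added example serving both this tip and the earlier one on sanitizing old drives (example code written for this page, not PCWorld’s tool), here is the overwrite-then-unlink technique in Python: every byte of the file is replaced with random data, each pass is forced to disk with fsync, the file is truncated and renamed so neither its size nor its name lingers in directory metadata, and only then is it unlinked. The demo() function and its cardholder-data marker are constructed for the example. The caveat above still applies: this is only meaningful where the filesystem writes in place; on an SSD, or where snapshots exist, the old blocks may survive.

```python
"""Overwrite-then-delete for a single file (added example; not PCWorld's or the page's tool).

Meaningful on magnetic disks with in-place filesystems. On SSDs, or with snapshots or
journaling in play, rely on full-disk encryption plus the drive's secure erase instead.
"""
import os
import secrets
import tempfile
from pathlib import Path


def overwrite_in_place(path, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Replace every byte of `path` with random data `passes` times, fsyncing each pass.
    Returns the total number of bytes written."""
    p = Path(path)
    size = p.stat().st_size
    written = 0
    with open(p, "r+b", buffering=0) as f:      # unbuffered: writes go straight to the OS
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))   # CSPRNG output, not a fixed pattern
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())                  # force the pass onto the disk, not just the cache
    return written


def secure_delete(path, passes: int = 1) -> int:
    """Overwrite, shrink to zero, rename to a random name, then unlink."""
    p = Path(path)
    written = overwrite_in_place(p, passes)
    with open(p, "r+b") as f:
        f.truncate(0)                             # original size no longer recoverable from metadata
    anon = p.with_name(secrets.token_hex(8) + ".tmp")
    p.rename(anon)                                # original name no longer in the directory entry
    anon.unlink()
    return written


def demo(marker: bytes = b"CARDHOLDER-DATA-0000") -> dict:
    """Constructed end-to-end check: write a known marker, overwrite, confirm it is gone, delete."""
    fd, name = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker)
    overwrite_in_place(name)
    after = Path(name).read_bytes()               # what a recovery tool would see on disk now
    written = secure_delete(name, passes=2)
    return {
        "size": len(marker),
        "marker_survived": marker in after,
        "same_size": len(after) == len(marker),
        "bytes_written_on_delete": written,
        "still_exists": Path(name).exists(),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the marker gone from the file before it is unlinked; a real tool would also walk free space and any copies the application saved elsewhere, which is why the encrypt-from-day-one advice is the stronger answer.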

Make sure to delete old files from your cloud backup.

If you’re diligent about backing up your data and use a secure cloud storage service to do so, you’re headed in the right direction. That said, cloud backups, and any data backups really, create an added step when it comes to deleting old information. Don’t forget to delete files from your backup services in addition to those you remove (or overwrite) on your local devices. “If you back up your files to the cloud, remember that even though you delete them on your computer or mobile device, they’re still stored in your cloud account. To completely delete the file, you’ll also need to remove it from your backup cloud account,” says re/code. Twitter: @Recode

10. Data Protection Tips for Mobile Devices

It’s important to be aware of the privacy settings in your apps and configure them as necessary.

Most apps offer privacy settings for users, enabling you to determine how much and what types of information are shared or stored. Always choose the least amount of data-sharing possible. Casey Chin from Wired explains, “You probably spend a lot of your day inside apps: catching up on the news, playing music and movies, keeping in touch with friends, racing cartoon characters around a track, and so on. Every once in a while though, it’s worth running an audit on these apps to make sure they’re not overreaching and going beyond their remit—collecting more data about you and controlling more of your devices than you’d like.” Twitter: @WIRED

Enable device tracking and remote wipe.

“If your gadget is lost or stolen, tracking apps can tell you exactly where your phone is. These apps also let you wipe sensitive information remotely. If your phone does end up landing in the wrong hands, you can at least make sure they don’t get your information,” says Kim Komando. Twitter: @kimkomando

11. Immediately after setting up your phone, make sure to change the privacy settings.

When configuring a new device or operating system, configuring privacy settings should be the first order of business. This ensures that you’re not inadvertently sharing sensitive information as you set up your standard apps and services. “The minute you download and install iOS 8, the latest version of Apple’s mobile operating system for iPhone and iPad, you should take note of these privacy steps in order to lock down your device. iOS 8 has a number of new features tied to your location. It also has new privacy settings, allowing users to limit how long data is stored, such as message expiry features and new private browsing settings…Before you do anything like customizing your phone, loading new apps, or syncing your data for the first time, these first seven settings need to be checked, and if necessary, changed,” explains Zack Whittaker in an article appearing on ZDNet. The specifics date from iOS 8, but the principle is the same on any current iOS or Android release. Twitter: @zackwhittaker

With MyPermissions.com, you can control app permissions all at once.

MyPermissions.com is a tool that lets you check your permission settings across many apps, reminds you to clean them up through mobile alerts, and shows which apps can access your personal information so that you can revoke that access with one click.

Lock your phone and tablet at all times.

Practically everyone has a smartphone, tablet, or both these days. All it takes is a single mishap where your device slips out of your pocket or briefcase at a restaurant or on public transportation, and your data could wind up in the hands of someone who will use it maliciously. You can take steps to protect your data in the event of a lost or stolen device, however, beginning with locking your device. When your device is locked, a thief must crack your password before gaining access to your apps or personal information, adding a layer of protection. Unfortunately, many don’t lock their devices, says Monica Anderson of Pew Research, “More than a quarter (28%) of smartphone owners say they do not use a screen lock or other security features to access their phone.” Twitter: @pewresearch

12. Make sure to back up any data on your mobile device.

It’s important to back up data from your mobile devices, not just desktops or laptops. An automation service such as IFTTT (If This Then That) can copy important files such as photos and work documents to your backup location without you having to remember to do it.

13. Disable automatic cloud uploads you haven’t reviewed.

Some devices automatically back up your data to the cloud, and some apps used on smartphones or tablets store information on remote servers. Yes, having a backup of your data is a good thing, but the backup should be accessible only by you or someone you authorize. You can prevent your devices from sending your personal photos and other information to accounts you haven’t reviewed or secured by disabling automatic backup settings on your device and in individual apps. In an article on BBC, Colin Barras explains, “As cloud services grow it’s becoming common for devices like smartphones to upload user data to remote servers by default. If you’re at all worried about some of your photos falling into the hands of malicious parties it’s probably not a bad idea to check your phone settings to see what data is being automatically backed up to the cloud, and disable automatic uploading.” Twitter: @BBC_Future

14. When you’re not using Bluetooth, turn it off.

Bluetooth technology has offered incredible conveniences to the mobile world, but it also opens the door to vulnerabilities. Most threats exploiting Bluetooth connectivity depend on Bluetooth being switched on, and while many are more nuisance than disaster, some are serious. “Bluetooth attacks depend on exploiting the permission request/grant process that is the backbone of Bluetooth connectivity. Regardless of the security features on your device, the only way to completely prevent attackers from exploiting that permission request/grant process is to power off your device’s Bluetooth function when you’re not using it — not putting it into an invisible or undetectable mode, but completely turning it off (there are bad apps that can power your device back on, just one more reason overall app security is vital),” advises Kaspersky Lab. Twitter: @kaspersky

15. Get protection for your phones and tablets, especially if you use them to access the internet.

Anti-malware protection software is a given for most computer users, but many consumers still overlook the importance of protecting mobile devices from the growing number of malware programs impacting all types of mobile devices. Just a few years ago, however, security options for mobile devices offered mediocre protection against threats, at best. “Besides antivirus and malware scanning, security apps for Android also offer a full security suite with features such as device location, remote wipe, backup, and suspicious-URL blocking. These extra features usually require a premium subscription, but most apps offer a minimal, basic level of protection for free, including malware scanning,” according to an article on PCWorld. Twitter: @pcworld

16. Review which notifications can appear on your lock screen.

Push notifications are notices posted to your device’s lock or home screen so that you don’t miss important information or updates. “Many applications send proactive notifications to your phone’s home screen. In general, these notifications are valuable and make it easy to keep track of what’s happening in your favorite applications. Personal health applications may send these types of notifications as well. If you are using applications that use push notifications, review them to ensure that sensitive data isn’t being shared unexpectedly to your home screen. You don’t want your personal health data laying out in plain sight on your phone,” according to an article on TrueVault. Twitter: @TrueVault

17. If you use an Apple device, enable Touch ID or Face ID.

If you use an iPhone 5s or later, you can take advantage of an added security measure known as Touch ID, Apple’s fingerprint sensor (newer models use Face ID on the same principle). “The actual image of your fingerprint is not stored anywhere and is instead converted to a mathematical representation of a fingerprint that cannot be reverse-engineered into one. This mathematical representation is stored in a Secure Enclave within your phone’s chip, and is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else.” Biometrics make unlocking convenient enough that you can afford a long passcode, and you should set one: the passcode remains the root secret, is required after a restart, and is what someone holding your phone will ultimately attack.

18. Set Up Content Filters.

If you have children who use mobile devices, make sure to set up content filters through your wireless provider or on the device itself. These filters block certain types of content and keep your child from going to websites with inappropriate or malicious information.

One way to keep your device secure is by setting it up so that it locks after a period of inactivity.

Most smartphones and tablets enable you to set a specified time frame, after which the device automatically locks if it’s been inactive. This means if you lose your smartphone, but it wasn’t locked, it will lock on its own, ideally before a thief obtains it and attempts to access your personal information. “Configure your settings to ensure that your device locks after a short period of time,” says DeviceCheck.ca, formerly known as ProtectYourData.ca. Twitter: @CWTAwireless

19. Don’t install apps that you don’t need.

There are new apps entering the market constantly. But too many apps running in the background not only slow down your smartphone or tablet; some of them could also be sharing your personal information, even your current location via GPS, without your knowledge. Don’t install apps unless they’re from trusted sources. “The problem is that many third-party app stores are not safe. If you choose to download an APK file and install it yourself, you could be putting malware on your device. You may also be sent an APK file in an email or a text message, or you could be prompted to install one after clicking on a link in your web browser. It’s best not to install these unless you are certain it is safe,” according to an article on Digital Trends. Twitter: @DigitalTrends

20. Make sure your smartphone is secured and out of reach from would-be thieves.

While remote wiping and location-tracking solutions are great for finding your device and protecting your data if it’s been stolen, the ideal solution is to avoid having your smartphone or other device stolen in the first place. “One of your best ‘grab-prevention’ options is a wireless proximity alarm system. These handy app/device combos let you know when your phone gets more than the pre-set distance limit from the proximity device (which is usually small enough to fit on a key ring),” ComputerWorld recommends. Twitter: @computerworld

21. Put a firewall on your phone.

Firewalls aren’t just for servers and browsers; you can get a personal firewall for your mobile device, too. MySecurityAwareness.com suggests installing “an on-device personal firewall to protect mobile device interfaces from direct attack.”

22. Before donating or discarding, set the device to factory defaults and wipe it clean.

Don’t just give your old mobile devices to someone else, particularly someone you don’t know, without first wiping them clean and restoring them to factory settings. Otherwise, you’re basically handing over all your personal data to whoever ends up with your old smartphone or tablet. “Many security experts say performing a factory reset on your old phone is exactly what you’re supposed to do if you plan to sell or donate it. According to the nation’s major wireless carriers, a reset will erase all personal information – such as texts, contact lists, photos, and important user data – from your phone’s memory,” says WTHR.com. But this method isn’t foolproof; in fact, 13 Investigates put this very theory to the test and found that in some cases a factory reset will wipe a device clean, and in others it won’t. The solution? Do a factory reset as a precaution, but do your research and determine the best way to discard your device or clean it before donating it to charity. Twitter: @WTHRcom

23. Be aware that people can hear what you’re saying on your phone when in public.

If you have time to kill on your morning commute, you might browse the virtual shopping aisles, but be mindful of who is sitting beside you or behind you. Criminals can easily peep over your shoulder and watch as you enter passwords, credit card details, and other information. “A long commute on a bus or a train is the perfect time to get some holiday shopping done, but beware of that stranger sitting next to you. Your neighbors might try and read your screen and steal your credit card number or other information. Investing in a privacy screen or filter can significantly reduce the risk of peeping thieves. Screen protectors come in all shapes and sizes and at Best Buy, you can find the one that’s best for your favorite tech gadget,” advises BestBuy in an article offering tips for keeping your digital data safe on Cyber Monday (and really, anytime you’re shopping online). Twitter: @BBYNews

24. Protecting Your Identity

Decide for yourself what you think is personally identifiable information, such as your name and email address.

ComputerWorld asks six privacy experts for their recommendations for protecting data in the modern digital age. “‘The traditional definition of personally identifying information (PII) — health records, credit card numbers, social security numbers, etc. — is so 20th century. The big data age of the Internet is upon us, and even data not previously considered to be PII can feel very personal when viewed in a broader context. ‘Bits of data, when combined, tell a lot about you,’ says Alex Fowler, chief privacy officer at Mozilla. Those aggregated bits, which constitute the new PII, may include such information as your email address, browsing history, and search history. ‘The definition of PII — information that a person has a legitimate interest in understanding and protecting — is going to be broadened as we move further into the information society,’ says Fowler. ‘It’s a different footprint than what your parents ever thought about. Think about what you consider personal information,’ Fowler adds. ‘You need a working definition.’” Twitter: @Computerworld

25. Use Secure Passwords.

Passwords are easily cracked by hackers, particularly if you don’t use sound password-creation practices. The best passwords contain uppercase and lowercase letters, numbers, and special characters. You should also avoid using easily guessed words or alphanumeric combinations, such as the names of children or pets, birth dates, addresses, and similar information that can be easily guessed by someone looking at your Facebook profile or through a Google search. “The shorter and less complex your password is, the quicker it is for cybercriminals to come up with the correct combination of characters in your password,” suggests the CSA Alliance. Twitter: @CSAsingapore

Passwords should never contain personally identifiable information.

Don’t use numbers or combinations associated with other personally identifiable information as all or even part of your passwords. “Don’t use any part of your social security number (or any other sensitive info, like a credit card number) as a password, user ID, or personal identification number (PIN). If someone gains access to this information, it will be among the first things they use to try to get into your account,” Bank of America advises. Twitter: @BofA_News

When you’re too cautious, people might think that there’s something wrong.

When you’re online, it’s important to be careful about who has access to your personal information. Who is asking for this information? Why do they need it, and what will happen with it? Do they have security measures in place, or can anyone see my private data if I provide them with that information?

26. When hiring, be wary of people who pretend to represent a company and try to get you on board with their offer.

Related to the previous tip, there are many impostors who attempt to trick unsuspecting consumers into giving out their sensitive personal information by pretending to be the individual’s bank, credit card company, or other entity. This can happen by phone or online, via phishing emails or websites designed to mimic the authentic company’s look and feel. “Make sure you know who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail, or over the Internet unless you’ve initiated the contact or know who you’re dealing with. If a company that claims to have an account with you sends an email asking for personal information, don’t click on links in the email. Instead, type the company name into your web browser, go to their site, and contact them through customer service. Or, call the customer service number listed on your account statement. Ask whether the company really sent a request,” advises the Federal Trade Commission. Twitter: @FTC

27. Share Passwords Carefully.

This data protection tip has been emphasized by many security experts, but there are still a lot of people who don’t follow this advice. The truth is, it’s impractical in the modern environment. Many families need to share passwords for bank accounts and credit cards with spouses or children, and they may also have shared logins for Netflix accounts at work. You should never give out your password without concern; instead, you can determine when another person legitimately needs access to something from your personal information or account on a case-by-case basis.

Don’t use the same password for multiple accounts or services.

Password managers are really great if you have any accounts or passwords that you don’t want to share. With a password manager, it’s easy to make sure your information is safe.

28. Be careful to watch for people stealing your government-issued identification numbers.

Thieves don’t always go after credit and debit cards; sometimes, they steal important government-issued identification numbers, such as driver’s license numbers or Social Security numbers in an attempt to assume another individual’s identity. “If you are notified of a breach involving your driver’s license or another government document, contact the agency that issued the document and find out what it recommends in such situations. You might be instructed to cancel the document and obtain a replacement. Or the agency might instead ‘flag’ your file to prevent an imposter from getting a license in your name,” suggests PrivacyRights.org. Twitter: @PrivacyToday

29. Don’t write down your passwords.

It’s tempting to keep a written list of passwords, or even a single password written down in a notebook or, worse yet, a sticky note. But this is a bad idea, as it makes it extraordinarily easy for someone else to steal your login information and access your accounts without your permission. “Writing your password on a ‘sticky note’ and sticking it on your monitor makes it very easy for people who regularly steal passwords to obtain yours. Hiding it under your keyboard or mouse pad is not much better, as these are common hiding places for passwords. However, if you must write something down, jot down a hint or clue that will help jog your memory or store the written password in a secure, locked place,” says SANS.org. Twitter: @SANSInstitute

30. Instead of having one giant list, divide them into groups.

By using a different system for creating passwords for different types of websites, such as social networking websites, financial institutions, and other membership sites, you ensure that should a hacker crack one of your algorithms, they won’t immediately be able to crack all of your accounts’ passwords. “First up, group your passwords by function — social media, financial information, work — and use a different approach for creating passwords within each group. That way, if a hacker figures out your Facebook password, he won’t be just clicks away from your bank account,” explains an article on the Boston Globe. Twitter: @BostonGlobe

31. Unless it’s absolutely necessary, try not to fax sensitive information.

Faxing can be a convenient way to send information quickly, but it’s not possible to ensure that the intended recipient is the person who receives the document on the other end, or that the information isn’t visible to someone else in the process of transporting it to another department or individual. “Personal information should not be sent by fax unless it is necessary to transmit the information quickly. It is important that sufficient precautions are taken to ensure that it is received only by its intended recipient,” says BCMJ.org. Twitter: @BCMedicalJrnl

32. Make sure you shred documents and statements before throwing them out.

Most consumers receive an abundance of mail largely considered junk mail. Credit card statements, bank account statements, notifications regarding other accounts, credit card offers, and more plague the mailboxes of consumers across the U.S. While online access to accounts has made printed statements practically unnecessary, many consumers simply toss these items out when they’re received. But doing so without first shredding them could put your personal information in the hands of thieves. “Identity theft is the nation’s number one complaint, according to the Federal Trade Commission. One of the most common methods used by thieves to steal personal information is dumpster diving, which entails rummaging through trash looking for old bills or other documents that contain personal information,” explains Katie Delong, in an article for Fox 6 Now. Fellowes.com offers an informative list of documents that should be shredded, as well as best practices for document shredding to ensure adequate data protection. Twitter: @FellowesInc

33. Whenever you have old data that’s no longer useful, delete it from your computer.

Keeping your computer and mobile devices clean is a good practice to ensure usability, but it’s also wise to eliminate old data you no longer need. Why give potential criminals more info than absolutely necessary? “Keep only the data you need for routine current business, safely archive or destroy older data, and remove it from all computers and other devices (smartphones, laptops, flash drives, external hard disks),” advises the Massachusetts Institute of Technology. Twitter: @mit_istnews

34. Always make sure to dispose of electronics properly.

It’s true that nothing is ever really deleted permanently from a computing device; hackers and technologically savvy criminals (and, of course, the FBI) are often able to recover information from hard drives if they haven’t been properly disposed of. “Document shredding and electronics recycling are two of the most effective ways to dispose of sensitive records, data, documents, and information. Electronic devices, even when no longer in use, often retain confidential personal information that can fall into the wrong hands if disposed of incorrectly,” the Better Business Bureau says. Twitter: @bbb_media

35. Protecting Your Credit

If you’re using a debit card, it’s best to sign the receipt instead of entering your PIN.

When possible, ask cashiers to process your debit card as a credit card transaction. Not all retail stores allow this (it results in a small processing fee to be paid by the retailer), but most do. It’s often simpler just to enter your PIN, but it also makes it easier for thieves to steal all the information they need to make unauthorized purchases using your card. “Not entering your PIN into a keypad will help reduce the chances of a hacker stealing that number too, Young says. Crooks can do more damage with your PIN, possibly printing a copy of the card and taking money out of an ATM, he says. During Target’s breach last year, the discount retailer said hackers gained access to customers’ PINs. Home Depot, however, said there was no indication that PINs were compromised in the breach at its stores,” explains Joseph Pasani in an Associated Press article appearing on USA Today. Twitter: @USATODAY

Set up an email alert for transactions, so you know when a purchase has been made with your card.

If your bank or credit card company offers this service, sign up to receive an email alert when your card has been used for a transaction. This makes it easy to pinpoint charges you didn’t make and allows you to take rapid action to cancel cards. “Sign up for email alerts when something is charged to the account. Not all banks will offer this, but these alerts let you know when a new transaction has been made using your card,” says CT Watchdog. Twitter: @ctwatchdog

36. Review Your statements on a regular basis.

“Review your bank and credit card statements regularly to look for suspicious transactions. If you have online access to your bank and credit card accounts, it is a good idea to check them regularly, perhaps weekly, for transactions that aren’t yours. Contact your bank or credit card issuer immediately to report a problem. Debit card users in particular should promptly report a lost card or an unauthorized transaction. Unlike the federal protections for credit cards that cap losses from fraudulent charges at $50, your liability limit for a debit card could be up to $500, or more, if you don’t notify your bank within two business days after discovering the loss or theft,” advises FDIC.gov. Twitter: @FDICgov

Make sure you review every transaction on your statements, regardless of how small it is.

Fraudsters don’t always make major purchases with stolen cards. In fact, there have been some otherwise legitimate companies that have scammed their own customers by charging small amounts to credit and debit cards they believed would go unnoticed by consumers. Jack Ablin, chief investment officer at BMO Private Bank in Chicago, talks with ChicagoBusiness.com about his experience: “Mr. Ablin says those who pay with credit should be vigilant about tracking their bills. He recalls after a recent online order he placed for flowers that a random charge for $1.99 appeared on his account from an unknown source. He found that the flower company he used was scamming people for this small amount. He figures the company believed most people wouldn’t notice the relatively small amount. ‘Don’t necessarily look for the Hawaiian vacation on your statement,’ Mr. Ablin says.” Twitter: @CrainsChicago

37. Help following a data breach is not always genuine.

It’s an unfortunate reality that a data breach impacting a major corporation and, therefore, hundreds of thousands of its customers, spells an opportunity for thieves. “Be very careful about responding to an unsolicited e-mail promoting credit monitoring services, since many of these offers are fraudulent. If you’re interested in credit monitoring and it’s not being offered for free by your retailer or bank, do your own independent research to find a reputable service,” suggests FDIC.gov. Twitter: @FDICgov

If you get a call from someone saying they’re your bank, hang up. It’s probably a scam.

Calling one of the three major credit bureaus (Experian, Equifax, and TransUnion) and asking for a one-call fraud alert is a great way to stay on top of suspicious activity. “You only need to call one of the three credit bureaus. The one you contact is required to contact the other two. This one-call fraud alert will remain in your credit file for at least 90 days. The fraud alert requires creditors to contact you before opening any new accounts or increasing credit limits on your existing accounts. When you place a fraud alert on your credit report, you are entitled to one free credit report from each of the three credit bureaus upon request,” suggests Office of Minnesota Attorney General Lori Swanson.

38. Shop on Familiar Websites.

There are hundreds of thousands of online retailers, known as e-commerce vendors, some more credible than others. Always opt to shop with a well-known retailer you’re familiar with, rather than smaller, unfamiliar sites that could merely be a facade for credit card theft. “When it comes to online shopping, it’s best to use a trusted website rather than selecting a random website with a search engine. If you’re familiar with the company and website, it’s easier to avoid scams. For instance, many consumer items can be bought just as easily for competitive prices using Amazon.com vs. finding boutique online shopping. Amazon has a reputation and regulations to uphold,” according to NENS.com. Additionally, major online retailers are more likely to offer fraud protection options and the ability to return damaged or defective merchandise. Twitter: @4NENS

39. Get A Free Credit Report.

Secura Insurance Companies recommends getting a copy of your credit report annually. “The FACT Act of 2003 entitles you to a free credit report once a year from the three credit bureaus. The reports should be examined for fraudulent activity. To obtain your free annual credit report, either order online via www.annualcreditreport.com, or by telephone at (877) 322-8228. For the mail-in form, go to https://www.annualcreditreport.com/cra/requestformfinal.pdf.” This allows you to pinpoint suspicious activity and identify accounts that you haven’t opened. Twitter: @SecuraInsurance

40. Don’t do any shopping online for personal or business purchases without being careful.

Because shopping online is one of the easiest ways to get your credit card number stolen, some experts suggest maintaining a separate, low-balance credit card specifically for online purchases. “Online shopping security is a concern for everyone who makes purchases on the Internet, but it is also an important issue for business leaders — and not just those in the retail sector. Firms also go shopping online, and their employees frequently make business purchases on the company credit card,” explains Security Intelligence. Twitter: @IBMSecurity

41. Protecting Your Data on Social Networking

If you are on social media, don’t share too much information. It’s important to keep your personal and professional life separate.

Social networking has become a way of life for many individuals, but sharing too much personal information on your social media profiles can be dangerous. For instance, many hackers have successfully guessed passwords through trial-and-error methods, using combinations of common information (such as children’s names, addresses, and other details) easily found on users’ social media profiles. “Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections,” advises the United States Computer Emergency Readiness Team (US-CERT). Twitter: @USCERT_gov

42. Be careful about the information you’re sharing and how it’s being used.

Social networks like Facebook enable users to customize their privacy settings. On Facebook, for instance, you can choose who is able to see the content you post and who is able to view information on your profile, such as your place of employment, birth date, and hometown. Always choose the highest level of privacy possible to ensure that your personal data doesn’t end up in the hands of someone with malicious intent. “The content you post online will be around for a long time, but you can customize privacy settings on most social media sites. This will affect who can contact you and who can see the information you post. Be choosy: while it’s fun to share information, keep your online reputation in mind. And if you over-disclose information publicly, it could be used by identity thieves to hijack your identity,” suggests the Chronicle of Data Protection. Twitter: @HLPrivacy

43. Don’t trust “friends” who claim to be mugged or have other unbelievable stories.

Scams of this kind have been run on Facebook: thieves masquerading as a user’s friends ask for money, claiming to have been mugged in a foreign country. The ruse is often successful because people don’t realize what’s going on until they’ve already sent the money.

44. If you come across a suspicious Facebook user, block them.

For users you don’t know outside of Facebook who befriend you and then make you uncomfortable by asking repeated, personal questions or pressuring you to meet them offline, blocking them is a viable option. “You also have a ‘Block List’ feature in your privacy settings. If you choose to block people, you cannot interact with them on Facebook at all,” says Just Ask Gemalto. Blocking shady users means they cannot message you, contact you, or see that you’re online. In fact, they cannot view your profile at all. Twitter: @JustAskGemalto

45. Protect Your Tweets.

If you’re using Twitter for your business, make sure to set it so that any Tweets are publicly available. However, if you use the site just for personal communications, then keep them private and only allow approved followers to view what you post.

It’s important to check privacy settings and make sure that they’re still what you want them to be.

Privacy options are always changing on social networking platforms, so be sure to check your personal settings regularly and make adjustments as needed. “Content uploaded to social media platforms is not always secure, so it’s imperative to understand how to use the privacy features your social media sites have to offer,” according to Social Media Examiner. Click through to the full article for a breakdown of how to update your privacy settings on each of the popular social networks. Twitter: @SMExaminer

46. Know who your friends are.

Don’t accept random friend requests on Facebook from people you don’t know. “Some of the fun is creating a large pool of friends from many aspects of your life. That doesn’t mean all friends are created equal. Use tools to manage the information you share with friends in different groups or even have multiple online pages. If you’re trying to create a public persona as a blogger or expert, create an open profile or a ‘fan’ page that encourages broad participation and limits personal information. Use your personal profile to keep your real friends (the ones you know and trust) more synched up with your daily life,” advises StaySafeOnline.org. Twitter: @StaySafeOnline

47. For security purposes, make sure to use two-step verification for all work accounts on LinkedIn.

“LinkedIn offers members the ability to turn on two-step verification for their accounts. This will require an account password and a numeric code sent to your phone via SMS whenever you attempt to sign in from a device that your LinkedIn account does not recognize,” according to a post on Business News Daily. This ensures that should someone crack your account password, they will be unable to log in unless they also gain access to your code — meaning they’d have to also be in possession of your mobile device. Twitter: @BNDarticles

48. If you’ve been hacked, contact the social network immediately and let your friends know.

Sometimes, having your social networks hacked means your friends could be conned by criminals pretending to be you. Or, you could even be blocked from your own account if they’ve changed the password or conducted activities that have led to your account being banned by the service. “If you’re locked out of your account or blocked from accessing it, many Web services have steps in place so you can get back in. For example, Facebook has a system where you can use a trusted source like a friend to take back your account. Search each service’s help section for specific instructions. Speaking of friends, you should let your contacts know that you’ve been hacked, and report the issue to the site. Also, run a scan of your computer or mobile device using a trusted and up-to-date antivirus program,” advises re/code. Twitter: @Recode

49. Protecting Your Data Online

If you are using public Wi-Fi, avoid transactions that may be sensitive.

Working at the local coffee shop may have some appeal, but relying on a public Wi-Fi connection means your data is interceptable by outsiders. Avoid conducting banking transactions and sending other sensitive information over a public Wi-Fi network. As the FTC notes, “If you use an unsecured network to log in to an unencrypted site — or a site that uses encryption only on the sign-in page — other users on the network can see what you see and what you send. They could hijack your session and log in as you.” Twitter: @FTC

You can choose to share your personal information on social media, but you need to be aware of the privacy settings for this.

Websites other than social networking platforms also offer some privacy options. YouTube, for instance (which could arguably be considered a social networking platform, as well), allows users to make videos private or viewable only by specified persons. “You can often find privacy controls on a site by navigating to a control panel or settings menu. Sometimes, websites will draw attention to privacy controls while in other cases they will group them under broader categories like “Account Settings”. Privacy controls may also be offered during the sign-up process for a new online service or account. To best protect your privacy you should explore and understand privacy controls available to you on a given website/platform before you share personal information on or with the site,” recommends TRUSTe. Twitter: @TRUSTe

50. Don’t Forget to Sign Out.

Signing in to online services is necessary when you need to access your personal accounts, but many users forget to sign out when they’re finished using a service. “But when using public computers like in a cybercafe or library, remember that you may still be signed into any services you’ve been using even after you close the browser. So when using a public computer, be sure to sign out by clicking on your account photo or email address in the top right corner and selecting Sign out. If you use public computers often, use 2-step verification to help keep your account safe, and be extra careful to sign out of your accounts and shut down your browser when you have finished using the web,” according to the Google Safety Center.

51. If you get an email from someone that is not in your contacts, don’t open it.

If you receive an email from a source or individual you don’t recognize, don’t open it, and definitely avoid clicking any links or file attachments. The Hubbard Township Police Department in Ohio suggests, “Delete email from unknown sources. Watch out for files attached to e-mails, particularly those with an ‘exe’ extension, even if people you know sent them to you. Some files transport and distribute viruses and other programs that can permanently destroy files and damage computers and Web sites. Do not forward e-mail if you are not completely sure that any attached files are safe.”

52. Use A Password And An Additional Security Measure To Protect Yourself From Hackers.

Two-factor authentication is an additional layer of security that provides protection in the event that a hacker guesses or cracks your password. Two-factor authentication requires a second verification step, such as the answer to a secret question or a personal identification number (PIN). You should opt for two-factor authentication when given an option. “Some websites, such as Google, will text you a code when you log in to verify your identity, while others have small devices that you can carry around to generate the code. Authenticator apps are also available on all major smartphone platforms. Other types of two-factor authentication do exist as well, so look in the settings of your banking, shopping, and e-mail hosts for the option,” explains the Webroot Threat Blog. Twitter: @Webroot

53. Don’t take everything you read as the truth.

This tip is important for much beyond data protection, such as protecting your financial assets, your reputation, and perhaps most importantly, your personal confidence or self-worth. Too many people have fallen victim to scams online, by buying into false claims and promises of vast accumulation of wealth. Michael Daniel, on The White House Blog, advises, “Be cautious about what you receive or read online – if it sounds too good to be true, it probably is.” The best-case scenario is you lose a few bucks buying into a pyramid scheme that will never net you any profits; worst-case, your personal information is sold and your identity is stolen. Twitter: @WhiteHouse

55. It’s important to use secure websites for sensitive transactions.

When you’re conducting a financial transaction or sharing other sensitive information, always use a secure website to do so. Secure Sockets Layer (SSL) is a commonly used website security protocol that provides additional protection for data as it’s transmitted through the Internet. You can tell if you’re using a secure website by looking at the beginning of the URL. Those beginning with https:// are secure. “Web browsers such as Internet Explorer and Firefox display a padlock icon to indicate that the website is secure, as it also displays https:// in the address bar. When a user connects to a website via HTTPS, the website encrypts the session with a Digital Certificate,” explains Instant SSL. Twitter: @Comodo_SSL

56. If you click on links in emails, it can leave your computer vulnerable to viruses.

Most everyone gets the occasional email from their bank, financial institution, or similar accounts and services. But to be safe, you should always open a browser window and type the URL in the address bar, rather than click on links in emails. Why? Phishing emails are one of the most common ways hackers obtain personal information, tricking users into inadvertently handing over their login credentials to bank accounts, credit cards, and other accounts where they can glean further information, make unauthorized purchases, or even steal your identity. “Don’t get caught by phishers. Phishing is when you get an email or a social media message that looks like it’s coming from a legitimate place such as a bank or social networking site. If you click on a link in the message, you’re taken to a website that looks legitimate but could be run by criminals trying to trick you into signing in with your username and password so they can capture that information. Your best bet is not to click on the link but rather type the web address (such as mybank.com) into your browser window and go to the site that way,” the Google Safety Center recommends.

57. Be Careful Of What You Post Online.

Any information you enter on social networking websites, accounts, or any other website could potentially be up for grabs in the event of a data breach. In general, the information you put online contributes to your online reputation, which can affect your chances of securing employment or getting into college and can create many other problems if it is unfavorable. Monitoring your own internet activity helps you identify sensitive information that should not be publicly available, so you can take action and have it removed from public sites such as Facebook and Twitter. Microsoft suggests searching all variations of your name (which we often neglect to do), but avoiding search terms such as your driver’s license number or Social Security number, because these could be picked up by hackers and used against you later. You’ll also want to check the sites you visit frequently as well as your social media networks, so that profiles can be cleaned up when necessary.

58. If you download something, make sure it’s from a trustworthy website.

Websites like peer-to-peer file-sharing platforms are not only illegal, but they’re often rife with malware. Avoid downloading files from any website that you don’t trust completely. “According to a press release released this morning, the research found that of the 30 top pirate sites, ‘90% contained malware and other ‘Potentially Unwanted Programs’ designed to deceive or defraud unwitting viewers.’ The ‘Potentially Unwanted Programmes’ category is rather broad and includes popups and ads that link to download managers. In addition, the report links one-third of the sites to credit card fraud. ‘The rogue sites are also rife with credit card scams, with over two-thirds (67%) of the 30 sites containing credit card fraud,’ the press release states,” per a May 2014 report on BeforeItsNews.com.

59. Use a disposable email address to have the emails sent there deleted after being read.

A disposable email account is one created solely for a specific purpose that you’ll never use again or for any other account or purpose. “We live in a world where there are so many things that are disposable and email addresses can be added to that list. With the many free online email accounts that take just a few minutes to set up, it’s easy to create an email address that can be disposed of after it has served its purpose. There are many instances where such a disposable email will make sense. Examples include short-term projects, an email address specific to one online application (such as Facebook or Twitter), for testing purposes, etc; basically, anytime you are unsure of the period of use, like when you decide to take on numerous free software trials,” GetApp explains. Twitter: @GetApp

60. It’s worth investing in a mobile security system.

Some online services offer secure mobile access options, enabling users to access services without exposing login credentials. “Keep sensitive personal information and bank account numbers/passwords off your phone. Some banks offer secure mobile access without having to expose your account information or passwords,” says Bank of America. Twitter: @BofA_News

61. Opt Out Of Ad Tracking.

An article on MakeUseOf addresses the issues that arise from ad tracking online: “Advertising is a huge business. We’ve written before about how online ads are used to target you and this goes even further with social media ads. You have to expect a level of this behavior while using the Internet, but there are ways to limit how much information is collected about you.” For tips on how to opt out of ad tracking on Windows devices, click here. Twitter: @MakeUseOf

62. Always log out of your browser after you’re done using it.

Another useful tip from MakeUseOf: the common practice of letting your browser ‘remember’ passwords is a dangerous one. Indeed, should someone gain access to your computer or mobile device, they’d be able to easily access any accounts for which you’ve stored login credentials in your browser. While it may make logging in more convenient, it’s a risky habit in terms of data protection. “Keep an eye out for these pop-ups and be sure to deny them.” Twitter: @MakeUseOf

Much like using the same password for multiple accounts, using the same email address for every account is a recipe for disaster. That’s not to say that you can’t use the same email address more than once, but a good strategy is to use a different email address for different contexts, such as one for personal accounts, one for business-related accounts, one for online retail accounts, and so on. Rich from Securosis says, “One of my favorites is to use different email accounts for different contexts. A lot of security pros know this, but it’s not something we have our less technical friends try. Thanks to the ease of webmail, and most mail applications’ support for multiple email accounts, this isn’t all that hard. Keeping things simple, I usually suggest 4-5 different email accounts: your permanent address, your work address, an address for buying online when you don’t trust the store, an address for trusted retailers, and an address for email subscriptions.” For more suggestions on the types of accounts to use with each email account, click here. Twitter: @securosis

63. Create a Gmail account for long-term projects, and use that instead of your main email address.

GetApp.com also offers a list of compelling reasons for maintaining multiple email accounts, suggesting creating a dedicated email account for a long-term project. That way, should you need to hand over the work or the position to someone else, you can simply pass along the login credentials rather than worry about forwarding emails for weeks and months to come. “If you are engaged in a long-term contract or project, having an email address dedicated to that specific project makes sense if you are ever transferred or moved jobs. You can just hand over the email address and password to your replacement.” Twitter: @GetApp

64. Take a look at your online presence. Make sure it’s up to date and reflects you well.

Akin to evaluating your online reputation, taking stock of your digital footprint involves investigating your online presence, but also finding old accounts that you no longer use. “With your digital information scattered everywhere over the course of a lifetime, it’s important to think about what valuable information you have where. For example, how many websites are storing your credit card information? How many have up-to-date card numbers and expiration dates? Where do you have important documents, files, and videos across the web? You can start by making a list and noting the types of sensitive data associated with each site. If there are sites you no longer use, you might want to consider deleting your account profiles,” explains Unisys. Twitter: @unisyscorp

65. Don’t use your social media credentials to sign in on any site other than the one you are trying to access.

Third-party sites are becoming popular, but you should be careful about using your Facebook or LinkedIn account to sign up for them. Doing so can jeopardize your privacy.

66. When you’re browsing the web, be careful not to visit any categories known for malware.

This is a difficult tip to adequately describe in a relatively small number of words, but use caution anytime you’re searching for any topic known for spam or malware. This often happens with extremely popular search topics, such as pharmaceuticals, celebrities, and adult-oriented content. Because so many people search for these topics, it’s easy for hackers to set up websites that are essentially fake, designed solely to elicit clicks and execute malicious files. “Googling your favorite celebrities can be a dangerous business if you don’t recognize the sites you are clicking on. Many Google results of famous celebrity names lead to infecting your PC with malware and viruses,” according to this article on PopSugar. Twitter: @POPSUGARTech

67. Be sure to avoid sending passwords or account login credentials when using public or unsecured Wi-Fi networks.

“Never, ever send account and password information over an open (unsecured) wireless connection. You are broadcasting to everyone within the radius of your wireless signal, which can be several hundred feet, all of your personal information and account information. They can use this to compromise your accounts (e.g. email, financial, system/application access), steal your identity, or commit fraud in your name,” warns the Office of the Chief Information Officer at The Ohio State University. Twitter: @TechOhioState

68. Make sure to store your most sensitive data in a secure location.

Instead of backing up all your data in the cloud, particularly with a cloud storage provider whose security measures you’re not completely confident in, consider backing up your most sensitive information locally or on a removable storage device that you can keep under tight wraps. “I doubt there’s such a thing as real privacy on the internet, so personally I wouldn’t trust storing my top secret files in the cloud. Call it paranoia, but identity theft is on the rise and I just don’t want to risk any of that. In any case, we probably don’t have to look at our most sensitive data through the cloud on a 24/7 basis. My advice is to keep only those files that you need to access frequently and avoid putting up documents containing passwords for your various online accounts or personally identifiable information (PII) such as your credit card numbers, national identification number, home address, etc. If you must include this information in your files, make sure to encrypt them before you upload,” says Michael Poh in an article on Hongkiat. Twitter: @hongkiat

Frequent password changes have long been advised in security circles, but the practice’s efficacy has come into question in recent years. “Security expert Bruce Schneier points out that in most cases today attackers won’t be passive. If they get your bank account login, they won’t wait two months hanging around but will transfer the money out of your account right away. In the case of private networks, a hacker might be more stealthy and stick around eavesdropping, but he’s less likely to continue to use your stolen password and will instead install backdoor access. Regular password changes won’t do much for either of those cases. (Of course, in both instances, it’s critical to change your password as soon as the security breach is found and the intruder blocked.),” says an article on NBC News. Twitter: @NBCNews

69. You should use a cloud service that has encryption to protect your data.

While cloud storage makes for an ideal backup solution, it can also be more prone to hackers if you’re not careful about the cloud services you choose. Victoria Ivey, in an article on CIO.com, suggests encrypting the data you store in the cloud or using a cloud provider that encrypts your data for you. “There are some cloud services that provide local encryption and decryption of your files in addition to storage and backup. It means that the service takes care of both encrypting your files on your own computer and storing them safely on the cloud. Therefore, there is a bigger chance that this time no one — including service providers or server administrators — will have access to your files (the so-called “zero-knowledge” privacy). Among such services are Spideroak and Wuala.” Twitter: @CIOonline

70. Make sure your email provider is safe and reputable.

Much like not all cloud storage providers are created equal, neither are email providers. Inc.com interviews Patrick Peterson, the founder and CEO of San Mateo, California-based email security firm Agari, about data protection, password management, and choosing safe service providers. “Be sure yours provides proper security. ‘There’s been technology development that stops people from impersonating your ISP, your bank, or your travel site,’ Peterson says. ‘You need to make sure your email provider uses technology like DMARC to stop that phishing. The good news is that Google does it, Yahoo does it, Microsoft supports it, AOL supports it, so if you’re on one of those, you’re on your way to minimizing your risk.’” Twitter: @WillYakowicz

71. Data Protection Following a Data Breach

After a data breach, change your passwords immediately.

If a company through which you have an account has suffered a data breach, immediately change your password. An article on ConsumerReports.org discusses the JPMorgan Chase data breach, offering tips for consumers to take steps to protect their data after a breach. “We still recommend online and mobile banking, because it allows you to watch your account in real-time from almost anywhere. Yes, it’s now clear that Internet banking is not impervious to hacking, but ‘the convenience you get from banking digitally greatly supersedes any security risk,’ said Al Pascual, head of fraud and security research at Javelin Strategy and Research, a California-based financial services industry consulting firm. As part of your monitoring, watch out for changes to your debit card PIN.” Twitter: @consumerreports

72. Check to see if a breach has actually occurred.

There are many opportunists who use the likelihood of a data breach to trick unassuming consumers into actually handing over their passwords and other information when a data breach hasn’t actually occurred. Before responding to any requests to update your login info through a link sent to you in an email, visit the company’s website by typing the URL into your address bar and confirming the breach occurred, or call the company to verify the information. “First, make sure that your card information has actually been compromised. If you receive a notification via email requesting ‘confirmation’ of your card information, don’t respond – it could be an opportunistic fraudster. Check the merchant’s website for news about a breach or reach out to customer support for details,” says the Electronic Transactions Association (ETA). Twitter: @joxman

73. If you need a new card, please request one.

If a data breach has affected a company that has issued you a card, such as a bank-issued or retail store-issued credit card, cancel your existing card and request a new one. This action makes the previous card number invalid, so if it has been stolen by hackers, it is no longer usable and your finances are secure. “You may be able to do this through your issuer’s customer service department, or through the lost and stolen card department. Some companies will charge a small fee for a replacement card, but most will swap cards for you for free. When you request a new credit card, your old card and its number are destroyed. That means that if a thief tries to use your card in the future, the card will be declined. You will have to wait for the new card to arrive in the mail, so make sure you have money to pay for your purchases during this time,” says CT Watchdog. Twitter: @ctwatchdog

74. Consider A Credit Freeze.

This is a major step, but one that can be especially helpful if you suspect or know your identity has been stolen. It’s possible to restrict access to your credit reports, meaning that thieves who are assuming your identity and attempting to open accounts in your name won’t be able to do so. “Also known as a security freeze, this tool lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to look at your credit report before approving a new account. If they can’t see your file, they may not extend the credit. To place a freeze on your credit reports, contact each of the nationwide credit reporting companies: Equifax, Experian, and TransUnion. You will need to supply your name, address, date of birth, Social Security number, and other personal information. Fees vary based on where you live, but commonly range from $5 to $10,” according to a Consumer Information article from the Federal Trade Commission. Twitter: @FTC

75. Free Credit Monitoring Is Helpful.

If a major corporation suffers a data breach and your account information has been compromised, the company may offer affected consumers free credit monitoring services. “If your personal information is hacked, the company that was victimized will probably offer you credit monitoring. (Although a Chase bank spokeswoman told CNBC that credit monitoring would not be provided to customers affected by this week’s breach because no financial information was compromised.) If it does, go ahead and take it,” says Bob Sullivan in an article on CNBC. Twitter: @CNBC

76. If your friends are telling you that they’ve been getting emails from your account, don’t ignore it.

One of the most common ways people learn they’ve been hacked is when their friends or family members report receiving an odd email or social media message or even seeing strange updates posted on social media profiles. It’s easy to ignore these warnings and assume it’s some sort of fluke or someone who simply changed the “reply-to” when sending a spam email, but this is often a sure indicator that your account has been compromised. Don’t ignore these tips. According to Consumer Affairs, “Anytime you receive a new “friend” request from someone who’s already on your Facebook friends list, the simplest thing to do is send your real friend a message asking if they know about their apparent double.” Twitter: @ConsumerAffairs

77. It’s important to know what the warning signs are of a data breach.

There are many possible indications that an account has been hacked, your identity stolen, or your data breached in some other way. Educate yourself on the warning signs of a potential breach and create positive habits for monitoring your personal data security to identify potential attacks or breaches before they escalate to devastation. Read up on data protection tips (such as the guide you’re reading right now) and on information outlining the common warning signs of a data breach or hack, such as this list of “11 Sure Signs You’ve Been Hacked” from InfoWorld. Twitter: @infoworld

78. If your account is compromised, take the necessary steps to regain control of it.

All too frequently, if one account has been hacked, your data is no longer secure on other accounts using the same login information, particularly if you use the same password for multiple services. “Regaining control of a hacked email account can be tougher. You’ll have to contact the email provider and prove that you’re the true account holder. Of course, if the hacker changes your password, you can’t use your regular email to contact the provider. It’s important to have more than one email address and make each the alternate contact address for the other. Did you use your email address as a username on other sites? That’s certainly a common practice. But if you also used the same password that you used for the hacked email account, those accounts are now compromised as well. Even if you didn’t use the same password, you could still be in trouble. Think about this. If you forget a website password, what do you do? Right—you click to get a password reset link sent to your email address. A smart hacker who has control of the email account will quickly seek your other accounts, social media, perhaps, or worse, shopping and banking accounts,” explains Neil J. Rubenking in an article at PCMag. Twitter: @neiljrubenking

79. It is important to find out the root of the problem in order to fix it.

If your account has been hacked, your data lost, or your device is stolen, consider it a learning opportunity. Find out exactly what went wrong and how you could have protected your data by taking better precautions. “While you are fixing things, it’s a good time to take a step back, and ask yourself a more basic question: What was the reason for the breach? If it was your bank account, the answer may be obvious. In other cases, such as e-mail, it can be for a host of reasons — from using it to send spam, to requesting money from your contacts, to getting password resets on other services. An attacker may even be trying to gain access to your business. Knowing why you were targeted can also sometimes help you understand how you were breached,” says Mat Honan at Wired.

80. Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Keeping your passwords, financial information, and other personal data safe matters for companies and individuals alike; these everyday habits are how information actually gets secured.

Introduction

What is third-party information security risk management?
Third-party information security risk management (“TPISRM” or vendor risk management for short) is a critical component for ALL information security programs. You cannot adequately account for information security risk without also accounting for TPISRM.

Background

TPISRM isn’t new. Some organizations have been doing it for a long time, mostly larger companies (with adequate resources) driven by compliance requirements. In the early 2000s, I worked on TPISRM for a few Fortune 500 companies and saw first-hand how things were done.

In 2013, TPISRM took center stage when Target Corporation became aware of a significant data breach involving one of their third-party providers (Fazio Mechanical). This was one of the most publicized cybersecurity breaches of all time because of the timing (holiday season), the number of people affected (110 million+), and the fact that Target is one of the largest retailers in the world.

One of the many lawsuits that stemmed from the Target breach was a derivative action where shareholders filed suit against Target’s board of directors, essentially Target suing Target. When this happens, the court appoints a special litigation committee (SLC), and this is where I fit in again. I was retained by the SLC to assist and consult them[1] [2]. What does this have to do with TPISRM? A lot! The vendor risk management program (or lack thereof) played a critical role in the breach.

Unfortunately, not enough has changed since then:

  • 66% of security professionals think that it’s possible or definite that they suffered a breach through third-party access[3]
  • Roughly 61% (just shy of two-thirds) of U.S. companies have experienced a data breach caused by a third-party.[4]
  • Third-party breaches and security incidents are more costly than ever, especially for smaller organizations.[5]
  • Only 52% of the companies in the United States have security standards for third-parties.[6]

TPISRM is more important than it’s ever been, and if you’re waiting for someone else to make you do it, it will be too late. Whatever you do, don’t half-ass this.

Three things before we jump into the “must-haves”:

  1. TPISRM can be done right and inexpensively, even in smaller organizations.
  2. You must engage in TPISRM, either now or later. “Now” hurts less.
  3. If you’re going to do TPISRM (which you’d better), make sure you do it right.

[1] https://dandodiaryboutique.lexblogplatformthree.com/wp-content/uploads/sites/893/2016/07/Target-SLC-Report.pdf
[2] https://dandodiaryboutique.lexblogplatformthree.com/wp-content/uploads/sites/893/2016/07/Target-Motion-to-Dismiss.pdf
[3] https://www.bomgar.com/resources/whitepapers/privileged-access-threat-report
[4] https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party
[5] https://securityscorecard.com/blog/5-ways-to-prevent-data-breaches-caused-by-third-party-vendor
[6] https://www.pwc.com/us/en/cybersecurity/information-security-survey.html

Quick SecurityStudio Introduction

SecurityStudio (or S2) is a community and mission-driven information security solutions company dedicated to simplifying information security management and compliance. We help people and organizations in all industries (public and private) master information security fundamentals by providing practical tools on our best-in-class SaaS platform and through our trusted service partners.

The S2 platform is the premier risk and digital safety assessment tool in the world. Driven through our easy-to-use interface, information security risks can be assessed and managed for individuals (consumers and employees/personnel), the organizations they work for (public and private sector), and their vendors. With more than 3,000 assessments completed, our platform has been proven to be successful in simplifying and improving information security for hundreds of thousands of people.

Our tools:

In this document, we’ll discuss things related to S2Score, S2Org, and S2Vendor, but don’t worry, I won’t get salesy. I want you to get value from reading this more than I want to sell you something.

Alright, the seven “must-haves” for TPISRM.

7 Must-Haves for Effective Third-Party Information Security Risk Management

Must-Have #1 – Adequate Coverage

Your TPISRM MUST account for administrative, physical, and technical risk.

The most tempting place in TPISRM to take shortcuts is to treat it like it’s a technical or IT issue. DON’T! It’s not! It’s a business issue and to treat it as anything else will be done at your own peril.

Effective TPISRM practices MUST account for administrative, physical and technical risks. Isn’t it easier (and more likely) for an attacker to go through a secretary (or another person) than it is to go through a firewall, and who cares about a firewall when an attacker can just steal the server? This is truth. I know it. You know it. Certainly, attackers know it too.

Technical controls are part of TPISRM. Technical controls are not TPISRM in its entirety. Slight, but significant difference. Scans are good, but they won’t tell you squat about a third-party’s employee training program, asset management practices, onboarding/offboarding processes, access control procedures, server room security, etc., etc.

DO NOT TAKE SHORTCUTS

Must-Have #2 – Automated Workflows

Using manual processes with spreadsheets and calendars is error-prone, costly, and ineffective.

The only people who claim spreadsheets are the way to do TPISRM have either never done TPISRM or they’re stuck in the dark ages (“this is the way we’ve always done it”). Not only is using spreadsheets a pain in the butt, it’s expensive and ineffective.

There’s a much better way! Use an automated workflow where TPISRM processes (inventory, classification, assessment, remediation, etc.) are programmatic. If you’ve got money to waste, you could build your own automated workflow tool, but a better choice is probably using a commercial tool. Automated workflows ensure that everything is tidy and easy to manage. If you’re handling any more than one or two third-party relationships, an automated workflow is a must.

Another fact: there is a demonstrable ROI in using an automated workflow versus using manual processes.

USE AN AUTOMATED WORKFLOW-ENABLED TOOL

Must-Have #3 – Distributed Workloads

No single person knows enough about all vendor relationships to be effective.

The wrong way to handle TPISRM is to name a “TPISRM Manager” or “Vendor Risk Manager” and leave everything to them. It’s unlikely that this person engaged the third-party in the first place, understands how the organization uses the third-party, and/or maintains the relationship with the third-party.

For each third-party relationship, there’s someone who’s responsible for the relationship. We sometimes call this person the “relationship manager”. These people must be involved in the TPISRM process. The best place for this person/group to be inserted into the TPISRM process is usually:

  • Third-party inventory management – validating that the third-party is still engaged by the organization.
  • Vendor contact maintenance – validating that the third-party’s contact information is valid.
  • Inherent risk determination (or classification) – validating how the organization uses the third-party, including the nature of the products or services provided.

If you’ve addressed the first two “must-haves” in our list, ensure that the tool you use will enable or facilitate participation from other people and groups. A shared workload makes everything better.

DO NOT TRY TO TACKLE TPISRM ALONE

Must-Have #4 – Quantification

It’s easier to defend a process or system than it is to defend your judgment.

Regardless of how good you get at TPISRM, a bad thing (breach, disruption, or whatever) will eventually happen. No matter what you do, you cannot prevent all bad things from happening, but that’s not the point anyway. Risk elimination is impossible. Risk management IS possible, and it’s the objective.

The truth is, at some point you’ll need to defend your TPISRM program from someone, and they’ll probably question your judgement. It might be the board of directors, a regulator, a customer, or (God-forbid) opposing legal counsel. Somebody, somewhere, is going to question what you’re doing.

Quantification helps take your judgement out of the equation, and quantification comes through measurement. Quantification allows you to make comparisons between third-parties and set thresholds of acceptable risk. Setting a threshold of acceptable risk is easier to defend because you hold all third-parties to the same standard. One-off and arbitrary decision-making will be much harder to defend.

I have trouble remembering what I did last weekend let alone a decision I made in February of last year.

Adding to defensibility is using a tool, process, and/or risk threshold that’s used by others. There’s (some) safety in the herd.

QUANTIFY/MEASURE EVERYTHING

MUST-HAVE #5 – Objectivity

Binary (1 or 0) decisions are more efficient, easier to defend, and scorable.

Which question is more efficient, easier to defend, and scorable:

  • Tell me about your information security program? OR
  • Do you have a documented information security program?

How about these:

  • How do you train your employees? OR
  • Do you train your employees?

Binary (1 or 0, "yes" or "no", etc.) questions are objective and create a much better measurement/quantification than subjective, open-ended questions do. The downside to objective questions is that you have to ask more of them. Once someone answers "Do you train your employees?", we'll need to ask more binary questions about the training.

Using objective criteria also reduces the need for interpretation, where two people can look at the same subjective/open-ended response and interpret it in completely opposite ways. Subjectivity steals the efficiency and defensibility out of your TPISRM program.

USE OBJECTIVE QUESTIONS/CRITERIA

MUST-HAVE #6 – Inventory Management

Garbage in, garbage out.

The entire TPISRM process starts with your inventory of third-party relationships. It’s the first step. There’s the initial inventory and ongoing inventory management.

Build your initial inventory by checking who you’re paying, either through invoices, credit card payments, or employee reimbursements. Chances are good that you’re paying your third-parties in some manner, so Accounts Payable (or similar) is a great place to start.

In order to keep your inventory current, the “ongoing inventory”, you’ll need to determine how important it is for you to maintain a live inventory or if a periodic third-party inventory reconciliation is good enough. The answer should be a function of the churn in your third-party relationships. If third-parties come and go often, then there’s more justification for the live inventory approach. In a live third-party inventory scenario, you’ll need to make sure your third-party engagement/procurement/enrollment process is tightly-integrated with your TPISRM processes. Maybe you don’t pay any third-party until they’ve been assessed for cyber risk.

Periodic reconciliation consists of validating your inventory periodically, maybe on an annual basis.

A good TPISRM tool accounts for all the "must-haves" here, including assistance with third-party inventory management. Entering third-party information one-by-one is fine but becomes a real pain when you have many third-parties to enter. A great feature is the ability to upload third-party information in bulk, and, where possible, API integration with other enterprise systems so the inventory stays in step with procurement and finance.

YOU CANNOT ACCOUNT FOR THIRD-PARTY RELATIONSHIPS YOU DON’T KNOW YOU HAVE

Must-Have #7 – Simplified Processes

Complexity is the enemy of information security.

Your TPISRM process shouldn’t consist of any more than four primary steps. If it’s more than four steps, you might be making this harder on yourself. The four steps are Inventory, Classification, Assessment, and Decision-Making. That’s it.

In some cases, you may need to repeat steps, but it’s still only four steps. For instance, you may decide (Decision-Making) that the risk posed by a third-party is unacceptable. In this case, you could decide to remediate, which will then lead back into the Assessment step.

DO NOT OVER-COMPLICATE THIS

BONUS: Third-Party Risk Assessment/Questionnaire Re-Use

Everybody hates filling out dumb questionnaires.

I have yet to meet anyone who enjoys filling out TPISRM questionnaires from their customers. If I did, I’d question their sanity. Filling out questionnaires is a waste of time. There are three ways we can make this more enjoyable and usable for everyone.

  1. What if we made the questionnaire into an organization’s information security risk assessment?
  2. What if an organization’s own/internal information security risk assessment could be used in lieu of a questionnaire?
  3. What if we reused a questionnaire that a third-party completed for someone else?

Yes, yes, and yes please!

On the SecurityStudio platform we’ve developed two effective, best practice, and simple tools to enable all the “must-haves” in this document, and significantly reduce wasted time, effort, and money for your third-party friends. By reusing assessments and questionnaires, you’ll get better results in your TPISRM efforts and your third-parties will sincerely appreciate having to do less work!

The tools are S2Vendor and S2Org.

S2Vendor is our best-in-class TPISRM tool for organizations of all shapes and sizes. S2Org is the best organizational information security risk management tool anywhere, and it is also how your vendors track their own security performance. Combined, no other solution compares!

Let’s demonstrate how these tools work together.

  1. A third-party who completes an S2Vendor questionnaire can use the same information to manage their information security program with a simple click of a button. The click of the button imports their responses into their own (private) S2Org portal where they can track results, print reports, create a roadmap (risk treatment plan), manage the roadmap, and much more! Not only can the third-party use this information to improve their security program in a measurable way, but they’re also more inclined to provide truthful answers to you as their customer.
  2. There are more than 3,000 organizations who already use the SecurityStudio platform and S2Org for information security risk assessments and management. Rather than having to complete another tedious questionnaire, an S2Org user can just choose to share their assessment (or resulting S2Score) with the S2Vendor user (you).
  3. If an S2Vendor third-party risk assessment has already been completed on behalf of a vendor by someone else, rather than completing another assessment, you can allow them to confirm and reuse one that they’ve already completed. This saves you the headache of dealing with pushback and saves your third-party vendors a lot of time.

In Closing

There you have it. If you want to build a TPISRM practice/program the right way, these are seven things that you must have. Short cuts, manual processes, bottlenecks, subjectivity, gaps, and complexity must all be accounted for and taken out of the equation. If you’re into these things, well, that’s too bad. They’ll eventually come back to haunt you.

All the best.
Evan Francen CEO

s2core

Estimate your score or book free demo today

As mentioned in Phase 2 – Classification, High and Medium impact third parties need to be assessed for residual risk. Residual risk is another term that isn’t common to all people, so we’ll define it. Residual risk is the amount of risk that remains (residual) after the consideration of controls that are in place and any applicable threats. Residual risk assessments attempt to validate, qualify, and/or quantify risk related to threats and vulnerabilities, using inherent risk as a base input.

The first place to check for residual risk is an assessment that the third party may have already completed; an assessment that is high quality, fits our definitions of “information security” and “risk,” and represents risk. For SecurityStudio, this is the S2SCORE. The logic is simple: Does the third-party have a current S2SCORE or not?

Current Acceptable S2SCORE

If the third party has a current S2SCORE, then Phase 3 – Risk Assessment is complete for now, and the score is evaluated as part of Phase 4 – Risk Treatment. A threshold for S2SCORE must be set by the organization, and an automated comparison is made.

S2SCORE is calculated on a scale between 300 and 850, with 300 representing an infinite amount of risk and 850 representing no risk at all. Obviously, it's not possible to have infinite risk or no risk, so every real S2SCORE falls strictly within that range. Organizations that have not defined a specific threshold will typically accept the default S2SCORE threshold of 660.

If the S2SCORE is acceptable, meaning it meets or exceeds your threshold, then the process is complete for you and the third party. That’s it!

If the S2SCORE is not acceptable, meaning it does not meet your threshold, then the process remains in Phase 3 – Risk Assessment for next steps. An unacceptable S2SCORE follows the same process as not having an S2SCORE at all.

No Current Acceptable S2SCORE

Third parties that do not have a current S2SCORE and third parties that do not have an acceptable S2SCORE will receive a questionnaire that is commensurate with the level of inherent risk they pose to the organization. Third parties that are classified as High receive the High Residual Risk Questionnaire, and third parties that are classified as Medium receive the Medium Residual Risk Questionnaire.

All notifications to third parties are managed by SecurityStudio so that administrators don’t need to track and manage follow-up tasks.

All questionnaires are completed via an authenticated and secure online portal provided to the third-party provider.

High Residual Risk Questionnaire

By default, the High Residual Risk Questionnaire leverages similar criteria* to those used in calculating the S2SCORE. This is important for (at least) five reasons:

  1. Validation of the questionnaire will result in a genuine S2SCORE that can be reused in other applications.
  2. The common set of criteria allows for better comparisons and consistent baselining across all third parties.
  3. Deliverables from the S2SCORE can be used to build the third-party security program and/or identify the greatest areas of concern accompanied by actionable recommendations. The S2SCORE provides value to the third party in this way.
  4. For the most impactful third parties, an S2SCORE can be validated by personnel who are certified by SecurityStudio® to complete validations. This ensures consistency across organizations who use SecurityStudio and S2SCORE.
  5. Validation of the S2SCORE can be done using in-house personnel, through SecurityStudio, or through any of the SecurityStudio partners. Today there are more than a dozen SecurityStudio partner organizations who are certified to perform validations.

Medium Residual Risk Questionnaire

By default, the Medium Residual Risk Questionnaire leverages the same criteria used in the calculation of the S2SCORE Estimator. The S2SCORE Estimator is a freely available assessment provided to anyone online and is also built into SecurityStudio. The important reasons why we’ve chosen to use the same criteria include some of the following:

  1. Any organization, with or without the use of VENDFENSE, can get a score that can be leveraged without cost to the third party and reused for third-party information security risk management if the inherent risk calculation results in a Medium classification.
  2. Ensures consistency within SecurityStudio and all other uses of the S2SCORE Estimator.
  3. The S2SCORE Estimator is an easy, and no-cost introduction to all that S2SCORE is and can be used for.

SecurityStudio S2SCORE

The result of the questionnaire process is an S2SCORE. The score is objective and automatic, and if the third party provides accurate and truthful information, the S2SCORE will be a true measurement of information security risk. There are times when you don't believe that the information provided by the third party is accurate and true; those are times when you might want validation. There are also times when a third party is so critical to the success of your organization that you want validation regardless. Whatever the reason for validation, you are in control.

Now that the third parties have been assessed for residual risk, we move on to Phase 4 of VRM – Risk Treatment.

*Vulnerability scanning data, crime rate index, and natural threat data are not used in the High Residual Risk Questionnaire but are used in the full S2SCORE and validated S2SCORE.


Now that you’ve completed your vendor inventory, it’s time to classify them according to the risk they pose on your organization. Third-party classification is about rating your third-party providers according to the amount of inherent risk they present to your organization. The term”inherent risk” isn’t necessarily in everyone’s vocabulary, so let’s explain what it is. Inherent risk is the amount of risk that your vendor poses to your company based strictly on how you intend to use them. It’s a very simple process to classify your third-party providers according to inherent risk.  The point in doing this is to make sure we only spend your valuable time, and the valuable time belonging to your partners, on the risks that really matter.

Inherent Risk Questionnaire

The classification process starts with the Inherent Risk Questionnaire. This is a simple questionnaire that is completed by the person within your organization who is responsible for the third-party relationship.  This is usually the person who relies on the third party to complete certain tasks on behalf of your organization, or it’s the person who arranged for using the third party in the first place.

The questionnaire is very simple and straightforward, consisting of fewer than 10 questions.

VENDFENSE is very flexible and meant for all organizations. We pre-populate the system with default inherent risk questions to include in the Inherent Risk Questionnaire; however, we can also include custom questions.

Classification

Third-party providers are classified according to the inherent risk they pose to your organization. The classification is automatic, based on objective criteria defined and built into the SecurityStudio Classification Scoring System. The responses provided in the Inherent Risk Questionnaire lead to a classification of High, Medium, or Low. You could choose different words or different classifications, depending on your needs. The point is that the classification criteria should be objective, be a representation of inherent risk, and the classification levels you choose should be simple and logical.

A very important reason for classifying vendors according to inherent risk is to support the reasoning that not all vendors should be subjected to the same level of scrutiny because not all vendors pose the same amount of inherent risk.

High and Medium Impact

High and Medium impact (or inherent risk) third parties require additional review. The third parties that were classified as High or Medium impact are moved into processing at Phase 3 – Third-Party Risk Assessment.

Low Impact

Low impact third parties are not a significant concern for most organizations. Their processing ends with classification; they are usually not reviewed again until the next cycle (quarterly, semi-annual, annual, etc.).

In some cases, the percentage of third parties that are Low impact is as high as 80%. This matters. If an organization works with 1,000 third parties, as many as 800 (or more) of them need no further review beyond the initial inherent risk classification. That also means 800 fewer questionnaires to keep track of and 800 fewer third parties to assess. Just as important, we have demonstrated due diligence by classifying every third party against objective criteria.

Once the Classification step is complete, you're ready to start Phase 3 of VRM – Assessment.
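The routing described in Must-Have #7 (four steps, repeated when needed), in the Phase 3 section above (current S2SCORE versus threshold, otherwise a questionnaire matched to the class) and in this Classification section can be written down as a small state machine. The Python below is an added example, not SecurityStudio's Classification Scoring System or S2SCORE logic: the five yes/no questions, their point weights, the High/Medium cut-offs and the one-year validity window for a score are assumptions made for the example, while the High/Medium/Low labels, the 300 to 850 range and the 660 default threshold come from the text. It shows why binary questions score without interpretation (Must-Have #5), how Low third parties drop out after classification, how an expired or unacceptable score is handled exactly like no score, and how a below-threshold result loops back into Assessment.

```python
"""Classification -> Assessment -> Treatment routing for one third party.

Added example. The yes/no questions, point weights, class cut-offs and the
one-year validity window for a score are assumptions; the High/Medium/Low
labels, the 300-850 score range and the default 660 threshold are from the text.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Objective (yes/no) inherent-risk questions for the relationship manager, with
# assumed point weights. Binary answers score without anyone interpreting them.
INHERENT_RISK_QUESTIONS = {
    "stores_or_processes_confidential_data": 4,
    "has_network_or_system_access": 3,
    "outage_disrupts_critical_function_within_24h": 3,
    "handles_regulated_data_on_our_behalf": 3,
    "subcontracts_our_work_to_fourth_parties": 1,
}
HIGH_CUTOFF, MEDIUM_CUTOFF = 7, 3        # assumed cut-offs on the summed points
SCORE_MIN, SCORE_MAX = 300, 850          # S2SCORE range stated in the text
DEFAULT_THRESHOLD = 660                  # default acceptable score from the text
SCORE_VALIDITY = timedelta(days=365)     # assumption: what "current" means

@dataclass
class ThirdParty:
    name: str
    answers: dict                        # question -> bool (missing = "no")
    score: Optional[int] = None          # existing S2SCORE, if any
    score_date: Optional[date] = None
    history: list = field(default_factory=list)

def classify(answers: dict) -> str:
    """Phase 2: sum the weights of 'yes' answers and map to High/Medium/Low."""
    unknown = set(answers) - set(INHERENT_RISK_QUESTIONS)
    if unknown:  # a question that is not on the list cannot be scored objectively
        raise ValueError(f"unrecognised questions: {sorted(unknown)}")
    points = sum(w for q, w in INHERENT_RISK_QUESTIONS.items() if answers.get(q, False))
    return "High" if points >= HIGH_CUTOFF else "Medium" if points >= MEDIUM_CUTOFF else "Low"

def check_score_range(score: int) -> int:
    """Reject scores outside the published range instead of silently accepting them."""
    if not SCORE_MIN <= score <= SCORE_MAX:
        raise ValueError(f"score {score} outside {SCORE_MIN}-{SCORE_MAX}")
    return score

def has_current_acceptable_score(tp: ThirdParty, threshold: int, today: date) -> bool:
    """Phase 3 gate: the score must exist, be in range, be current and meet the threshold."""
    if tp.score is None or tp.score_date is None:
        return False
    check_score_range(tp.score)
    if today - tp.score_date > SCORE_VALIDITY:
        return False
    return tp.score >= threshold

def route(tp: ThirdParty, threshold: int = DEFAULT_THRESHOLD, today: Optional[date] = None) -> dict:
    """One pass through Classification and Assessment; returns the next action."""
    today = today or date.today()
    classification = classify(tp.answers)
    tp.history.append(("classify", classification))
    if classification == "Low":
        return {"classification": classification,
                "action": "no further review until next cycle", "questionnaire": None}
    if has_current_acceptable_score(tp, threshold, today):
        tp.history.append(("treat", "accept"))
        return {"classification": classification, "action": "accept", "questionnaire": None}
    # No score, an expired score and an unacceptable score all land here:
    # send the residual-risk questionnaire that matches the inherent-risk class.
    questionnaire = f"{classification} Residual Risk Questionnaire"
    tp.history.append(("assess", questionnaire))
    return {"classification": classification, "action": "send questionnaire",
            "questionnaire": questionnaire}

def treat(tp: ThirdParty, new_score: int, threshold: int = DEFAULT_THRESHOLD,
          today: Optional[date] = None) -> str:
    """Phase 4: record the questionnaire result. Below the threshold means remediate
    and go back to Assessment (still only four steps, just repeated)."""
    tp.score, tp.score_date = check_score_range(new_score), today or date.today()
    decision = "accept" if new_score >= threshold else "remediate and reassess"
    tp.history.append(("treat", decision))
    return decision

if __name__ == "__main__":
    today = date(2024, 3, 31)
    payroll = ThirdParty("Northwind Payroll",                       # constructed vendor
                         {"stores_or_processes_confidential_data": True,
                          "handles_regulated_data_on_our_behalf": True},
                         score=640, score_date=date(2024, 1, 10))
    print(route(payroll, today=today))       # High; 640 < 660 -> High questionnaire
    print(treat(payroll, 700, today=today))  # accept
    print(route(payroll, today=today))       # accepted on the now-current score
    print(payroll.history)
```

The questions and weights are the part an organization must set for itself; what the example demonstrates is that once they are fixed, the classification and the routing decision are reproducible from the recorded answers and score alone, which is what makes the process defensible later.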


In the simplest sense, a good vendor risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment. These four phases make up a well-designed third-party information security risk management program.

Phase 1 – Vendor Inventory


Everything starts with third-party inventory. The inventory of third-party providers is what feeds the SecurityStudio system. The purpose of the inventory phase is to get all your third parties into the system and ensure that your third-party inventory remains current.

The bulk of the work comes during implementation. After the system is set up and running, you rarely make any significant changes. Occasionally, you may decide to audit the third-party inventory by comparing the list of third parties maintained within SecurityStudio with the list of third parties maintained in other areas of the business. After the initial system setup, the inventory can be easily audited on an ongoing basis.

There are two parts to vendor inventory if you’re just getting started: the initial inventory and the onboarding process. Once you’re up and running, you will mostly focus on third-party onboarding.

Vendor Inventory

Most organizations don’t know who all their third-party providers are, and the place to start building your third-party inventory is through your finance department. The theory is that if you have a third-party provider, you must be paying for them somehow. There are three places to look for third-party providers initially for your inventory:

  • Third-party providers who are sending you invoices
  • Third-party providers who are being paid with a corporate credit card
  • Third-party providers who are paid by an employee who is being reimbursed for the expense

Vendor Onboarding

Onboarding is focused on ensuring that all new third-party providers are accounted for in the vendor risk management program before they begin providing their product or service. Uploading third parties into the SecurityStudio system is a snap. You can either upload them one at a time or do a mass upload using a spreadsheet. Employees and finance personnel can enter new vendor information directly into SecurityStudio or we can link to an existing intranet site that you already have set up.
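As an added example (not SecurityStudio's code, data format or upload feature), the Python below does the reconciliation described under Must-Have #6 above and in this Phase 1 section: it merges payees from three constructed finance exports (accounts payable invoices, corporate card, employee reimbursements), collapses spelling variants of the same vendor with an assumed normalization rule, and compares the result with the existing inventory to surface relationships you are paying for but not tracking, inventory entries nobody has paid this period, and third parties being paid without ever having been assessed. It also implements the onboarding gate from the live-inventory approach: no payment until the third party is inventoried and assessed. All vendor names, CSV layouts and the `assessed` flag are constructed for the example.

```python
"""Build and reconcile a third-party inventory from finance data.

Added example: the CSV layouts, vendor names and the name-normalisation rule
are constructed for illustration and are not SecurityStudio's format.
"""
import csv
import io
import re

# Constructed exports for one review period. Each carries the payee name and
# the date of the most recent payment.
INVOICES_CSV = """payee,last_paid
"Acme Cloud Hosting, Inc.",2024-03-02
Northwind Payroll LLC,2024-03-15
"""
CARD_CSV = """merchant,last_paid
ACME CLOUD HOSTING INC,2024-02-27
Zephyr Analytics,2024-03-09
"""
REIMBURSEMENTS_CSV = """vendor,last_paid
zephyr analytics,2024-01-20
Quick Print Shop,2024-03-01
"""
SOURCES = [  # (csv text, name column, source label)
    (INVOICES_CSV, "payee", "accounts_payable"),
    (CARD_CSV, "merchant", "corporate_card"),
    (REIMBURSEMENTS_CSV, "vendor", "employee_reimbursement"),
]

# The TPISRM inventory as it stands today (constructed). 'assessed' means the
# third party has been classified and, where required, assessed.
CURRENT_INVENTORY = [
    {"name": "Acme Cloud Hosting", "assessed": True},
    {"name": "Northwind Payroll", "assessed": True},
    {"name": "Old Courier Co", "assessed": True},
    {"name": "Quick Print Shop", "assessed": False},
]

_LEGAL_SUFFIX = re.compile(r"\b(inc|llc|ltd|corp|co|company)\b\.?", re.IGNORECASE)

def normalize(name: str) -> str:
    """Canonical key for a vendor name: drop legal suffixes and punctuation,
    casefold, collapse whitespace. Assumed rule; tune it to your own payee data."""
    key = _LEGAL_SUFFIX.sub(" ", name).casefold()
    key = re.sub(r"[^a-z0-9 ]+", " ", key)
    return " ".join(key.split())

def merge_payees(sources) -> dict:
    """Merge every finance source into {key: {name, sources, last_paid}}.
    The same vendor seen under several spellings collapses to one record."""
    merged = {}
    for csv_text, column, label in sources:
        for row in csv.DictReader(io.StringIO(csv_text)):
            key = normalize(row[column])
            rec = merged.setdefault(key, {"name": row[column].strip(),
                                          "sources": set(), "last_paid": ""})
            rec["sources"].add(label)
            rec["last_paid"] = max(rec["last_paid"], row["last_paid"])  # ISO dates sort as text
    return merged

def reconcile(inventory, paid) -> tuple:
    """Compare the inventory with who is actually being paid.

    missing    - paid but not inventoried: relationships you cannot manage
                 because you do not know you have them
    stale      - inventoried but not paid this period: confirm still engaged, else retire
    unassessed - paid and inventoried but never assessed: the onboarding gate was bypassed
    """
    inv = {normalize(v["name"]): v for v in inventory}
    missing = sorted(k for k in paid if k not in inv)
    stale = sorted(k for k in inv if k not in paid)
    unassessed = sorted(k for k in paid if k in inv and not inv[k]["assessed"])
    return missing, stale, unassessed

def payment_allowed(vendor_name: str, inventory) -> bool:
    """Onboarding gate for a live inventory: release payment only to a third
    party that is inventoried and has been assessed."""
    inv = {normalize(v["name"]): v for v in inventory}
    rec = inv.get(normalize(vendor_name))
    return bool(rec and rec["assessed"])

if __name__ == "__main__":
    paid = merge_payees(SOURCES)
    missing, stale, unassessed = reconcile(CURRENT_INVENTORY, paid)
    print("add to inventory and classify:", [paid[k]["name"] for k in missing])
    print("confirm still engaged:", stale)
    print("paid without assessment:", unassessed)
    print("pay 'ACME CLOUD HOSTING INC'?", payment_allowed("ACME CLOUD HOSTING INC", CURRENT_INVENTORY))
```

For a periodic reconciliation, run `reconcile` against the period's exports and hand the three lists to the relationship managers; for a live inventory, `payment_allowed` is the check the payment step calls. The normalization is the part that needs care in practice: too loose and two different vendors merge, too strict and one vendor shows up as several unknown relationships.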

Once the Inventory and Onboarding steps are complete, you're ready to start Phase 2 of VRM – Vendor Classification.


The topic of vendor risk management (VRM) is on the lips of nearly every CISO, IT Director, CTO/CIO and business owner in the country, and with good reason. Security breaches have reached near epidemic proportions and businesses don’t need to just worry about data being stolen. The real issue is what happens after the breach occurs when regulators, lawyers, and your own customers come after your business, trying to determine who is at fault for the breach.

Using third-party vendors adds another layer of complexity to finding the source of the breach, but even though it may have been the fault of the vendor, your business could still be liable. It’s critical to both track and monitor all vendors with a good VRM program and also classify them as low, medium or high risk so you can focus on those vendors that pose the most risk to your business. This business-critical process can help keep you out of hot water in the event of a third-party breach, but how do you know if your business is ready for a VRM program?

Use our quick guide below to determine if you should invest in a VRM program:

For a free demo of SecurityStudio, the vendor risk management tool that can help your business become simplified, standardized, and defensible, sign up.


Despite vendor-caused breaches being common, organizations still struggle to handle vendor risk management practices properly. We can use organizations who have experienced vendor breaches to improve our own information security programs and strategies. Here is how the Target breach from 2013 can provide a roadmap for your organization.