The Need for a Business Continuity Plan

The need for a Business Continuity Plan

Business Continuity Planning in a Coronavirus World

The need for a business continuity plan is becoming more critical as businesses adjust disruptions caused by the coronavirus.

A virus in and of itself can’t shut your company’s systems, operations, or services down, but it can impact how a business functions. It’s not often that businesses face a pandemic. Still, natural disasters, human-made disasters, security threats (such as a malware attack), and an outage are a reality. If businesses want to ensure a smooth recovery process and continuity of operations, they must do a risk assessment and develop a recovery services strategy with disaster recovery and business continuity plans.

Read More

FINRA: Cyber Security Still a Major Threat to Broker-Dealers

Latest FINRA Examination Findings Reveal That Firms Have Made Progress with Cyber Security, but Problems Remain

Latest FINRA Examination Findings Reveal That Firms Have Made Progress with Cyber Security, but Problems Remain

Cyber security remains “one of the principal operational risks facing broker-dealers,” according to the FINRA 2017 Examination Findings Report, and while progress has been made, many broker-dealer firms still have work to do to protect themselves against hackers.

Latest FINRA Examination Findings Reveal That Firms Have Made Progress with Cyber Security, but Problems Remain

Firms More Aware of Cyber Security Risks

FINRA noted a significant uptick in firms’ awareness of cyber security risks, noting a substantial increase in “attention to cybersecurity challenges over the past two years, including at the executive management level.” Most of the firms FINRA examined had already established or were in the process of establishing risk management programs to address security issues. FINRA noted that firms with the most effective cyber security programs tended to have:

But Better Risk Management & Data Governance Needed

FINRA noted that the quality of firms’ cyber risk management programs varied widely, not only from firm to firm but also within the same organization. By far, the biggest security vulnerability was firms’ own people; the most common threats observed in 2016 and 2017 were all rooted in social engineering: phishing and spearphishing schemes, ransomware (which usually begins with a phishing email), and fraudulent third-party wires (again, usually involving phishing schemes).

The agency highlighted a number of frequent problem areas:

  • Access Management – Some firms didn’t adhere to basic procedures such as terminating system access for former employees and monitoring systems for anomalies, such as logins from unusual locations or privileged users granting themselves additional, unwarranted system privileges.
  • Risk Assessments – Despite the importance of regular risk assessments, some firms still aren’t doing them; even worse, the firms “could not effectively identify their critical assets and the potential risks to those assets.”
  • Vendor Management – Third-party vendor hacks are a serious problem, but some broker-dealers are still not properly vetting their business associates’ cyber security preparedness or sufficiently documenting vendors’ responsibilities in service level agreements.
  • Branch Offices – Branch offices tended to have less robust cyber security than home offices; FINRA noted problems with password management, software updates, removable storage device security, data encryption, and reporting incidents.
  • Segregation of Duties – Some small and medium-sized firms are not properly segregating responsibilities for cyber security rules and systems changes; for example, at some firms, network engineers are performing cyber security functions without any supervision from cyber security experts.
  • Data Loss Prevention – Many firms need stronger DLP protocols, such as applying the same rules that currently protect clients’ Social Security Numbers to other sensitive data, such as account numbers.

Since cyber attacks represent such a serious threat to the U.S. and global financial systems, both FINRA and the SEC, NFA have indicated that cyber security will be of high priority throughout 2018. Firms that run afoul of SEC, NFA and FINRA standards – or, worse yet, suffer a breach – can face millions of dollars in fines. The good news is that a data-centric, integrated risk management approach to cyber security will head off all of the problem areas FINRA discusses in its report.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Medical Device Security Is Largely Nonexistent

A new report by Synopsys and the Ponemon Institute finds that medical device security is plagued by a lack of standards, testing, and accountability.

Healthcare organizations tend to focus their cyber security efforts on HIPAA compliance, protecting patient data, and defending against ransomware attacks like WannaCry, with scant, if any, attention paid to medical device security. A Ponemon Institute study released last week by Synopsys, Medical Device Security: An Industry Under Attack and Unprepared to Defend, paints an ominous picture regarding the cyber security of IoT devices such as smart insulin pumps, diagnostic and monitoring equipment, and even the mobile apps used to control connected devices:

  • 67% of medical device manufacturers expect that their devices will be hacked within the next 12 months, but only 17% are taking “significant steps” to prevent it.
  • 56% of healthcare delivery organizations (HDOs) expect a hack within the next 12 months, but only 15% are doing anything about it.
  • Fewer than half (41%) of device manufacturers have an incident response plan in place in the event of a hack.
  • Among HDOs, the numbers are even worse; only 22% have an incident response plan.
  • Only 9% of device manufacturers and 5% of HDOs test their medical devices at least yearly. Over half of HDOs, and 43% of manufacturers, either do not test their devices at all or are “unsure if testing occurs.”

A new report by Synopsys and the Ponemon Institute finds that medical device security is plagued by a lack of standards, testing, and accountability.

No Testing, No Standards, No Accountability: What Could Possibly Go Wrong?

One would think that, given the fact that a faulty connected medical device could result in a dead or maimed patient, these devices would be subject to strict regulations and exacting security standards.

This is not the case at all. Medical device security is no more robust than general IoT security. The respondents to the Synopsys/Ponemon study cited a complete lack of security standards, testing, and accountability for medical device security, along with intense pressure to push products to the market as soon as possible. These are the same problems that plague the overall connected devices industry. Smart watches, smart doorbells, smart toys, and even smart cars are designed for ease of use and cutting-edge features, not cyber security.

Smart medical devices are no different. The FDA does have a set of voluntary guidelines addressing medical device security, but according to the study, only 51% of manufacturers and 44% of HDOs followed them.

Medical Device Security Cannot Be Reactive

Perhaps the most horrifying finding from this already frightening report is that most device manufacturers and HDOs stated that only a “serious hacking incident” would prompt their organizations to increase their medical device security budgets. Yes, you read that correctly: The majority of players in the medical device industry are relying on reactive cyber security, waiting until a breach has actually happened – which, in this case, could mean that someone dies or is maimed – to address device vulnerabilities.

Last fall, medical device maker St. Jude Inc. announced that it was forming a medical advisory board focused specifically on medical device security. This is a positive step, but it happened only after allegations that its smart cardiac implants were vulnerable to hacking, which prompted an investigation by the FDA.

The current reactive approach to medical device security is completely unacceptable. Knowing this, the FDA has cited the cyber security of medical devices as one of its top regulatory science priorities in 2017. However, the wheels of government turn very slowly; manufacturers, HDOs, and patients cannot afford to wait for the government to step in and save the day. The healthcare industry needs to start taking the same proactive approach to cyber security that it does to disease prevention. This isn’t just about money or reputation; human lives depend on it.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.