5 Best Practices for Successful Cyber Security Outsourcing

By following these best practices, organizations can enjoy the benefits of cyber security outsourcing, minimize the risks, and build fruitful, long-term relationships with trusted providers.

With the cyber security skills gap making it extremely difficult or even impossible for companies to find the security talent they need – and they need it yesterday – more and more firms are turning to cyber security outsourcing. Outsourcing is a great way to save money and gain immediate access to security expertise that you do not have in-house. However, it’s also a very serious decision. Your cyber security outsourcing provider will have access to your entire network and all of your sensitive data. How can you ensure that you are partnering with a provider who is not only legitimate but is also the right fit for your particular organization and data environment? Following are five best practices to follow when choosing a provider for cyber security outsourcing.

If Something Seems “Off” About a Company, It Probably Is …

At a minimum, steer clear of providers who:

  • Cannot provide you with a street address and phone number.
  • Do not have enterprise email addresses and communicate with you using addresses from Gmail, Yahoo, etc.
  • Have websites that appear very “amateurish” in design and/or contain text written in broken English.

These are immediate red flags that indicate you are dealing with an amateur – or possibly a fly-by-night operation.

Get References

Even if a provider seems perfectly legitimate and professional, always ask for references, and make sure to call them. Professional cyber security firms are always happy to provide verifiable references. You should also Google the name of the company and its principal(s) and look for reviews – or complaints.

Make Sure that the Provider Can Handle all of Your Compliance Requirements

Lazarus Alliance’s audit and assessment services include HIPAA and HITECH, PCI DSS QSA, SSAE 18 and AT 101 SOC reports, FedRAMP, FISMA, NIST, CJIS, DFARS, ISO, NERC CIP, SOX, and EU-US Privacy Shield certification; we are the only Arizona-based company that provides this depth of coverage. For that matter, very few in the world can provide this depth of expertise!

However, many cyber security outsourcing companies – including some that are very large – handle certain IT compliance requirements but not others. Make sure that your provider not only offers all of the compliance services you need but also has experience performing those specific audits; ask about your specific compliance requirements while you are checking the provider’s references.

Ask the Cyber Security Outsourcing Provider About Their Audit & Compliance Processes

Believe it or not, some IT auditors are still using Excel or other spreadsheet programs to perform IT compliance reporting and audits, despite the fact that spreadsheet programs were never meant to be used with the very large data sets produced in today’s complex data environments. An auditor that is still fumbling around with spreadsheets is going to plunge your company into audit anarchy and cost you a lot of time, money, and headaches.

Make sure your provider uses modern RegTech software to perform compliance reporting and audits, such as the Continuum GRC IT Audit Machine (ITAM). ITAM utilizes big data capabilities and rapid report creation to automate data management and reporting. Instead of dozens of different spreadsheets and ledgers, ITAM creates a centralized repository of all IT compliance requirements with associated controls and automated information flows for audits, assessments, and testing. This saves you time, money, and stress and provides you with a big picture of your data environment and its risks and vulnerabilities.

Get Everything in Writing

Finally, make sure that the provider signs a written contract that specifies exactly what is expected of them and ensures that they are willing to guarantee any promises they make.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Six Cyber Security Best Practices for People and Businesses

Cyber security is everyone’s responsibility; here are six cyber security best practices for homes and businesses.

Hacks do not happen in a vacuum; if one computer on a network is compromised, all machines on that network are at risk. For this reason, both enterprises and individuals have a responsibility to implement cyber security best practices – and this does not mean installing anti-virus software and a firewall and calling it a day. While it’s important to run anti-virus software and properly configure firewalls, viruses aren’t the only threat to your system; what if your email login credentials are stolen, or someone hacks your router or your smart TV?

What else should you be doing? Here are six proactive cyber security best practices for individuals and enterprises.

Use Strong Passwords, and Don’t Reuse Them

The most basic best practice is to use a different, strong password for each site. While remembering all of these passwords can be a challenge, it is for your protection. If a hacker manages to get hold of, for example, your Facebook login credentials, the first thing they’ll do is attempt to use them to get into your online bank account, your email, and other highly sensitive sites.

Businesses should not allow employees to pick their own passwords; employees should be assigned randomly generated strong passwords. This prevents employees from reusing personal passwords, and it prevents hackers from getting into your enterprise systems if an employee’s personal accounts are hacked.

What constitutes a strong password? It should be at least six characters long, not contain your name, user name, or any dictionary words, and be a mixture of upper case letters, lower case letters, and numerals. An easy way to generate a strong password is to base it on the first letter of each word of a sentence. For example, “I graduated from Roosevelt High School in 1998” would generate the strong password IgfRHSi1998.
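As an added illustration (not code from the post or from Lazarus Alliance), here is a small Python checker that applies the rules above, builds the sentence-based password the post uses as its example, and generates random assigned passwords for employees; the word list is a constructed stand-in for a real dictionary.

```python
import re
import secrets
import string

# Rules from the post: at least six characters, no name or user name, no
# dictionary words, and a mix of upper case, lower case and digits.
MIN_LENGTH = 6
ALPHABET = string.ascii_letters + string.digits
# Constructed stand-in word list; a deployment would load a full dictionary instead.
DICTIONARY = {"password", "welcome", "school", "summer", "letmein"}


def check_password(password: str, user_name: str = "", full_name: str = "") -> list:
    """Return the rule violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for label, value in (("user name", user_name), ("name", full_name)):
        for part in value.lower().split():
            if len(part) >= 3 and part in lowered:  # skip initials and short tokens
                problems.append(f"contains {label} '{part}'")
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    classes = ((r"[A-Z]", "upper case letter"), (r"[a-z]", "lower case letter"),
               (r"[0-9]", "digit"))
    for pattern, what in classes:
        if not re.search(pattern, password):
            problems.append(f"no {what}")
    return problems


def sentence_password(sentence: str) -> str:
    """First letter of each word, keeping whole numbers, as in the post's example."""
    parts = []
    for word in sentence.split():
        word = word.strip(string.punctuation)
        if word:
            parts.append(word if word.isdigit() else word[0])
    return "".join(parts)


def generate_password(length: int = 12) -> str:
    """Randomly generate an assigned password that satisfies every rule above."""
    length = max(length, MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate
```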

Use Two-Factor Authentication Whenever Possible

Passwords alone are not considered secure, so in addition to strong passwords, use two-factor authentication whenever possible. Two-factor authentication requires an additional device or “secret,” such as a mobile phone or a PIN, to confirm the identity of the person trying to log in. Many websites use two-factor authentication to retrieve forgotten passwords; the site may text a code to your mobile phone.

Never Send Sensitive Data Through Unsecured Email

Email hacks can be both embarrassing and damaging. Just ask Sony Pictures and the Democratic National Committee, both of whom had C-suite shakeups after hackers breached their email servers and handed evidence of executives and their staffers behaving badly to WikiLeaks. Even worse, some of the stolen DNC emails contained full, unredacted images of checks from high-value donors, putting those people’s bank information at risk. Simple cyber security best practices could have prevented these hacks!

Sensitive data – including Social Security Numbers, completed tax forms, bank account information, or even login credentials – should never be sent through unsecured email. Even if your email account isn’t breached, your recipient’s may be, or the email could be intercepted somewhere along the way.

Additionally, you should never write anything in an email that you would not want to see show up on WikiLeaks – because it very well may.

Keep Your Operating System & Software Up to Date

The global WannaCry and NotPetya ransomware attacks that made headlines this summer are notable in that they impacted only older, unpatched versions of Microsoft Windows. This underscores the utmost importance of keeping both your operating system and all of your software up to date. Install any manufacturer updates as soon as possible after they are released; often, these updates include important patches addressing new cyber security vulnerabilities.

Back Up Your Data

The easiest way to recover from a ransomware attack is to restore your files from a backup. Be sure to back up your files daily, either to a cloud, an external hard drive, or both. If you use an external hard drive as a backup, keep it unplugged from your machine except when it’s actually performing the daily backup; this way, if your machine is compromised, the hackers won’t be able to access your backup disk, too.

Backups also protect your data in the event your machines are damaged or destroyed in a natural disaster, a burglary, or an accident.

Change the Default Passwords on Your Smart Devices

Last fall, numerous high-profile websites, including Netflix and Airbnb, were knocked offline by the Mirai botnet. Mirai worked by scanning the internet for smart devices – everything from routers to printers to DVRs – logging into them using default manufacturer credentials, and turning them into “zombies” that sent tens of thousands of junk requests to a company called Dyn, which provides domain name services to the impacted enterprise websites.

Before hooking up anything to your home or enterprise network, even if it’s just a smart thermostat, change the manufacturer default login credentials. These credentials are widely available online, and hackers can use them to breach your smart devices.

The best way to deal with a cyber attack is to prevent it from ever happening in the first place. By adopting proactive cyber security best practices, you can secure your home and business from cyber criminals.

Proactive GRC Can Prevent AWS Security Breaches

Governance, risk, and compliance should be at the heart of AWS security procedures

Another day, another AWS security breach, and this one is particularly bad because of the extraordinarily sensitive nature of the data that was compromised: Over 9,000 documents containing personal data on job applicants holding U.S. security clearances, some of them Top Secret, were discovered sitting on an insecure AWS S3 bucket, where they may have been for as long as a year. Gizmodo reports:

[T]he cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.

Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm who discovered and reviewed the documents. Between 15 and 20 applicants reportedly meet these criteria.

The AWS bucket belonged to a company called TalentPen, a third-party vendor hired by private security firm Tiger Swan to process job applications.

Sound GRC Can Prevent AWS Security Breaches

The TalentPen breach is only the latest in a long line of AWS security incidents, most of them involving third-party business associates of larger firms, such as Verizon and the Republican National Committee. The problem is so pervasive that Amazon itself recently sent out a mass email to customers with unprotected AWS S3 buckets, imploring them to review their security settings, and many companies are now questioning how secure the AWS service really is.

However, the problem isn’t with Amazon Web Services. AWS security is quite sound – if it is configured correctly, and if the enterprise using it follows sound GRC practices and applies them to on-premises data, data residing in the cloud, and, in the case of the companies hiring IT service providers, data being handled by those service providers.

It’s Your Data, and You’re the One Who Has to Secure It and Maintain Compliance

While AWS offers security protections such as encryption of PII both at rest and in transit, and AWS S3 buckets are set to private by default, these protections are only as good as the company that’s utilizing AWS. In the Verizon, RNC, TalentPen, and other recent breaches, someone went into the system and took specific steps to override the default AWS settings and open the buckets up for public viewing.

This raises very serious questions regarding data security and governance within these organizations. Who went into the AWS accounts and made these buckets public? Why did they do this? Why did they have the system privileges to access this data and make this change, and why did the change go unnoticed (in the case of TalentPen, perhaps for as long as a year)? Why was data this sensitive uploaded to the cloud in the first place? Comprehensive, consistent cloud security and AWS security protocols, combined with appropriate user access credentials and continuous system monitoring, would have prevented all of these breaches.

Compliance is another issue when using AWS or other cloud services. While AWS contains tools that customers can use to ensure they comply with major IT audit frameworks, such as HIPAA, PCI DSS, NIST, and FISMA, it would be impossible for AWS, or any other provider, to ensure that all of their customers are covering every aspect of the specific compliance requirements that apply to them. Thus, AWS operates on a “shared responsibility” model, where AWS itself is responsible for the security and compliance of their cloud, while their customers are responsible for the security of the data they store within it.
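The concrete failure the post describes is that someone overrode the default private setting on a bucket and nobody noticed, and under the shared-responsibility model that check is the customer’s job. As an added example (not code from the post or from Lazarus Alliance), here is a Python check that flags bucket policy statements open to any principal and ACL grants to the public groups; it runs on constructed sample input shaped like what boto3’s `get_bucket_policy()["Policy"]` and `get_bucket_acl()` return, so the same functions can be fed live output from those calls.

```python
import json

# Predefined S3 ACL group URIs (real AWS identifiers) that mean "everyone".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal) -> set:
    """Flatten a statement's Principal ('*', {'AWS': '*'}, lists) into a set."""
    if isinstance(principal, str):
        return {principal}
    out = set()
    for value in (principal or {}).values():
        out.update(value if isinstance(value, list) else [value])
    return out


def public_policy_statements(policy_json: str) -> list:
    """Sids of Allow statements open to any principal; review each, Condition or not."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and "*" in _principals(s.get("Principal"))]


def public_acl_grants(acl: dict) -> list:
    """(URI, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


# Constructed sample input: a policy edited to allow anonymous object reads, plus
# an ACL granting READ to everyone; bucket name and account id are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"}]}
```

Scheduling this check against every bucket and alerting on a non-empty result is the kind of continuous monitoring the post says would have caught these buckets long before a year had passed.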

In the end, it is your data, and you are the one who is ultimately responsible for it – even if a third-party vendor is the one who mishandles it.

Addressing governance, risk, and compliance in the cloud and throughout your cyber ecosystem can be a challenge, but in the end, proactive GRC is much less expensive than cleaning up after a data breach.
