Newsletter dedicated to IT security issues and current trends and products.

Introducing Our Newest Service – CloudXSecurity

DTS offers comprehensive security solutions that extend beyond the traditional services offered by most service providers. Our approach to cybersecurity covers the three critical areas of cybersecurity risk management: End User Training, Responsible Systems Management, and Incident Detection and Response. Our solutions go beyond installing the latest security software. At DTS we partner with our customers to develop a comprehensive security program and then provide the oversight and resources to implement and run it.

This month we are highlighting our End User Training. DTS has partnered with an industry leader in cybersecurity awareness training. Not only do we have dozens of courses that we can deliver electronically, we also have a phishing simulator that lets us send safe, simulated phishing emails to our customers' employees. This establishes a baseline and gives a better understanding of how susceptible an organization is to phishing scams.

For more information…

How Do GDPR and 23 NYCRR Part 500 Affect My Business?

Although GDPR and 23 NYCRR Part 500 do not directly apply to most small businesses in the US, there is mounting pressure from many sides urging businesses to take cybersecurity more seriously. Compelling cybersecurity regulations are already on the books for the defense, financial services, banking, and healthcare industries, but many businesses outside these sectors have been slow to adopt formal cybersecurity programs. The consensus across the industry, however, is that it is only a matter of time until most states and/or the federal government impose requirements similar to 23 NYCRR Part 500 on all organizations.

Even if your business does not fall under specific cybersecurity regulations like the ones mentioned above, you are still expected to practice Responsible Systems Management. If you suffer a security breach or other cybersecurity incident, regulators and plaintiffs' lawyers will have a much harder time arguing “negligence” if you can show a legitimate, documented effort to be a responsible corporate citizen.

At a minimum, you should have end user security training, some basic policy and procedure documents, a current and supported firewall, and up-to-date antivirus. Unfortunately, many small businesses do not even have these basics covered, leaving themselves wide open to attacks and the resulting consequences.

If you would like more information about how to start taking the basic steps toward implementing a cybersecurity program, please contact us.

Recent CyberSecurity Attacks

UK top 500 legal firms' credentials leaked on the Dark Web
http://www.zdnet.com/article/uk-top-500-legal-firms-credentials-leaked-on-the-dark-web/

OnePlus hacked; credit card info of 40,000 customers compromised
https://securityboulevard.com/2018/01/oneplus-hacked-credit-card-info-of-40000-customers-compromised/

Nearly Half of Norway's Population Exposed in Healthcare Data Breach
https://thehackernews.com/2018/01/healthcare-data-breach.html

Hospital pays $60,000 to the bad guys to cure malware infection
https://www.theregister.co.uk/AMP/2018/01/16/us_hospital_ransomware_bitcoin

Forever 21 Breach Lasted Over Seven Months
https://www.infosecurity-magazine.com/news/forever-21-breach-lasted-over/

Phishing Exposed Medicaid Details for 30,000 Floridians
https://www.bankinfosecurity.com/phishing-exposed-medicaid-details-for-30000-floridians-a-10563

NY Cybersecurity Regulation Deadline March 2018

March 2018 deadline looms for New York’s Cybersecurity Regulation

The March 1, 2018 transitional deadline looms for New York’s Cybersecurity Regulation (23 NYCRR Part 500). By that date, covered entities are required to be in compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b). The regulation was promulgated by the New York State Department of Financial Services (DFS) and took effect on March 1, 2017, to “promote the protection of customer information as well as the information technology systems” of regulated entities.

Businesses affected (covered entities): Any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of the state of New York.

Section Summary:

500.04(b) – The Chief Information Security Officer (CISO) must report in writing, at least annually, to the organization's board of directors or equivalent governing body. The report must address the organization’s cybersecurity policies and procedures, material cybersecurity risks, the overall effectiveness of the cybersecurity program, and material cybersecurity events during the reporting period.

500.05 – Organizations must institute monitoring and testing to assess the effectiveness of the cybersecurity program: either continuous monitoring or, failing that, annual penetration testing and bi-annual vulnerability assessments, both scoped according to the risk assessment.

500.09 – The organization must conduct a periodic, documented risk assessment of its information systems under written policies and procedures, and must document how each identified risk will be mitigated or accepted.

500.12 – Multi-Factor Authentication (MFA) must be used by any individual accessing the organization's internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls. More generally, the organization must use effective controls, which may include MFA or risk-based authentication, to protect against unauthorized access to nonpublic information.

500.14(b) – Organizations must provide regular cybersecurity awareness training for all personnel, updated to reflect the risks identified in the risk assessment.

Additional info:

http://www.dfs.ny.gov/about/cybersecurity.htm

http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

GDPR European Regulation Deadline May 25 2018

GDPR requires companies that collect data on individuals in European Union (EU) countries to comply with new rules designed to protect personal data

The General Data Protection Regulation (GDPR) requires companies that collect data on individuals in European Union (EU) countries to comply with new rules designed to protect personal data. The next important deadline is May 25, 2018, when the two-year post-adoption transition period ends and GDPR becomes fully enforceable throughout the EU. The GDPR applies not only to organizations located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, data subjects in the EU. It applies to all companies processing and holding the personal data of individuals in the EU, regardless of the company’s location or the individual's citizenship.

Article numbers below follow the final text of the regulation (Regulation (EU) 2016/679); older summaries that cite the numbering of the 2012 draft (for example, breach notification as Articles 31 and 32) describe the same obligations.

Articles 17 and 20 give data subjects more control over their personal data. Data subjects may direct a controller to erase their personal data under certain circumstances (the “right to erasure”), and, where data is processed by automated means on the basis of consent or a contract, may obtain it in a structured, machine-readable format and transfer it between service providers (the “right to data portability”).

Articles 25 and 32 require companies to build data protection into their processing by design and by default, and to implement appropriate technical and organizational measures, proportionate to the risk, to protect personal data against loss, destruction, alteration or unauthorized disclosure.

Articles 33 and 34 – Data breach notification plays a large role in the GDPR text. Article 33 requires controllers to notify the supervisory authority (SA) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; the notification must describe the nature of the breach, the approximate number of data subjects and records affected, the likely consequences, and the measures taken. Processors must notify their controller without undue delay. Article 34 requires controllers to inform affected data subjects without undue delay when a breach is likely to place their rights and freedoms at high risk.

Articles 35 and 36 require companies to perform a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals, and to consult the supervisory authority before proceeding when the DPIA shows a high risk that cannot be adequately mitigated.

Article 37 requires certain organizations to appoint a data protection officer (DPO): public authorities, organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and organizations whose core activities involve large-scale processing of special categories of data (genetic data, health, racial or ethnic origin, religious beliefs, etc.) or of criminal conviction data. Member state law may add further triggers under Article 37(4), so an organization with employees or customers in the EU should check the rules of the relevant member states. The DPO advises the organization on compliance with the regulation and acts as its point of contact with the supervisory authority.

Articles 38 and 39 outline the DPO's position and tasks: the DPO must be involved in all data protection matters, must be able to act independently and report to the highest level of management, and is responsible for monitoring compliance, advising on DPIAs, and cooperating with the supervisory authority.

Article 3 sets the territorial scope: controllers and processors outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU are subject to the same requirements and penalties as EU-based companies. Transfers of personal data out of the EU are governed by Chapter V (Articles 44 to 50) and require an adequacy decision (Article 45) or other appropriate safeguards.

Additional Info:

https://www.eugdpr.org/