Cloud X Security Rollout

Introducing Our Newest Service – CloudXSecurity

DTS offers comprehensive security solutions that extend beyond the traditional services offered by most service providers. Our approach to Cybersecurity covers the three critical areas of Cybersecurity Risk Management: End User Training, Responsible Systems Management, and Incident Detection and Response. Our solutions extend beyond just installing the latest security software. At DTS we actually partner with our customers to develop a comprehensive security program and then provide the oversight and resources to implement and run the program.

This month we are highlighting our End User Training. DTS has partnered with an industry leader in Cybersecurity Awareness Training. Not only do we have dozens of courses that we can deliver electronically, we also have a Phishing simulator that allows us to send safe Phishing emails to our customers' employees. This allows us to establish a baseline and get a better understanding of how susceptible an organization is to Phishing scams.


Cyber Regulations Affecting Business

How Do GDPR and 23 NYCRR 500 Affect My Business?

Although GDPR and 23 NYCRR Part 500 do not affect most small businesses in the US, there is mounting pressure from many sides urging businesses to take Cybersecurity more seriously. There are compelling Cybersecurity regulations already on the books for the defense, financial services, banking, and healthcare industries, but many businesses that are not in these sectors have been slow to adopt formal Cybersecurity programs. Consensus across the industry, however, is that it is only a matter of time until most states and/or the federal government impose requirements similar to 23 NYCRR Part 500 on all organizations.

Even if your business doesn’t fall under specific Cybersecurity regulations like the ones mentioned above, you are still expected to employ Responsible Systems Management. If you have a security breach or other Cybersecurity incident, the authorities and lawyers can’t claim that you were acting with “negligence” as long as you are making some legitimate effort to be a responsible corporate citizen.

At a minimum, you should have End User Security training, some basic policies and procedures documented, and current firewall and antivirus solutions in place. Unfortunately, many small businesses do not even have these basics covered, and they are leaving themselves wide open for attacks and the resulting consequences.

If you would like more information about how you can start taking some of the basic steps towards implementing a Cybersecurity program, please contact us.

Cyber Security Attacks In The News

Recent CyberSecurity Attacks

Allentown Struggles with $1 Million Cyber-Attack
https://www.infosecurity-magazine.com/news/allentown-struggles-with-1-million/

UK top 500 legal firm credentials leaked on the Dark Web
http://www.zdnet.com/article/uk-top-500-legal-firms-credentials-leaked-on-the-dark-web/

OnePlus hacked; credit card info of 40,000 customers compromised
https://securityboulevard.com/2018/01/oneplus-hacked-credit-card-info-of-40000-customers-compromised/

Nearly Half of the Norway Population Exposed in HealthCare Data Breach
https://thehackernews.com/2018/01/healthcare-data-breach.html

Hospital pays $60,000 to the bad guys to cure malware infection
https://www.theregister.co.uk/AMP/2018/01/16/us_hospital_ransomware_bitcoin

Forever 21 Breach Lasted Over Seven Months
https://www.infosecurity-magazine.com/news/forever-21-breach-lasted-over/

Phishing Exposed Medicaid Details for 30,000 Floridians
https://www.bankinfosecurity.com/phishing-exposed-medicaid-details-for-30000-floridians-a-10563


NY Cyber Security Law Deadline March 2018

March 2018 deadline for New York’s Cybersecurity Regulation

The March 2018 deadline has passed for New York’s Cybersecurity Regulation (23 NYCRR Part 500). By that date, businesses were required to be in compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b). This regulation was enacted into law by New York to “promote the protection of customer information as well as the information technology systems.”

Businesses affected (covered entities) include: Any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of the state of New York.

Section Summary:

500.04(b) – The Chief Information Security Officer (CISO) of an organization must report, in writing, to the Executive leadership. The report must address the organization’s Cybersecurity policies and procedures, Cybersecurity risks, effectiveness of the Cybersecurity program, and material Cybersecurity events during the reporting period.

500.05 – Organizations must institute ongoing or periodic monitoring to ensure the effectiveness of the Cybersecurity program. This includes periodic Penetration Testing and Vulnerability Scanning.

500.09 – The organization must conduct a formal Risk Assessment, document the results, and document an action plan to mitigate or accept the risks.

500.12 – Multi-Factor Authentication (MFA) must be used for all external access to internal networks and systems that store private data.

500.14(b) – Organizations must provide regular and appropriate Cybersecurity Awareness training for all personnel.

Additional info:

http://www.dfs.ny.gov/about/cybersecurity.htm

http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf


GDPR European Regulation Deadline May 25 2018

GDPR enforces requirements for companies that collect data on citizens in the European Union (EU)

The General Data Protection Regulation (GDPR) requires companies that collect data on citizens in European Union (EU) countries to comply with new rules designed to protect customer data. The next important deadline is May 25, 2018. In May, the two-year post-adoption grace period ends and GDPR becomes fully enforceable throughout the European Union. The GDPR not only applies to organizations located within the EU; it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Articles 17 and 18 of the GDPR give data subjects (customers/consumers) more control over their personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller (the company processing the data) to erase their personal data under certain circumstances (also called the “right to erasure”).

Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.

Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify the supervisory authority (SA) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.

Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.

Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data that includes genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervisory Authorities (SA). Some companies may be subject to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.

Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.

Penalties for non-compliance are steep, and can be up to €20 million, or 4% of annual revenue.

Additional Info:
https://www.eugdpr.org/