Compliance and Cybersecurity Insights

Any business that stores, transmits, or processes payment card data has a responsibility to ensure that those transactions are secure. The Payment Card Industry Data Security Standard (PCI DSS) has a path for that.

The PCI DSS issued a set of 12 high-level requirements known as the PCI compliance checklist. These requirements apply to merchants of all sizes that accept consumer credit and debit cards. At its core, the PCI compliance checklist is designed to protect consumer card data from fraud and data breaches. Although the requirements mandated by PCI DSS are not law, there are hefty fees and fines for non-compliance.

There you are, scrolling through Instagram in between other mundane tasks, or checking out the current events on Facebook. You then go to the latest relevant tweets, and wait… is that a virus lurking in the virtual shadows? Nah, it’s just an advertisement asking you to click on an image of a nice sweater. You were just talking about how it gets cold in the office and you need some new appropriate yet stylish professional attire. You click on the link and next thing you know you are in the vortex of so many other online shopping opportunities. Shopping is literally at the tip of our fingertips with a simple mouse click, and has become increasingly popular online on computers, tablets, and other cellular devices. It is possible to order anything online and have it delivered directly to you and with the increase in online purchases, cybercriminals simply must wait in the background to trap consumers rushing to get the best deals.

Living in a digital age has made it far more difficult to protect our homes and families from threats we cannot physically see. Technology is everywhere  when our homes becomes smart homes and schools providing online platforms for education at an  early age.  Although it may seem that malware attacks and cybercrime live in the adult world, cyber thieves regularly target children and teens where they’re most active – chat rooms, social media, video streaming sites and online video games. Children are good targets because they may have high levels of trust in people and low levels of knowledge in cybersecurity. According to the department of Homeland Security, kids between the ages of 8-18 spend an average of 7 hours and 38 minutes per day online. Assuming a child sleeps eight hours a day, this means almost HALF their time awake is spent online! While the benefits are fantastic, there are great possible threats posed to children on the internet.

Did you forget to close your garage door when you left home, but then used your mobile device to close it as you sat worry free in the waiting room at the doctor’s office? Not sure if you armed the alarm system when you left for a weekend trip? No problem, because you’re a smart cookie who has smart devices, which will help you handle all this remotely. Left your lights on downstairs, and too tired to get out of bed? Ask Alexa or your Google home to turn them off. Technology is great, technology has evolved, technology has allowed us to forgive ourselves for human shortcomings. But you know what else technology has done? It has facilitated an invitation to those less innocent individuals with malicious intent, and has increased the opportunities for cybercriminals.

With so many devices being upgraded to “smart” devices as consumers move towards “smart” living, the number of Internet of Things (IoT) devices is increasing at a rapid pace. Cisco estimates this number to grow exponentially over 50 billion by year 2020. What does this mean for the average consumer? It means regular household devices such as refrigerators, washing machines, televisions will all become connected and humans will be communicating remotely via the internet with each of these devices. By 2030, only a decade later, this number is estimated to grow to 500 billion devices!

There are vulnerabilities, which can allow for hackers to be able to gain access to these devices. The more consumers utilize these devices to control their home, the greater access these cyber criminals will gain. It is a scary thought to think you may be susceptible to hackers, and while it seems like it is not a big deal if a hacker can turn off your lights, the security repercussions can be far more dangerous. If your doors are connected via an IoT device, then criminals will be able to access data on when you leave your house, and even be able to control the disarming of your security system to break into your home. Security cameras can be disabled, motion sensors switched off, and the consumer would have no idea until it is possibly too late. 5G enabled devices will increase this risk, as these will connect directly to a network vs a Wi-Fi router, exposing devices to an even greater likelihood of cyberattack.

What is exceptionally dangerous about these attacks, is the victims would in most cases be completely clueless as the devices continue to function as normal. Systems such as Google Assistant and Samsung’s Bixby can inadvertently result in compromised data generated from unprotected devices. This can in turn expose victim’s personal information such as credit card data and confidential passwords.

The important thing is to be a conscientious consumer, don’t be afraid of becoming one of the many who are upgrading theirs to a Smart Home; simply take counter measures to ensure you don’t become victim to cunning cyber criminals.

Let’s start with the simplest of security elements. THE PASSWORD. Phishing is still incredibly popular amongst hackers, and highly successful as well. While technology continues to evolve, human nature remains the same, and it is easiest to appeal to this vulnerability with disguised emails tricking the recipients. A strong defense to this line of attack would be to enable two-factor authentication.

Additionally, a surprising amount of people utilize the same password for all of their devices. Their laptop, home security, cell phones, bank pin codes; the list is endless. Over 83% of people surveyed stated they use the same password for multiple sites. A simple solution to this is to utilize a unique password for each device, so if one is compromised, your other devices will remain safe.

Most smart home devices are controlled remotely via an application installed on a person’s smartphone. If your phone is compromised, then you are inadvertently creating vulnerabilities with all other devices controlled from your phone. If you are using public wi-fi on your phone, you should exercise caution and ensure you always utilize VPN (virtual private network), which has strong security features and maintains an anonymous internet connection.

You should also ensure the software for your smart devices is always up to date in order to protect yourself from any identified security risks. Device makers will do frequent software releases and security patches, and you should never ignore these when they come through. Change the privacy settings the manufacture defaults the devices to, and don’t ever give the same access to guests and acquaintances who may need temporary access to your IoT devices.

Lastly, you can give your router a different name from the one which automatically generates from the manufacturer as well as the default password, so as to hinder hackers’ ability to gain information on the make and model of your device. Any roadblocks you can setup for malicious attacks will create an added layer of security and more barriers between you and cyber criminals wanting to gain access to devices in your home and your day to day lives.

To learn more about  the Internet of Things (IoT), you can visit:

https://www.cgcompliance.com/industries/internet-of-things-iot

This last November (Nov. 6-9, 2018) Townsend Security had a chance to participate in the 20th annual PASS Summit in Seattle as an exhibitor. While there, they had an opportunity to ask attendees about their company's encryption and key management practices. Our own Tim Roncevich was able to review the results and give his expert opinion on some of the findings. Enjoy!

If you are a service organization and your customers trust you with their data, you may need to pass a SOC 2 audit to sell your products.

Whether your customers demand an audit report from you or industry regulations require one, you may have to provide proof of SOC 2  compliance to demonstrate that the data you’ve been entrusted with is properly secured.

Effective December 15, 2018, all SOC 2 audits now need to comply with TSP Section 100—the 2017 Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.

The new SOC 2 audit reports will focus on changes meant to address head-on the current security breach landscape, which appears to be getting worse with each incident.

Many of these changes align with the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control criteria already in place but feature tighter controls to thwart and mitigate cybersecurity breaches and increase flexibility in the application of controls over areas such as security and privacy. The new framework affects those service organizations which will be issuing SOC 2 and/or SOC 3 reports with reporting periods ending after December 15, 2018. Companies, who did not early adopt the new standard, will need to prepare for examinations of their controls under the new criteria, which aligns with the new COSO framework. 

The new points of focus include:

Security: The effectiveness of policies and procedures governing the way organizations protect themselves against unauthorized access and respond to security breaches resulting in unauthorized disclosure of information will be periodically evaluated.

Availability: Information and systems must be available for operation and use to meet the entity’s objectives.

Confidentiality: Information designated as confidential must be sufficiently protected from unauthorized access to meet organizational effectiveness.

Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized to meet organizational objectives.

Privacy: Personally identifiable information must be collected, used, disclosed, and disposed of in a secure manner.

What Are the Main Implications?

The primary implications of these changes include positive impact on reporting clarity as a result of a defined level of transparency between service organizations and their users. Adding to the positive impact of the new framework, the detailed and thorough audits will be more satisfactory to service organization's clients and assessors. For service organizations, the revisions issued over the past 15 months represent new compliance challenges, which require additional controls, as well as additional effort preparing the system description.

The main principles guiding the 2013 COSO Internal Control–Integrated Framework are comprehensive and are outlined here:

Control Environment

Your organization should demonstrate a commitment to integrity and ethical values. This starts with the board of directors ensuring oversight over management and performance of internal controls.

Management, in turn, should work closely with the board of directors in pursuit of organizational objectives, which include the commitment to attract, develop, and retain competent staff and hold employees accountable for their internal-control responsibilities.

Risk Assessment

Your organization must not only identify and assess risks with sufficient clarity but also analyze those risks as a basis for how risks should be managed when they arise.

In other words, have a well-thought-out plan of action.

Your organization should also consider the potential for fraud in assessing risks to ensure the integrity of the process and identify changes, which could significantly affect the system of internal control―a fail-safe measure.

Control Activities

Your institution must select and develop control activities, which contribute to the mitigation of risk to the achievement of your goals to acceptable levels. Basically, you need to select processes for governing technology, which support your objectives, and you should deploy policies and procedures to establish expected outcomes.

Information and Communication

Governments and other related entities rely on information gathering to support their activities. Your organization is no different when it comes to meeting the new SOC 2 audit requirements.

You will need to obtain and use relevant, quality information to support the functioning of internal control. In addition, it is essential to effectively communicate any information internally and externally―perhaps with third parties―regarding matters, which affect the functioning of internal control. In other words, all parties must talk to each other.

Monitoring Activities

Compliance is a function of how well you self-monitor your own activities. Your organization is expected to select, develop, and perform ongoing evaluations of the effectiveness of each component of internal control and its functional efficiency.

If an internal control deficiency is identified, you are expected to communicate your findings to all parties responsible for taking corrective action, including C-suite executives, the board of directors, and other decision makers.

As the cybersecurity landscape evolves, compliance becomes a constantly moving target, which often brings with it confusion over how to remain compliant.

With such major changes coming your way, you may need to consider a Readiness Assessment to update your compliance program to align with TSP Section 100.

Ransomware is like the flu. Everybody knows about it, nobody wants it, and many try to prevent it, but it spreads anyways.