#MeToo Prompts Employers to Review their Anti-Harassment Policies

Comprehensive anti-harassment policies are even more important in light of the #MeToo movement

The #MeToo movement, which was birthed in the wake of sexual abuse allegations against Hollywood mogul Harvey Weinstein, has shined a spotlight on the epidemic of sexual harassment and discrimination in the U.S. According to a nationwide survey by Stop Street Harassment, a staggering 81% of women and 43% of men have experienced some form of sexual harassment or assault in their lifetimes, with 38% of women and 13% of men reporting that they have been harassed at their workplaces.

Because of the astounding success of #MeToo – the “Silence Breakers” were named Time magazine’s Person of the Year in 2017 – businesses are bracing for a significant uptick in sexual harassment complaints in 2018. Insurers that offer employment practices liability coverage are expecting #MeToo to result in more claims as well. Forbes reports that they are raising some organizations’ premiums and deductibles (particularly in industries where it’s common for high-paid men to supervise low-paid women), refusing to cover some companies at all, and insisting that all insured companies have updated, comprehensive anti-harassment policies and procedures in place.

In addition to legal liability and difficulty obtaining affordable insurance, sexual harassment claims can irrevocably damage an organization’s reputation and make it difficult to attract the best talent. Not to mention, doing everything you can to prevent a hostile work environment is simply the right thing to do. Every company with employees should have an anti-harassment policy in place, and it should be regularly reviewed and updated as the organization and the legal landscape evolve.

Tips for a Good Anti-Harassment Policy

While the exact details will vary from workplace to workplace, in general, an anti-harassment policy should be written in straightforward, easy-to-understand language and include the following:

  • Real-life examples of inappropriate conduct, including in-person, over the phone, and through texts and email.
  • Clearly defined potential penalties for violating the policy.
  • A clearly defined formal complaint process with multiple channels for employees to make reports.
  • A no-retaliation clause assuring employees that they will not be disciplined for complaining about harassment.

In addition to having a formal anti-harassment policy, organizations must demonstrate their commitment to a harassment-free workplace by providing their employees with regular anti-harassment training, creating a “culture of compliance” from the top down, and following up with victimized employees after a complaint has been made to inform them of the status of the investigation and ensure that they have not been retaliated against.

Continuum GRC proudly supports the values of the #MeToo movement. We feel that sexual harassment and discrimination have no place in the workplace. In support of #MeToo, we are offering organizations, free of charge, a custom anti-harassment policy software module powered by our award-winning IT Audit Machine GRC software. Click here to create your FREE Policy Machine account and get started. Your free ITAM module will automate the process and walk you through the creation of your customized anti-harassment policy, step by step. Then, ITAM will act as a centralized repository of your anti-harassment compliance information moving forward, so that you can easily review and adjust your policies and procedures as needed.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Thousands of Websites Infected in Massive Cryptojacking Attack

Hackers installed cryptojacking malware by compromising a popular browser extension

Thousands of websites, including government sites in the United States, the U.K., and Australia, were ensnared in an international cryptojacking scheme, The Register reports:

The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind or partially sighted people.

This technology was compromised in some way – either by hackers or rogue insiders altering Browsealoud’s source code – to silently inject Coinhive’s Monero miner into every webpage offering Browsealoud.

For several hours today, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper.

The nearly 4,300 websites impacted included the U.S. Federal Court system, City University of New York, and the U.K.’s National Health Service (NHS). Notably, the sites themselves were not breached; hackers delivered the malware by compromising the popular Browsealoud plugin. As of this writing, the developers of Browsealoud have not determined how their code was hacked.

Cryptojacking Attacks Getting More Frequent & Sophisticated

Cryptojacking, which employs crypto-mining malware to covertly (and illegally) co-opt CPU resources to “mine” cryptocurrencies like Monero, is on track to become a bigger threat to enterprises than ransomware. There are two ways in which cryptojacking attacks can occur:

The first attack vector uses a script injected into a website or in content delivered to multiple websites, such as ads or plugins. No code is stored on victims’ computers; the malware runs only while the visitor has the infected website tab or ad pop-up open. This is the type of attack vector used in the Browsealoud hack and the cryptojacking advertisements recently discovered running on YouTube.

If your organization’s website is cryptojacked, your site visitors’ computer hardware is put to work making money for cyber criminals. Whenever your employees visit a cryptojacked site, they’re the ones put to work for the cyber criminals; additionally, the cryptojacking malware eats up their machines’ resources, slowing their systems, decreasing their productivity, and potentially tying up your IT department with complaints about system sluggishness.

The second method of attack is to install crypto-mining malware on victims’ computers that runs in the background, sucking up resources unbeknownst to the victims. Usually, this happens through a phishing scheme, but a new cryptojacking variant called WannaMine, which specifically targets enterprise systems, also employs the credential harvester Mimikatz to crack weak user passwords.

While cryptojacking malware traditionally attacked smartphones and other small IoT devices, “next-generation” malware like WannaMine and Smominru is designed to go after desktop machines and servers. WannaMine has been reported to eat up so many resources that it has caused applications and hardware to crash. Rogue crypto-mining is even threatening critical infrastructure. Last week, cryptojacking malware was discovered on an industrial control system at a water utility in Europe, where it reportedly had a “significant impact” on system operations.

Preventing Cryptojacking

There are several ways in which your organization can guard against cryptojacking:

  • Incorporate cryptojacking into the cyber security training given to your IT help desk workers and the rest of your employees.
  • Use network security software to monitor for and block the activity needed for crypto-miners to work.
  • Keep your systems and software up to date; only older Windows machines are susceptible to the EternalBlue exploit used by WannaMine and Smominru.
  • Ensure that all system users are using strong passwords that cannot be cracked by Mimikatz.
  • Ensure that all of your employees use ad blocking and anti-crypto-mining browser extensions.
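
An added example, not from the original article: one way to apply the network-monitoring item above to web-proxy logs, flagging requests to crypto-miner hosts and grouping them by the referring page so the help desk can see which site is serving the miner. The log format, client addresses, `.example` hostnames and the `miner-pool.example` blocklist entry are constructed for illustration; `coinhive.com` is the Coinhive service named in the article.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed blocklist: coinhive.com is the Coinhive service named in the article;
# miner-pool.example is a constructed placeholder for locally curated entries.
BLOCKLIST = {"coinhive.com", "miner-pool.example"}

# Constructed proxy log lines: time, client IP, method, URL, referer ("-" if none).
SAMPLE_LOG = """\
2018-02-12T11:14:02Z 10.0.4.17 GET https://coinhive.com/lib/coinhive.min.js https://www.agency.example/contact
2018-02-12T11:14:03Z 10.0.4.17 GET wss://ws001.coinhive.com/proxy https://www.agency.example/contact
2018-02-12T11:15:40Z 10.0.7.52 GET https://coinhive.com/lib/coinhive.min.js https://www.agency.example/
2018-02-12T11:16:09Z 10.0.7.52 GET https://notcoinhive.com/index.html -
2018-02-12T11:17:31Z 10.0.9.3 GET https://cdn.miner-pool.example/m.js https://video.example/watch
malformed line
"""

def is_blocked(host, blocklist=BLOCKLIST):
    """True if host or any parent domain is listed (match on label boundaries,
    so ws001.coinhive.com matches coinhive.com but notcoinhive.com does not)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_miner_hits(log_text, blocklist=BLOCKLIST):
    """Return (client, requested_host, referring_host) for each blocked request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, referer = parts
        host = urlsplit(url).hostname
        if host and is_blocked(host, blocklist):
            ref_host = urlsplit(referer).hostname or "(no referer)"
            hits.append((client, host, ref_host))
    return hits

def pages_serving_miners(hits):
    """Group affected clients by the site whose page triggered the miner request."""
    by_page = defaultdict(set)
    for client, _host, ref_host in hits:
        by_page[ref_host].add(client)
    return {page: sorted(clients) for page, clients in by_page.items()}

if __name__ == "__main__":
    for page, clients in pages_serving_miners(find_miner_hits(SAMPLE_LOG)).items():
        print(f"{page}: miner requests from {', '.join(clients)}")
```

Grouping by referer matters for the plugin case the article describes: the miner request points back to the site that embedded the compromised third-party script, not to the script vendor.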

GSA Proposes Changes to Federal Contractor Cyber Security Rules

Stronger GSA Federal Contractor Cyber Security Rules Are Coming

The General Services Administration (GSA) is planning to tighten up federal contractor cyber security requirements regarding sensitive non-classified data, according to a Federal Register Notice dated January 12. The rules would cover internal contractor systems, external contractor systems, cloud systems, and mobile systems.

Technically, the proposed rules aren’t “new.” The GSA wants to update the General Services Administration Acquisition Regulation (GSAR) to include existing GSA federal contractor cyber security requirements that did not previously go through the rulemaking process. This would allow the GSA the benefit of receiving public comments and ensure that the final rules are included in subsequent updates to the GSAR. There will be two public comment periods; the public can comment on the information security rules from April to June 2018 and on the incident response rules from August to October.

In addition to tightening up reporting requirements for federal contractor cyber security breaches, the new rules would require federal contractors to protect sensitive non-classified information in accordance with the Federal Information Security Modernization Act (FISMA) and the National Institute of Standards and Technology (NIST) requirements. Specifically, all federal contractors would be required to adhere to NIST SP 800-171 security requirements, just as DoD contractors are now required to do under DFARS, which went into effect on December 31. Applying NIST SP 800-171 requirements to all federal contractors would ensure uniformity in cyber security requirements and reporting.

Understanding NIST SP 800-171

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is 81 pages long and outlines 110 security controls across 14 categories, including:

  • Access control
  • Employee awareness and training
  • Configuration management
  • Risk assessment
  • Security assessment
  • Incident response

The crux of NIST SP 800-171 is that it applies to information that is unclassified yet sensitive. Under the GSA’s proposed rules, federal contractors that currently handle classified information will have to extend their security controls to cover additional systems, as DoD contractors were made to do to comply with DFARS. Contractors that do not currently handle classified data, on the other hand, will have a lot more work to do; some will need to completely rework their security controls to comply with NIST SP 800-171.

While these rules have not yet been enacted, there is every reason to believe that the GSA’s proposal will be approved in some form. Complying with a new, tougher set of standards will be challenging, but in the end, it will end up benefiting federal contractors. Right now, there is no uniformity to federal contractor cyber security standards; they are set by individual agencies. The GSA’s new standards will apply to every agency, which means that contractors who do business with multiple federal agencies will have to follow only one set of rules.

Is your organization compliant with all of the controls in NIST SP 800-171? Compliance can be complex, which is why it’s best to enlist the help of a professional IT audit and cyber security firm such as Continuum GRC. We create sustainable NIST 800-171 based compliance partnerships with our clients. Our proven methodology and project plan, powered by our proprietary IT Audit Machine IRM GRC software solution, will help you achieve compliance on budget and on schedule.
