Free HIPAA Risk Awareness & Compliance Survey

If you are in the healthcare business you have HIPAA compliance requirements to adhere to. Maybe you are not aware of what they or maybe you just want to gauge your organization’s readiness prior to seeking professional help? We have provided a short survey quiz that will give you a score and some suggestions. The HIPAA Awareness & Compliance Survey helps to determine your office’s degree of HIPAA compliance and awareness.

It’s free so take a minute or two and get your score.

[WpProQuiz 2]

We want to be your provider and assessor of choice for all of your HIPPA needs! For additional information please contact us using the form below or call us at 1-888-896-6207.

Schedule some time with our HIPPA Risk Compliance Superheroes!

Error: Contact form not found.

Secure Your Organization’s Email and Prevent Attacks Like the DNC Email Hack

Cyber security – or, more specifically, the lack of it – is playing a major role in this year’s U.S. presidential election. The recent DNC email hack by Russian cyber criminals, which was discovered in June after the release of numerous emails on WikiLeaks, has turned out to be much larger than originally believed, involving “the private accounts of more than 100 party officials and groups,” as reported by the New York Times.

The emails that have been released on WikiLeaks so far are quite damaging and embarrassing, involving what appear to be party officers plotting to smear Bernie Sanders by questioning his religious faith and planning to reward high-dollar DNC donors with federal appointments in an anticipated Hillary Clinton administration. Additionally, numerous emails contained the private identifying information of these donors, including an image of a six-figure donation check, complete with the donor’s routing and bank account number. In the wake of the DNC email hack scandal, the DNC’s chairperson, CEO, and communications director were forced to resign.

What happened to the DNC could happen to any organization, and in fact, it already has. The DNC email hack is very similar to the infamous Sony email hack of 2014, which was believed to have been carried out by North Korean nation-state hackers. The hack, which involved over 170,000 emails – many of them containing scathing commentary about major Hollywood personalities – resulted in a class-action lawsuit and led to the removal of then-chairman Amy Pascal.

Modern organizations run on email. The DNC email hack and the Sony hack were notable in that they exposed ethical violations by organizational insiders, but even in cases where there are no ethical breaches, the release of corporate email can still severely damage an organization by leaking proprietary product, strategy, or operations information.

How to Protect Yourself Against Email Hacks

Outsource Your Corporate Email Services

The DNC ran its own, private email server as opposed to outsourcing email to a third party, such as Google or Yahoo. In most cases, this is a bad idea. Most organizations simply do not have the in-house monetary and human resources to ensure that email server connections and protocols are secure, maintain up-to-date filters to flag spam and suspicious email messages, and continuously monitor the server for anomalous activity. Outsourcing email services will not guarantee email security, but it’s a very good starting point, as it is likely a third-party email provider will offer a much higher level of security.

Don’t Let Employees Pick Their Own Passwords

The overwhelming majority of data breaches are the result of the misuse of legitimate login credentials, and it is thought that both the DNC email hack and the Sony hack followed this pattern. When employees are allowed to choose their own passwords, they tend to pick weak passwords and/or use passwords that are identical or nearly so to those they use for their personal accounts; this creates a situation wherein a hacker could get hold of an employee’s Facebook password and use it to get into your email system. Set up your system to assign random, strong passwords to your employees and require that they be changed regularly, again to a random, strong password.

Make Sure Your Employees Are Aware of Social Engineering Techniques, Especially Spear Phishing

Experts believe that the DNC email hack and the Sony hack occurred as the result of a spear-phishing campaign. Unlike regular phishing emails, which are often intercepted by spam filters, spear phishing emails are carefully crafted not only to pass through spam filters but also look completely legitimate. The best defense against spear phishing is employee training. Employees should be instructed on how to spot spear phishing emails, which, despite hackers’ best efforts, often contain small mistakes. They should also be prohibited from sending any sensitive information, including their login credentials, to anyone via unsecured email.

Neither the DNC email hack nor the Sony hack had to happen, and a similar attack doesn’t have to happen to your organization. A proactive approach to email security will prevent your company’s confidential emails from ending up on sites like WikiLeaks.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its email server and other systems and keep hackers out.

[bpscheduler_booking_form]

The NSA Hack Proves that Much More Needs to Be Done to Protect Enterprise Data

In the hit USA Network series Mr. Robot, a rogue group of hacktivists target major corporations and the government. In a recent episode, the group enlisted the help of a malicious insider to hack the FBI. Sound far-fetched? Maybe not: Around the same time this episode aired, an anonymous group of hackers known only as the “Shadow Brokers” leaked 300 megabytes of information from the U.S. National Security Agency (NSA).

The NSA hack compromised highly sophisticated hacking tools used by the spy agency to conduct cyber espionage, including zero-day vulnerabilities that can be exploited to breach corporate firewalls. The Washington Post reports:

The file contained 300 megabytes of information, including several “exploits,” or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.

The exploits are not run-of-the-mill tools to target everyday individuals. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used “in the largest and most critical commercial, educational and government agencies around the world,” said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.

The NSA hack has rattled the nerves of cyber security professionals across the nation and around the globe. Not only was one of the most secure systems on the planet compromised, but the release of elite hacking tools and a list of existing vulnerabilities has put numerous private-sector corporations at risk – including at least two major cyber security providers.

It is widely believed that the Shadow Brokers are Russian nation-state hackers, but this theory has not been proven, nor does anyone know how they managed to get their hands on the NSA’s hacking toolbox. However, since nearly all data breaches result from the misuse of legitimate login credentials, the leak very well may have originated from within the NSA, either through a malicious insider (as portrayed in the Mr. Robot story arc) or through a careless or negligent employee clicking on a phishing link or sharing their password.

The NSA hack also has everyone asking, if a covert government spy agency’s data isn’t safe from hackers, what about everyone else’s? So far, 2016 has seen, among other major cyber security incidents:

• Numerous ransomware attacks on the healthcare industry, including the infamous Hollywood Presbyterian attack
• An epidemic of tax data spear phishing schemes, including one that compromised an NBA team
• The hijacking of the SWIFT Network bank messaging system by a team of international cyber bank robbers
• The Wendy’s POS data breach, which resulted in a class-action lawsuit against the fast-food chain
• A former St. Louis Cardinals employee being sentenced to prison for hacking the Houston Astros – using crude techniques to get past weak cyber security barriers
• Information security providers themselves being compromised due to the NSA hack

What’s next? It can be scary to think about. The hacks just keep coming, and both public and private sector organizations in all industries seem ill-prepared to defend against them.

However, now is not the time to panic. Instead, the NSA hack should be a wake-up call for organizations to reevaluate their information security procedures from top to bottom. A cyber security plan is never “finished.” It must be continuously reassessed and rewritten as new technologies and threats emerge. Further, a proactive approach is always better than reacting after a breach has happened. The NSA hack did not have to happen, and neither did any of the other hacks mentioned above. Proactive security measures, from employee training to network monitoring, could have prevented all of these hacks.

Today’s information systems are increasingly complex, and so are cyber attacks. Unless you are an expert in the industry, you’re probably struggling just to wrap your head around it, and you’re not alone. Many organizations simply do not have the resources to handle all of their cyber security needs in-house, and they find that attempting to do so leaves them with security vulnerabilities while taking away time and resources from their core competency.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems and keep hackers out.

[bpscheduler_booking_form]