What Is RegTech, and What Can It Do for You?

How RegTech Simplifies Governance, Risk, and Compliance

How RegTech Simplifies Governance, Risk, and Compliance

Complying with standards such as HIPAA, PCI DSS, FISMA, and SSAE 16 SOC reporting is complex, costly, and time-consuming, especially for organizations that must comply with multiple standards. You may have heard the term “RegTech” mentioned as a solution. What is RegTech, and how can it help your organization save time, money, and hassle?

How RegTech Simplifies Governance, Risk, and Compliance

RegTech refers to software solutions, usually delivered in the cloud, that automate governance, risk, and compliance processes. Continuum GRC’s proprietary IT Audit Machine (ITAM IT audit software) is an example of a RegTech software solution. In the finance industry, RegTech is often thought of as a subset of FinTech. However, RegTech has applications in every industry, from healthcare to ecommerce to SaaS and cloud providers.

3 Benefits of Using a RegTech Solution for Compliance

Lower Costs

Perhaps the biggest advantage of implementing a RegTech solution is the cost savings. Compliance is not a business driver; it is a business cost. Not only do RegTech solutions directly save organizations money by eliminating “audit anarchy” and making the compliance process less expensive and more efficient, they also free up internal IT staff to work on projects that benefit the organization’s daily operations and long-term goals, fostering innovation and driving profits.

Greater Insight into Your Data

Many organizations still use Excel and other spreadsheet programs for assessment and audit work. However, Excel performs poorly when used for this purpose; it has limits on space, accessibility, presentation, sustainability and formatting and was not meant to be used to analyze very large, complex data sets. RegTech solutions such as the ITAM IT audit software eliminate “spreadsheet madness” and organize data to give you clear visibility into your organization’s key risk indicators, assessment results, and compliance initiatives, with integrated reporting of self-assessments, manual assessments, and automated controls.

Peace of Mind

There is a severe shortage of cyber security and compliance professionals. Most organizations simply do not have the in-house expertise to interpret the complex requirements of industry and regulatory standards, particularly since they are continually shifting to respond to the evolving threat environment. For example, the PCI Council just released a 64-page guide updating PCI DSS best practices for ecommerce that stresses, in great technical detail, the upcoming required migration to TLS 1.1+. A RegTech solution cuts through the noise, takes the guesswork out of compliance, and ensures that organizations are always up-to-date with the latest standards, saving you from sleepless nights, wondering if your company is compliant.

RegTech in the “Era of Deregulation”

The recent election of President Donald Trump, whose campaign emphasized deregulation, has caused some experts to question the future of RegTech. However, even in a post-Trump world of relaxed regulations, RegTech will remain relevant. Consider the following:

  • The political pendulum will ultimately swing in the other direction. Just as President Trump quickly obliterated many of former President Obama’s policies with the stroke of a pen, the president and Congress who follow Trump could immediately reinstate everything that was abolished during Trump’s administration.
  • Individual states may respond to federal deregulation by establishing their own compliance standards, which could end up being more stringent.
  • Privately established industry standards will remain in place regardless of what the president or Congress do. For example, PCI DSS is not a piece of legislation. It is a set of standards the major credit card providers require merchants and processors to follow in exchange for the privilege of accepting their cards.

It’s also important to note that RegTech isn’t just about compliance. RegTech solutions have multiple governance and risk management applications that will never lose their relevance, especially in today’s threat environment. For example, in addition to compliance and audit management, Continuum GRC’s ITAM IT audit software:

  • Integrates your IT governance, policy management, risk management, and incident management so that your security protocols and policies are always aligned with the current threat environment.
  • Enables an automated and workflow driven approach to managing, communicating, and implementing IT policies and procedures across the enterprise, ensuring consistency across departments, divisions, and locations.
  • Provides an integrated and flexible framework for documenting and analyzing IT risks, developing mitigation plans, defining security controls, and managing ongoing risk assessments so that you can anticipate new and emerging threats and stop them before you are hacked.

Perhaps most importantly, most compliance standards are, at their core, common-sense cyber security best practices. Your customers want to know that their data is secure, and they will be hesitant to do business with your company if they do not have that assurance. Even if certain data privacy and reporting regulations are officially done away with, many organizations may choose to keep complying with them anyway, simply because their customer base demands it.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]

Education Cyber Security: Why Are Schools Getting Hacked?

Education Cyber Security Vulnerabilities and What Schools Can Do About Them

Education Cyber Security Vulnerabilities and What Schools Can Do About Them

K-12 schools, colleges, and universities are attractive targets for hackers. Their networks contain an enormous amount of identifying information on staff members, students, and students’ families, including names, birth dates, addresses, Social Security numbers, and even health records.

Education Cyber Security Vulnerabilities and What Schools Can Do About Them

Additionally, educational institutions are frequently connected to each other and to government agencies for information-sharing purposes, which means that hackers may use a school’s network as a “back door” into their real target. Unfortunately, education cyber security is as weak as other industries, as these recent incidents show:

Education cyber security poses a unique set of challenges. K-12 schools and, to some extent, colleges and universities have a user base that includes minor children. Minors are particularly vulnerable to social engineering schemes, and, as in the South Washington County Schools case, they can even pose threats themselves. Students may breach a school’s network to alter grades, cause general disruption, or even just for kicks.

The good news is, there are proactive steps schools can take to prevent attacks.

Address Bring Your Own Device (BYOD) Vulnerabilities

Modern classrooms and school hallways are filled with teachers, other staff members, and students carrying their own mobile devices and laptops, which they are using for both work and play. Unfortunately, all of these devices create a data security nightmare. Developing an authentication system for accessing the network is critical, but because some of the users are children, the challenge is to make it easy enough for them to use but robust enough to protect the network; schools should enlist the help of cyber security professionals like the experts at Continuum GRC to implement a workable but secure solution.

Implement Appropriate User Access

Similar to a workplace, users should be given different levels of network access depending on their role: student, teacher, other faculty member, or guest. Teachers and faculty, just like employees at any other organization, should be given only as much access to the network as they need to do their job. Likewise, students should be given only the access they need to complete their coursework, and no more.

Ensure that Third-Party Education Apps Are Secure

Cash-strapped schools, under pressure from students and parents to offer more e-learning options, often turn to free or very low-cost applications released by third-party vendors. The companies that make these apps must earn money somehow, and they could do it by collecting personal data from teachers and students and selling it to other companies. There are also serious questions as to the data security of third-party education apps. An independent audit of 1,200 education applications by the nonprofit group Common Sense Education found that nearly half did not automatically encrypt students’ data. In many schools, individual teachers are given autonomy regarding which apps to use. Schools must centralize approval of applications and bar teachers from installing any apps until they have been vetted for data security.

Train Teachers and Students on Cyber Security Best Practices

Just as in any other field, education cyber security must be proactive, not reactive. Teachers, other school staff, and students must be educated on data security, including how to spot phishing emails and other social engineering techniques. Since even young children access the internet, they can and should be taught how to protect themselves online, just as they are taught how to stay safe in the real world.

Maintain Compliance with Applicable Data Security Standards

Because of the wealth of data they process and store, educational institutions are subject to a number of data security standards, from FISMA to HIPAA. While compliance with these standards is not data security in and of itself, it is the law, and it lays the foundation for a solid cyber security plan. Educational institutions should consult with compliance professionals such as the experts at Continuum GRC, who can advise which standards apply and help schools achieve and maintain compliance.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]

5 Ransomware Threats to Watch Out for in 2017

Be Prepared for these New and Emerging Ransomware Threats.

Be Prepared for these New and Emerging Ransomware Threats

Ransomware threats are everywhere, and the problem is going to get much worse before it gets any better. According to a recent survey, about half of all businesses have experienced a ransomware attack at least once in the last 12 months, and a staggering 85% had been hit three or more times. Because ransomware is now ubiquitous, organizations have learned to fight back, to some extent, by restoring their systems from backup drives. However, hackers are fighting back, too, with new and improved ransomware variants. Here are five of the biggest ransomware threats to watch out for in 2017.

Be Prepared for these New and Emerging Ransomware Threats.

  1. Doxware

Doxware, a combination of ransomware and extortionware, is a direct response to organizations’ attempts to avoid paying ransom by restoring infected systems from clean backups. In addition to locking down a victim’s system, doxware goes a step further by simultaneously threatening to publicly release the user’s private or sensitive data. For example, one doxware variant notifies users that it has compromised all of their login credentials, contacts, and Skype history onto a server and threatens to forward it to all of their contacts. Other variants are programmed to search the user’s system for files containing keywords that might indicate embarrassing content, such as “nude” or “sex.” Restoring the system from a backup is ineffective against a doxware attack because it will solve only half the problem.

  1. Ransomware Threats Against Mobile and IoT Devices

One of the many concerns regarding doxware is that it is perfectly suited to attacks on mobile devices, where users are likely to store embarrassing photos and videos, sensitive data such as bank login credentials, and contact lists. Recently, the owner of an Android-powered smart TV made the news when his set was locked down by what was believed to be a variant of the Cyber.Police ransomware strain. Since most internet access is done on mobile now, and since the Internet of Things is exploding in popularity, look for more ransomware threats specifically targeting these devices.

  1. Attacks on SCADA/ICS Networks

SCADA and ICS (industrial control systems) networks, which are widely used to power critical infrastructure networks such as utilities and public transit systems, are particularly vulnerable to ransomware threats and other forms of cyber crime. Many SCADA and ICS systems that are currently in use pre-date the internet by decades; they were designed to maximize functionality, efficiency, and safety, not cyber security. Shortly before Christmas in 2015, an attack on a Ukrainian power company’s SCADA network took 30 substations offline and plunged 230,000 residents into darkness for hours. It was recently disclosed that a disk-wiper virus called KillDisk was involved in this attack – and that KillDisk has since mutated into a form of ransomware that may be specifically aimed at SCADA/ICS systems. And, in late November 2016, the San Francisco Municipal Transportation Agency was attacked by ransomware that locked down its ticketing systems for part of a weekend, forcing it to give away free rides so that the public-transit-dependent city would not ground to a halt.

  1. Attacks on the Manufacturing Industry

Manufacturing is the second most hacked industry in the nation, trailing only healthcare. Automotive manufacturers are the top target, followed by makers of chemicals. The manufacturing industry is vulnerable due to a lack of regulations regarding industrial cyber security, coupled with the complexity of the industrial supply chain. The latter means that manufacturing plants, like hospitals, cannot afford to have their systems locked down for even a day. Yet many manufacturers focus solely on achieving the minimum compliance with industry and regulatory standards, which does little to protect their systems and data. Look for increased ransomware threats against manufacturers as hackers seek large paydays.

  1. Malware-Free Ransomware

So-called “malware-free” ransomware does not contain an executable file, instead relying on normally benign tools such as JavaScript and PowerShell to do its dirty work. One variant discovered in November infects Scalable Vector Graphics (SVG) files with malicious JavaScript code, which redirects users to malicious websites. This type of ransomware is extremely difficult to detect, and it’s very easy to hackers to alter the code to evade new security tools.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Schedule some time with our Superheroes for a Free Assessment!