Our team of certified experts have the tools and capabilities to protect your systems in many different areas of industry.

FINANCIAL SERVICES
The financial sector has been one of the hardest hit industries when it comes to cyber attacks and data breaches. That being said, financial companies should not just strive towards being compliant, but focus on increasing their level of security to reasonable and appropriate levels. The overall burden of becoming compliant can be very time consuming and expensive if financial companies try to go at it alone. Read More

The key to addressing the many regulations set forth by the different regulatory bodies is to bring in a team of cyber experts that has the knowledge and expertise from both a technical and non-technical perspective. Implementing an information security program that addresses administrative, physical and technical safeguards will reduce your risk and protect your organization from regulatory fines, legal, financial and reputational losses.

The Gramm-Leach-Bliley Act (GLBA) which is enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) outlines the measures that must be taken by financial firms which are both reasonable and appropriate. The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) conducts examinations of registered entities to promote compliance, prevent fraud, identify risk and inform policy. In 2014, OCIE began publishing risk alerts pertaining to a series of cyber examinations that will identify cybersecurity risks and assess cybersecurity preparedness in the financial industry. In order to understand a financial firm’s cybersecurity preparedness, the examinations focus on the following areas:

Governance and Risk Assessment – Examiners will assess if firms are periodically evaluating cybersecurity risks that they may be facing and what controls have been put in place to address these risks. Click here to find out more information on our Threat Hunting Service…..

Access Rights and Controls – Examiners may review how firms control access to their systems. This includes a review of controls associated with remote access, logins and passwords, network segmentation and the type of authentication and authorization methods being utilized. Click here to find out more information on our Threat Monitoring service….

Data Loss Prevention – Examiners may assess how firms monitor the volume of content transferred by employees or third parties outside of their firm. They may also assess how firms monitor unauthorized data transfers. Click here to find out more information on our Threat Monitoring service….

Training – Examiners may review the type of training provided to employees as it pertains to their job functions. Examiners may also focus on how training is designed to encourage responsible employee behavior and also what procedures are in place for reporting suspicious activity or responding to cyber incidents. Click here to find out more information on our Threat Training service…..

Incident Response – Examiners may assess whether firms have established policies, procedures, assigned roles, assessed system vulnerabilities and developed plans to address future events. Click here to find out more information on our Threat Monitoring service…..

https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.

HEALTHCARE
In 2016, the healthcare industry suffered an estimated $6.2 Billion in data breaches. The healthcare sector is being targeted by cybercriminals because of the treasure trove of sensitive data available, the high resale value in the underground black market and most organizations security practices are often less sophisticated than other industries. Healthcare identity information is at least ten times more valuable than financial data alone and can be used to to set up fraudulent lines of credit, medical insurance fraud, or obtaining pricey medical care for another person. Also, the implementation of new technology increased the difficulty of attacks in the financial sector has motivated cyber attackers to began to target healthcare companies, ranging from local doctor’s offices to major health insurers. Read More

Hacking, including phishing, ransomware/malware and skimming, were the leading causes of data breaches in the first half of 2017, with ransomware accounting for 72% of healthcare malware attacks. A recent U.S Government report indicates that more than 4,000 ransomware attacks have occurred every day since the beginning of 2016, a 300% increase from the year prior–surging from the 22nd most common type of malware to the 5th most common, in just two years.* The likelihood of a successful crypto-ransomware attack against the healthcare sector is significantly higher than other sectors, due to the lack of a mature information security programing and less than desirable security measures that are in place. This surge of ransomware attacks has prompted the FBI to issue a news alert to the media, hospitals and healthcare providers. There are certain measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack.


In order to help health care entities better understand and respond to the threat of ransomware, OCR released new HIPAA guidance to prevent, detect, contain and respond to these threats. Since ransomware can compromise the integrity and availability of electronic protected health information,
the guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the rule, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach.

The HIPAA Security Rule requires implementation of security measures that can help prevent the introductions of malware, including ransomware. Some of these require security measures include:

  • implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
  • implementing procedures to guard against and detect malicious software;
  • training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
  • implementing access controls to limit access to ePHI to only those persons or software programs requiring accessOCR HIPAA Audit Program Ramps Up in 2016

OCR HIPAA Audit Program Ramps Up in 2016
The President’s fiscal year budget request proposal for 2016 included $83.8 billion for the Department of Health & Human Services (HHS) and $43 million was slated for the Office for Civil Rights (OCR) HIPAA audit program. The OCR will focus on administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The OCR will also focus on corrective action plans while imposing civil monetary fines for violations of the HIPAA Rules.

On March 21, 2016, OCR announced its Phase 2 Audit Program. Since Phase 1 focused more on the larger organizations, this will no longer be the case for Phase 2. OCR is well aware of the fact that smaller organizations are not HIPAA compliant, so Phase 2 will cover a larger more diverse pool of healthcare organizations.

Organizations will be contacted via email to fill out pre-audit questionnaire and once that information is collected, OCR will select organizations to for the actual audit program. If you get selected for an audit, it will most likely be a desk audit and you will be required to upload specified documents within 10 business days.

For Covered Entities
Covered entities should do a self-evaluation to determine if they have the right policies and procedures in place, if they have performed a comprehensive risk assessment as required by the HIPAA Security Rule, if they have performed security awareness training for their employees, if they have an incident response plan in place that incorporates both administrative and technical safeguards and whether they have business associate agreements in place with their business associates.

Security Rule Requirements for Risk Analysis and Risk Management
The Security Management Process standard of the Security Rule requires covered entities to “implement policies and procedures to prevent, detect, contain, and correct security violations.” The Security Management Process standard has four required implementation specifications. Two of the implementation specifications are Risk Analysis and Risk Management. Risk analysis and risk management are important to covered entities since these processes will “form the foundation upon which an entity’s necessary security activities are built”

Risk Analysis
One of the most important and required steps that a covered entity must take is a risk analysis. A covered entity is required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. The Department of Health and Human Services (HHS) states that a risk analysis should be an ongoing process at an organization and should be part of their security management processes. The risk analysis affects the implementation of all of the safeguards (Administrative, Physical, and Technical) contained in the Security Rule.

  • Evaluate the likelihood and impact of potential risks to e-PHI
  • Implement appropriate security measures to address the risks identified in the risk analysis
  • Document the chosen security measures and, where required, the rationale for adopting those measures; and
  • Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Risk Management
The second most important step and required implementation specification under the HIPAA Security Rule is developing a risk management plan. Under the risk management plan, covered entities are required to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with the general requirements of the Security Rule.” Since the number of new vulnerabilities and threats continue to grow each and every day, it’s important for covered entities to adjust their cyber defenses to address the increasing risks. The purpose of a risk management plan is to provide structure for the covered entity’s evaluation, prioritization, and implementation of risk-reducing security measures. For the risk management plan to be successful, key members of the covered entity’s workforce, including senior management and other key decision makers, must be involved. The results from the risk analysis process will provide these key workforce members with the information needed to make risk prioritization and mitigation decisions.

Risk management is an ongoing process that requires covered entities to continually evaluate and maintain their security measures. Compliance with the Security Rule requires financial resources, management commitment, and the workforce involvement. The risk management plan will guide the covered entity’s actual implementation of security measures to reduce risks to ePHI to reasonable and appropriate levels.

Cybersafe Solutions’ Threat Hunting, Threat Monitoring, Threat Training and Threat Policies not only meets the requirements set forth by the Department of Health and Human Services, but will prepare your organization to successfully pass the upcoming HIPAA audits. Click here to visit our Contact Us page to take the next step towards achieving compliance while also securing your organization’s most sensitive data and systems.

LEGAL SERVICES
Although they generally don’t make the headlines, there have been numerous law firm data breaches stemming as far back as 2011. The legal industry is one industry that is no longer immune to cyber security risks. Law firms are considered soft targets and provide a wealth of information that can easily be accessed by malicious hackers. They are trusted to guard their client’s most sensitive information including intellectual property or trade secrets, but their level of security has been less than adequate. This has made them a prime target for a successful data breach. A 2012 Mandiant report estimated that 80 percent of the 100 largest U.S. law firms suffered successful data breaches by cyber criminals in 2011 alone. Read More

In 2011 the FBI held a meeting with the top 200 law firms in New York City to discuss the threats. In March of 2016, a number of news media outlets confirmed that a Russian hacker named “Oleras” targeted close to 48 law firms. The goal behind these attacks was to acquire confidential insider information as it pertains to mergers and acquisitions to be used to manipulate the financial market. One of the largest data breaches in history hit the legal industry in April 2016. The Panama Papers as it’s better known where over 11. 5 million documents (2.6 TB of data) spanning over 40 years was stolen from Panamanian law firm Mossack Fonseca. This massive amount of data was compiled from 14,000 clients and over 214,000 companies. The confidential files that were leaked from the Panamanian law firm consisted of legal documents for law firm clients that were engaged in secret banking schemes and tax related matters in Panama. This hack has opened up investigations into the activities of both the law firm and their clients and whether their conduct was proper.

This massive attack should be a wakeup call to all law firms to have a vested interest in improving their overall security posture. In March of 2016, the FBI’s Cyber Division issued a Private Industry Notification, warning law firms that a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms. The most recent breaches in the legal industry has caused severe and long term damages towards a law firm’s brand and reputation. Malicious hackers know that it’s easier to hack into a law firm than a large company that has layers of security in place. This has prompted not only the FBI’s Cyber Division to issue a warning to all law firms, but for the American Bar Association to pass a resolution that urges all private and public-sector entities, including law firms to craft and institute a robust cyber security program to tackle mounting data security threats.

The ABA’s Cybersecurity Legal Task Force Section of Science and Technology law adopted a resolution that “encourages all private and public sector organizations to develop, implement and maintain an appropriate cyber security program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.”

The bar association’s Cybersecurity Legal Task Force Section of Science and Technology Law wrote that an “appropriate cyber security program” should entail conducting regular assessments of the threats, vulnerabilities and risks to data, applications, networks and operating platforms as well as the implementation of appropriate security controls to address them. The ABA also encourages all organizations to “develop and test a response plan for potential cyber attacks, including disclosure of data breaches, notification of affected individuals and the recovery and restoration of disrupted operations,” and to enter into cyber security information-sharing arrangements and develop points of contact and protocols to enable such data sharing where appropriate.

Implementing an adequate cyber security program at both public and private law firms would not only mitigate the risk against today’s sophisticated cyber attacks but also reduce the high costs associated with cyber crime, including incident response and forensics, data breach notification, and reputational damage.

In addition to implementing an appropriate cyber security program, the ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information. Compliance requires attorneys to understand limitations in their knowledge and to either obtain sufficient information to protect client information, or to get qualified assistance if necessary. These obligations are minimum standards—failure to comply with them can constitute unethical or unlawful conduct. Attorneys should aim for security that goes beyond these minimums as a matter of sound professional practice and client service.
The first step that must be taken as part of an information security program is a risk assessment. A risk assessment provides organizations with a tool to determine what needs to be protected and the types of threats that it faces. Two factors that must be taken into account is the level of sensitivity of the information that needs to be protected and the probability of disclosure if additional safeguards are not implemented. The results from a risk assessment determines the reasonable measures that attorneys should employ.
Security programs should always include measures to prevent breaches, but more importantly, information security should incorporate a four step approach of identifying, protecting, responding and recovering from data breaches and security incidents. Security is not a one size fits all and in order for it to be effective, it must be an ongoing process and not a set it and forget it effort.

EDUCATION
Cyber attackers are targeting the education sector because it is one of the most susceptible segments, making it a hot bed for data breaches. Key factors for cybercriminals zeroing in on education include: enrollment of high numbers of students every semester, unlimited exchange of data between departments, high usage of mobile devices, lack of access policies and faculty training, lack of awareness, reluctance to report breaches, and a broad spectrum of data (demographic info and data of students, family, medical history and more). Read More

According to Verizon’s 2016 Data Breach Investigations Report, the education sector ranked sixth overall in the US for the total number of reported security incidents’ last year. This was notably higher than two other industry sectors which have also been plagued with increased security problems: healthcare, up 153% and retail, up 160%.

College networks, in particular, are prime targets because they function like small cites, with a wealth of personal information and few safeguards in place to protect their data, storing everything from Social Security numbers to financial and health records and valuable intellectual property. Potential attackers include: cyber criminals, infrastructure hijackers, cyber stalkers, hacktivists, corporate spies (mining for costly, technical research/enterprise data and inventions) and even foreign governments. Many university systems also have their own medical centers which are highly desirable targets.

The Ponemon Institute, an independent research company on data security, has determined that the average cost of a cybercrime in education is $3.89 million annually. Cybersecurity is a constant challenge for all industries, but the education sector has unique challenges in safeguarding the personal information of every student. Universities and K-12 school systems across the country are being targeted with ransomware, which puts operations at great risk and is the responsibility of school administrators to protect students’ data. News reports over the past two years have documented the rise in attacks including school districts in New York, New Jersey, Texas, Florida, South Carolina, Mississippi and many more have already been affected. In most of these cases, the schools had to pay a ransom to the hackers in order to remove the malware and resume normal operations.

Schools face a number of complicated issues when it comes to cybersecurity. Overseeing all of the potential weak points in the network and data that can be targeted is no small task, especially for an internal IT team that doesn’t have specific experience or up-to-date training in cybersecurity. Hacking and ransomware is likely to be a significant long-term problem for educational facilities; students and families place great trust in Universities and the facility must do all they can to preserve and protect their important information. Greater attention and the latest technology must be applied to these systems and in order to detect attacks and be prepared to respond, quickly and appropriately. They must identify, contain and eradicate intrusions already in their networks and expel them in order to protect their operations, data, and reputations, by taking a proactive, not reactive, approach to security. Protection requires 360° security-including visibility protection response and containment.

ACCOUNTING
Due to the overwhelming amount of information accounting firms have to manage on a daily basis, they have been one of the first industries to fully embrace emerging technology and digital management systems, which is why there are also one of the most susceptible to cybersecurity breaches. Databases rich with sensitive information including clients’ tax returns, Social Security numbers, employer ID numbers, financial statements and other data are a potential treasure trove for opportunistic hackers. Read More

Filings, client portals and cloud-computing systems are the standard for the industry, but these records maintained by accounting firms must be secured–not only by moral obligation but also by a legal responsibility to safeguard clients’ private information. Federal, state and local government regulations are in place to protect taxpayer data and mandates financial institutions, including CPAs, professional tax preparers, data processors, affiliates and service providers ensure the security and confidentiality of customer records. In addition, regulations also protect against unauthorized access and use of such records or information which could result in substantial harm or inconvenience to any customer. Financial institutions are also required to develop, implement and maintain an Information Security Program. The plan should be written in one or more accessible parts and contain administrative, technical and physical safeguards that are appropriate to the business’ size and complexity, nature and scope of activities and sensitivity of customer information handled. The IRS recommends tax professionals use Publication 4557, Safeguarding Taxpayer Data, as a guide for a comprehensive review of current security measures to create or update your cybersecurity plan. It is critical to assess your current cybersecurity information protection plan in order to address any weaknesses.

A firm may be subject to penalties for violations of federal statutes and regulations for unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns. A client or third party can also bring both direct claims and cross-claims for indemnification against the firm for damages incurred as a result of a breach. Small firms make up 57% of cyber attack cases, while large firms make up 21% of cases*. Data breaches can happen to anyone at anytime, in numerous ways, including: a lost or stolen device, hacking, fraud, improper disposal of data, and errant email messages.

The number of cyber incidents affecting accounting firms has increased almost 10x over the past decade. The median loss amount is approximately $800K*. Should you experience a data compromise – whether by cybercriminals, theft or accident – there are certain basic steps you should take. For a comprehensive list of security actions, consult security experts at Cybersafe Solutions to determine the cause and scope of the breach, to stop the breach and to prevent further breaches from occurring.

*Independently conducted by Ponemon Institute LLC Publication, October 2015.

WHY CYBERSAFE?
Cybersafe’s team of cyber experts have developed and implemented hundreds of Written Information Security Programs
(WISP’s) in both the public and private sectors. One of the key components of an Information Security Program is
establishing an Information Security Policy that reflects the organization’s objectives as it pertains to security.

Prior to establishing an Information Security Policy, it’s critical we find out how management views security. While many security policies share common themes, we understand that each organization is unique and must develop its own set of policies customized to its distinct way of conducting business. It is important that an organization’s security policies always reflect actual practice to which everyone agrees and complies. Our team takes a holistic approach to implementing an Information Security Program that includes policies and procedures to protect the confidentiality, integrity and availability of an organizations’ sensitive data. The failure to protect all three of these could result in legal liability, regulatory fines, loss of business and customer trust.