High Performance Risk Management

As every business becomes more interconnected across the state, cybersecurity is no longer just an information technology (IT) problem, it is a business problem.

Cybertech and the State of Indiana will hold its kick-off Cybertech Midwest event on Oct.  23, 2018 for executives, managers, critical infrastructure owners and operators to learn how to strategically prepare, respond, and recover from a cyber attack.  Sentree Systems, Corp. will host a booth at this awesome event, so come out and see our latest solutions.

 

“We are absolutely thrilled to bring the Cybertech to Indiana for our flagship U.S. event,” said Amir Rapaport, founder of Cybertech. “We see Indiana as the ideal location for our Cybertech event due to its vibrant cyber eco-system, with incredible involvement and passion from the state, industry, academia and local government when it comes to cybersecurity, protection and innovation.”

This thought-provoking conference and exhibition will present on global cyber threats, solutions, innovations, and technologies. Speakers and panelists will focus on cyber threat and strategies for meeting diverse challenges in sectors such as healthcare, utilities, small businesses and local government.

Attendees will also meet decision-makers from the leading companies, startups, government officials, investors, academics, and other professionals changing the global cyber landscape.

Speakers will include Indiana Governor Eric Holcomb, Indiana Lt. Governor Suzanne Crouch, Secretary of State Connie Lawson, Director of the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST) Rodney Petersen, as well as speakers from Eli Lilly and Company, Purdue University, Indiana University, KSM Consulting, Indiana Department of Homeland Security, Indiana Office of Technology, and more.

 

For more information or to register, visit midwest.cybertechconference.com.  

International cyber wars have been in the news a quite a bit lately. Countries are attacking other countries. Computer servers are being hacked by sophisticated government operations. Identity theft is now so rampant that the theft of an American person’s identity happens once every few seconds. A study conducted by Javelin Strategy & Research found that during 2017 about 16.7 million Americans were subject to identity theft. This caused over $17 billion in losses from the data breaches. Businesses are not immune to these attacks either.

North Korean cyber attackers are thought to have hacked cryptocoin currency exchanges in South Korea and Japan. They got away with stealing the equivalent of tens of millions of dollars. Then, the perceived technical vulnerabilities of the cryptocurrency exchanges caused the value of all of the cryptocurrencies to decrease rapidly. About half of the value of all the cryptocurrencies disappeared in less than a few weeks, which represented more than $42 billion in lost value that evaporated during June 2018. The most popular one, Bitcoin, suffered the greatest loss of value.

Other cyber-criminal hackers distribute a vicious form of malware called “ransomware” that infects computers, encrypts the files, and then the hackers demand payment in anonymous cryptocurrency for the key needed to unlock the files. They promise to send the unlock keycode for payment; however, they may not send it, even if the ransom is paid.

Businesses that make use of bank wire transfers are seeing attacks that divert funds from their business account. Hackers get the information they need by doing “spearfishing” with keyloggers to capture personal information. They get the passcodes to bank accounts or simply use an email that seems to come from the boss to instruct a worker in the company to make a payment to the criminals.

This is an important warning for the big businesses, as well as for the small-to-medium-sized businesses, which are located in the service area for Sentree Systems in Indiana. This includes the cities of Avon, Carmel, Fishers, Indianapolis, Noblesville, Plainfield, and the surrounding areas. You need Sentree Systems on your side to fight this menace.

World War III has already started and it is a cyber war. The attacks do not even need to directly focus on your company to cause great harm. They can be against critical infrastructure, electrical power grids, banking networks etc. All of these attacks can be disruptive and damaging to every business that uses these systems.

Having high-defense IT security and a comprehensive plan for disaster response for your business is no longer something that can be left to do some time in the future. In fact, this needs to have already been done and regularly updated for the ongoing and upcoming threats. Contact Sentree Systems at 317-939-3282 or email info@sentreesystems.com to set up an appointment for a comprehensive IT security review to help mitigate the serious risks that all American businesses are now facing.

Some cybercriminals operate a fraudulent scheme that is called a Business Email Compromise (BEC). In this crime, funds are stolen by convincing a person to send a bank wire to a dummy bank account for what the criminals claim is a legitimate transaction. Businesses that conduct operations that frequently make use of bank wires are the main targets for these criminals. Senior citizens and individuals may be targeted as well, especially if they are involved in a real estate transaction.

Under a program called “Operation Wire Wire,” federal law enforcement, with the cooperation of international authorities, were able to make a total of 74 arrests of alleged criminals. 42 were arrested in America, 29 arrests were made in Nigeria, and one arrest was made in each of the countries of Poland, Mauritius, and Canada. The law enforcement efforts in the United States were a coordinated investigation by the Department of Homeland Security, the Department of Justice, the Department of the Treasury and the U.S. Postal Inspector’s Office.

The investigation lasted six months. In addition to making the arrests, the investigation captured $2.4 million of stolen funds and authorities also blocked the illegal transfers of $14 million.

How does a business email compromise scheme work?

The BEC scheme is financial cybercrime. It is a sophisticated fraud that attacks employees with the authority to transfer company funds by bank wire. Businesses that work with foreign suppliers and those that regularly send bank wires are especially vulnerable. This fraud is usually achieved by obtaining the email account of a senior level employee for a company and impersonating this person to direct other employees to send a bank wire to the criminal’s account. Besides stealing money, the criminals may also try to obtain confidential information such as the employee tax records.

This fraud began in Nigeria. Now, through the involvement of transnational criminal groups, it spread across the globe. The use of Americans increased the success of this fraudulent scheme in the United States.

Conclusion

Companies continue to lose millions of dollars each year due to this scam. Consult with the security experts at Sentree Systems Corp. in Indianapolis, serving central Indiana and the surrounding cities of Avon, Carmel, Fishers, Noblesville, and Plainfield. They will help implement a more secure approval process for bank wire transfers, improve email security, and can create an ongoing employee education program to help employees spot criminal business email compromise attempts.

For many industrial and commercial purposes, there are tremendous benefits, in terms of system management, for increased connectivity with the technological innovations of the Internet of Things (IoT). This also brings many new security issues to consider. A new level of security risk comes from the expansion of the IoT to connect devices. These risks come from connected devices that are communicating in less-than-secure ways. Every piece of equipment that is connected through the IoT may create a security breach.

Risks Caused by Medical Devices

An example of this new type of risk is experienced by healthcare organizations that are becoming aware of the cyber vulnerabilities of medical devices. The U.S. Department of Homeland Security (DHS) issued six alerts since April 2018 advising major healthcare organizations about the security risk of medical imaging equipment and patient monitoring devices. The DHS has a special Industrial Control System Emergency Response Team that is tasked with the goal of discovering vulnerabilities in all types of equipment.

Recent security alerts from DHS include notices about devices with these problems:

  • Improper authentication procedures
  • Personal information exposure
  • Missing encryption
  • Memory read/write vulnerability
  • Denial of service potentials

These risks can cause harm to patients if they are exploited.

Risk Mitigation

Healthcare companies now are encouraged to conduct security audits that include an evaluation of connected medical devices. These organizations must also track and record any security risks found in their operations caused by devices and the remediation steps taken to remove the risk.

The challenges include finding things with vulnerabilities that the organization can update with software security patches, checking for proper configurations, and adding system architecture controls. Other things may need to be fixed by the vendors. There should be an ongoing effort to identify vulnerable devices. Taking them offline to fix them or relocate them may cause operational problems. There is a balance between managing the devices to improve security and understanding the effect on operations when the equipment is not available for clinical procedures.

Conclusion

Companies, especially those in the healthcare industry, need to be aware of the risks caused by devices used in their operations. Contact Sentree Systems Corp. for a security review and to get advice about how to manage security risk caused by devices that are connected to the IoT. Sentree serves Indianapolis, Avon, Plainfield, Carmel, Fishers, Noblesville, and the surrounding areas in Indiana.

New privacy and data security rules are now in effect for any company that has some of its operations in Europe or has some customers from there. The European Union (EU) passed a law called the General Data Protection Regulation (GDPR) that requires businesses to give EU customers more control over how their personal data is collected, what permissions are required for a company to use it, and what can be done with the information. This law went into effect on May 25, 2018.

Any American company that has customers from the EU needs to be in compliance with the GDPR regulations. It is likely that over the next few years similar regulations will be imposed by the U.S. government on companies in the USA as well.

GDPR is in Response to Data Breaches

The GDPR law is in response to the continuing problem of data breaches being experienced by many companies including large online retailers and companies that are tech giants. Facebook got into serious trouble over the Cambridge Analytica data hack of its system.

Under the GDPR rules, any company that has any data on any person from the EU must notify regulators within 72 hours of the discovery of a major data breach. This means that even U.S.-based companies need to be in compliance if they have an office in the EU, share data with a company there, or have online customers from the EU.

Another new GDPR rule requires companies to make it very easy to opt-in and opt-out of data collection. Companies who fail to do this correctly face a fine of up to 4% of their annual level of global sales or about $23.5 million, whichever is a greater amount.

Conclusion

The new GDPR rules are considered the best practices. Many American companies are taking the proactive stance to be in compliance with GDPR regulations even if they are not required to follow the GDPR rules by law. Work with the experts at Sentree Systems Corp. to find out how to change information collection, storage, and usage procedures to be in compliance with the new GDPR rules.

The U.S. Department of Health and Human Services maintains a database that tracks every data breach of medical records where more than 500 records have been compromised. SafeticaUSA reports that, during 2016, the data breaches were caused by improper disposal of memory storage (2.3%), loss (5.4%), theft (19%), hacking (31.8%), and unauthorized access/disclosure of information (41.5%) by employees, which happens sometimes by accident.

Misuse of this information obtained by a data breach is rampant. Criminals can use this personal data in many nefarious ways including blackmail and identity theft. Businesses that do not protect personal and private data are liable for its misuse. They can face fines and civil lawsuits in the multiple millions of dollars.

The SafeticaUSA study noted that the average cost for a single data breach is $7 million and that 100% of businesses share business data in ways that are not safe. When employees leave a company, 87% of them take company data with them increasing risk exposure.

California

Indiana’s Data Security Record

In the SafeticaUSA study of medical record data breaches, which reviewed the occurrences in 2016, California was the state with the largest number of incidents, followed by Florida, Texas, and New York. Indiana came in fifth place by having 12 major data breach incidences during 2016. In terms of the number of compromised private records, the state of Indiana, with 257,174 records breached, was in tenth place on the list of states with the highest number of data breaches.

Conclusion

Data breaches are a serious problem that puts every business at risk. Personal medical records are very vulnerable and the dangers are increasing. Proactive strategies to reduce this risk include conducting a data security Risk Assessment, implementing a data loss prevention solution, and advocating that the best practices are used for data security by affiliates, contractors, and business partners.

Contact Sentree Systems for a Risk Assessment to improve security and reduce the chance of a serious data breach.

Data Security is improved by taking a data-driven approach that addresses security issues that are uncovered by a review of security risk data. For example, allowing employees to continue to use software that has known vulnerabilities, which has not had the most recent security patch applied, is a risk that is unnecessary.

Here are a few tips to improve Data Security by using a data-driven approach:

Conduct a Security Assessment and Implement Its Recommendations

It is surprising when an organization goes to the trouble to conduct a security Assessment, which should be done on a regular basis and then does not implement the recommendations. Executives may think that since the security Assessment was done, the security is improved. A security Assessment demonstrates an Impact vs. Likelihood that your organization will have a compromise in the near future, but does not actually stop a breach from happening. It is important to take the next steps of implementing security upgrades as well.

Monitor Data Security News Alerts

By setting up Google alerts and keeping an eye on the latest Data Security News, helps increase awareness about security issues. An example of a Google alert is using the name of the software or IT service combined with the phrase “security flaw.” Moreover, there are industry security news systems that can be regularly checked for alerts such as the Security News notifications in the Security Education Companion.

Organizations that do not have sufficient internal staff for these Data Security issues do well by contracting with an outsourced IT data security company to monitor them on behalf of the organization.

Be Proactive About Advanced Persistent Threats

Advanced Persistent Threats (APT) are socially-engineered attacks that are occurring on a continual basis. Examples of APT attacks included phishing where websites are faked to get people to enter private information, email campaigns that cause people to download attachments that are malware, or websites that load malware when a person visits them.

Sentree Systems Corp. is a highly-qualified data security consulting company that works with small businesses in Indiana, serving Indianapolis and the surrounding areas including Avon, Carmel, Fishers, Plainfield, and Noblesville. Every business should assume they have either been attacked, are being attacked, or will be attacked. Fast detection and swift response are the small business owner’s only defense. Contact us today to learn more about these strategies at www.sentreesystems.com

 

[contentblock id=72 img=gcb.png]

What do email scams, death threats and bitcoin have in common? Together they are being used by scammers to steal money from innocent victims. This is by no means a new threat (it’s been around since 2006) but it’s one that’s getting some new recognition. The FBI recently issued a warning about the uptick in these scams and we know if the FBI is talking about it, it’s a big deal.

Threat: Death Threat Scams

Do You Need to Worry: Yup! Everyone is at risk. The scam goes a little something like this: recipient receives a threat via email and is ordered to pay in virtual currency (like bitcoin) or prepaid cards otherwise they or their family will be harmed. Keep in mind that this scam could also come in the form of a text message and they might be after more than just money – they may try to obtain your personal information, account numbers, etc.  

What Can You Do About It: Contact the police immediately and follow their advice. You should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3.GOV).

 

 

There is a massive scam campaign going on, this time a very well executed Netflix phishing attack.

The scam targets subscribers telling them that their account is about to be canceled. The well-designed, individualized fake email convinces customers to update their account information to avoid suspension. This results in stolen personal and credit card information.

The email has the subject line “Your suspension notification” and includes a link where the subscriber is taken to a fake Netflix page which requires their log-in information as well as credit card number.

The scam was detected Sunday and it targeted nearly 110 million Netflix subscribers. As mentioned, the fake site includes Netflix’s logo as well as popular Netflix shows like “The Crown” and “House of Cards” to make it seem legitimate.

LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks,” and making decisions about which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” Chris Mandel, senior vice president of strategic solutions at Sedgwick, said at the RIMS ERM Conference 2017 here.

He noted during the session, “The Trouble with ERM,” that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.

Erin Sedor, president at Black Fox Strategy, said that she found through personal experience the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.

Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: “A strategic business discipline that allows an organization to manage risks and seize opportunities related to the achievement of its objectives.” She added that, unfortunately, enterprise risk is not a term that resonates with the c-suite, but strategy is.

She identified three major problems with ERM that can dampen its prospects:

  1. A limited view of the organization’s mission, growth and survival.
  2. Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company.

“It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.

  1. Size. Because ERM programs are notoriously huge, “The thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway,” she said.

Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.

Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.

She said to find out what mission-critical means to the organization, what is the company’s appetite and tolerance for mission-critical, and the impacts of mission-critical exposures on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.

When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.

Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “You are also looking at weaknesses that when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”

At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden you’ve talked about ERM and they didn’t even know it. They thought you were talking about strategy,” she said.

Similar Posts:

Is Your COMPANY's Data on the Dark Web, Find out TODAY!!!

GET YOUR FREE DARK WEB SCAN TODAY!!!

Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282