Image courtesy of pixabay.com
Recent Events
In mid-August 2021, a major financial services giant reported a data leakage on its site and mobile app that allowed customers to view the data of other customers. For financial firms like this one, two of the highest costs are fixing the cause of the breach and regaining customer trust.
Also in mid-August 2021, a US health system suffered a security incident that resulted in service cancellations and emergency room diversions. For healthcare companies like the one in this example, one of the greatest costs is getting things back up and running (both in downtime and lost revenue), and one of the largest threats is patient damage or even loss of life.
Before proceeding, no blame is intended – crimes happen, and will continue to happen, even with the best security. What is intended is for industries to take note of the seriousness of cybersecurity and invest in it to the greatest extent possible.
Healthcare industries have been shown to be increasingly targeted (you can read Sophos’ study on ransomware in the healthcare industry here: https://secure2.sophos.com/en-us/content/state-of-ransomware.aspx).
Financial firms continue to be major targets due to the literal treasure chests they hold. (see this recent NY Time article about what leading banking execs consider the primary threat to financial institutions: https://www.nytimes.com/2021/07/03/business/dealbook/hacking-wall-street.html)
Regulations and Requirements
Almost everyone in these industries is familiar with the following acronyms: FDIC, GLBA, PCI-DSS, SOX, HIPAA, HITRUST. Add to this the ever-expanding list of individual state regulations for privacy (e.g., CPA (Colorado Privacy Act), CPRA (California Privacy Rights Act), and there’s a clutter of acronyms that remains difficult to keep track of.
For heavily regulated industries (such as financial and healthcare), regulations exist for a purpose. Customers are trusting these companies to securely store their money and their private information, and even provide life-sustaining services.
A major aspect of regulations and compliance is regularly performing an external third-party pentest. Having said this, there’s nothing yet to indicate that the companies mentioned above did not have penetration tests performed. But, the public, security practitioners, and, more importantly, the customers who were affected, wonder what went wrong. Were regulations and security practices followed? Were any findings from penetration testing and vulnerability scanning remediated, or at least in process of being remediated?
When it comes to regulatory actions, not every regulation requires pentesting, but there are 2 things to keep in mind:
- Pentesting can cover numerous requirements for many regulations, even if not noted specifically (PCI-DSS requires it in Requirement 11.3, but HIPAA doesn’t)
- E.g. HIPAA’s Evaluation Standard § 164.308, specifically (§ 164.308(a)(4))27, requires evaluating access control security measures. Pentesting covers this, the requirement for a security risk analysis, and potentially other areas.
- For more information on HIPAA requirements, see here: https://www.law.cornell.edu/cfr/text/45/164.308
- Consult with your HIPAA Security Officer for specific guidance for your healthcare org.
- While there’s no single PDF for “Cybersecurity Best Practices,” third-party pentesting is toward the top of the list for activities that assure prospects and customers that a company is truly investing in security best practices.
Every company wants to earn the trust of their customers, so creating a useful product or service that remains updated to serve their clientele is at the top of the list for gaining and keeping loyal customers. This workload in and of itself is daunting.
Part of the entire product & services strategy is assuring customers that the company’s offerings keep data private and secure. A significant factor in this is that federal and state governments also want to ensure that company’s do right by their customers. A couple prominent examples are HIPAA and GLBA. The regulatory requirements for privacy and security by HIPAA and GLBA are not light. For regulated organizations who are also in the SaaS business, additional requirements such as SOC 2 or ISO 27001 compliance add an additional resource burden.
Regulations and compliance requirements are actually key components in a company’s reputation (they can be GREAT for marketing!), and are worth pursuing, gaining, and maintaining. As the old saying goes, “The devil is in the details.” It’s one thing to pay for any, much less all, of these; it’s another thing to attain them; it’s yet another thing to maintain them. Maintaining regulatory and compliance requirements is where the true ongoing cost comes into play – there are numerous activities that have to be recorded, saved, logged, noted, referenced, and updated each day/week/month/quarter/year.
Questions and Where to Go for Answers
The term “Trusted Advisor” is a vital term to know. Every company needs at least one for cybersecurity. It doesn’t matter who it is – what’s important is having someone who can more objectively assist with the ever-changing world of securing an organization, and is able to do it when a company needs the advice.
Numerous document repositories are either online or connected to something online. This provides great convenience for customers – and great convenience for criminals. As a business owner or leader, how certain are you of the online security of the data that you hold for your customers?
According to a recent Sophos article, one of the top 3 things victims wish they had done was make sure remote RDP was disabled. Do you know what ports are open? How can you find out? While you could have internal staff test for this vulnerability, or any number of vulnerabilities, an important aspect of securing an organization is having objective, disinterested, and external experts search for vulnerabilities and give expert advice on fixing them.
Here are some key questions to evaluate your cybersecurity posture:
- What are all your internet-facing resources?
- Do those resources contain sensitive data?
- Are those resources updated and secured?
- Are those same resources free of malware?
Cybersecurity Crusaders performs vulnerability assessments and penetration testing that not only fills regulatory gaps, but also works with you to further ensure your company’s security. The D.A.E.R. pentesting methodology provides a common, understandable, and repeatable framework for customers and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner.
Curious as to what sets Cybersecurity Crusaders apart from other vendors? Are you concerned your defense won’t stand up to malicious cyberattacks? We can help you find out. Contact us for a free consultation.