Category: Blog

According to the ISO/IEC 27001 standard, Cybersecurity Governance is the system by which “an organization specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated.” On the other hand, Cybersecurity Management is the process used to ensure that the right controls are implemented.

In general, Cybersecurity Governance implies going through several steps:

#1: A Well-devised Cybersecurity Strategy

Good cybersecurity governance can’t happen without a clearly defined risk management strategy with well-set goals and policies. Before implementing an effective strategy, the organization must understand the cybersecurity risks most likely to affect business operations and why.

Once you complete this step, identify the main needs and objectives to include in the strategy. This leads to correctly identifying the resources needed and the key performance indicators.

#2: Creating Standardized Processes

It is crucial for organizations to establish repeatable (or standardized) processes in order to be consistent about implementing the cybersecurity strategy. For instance, if you use cloud services to store important data, it is important to create backups, keep the system up to date, and stay informed on possible threats.

By keeping consistent watch over the health of your systems, you make sure there is no room for security breaches and shortfalls. Define these processes clearly to avoid any confusion or missed steps.

#3: Enforcement & Accountability

Who will take care of backups and who will constantly check if the systems are up to date?

What are the steps every employee must go through before logging in to the company network from a remote location?

Cybersecurity governance is about delegating responsibility for various tasks. It’s also about educating employees, managers, and higher-ups about their own responsibility and keeping them accountable if something does happen.

A great example of cybersecurity governance comes from the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). They use a tiered approach that promotes integrating and adapting various cybersecurity methods as a system grows and develops. Constantly monitor the system and involve all decision-making levels in the process.

#4: Involving Leadership

The only way to implement a successful enterprise-wide cybersecurity strategy is with the support and leadership of the top decision-makers. They must ensure all processes are respected, followed properly, and held accountable.

In addition, they are also the ones that must ensure access to resources and information for all the people involved in the cybersecurity process.

Organizations that understand cybersecurity is a process that requires strategy and consistency, can lower their risk exposure and keep any damage at a minimum.

If your organization is struggling with implementing proper Cybersecurity management and governance, our specialists have the necessary knowledge and experience to provide you with guidance and resources. We can perform an analysis of your business risk and run vulnerability assessments to create a roadmap that can serve as the foundation of your cybersecurity strategy. If you require outside help in implementing a mature Cybersecurity program, we have the people, tools, and processes to supplement your program as well.

If you have questions about cybersecurity governance, don’t hesitate to reach out to our specialists.

Each year, cyber threats become more sophisticated and complex, and they target individuals and businesses of all kinds. Some of the most common challenges we will continue to face in 2021 include: phishing attacks, remote workers’ endpoint security, cloud jacking, ransomware attacks,IoT devices, deep fakes, and 5G-to-WiFi security vulnerabilities.

As the COVID-19 pandemic pushed most companies into untested waters, the world was hit by a flood of cyber-attacks, and the threat to data privacy and security has increased. And unfortunately, there are no signs that this trend will slow down anytime soon. According to Cybercrime Magazine, specialists expect costs caused by cybercrime to reach about $10.5 trillion per year by 2025.

That is why it’s essential for companies and organizations everywhere to take cybersecurity and all the elements it implies more seriously.

Why should organizations care more about the Importance of Cybersecurity?

Whether we like it or not, our personal and professional lives are intertwined with the technologies we use.

Businesses everywhere use communication technologies such as email, video conferencing, or VoIP calls to communicate with partners and customers. With more people working from home, the need for secure channels and mobile devices have increased. Cloud services have also been in high demand because they provide easy access to data regardless of location and available devices.

Without having the proper cybersecurity policies and methods in place, the increased use of modern technology leaves many organizations open to attacks like the ones we mentioned earlier.

As a result, businesses risk losing a lot more than just money.

Studies show that organizations suffer a loss in reputation after a successful attack and this can lead to loss of customers, collaborators, and even bankruptcy.

Importance of Cybersecurity as a Process

Besides poor security measures and implementation, the other major problem organizations face is the incapacity to see cybersecurity as an ongoing process that involves the entire company.

Most organizations that understand the need for efficient cybersecurity measures manage to create and define enterprise-level policies and systems. However, there is a misalignment between Cybersecurity Management and Cybersecurity Governance.

Cybersecurity management is about implementing measures and making decisions to mitigate risks. Through management, the department or people in charge of cybersecurity recommend strategies for a wide range of situations. This step is important in the race for better cybersecurity but it lacks an important factor: governance.

Cybersecurity governance is about who makes what decisions and in what situation. Governance places responsibility on specific people involved in the process of keeping the company safe and secure. By doing so, we create an accountability framework that keeps people accountable and ready for action whenever there is a security risk.

Both cybersecurity management and cybersecurity governance play a crucial role in what a successful cybersecurity program encompasses.

2021 comes with a wide range of cybersecurity risks and threats, but the situation is not hopeless. Organizations that understand cybersecurity is a process that requires strategy and consistency, can lower their risk exposure and keep any damage at a minimum.

If your organization is struggling with implementing proper Importance of Cybersecurity management and governance, our specialists have the necessary knowledge and experience to provide you with guidance and resources. We can run a deep analysis of your business risk and a vulnerability assessment to create a roadmap that can serve as the foundation of your cybersecurity strategy. If you require outside help in implementing a mature Cybersecurity program, we have the people, tools, and processes to supplement your program as well.

What is a DoD Contractor?

If you are a DoD (Department of Defense) contractor and want to continue the activity, it is important to make sure your organization is following the requirements of the new Interim Rule.

While it may seem like another hindrance to your budget, it is important to understand that these requirements can put your organization on the path to CMMC Level 3 compliance. This way, when the time comes and the CMMC (Cybersecurity Maturity Model Certification) will get into action, your business will be ready to receive the certification without additional costs. It will keep your company one step ahead of the competition, which can also lead to more lucrative types of contracts.

Lastly, it is important to know that the work you did to become DFARS compliant was not in vain. The new Interim Rule clearly specifies that CMMC, built on DFARS, aims to bridge the gaps between the two frameworks.

Our team of specialists can run a complete analysis to assess your current level of compliance.  We can provide you with advice and guidance regarding CMMC compliance rules, and we will always keep you up to date with any new developments in this area. If you have questions about these topics, don’t hesitate to reach out to our specialists. We are ready to answer your inquiries!

What You Need to Know About DFARS and CMMC Compliance?

The number of cyber-attacks on businesses, organizations, and governmental institutions has accelerated in just the last few years. Furthermore, the COVID-19 pandemic has weakened many organizations’ cybersecurity posture, which brought with it a new wave of successful attacks.

Frameworks like DFARS and CMMC are more than necessary to make sure that all contractors and subcontractors who handle controlled unclassified information are doing so according to cybersecurity standards. Still, the confusion created by unrealistic or inaccurate requirements and the delays in rolling out new regulations can only lead to chaos if left unchecked.

The Defense Federal Acquisition Regulation Supplement (or DFARS) is a memorandum issued by the Department of Defense (DoD) for contractors and subcontractors, and was designed as a set of cybersecurity requirements for contractors and organizations operating with the DoD, to safeguard controlled unclassified information (CUI) from cyberattacks and accidental leaks.

This memorandum aims to strengthen cybersecurity practices and secure the Defense Industrial Base (DIB) against cyber threats. Unfortunately, the requirements and standards specified in the DFARS are not clear enough for real-life implementation, which slowed down the entire process and left contractors and subcontractors in a state of confusion.

The DoD released the Cybersecurity Maturity Model Certification (CMMC) framework to replace the DFARS standard and provide clarity. Nevertheless, the CMMC has not been fully implemented, and the DoD still demands that all contractors & subcontractors that process, store, or transmit CUI must comply with DFARS minimum security standards. Otherwise, contractors risk losing their collaboration with the DoD.

In addition, on September 29, the DoD released an Interim Rule (that became effective on November 30) that focuses on making sure all DoD contractors are currently in compliance with all 110 security controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). Furthermore, the rule also adds CMMC as a requirement in a DoD contract.

Sadly, the rule does not answer many of the questions that contractors have regarding CMMC implementation.  As a result, the situation is still uncertain, and many business owners are still in a state of confusion.

The Current CMMC Situation

As of now, the CMMC is not fully rolled out and DFARS is still in effect. In fact, the CMMC Accreditation Body (AB) mentioned clearly that the DFARS standard is paramount for CMMC compliance for any of the DoD contractors that handle CUI, regardless of size.

In short, the CMMC framework is an improved version of the DFARS framework, with an added level of control that comes as audits and assessments that validate your company’s cybersecurity practices against the standard. These controls will be performed by independent third-party certified organizations, and each contractor will be assigned a maturity level from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” (there are 5 levels in total).

For instance, a company working under DFARS that wants to reach level 3 (“Good Cybersecurity Hygiene”) should already have about 85% of the work already laid out; this is because, out of the 130 controls, 110 are straight from NIST 800-171, which has been the standard for several years.

Since we did not have specialized controls up until the CMMC framework, many companies will have gaps. Based on our expertise, some of the most common issues are:

• No system security plan
• Incomplete cybersecurity policies
• Missing multi-factor authentication (MFA) and/or encryption
• Incomplete incident response plans

Before applying for a CMMC evaluation, run a complete analysis to assess your current compliance level.

The New DFARS Interim Rule

DoD contractors and subcontractors handling controlled unclassified information have had to self-assess their cybersecurity using NIST SP 800-171 requirements. This has proven inefficient because contractors lack a well-structured system to support their self-assessment efforts. As a result, there are plenty of gaps and differences in planning from one business to another.

The Interim Rule is trying to improve this situation by helping contractors grade themselves using a standardized score. This way, each contractor can learn about the NIST SP 800-171 security requirements they still need to work on.

This means that all the contractors that work with CUI will have to take the NIST 800-171 Self-Assessment (even though they already did one in the past) and then post their result in the Supplier Performance Risk System (SPRS). The DoD cannot award contracts without this new assessment, which follows the scoring methodology specified by the Interim Rule.

Contractors should expect random audits by the DCMA, checking their self-assessment and final scores.

If you want to stay in the game, your business needs to be in compliance. This means keeping up with the new standards, as challenging as they may be. Our specialists have the necessary knowledge and experience to get you there. We evaluate your business, identify goals, and provide a framework and action plan while protecting your core job functions. Were ready to become your cybersecurity team or fill the gaps in your cybersecurity program.

We provide advice and guidance on CMMC compliance rules, ensuring you stay updated with all new developments.

We are ready to become your cybersecurity team or fill the gaps in your cybersecurity program. If you have questions about these topics, don’t hesitate to reach out to our specialists.

Work from Home Security–Is Your VPN Letting the Hackers In?

In the haste of the rapid changes coming down from government agencies, everyone who could work from home spent the last week or two getting their remote functionality set up.

While this was necessary, the last thing most people were thinking about was the potential security implications.  Even though security may have been a thought, while quickly trying to think about how to handle everything else, it more than likely did not get the full attention it requires.

Now that we are past the initial shock and starting to work full-time from home, we wanted to put together some security posts to help organizations better secure their networks in this new environment.  In these unusual circumstances, hackers always try to take advantage.

First, let’s talk about VPNs.  They are incredibly useful tools if secured properly.  Unfortunately, there have already been news stories about hackers targeting VPNs.  What are they targeting?  The answer is improperly configured and unpatched VPNs.

With that in mind, do you maintain and keep your firewalls up-to-date? The first step if you aren’t sure is to determine if your firewall and/or VPN appliances are up-to-date on firmware.  Your IT engineers should be patching the hardware on at least a monthly basis, and sometimes even sooner if a critical update is available.

The next question to consider is whether you have configured the VPN properly. There are a few different ways to configure traffic on a client-to-site VPN.  One option is to configure split tunneling, which is a way to only send network traffic specifically destined for the work network through the VPN.  The other option is the opposite: all traffic goes through the VPN.

On the surface, split-tunneling sounds like the way to go.  You do not want your employees personal web surfing to go through your network.  What if they are streaming music while working? That seems like a bandwidth nightmare, right?

The problem with split-tunneling is that your employee’s computer becomes a gateway into your network.  The employee could accidentally browse a malicious site via their home network which does not have any web filtering, causing that computer to become infected. Since the computer is connected to the VPN, that malware can enable hackers to access your business network by allowing them to enter through the employee’s home internet.

What about the problem of bandwidth?  With the alternative, it is true you will use more bandwidth, but you have control over that bandwidth and, more importantly, the traffic.  If you are concerned about music and video streaming, you can block that traffic from the VPN. After all, your employees are working from home.  They could turn on the TV or radio.

You can also turn on web filtering, antivirus scans, intrusion detection and other firewall services to scan all traffic.

This way, the VPN will force all traffic to go through it. Any other devices on the home network will not be able to communicate with the laptop – the Xbox, Alexa, Google devices, etc.  It will be in a quarantine of sorts.  This dramatically improves security and will limit the exposure of your internal business network.

Finally, you should limit the type of traffic that can go through the VPN.  If most of the traffic is just web traffic, only allow web traffic.  If it’s a database application on your network, you can limit traffic to that database. List everything users need to access and implement access control policies to allow only that traffic.

As always, if you have questions about VPNs or are unsure about your security, reach out to us without hesitation. We are here to help.

Stay tuned for more security information to keep your business secure while your employees are working from home.