Wednesday, March 20, 2019

How does a company get started with cybersecurity when they’ve never addressed it seriously?

To get started with cybersecurity, companies must understand what data they have, what regulations apply to them, and the overall leadership attitude towards risk, cybersecurity, and protecting information assets.  From here, the company needs to pick a cybersecurity framework such as HIPAA, PCI, NIST, or ISO that most closely aligns with their goals.  Once a framework is selected, a gap analysis should be performed.  Then the company can proceed with implementing controls to address the unique weaknesses and vulnerabilities that face it.

2019's New Frontier of Cybersecurity Threats and Trends

Remaining vigilant and proactive is a key strategy for cybersecurity experts in 2019. Hackers keep finding new ways to exploit vulnerabilities on public and private computer networks. Information technology (IT) industry leaders appeal to everyone from consumers to corporate technical architects to adopt protocols that make technology safer and more reliable to use. Here are some cybersecurity threats and trends to watch in 2019.

Viruses as Weapons of Mass Destruction 

When diplomacy doesn't work, leaders of national governments have been known to resort to unconventional warfare tactics to effect change. Instead of directly declaring war and dropping bombs, these governments have been known to stage cyber-attacks on other countries' public and private networks.

In December 2018, the U.S. Department of Justice put out a statement about the criminal charges that it levied against two Chinese hackers who breached a network to steal intellectual property. The hackers worked for China's Ministry of State Security. Was pressure to fix trade imbalances between the United States and China the motive for the attack?

More recently, Venezuelan leaders accused the United States and its allies of sabotaging Venezuela's power grid and causing a country-wide blackout. Some have hinted that attackers used the computer virus Stuxnet to bring the power grid down; the worm is not detected by most antivirus software. The two countries have been at odds about the use of Venezuela's gold and oil assets as they relate to U.S. business interests. 

Hijacked Hardware for Crypto Mining 

Many national currencies are in a state of decline or instability as financial experts look for solutions that'll bring permanent economic health and prosperity to their respective countries. These leaders are giving digital currencies a serious look. Meanwhile, cybercriminals attempt to grow their cryptocurrency wealth by any means necessary. They often hijack the computer systems of individuals and businesses for crypto mining activities.

Biometric Authentication 

Stealing authentication credentials and cracking passwords are common skills for today's cybercriminals. These thieves continue to steal credentials because it works: their initial intrusions usually aren't thwarted even by sophisticated antivirus software. Biometric-based authentication systems such as fingerprint readers and iris scanners eliminate network breaches that are caused by stolen credentials.

Labor Shortage of Cybersecurity Talent 

People who are worried about global competition for IT jobs need to check out the field of cybersecurity. According to industry analysts, there is a growing shortage of trained cybersecurity talent. Someone who wants to break into a computer security job needs training and credentials. Four-year degree seekers take programs such as Drexel's BS in Computing and Security Technology. Those who already have a bachelor's degree often earn certificates through specialized training programs such as the EC Council's Certified Ethical Hacker course.


In 2019, IT security specialists will continue to use their knowledge of network protocols and advanced antivirus tools to prevent, contain, and clean up cyberspace's most costly digital messes. Hackers will use old viruses in new ways to exploit vulnerable computer networks everywhere. Their attacks have a surprising bright side, however, for people who are willing to get the proper education and training.

Bit by Bit can help with your network security assessment. You can reach us at Contact us.

Tuesday, March 19, 2019

Why is cybersecurity important for small and medium businesses?

Large companies tend to have the time, money, and resources to invest in cybersecurity.  Small and medium businesses (SMBs) generally don't have a single point person devoted to the organization's cybersecurity.  SMBs generally lack the knowledge and expertise to ensure that risk is both discovered and addressed.  This is why most SMBs outsource the cybersecurity function to a trusted third party with the certifications, experience, and know-how to combat cyber risks.  SMBs that don't outsource this important role are at significant risk of damaging information loss and downtime.

River Legacy Speaker Series

Monday, March 18, 2019

Why does HIPAA apply to me if I am not in the medical field?

HIPAA, the acronym for the Health Insurance Portability and Accountability Act, is a regulation administered by the Department of Health and Human Services.
Most people are aware that hospitals, long-term care facilities, health insurance companies, doctors' offices, and the like must comply with both the privacy and security components of HIPAA. However, many people are fuzzy on the fact that other organizations also have to follow a minimum set of security standards under HIPAA.
Any organization that provides services to any of the entities above has to sign what is called a business associate agreement, or BAA. This agreement is essentially an attestation that the business associate will exercise due care while handling medical records.
Here are some examples of business associates:
- An outsourced IT firm
- A third-party cybersecurity firm
- A CPA firm that provides accounting services and has access to PHI in the process
Any time a business associate discloses, handles, or uses PHI, it must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates.
The HIPAA Security Rule requires periodic risk assessments, user training on security best practices, and penetration testing to ensure that the business associate is not adding unnecessary risk to the handling of protected health information.
Essentially, anybody coming in touch with protected health information needs to align their cybersecurity posture with HIPAA requirements.
Managed Security Team

Cross-border e-commerce is booming:

Cross-border e-commerce is booming: it is expected to bring in $203 billion annually by 2021. Yet many U.S.-based merchants hesitate to engage in global transactions. To be sure, risks abound, but so do misconceptions about payment fraud.
Using local payment methods (LPMs) — that is, payment methods beyond credit cards — may lessen risk and allow global expansion. Linked to local banks, they typically have built-in security safeguards. In China, for instance, 49 percent of online transactions take place via e-wallet and only 23 percent by credit card.
Risk is reduced because such push-payment methods, where the customer initiates payment, do not require the business to collect consumers’ payment data, thereby lessening exposure to chargebacks due to misuse of stolen cards.
Bank transfers — which move money directly from the purchaser’s bank to the merchant’s — are another avenue to pursue. Used in nearly half of online transactions in Germany, bank transfers are performed via redirect during checkout, through a real-time or offline transfer process.

In Other News:

The U.K. has seen its first group litigation case concerning data breach, and the organization in question, the supermarket chain Morrisons, was found vicariously liable for the actions of one of its employees.
A disgruntled employee posted a file on a file-sharing website that included data on nearly 100,000 of his colleagues. That employee was found guilty of several charges related to the incident, including fraud and gaining unauthorized access to computer materials, and sentenced to eight years in prison.
Then 5,518 of the individuals whose personal data was published sued Morrisons. In this class-action-type suit, Morrisons — which was determined to have been compliant with data security laws at the time — was found vicariously liable for its rogue employee’s actions. It now faces large compensation costs.
Notable not only for being the first of its kind around data breach in the U.K., this case is also interesting for setting a high standard of responsibility among companies for their employees' actions. As data breaches increase in both frequency and scope in Europe, those affected by them are likely to look to class-action claims under the provisions of the GDPR, which gives data subjects more rights and increases defendants' penalties.
A side note: the GDPR and the Irish Data Protection Act 2018 may also enable similar claims concerning nonmaterial damage, such as emotional distress, to be brought before Irish courts.