Posts

XChange of Ideas – Security

XChange EventsLooking at what we learned during three packed days at the XChange 2022 Conference, we have much to share.  The XChange conferences help IT service providers, like Cumulus Global, explore emerging trends, challenges, products, and solutions.  While we attend to improve our service offerings and business, many of the insights will benefit your business as well. This XChange of Ideas shares three emerging security trends.

1 Security is Not a Technology

Most small and midsize businesses see themselves as having security because they have some security technologies and systems in place.  Security, however, is not a technology; security is an ecosystem that spans people, processes, and systems, as well as a lifecycle of prevention, response, and recovery. As important, we need to understand that managing our security

Most businesses still lack the basic set of security protections that span the security lifecycle. A solid security foundation should include advanced threat protection, next-gen endpoint protection, DNS security, web protection, multi-factor authentication, and encryption. A solid backup/recovery is also necessary; having a business continuity solution is preferred.

With the dynamic nature of threats and cyber attacks,  many businesses are at higher risk and should be deploying advanced security services. Advanced security services may include managed security incident detection and response (MDR) services, internal application whitelisting, segmentation, and other protections that can detect, halt, and stop the spread of an attack.

2 Cyber Insurance is Not Assurance

Cyber Insurance is more than a good idea, it is a necessity for almost every business.  But cyber insurance is not assurance that you can quickly recover from a cyber attack.

  • Cyber insurance underwriters have you complete a questionnaire or audit about your cyber protections, policies, and procedures. When you submit a claim, most cyber insurers will ask you to demonstrate that the protections were in place, how they were functioning, and that you follow the policies and procedures noted in your application.  If you cannot show that you do what you promise, expect your claim to be denied.
  • Your cyber insurance underwriters may prevent you from starting your systems and data recovery. Recovery typically destroys evidence of the attack, it’s cause, and it’s method of propagation. You may be unable to restore your systems and data for days — or even weeks — while your insurer completes a forensics investigation.

Having the right protections in place, and being able to demonstrate compliance, is a clear expectation to resolve cyber insurance claims.  Having a continuity solution in place that allows you to return to operation in parallel with a forensics investigation should be considered.

3 HIPAA is Not Just For Doctors

HIPAA is the regulatory cornerstone for protecting personal health information (PHI). These regulations control how we store, transmit, and share — procedurally and technically — PHI. Compliance, however, is not just required of healthcare providers, insurers, and others direct access to patient records. Businesses serving healthcare providers — those that sign a Business Associates Agreement — face compliance requirements as well.

HIPAA enforcement is expanding beyond Covered Entities to Business Associates, as is notable on the US Department of Health and Human Services Office of Civil Rights HIPAA “Wall of Shame

If you are not sure that your security services are up to par, contact us about our security assessments, or schedule an intro call with one of our Cloud Advisors.

Echo of Non-Compliance

Everyday, we hear about new ways we can use our smart speakers. Retailers, radio stations, product companies, and others remind us that we can use our Amazon Echo or Google Home to buy, listen, or learn. The term “smart speaker”, however, is misleading.  These are microphones and they are always listening. They are also likely recording everything they hear.

If you are covered by HIPAA or other privacy regulations, do not talk about protected information within earshot of Alexa.

This warning stems from a 2015 murder case in Arkansas. Believing that the Amazon Echo may have “heard” a murder, the District Attorney subpoenaed any recordings that Amazon may keep from the device. Amazon fought the decision on First Amendment and privacy rights, not by claiming that it was not recording. Amazon did not deny having recordings.

The issue for data privacy compliance is that your smart speaker may be listening to and recording conversations you have about protected information.  Allowing this is a violation of HIPAA and other regulations protecting personal identifying information (PII).

When is your Amazon Echo recording?

The short answer is: we are not sure, but maybe always.

Looking at the Alexa Terms of Use, Amazon tells us “Alexa streams audio to the cloud when you interact with Alexa” and “Alexa uses recordings of your voice to create an acoustic profile of your voice characteristics.” Alexa use is also covered by the Amazon Privacy Notice, which states, “We receive and store any information you enter on our Web site or give us in any other way.”

While Amazon tells us they are recording your “Hey, Alexa” commands, the Terms of Use and Privacy Notice are a bit more ambiguous. Neither document tells us that Amazon records only when listing and processing commands. Nor do the policies limit Amazon’s recording to those commands. We do not know, for sure, when Amazon is not recording what it hears on your Echo.

Better Safe Than Sorry

When speaking about sensitive or protected information, stay away from your “smart speaker” or manually mute the device.


One more thought:  Ever notice how after certain conversations, you see ads on Facebook related to the topic discussed?  Unless you turn off microphone access, Facebook is using your phone to listen to your conversations, analyze what you say, and profile you. Letting Facebook listen is another potential HIPAA and PII breach.


 

Rules, Regulations, and Results

Rules and RegulationsFor Small and Midsize Enterprises (SMEs), the regulatory landscape remains in a perpetual state of flux with changes originating at the Federal, state, and local levels. While some rules and regulations can severely impact your business’ operations, and profitability, many create requirements that you can easily satisfy at a nominal cost.

Three regulations with upcoming deadlines or increased enforcement include:

HIPAA

HIPAA compliance is a requirement for any organization that works with personal health information of individuals — not just medical offices and insurance firms. If you are sharing employee information about benefits, insurance coverage, medical leaves, or other items that involve personal health information (PHI), you have an obligation to protect the PHI. Failure to do so can result in heavy fines and, in a few instances, criminal charges.

Historically, HIPAA compliance has focused on medical practices, insurance, and brokers. We are starting to see audits of non-medical companies, along with fines for those not in compliance. 

Fortunately, you can protect PHI by focusing on the individuals that are authorized or likely to handle sensitive employee information.  By focusing on HR, payroll, and key executive and leadership roles, you can deploy services like message-level email encryption.

What to do:

  • For as little as $5 or $6 per user per month, you can ensure that specific individuals protect PHI and sensitive information while preventing accidental disclosure
  • Contact us for information about encryption, DLP, and other HIPAA solutions.

ELD

Starting December 18, 2017, all interstate trucks in the US must use an Electronic Logging Device (ELD) to track operations and required reporting.  According to the US Department of Transportation (USDOT), fewer than 1/3 of interstate trucks have installed ELDs as of mid-November. Failure to comply can result in heavy fines, impounding of vehicles, and disruption of delivery schedules.

While enforcement is not expected to impact small and midsize trucking firms until late spring or summer of next year, your business can still be at risk.

Here are a few things to note:

  • If you have your own truck(s), they may be classified or registered as Interstate Trucks, even if you only deliver within your state.
  • If you use third parties for shipping, their failure to comply can disrupt your deliveries if trucks are stopped or impounded, or if drivers are pulled off the road.

What to do:

  • Check your own vehicles:
    • Determine if they are properly registered as Interstate Trucks, or if they should be registered as such
    • If you do not have ELDs yet, please contact us for low cost, self-install ELDs with logging software subscriptions
  • Check with your shipper(s):
    • Confirm their trucks, those of their subcontractors, and any owner/operators are properly registered and have ELDs
    • If not, have them contact us for help

GDPR

Effective May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) takes effect. While GDPR covers data protection and privacy for citizens of EU member states, treaties allow enforcement in action against US companies operating within the US.

If you have any personal data for citizens of EU member states, you are responsible for GDPR compliance.

GDPR means more than encrypting sensitive data.  GDPR includes processes and procedures for governance, including:

  • A named Data Protection Officer (DPO) responsible for oversight, compliance, and response to individual inquiries. The DPO role can be full time or part time, internal or contracted.
  • You must report suspected breaches within 72 hours of becoming aware of the issue.
  • You need to deploy privacy by design — any new system or change in systems requires primary consideration of privacy and information security.
  • You must be able to demonstrate that you mitigate risk, even in the absence of a privacy breach.

Fortunately for most SME’s the appropriate policy changes and the risk-mitigation technologies need not be expensive of complicated.

What to do:

  • Discuss GDPR with your team, and your legal counsel, to determine your required compliance
  • Provide training, education, and “cultural support” for a data privacy mindset within your organization
  • Review systems storing or processing personal information for security and privacy compliance
  • Select and deploy relevant data loss prevention (risk mitigation) solutions for your environment

Need help? Contact us for more information.


 

Email Encryption is Not Compliance

Security Key
While providing a reasonable level of protection from inappropriate access to your data, the built-in encryption is not sufficient to meet information privacy regulations. Laws such as the Health Information Portability and Accountability Act (“HIPAA”), and industry regulations including the Personal Card Information (“PCI”) standards require more than data encryption.

Privacy laws and regulations typically include three components:

  1. Policies and procedures that, when followed, provide appropriate data protections
  2. A means to monitor compliance, with the ability to detect and mitigate potential violations of the policies and procedures
  3. A defined response and resolution procedure in the event of a breach

As explained in our eBook, Email Encryption in Google Apps, Technology can support the implementation of these three components, but does not offer a full solution on its own.


Contact us to assess your email encryption needs and to define an affordable solution.


 

Expanding HIPAA Accountability

HIPAA Logo
As more businesses provide health care coverage, or assist employees in obtaining coverage, under the Affordable Care Act, we find ourselves possessing and managing even more sensitive personal information about our employees.  And, while we are not working with medical records, per se, we are often exposed to insurance account and activity information that cannot be disclosed.

Communications with your insurance broker or carrier should be secure — from end to end.

The good news is that you have options.

  • Policy-Based TLS Encryption
    • If your broker or carrier is willing to share some technical info, you can setup policy-based TLS encryption that will forcibly encrypt all emails between your email service and theirs.
    • They will likely need you to prove, or certify, that you encrypt data from your email service to your end users on every platform.
    • Policy-Based TLS Encryption is part of Google Apps, but not every email service is capable.
    • This is the lowest cost, but most technical solution.
  • Manual Encryption Tools
    • Third party apps, like Virtru, let users encrypt email messages before they are sent.
    • They are inexpensive and easy to use, and can also track when messages are opened or forwarded.
    • They are NOT foolproof, as they depend on users knowing what must be encrypted and remembering to do so — every time.
    • This is the lowest cost solution, but most susceptible to an accidental breach.
  • Automated Encryption Tools
    • Integrated email encryption solutions, like Zixmail, give users the ability to flag messages for encryption.
    • They also use heuristics to scan all email traffic, identifying those that should be encrypted and doing so automatically.
    • While slightly more expensive, these tools effectively monitor policy compliance and mitigate your risks.

Select the type of encryption solution you need, based on how your business operates and who is responsible for keeping information private.


 

Unlike many providers, we offer each type of email encryption service on a per-user basis. Most businesses have a limited number of staff working with sensitive information; we can provide these users with encryption services. Our approach provides the protection you need and respects your budget and priorities. Contact us to learn more.


 

4 Questions to Ask When Selecting an Email Encryption Solution

Email Lock
Once you determine who within your organization should be using email encryption to secure sensitive and protected information, you need to select from sea of vendors all claiming to be the “leading” provider.

Here are four (4) questions to ask when selecting an email encryption solution

1) Does the solution include a hosted, shared email encryption network?

Encrypting every email is hard, expensive, and does not accommodate the way most of us work. Using passwords and accessing portals are extra steps that take time and can create frustration. A shared email encryption network ensures that 100% of emails sent within the network are secured without any additional actions required by the sender or the recipient.

2) Does the solution offer policy-based encryption filters?

Most encryption solutions relying on users to trigger encryption by clicking a button or putting a tag into the subject line.  Even if users understand every scenario that warrants encryption, they are likely to miss a few along the way. Solutions with policy-based encryption filters scan and automatically encrypt messages that contain sensitive information. The best solutions provide standard heuristics for common regulatory requirements and let you create custom policies to meet your business’ specific needs.

3) Is the solution easy to use?

Email is a business tool, and email encryption is no different. Ideally, the solution should be easy to use for sender and recipient. Difficult processes result in mistakes, compliance breaches, lost productivity, and users circumventing the system. Easy to use solutions foster adoption and compliance by automatically encrypting message, decrypting inbound messages at the gateway, and ensuring that replies and forwards get encrypted as well.

4) Is the solution provider awesome?

Choosing an email encryption provider is a long-term commitment and the lowest price is not always the best deal. Make sure your provider is trusted by others in your industry. Check to ensure their infrastructure has certifications and accreditations, such as SysTrust/SOC 3 or PCI Level 1. Make sure the solution can be deployed quickly and that your provider supports your deployment technically and with user training. Verify that your provider will support you on an on-going basis and minimize the resources required from you and your team.

 


 We offer multiple email encryption solutions. Contact us to discuss your needs and explore the solution best for you and your business.


 

HIPAA Compliance with Google Apps Just Got Easier

HIPAA Logo
One of the challenges using any IT service are external requirements for data use and privacy.  Among the most restrictive are those imposed by the Healthcare Insurance Portability and Accountability Act (HIPAA).  HIPAA regulations intend to ensure data is private and protected from accidental or intentional breach, and is only shared as needed to ensure appropriate medical care.

One aspect of HIPAA requires entities to execute a Business Associate Agreement (BAA) with any organization with which Protected Health Information (PHI) is shared.  Sharing not only includes data provided to other medical professionals, sharing includes data stored on systems or managed by services.  The BAA defines each party’s roles and responsibilities with respect to data protection and privacy, and accountability in the event of any inappropriate breech or release.

For organizations using Google Apps for Business, Education, or Government, documenting HIPAA compliance just became easier.

Google Apps administrators may now complete and execute a BAA with Google covering key services in Google Apps, specifically:

  • Gmail
  • Calendar
  • Drive
  • Google Apps Vault

The BAA does not cover other services within Google Apps, nor does it cover third-party or marketplace applications.  As such, signing the BAA and implementing Google Apps as part of a HIPAA compliant infrastructure still requires planning, policies and procedures, and an examination of other systems and applications.

Contact us to learn more.

 

Moving to the Cloud: Regulatory Compliance

 

Green_GaugeThis post is the seventh in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Moving to the cloud often entails more than switching to an email service or spinning up a some cloud-based storage and servers.  For many businesses — including Small and Mid-Size Businesses (SMBs) — regulatory requirements place demands on IT systems and security.  And, while these requirements impact in-house and cloud solutions, moving to the cloud requires planning.

The most common regulations for SMBs relate to consumer (customer) privacy:  HIPAA, which protects personal health information, and PCI, which protects personal and credit related information.  Many SMBs, however, must also meet the requirements of Sarbanes/Oxley, FINRA, SEC, and various state regulations.

The solution:  Integrating Solutions.

Fortunately, the tools and systems exist to provide compliance with data security and privacy regulations.  Cloud vendors are creating environments and the management controls necessary for customer regulatory compliance and certification.

The challenge is to make sure that all of the pieces work together.

  • Message Archive/eDisovery:  Manages retention of email as official business records and provides the eDiscovery and audit tools necessary to meet federal subpoena requirements.
  • Message Encryption: Encrypts email at the individual message level based on content and rule sets, requires users to authenticate before accessing the message, and prevents forwarding.
  • Two Factor Authorization / Single Sign-On: Provides identity management services and audit trails beyond core products in order to meet regulatory or policy requirements 
  • Third Party Encryption:  Encrypts data in the browser or client before transmission to the cloud, providing a second level of encryption prior to the encryption provided by the cloud vendor.  In the event of a vendor data breach, the exposed data would be encrypted.

These types of solutions, and others, provide cloud environments with the capabilities to meet regulatory requirements.  Vendor contracts and policies should still be carefully reviewed for any terms and conditions that threaten compliance.

And remember, no vendor can ensure compliance.  Compliance exists when the technology meets the technical standards and is used in accordance with policies and procedures that meet the regulatory intent.

Next Post in the Series:  Internationalization

Previous Post in the Series:  Integration with Legacy Systems