Is it a Trick if Pushed to do Right Thing?

How do we convince people who don’t know enough to make an educated decision? If we trick them into making the right decision, is that OK?

Cybersecurity is not obvious to the regular person (or to the CxO with minimal IT education).

What do the three pictures above have in common? Anonymous, a local hacker, and a criminal hacker from Eastern Europe.

All three are hackers who, for one reason or another, are attacking your systems. And thanks to the wonders of the Internet, you are subjected not only to attacks by US hackers but also to attacks from China, Eastern Europe (Russia, Ukraine and more) and many other countries where law enforcement is lax or corruptible.

So maybe you thought hackers look like the top two pictures (the local and cause-based hackers), who do not have the level of sophistication the bottom one does.

Now we are connected to all the hackers in the world, including the ones who have made a significant living by making attacks ever more sophisticated.

Think about this for a second: the hackers are also drawing up plans for next year, and the criminal organizations are looking to recruit new hackers and create more attacks, since they want to “make” more money than this year (2016).

So, let’s assume you agree that it is important to do more in Cybersecurity next year than this year.

How do we do this? We have to try something new: a method that, in a sense, tricks the decision maker or the user into making more secure decisions.

Well, we have to review the Psychology of Security first: last week’s post, which says the security decision maker wants to take the risk of not doing anything (in the hope that nothing happens). Most of us are willing to risk the potential bad day from a hacker; I mean, what is the worst that could happen?



We can go down the list of companies that have made this bad decision in the past, like:

  1. Sony
  2. Home Depot
  3. Michaels
  4. Target
  5. Wendy’s
  6. Government OPM office
  7. Healthcare records (Georgia Blue Cross Blue Shield)

#7 is a story about a hacker who stole 400,000 health records and will potentially make $682k in ransom money.


If your budget and thoughts are to keep everything the same, then you are inviting a disaster that will turn your hopes of “nothing will happen” into a bad feeling in your stomach when you first hear the bad news.

So how do we do it?

How can we argue against the grain of ‘I’m not worried’?

Do we make the bad potential seem worse? It seems to me that does not work; it is just more screaming into the wind.


We have to increase things incrementally: explain one item at a time.

Let’s patch the systems first on time (if you are not doing this already).

This is where we have to use compliance with different standards (depending on your industry) to make your security better in 2017.


What if there is no “have to have” compliance standard?

Then you can always pull out the old ISO 27001.


Mr. Decision Maker… we should be ISO 27001 compliant, or at least start to move toward it, so that we can have a competitive advantage over our competitors.


Contact me if you need help with this strategy.




Cloud Compliance & Cybersecurity

Cloud Compliance? Do we even need it? Our data is in the cloud … therefore it is safe right?

What does it mean to have compliance in a cloud computer? A cloud computer is a computer managed by “someone else”. Compliance with the various standards is all about your data. So we do have to ask some detailed questions to make sure there are compliant methods in the cloud.



In past posts I made it clear that backups are needed to make sure you are safe from cyber attacks. In case of a successful encryption attack (ransomware, including the recent one on the San Francisco train system) you must have a working backup. By ‘working’ I mean tested in the last 3-6 months. Yes, this is a pain and difficult, but as with most cybersecurity issues, the details are important.

As you can see in the image above your devices connect to the Cloud (or Remote Servers) which house your data.

Each cloud setup is different with applications and usage that drive the type of cloud service.


So the data you work on is on the remote server (cloud). How can we make sure we are compliant in this environment (which we do not control)?

Answering the following is an important step:

  1. Who has access to the data? Only employees of the cloud company? Is the data secure? Details…
  2. How is the data backed up? How long is it kept, etc.?
  3. How does the data get to the cloud/remote server? Encrypted, or some other way?

Documenting the answers to the above three questions, with details, is important: are there any contractors who will have access to the data? The SLA (Service Level Agreement) is important to review.


The item that now must be done (after the documentation is complete and you know what data is stored where) is to test the environment for recovery.

This is an important step not to be missed. How do you know if backup and recovery work? You will not know until you try it, and it is too late when an actual emergency is facing you. At that point it is “pray and hope everything works as it should”.


Admittedly, this testing step is difficult, especially in complex environments.

Let’s assume you look at these challenges and consider that the costs may be too high to make testing the backup viable. You may be tempted by our Psychology of Security to decide that you would rather risk a potential failure in the cloud (cybersecurity or otherwise) than pay the cost to test and ensure recovery from a failure.


This is not wise, but we are human after all, and you would be in the majority (as in the blog post: 70% take higher risks when loss is an option).


We at do not recommend this argument, as it is better to ensure your survival rather than risk it.

As in the USA Today link about the San Francisco train system ransomware attack (whether the train system is in the cloud or not), it is undeniable that in the future more companies will depend on the “cloud” and will have serious problems if there are cybersecurity or functional problems with the infrastructure. So it behooves you to get your backup and recovery tested, however complicated.
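The two steps above (document what is stored where, then actually test recovery within the 3-6 month window) can be turned into a repeatable check. The script below is an added example, not code from the original post or from any cloud provider: it archives a small constructed data set, restores the archive into a scratch directory, compares every restored file against a SHA-256 manifest, and records when the test ran so the next run can tell whether the last test is stale. The 180-day limit, the file layout and the sample data are assumptions made for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_TEST_AGE_DAYS = 180  # assumption: outer edge of the post's "3-6 months" window


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and write the manifest next to the archive (the documentation step)."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> dict:
    """Restore into a throwaway directory and diff the result against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+, backported to 3.8.17+) refuses
                # absolute paths and ".." traversal inside the archive.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch) / "data")
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {"ok": not (missing or corrupted or extra),
            "missing": missing, "corrupted": corrupted, "extra": extra}


def recovery_test_is_current(last_test_iso: str, now_iso: str,
                             max_age_days: int = MAX_TEST_AGE_DAYS) -> bool:
    """True if the last restore test happened within the allowed window (and not in the future)."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_test_iso)
    return timedelta(0) <= age <= timedelta(days=max_age_days)


def run_recovery_test(src: Path, workdir: Path, now=None) -> dict:
    """Back up src, restore it, verify it, and record the outcome in workdir."""
    now = now or datetime.now(timezone.utc)
    archive = workdir / "backup.tar.gz"
    result = restore_and_verify(archive, make_backup(src, archive))
    result["tested_at"] = now.isoformat()
    (workdir / "last_recovery_test.json").write_text(json.dumps(result, indent=2))
    return result


def build_sample_data(src: Path) -> None:
    """Constructed stand-in for business data; not real records."""
    (src / "records").mkdir(parents=True)
    (src / "records" / "patients.csv").write_text("id,name\n1,constructed sample\n")
    (src / "config.ini").write_text("[app]\nversion=1\n")


def demo() -> dict:
    """A clean run, then a run where the manifest and the archive disagree."""
    with tempfile.TemporaryDirectory() as tmp:
        src, work = Path(tmp) / "src", Path(tmp) / "work"
        work.mkdir()
        build_sample_data(src)
        clean = run_recovery_test(src, work)
        # Simulate silent data loss: one file hashes differently than documented
        # and one documented file is not in the archive at all.
        tampered_manifest = json.loads((work / "backup.tar.gz.manifest.json").read_text())
        tampered_manifest["config.ini"] = "0" * 64
        tampered_manifest["records/missing.csv"] = "1" * 64
        tampered = restore_and_verify(work / "backup.tar.gz", tampered_manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule against a real backup location and alert when `ok` is false or when `recovery_test_is_current` returns false for the timestamp in `last_recovery_test.json`; the point is that "we have backups" becomes a dated, verified statement rather than a hope.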


Contact us to discuss





How Much Time Before Notifying a Breach?

I hope there is something in place to detect when a breach occurs, but assuming there was a breach and you found out: when should you notify?

So let’s assume you are in the health industry and protect PHI {Personal health information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care (definition from Google)}. Then when should the breach be reported to the various people in your database?

An old post at says the breach must be investigated right away. BUT one does not automatically know that a breach occurred, so we have to develop a process to uncover breaches.


  1. Breach was found or suspected
  2. Risk analysis of the breach: if it occurred, what happened?
  3. Determine the level of risk
    1. if low: document, fix and move on
    2. if anything else, including high: prepare to notify the owners of the breached PHI.

When breach notification must occur, the notice includes:

  • Brief description of the breach, including dates.
  • Description of types of unsecured PHI involved.
  • Steps the individual should take to protect against potential harm.
  • Brief description of steps you have taken to investigate the incident, mitigate harm, and protect against further breaches.
  • Your contact information.



There are many types of breaches. In the health field, if a person sees data they should not have seen, this is a HIPAA breach. But this type of breach may be handled internally, and if the employee or contractor was rebuked and reminded that this data is not for worldly consumption, this is a low risk.

In another case, if the breach is a lost laptop that had patient data on it, then this is a notification event. Every case is different.

There are many potential scenarios, and I cannot list all the types of breaches in health care and other industries. Data with Social Security numbers and addresses is important. Knowing when to notify in your incident response plan is also important. You don’t want to be developing these plans when there is a problem. Unfortunately, every company that uses credit card information needs to plan for this Incident Response (IR) eventuality.

  • HIPAA breaches
  • PCI breaches
  • SSNs and other information
  • Privacy data of your customers
  • other data (employee hiring records)
  • other payroll data
  • Data that somebody can use to sue you


We cannot predict how this regulatory environment will change in the future, but it is safe to say that even if regulation is reduced, an enterprising lawyer will take you to court if nothing was done.



So it is better to get started on an Incident response plan.

Contact us today.

We Set Up Compliance Policies! Now What?

There is an organization with a solution for the next steps after you have some compliance set up: OCEG, with their PDF “A Maturity Model For Integrated GRC”.

First page of report:



As in the title, the goal is integrated GRC, where the company’s business goals are intertwined with Compliance, Risk, and Governance. It turns out this organization has been working on integrated GRC for a while now (founded in 2002).


Well, assuming you have GRC (Governance, Risk, Compliance), or at least a little bit of it, like a PCI compliance program, a HIPAA compliance program, or another compliance program you started, it is a good start. Of course, you can hear a ‘but’ in this line of thinking…

Or rather: now what? Having an initial compliance program is nice; working on security is also nice. So let’s be more secure while being compliant.

The idea is to integrate GRC and security with business goals. I can say that in one sentence, but the actual hard work of getting to integrated GRC is not easy.


Imagine that every time you make a potential decision, you will now also think about the compliance and security implications. Too draconian for you? I can easily add: keep your customer data private (within privacy laws).


Notice the idea is to make this a goal of the organization, with the understanding that it is not going to be easy, as many decisions are made without compliance or risk being thought of.

How else does one think of security while making decisions?

And this is the real reason to introduce an integrated GRC methodology.

Buying new products, installing products, creating new services and products, and on and on. Every decision could be the next GRC issue. You may not be aware of it until it happens and the IT department asks the million-dollar question: “How does this issue affect security?”

And right after that question, IT or your compliance department will ask how to keep the new program compliant.

It might be second nature to you, but it may not be. I like the structured methods of OCEG, and they bear further review and understanding.


Contact Us to discuss your potential GRC issues.


Hidden Hacks In Network

I’m often thinking about where the next attack can come in, and unfortunately it may come from where we least expect it.

A Spiceworks blog post has an interesting angle:

How often have cloud services been installed by users without IT department knowledge?


The survey by Spiceworks found that IT people have discovered their users installing cloud services 78% of the time, from 2 times to over 5 times.


The cloud applications that IT people are worried about:

  • Cloud Storage (Dropbox, Google Drive, OneDrive) – 35%
  • Webmail (Gmail, Microsoft Exchange Online, Yahoo) – 27%
  • Messaging Services (Google Hangouts, Slack, Yammer) – 9%
  • Finance/Accounting applications (QuickBooks Online, FreshBooks) – 8%
  • Productivity Tools (Office Online, Google Docs) – 4%
  • CRM & SFA (Salesforce, Zoho CRM) – 3%
  • Other – 4%

I would think games are also a big portion, bigger than 4%, inside of “Other”.


As you read down the list of cloud applications, some are easier to access than others. Gmail, Google Hangouts and Google Docs are accessed with a login in a browser. I think that Google applications are not inherently unsafe; it is only when a document is downloaded from Gmail or Google Drive that the danger goes up. Although many online cloud apps do not require plugins or other software to be downloaded, many do, so that is one way of infection (downloaded plugins).

Accessing personal email on the company network with Yahoo, Exchange Online, Gmail or any other email service is not just a “breach of protocol”. The user may unknowingly add streams of spam and phishing emails which will try to take over the user’s machine.

So let’s say you invested in a program or service which checks company emails for viruses and other malware; obviously the personal emails accessed will not be going through your ‘safety’ program. Now all of a sudden more viruses and malware are installed (in a hidden manner).

The same goes for messaging services. I think it is hard to see how online accounting programs could have malware; the chance may be less, but it could happen that files are downloaded which have malware in them.

This is the reason an IPS (Intrusion Prevention System) is needed.


It is very hard to accurately predict all user actions, so another layer of defense at the firewall/network would be a good thing.
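The network layer is also where IT can find out which of the cloud categories in the Spiceworks list its users actually reach, and whether those sessions pulled a file down onto the endpoint. The script below is an added example, not code from the original post or from Spiceworks: it runs over a few constructed proxy log lines, maps each destination host to one of the listed categories, separates the one sanctioned service from shadow use, and flags downloads of non-HTML content from unsanctioned services (the post’s point about downloaded documents and plugins). The host-to-category table, the sanctioned host, the log format and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Illustrative host -> category table built from the categories in the survey
# list above; the domains are assumptions for this example, not a vetted list.
CLOUD_CATEGORIES = {
    "cloud_storage": ("dropbox.com", "drive.google.com", "onedrive.live.com"),
    "webmail": ("mail.google.com", "outlook.office365.com", "mail.yahoo.com"),
    "messaging": ("hangouts.google.com", "slack.com", "yammer.com"),
    "finance": ("qbo.intuit.com", "freshbooks.com"),
    "productivity": ("office.com", "docs.google.com"),
    "crm_sfa": ("salesforce.com", "zoho.com"),
}
# Hypothetical: the one cloud mail service IT sanctioned and routes through its mail scanning.
SANCTIONED_HOSTS = {"outlook.office365.com"}
# application/* responses that are API chatter rather than a file landing on the endpoint.
NON_DOWNLOAD_APP_TYPES = {"application/json", "application/javascript",
                          "application/x-www-form-urlencoded"}

# Constructed proxy log: time user src_ip host method status content_type bytes
SAMPLE_LOG = """\
2016-12-05T09:14:02Z alice 10.0.1.23 mail.google.com GET 200 text/html 8342
2016-12-05T09:15:40Z alice 10.0.1.23 mail.google.com GET 200 application/pdf 184320
2016-12-05T09:16:05Z bob 10.0.1.31 outlook.office365.com GET 200 text/html 5120
2016-12-05T09:20:11Z carol 10.0.1.44 www.dropbox.com GET 200 text/html 9001
2016-12-05T09:21:37Z carol 10.0.1.44 www.dropbox.com GET 200 application/zip 2097152
2016-12-05T09:25:00Z dave 10.0.1.52 app.slack.com GET 200 text/html 7777
2016-12-05T09:30:19Z erin 10.0.1.60 qbo.intuit.com GET 200 text/html 6543
2016-12-05T09:31:48Z frank 10.0.1.71 docs.google.com GET 200 text/html 4321
2016-12-05T09:32:02Z frank 10.0.1.71 intranet.example.local GET 200 text/html 2048
this line is not a proxy record
2016-12-05T09:40:55Z alice 10.0.1.23 mail.yahoo.com GET 200 application/octet-stream 65536
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) "
                     r"(?P<method>\S+) (?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$")


def parse_line(line):
    """Return the record fields, or None for a line that is not in the expected format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def classify_host(host):
    """Match the host or any of its subdomains against the category table."""
    host = host.lower().rstrip(".")
    for category, domains in CLOUD_CATEGORIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return category
    return None


def is_download(content_type):
    """A non-HTML, non-API payload means a file reached the endpoint."""
    ctype = content_type.split(";")[0].lower()
    return ctype.startswith("application/") and ctype not in NON_DOWNLOAD_APP_TYPES


def analyze(lines):
    """Summarise shadow cloud use per category, per user, and the downloads worth a look."""
    by_category, users, downloads = Counter(), {}, []
    sanctioned_hits = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep count: a parser that silently drops lines hides gaps
            continue
        category = classify_host(rec["host"])
        if category is None:
            continue               # not a cloud service we track
        if rec["host"].lower() in SANCTIONED_HOSTS:
            sanctioned_hits += 1   # goes through the company's own scanning
            continue
        by_category[category] += 1
        users.setdefault(category, set()).add(rec["user"])
        if is_download(rec["ctype"]):
            downloads.append((rec["user"], rec["host"], rec["ctype"]))
    return {
        "shadow_by_category": dict(by_category),
        "shadow_users": {c: sorted(u) for c, u in users.items()},
        "downloads": downloads,
        "sanctioned_hits": sanctioned_hits,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The `downloads` list is the one to feed into the IPS or endpoint team: a PDF pulled through personal Gmail or a zip from Dropbox never passed the company mail scanner. The per-category counts give GRC the inventory of what is in use; the sanctioned-host set is where a documented exception lives instead of in someone’s head.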

We know how to do our jobs of defending the network and perimeter, and the hacker finds any nook and cranny to get through this defense.

On the network we have TTP: Tactics, Techniques and Procedures. Technology (firewall and endpoint protection), and the procedures are where people are using their personal email on a company computer.

More attacks come in where hackers can get in with the least defense, like your unknown network devices:

And then any system on the network (like an IoT, Internet of Things, device: a new refrigerator, TV, light bulb, and really any other device, like the camera used in the DDoS attack in this post) can be hacked.

The hacker has tools like ncat and other innocuous programs that can be used by an enterprising person.

IPS systems, properly configured, can at least provide some defense against these odd attacks. But there is no foolproof defense, just constant surveillance and review, as well as patching and configuration updates as needed.

Not to mention that GRC (Governance, Risk, Compliance) is also important to keep track of all programs and devices on your network. GRC provides context and priority for attention.

Contact Us to discuss