#Can I outsource data security compliance tasks for my business | Explore Tumblr Posts and Blogs

everetttax · 4 years

Text

Why You Need To Consider Outsourcing Your Business Services

Owning your own home is said to be the American dream. Owning their own business is the way many plan to fund that dream. Statistics indicate that 80% of small business starts fail within the first two years, another 10% within five years. There is no single reason, rather a combination of factors. Those factors generally include: undercapitalization, lack of planning, no experience, insufficient education, loss of motivation beyond the idea stage, inability to understand the hiring process, unfamiliar with tax and legal issues affecting small business owners, trying to do it all yourself, not knowing when to get help and how to find quality coaching/mentoring resources.

Small business owners often find themselves in burnout as they try to do it all. It's hard to delegate your "baby" to others who don't have your dreams for the future. Are those dreams based on reality? To get anything generally requires we have to help others get what they want. Business owners who beat the odds recognize that no matter what, they are in the customer service business, first, middle, and last. Small business owners often bought into the "build a store and they will come" fantasy only to discover that sinking all their capital into a location before they had a market left them financial drained. Many small business owners either develop or market a unique product they hope everyone will want, or they find a niche that is underserved and fill it.

Illustration of a Unique Product: You may have developed the greatest widget ever. It does it all, it can be folded, spindled and mutilated and it will still deliver perfect service every time. For those of us in the real world, we recognize that almost any product has a predecessor. What sets your product apart is how you market it. Take for example how Volvo began marketing their vehicles.

Remember how they would show a head-on crash and you were amazed that the hood folded up in an upside-down "V" protecting the windshield; and, the engine was slanted to go under the car instead of through the firewall into the passenger compartment? We all thought that was innovative and showed superior design, so much so that generations of us bought a Volvo, paying as much as 10-15% more for those 'safety' features. Now, the truth: American auto manufacturers had been using similar safety features for years! Look under the hood of your American made car or truck and note the notches cut into the steel on each side. Yup! Those are there to collapse the hood into the upsidedown "V" position if you get hit head on. Their engines are also designed to drop and go under. That my friend is the power of marketing; but the difference is that Volvo TOLD us about it and that made them look like champs.

What do you do that everyone else does in your business? Who markets that concept as though they invented it? Try this one that I read recently:

"Who do you think brought the idea of payroll services to the market? Why settle for the Johnny-come-lately 'payroll experts' who want to copy our success? Allow us to become your payroll service provider. Our history, experience, and training make us the best choice for your business and we will still be here long after the others are gone. Your payroll services are in the right hands, if you will call today. Cheerful customer service people are standing by for your call. Call XXX-XXXX to put the strongest payroll service provider to work for you. We are ready to serve."

Now, take that ad apart. Did they actually say they "invented" the concept? Not at all, but by clever wording, they positioned themselves as the most established provider. Note how the ad creates the impression that newcomers are merely imitators, without anything original to offer. The third sentence reinforces the first two. The fourth sentence takes the assumptive role that you are already a client; you just don't know it yet. The "if" creates a since of urgency and gives you the sense that your decision is completely yours but is a clever way to push for the decision "today". Finally, the transition is made to calling for an appointment, that nice people with your best interests at heart are eagerly waiting by the phone to fulfill their life-long dream of helping you. The ad is a work of sheer genius.

The truth? This supposed inventor of the concept proved to be a startup company run by a very nice lady working from her home. She had just completed a course on payroll processing after purchasing a payroll module for a well-known accounting software package. Her total experience in payroll included six weeks on-the-job training working for someone else. In our interview, she admitted that the ad had already produced thirty new customers in the first 60 days. She had beat out over a dozen established payroll service vendors who only relied on word of mouth. By running a couple of ads in the local flea market newspaper, posting it on her chamber of commerce website, and by targeted mail, she was processing over 3,500 payroll checks for her clients. At $1.60 per employee per pay period her revenue stream was well over $11,000/month (two pay periods X 3500 X $1.60).

Why did she call us? She was overwhelmed by the volume of work. She didn't have time to stop and hire someone to help her and she was working 14 - 18 hour days. Her business grew so fast that she needed an actual office, a secretary, additional bookkeepers and customer service help. Also, despite having learned to use her accounting software and passing the course for bookkeeping, she didn't have the time to even track her own business. She saw a listing for our company on a local business web page and contacted us for help with hiring and training services, office location finding services, help setting up her new office (furniture, phones, lease agreement negotiation, address changes, business licenses, business cards, brochures, etc.).

Have you considered making a list of things that you know need to get done and then outsource those tasks? The time you save on petty tasks will allow you to grow your business. That is the number one goal you have, growth. If something isn't growing, it's dead! You need to be marketing your business, its services, its image. Hire others to do the day-to-day work and oversee, don't micromanage. Temps are readily available in the current market. For the first time in many years, you can find MBAs with 20 years experience searching for temp and part-time jobs. Take advantage of the times to gain all the expertise and knowledge you can while it is offered.

Here are just a few of the tasks and functions available through outsourcing today:

• payroll management • accounting/bookkeeping • payables and receivables • collections • competitive analysis • sales projections/forecasting • long-term planning • marketing/advertising • building a viable sales force • computer system setup • software installation and setup • data migration to upgraded systems • computer repair and maintenance • web site setup and management • employee benefits, health and other insurance • finding and securing needed financing for expansion and growth • key man insurance, 401K • developing a commission/bonus structure that is fair and rewarding • finding locations for expansion • negotiating with vendors • interim management • temporary staff hiring • staff and sales force training • safety/quality inspections • city/state compliance • quarterly/annual taxes • HR functions like interviewing, and annual reviews • setting up phonebook ads and other advertising • negotiating better supplier rates • finding new suppliers • partnering with other business owners for support • networking • customer tracking • customer data base management • new market development • research and development

Rank the items that you feel are most important to the growth of your business. Carefully review which items are dependent on other things happening first. Separate out the tasks that are independent and delegate them to the person best able to get the job done or consider hiring a temporary assistant to locate the people and companies best suited to help you cover those tasks. Then, concentrate on the more important tasks. Ask yourself, "If I found a capable person would I be willing to delegate this task?" Then, make your goal to find and hire a temp or long-term individual to accomplish that specific task. Hire for the task!

Taxes Everett

#Taxes Everett

0 notes

holytheoristtastemaker · 4 years

Link

The groundwork of all technology work, whether it's in software engineering, marketing, product management or on-call operations, is understanding the fundamentals. Getting a solid foundation in which to build a solid career upon requires some work to fully understand the basics. To understand the pervasiveness of the cloud in 2020 is overwhelming. From your Wal-Mart order for produce to the information on your favorite sports team, the cloud is part of providing the networking, storage and compute to power many parts of your daily life. Just to provide you with some of the financial implications globally of the cloud, this article in Feb 2020 shows the power of companies selecting cloud services:

Microsoft’s cloud services experienced the most significant growth, with revenue increasing 27%. Revenue in its business and productivity division, which includes LinkedIn, rose 17% to a total of $11.8 billion

The cloud, what is it?

Microsoft defines cloud computing as: the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping you lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change. The cloud comes with a number of major benefits that provide a leg up over traditional datacenter deployments. With a datacenter, you're relying on the operational overhead handle many of the big tasks that come along with reliably deploying services for your customers. I really like this definition of what I mean by overhead in this context:

Overhead (computing)

In computer science, overhead is any combination of excess or indirect computation time, memory, bandwidth, or other resources that are required to attain a particular goal. It is a special case of engineering overhead In the context of a datacenter, your overhead is the time and money spent on buying equipment, installtion, support, maintenance and security of your gear. You'll need to consider if you're going to rent a colocated space or building your own. Are you ensuring redunancy in your application? Does that mean you need a disaster recover location to handle failover? What about backups? Who ensure these are happening? Then there is compliance, are you beholden to GDPR, PCI, or any other external regulations? These are all things that Information Technology professionals have had to do to ensure their applications are always available. Seems like a ton of work, doesn't it? Well the reason people use the cloud many times is to offset this overhead to their vendor and spending more time on what their business actually does. If you're an e-commerce business, you want to spend your time improving your store, adding features and ensuring performance for your customers. The business is to sell people products, not to install computing infrastructure.

Top Benefits

Cloud computing is a big shift from the traditional way businesses think about IT resources. Here are seven common reasons organizations are turning to cloud computing services:

Cost - Rather than make a purchase up front for your datacenter gear, licenses and support - use a credit card and pay for what you need, when you need it.

Global Scale - Access to resources in datacenters across the planet. No installing, racking and stacking. Storage, compute and network resources whenever you need.

Performance - Use various types of CPUs, GPUs, enhanced networking and more to provide the best experience for your users.

Security - Remember all that compliance? That's done for you. Ensuring firewalls are configured by default, patching of Operating Systems and managing your secrets - all done in the cloud.

Speed - The ability to build, move fast and fail fast! If something doesn't work the way you want in your application, you can quickly spin up new resources. A Linux Virtual Machine is an example of a resource you can have available in just minutes.

Productivity - Focus on your business's needs - not the needs of a datacenter. Offset your IT tasks to managed services and reduce your overhead!

Reliability - The cloud comes with the knowledge, the tools and global datacenter availability to ensure that whatever you invent, it's invented with purpose. Reduce downtime, improve reliability and keep your app users happy!

Management over manual

Using the cloud means you have the ability to select managed service over those you need to maintain on your own. ****Managed services* is the practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions in order to improve operations and cut expenses.*** In the context of Microsoft Azure, there are so many managed services to select from. Let's say that you have a new CMS driven website that you are tasked with getting running. You could just set up a Linux VM, install a LAMP stack and then get Wordpress running, but you are assuming some risk here. By doing this without some managed services, you're reducing your ability to withstand many of the common problems with unmanaged servers. You may have MySQL, PHP and Apache all running on one single VM...what do you do when MySQL runs out of memory? What happens when your website is no longer available due to running into swap memory? More than likely you're going to spend some time on this once your pager goes off letting you know the site is offline. What if you could take away a lot of those headaches and still keep the CMS website online? Azure provides managed services for much of the common tasks you would associate with running a website like a Wordpress CMS. Azure provides a service to help you install, backup and maintain this service long term. By visiting the Azure Marketplace you'll be able to find this Wordpress app install. Rather than installing a MySQL server - we can select the Azure Database for MySQL managed service. Azure Database for MySQL provides fully managed, enterprise-ready community MySQL database as a service. You'll have backups, scalability and security you need for your database without having to configure it yourself. These are the tasks that can keep you up late or take a while to ensure you can automate. By using a managed service, you get all these feautres right out of the box.

What about my Word docs in the cloud?

Sure. there's a place for you. SaaS (software as a service) helps provide you with many of tasks like word processing, calendaring and email all in the cloud. No need to set up your own email server or a storage array with shares for your company. Select a SaaS like Microsoft 365, and much like our web service for our apps, we reduce overhead. Microsoft 365 is designed to help you achieve more with innovative Office apps, intelligent cloud services, and world-class security. SaaS solutions aren't just limited to productivity, you use them almost every day with tasks like signing documents, saving your files or even talking to a friend online.

Security first

Take advantage of multi-layered security provided by Microsoft across physical datacenters, infrastructure, and operations in Azure. Gain from the state-of-art security delivered in Azure data centers globally. Rely on a cloud that is built with customized hardware, has security controls integrated into the hardware and firmware components, and added protections against threats such as DDoS. Benefit from a team of more than 3,500 global cybersecurity experts that work together to help safeguard your business assets and data in Azure. Read even more about Secuity on Azure here.

The number of managed services Azure provides is tremendous, over 200 at the time of this blog. You have access to AI, IoT, DevOps tools, and so much more. You can get a view of the entire list of products by checking the Azure Directory of Cloud Services.

Sure there's tons of companies using the cloud... what about me?

Starting with the foundations to help you invent with purpose are there. By learning how to build applications, manage resources and more can help you get the most out of the cloud. Here are some great sources to begin using many of the things I discussed in this blog post:

Microsoft Learn

Master core concepts at your speed and on your schedule. Whether you've got 15 minutes or an hour, you can develop practical skills through interactive modules and paths. Learn has a number of learning paths to help you get your start. You can get the fundamentals down first and then move on to your certification showing your proficiency. Exam AZ-900: Microsoft Azure Fundamentals is great to show you know how to use the foundational products that make up the cloud and Azure.

Docs

Discover comprehensive documentation for consumers, developers, and IT administrators through tutorials and code examples. Docs on subjects like Visual Studio Code, Microsoft 365, Azure and even gaming! The docs website contains tons of information, reference guides and even quickstart how-to's that can help you understand how to use the services described. One of my favorite quickstarts is Create an Azure Cosmos account, database, container, and items from the Azure portal. It's a perfect first step into understanding the global NoSQL database service, Cosmos DB.

Azure Advocates

Our team's charter is to help every technologist on the planet succeed, be they students or those working in enterprises or startups. We engage in outreach to developers and others in the software ecosystem, all designed to further technical education and proficiency with the Microsoft Cloud + AI platform. We create content, bring back feedback and do our best to help you learn about how to use Azure. Many of us are available on Twitter and want to hear what you're up to or need help with. Check out this guide for a list of advocates and their technology specialties!

Microsoft Build 2020

Join us for the 48-hour digital experience, at no cost, May 19-20. As developers come together to help the world solve new challenges, sharing knowledge and staying connected is more important than ever. Join your community to learn, connect, and code—to expand your skillset today, and innovate for tomorrow. For developers by developers, a non-stop, 48-hour interactive experience straight to your screen—but what if you can’t wait until May 19? Keep exploring leading up to the event and get a jumpstart on your Microsoft Build experience. This is a different kind of Microsoft Build delivered in a new way. Presenting a digital event provides the developer community unique opportunities to come together for a truly global experience. Register for free. Check out the full agenda!

PDT Experiences 8:00 AM Microsoft Build digital event begins 8:20 AM Empowering every developer, with Satya Nadella 8:40 AM Imagine Cup 9:00 AM Every developer is welcome, with Scott Hanselman and guests 10:15 AM Azure for every developer, with Scott Guthrie and guests 11:00 AM Building the tools for modern work, with Rajesh Jha and guests 12:30 PM Digital Breakouts with live Q&A 4:45 PM Social Hour: Mix, Mingle, and Celebrate 5:20 PM Empowering every developer, with Satya Nadella 5:40 PM Imagine Cup 6:00 PM Every developer is welcome, with Scott Hanselman and guests 7:30 PM Digital Breakouts with live Q&A

PDT Experiences 12:15 AM Azure for every developer, with Scott Guthrie and guests 1:00 AM New ways to work and learn, with Rajesh Jha and guests 2:00 AM Digital Breakouts with live Q&A 9:45 AM The future of tech, with Kevin Scott and guests 10:30 AM Ask Scott Guthrie, with Scott Guthrie 11:30 AM Power Platform for developers, with James Philips 12:30 PM Digital Breakouts with live Q&A 6:30 PM Social Hour: Mix, Mingle, and Celebrate 7:30 PM The future of tech, with Kevin Scott and guests 8:15 PM Power Platform for developers, with James Philips 9:30 PM Digital Breakouts with live Q&A

Get started

What do you want to learn about the cloud today? This blog should help you at least start finding a path to getting those answers on what you want to invent with purpose.

0 notes

simonconsultancypage · 5 years

Text

Guest Post: What the Capital One Hack Means for Board of Directors

John Reed Stark

The news of the recent massive data breach at Capital One made the front pages of the business sections of newspapers across the country. The hack has drawn attention not just because of the magnitude of the hack, but also because the hackers apparently managed to steal data from The Cloud. The Capital Data breach represents a “wake-up call” for boards of directors, according to the following guest post from John Reed Stark. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. My thanks to John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.

*********************************

Another day, another data breach. This time at Capital One, the fifth largest credit card issuer in the United States.

Specifically, on July 29, 2019, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of 100 million Capital One Financial Corp credit applications from a rented cloud data server. The FBI says Capital One learned about the theft from a July 17, 2019, email stating that some of its leaked data was being stored for public view on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of Paige A. Thompson. According to the FBI, Thompson also used a public Meetup group under the alias “erratic,” where she invited others to join a Slack channel named “Netcrave Communications.”

KrebsOnSecurity, actually entered the open Netcrave Slack channel on July 30, 2019, and reviewed a June 27, 2019 commentary Thompson, which listed various databases she found by hacking into improperly secured Amazon cloud accounts, suggesting that Thompson may also have exfiltrated tens of gigabytes of data belonging to other major corporations.

Ironically, Capital One is considered by many to be a digital banking pioneer and one of the more cyber-savvy companies in the world, evidencing how even the most technologically mature organizations are struggling to manage the rising force of third-party cyber-risk.

Make no mistake: vendors, partners, business associates, and other third parties whose outsourced operations become integrated within a company, can pose a challenging and existential cybersecurity threat to operations. Yet despite increased regulatory scrutiny; growing virtual threats at a global, national and state level; and a riskier business environment, most experts would attest that the relative maturity level of vendor risk management programs is still lacking. For example, CrowdStrike’s 2018 report “Securing the Supply Chain” states:

“Although almost 90 percent of the respondents believe they are at risk for supply chain attack, companies are still slow to detect, remediate and respond to threats.”

Undoubtedly, upon learning of the Capital One hack, corporate board members across the U.S. are likely struck by one immediate thought (there but for the grace of God go I) and one immediate question (What should I do now?).

This article tackles the issue of third party digital risk management head-on, by offering a useful and comprehensive strategical framework for boards of directors to undertake intelligent, thoughtful, and appropriate supervision of a company’s vendor-related cybersecurity risks, especially those risks relating to cloud computing services.

Vendors and Cybersecurity

Companies today rely on a broad range of third party vendors to support core business functions, which typically entails granting these third-party entities access to a company’s data and its internal systems. This digital interconnectivity between vendor and customer creates an inherent risk as cybersecurity shortcomings of third-party vendors have become the go-to-attack vector for cybercriminals. In fact, PWC reports that 63% of all cyber-attacks could be traced either directly or indirectly to third parties.

Vendor’s often maintain less stringent security protocols, raise fewer suspicions and allow for easier identity masking — providing ideal points of entry for attackers looking to leverage unauthorized access. For example, in the Target breach, attackers began by using malware to steal credentials from the air conditioning subcontractor, and from there had access to Target’s vendor-dedicated web services. In the JP Morgan data breach, the cyber-attack infiltrated J.P. Morgan’s Corporate Challenge online platform run by an outside website vendor.

Some other recent examples illustrate how varied and almost epidemic cyber-attacks vis-a-vis third party vendors have become, including:

AMCA (Billing Vendor). Billing services vendor American Medical Collections Agency (AMCA) was hacked for eight months between August 1, 2018 and March 30, 2019, impacting more than 25 million patients. At least six covered entities have come forward to report their patient data was compromised by the AMCA hack, including 7.7 million LabCorp patients, 12 million Quest Diagnostics patients and 422,000 BioReference patients. Unable to manage the financial impact of the data breach, AMCA has now filed for Chapter 11 bankruptcy;

Applebee’s (Point of Sale Vendor). The Applebee’s restaurant chains reported point-of-sale data breaches that resided on a third-party system and exposed payment card information at some of the chain’s corporate and franchised locations, possibly affecting all of its167 locations. The exfiltrated information included cardholder name, credit/debit card number, expiration date, cardholder verification value, and service code. Similar breaches of payment systems occurred at fast food chains Sonic Drive-In, Arby’s, and Chipotle, and stores Forever 21, Whole Foods, Kmart, and Brooks Brothers; and

BestBuy, Sears, Kmart, Delta (Chat Vendor). These three vastly different companies had one characteristic in common – they all used [24]7.ai, a chat and customer services vendor for many brand names, which was hacked via malware, compromising credit card information, addresses, CVV numbers, card expiration dates and other personal data across multiple customer groups.

Boards and Cybersecurity

Every board now knows it’s company will fall victim to a cyber-attack, and even worse, that the board of directors will need to clean up the mess and superintend the fallout. Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses.

Consider the Capital One data breach. When a cyber-attack involves a third party vendor of any sort, a myriad of tasks immediately emerge, including:

Digital forensic preservation and investigation;

Fulfillment of state and federal compliance obligations;

Responding to potential litigation with third parties;

Class action defense (within 24 hours of the Capital One announcement, plaintiffs had already filed a bevy of class suits against Capital One);

Engagement with law enforcement (the FBI is already investigating other possible data breaches related to Capital One);

State regulatory response (New York Attorney General Letitia James announced that her office immediately opened an investigation into the Capital One incident stating, “Safeguards were missing that allowed for the illegal access of consumers’ names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information.”);

Provision of credit monitoring and identity protection;

Managing of insurance claims;

Public relations planning; and

So many other anticipated and unanticipated breach-related tasks such as briefing customers, partners, employees, affiliates, insurance carriers, and a range of other interested parties.

And besides the more predictable workflow, Capital One will become exposed to other, even more intangible costs as well, including temporary, or even, permanent reputational and brand damage; loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.

Given the explosive growth of outsourced technology services and the increasingly intimate cyber-integration and relationship of companies and third party vendors, boards need to monitor and challenge their third-party exposure and insure the proper implementation of safeguards and processes to reduce their vulnerability.

Boards, Vendors and Data Breaches

Outsourcing of services such as information technology (IT), payroll, accounting, pension, and other financial services, has become increasingly common for today’s corporations, and raises particularly challenging cybersecurity concerns. For instance, the Trustwave 2018 Global Security Report (GSR) found a marked increase of 9.5% in compromises targeting businesses that provide IT services. In stark contrast, service provider compromises did not even register in the 2016 GSR statistics.

Given this sudden explosion of IT-related vendors, boards of directors should probe the practices and procedures of their respective companies with respect to the cybersecurity of their vendors. Most importantly, boards should understand that data security incidents involving companies and their vendors are a “two way street.” In other words, given that cyber-attackers will often traverse across a company’s network and into the networks of its vendors or vice versa, cyber-attacks can often result in disputes as to the culpability for an attack.

Along these lines, boards should confirm that their respective company’s carefully manage vendor access to its networks, customer data or other sensitive information, by inquiring whether their respective companies:

Have high standards for their vendors, mandating for instance that vendors: have been in business for a reasonable amount of time; have earned certain data security and government compliance certifications (such as PCI, HIPAA and SOX); have annual third party risk and security assessments (which the company can review); make proper use of encryption; use the latest methodology and technology to protect and control access to data and ensure that it meets current security trends and regulations; use two-factor authentication; maintain good password management; have strong cybersecurity training practices; have incident response plans, disaster recovery plans, table-top cyber-attack exercises and place limitations on daily ingress or egress of data;

Place vendors into different risk categories based on the nature and quantity of company information to which they have access (such as personally identifiable data (PII), payment card information (PCI) or protected health information (PHI)). For example, if a vendor has access to PII or to PHI, then a data breach at the vendor would impact the company substantially. But If the vendor only accesses publicly available information, a data breach would have far less of an impact;

Map data-flow by assigning data custodians, implementing system controls, enforcing security policies and executing strict data handling procedures and auditing;

Research whether vendors have experienced data security incidents in the past and how those incidents were handled;

Consider constructing an interactive vendor portal for sharing knowledge and a hotline to answer and report issues;

Insure that vendors maintain proper incident-response protocols (e.g. who is the responsible party within the organization to notify when a vendor experiences a data security incident? What is the notification procedure? What is the anticipated timeline?);

Consider physical site visits to assess vendor cybersecurity first-hand;

Have contractual agreements with vendors that cover audit rights, cooperation rights and other relationship-based based demarcation definitions;

Insure that vendors adhere to all applicable laws, especially those relating to data privacy, such as the General Data Protection Regulation (GDPR), Privacy Shield Framework, and the new California Consumer Privacy Act (CCPA);

Conduct due diligence on vendors to assess their security and privacy practices as part of a procurement process and throughout the ongoing vendor relationship. This means establishing via written agreements and ongoing supervision, formal vendor management programs that assess risk and identify potential cybersecurity concerns prior to engaging in a business relationship;

Include robust privacy and data security clauses in contracts with vendors, including strict and broad data security incident notification provisions;

Maintain a register of all vendors and the types of personal, sensitive of confidential information the vendors accesses, stores, shares, transfers, etc.;

Engage in annual third party cybersecurity audits and assessments;

Check references of vendors, and establish clear “data out” procedures if the company wants to terminate its relationship with a vendor;

Review not just how sensitive data will be stored, but also how it will be handled when a vendor relationship ends (because former vendor relationships can create even greater risk to an organizations than existing ones); and

Create contractually defined practical and realistic appropriate remediation protocols.

If vendors conduct remote maintenance of a company’s networks and devices, in the event of a cyber-attack, the company may want to confirm it can obtain copies of any relevant logs, as well as access the third-party system to scan for IOCs.

Boards should also probe the company/vendor communication lines and make sure they are established and thoughtfully staffed and structured, incorporating all of the legal implications of communications. One simple inculpatory miscommunication from the company’s IT department to a vendor (e.g. “I think we screwed up and missed a patch.”) can trigger calamitous legal liabilities.

Boards should also probe whether a company’s vendors have cyber insurance coverage and/or agreements that require the vendor to defend and indemnify the company for legal liability arising from any release or disclosure of the information resulting from the cybersecurity failure of the vendor. Similarly, boards should probe how vendors will deal with government requests or subpoenas that involve data of the company. For instance, will the company be notified and will the company be offered an opportunity to contest any subpoena (and who will pay for any resulting litigation against the government pertaining to the subpoena’s enforcement.)

For boards, the appropriate level of cybersecurity due diligence for vendors is bespoke. Consider the New York State Department of Financial Services (NYDFS) Cybersecurity requirements for financial services firms, one of the more onerous state cyber-regulatory regimes in the country, which lays out more general requirements than specific ones.

For example, per the NYDFS, all third party service providers are not specifically required to implement multi-factor authentication and encryption. Rather, New York financial firms must engage “in a risk assessment regarding the appropriate controls for third party service providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.”

When a Vendor Suffers a Data Breach

With respect to data security incidents, a board should focus its lens on two distinct perspectives:

What happens if there is a data security incident at a vendor which impacts the company; and

What happens if there is a data security incident at the company that impacts a vendor.

Under either scenario, much of the communication and cooperation between a vendor and a company will be dictated by the contractual terms governing their relationship.

Along these lines, boards should also confirm that their respective companies have contractual language establishing the company’s rights when a cyber-attack occurs involving a vendor, which can range from notification, to on-site inspections, to the option of an independent risk and security assessment/audit of the vendor (at the vendor’s, and not the company’s, expense).

Specifically, in the event of a data security incident at a vendor, contracts should explicitly allow for the company to know all relevant facts relating to the cyber-attack, especially:

Whether their data has potentially been compromised;

Whether services will experience any disruption;

The nature of remediation efforts;

Whether there are any official or unofficial findings of any investigation; or

Whether there is any other information that can impact their operations or reputation.

On the other hand, when a company discovers a data security incident, vendors might make requests to the company, such as seeking images of malware and indicators of compromise (IOCs) or wanting to visit the company and inspect the company with its own investigation team. Vendors may ask for weekly or even daily briefings and may demand attestations in writing with respect to any findings pertaining to their data. Boards should also probe these requirements, obligations, protocols, etc. – to insure that these communications lines are contractually defined, controlled and properly modulated.

Spotlight: Cloud Storage Vendors

Whether AWS will be held at all responsible for Thompson’s alleged cyber-attack upon Capital One remains to be seen. AWS emphatically denies any culpability, issuing a statement asserting:

“AWS was not compromised in any way and functioned as designed . . . The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”

AWS might have a good point. First, according to the Capital One news release announcing incident, the firewall configuration vulnerability that Thompson exploited is “a specific configuration vulnerability in our infrastructure . . . not specific to the cloud.” Capital One even touts the cloud as helping with its incident response, stating:

“The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”

Second, the outcome will center around the contractual arrangement between AWS and Capital One, and AWS’s notoriously detailed contracts tend to favor AWS (according to Gartner, AWS has a 47.8% market share of the cloud computing space). Third, users like Capital One typically maintain full control over any applications they build on top of AWS.

On the other hand, there is a wildcard thrown into the liability calculus that could become a problem for AWS: Thompson is a former AWS employee who worked in the company’s S3 cloud storage technology group, and is suspected of exfiltrating data from other possible AWS customers. As more information is stored in the cloud, staff system engineers like Thompson, trained to become experts using these cloud systems, could become a threat to other companies. If it’s established that Thompson somehow used proprietary AWS information in order to carry out her hack into Capital One, or perhaps that AWS should have done more to alert Capital One about server configuration vulnerabilities or errors, liability could shift to AWS.

Interestingly, AWS considers Capital One to be a prized customer. In fact, Capital One’s CIO Rob Alexander gushed ad nauseum over AWS at a 2015 Las Vegas AWS conference. AWS even showcases the interconnectivity of its Capital One relationship on the AWS website, stating:

“Capital One is using AWS as a central part of its technology strategy. As a result, the bank plans to reduce its data center footprint from eight to three by 2018. Capital One is one of the nation’s largest banks and offers credit cards, checking and savings accounts, auto loans, rewards, and online banking services for consumers and businesses. It is using or experimenting with nearly every AWS service to develop, test, build, and run its most critical workloads, including its new flagship mobile-banking application. Capital One selected AWS for its security model and for the ability to provision infrastructure on the fly, the elasticity to handle purchasing demands at peak times, its high availability, and its pace of innovation.”

Under any circumstance, whether AWS shoulders any of the liability for the Capital One breach, the incident should still serve as a wake-up call for the bet-the-company cybersecurity risks associated with utilizing cloud computing services, and highlights the importance of knowing who becomes liable in the event of a cloud-related data security incident.

Cloud Services and Cybersecurity

More companies, from government to manufacturing to retail, are becoming increasingly comfortable about moving their data to the cloud. Why? Because cloud platforms coordinate globally based integration of networks and enable new, highly complex business models, dramatic cost savings, exponential scalability, increased mobility and easier collaboration.

Indeed, the global public cloud computing market is set to reach $258 billion in 2019, with an average of about one third of companies’ IT budget going to cloud services. Banks in particular are forecast to spend more than $53 billion on public cloud infrastructure and data services, up from $24.3 billion in 2018. But all of this growth is not without risk.

When a company stores critical or confidential information in the cloud, that information is essentially stored off-site, possibly in another country. Along these lines, boards should confirm that their respective companies are using cloud providers that can reasonably protect and provide assurances on overall data security.

Specifically, boards should probe a company’s cloud-related practices, especially an assessment of any enterprise-grade security systems and analytics, a determination of the attack vectors, and a review of data security measures. Important questions include:

Whether the cloud data is encrypted (in transition and in motion);

Who holds the encryption keys for cloud data;

Whether the cloud data is subject to search and seizure (both domestically and internationally);

The nature of data protections used by the cloud firm;

How transparent the cloud providers’ own security systems are;

What access can the company get to the cloud provider’s data center and personnel to ensure the security system is in place and functioning and make sure it can undertake a risk assessment and design a response plan;

Whether company customers have given approval for cloud storage of their data;

What the cloud servicers’ responsibilities are to update their security systems as technology and cyber-attack sophistication evolves;

How the cloud providers continuously monitor, detect, and respond to security incidents;

What cloud logging exists and how long logs are maintained;

How and when cloud data is destroyed;

Whether cloud data could be subject to a litigation hold and what technologies allow for the cloud data’s perusal;

What happens when a cloud company receives a subpoena or other request or is subjected to a search warrant from any government that involves the company’s data;

What auditing is permitted of the security capabilities of the cloud company;

What regulatory and privacy requirements apply to the PII, PHI, personal financial information, or other customer data within the cloud data;

Whether the cloud firm and the company have any indemnification agreements or evidence of cyber insurance;

Whether the company’s insurance policies cover losses from activities undertaken by the cloud service providers in the event of a cyber-attack;

What types of pen testing are undertaken by the cloud firm; and

What the specific details and efficacy of security policies and procedures of the cloud firm are.

Boards should also confirm that a company has a comprehensive means to prevent sensitive data from being uploaded to the cloud for inappropriate sharing, and the requisite visibility and access to detect anomalies, conduct further investigation and launch quick and decisive remedial action.

Along these lines, questions should cover technologies used to prevent the unauthorized use of cloud applications by employees; internal controls regarding any cloud applications used by employees; an incident response plan for handling an attack on any cloud application; and employee training concerning use of cloud applications.

Cloud-Based Filing Services

Cloud-based file-sharing services, such as Dropbox, Google Drive, Box, and others, are another way confidential information leaks out of a company – and have become an increasingly popular way to store, back-up, transfer and temporarily warehouse large data files.

Such cloud services often are used through personal accounts, despite many large companies prohibiting, as a matter of policy, the use of such services for these purposes. Some companies also block access to such services from the company’s systems (such as desktops, laptops, tablets, phones, etc.) with effective security controls, while other companies are less sophisticated or simply resist the notion of becoming the automated “data nanny” for their employees.

Boards should probe the company’s policies, practices and procedures regarding cloud-sharing services used by employees and confirm that the company maintains adequate and appropriate cybersecurity for the myriad of enterprise and personal cloud-service applications.

Looking Ahead

As companies expand, they must inevitably trust critical business operations to third parties for specialty services, especially those relating to technology. But while the influx of third party fintech, including cloud computing, can benefit companies exponentially, their integration also triggers additional costs and risks. By expanding and complicating digital ecosystems, IT outsourcing can increase vulnerabilities and weaknesses, thereby creating dramatic bet-the-company threats relating to cybersecurity and data management. Capital One is clearly learning this lesson the hard way.

For corporate directors, who have a fiduciary duty to understand and oversee cybersecurity, yet often have little if any, cybersecurity experience, there is no need to feel insecure. Given that just one successful attack can irreparably damage a company built on 100 years of excellence and hard work, who can blame board members for lacking confidence in how they are monitoring cybersecurity risk, both within the organization and especially among vendors. But cybersecurity engagement for boards does not mean that board members must obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts.

Responsible boards of directors can begin by becoming more preemptive in evaluating cybersecurity vendor risk exposure, and endeavor to elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item, at the top of a board’s oversight agenda. Indeed, a recent Protiviti study shows that higher levels of board engagement with vendor risk management often leads to sufficient resource allocations to those programs. And, as might be expected, lower board engagement is often a characteristic of underperforming vendor risk management programs.

Good cybersecurity hygiene is good for business, it evidences discipline, maturity, integrity, dependability, reliability, trustworthiness and a whole lot more. By approaching cyber-risks of vendors with vigorous, skeptical, intelligent, independent and methodical administration and inquiry, boards will not just insure that company data is appropriately secure, boards will also make their companies more prosperous. My dad always preached that if you want success, start with your health. The same definitely goes for cybersecurity.

__________________________

John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”

The post Guest Post: What the Capital One Hack Means for Board of Directors appeared first on The D&O Diary.

Guest Post: What the Capital One Hack Means for Board of Directors published first on http://simonconsultancypage.tumblr.com/

0 notes

lawfultruth · 5 years