by Rebeca | Jan 11, 2023 | cybersecurity, GRC
Transforming risk into a strategic advantage
The need for a conscious, holistic approach to governance, risk, and compliance (GRC) has never been more critical to organizations. As the business environment changes, companies need to evolve their GRC strategies to maintain a comprehensive view of interconnected risks, understand the financial implications of those risks, and make more informed decisions at all levels.
How to take a proactive approach to transform risk into a strategic advantage:
- As your business prepares for inflation, economic uncertainty, and the global risk of stagflation, you must build resiliency to recover from obstacles with minimal business impact. Resiliency has gained importance in recent years. It integrates with enterprise-wide risk management and works across the organization, providing a comprehensive view of what’s at stake. Agility and resilience complement each other.
- Technology leaders, like CIOs, now at the center of corporate decisions, are becoming critical decision-makers in core business functions such as marketing, sales, product development, and finance.
- To build and maintain customer trust in third-party vendors, you need a proactive approach to third-party risk management. Amid escalating economic uncertainty, you need to look closely at third-party companies as businesses – which vendors are mission-critical and which ones you can eliminate with minimal negative impact. Most companies conduct some due diligence, but many don’t monitor third-party risks beyond an annual checklist. By then, information could be outdated, vendors noncompliant, and your business at risk. With the right tools and clear communication, your business can manage vendor risks to protect yourself and your customers.
- More than 80% of consumers believe companies should actively shape ESG guidelines, and almost all (91%) business leaders believe their organization is responsible for acting on ESG issues. Additionally, 86% of employees want to work for businesses that share their values.
- A resilient organization requires flexible and adaptable structures in all operational areas. While hybrid work offers employees flexibility, it also increases operational risk.
Risk management is everyone’s responsibility. Cultivating a culture of resiliency and taking control of third-party relationships will improve your risk posture. Risk becomes a strategic advantage when you empower your CIO as a changemaker and commit to robust ESG monitoring and reporting practices.
Sources:
- Learn.g2.com
- PwC
- Logicgate.com
- Worldbank
by Rebeca | Jan 4, 2023 | cybersecurity
Cybersecurity Law Code
The NIS Directive, Directive (EU) 2016/1148, sets out measures to ensure a high common level of security of network and information systems across the Union. Two of its articles deal specifically with the security of network and information systems: Article 14 for operators of essential services and Article 16 for digital service providers.
Thus, Article 14 establishes that “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.”
In other words, Member States must ensure that operators adopt measures proportionate to the risk posed, and that those measures prevent and minimize the impact of incidents affecting security.
Likewise, operators must notify the competent authority or the CSIRT (Computer Security Incident Response Team) without undue delay of incidents having a significant impact on the continuity of the essential services they provide, so that institutional or national measures can be taken where appropriate.
In addition, the EU Cybersecurity Act (Regulation (EU) 2019/881) entered into force on 27 June 2019 and introduced:
- An EU-wide cybersecurity certification framework for ICT products, services and processes,
- A permanent and strengthened mandate for ENISA, the EU Agency for Cybersecurity.
Thanks to it, the EU has put in place a single EU-wide certification framework that will build trust, increase the growth of the cybersecurity market, and facilitate trade across the EU.
In Spain we have a Cybersecurity Law Code (Código de Derecho de la Ciberseguridad), published by the Official State Gazette (BOE), which compiles the main rules to be taken into account for the protection of cyberspace and for ensuring the cybersecurity described above.
Regarding cybersecurity at a technical and organizational level, it is also necessary to take into account the General Data Protection Regulation, Regulation (EU) 2016/679, as well as other international protocols or rules, especially those governing the international transfer of data, such as the EU-US Privacy Shield. Note that the Court of Justice of the EU invalidated the Privacy Shield in July 2020 (Schrems II), so it can no longer be relied on as a transfer mechanism.
These are just some of the rules that aim to protect cyberspace, but there are many more detailed ones that regulate even more specific aspects.
Cybersecurity therefore touches many areas of criminal and civil law, and of the protection of honor and privacy, among others, that also apply in the physical world. What must be taken into account is the online dimension in which these illicit or illegal actions take place, and the resulting impact of their occurring in the digital world.
Also, on 15 September 2022 the European Commission published a proposal for a Cyber Resilience Act (the ‘Regulation’), which aims to:
- ensure that cyber security is considered during the development of hardware and software products and is continuously improved throughout that product’s life cycle; and
- improve transparency so that users can take cybersecurity into account when selecting and using a product with digital elements.
The Regulation will impact a broad range of parties in the technology supply chain, who should consider how the additional cyber-security requirements will impact their manufacturing and distribution processes. Whilst the majority of the obligations will come into effect 24 months after entry into force, manufacturers will only have twelve months to comply with the Act’s reporting obligations.
Sources:
- technologylawdispatch
- enisa.europa.eu
by Rebeca | Dec 28, 2022 | cybersecurity
Ransomware: To pay or not to pay
The main goal of attackers carrying out a ransomware attack is to extort a ransom and profit from it.
64% of Spanish companies agreed to pay the ransom demanded by cybercriminals, and 43% of them did so to become operational again because the attack had paralyzed their activity. This is the conclusion of the Hiscox Cyber Readiness Report 2022; Hiscox is an insurer offering specialized products for businesses and professionals in the Spanish market.
Among small and medium-sized Spanish companies, the share that paid in order to become operational again rises to 56%. This type of attack endangers a company’s finances: the ransoms paid by Spanish companies in 2021 alone cost each of them an average of €19,400, not counting the further €10,843 they invested on average to recover normal activity after the incident.
However, paying does not buy peace of mind: 47% of the companies that decided to pay the ransom suffered a second ransomware attack, a figure that rises to 50% for small and medium-sized companies in Spain.
Ransomware is the third most common attack companies suffer (22%), behind denial of service (38%) and financial fraud (32%). Among SMEs, ransomware attacks are becoming more frequent: they represented only 11% of attacks in 2020 but 20% in 2021.
But why shouldn’t we pay? There are different reasons:
- Nothing guarantees that we will recover the files.
- In certain circumstances it is illegal to pay such a ransom, and failing to inform the authorities that we have been the victim of a ransomware attack may also be an offence. In the United States, for example, a payment to an actor under OFAC sanctions is a sanctions violation that can carry civil and, for wilful breaches, criminal penalties.
- Paying allows cybercriminals to continue their attacks since we would be financing the attackers.
Soffid recommends adopting the principle of least privilege for internal and external network users. Against ransomware it is effective to reduce the privileges of user accounts, keeping to a minimum the accounts that hold system administrator privileges: a ransomware agent running under an unprivileged account can only encrypt or tamper with what that account can reach, which shrinks the attack surface it can exploit.
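The least-privilege recommendation above starts with knowing who actually holds administrator rights. The following script is an added illustration, not Soffid product code: it parses lines in the standard /etc/group format (name:password:gid:member1,member2), cross-checks them against a constructed record of when each account last used elevated rights, and lists the memberships that least privilege says to revoke. The set of admin-equivalent group names, the `svc-` prefix for service accounts, the 90-day idle threshold and the audit date are assumptions.

```python
"""Least-privilege audit for administrator group membership (added example)."""
from datetime import date, timedelta

ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}  # assumed admin-equivalent groups
MAX_IDLE_DAYS = 90                                  # assumed review threshold
AUDIT_DATE = date(2023, 1, 1)                       # assumed "today" for the audit

# Constructed sample in /etc/group format; not captured from a real host.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:carol
staff:x:50:alice,bob,carol,dave
"""

# Constructed: last day each account actually used elevated rights (None = never).
LAST_ELEVATED_USE = {
    "alice": date(2022, 12, 20),
    "bob": date(2022, 5, 3),
    "carol": date(2022, 12, 1),
    "svc-backup": None,
}


def parse_group_file(text):
    """Map group name -> list of members from /etc/group-formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def admin_memberships(groups):
    """Map user -> sorted list of admin-equivalent groups the user belongs to."""
    found = {}
    for group, members in groups.items():
        if group in ADMIN_GROUPS:
            for user in members:
                found.setdefault(user, set()).add(group)
    return {user: sorted(gs) for user, gs in found.items()}


def revocation_candidates(groups, last_use, today):
    """Return sorted (user, group, reason) tuples for memberships to remove.

    Rules (assumed policy): service accounts never keep interactive admin
    rights; an account that has not used elevated rights within
    MAX_IDLE_DAYS, or never, loses them until re-justified.
    """
    cutoff = today - timedelta(days=MAX_IDLE_DAYS)
    out = []
    for user, admin_groups in admin_memberships(groups).items():
        if user.startswith("svc-"):
            reason = "service account holds interactive admin rights"
        elif last_use.get(user) is None:
            reason = "no recorded use of elevated rights"
        elif last_use[user] < cutoff:
            reason = f"elevated rights unused since {last_use[user].isoformat()}"
        else:
            continue  # recent, justified use: keep the membership
        out.extend((user, group, reason) for group in admin_groups)
    return sorted(out)


if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    for user, group, reason in revocation_candidates(groups, LAST_ELEVATED_USE, AUDIT_DATE):
        print(f"revoke {user} from {group}: {reason}")
```

On a real host the group file is read from /etc/group and the last-use record would come from sudo or audit logs; the output is a review list for a human, not an automatic removal.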
Sources:
- thelawreviews
- signaturit
- redeszone
by Rebeca | Dec 21, 2022 | soffid, Uncategorized
At the holiday season, our thoughts turn gratefully to those who have made our progress possible. It is in this spirit that we say…
… Thank you and best wishes for the holidays and Happy New Year.
There is news coming in 2023, and we look forward to sharing the best of it with you during the upcoming year.
by Rebeca | Dec 14, 2022 | cybersecurity
Zero Trust
This concept was coined in 2010 by John Kindervag, a former Forrester Research analyst who is also considered one of the world’s leading cybersecurity experts. Guided by the principle “never trust, always verify”, the application of this strategy aims to protect modern digital environments with increasingly mobile and connected users.
A zero-trust approach enables organizations to make access decisions based on the context of the transaction, including factors such as user identity, classification of the data being accessed, device security profile, network, the application and the authenticators used.
Building a zero-trust architecture requires having excellent identity data, properly provisioned entitlements, as well as standardized authentication and authorization enforcement.
Why Zero Trust?
Many organizations have taken a decentralized approach to identity and access management, allowing multiple lines of business to build their own controls. Unfortunately, this leads to duplicate access enforcement systems. Zero Trust takes a more consistent approach across the enterprise, providing visibility and enforcement of access policies. This means increased security and compliance.
Implementing zero trust is an interdisciplinary exercise spanning identity, access management, and infrastructure security. There is no single technology that can cover all requirements. Access policies can be enforced in access management solutions, privileged access tools, network infrastructure, API gateways, cloud platforms, and even within application code.
To get started on the zero trust journey, organizations must:
- Identify policy enforcement points and policy engines for access decisions.
- Understand the policy information points (the sources of identity, device, data and authentication attributes that feed each decision).
- Identify implementation patterns.
- Know their data.
- Develop a risk-based roadmap.
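To make the context-based access decision described above concrete, and to show what the policy engine and policy information points named in the list actually do, here is an added example of a small policy decision point. It is illustrative code, not Soffid’s product or any standard; the classification scale, the authenticator-strength scale, the entitlement table and the device-posture rules are all assumptions, and the entitlement table stands in for what a policy information point would return.

```python
"""Zero-trust policy decision point: decide each request from its context (added example)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # allow only after stronger authentication


# Assumed scales: data classification order and authenticator strength.
CLASS_LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
AUTH_STRENGTH = {"password": 1, "otp": 2, "fido2": 3}  # fido2 = phishing-resistant


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    application: str
    data_classification: str
    device_managed: bool
    device_compliant: bool
    network: str          # "corp", "vpn" or "internet": context, never a bypass
    authenticator: str


# Constructed entitlement table (what a policy information point would answer):
# application -> role -> highest classification that role may touch there.
ENTITLEMENTS = {
    "hr-portal": {"hr-staff": "restricted", "employee": "internal"},
    "wiki": {"employee": "internal"},
}


def max_classification_for(req):
    """Highest classification level any of the user's roles is entitled to in this app (-1 if none)."""
    app = ENTITLEMENTS.get(req.application, {})
    return max((CLASS_LEVEL[app[r]] for r in req.roles if r in app), default=-1)


def decide(req):
    """Return (Decision, reason). Checks run in order; the first failure wins."""
    wanted = CLASS_LEVEL[req.data_classification]
    strength = AUTH_STRENGTH.get(req.authenticator, 0)
    # 1. Identity and provisioned entitlement: no entitlement, no access, whatever the network.
    if max_classification_for(req) < wanted:
        return Decision.DENY, "no entitlement for this data in this application"
    # 2. Device posture: restricted data only from managed, compliant devices;
    #    confidential data needs at least a compliant device.
    if wanted >= CLASS_LEVEL["restricted"] and not (req.device_managed and req.device_compliant):
        return Decision.DENY, "restricted data requires a managed, compliant device"
    if wanted >= CLASS_LEVEL["confidential"] and not req.device_compliant:
        return Decision.DENY, "confidential data requires a compliant device"
    # 3. Authenticator strength scales with classification: restricted needs a
    #    phishing-resistant authenticator, confidential at least a second factor.
    if wanted >= CLASS_LEVEL["restricted"] and strength < AUTH_STRENGTH["fido2"]:
        return Decision.STEP_UP, "restricted data requires phishing-resistant authentication"
    if wanted >= CLASS_LEVEL["confidential"] and strength < AUTH_STRENGTH["otp"]:
        return Decision.STEP_UP, "confidential data requires a second factor"
    # 4. Network is only context: an unmanaged device on the internet reaching
    #    internal data with a password alone gets step-up; being on the corporate
    #    network never relaxes checks 1 to 3.
    if (wanted >= CLASS_LEVEL["internal"] and req.network == "internet"
            and not req.device_managed and strength < AUTH_STRENGTH["otp"]):
        return Decision.STEP_UP, "unmanaged device off-network needs a second factor"
    return Decision.ALLOW, "all policy checks passed"


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"hr-staff"}), "hr-portal", "restricted",
                        True, True, "corp", "otp")
    print(decide(req))  # step-up: restricted data needs phishing-resistant authentication
```

The order of the checks is the point: being on the corporate network does not short-circuit the entitlement, device or authenticator checks, and a missing entitlement is a hard deny rather than a step-up, because no amount of extra authentication turns an unauthorized user into an authorized one.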
Do you want to keep your company safe?
Sources:
- Accenture
- welivesecurity.com