by Rebeca | Mar 11, 2021 | Definitions, soffid
A compliance audit is a comprehensive review and evaluation of a business or organization’s compliance with a voluntary compliance framework (e.g., SOC 2) or a regulatory requirement (e.g., GDPR). The scope of a compliance audit depends on which framework/regulation the auditor is evaluating against and, for some frameworks, what type of information the organization stores and how they utilize it.
Many companies still do not appreciate the interconnection of security and compliance. Both are often considered cost centers, and that paints a scowl on the face of many Chief Financial Officers. However, there is a different way of looking at compliance (or its negative counterpart, non-compliance).
We can divide compliance into the categories of obvious and not-so-obvious costs.
The obvious costs are easy to understand:
- Track – Keeping a close watch on the requirements to maintain compliance
- Mitigate – Correcting any deficiencies
- Fines – Monetary penalties for compliance failure
Some of the hidden costs include:
- Additional internal audits – To verify that everything is in order as well as the costs of reworking
- Business disruption – Due to a regulator lockdown of a business unit or the entire organization
- Productivity loss – The time employees need to focus on remediation
- Brand loss – Due to bad media coverage, which leads to customer erosion
Budgeting for these costs ensures that your organization has the resources required to maintain compliance and to confirm there are no compliance slips. The biggest hidden cost, though, is the loss that is not accounted for: the one caused by non-standardized operating procedures and a lack of standardized controls.
In information technology, this is known as secure configuration management. An organization may be operating at lower efficiency without being noticed until regulatory compliance audits unravel the cracks in the IT ecosystem. This is the “close to broken” setting mentioned earlier.
Fortunately, the journey to compliance need not be a burdensome task. For example, in the banking industry, digital checking mechanisms enable institutions to track all the risks and ensure compliance by applying the appropriate controls. Comprehensive dashboards are used to ensure that banks can effectively monitor and mitigate compliance issues before they cross into non-compliant territory.
To reduce business risk by ensuring systems are properly configured or hardened to meet your internal, regulatory and legislative compliance standards, Secure Configuration Management is a must.
A secure configuration management tool combines network monitoring and Endpoint Protection methodology to compare monitored systems against an approved configuration baseline or a golden image. Deviations from this baseline, known as test failures, can usually be corrected with little or no human intervention. Secure configuration management is truly a need-to-have solution.
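The baseline comparison just described, as an added illustration (not Soffid's code): an approved baseline is evaluated against a host snapshot, each deviation is reported as a test failure, and failures marked as auto-fixable are remediated without a human while the rest are escalated. The baseline, setting names and the host snapshot are constructed sample data.

```python
# Baseline drift check in the style of secure configuration management.
# Added illustration, not Soffid's code. BASELINE and the host snapshot are
# constructed sample data; a real tool reads live system state instead.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    expected: object   # value required by the approved baseline
    auto_fix: bool     # may the tool remediate without a human?


# Approved baseline (constructed): setting -> required value and remediation policy
BASELINE = {
    "ssh.PasswordAuthentication": Control("no", auto_fix=True),
    "ssh.PermitRootLogin": Control("no", auto_fix=True),
    "firewall.enabled": Control(True, auto_fix=True),
    "disk.encryption": Control("enabled", auto_fix=False),  # needs reboot/key escrow
    "audit.log_retention_days": Control(90, auto_fix=True),
}


def evaluate(observed: dict) -> dict:
    """Return {setting: (observed, expected, auto_fix)} for every test failure.
    A setting absent from the snapshot is a failure with observed value None."""
    failures = {}
    for name, control in BASELINE.items():
        actual = observed.get(name)
        if actual != control.expected:
            failures[name] = (actual, control.expected, control.auto_fix)
    return failures


def remediate(observed: dict, failures: dict) -> tuple:
    """Apply baseline values for auto-fixable failures; return the corrected
    snapshot and the settings that still need a human."""
    fixed, escalate = dict(observed), []
    for name, (_, expected, auto_fix) in failures.items():
        if auto_fix:
            fixed[name] = expected   # real tool: push the setting to the host
        else:
            escalate.append(name)
    return fixed, escalate


if __name__ == "__main__":
    host = {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
            "firewall.enabled": True, "disk.encryption": "disabled"}  # constructed
    fails = evaluate(host)
    corrected, needs_human = remediate(host, fails)
    print(len(fails), "test failures; escalated:", needs_human)
```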
Secure configuration management offers benefits to organizations, not only from the cost-avoidance standpoint of non-compliance but also from increased organizational efficiency and agility.
Attacks
It is important to note that while many vulnerabilities are “common,” there is a more critical aspect of maintaining compliance to protect your organization. The largest segment of attacks is targeted. This type of attack means your organization is singled out, and the attacker has a specific interest in your business or your intellectual property.
A targeted attack takes time and planning, sometimes months, to lay the groundwork and prepare. Attackers still use commodity techniques to probe the systems in your organization, looking for the best path to exploit, but their methods are specifically tailored to your infrastructure, your processes and your personnel. The main reason that targeted attacks are effective is that organizations struggle to follow basic security practices and properly institute measurable security policies.
Could you imagine how much less risk your organization would have if you could eliminate 99.99% of attacks?
How Soffid Can Help
Soffid makes compliance with security standards easier, with the broadest set of compliance and security policies, which accelerate securing your infrastructure and knowing where the weak points are. We update these policies as standards change and allow you to customize the tests and assessment results to better meet your individual needs, so you get a giant head-start on your security policy and framework as well as the flexibility to make it your own.
by Rebeca | Mar 3, 2021 | News, soffid
Intranets offer more than just avenues for communication within your company. They also present employees with a treasure trove of content and services, enabling them to perform better and become more effective.
On the contrary, when employees are forced to deal with unwieldy intranets, be it for lack of features or a cluttered UI, to manage their daily tasks, the negative impact on the company’s bottom line can be huge.
As such, implementing a robust intranet solution can give companies a competitive advantage. In fact, Deloitte research shows that companies with strong internal social and work networks are 7% more productive.
Yet, not all intranets are created equal, and some might not give you as many benefits as other, more consolidated options.
Intranets were created to increase productivity in the physical workplace, but 2020 showed us that the workplace isn’t tied to a single location. The workplace has now become a concept rather than a specific site.
Yet, there is still the need for a centralized hub where employees can access company information and improve their communication. When employees don’t have access to a nerve center to find what they are looking for, the company suffers. Plus, without an intranet, employees will start using their own tools, resulting in data silos and incompatible technologies.
These are some of the features you need to look for in a modern intranet in 2021:
- Intuitive user experience: Intranets shouldn’t look different from other applications and software, and they need to be easy to use.
- Integration with third-party applications: Modern intranets need to integrate with both corporate and consumer applications of all kinds.
- Availability as a mobile application: Modern intranets need to be available as native apps or PWAs to truly reach employees.
- Support for cloud office solutions: Be it Microsoft 365 or Google G-Suite, an intranet needs to work with the office suite your company uses.
- Personalization-ready: Modern intranets need to be able to personalize messages for both departments and users at a granular level.
Intranets connect all of an organization’s teams, systems, and networks, elevating your operations to a whole new level. But why open source? Simple: because you need a platform with a flexible information architecture, a platform you can tweak to fit your company’s needs and unique workflows.
The main benefits of an open source platform for intranets include:
- Lower costs: Open source platforms tend to be more cost-effective than proprietary software.
- Extensibility: An open source intranet can be built upon and extended to support growth.
- Integrability: The open source architecture enables developers to integrate with other platforms without the constraints of a proprietary solution.
- Powerful search: A modern intranet needs powerful search capabilities to be able to sift through all the data enterprise businesses have.
Our new Soffid 3 provides the most intuitive and user-friendly interface, making the transition smooth and convenient and offering advantages for your team.
Shall we talk about your project?
by Rebeca | Feb 24, 2021 | Resources, soffid
After the issuance of movement restriction policies by governments to avoid the spread of coronavirus, organizations had no choice but to send people home. Most were in a hurry to get people up and working from home, and many ended up advising some people to use their own devices. It is also highly likely that most overlooked the importance of cybersecurity.
Unfortunately, cybercriminals never rest, and they are always looking for such opportunities to attack. While you had the IT department take care of cybersecurity issues when working in the office, the problem could have fallen squarely on you now. Not to worry, though: here we list 5 tech tips for cybersecurity as you work from home.
Presented below are the top three cyber risks that organizations need to address:
- Use of Unsecured Wi-Fi Networks – Employees accessing company networks using Wi-Fi from popular locations (such as a coffee shop) can be more susceptible to cyberattacks.
- Lack of Cybersecurity Awareness and Training – Ensuring that there is a training program in place for best practices on security is paramount in defending against cybersecurity threats.
- Lack of Physical Security or Personal Use of Laptops – Leaving work devices in the open, letting non-employees, such as family and friends, borrow devices for personal use, or using corporate devices to answer personal emails, shop online or visit social media pages, are all examples of risky behaviour that employees may engage in whilst working remotely.
There are a number of ways in which your employees can ensure they stay safer when working out of the office. Make sure you inform your employees of these home cyber security tips.
- Avoid Public Wi-Fi. A lot of people like to work in cafes which have public Wi-Fi. This is a very dangerous way of working because it means that hackers can target your computer if they are on the same network. If your employees work in public places, make sure your employees use personal hotspots or encrypt their web connection. Encrypted web connections help to protect your traffic.
- Use adaptive and multi-factor authentication:
- Device encryption ensures that if a laptop is stolen or lost, hackers can’t get into it. Adaptive and multi-factor authentication also help to protect your online accounts.
- Make sure you and your remote working employees use long passwords with mixed character types.
- Adding multi-factor authentication is also a great way to stay safe.
- Do not use your corporate passwords with third party systems.
- Use Security Protection. If your organization owns laptops that your employees will take home, make sure that good and up-to-date security protection is installed on it.
- It is a good idea to have firewalls, antivirus, device encryption, web filtering, and any other preventative software.
- If your employees are using their own laptops or desktops, then make sure your employees have these security protections on their laptops too.
- Encrypted Emails. Encrypt your emails so that hackers can’t read your business emails. Install applications that ensure the protection of your emails.
- It is also a good idea to ensure your employees know how to spot cyber threats, such as phishing emails, so give them some training on cybersecurity.
- Hide Your Work. If your remote employees are working at a coffee shop, make sure they know to hide their work. Don’t let the people around you see what you are typing or your screen.
- Always keep your work with you, even if you just go to the restroom, because hackers can easily access your information in a matter of minutes.
- Download our free cybersecurity report to find out about the most critical IT security protections your business needs in place.
Protecting your business from hackers and cybercrime is extremely important, so make sure you implement our 5 cybersecurity tips now.
Remember to ensure your remote employees follow physical security tips too, such as not leaving a laptop in plain sight in their car.
Looking for effective IT solutions? Learn more about how we can help you by contacting us now.
by Rebeca | Feb 17, 2021 | Resources, soffid
The General Data Protection Regulation (GDPR) is the most significant overhaul of European Union (EU) data protection legislation in over 20 years. Amongst other things, it is intended to provide better protection to individuals and to give greater certainty to organizations in navigating data protection across EU member states.
It includes 99 articles or clauses covering virtually every aspect of business and information management – everything from the consent to collect and process information, to the “right to be deleted”. Importantly for global businesses (including those outside the EU) the GDPR is supra-national, therefore any business that processes the data of EU citizens will fall under its remit, not just European businesses.
For cyber security professionals, the drive for data protection and information management is not new, although the level of detail, the requirements on data breach notification and the fines in GDPR impose a lot more focus.
As the scale of the cyber threat is revealed, organizations should welcome the data security requirements laid down by the GDPR as an opportunity to reduce the risk of data breaches. After all, if an organization’s data is compromised, regulatory fines may be the least of its worries.
While the GDPR introduces severe penalties for compliance failures, it will also force organizations to pay more attention to data security in the face of the looming cyber threat.
How to comply with the 5 cyber security clauses of GDPR
For security monitoring and operations in GDPR compliant businesses there is increased focus on both prevention and avoidance of security and privacy breaches. Further, it is imperative to be able to respond quickly when a problem does occur, understand it and take action. The 72 hours allowed to notify the government authority is accompanied by an expectation that affected data subjects will be communicated with promptly. As a minimum, businesses handling personal data will need to:
- Engage the DPO (Data Protection Officer) as part of the access and authorization approval processes.
- Use identity governance tools to get access attestation as well as to prevent unauthorized access.
- Create a catalogue of roles to identify the personal data contained in each application. Track and review each of these roles in a timely manner.
Shall we talk about your needs? Our team can help you with your cybersecurity projects.
by Rebeca | Feb 10, 2021 | soffid, Uncategorized
As businesses reflect on the disruption caused by the COVID-19 crisis, ensuring agility and resilience have risen to the top of C-suite agendas everywhere.
Administrative users require privileged account access in their day-to-day roles to maintain systems, perform upgrades and troubleshoot issues. However, these users can also misuse their privileges to gain unauthorized access to sensitive information or cause damage to the IT environment. To deter the misuse of privileges by authorized users, as well as detect malicious activity that could indicate a compromised account, organizations should proactively record and monitor all privileged session activity.
It’s great to have a session recording tool that records everything users do on the command line; it may prevent some oversights from happening in the first place if users are aware that what they do is being recorded. After all, people are usually on their best behavior when they know they are being recorded.
Key Benefits:
- Cost and time savings – both admins and developers need to spend less time on non-productive routines and can concentrate on real value-adding tasks.
- Improved security – not having to generate, rotate, and dispose of passwords or keys improves your security posture and reduces your attack surface. Ditto for the automatic revocation of access rights upon someone leaving the organisation and not having to worry about lost credentials.
- Improved compliance – with detailed audit logs, the available session recording and playback, and integration with SIEM systems, you get full visibility into who has done what, where, and when. This not only gives you peace of mind, but it also helps you stay on the right side of GDPR and other regulations.
- Better user experience – while a great customer experience is something we often think about, improving the user experience is often equally valuable.
Report and audit privileged sessions that leverage shared accounts and individual accounts with full video and metadata capture. The Soffid Audit and Monitoring Service allows customers to conduct analysis and leverage high-fidelity recordings for audit and compliance purposes.