NYDFS Cybersecurity Regulations: Discussing the Financial Cybersecurity Compliance Requirements

For years, governing agencies and leaders have held an “it won’t happen to us” mentality toward cyber attacks. However, threats are becoming more sophisticated at a faster rate than anyone ever expected. New techniques are emerging constantly to get around current security systems and compromise sensitive resources. The increasing likelihood of cyber attacks and the rising consequences associated with these events have grabbed the attention of federal and state legislators seeking to better protect government entities and the public. In September 2016, the New York Department of Financial Services released a draft of its cyber security regulations known as 23 NYCRR Part 500, with the final version going into effect on March 1, 2017. This is a first-in-the-nation regulation that was aimed at protecting the state of New York and its financial institutions from cyber attacks. The initiative covers a large range of requirements, from establishing a cyber security program to how third-party service providers should be managed. Let’s take a closer look at the most important things to know about NYDFS cybersecurity regulations:

1. You Must Report All Cyber Attacks

Reporting cyber attack events is nothing new for businesses, but 23 NYCRR Part 500 imposes an obligation to report unsuccessful cyber attacks as well. According to The National Law Review, the regulation states that a cyber security event must have the reasonable likelihood of materially harming any part of normal operations, particularly attempts – successful or unsuccessful – to gain unauthorized access to information systems. Businesses within regulated industries must

Advanced Persistent Threat (APT): How to Protect Your Organization From Lurking APTs

Technology advancement has traditionally been seen as a way for employees to work more effectively, simplify tasks and maximize business value. With increasing connectivity across different objects, more machines generate and store data than ever before, creating a web of smart devices. However, many devices don’t have the proper protection, but are connected to vital networks.

Hackers are starting to use these objects to breach business systems and initiate Advanced Persistent Threat (APT) techniques. As the consequences of cyber attacks continue to mount, it will be important for organizations to understand the dangers associated with advanced persistent threats and how to protect themselves as well as their business computers effectively.

1. Know What an Advanced Persistent Threat Entails

An Advanced Persistent Threat (APT) is a set of stealthy and persistent computer hacking processes, which enable unauthorized access to a system or network, with the goal of business data theft. The “advanced” process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The “persistent” process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “threat” process indicates human involvement in orchestrating the attack. They operate in multiple phases – including avoiding detection, mapping business data, hacking the network with dormant rootkits, gathering sensitive data, and possibly extracting that data. An advanced persistent threat is typically sophisticated. This type of strategy aims to remain undetectable by traditional security measures and has resulted in large, costly data breaches.

Educating your staff on an advanced persistent threat will help not only maintain security, but also ensure that

Faronics Tech Roundup – June in Review

The beginning of summer, June also saw the beginning of truly advanced malware and cyber-threat techniques. Let’s take a look back at some of the biggest cyber news highlights from June 2017:

Payment-Card Malware Impacts Retailers

It’s no secret that payment-card data is some of the most valuable information to a potential cyber attacker. Hackers can sell this data for a quick payday or even use it to steal identities and money from unsuspecting victims. Of the biggest breaches within the past few years, Target comes to mind, but many organizations still haven’t learned from these incidents. Chipotle had 2,000 restaurants impacted by a security breach originating at its point-of-sale devices. Kmart was also impacted by POS malware, but the strain was undetectable by current security controls.

As malware continues to evolve, organizations are more likely to have longstanding breaches fly under the radar until it’s too late. Attacks might allow individuals to get away with data necessary to make fraudulent payments and seriously impact a customer’s life. Consumers are no longer taking these threats lying down and are less likely to do business with an organization that has been breached. For more information about how payment-card malware has impacted retail chains across the U.S. and what organizations can do about it, visit our blog on the subject.

POS malware impacted retailers across the U.S.

New Ransomware Takes Notes From WannaCry

WannaCry was one of

4 Tips for Effective Business Continuity and Disaster Recovery (BCDR) Planning

Disaster strikes when you least expect it, and it’s increasingly been shown that organizations can no longer afford to believe that such emergencies won’t happen to them. Business continuity and disaster recovery (BCDR) planning has become a major priority for companies, but a number of them are still lacking the strategy necessary to ensure that their operations can continue in the event of a disaster. A 2016 survey by ITProPortal contributor Matt Kingswood found that nearly half of respondents don’t have a comprehensive business continuity and disaster recovery (BCDR) plan. This number is significant considering the mounting pressure and consequences for downtime and disaster recovery.

As the price associated with operational issues continues to rise, it’s become more necessary than ever to create a strategy that will support organizations throughout their recovery process. Let’s take a look at the top tips that you should follow to build a solid BCDR plan:

1. Analyze Environments and Threat Tolerance

When creating a business continuity and disaster recovery (BCDR) plan, leaders must start by looking at their critical environments and analyzing the potential risks they might face. Business2Community contributor Jamie Keenan suggested creating a detailed list of threats and categorizing them according to the systems they are likely to impact. It will be important to err on the side of caution and consider all possible problems that might emerge. This will help your organization truly focus on recognizing issues and dealing with them before they occur or cause damage.

Prioritizing threats will be a significant part

Data Security in Health Care: How HCOs Can Go About Safeguarding PHI

Protecting sensitive and personally identifiable information (PII) has become a main priority for health care organizations (HCOs). Not only do medical professionals need to be able to access patient files regularly, they must also comply with strict industry regulations that detail how this Protected Health Information (PHI) can be stored, modified and guarded. If anything happens, it could result in major fines and other consequences. In fact, health care data breaches are the most expensive, costing $380 per record, 2.5 times above the global average across industries, according to a report by IBM and Ponemon Institute.

Although the monetary cost of a data breach has dropped 10 percent, attackers still see health care data as the most lucrative path to a payday. Medical institutions cannot become complacent in the face of advancing cyberthreats and must step up their safety measures. Let’s take a closer look into how health care organizations can improve their data security and safeguard PHI.

1. Provide Comprehensive Training

Human error remains one of the biggest causes of data breaches across the board, but particularly in health care when personnel are unaware of potential risks to information security. Some medical organizations might have smaller security teams and budgets, leading to a general lack of protection. Employees are going to be the first line of defense to prevent issues like phishing and malware from getting through. However, phishing techniques are becoming more sophisticated to appear as though the communications are coming from a genuine source. When workers fall for