A bill introduced by leading U.S. senators yesterday requires the owners and operators of our nation’s critical computer networks to safeguard against hackers.

Essentially, under this bill, the Department of Homeland Security would have the power to identify systems that may cause mass casualties or catastrophic economic damage when attacked. Those identified as a “Covered Critical Infrastructure” would be required to prove or improve security according to the set regulations of the sector-specific agency. Companies would have to show that their networks are secure or face penalties.

The bill calls for identifying vital information networks and setting security requirements for companies and government agencies. Lawmakers and regulators say rules are needed to fight increasingly sophisticated cyber attacks capable of disrupting power grids, banks and communications networks.
Read more . . .

By Chris Strohm, Bloomberg

This bill, called the ‘‘Cybersecurity Act of 2012’’, is a combination of cybersecurity bills introduced during the past three years. One provision not included is the Internet “kill switch” language that caused so much controversy in the past, but there is still a lot of backlash toward this bill because of the burdening cost that it is expected to create on companies. The Homeland Security and Government Affairs Committee, chaired by Joe Lieberman (I-CT), has scheduled a hearing on the ‘Cybersecurity Act of 2012’ on February 16, but surely the debate over this bill will continue so that other committees have a chance to take up the issue.

Whatever the outcome, the bill will include companies taking more responsibility for securing their own networks. This means scheduling the needed security services to maintain a secure environment that thwarts off hackers and ensures your computer networks are not vulnerable.

Posted by Mike Fitzpatrick, CRISC, CEO, NCX Group

As a reminder, any business or entity that conducts business within California and collects and holds Personally Identifiable Information (PII) is now subject to Senate Bill 24, which amends the California breach notification law.

This new bill aims to strengthen the state’s groundbreaking SB 1386 security breach notification law by mandating how and what content to include when notifying affected individuals after January 1, 2012.

To begin, SB 24 requires that the notice to California residents be written in plain language. I believe this to mean at a level easy to understand without the legalese.

Additional content required must include the following:

• The types of information breached.
• When the breach occurred or a range of suspected dates.
• The name and contact of the person or business reporting the breach.
• Whether the notification was delayed as a result of a law enforcement investigation.
• A general description of the breach incident.
• The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

At the discretion of the business, the security breach notification may also include what is being done to protect the individual whose information was compromised.  We urge businesses to add this because it can restore trust and may reduce customer churn.

In addition, SB 24 now requires businesses and state agencies notifying more than 500 California residents in a single breach to submit an electronic reporting form online and upload a sample copy of the notification letter being sent to affected individual.

HIPAA-covered entities are deemed to have complied with the notice requirements if they have complied with the similar breach notification requirements of the HITECH Act.  This means that a HITECH Act notification satisfies the content requirements of SB24, but nothing more.  HIPAA-covered entities must still notify the Attorney General if more than 500 California residents need to be notified.

NCX encourages all organizations to establish a comprehensive information security program that includes a thorough incident response program.  Don’t forget to review SB24 and update your notification policies to include the new requirements.

Posted by Mike Fitzpatrick, CRISC, CEO, NCX Group

As CEO of NCX Group, I wish you and your company a prosperous new year. It is sure to be a challenging one for all of us due to the economy and smaller budgets, and with the 2012 data threat predictions calling for an increase of very sophisticated breach attacks, profitability becomes even more challenging.

It only takes one attack to change the hope of a prosperous year. Our goal is to prevent that from happening by helping businesses and organizations, regardless of size, identify their current data security vulnerabilities and prepare them against oncoming threats.

A thorough Secure24 security review identifies high and medium data risk, explains remediation solutions, and enables organizations to build an effective data security and privacy program that mitigates risk and meets compliance regulations. Most information security reviews we conduct find vulnerabilities due to misconfiguration of assets, lack of processes and controls, insecure web applications or misguided procedures. It is critical that you don’t take your eyes off of the “basics” in securing your information assets when the stakes are so high. Even a simple, cost effective network Vulnerability Assessment or a Web Application Test will go a long way in meeting most of your information risk management needs during these difficult times.

Many organizations are demanding that departments affecting security, IT and compliance groups do more with less. Your approach to obtaining the right services and expertise has never been more important than it is right now.

For more information on how NCX Group can assist you in meeting your company’s information risk management goals for 2012, please contact us for a free consultation. We look forward to helping you stay profitable.

Best Regards,

Michael Fitzpatrick, CEO
NCX Group, Inc.

It would be the ultimate buzzkill to learn that data breaches you hear happening to other companies has now happened to yours, especially when your company’s security measures were strong, or so you thought.

There’s a dangerous disconnect between perception and reality when it comes to data security and that disconnect can come back to bite. It slowly begins when those responsible for their company’s data security become complacent or have a false sense of security, simply because a breach hasn’t happened yet. Many who thought their critical information was secure were surprised to discover it was not. How do we know? We only need to read the news. It’s alarming to learn that simple fixes and better due diligence could have kept most hackers at bay.

The key is to know if your critical data is vulnerable and if policies and processes are in place to head off an attacker. This is accomplished by identifying the state of your company’s security posture. A comprehensive security review can save you hundreds of thousands in data breach exposure costs and quickly identify areas requiring risk mitigation.

Remember, a secure environment can change unexpectedly with newly added equipment, mergers, or even conducting downsizing activities. Performing periodic network vulnerability scans from experts with the right tools will also help confirm that your critical information is protected from overlooked configurations or undocumented changes.

You probably already know that security threats have skyrocketed this year and data breaches are climbing to an all time high. This means it’s a risky time to have a wait and see attitude. Businesses with fewer than 500 employees, or even 100 employees, are proving to be more popular targets as hackers are finding them to be “low-hanging fruit” and “ripe for the pickins”. Why? Because they typically have weaker security measures in place and hackers view them as opportunistic. The end result can have significant repercussions to the business while the hacker exhibits little effort for a good payout. You can prove them wrong, and we can help.

Contact us for a free consultation on how we can help secure your critical information assets at a price that will fit your budget, or email us to have a representative call you.

California has one of the toughest breach notification laws in the country.  Although it is strong on notification, the current law lacks direction on what information to include when issuing a data breach notification.  Senate Bill 24, which was signed by Governor Brown on August 31, 2011 and goes into effect January 1, 2012, amends SB 1386 to include standard, core content when notifying individuals of a data breach.

SB 24 requires certain content in data breach notifications, including a general description of the incident; the type of information breached; the date or date range of the breach; the name and contact information of the reporting agency; and the toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number or a driver’s license.

In addition, SB 24 also mandates the breached agency send an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 Californians.

We have seen many vague and unhelpful notification letters in the news.  I believe the requirements of SB 24 aim to help consumers gain a greater understanding of how to respond and protect themselves against identity theft.

Posted by Mike Fitzpatrick, CEO, NCX Group

Results of a recent survey by Financial Executives International (FEI) and Gartner posted on CIO states CIOs and IT teams are falling short of CFO expectations. CFOs, who appear to be having a greater influence over IT, don’t have the confidence that their own IT organization can muster the flexibility to respond to changing business priorities.

As I read this article, I thought of how this sentiment also ties to the security of information assets. With all the breaches in the news lately, it stands to reason that doubts of IT security capabilities are coming into question as well. Today’s CIO and IT teams must be able to bridge information technology and business requirements to meet company business objectives, all while making sure security is not an impediment to growth.

We all know that new technology and the thought of building new systems usually puts a gleam of excitement in the eyes of IT folks. Unfortunately, information security is not the primary focus of these new technology implementations. Too many times, I’ve seen companies spend a lot of money on hardware and software without verifying the current state of information security and how it relates to the business environment or forward strategy. The end result is money spent in the wrong areas. In many cases, IT can actually hamper business growth by only focusing on technology. I can understand why CFOs loose confidence. IT must consider how information security plays into business objectives to create a competitive advantage over other businesses.

Because most structural IT purchases must now tightly integrate with information security, it is critical that IT not perform in a vacuum. As head of an information security consulting company, I have for years advocated that information security should not be the sole responsibility of your an IT organization; after all, ‘it takes a village.’ While I hate this phrase, it’s true in this case. An effective and successful information security program requires the involvement of the entire organization; Everyone on the same page and moving in the same direction to deliver on the business objectives of the company.

To this point, NCX strongly recommends the formation of an Information Security Steering Committee (ISSC). This committee not only provides leadership in protecting information assets and technology, they also prioritize the development of security initiatives and provide guidance on IT infrastructure and investments that affect the confidentiality, integrity and availability of critical information. The committee should include someone from executive leadership (CEO, CFO, COO), HR, IT and legal. No more than you can feed with a large pizza.

Establishing such a body will give CFOs and upper management the confidence their company’s critical information assets, desired growth path, and business priorities are being considered to achieve success.

Let me know what think.

Posted by Mike Fitzpatrick, CEO, NCX Group

Companies that have launched their data into the cloud might be doing so at a greater cost than what they hope to save. The lure of IT cost savings provided by cloud computing becomes a strong incentive in this economy, but many organizations are overlooking security and privacy, and a breach could destroy the savings they intend to gain.

I have read many surveys lately highlighting the adoption of cloud computing along with the pros and cons. No doubt, more and more companies are migrating to this technology, but what is now coming to light is the misconception of who’s responsible for securing customer data. In a recent study released by the Ponemon Institute, “Security of Cloud Computing Providers,” the majority of cloud providers (79%) allocate 10% or less of IT resources to security or control-related activities. They found that most providers believe their cloud services do not include the protection of sensitive data. Instead of security, cloud providers focus on cost and speed of deployment, the survey states.

As with any outsourced service, it’s important to vet the service provider to ensure their security framework supports your standards of access control and authentication. Qualify that the SLA meets your level of security and thoroughly understand the controls and testing of the provider. Attempting to achieve your required mandates of security later may be complex and more costly.

With that said, I strongly urge companies considering cloud computing to assess their security risks before they make the move. This will identify and close any gaps that might put them at risk.

NCX Group includes assessing clients’ cloud computing information risks as a part of our Secure24 security review to help identify any security issues or potential impact to their security architecture. As a standard, cloud computing services need to be mapped to a model of compensating security and operational controls, risk assessment and management frameworks, all while adhering to security compliance guidelines. NCX Group can help you achieve this goal.

We’re beginning to see hackers hit the cloud hard to capture easy data. Businesses will soon be forced into more heightened security measures as more critical data gets pushed to the cloud. Stay vigilant, stay aware.

Posted by Mike Fitzpatrick, CEO, NCX Group

Although there are some breaches companies can’t prepare for, this breach appears to be a case of lapsed security.

The breached system at Nasdaq, so far, was tied to Directors Desk, a web-based service tool used by directors of companies, including board members, to share confidential documents.  One would think that if Nasdaq were acquiring a company for their portal service, as they did Directors Desk in 2007, the web application would have been thoroughly tested for flaws based on the highly sensitive information that flows through and is housed in its system.  For all you CEOs out there, take note!  Have ALL your web-based applications tested!

What’s so concerning about this breach is that it became known through “routine computer security checks” revealing that hackers had installed malware files inside Directors Desk.  The Wall Street Journal reported the computer network had been repeatedly penetrated during the past year.  So the real question is why the system was only routinely monitored and not continually monitored?  This went on for a full year before it was discovered, despite the files left on the system by the hack!  Web-based services like this are highly vulnerable and require constant monitoring.

There are other board portals out there and these services don’t come cheap.  It would be interesting to see if companies jump to other board management systems because of the lack of security discovered by this breach.

The latest development from this breach is to revive the Cybersecurity Enhancement Act.  To investigate the cause of this breach is certainly required, but to initiate a bill that funds scholarships and grants for security research through the National Science Foundation to the tune of $639 million over four years is truly alarming.

It’s said that these systems are complicated, but really?  With a thorough information security program in place, the chance of this type of breach is minimal. According to the reports, the files in question were removed and Nasdaq made modifications to the system as a deterrent.  Gee, guess it wasn’t all that complicated.

Posted by Mike Fitzpatrick, CEO, NCX Group