The Havoc Shield Blog
Every day we talk with startup founders about small business cybersecurity. Although we’d love to speak with founders that spontaneously decided to “do more” about cybersecurity, our conversations usually start very differently than that.
Most often, there is a very specific and urgent cybersecurity-related need at hand, along with an urgent call to our team for help thinking it through. We're happy to help, not a problem! However, for the benefit of founders that haven't yet hit one of those moments, here's what folks a few steps ahead of you are running into. We're glad to help with these more proactively if you'd like, to save a hectic scramble later.
Companies seeking to obtain a SOC 2 report are often in a hurry. So, what’s wrong with searching for a SOC 2 Compliance Checklist? Maybe this whole SOC 2 examination thing can be a quick, simple matter of working through a checklist and obtaining a report? Not quite.
Although we specialize in helping companies prepare for SOC 2 examinations — and we’ve gone to great lengths to ensure that we are attuned to the most common security controls that SOC 2 auditors tend to evaluate — auditors are required (for good reason) to maintain independence. That means that no provider (not Havoc Shield or anyone else) can supply the perfect checklist of items that is sure to lead to a clean SOC 2 report (an “unmodified opinion”).
If you’ve begun to explore the possibility of obtaining a SOC 2 report, you may have heard that a SOC 2 Readiness Assessment is a good place to begin the journey. That’s reasonable advice. Just as you wouldn’t invite a financial auditor to review your financials without taking preliminary steps to ensure that your financial statements are in order, you wouldn’t pursue a SOC 2 examination if you didn’t have reason to believe that you had the necessary security practices in place to perform well under professional scrutiny. For that reason, the following sequence has become popularized:
If you are subject to the FTC Safeguards Rule, it can be hard to know where to start with your compliance effort. An important first piece of information that you should keep in mind is that the proposed changes to the FTC Safeguards Rule have not yet been...
No one wants a SOC 2 examination to go poorly. For most organizations, getting to a SOC 2 report that reflects favorably on the company’s security practices is essential. Often there are customers or partners pressing for evidence of a SOC 2 report. When that’s the case, the process of engaging an auditor to conduct an examination is one that can cause some anxiety. The concept of a SOC 2 Readiness Assessment has become popular as one of the ways to reduce the odds of unexpected surprises during the examination.
One of the central topics in a SOC 2 Readiness Assessment is the concept of “commitments to customers” — specifically, determining precisely what commitments an organization has made to their customers. Was there a 99% uptime commitment, or was it 99.5%? Was the commitment made uniformly to all customers, or are there some marquee customers that were promised 99.9%? This is an example of one type of commitment that might come up during a SOC 2 Readiness Assessment.
For organizations that have never previously been through a SOC 2 examination, it may take substantial effort to gather the documents needed to fully understand what commitments have (and haven’t) been made to customers. That’s the purpose of this post: to suggest some of the items to gather to be prepared to substantiate what commitments to customers exist. Here’s our take:
Maintaining small business cybersecurity while allowing BYOL (bring your own laptop) is one of the hottest topics amongst companies that seek out our help. Although there is no one-size-fits-all solution, it helps to have a contextual sense for the continuum of high risk to low risk decisions that a company can make while navigating this complex topic. Here’s our shot at very simply summarizing some of the key stopovers on that continuum that we’ve seen companies land at.
SOC 2 involves internal procedures for the company’s employees and doesn’t involve any board of directors involvement, right? Wrong. In this post, we’ll offer some insights into the ways in which a company’s board of directors should expect to be involved in the company’s SOC 2 efforts.
We’ve seen many attempts at a SOC 2 compliance checklist over the past few years as more and more companies have become interested in obtaining a SOC 2 audit report. Unfortunately, there are fundamental flaws that we routinely see in these types of checklists. Today we’ll dive into the flaws to watch out for, ones that could lead to extreme frustration if you were to complete a SOC 2 compliance checklist and later discover (with an auditor present) that you are far from ready for a SOC 2 audit. Here’s the scoop.
Is your organization required to comply with HIPAA privacy standards? If so, you’ve probably heard the term PHI, which is short for Protected Health Information. In the past we’ve written about how Protected Health Information must be rendered “Unusable, Unreadable, or Indecipherable to Unauthorized Individuals”, and that leads HIPAA covered entities and business associates to be especially careful about encryption at rest, encryption in transit, and authentication.
However, today we’d like to take a step beyond that, to a day that no one enjoys but everyone experiences at some point. What happens when a hard drive containing Protected Health Information fails? The problem that most organizations face on that day is the uncertainty about how to dispose of this type of storage device if they don’t have the luxury of being able to use software-based utilities for clearing its contents.
Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2? If your answer was “all of the above” then you’ve come to the right place.
Amongst companies evaluating the possibility of obtaining a SOC 2 report, there’s been some confusion about the difference between SOC 2 Type 1 vs Type 2. Let’s see if we can clear that up; here’s what the AICPA says about it.
Apple just released iOS 14.4, with absolutely essential security updates. Although we rarely use this blog as a method of announcing patches and releases from specific vendors, the iOS security vulnerabilities in Apple’s recent release are so essential that we’ll break with tradition. We’ll break down the three key points in Apple’s release notes for you below.
If there is one thing we’ve learned about small business cybersecurity, it’s that there are a great many operators that are afraid to ask tough questions about cybersecurity because they are worried what the answers might be. We specialize (tactfully, of course) in helping organizations raise and think through those tough questions, and come out the other end safer and happier. Today we’ll take on the issue of Remote Work, asking four of the tough questions that deserve to be asked, and giving you, our reader, a ray of hope that there are reasonable ways to resolve any cybersecurity loose ends made apparent by the questions. Here goes:
Many companies that have “gone remote” have decided to keep some small physical office for occasional team gatherings, customer visits, and regulatory and compliance purposes. However, that has often involved moving from a pre-existing office (often a spacious one) to a more compact one that fits the new normal. A popular request we’ve received during those transitions is for a small business network setup checklist summarizing the key things that are the largest information security factors in getting a new office network set up safely. Here’s our take on that.
Stating the obvious: over the past year, we’ve come to meet many people who now WFH (work from home). And, many of them rely on Xfinity router security to keep them safe. It’s long overdue that we talk about that in specific terms, about what to expect — and what not to expect — if that description matches your situation. Equally important, it might describe many employees in your organization — probably even employees that handle sensitive company information regularly.
For this particular post, we’re going to focus mostly on malicious traffic filtering, although we have much more to say about Xfinity router security and WFH threats in future posts.
Many small businesses, especially those with a web-based product or service, choose to use an outsourced Data Protection Officer to fulfill their GDPR obligations. These same SMBs are often the least inclined to outsource anything, yet they happily choose to outsource their Data Protection Officer function. Why?
Does your company handle Sensitive But Unclassified (SBU) information in your role as a contractor of the IRS? If you do (and in some cases, even if you don’t), you’ve got IRS Cybersecurity Standards to keep an eye on. Evaluating your current approach to complying with IRS Cybersecurity Standards is a deeper topic than we can cover in a single article, but here we’ll focus on some initial steps you can take (if you haven’t already) to handle some of your most essential cybersecurity obligations.
Many small businesses end up on the receiving end of highly nuanced security and regulatory questions from clients and partners, with little in the way of internal expertise or resources to find their way to acceptable answers. One way that savvy small businesses prevail is to know the language of “big company” compliance. That way, when a question arises, perhaps one about NIST Control Families, the small business is prepared to give a contextually relevant answer about controls or compensating controls.
Many small businesses decide that they aren’t ready to hire full-time IT professionals, but still realize that they need professional help to manage their IT and IT security needs. One click deeper into that research, small businesses often end up asking themselves what the difference is between an MSP and an MSSP. If you are in that very spot, you’ve come to the right place: in this post we’ll discuss the difference between those two types of service providers.
As we help companies in regulated industries with their cybersecurity obligations, we try to be a resource for others that are at a more exploratory phase in their journey towards compliance. One particularly misunderstood regulatory obligation that many financial institutions face is the FTC Safeguards Rule. That rule is not misunderstood by 10,000-person financial institutions, and probably not misunderstood by 1,000-person financial institutions, given the resources and expertise that they are able to leverage in their compliance efforts. But our clients tend to be the type of organizations that have several dozen to a few hundred employees, and at that organization size, very few have the resources to have dedicated on-staff cybersecurity professionals studying every nuanced regulatory obligation. And that’s where we step in.
There’s something that doesn’t feel right about most small business MSSP relationships. MSSPs, for those that aren’t familiar with the term, are managed security service providers.
The origin of many of these engagements is fine and reasonable. When a small business operator knows that they should be doing more on the infosec/cybersecurity front, but doesn’t want to hire a CISO or other security specialists, engaging an MSSP seems like a logical step. But what happens next is “too much” on many dimensions. Here’s our perspective.