The Havoc Shield Blog
Far too many vendor onboarding processes — especially those that don’t leave room for compensating controls — feel like they are destined to be combative from the start. In the typical storyline, a tiny company is working feverishly to sell its products or services to an enterprise, and after gaining support of the “sponsor” (business decision maker), the vendor onboarding process kicks into action. The only problem? It often involves dozens-to-hundreds of nuanced cybersecurity questions that the tiny company is ill equipped to answer. And that puts in jeopardy all of the good work that the small business and the enterprise can do together — because the path to collaboration starts by running the gauntlet through the vendor onboarding process. And that process is far from guaranteed to lead to approval.
Is this link safe? Given the volume of email that most of us receive every day, it’s a question that seems to come up on a pretty frequent basis. Some people even think that they have “pattern detection” capabilities that preclude the need for any technological filtering/scanning.
Here we’ll explore what parts of the “is this link safe?” question can be scrutinized by a savvy visual inspection, versus what parts of the inspection are better done by a machine (well, an algorithm).
Ever hear the famous saying about vendor risk management? “Nobody ever gets fired for hiring IBM.”
We don’t hear this saying as much as we used to a few years ago, but the concept is still a thought provoking one — especially for those of us that spend time in the vendor risk management arena. And it applies far beyond the specific company cited in the saying. Here’s why it’s worth reflecting on this saying today.
Is the password manager you’ve been using for your personal accounts good enough to be your password management solution for business? That’s the topic before us today. This topic is courtesy of the past dozen-or-so small business owners who have asked us this question recently.
It’s a fair question. Let’s explore.
When a new vendor (maybe a small business) begins working with an enterprise, you can bet that there will be a vendor risk assessment of some form. Format-wise, it might be an Excel-based security questionnaire, a web portal, or a repurposed survey tool with customized questions. It will almost certainly involve a few clarifying conversations, revisions, evaluations, and (here’s hoping) approval.
Let’s zoom out one level above the nitty gritty of the questions that are deep in the assessment. What are the key vendor risk assessment topics that both sides should expect to discuss at some point in the process?
Normally we put all of our focus on helping small businesses with cybersecurity, but today we’re here to talk with enterprise compliance teams about their enterprise security questions. Bad news: almost all of the questions we’ve seen are broken. Good news: they are fixable. Let’s explore.
When a small business is on the cusp of closing out an enterprise sale, that is a big deal to the whole small business. It’s high stakes for them. They’d be willing to hop over just about any hurdle you ask them to. But what if there are 200 different hurdles, some of which matter a ton, others that don’t matter much at all, and all of the hurdle heights are obscured? Sound hard? It is. Here’s what’s broken about enterprise security questions.
If you have a Business Continuity Plan, do you also need a Disaster Recovery Plan? If you have a Disaster Recovery Plan, do you also need a Business Continuity Plan? The distinction between these two types of plans is amongst the least understood topics that small businesses must navigate as they think about creating an environment of stability in the face of a cybersecurity incident. These plans extend beyond just cybersecurity matters, but here we’ll focus on what’s in our wheelhouse at Havoc Shield: cybersecurity.
Part of our normal new-client onboarding conversation includes the prompt “tell me about your infosec policies” — which is usually followed by either a long pause or a sigh. Why? Clients joining the Havoc Shield family are often ones that have experienced recent growth causing them to have the realization that they can no longer “get away with” do-it-yourself cybersecurity. Some have drafted rudimentary infosec policies on their own in their do-it-yourself era, some haven’t, but almost none of them are confident that they’ve got the right infosec policies in place. And that’s a source of anxiety (one that we can help with).
This blog is usually written with the small business audience in mind. We usually post about cybersecurity topics that we believe will be useful to small business owners, small business CTOs, small business IT directors, etc. Today is different. Today, we’d like to speak to the Enterprise Compliance Director audience — about their relationship with small businesses.
Many Havoc Shield clients work with a Managed Service Provider (MSP) for their broader IT needs — things like provisioning laptops, configuring telecom closet equipment, setting up VoIP phones, helping employees set up their Bluetooth headsets, etc. We love it when a client works with an MSP for those types of needs — it accelerates our ability to help on the cybersecurity front, with penetration tests, security awareness training, endpoint security, dark web scans, etc. The collaboration between Havoc Shield and MSPs has been great, enabling each of us to focus on what we do best.
Most companies craft their Acceptable Use Policy from a starting point of an Acceptable Use Policy Template. That’s wise: there is no reason to reinvent the wheel when creating a new policy, especially when it comes to structure, formatting, and the basic policy elements that are relevant to almost every company. At Havoc Shield we have a Policy Manager section in our platform to help companies get exactly that type of jumpstart: a solid, battle-tested policy baseline that lets organizations go from “no policy” to “defensible policy” in no time at all.
Cybersecurity awareness training for small business isn’t at all what many business owners fear it will be. We commonly encounter assumptions that it’s expensive, involves an external consultant, and involves the huge pain of working out a date/time and alternate date/times. None of that is true. Read on.
DNS Filtering, Malicious Traffic Filtering, and Phishing Protection are terms that are sometimes used interchangeably. That’s confusing for small business owners that want to cut through the terminology and simply know what action they should take to stay safe. Here, we’ll explore the subtle differences between these terms — in plain language that anyone can understand.
WFH cybersecurity is perhaps the fastest growing discussion in the security community this year, given the impact of COVID-19. A Gartner survey of HR leaders found that 91% had implemented work-from-home in their organizations as part of their COVID response. Along with WFH came new cybersecurity exposures — at Havoc Shield we started fielding calls and emails along these lines. Read on for the scoop on some of the Fact and Fiction that is floating around.
Why does Shadow IT exist? A starting point is to assume that employees felt they did not have the tools they needed to excel at their job.
At Havoc Shield, infosec dashboard best practices come up early and often in our conversations with technology leaders. Often it’s a lack of robust infosec dashboards that is the wake-up call that leads a CIO, CTO, or CISO to engage our team to get to a better place. Here are our most strongly-held views about what works best in an infosec dashboard in 2020.
A while back we wrote an article that was inspired by a question that we’ve heard from clients many times: “can Macs get viruses?” … little did we know that it would become one of the most popular articles on this site. The follow-up discussions have been terrific, too. So, here’s Part 2 of an article that was originally meant to be a single-post piece.
With this post, we’re taking a hint that you (our readers) have been sending us. We’ve had an increasing number of readers arrive at our site after searching for how to “prove” that you are cybersecure. And, we get it. As small business owners and operators, it’s totally normal for a larger organization (an enterprise client, a bank, an investor, a partner) to ask you to “prove it” when you make a claim. And the fact that you are hunting around the web to find a way to prove it means that we need to talk about that topic more on this blog.
UNC paths have been a very handy capability over the years. Before the days of Google Drive, Box, Dropbox, etc., it was extremely common to share files within a company by letting other employees browse certain folders/files/resources hosted on your laptop/computer. Authenticated, usually. But what happens when cyber criminals construct malicious UNC paths and try to fool you into clicking? Read on to learn more.
When does an SSL certificate expire? If you go by Murphy’s law, the answer is that it expires on a day that your website administrator is on vacation, leading clients, partners, and employees to all complain simultaneously (and for good reason).