The Havoc Shield Blog
If there is one thing we’ve learned about small business cybersecurity, it’s that there are a great many operators that are afraid to ask tough questions about cybersecurity… because they are worried about what the answers might be. We specialize (tactfully, of course) in helping organizations raise and think through those tough questions — and come out the other end safer and happier. Today we’ll take on the issue of Remote Work, asking four of the tough questions that deserve to be asked, and giving you, our reader, a ray of hope that there are reasonable ways to resolve any cybersecurity loose ends made apparent by those questions. Here goes:
Many companies that have “gone remote” have decided to keep some small physical office for occasional team gatherings, customer visits, and regulatory and compliance purposes. However, that has often involved moving from a pre-existing office (often a spacious one) to a more compact one that fits the new normal. A popular request we’ve received during those transitions is for a small business network setup checklist summarizing the key information security factors in getting a new office network set up safely. Here’s our take on that.
Stating the obvious: over the past year, we’ve come to meet many people who now WFH (work from home). And, many of them rely on Xfinity router security to keep them safe. It’s long overdue that we talk about that in specific terms, about what to expect — and what not to expect — if that description matches your situation. Equally important, it might describe many employees in your organization — probably even employees that handle sensitive company information regularly.
For this particular post, we’re going to focus mostly on malicious traffic filtering, although we have much more to say about Xfinity router security and WFH threats in future posts.
Many small businesses – especially those with a web-based product or service – choose to use an outsourced Data Protection Officer to fulfill their GDPR obligations. These same SMBs are often the least inclined to outsource anything, and yet they happily choose to outsource their Data Protection Officer function. Why?
Does your company handle Sensitive But Unclassified (SBU) information in your role as a contractor of the IRS? If you do (and in some cases, even if you don’t), you’ve got IRS Cybersecurity Standards to keep an eye on. Evaluating your current approach to complying with IRS Cybersecurity Standards is a deeper topic than we can cover in a single article, but here we’ll focus on some initial steps you can take (if you haven’t already) to handle some of your most essential cybersecurity obligations.
Many small businesses end up on the receiving end of highly nuanced security and regulatory questions from clients and partners, with little in the way of internal expertise or resources to find their way to acceptable answers. One way that savvy small businesses prevail is to know the language of “big company” compliance. That way, when a question arises — perhaps one about NIST Control Families — the small business is prepared to give a contextually relevant answer about controls or compensating controls.
Many small businesses decide that they aren’t ready to hire full-time IT professionals, but still realize that they need professional help to manage their IT and IT Security needs. One click deeper into that research, small businesses often end up asking themselves what the difference is between an MSP vs MSSP. If you are in that very spot, you’ve come to the right place — in this post we’ll discuss the difference between those two types of service providers.
As we help companies in regulated industries with their cybersecurity obligations, we try to be a resource for others that are at a more exploratory phase in their journey towards compliance. One particularly misunderstood regulatory obligation that many financial institutions face is the FTC Safeguards Rule. That rule is not misunderstood by 10,000-person financial institutions, and probably not misunderstood by 1,000-person financial institutions, given the resources and expertise that they are able to leverage in their compliance efforts. But our clients tend to be the type of organizations that have several dozen to a few hundred employees, and at that organization size, very few have the resources to have dedicated on-staff cybersecurity professionals studying every nuanced regulatory obligation. And that’s where we step in.
There’s something that doesn’t feel right about most small business MSSP relationships. MSSPs, for those that aren’t familiar with the term, are managed security service providers.
The origin of many of these engagements is fine and reasonable. When a small business operator knows that they should be doing more on the infosec/cybersecurity front, but doesn’t want to hire a CISO or other security specialists, engaging an MSSP seems like a logical step. But what happens next is “too much” on many dimensions. Here’s our perspective.
If you are an operator at a startup, especially the venture-backed type, you’ve probably come across some situation that requires you to commit to a recurring IT Risk Assessment. In this guide, we’ll go deep into why this obligation tends to come about, how to fulfill it efficiently, and how to make sure that you are getting real security benefits from it rather than just security theater. A great many startups that take on an obligation to do internal IT Risk Assessments feel like they need to re-invent the wheel, figuring out what that obligation means to their specific company. There’s a good chance that startups that feel that way end up “over-thinking it” — when just a bit of knowledge about the way other companies handle it would give them a clear and efficient path to success. Out of that backdrop, this guide was born.
Thanks for following us in 2020! Here is cybersecurity in 2020, as we see it, broken down by key trend/topic.
If you aren’t yet running phishing simulations across your company, it’s time. 29% of data breaches involve phishing (source: Verizon) — it’s a problem worth resolving. We’ve covered phishing extensively on this blog. Everything from our top 113 favorite phishing simulation emails, to simple steps to help your team identify fraudulent emails, to this advanced guide showing 7 techniques we use to sniff out phishing. However, we think we’ve overlooked an important topic: what to do when an employee clicks a link on a phishing simulation email. Here are your options.
Small business cybersecurity has never been a more active topic than in 2020. We’re delighted to see the increase in attention on the needs of small businesses when it comes to cybersecurity — we’re tireless advocates for getting small businesses the tools, processes, and advice that they need to operate safely. As we look back on 2020, here are some of the statistics that helped to shape a broader awareness about the challenges facing small businesses today.
Thinking of engaging a SOC 2 auditor? Good thinking. Successful completion of a SOC 2 audit carries a great deal of credibility, especially for small organizations seeking to do business with large enterprises. Heading into your SOC 2 audit (and in fact, before you engage an auditor) you should have a SOC 2 compliance checklist in mind. That checklist should contain the things that you believe you will need to demonstrate to the auditor.
A common misperception is that the SOC 2 process is designed to help you implement additional controls and processes. Not so. The SOC 2 audit is designed to evaluate your organization’s practices, on the premise that you already have the controls and processes in place.
As the end of the year approaches, hidden annual security requirements tend to pop up at the least convenient time. Although we’re glad to spring into action to help bail out companies that have some last-minute cybersecurity obligation that needs “doing” before December 31st, we’d rather help you avoid that type of scramble altogether in the future. Here are the top ways that you can sniff out hidden annual security requirements well in advance, to avoid a scramble.
When a company’s phishing simulation emails land in the news headlines, that’s a bad thing. The recent news out of GoDaddy about a phishing simulation email that claimed to be a holiday bonus is a prime example. So is the example out of Tribune Media a few months ago. Although we don’t know the particulars about what motivated those particular phishing simulations, we do know that they were not well received, and that there are much more appropriate strategies readily available. Here are four strategies that we recommend to our clients, and that we help them implement by leaning on our massive bank of preconfigured phishing email templates (113 phishing simulation email examples).
At Havoc Shield, our Web Vulnerability Scan capability is especially popular amongst the portion of our client base that self-identifies as B2B SaaS. We’re still at a scale where we know every customer by first name and are able to ask for candid feedback about what cybersecurity concerns led them to our doorstep, so this article is a roundup of what we’re hearing from our B2B SaaS clients about what they find so essential about completing a web vulnerability scan with us.
Welcome to our post for tech startups seeking to sell cloud-based services to the federal government. As a warm welcome before getting deep into the FedRAMP Security Controls Baseline, here are a few words from fedramp.gov about the nature of the overall program:...
There are some easy email security best practices to follow when it comes to tagging emails that come in from external sources. This has become a huge topic recently because the increase in phishing attacks has made it incredibly important for employees to know whether a particular email came from an internal sender (e.g., your boss) versus an external sender (e.g., someone pretending to be your boss). Helping employees very easily distinguish between the two can be the difference between falling for a phishing attack and staying safe.
Spear phishing training is an effort to fend off the most devious form of phishing: spear phishing. Spear phishing is a phishing attack that is targeted at an individual. Not a phishing attack claiming to be from Citibank sent to a million random recipients on the hope that some of them are Citibank customers. Not a phishing attack claiming to be package delivery information from UPS sent to hundreds of thousands of email addresses. A phishing attack whose message body is unique to one person, containing context relevant to that one person.
A few years ago this type of attack was talked about but not frequently seen in the wild; now it’s seen by most of our clients, most months, but with some predictable patterns worth addressing via training. This post is our first shot at describing what we think that training looks like.