Category Archives: Security

Immediate Vault Immediate Access

Travel Risk Management for LGBTQ+ Employees

Posted on by

LGBTQ+ travelers can face unique challenges when traveling abroad—many countries do not legally recognize same-sex marriage and more than 70 countries consider consensual LGBTQ+ relationships a crime. If an employee travels on business to a country where their sexual orientation or expression of gender identity is criminalized, an extra layer of complexity is added to duty of care responsibilities. Corporate risk managers need to consider how to best protect employees in a way that doesn’t make them feel singled out, working with them to stay safe and respect local laws without compromising their own values. 

This process begins by providing up-to-date guidance on laws and cultural variations as part of an organization’s duty of care. Attitudes towards the LGBTQ+ community vary considerably around the world, and employers therefore need to shape their duty of care policies around a wide range of considerations, both legal and cultural.

Understand the Law

Risk managers need to ensure they have relevant and up-to-date information at hand to fully understand the traveler’s destination. There are nuances within each country’s legislation, and acceptance can vary dramatically even within different regions of the same country, also evolving over time. Employees need to be informed of the laws to which they will be subject at their destination before they travel. Duty of care procedures should incorporate pre-travel advice and awareness, educating employees on what to expect when on business travel as well as how to respond and whom to contact in an emergency.

Legislation may impact an employee’s behavior in a given destination and travel managers can provide advice on best practices. In the United Arab Emirates for example, transgender, gay and gender nonconforming people have been arrested for violating a law against men “disguised” as women. To the extent possible, it is best for travelers in these countries to remain in resort areas and for same-sex couples to refrain from holding hands, hugging or kissing in public.

Understand the Culture

In addition to local laws, social norms are another factor to consider for deciding whether a destination is safe. While many countries officially recognize homosexuality and allow gender confirmation measures, some communities within these “safe” countries still harbor prejudice against the LGBTQ+ community. In such environments, LGBTQ+ travelers who engage in open displays of affection with each other or appear gender nonconforming may be at risk of harassment and assault, and may also feel intimidated when reporting the incident to local police. There may be few or no local venues that provide a safe space for members of the LGBTQ+ community and the risk of hate crimes and police raids at such establishments cannot be ruled out. Travelers are advised to maintain a low profile in countries that lack full protection for the LGBTQ+ community and exercise caution about where and with whom to discuss related topics in public spaces.

Social media can also put travelers at risk. For example, while dating apps can help people connect with local members of the LGBTQ+ community when traveling or relocating for work, employees should be advised to exercise caution if they plan to use these in communities that are not LGBTQ-friendly. In Russia, where prejudice is widespread and a law against “gay propaganda” has been in effect since 2013, far-right activists and gang members have used dating apps to lure gay men to assault and extort them. Prior to travel, risk managers should advise employees to review privacy settings on social media platforms and reconsider the use of dating applications while abroad.

With some countries still refusing to accept—let alone recognize—the LGBTQ+ community, LGBTQ+ employees often feel compelled to take additional precautions that others would not have to even consider. However, corporate risk managers can help employees to stay safe while on business travel by being aware of the local laws and social norms of the destination before departure.

For other guidance on how to support LGBTQ+ employees and advance diversity, equity and inclusion programs, check out these additional pieces from Risk Management Magazine and the Risk Management Monitor:
Beyond Pride: Building Strong Diversity and Inclusion Programs
The LGBT Travel Risk Dilemma
The Benefits of Diversity & Inclusion Initiatives
Engaging Employees in Their Own Duty of Care
Developing a Strategy for Transgender Workers
The Case for Effective DE&I Training

How to Conduct Better Third-Party Risk Assessments

Posted on by

Today’s enterprises operate in a complex digital ecosystem that connects customers, vendors and partners and through which data is shared and transactions are processed. Because much of this is done through outsourcing of systems and services to third parties, many enterprises have dramatically increased the scale and complexity of their risk surface.

While companies are reliant on third and fourth parties to do business and often benefit from using such external services, these relationships also pose a risk to the enterprise’s sensitive data. Enterprises rely on these third parties to fulfill essential services and often expect them to secure the enterprise’s data in the process. Unfortunately, this does not always happen. 

According to a survey by RiskRecon, a Mastercard company, and the Cyentia Institute, third-party risk practitioners said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% claimed that half of their entire network could trigger severe impacts.

Recent catastrophic cybersecurity incidents like the SolarWinds case demonstrate that cyberrisk can come from supply chain layers beyond the company’s immediate third parties. These multi-party cyber breaches create a ripple effect and threaten to have a far greater impact than those affecting single companies.

Business leaders, third-party risk practitioners, and cybersecurity professionals are well aware of the potential impacts of third-party risk, yet many struggle to keep up. In fact, research shows that only 14% of third-party risk professionals are confident that vendors are capable of meeting third-party security requirements. Managing vendor risk can seem like an impossible problem, but the key is having greater visibility into your digital supply chain and monitoring the external parties that pose the greatest risks to your firm.

Traditional Risk Assessments vs. Continuous Third-Party Monitoring

Traditional risk assessment processes cannot fully address today’s dynamic cyberrisk landscape, as they can be difficult to validate, take a long time for both the vendor and the organization to process, and are pinned to a single point in time. Without a valid, current assessment, security teams are forced to prioritize vulnerabilities blindly, which ultimately compromises risk mitigation, and limits their value as an accurate barometer of third-party risk.

It can be easy and tempting to complete a third-party risk assessment in one month and then forget about it for another year, but third-party risk management is not a once-a-year project—it requires an ongoing program with ongoing monitoring. This may appear to be overwhelming, confusing and time-consuming. While there will always be more vendors to find, a well-structured and continuous third-party monitoring program can help your security team to prioritize.

It is also important to take action on the vulnerabilities these critical vendors produce and gain visibility into how to remediate these issues. Continuous third-party monitoring can not only help you identify and remediate risk, but can also serve as a helpful tool in communicating your organization’s security hygiene to board members or executive leadership.

Below are practical steps that cybersecurity teams and risk professionals can take to better manage their organization’s third-party cyberrisk:

  1. Ask the right questions: Build and collect security questionnaires that ask important questions about how a vendor is handling the company’s data. To better manage risk, security teams need insight into the technologies that are being used internally and externally by third parties, fourth parties, and beyond.
  2. Assign a risk rating: Based on the answers to the questionnaires, assign the vendor a risk rating. By having a clear understanding of a vendor’s security posture, the security team can then rank vulnerabilities in order of priority, so they know which issues to tackle first.
  3. Take action: Create custom-fitted risk action plans so you can immediately start engaging with your vendors on remediation. If a vendor’s cyber risk degrades or an element falls out of policy, you will be notified instantly. By having accurate visibility into supply chain risk, security teams can then use that information to make decisions about whom to share data with moving forward.

By utilizing these best practices, organizations can better manage their third-party risk, further reduce overall risk, increase cyber visibility, and improve the quality of vendor and supplier networks.

Successfully Navigating Identity Management Strategies

Posted on by

For many CISOs, overseeing identity management represents a significant challenge and a substantial component of their broader security ecosystem. In a nod to its importance, the National Cyber Security Alliance even recently kicked off the first ever Identity Management Day. It is also central to a number of critical issues that urgently need a CISO’s attention, namely data access governance, data loss prevention and cloud application security.

When navigating the vital issue of identity, the top considerations include:

Data Access Governance

Data security spans two areas of organizational risk: unauthorized data use and privacy issues associated with authorized data processes. When evaluating an identity management strategy, it is imperative to start at a high level, which includes data access governance to limit access and meaningfully reduce the risk of loss or theft.

An effective end-to-end approach provides visibility and controls to identify risk and protect sensitive information across cloud and on-premise networks while also keeping digital communications compliant. This approach involves establishing a data governance program, which includes data inventory, data mapping, needs-based permissions and, ultimately, data retention and erasure. Critical components in overall data access considerations include understanding what data is being collected, where and how it is stored, who is accessing that data, protection mechanisms in transit and at rest, and how long the data is being retained.

Proper data access governance is essential to ensuring successful digital transformation as remote/hybrid work continues, both email and cloud apps remain core communication channels, and social media continues to drive business.

Data Loss Prevention

Protecting information both at rest and in motion are important elements of another identity management issue: data loss prevention (DLP). Data is lost due to negligent, compromised, or malicious users and it is important to approach DLP in manageable terms. For example, full data classification and discovery is idealistic for many. Complete reliance on both fronts is hard, if not impossible.

Traditional data loss prevention approaches, such as full data discovery, have arduous requirements and usually involve mandatory outsourcing for development and monitoring. In fact, many CISOs only want to tackle the DLP challenge once in their career.

Fortunately, modern strategies are available to manage DLP efforts that focus on protecting the most sensitive information in terms of content type, context, and user behavior. These include systems that issue accurate alerts, reduce investigation time, and focus security teams on risky user behavior rather than solely on classification violations.

online pharmacy female cialis with best prices today in the USA

An approach that places an emphasis on user behavior, in addition to classification, is pivotal to identifying compromised accounts and phished users. Data does not lose itself, but proper DLP can stop bad actors and insider risks from siphoning critical assets.

Cloud Application Security

In a Cloud Security Alliance study of 200 IT professionals, 83% indicated that cloud security is a top area for improvement. This is not surprising in our current climate as CISOs are constantly struggling to ensure they have visibility and control over how users access and share sensitive data in the cloud. It only takes one compromised account to expose an organization to significant risk.

For example, according to a 2020 Proofpoint analysis of over 20 million cloud account users and thousands of cloud tenants across North America and Europe, attackers are increasingly abusing legitimate OAuth authorization apps to exfiltrate data and maintain persistence on specific cloud resources after compromising an account.

Over the last year, threat actors targeted 95% of organizations with cloud account compromise attempts, and more than half of organizations were successfully compromised at least once. Discovering cloud apps and reducing shadow-based IT—including third-party OAuth authorization apps—helps limit accessing and sharing data to only authorized users.

Every cloud app security broker (CASB) strategy needs to address how individuals handle data and the threats targeting them. It is imperative that threat visibility and adaptive controls extend to the most attacked people and operate effectively in the cloud.

online pharmacy avodart with best prices today in the USA

This includes deployment of multifactor authentication solutions, the ability to detect suspicious login attempts, and user education.
online pharmacy amoxicillin with best prices today in the USA

Also, deployed cloud DLP policies need to align with those for email and on-premises file repositories. Finally, DLP incident management should be centralized and span across cloud apps.

The issue of identity management will continue to play a central role in security strategies for years to come. Focusing on data access governance, modern DLP and effective cloud app security can help significantly reduce an organization’s risk.

Building Effective IT Disaster Recovery Plans

Posted on by

No matter how well-managed IT infrastructure is, there is always the risk that a tiny hiccup could ultimately turn into a real emergency. Given the increasing reliance on technology tools and access to business-critical data to continue operations, every business should have an effective IT disaster recovery plan in place to minimize disruption when disaster strikes. Risk professionals must consider and plan for this situation with regular testing and run-throughs to ensure that all team members understand the recovery plan and know their responsibilities.

As natural disaster season begins, risk professionals should assess the risks and mitigation strategies in place to minimize disruption and losses. The following tips can help ensure that IT disaster recovery plans are as effective as possible:

Plan in the Risk Management Context

Instead of thinking too much about what a disaster would mean for your company, frame your recovery plan in the context of risks. Start by examining which risks your company faces, and what steps you can take to minimize each one. This will ensure that all teams are fully aware of what the risks are, and how they can make a difference in eliminating potential problems.

Prioritize Communication

Nothing exacerbates a disaster like a communications breakdown, so all good recovery plans should focus on communication. The onset of an IT disaster could impact communication systems, so plan an alternative way of communicating with teams in the event of an emergency. Ensure that all team members know the backup communication method, and that everyone understands who they need to contact to inform them of the situation. 

Protect Data Continuity and Backups

Data continuity planning is critical to minimize losses during a crisis. At its essence, data continuity ensures companies have alternative processes and infrastructure in place to allow key IT operations to remain intact, taking into account both hardware and software. A first step is often to invest in failover systems across multiple locations as well as backup generators and power supplies, and ensuring you keep them all in working order.

Data continuity also involves backing up all important data and storing it in a location away from potential disruption. Methods range from server replication to continuous protection (continually backing up data on a separate server). For data back-ups, businesses often choose disk-to-tape or disk-to-cloud models. Either way, the most crucial element of backing up data is knowing what to replicate and what to leave. Archiving everything available can mean greater expense, but being selective can increase the risk of losing information. The rule of thumb is that, as a minimum, any backed-up data should be capable of restarting business operations from scratch.

Define Acceptable Downtime 

The amount of downtime that a company can feasibly take varies considerably depending on the company’s size and the products or services it provides. Think about how a disaster could affect your company, then decide on the steps that you’d need to take in different potential scenarios. In most cases, a few minutes of downtime rarely constitutes a total disaster, so focusing on recovery plans that can get systems back up and running as quickly as possible will help keep losses as low as possible. Cloud-based technology can be very helpful in such disaster scenarios since data is off-site and services stay operational even if your physical location is impacted.