<h1>Ransomware on the Rise</h1> <p>Posted by admin, Sat, 07/17/2021 - 23:10. <a href="/taxonomy/term/31" hreflang="en">Trends</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a></p> <article><img loading="lazy" src="/sites/default/files/2021-08/shutterstock_381764248.png" width="1400" height="700" alt="dollar bill in the shape of an upward arrow" typeof="foaf:Image" /></article>
<p>Ransomware cripples the target company’s operations, which makes it very different from an attack that only steals data. The implication of this became clear as I developed a contingency plan to pay a ransom. Before thinking through the issue, I pictured the payment as a get-out-of-jail-free card. My team does all it can to secure our systems; if we get hit, we can pay and continue operations. But that simply isn’t the case. You need a better plan.</p>
<h2><strong>Ransomware on the Rise</strong></h2>
<p>Ransomware blocks access to systems or data until you pay. It takes what would once have resulted in a breach or data loss through a phishing email or an exposed security vulnerability and systematizes how the attacker monetizes the attack. After the attacker gains control, they threaten to keep you locked out, or to disclose your data, unless you pay.</p>
<p>A recent attack on Kaseya shows how ransomware threatens both a Managed Service Provider (MSP) <em>and</em> the end customer: the attacker uses the MSP to gain access to its customers.</p>
<p>Given the financial incentive, everything about ransomware has exploded. In 2020, ransomware attacks increased by approximately 400% in developed nations, with a reported <a href="https://www.nytimes.com/2021/06/03/us/politics/ransomware-cybersecurity-infrastructure.html">65,000 successful</a> attacks, an average of one every eight minutes. The <a href="https://www.youtube.com/watch?v=UvrvImxxjNc&t=1s">FBI observes</a> that in 2013 ransomware focused on one PC at a time; now it targets entire networks or industries. A ransom demand had been hundreds of dollars, then thousands, and is now millions. Where previously a gang often worked alone, ransomware attackers now coordinate as larger cartels, sharing information and techniques more broadly.</p>
<p>The threat has become so serious that the U.S. government now offers a <a href="https://www.nytimes.com/2021/07/15/us/biden-reward-ransomware.html">bounty</a> of up to $10M for information that leads to the arrest of a ransomware gang. The government has also established a <a href="https://www.cisa.gov/stopransomware">stopransomware site</a> to keep you informed and to encourage victims to report attacks.</p>
<h3><strong>Paying the Ransom, Not a Good Option</strong></h3>
<p>There are several reasons why you cannot depend on being able to pay your way out of a ransomware incident:</p>
<ul><li><u>No guarantee of honesty</u>. Despite stories about the illicit dark web running like the Amazon store, where even the bad guys must maintain a reputation for honoring commitments, you can’t be sure that your system will be restored after you make payment. Even if your attacker wants to restore your system, the restoration process may not work, or the attack may have been irreversibly destructive. Nor can you expect any restoration to happen immediately.</li>
<li><u>Government prohibitions</u>. On October 1, 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued <a href="https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf">an advisory</a> stating that ransomware payments encourage malicious activity and could thus threaten national security. On this basis, OFAC can impose penalties for making ransomware payments.<br /><br />In a development that may hit closer to home for an MSP, states are in the process of passing laws that draw this same line. Specifically, states are evaluating bills that prohibit ransomware payments and require reporting of ransomware attacks. MSPs that serve state and local government customers will be directly impacted. Louisiana is first, with its law effective February 1, 2021.</li> </ul>
<h4 style="padding-left:60px;"><em>Effective Law</em></h4>
<ul style="padding-left:90px;"><li><a href="https://legis.la.gov/legis/BillInfo.aspx?s=20RS&b=SB273&sbi=y">Louisiana</a> (Requires registration of MSPs that service Louisiana government entities, and requires registered MSPs to report cyber incidents and ransomware payments.)</li> </ul>
<h4 style="padding-left:60px;"><em>Bills</em></h4>
<ul style="padding-left:90px;"><li><a href="https://www.nysenate.gov/legislation/bills/2021/s6806">New York</a> (Bans the payment of ransom in cyber incidents by a New York government entity or by another entity on its behalf. Requires reporting.)</li> <li><a href="https://www.ncleg.gov/BillLookUp/2021/H813">North Carolina</a> (Prohibits government entities from making ransomware payments. Requires reporting.)</li> <li><a href="https://www.legis.state.pa.us/CFDOCS/Legis/PN/Public/btCheck.cfm?txtType=PDF&sessYr=2021&sessInd=0&billBody=S&billTyp=B&billNbr=0726&pn=0829">Pennsylvania</a> (Requires an MSP “in the service” of Pennsylvania to report “discovery of ransomware or of an extortion attempt involving ransomware within one hour of the discovery.” Taxpayer money must not be used to make a ransomware payment, except in circumstances of a declared emergency.)</li> </ul>
<ul><li><u>Reputation</u>. Ransomware payments can become public, and your reputation may suffer. Moreover, the bad guys will know you pay, putting you on the radar for subsequent attacks.</li> </ul>
<p>As you consider whether to pay, your operations and those of your customers are at a standstill. Rather than be left in the no-win situation of choosing between watching your business perish and making a desperate payment that may only make things worse, have a backup plan.</p>
<h3><strong>Establish a Backup Plan</strong></h3>
<p>First off, implement appropriate safeguards to secure yourself against, and to detect, cyberattacks (e.g., two-factor authentication, phishing training, access management, etc.).</p>
<p>Then, for Plan B, establish a ransomware response plan that includes backup and restore capabilities. Such capabilities help not only in a ransomware situation but in the case of any destructive event that affects your data or systems, such as malicious insider activity, an honest mistake, or a natural disaster. As an MSP, your plans should account for customers as well as your own systems.</p>
<ul><li><u>Backup and Restore</u>. If you have a working backup, you can sidestep the ransomware attack and get back to work as soon as you restore. So create backups for your systems and data, focusing on high-value data.</li>
<li><u>Segregation</u>. Segregate the backups so an attacker can’t access them after compromising your systems.<br /><br />Segregate parts of your systems. This enables you to pull the plug on an infected area, protecting the rest of your systems.</li>
<li><u>Know where the copies are</u>. Review your systems to locate where distinct copies of data reside, even if a copy isn’t a formal backup. You can make use of such copies during a crisis.</li>
<li><u>Have a plan</u>. Have an incident response plan specific to ransomware, and periodically test it. Table-top exercises with your principal executive decision-makers are helpful, and so is testing your backup and restore capabilities.</li>
<li><u>More tips</u>. Here are suggestions for what your plan can cover: <ul><li>Replacing infected hardware, like employee laptops.</li> <li>Claiming insurance. Check your coverage.</li> <li>Following applicable law. Monitor the changing legal landscape.</li> <li>Cooperating with the government. Consider whether, and under what circumstances, you will report a ransomware attack to the government or seek assistance. The <a href="https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf">OFAC advisory</a> and <a href="https://www.cisa.gov/stopransomware">stopransomware site</a> provide contact information. OFAC may show you leniency for cooperative reporting if you end up making a prohibited ransomware payment.</li> <li>Renewing your commitment to security, especially closing the specific vulnerabilities that were exploited.</li> </ul></li> </ul>
<p>After you implement these steps, you’ll have another layer beyond cybersecurity to protect your and your customers’ business operations. You won’t need to consider making the payment, because backup and restore will be your get-out-of-jail-free card.</p>
<p><a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a></p>
<h1>Noah Webster</h1> <p>Posted by admin, Wed, 03/24/2021 - 15:40</p> <p>Chief Legal Officer</p>
<p>Noah F. Webster has served as our Chief Legal Officer since June 2018. Mr. Webster has over 15 years of legal experience in negotiating agreements, security, compliance and intellectual property. Prior to joining Zix, Mr. Webster worked for eight years at BlackBerry, serving most recently as General Counsel, Mobility Solutions, and holding other legal roles involving privacy and anticorruption legal compliance, M&A, and patent litigation. Before BlackBerry, Mr. Webster worked for Kirkland & Ellis in Chicago, where he represented and advised clients in patent litigations, trademark infringement and general intellectual property matters. Mr. Webster earned his Juris Doctorate degree from the University of Illinois College of Law and clerked with the U.S. 
District Court for the Eastern District of Michigan and the High Court of American Samoa. He began his career serving as a U.S. Army Engineer Officer. He is a graduate of the U.S. Military Academy, where he earned an undergraduate degree in mechanical engineering. Mr. Webster is a member of the bar for the states of Texas and Illinois. He also holds certification as a Leading Professional in Ethics & Compliance and is registered to practice before the United States Patent and Trademark Office.</p> <article><img loading="lazy" src="/sites/default/files/2021-03/IgMV1UlA.jpeg" width="1894" height="1536" alt="Noah Webster" typeof="foaf:Image" /></article>
<p><strong>I grew up in: </strong>Limerick and Sligo (Ireland) & Schaumburg, Illinois (USA)</p> <p><strong>Previous and Present Roommates:</strong> My wife, two kids, and a Portuguese Water Dog</p> <p><strong>When I am not at work you can find me: </strong>Playing hide-and-seek with the kids</p> <p><strong>Always in the mood to eat:</strong> Ice Cream</p> <p><strong>Something you won’t find in my bio: </strong>I’ve surfed places like Bali, American Samoa, Lake Michigan, and Cornwall</p> <article><img loading="lazy" src="/sites/default/files/2021-03/N2-g3_e8.jpeg" width="1786" height="1536" alt="Noah Webster" typeof="foaf:Image" /></article><p><a href="https://www.linkedin.com/in/noah-webster-86465510/">https://www.linkedin.com/in/noah-webster-86465510/</a></p> <div about="/taxonomy/term/45"> <h2><a href="/taxonomy/term/45">Noah Webster</a></h2> </div>
<h1>Email and Communications Archiving: Best Practices 101</h1> <p>Posted by admin, Fri, 05/14/2021 - 18:46. <a href="/taxonomy/term/15" hreflang="en">Archive</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a></p> <article><img loading="lazy" src="/sites/default/files/2021-05/best_practices_thumb.jpg" width="940" height="450" alt="scales of justice figurine" typeof="foaf:Image" /></article><p><strong><em>Co-Author: Madison Arcemont</em></strong></p>
<p>The word “archiving” conjures up images of an infinitely large room of books or computers that have been storing information forever. This image is dated, and in the age of digital transformation it is critical to think about simplifying the process of archiving electronic data. There is a fear associated with archiving that your data will be held forever, creating budget and resource pressure. But with the right processes and tools, you maintain control over your data and retention policies while creating a structure that satisfies internal business processes and external legal requirements.</p>
<h3>What data are you required to keep?</h3>
<p>There are several reasons to maintain your company’s data: you may be required by law to keep certain documents and communications, or it may be beneficial to reference them in the regular course of business. Depending on whether you need to reference data for compliance, anticipated or ongoing litigation, an investigation, or operational needs, you will need to maintain different kinds of data. When building your retention policies, start by running an audit to determine what data you create and how long it needs to be maintained.</p>
<p><strong><em>Compliance</em></strong></p>
<p>Several laws and regulations require companies to retain certain document types. For example, most companies will be covered by the Internal Revenue Service (IRS) tax audit procedures, employment laws like the Fair Labor Standards Act (FLSA), the Employee Retirement Income Security Act (ERISA), and mandates by the Occupational Safety and Health Administration (OSHA).</p>
<p>There are also industry-specific requirements. Some of these laws include the Health Insurance Portability and Accountability Act (HIPAA) for organizations handling medical information; the Bank Secrecy Act and the Equal Credit Opportunity Act (among many others) for banking institutions; and the EU’s General Data Protection Regulation (GDPR) for companies serving customers in the European Union.</p>
<p>In general, your company is required to retain corporate records such as accounting records, <a href="https://www.aicpa.org/content/dam/aicpa/interestareas/employeebenefitplanauditquality/resources/planadvisories/downloadabledocuments/ebpaqc-plan-advisory-retaining-and-protecting-plan-records.pdf" rel="nofollow">employee benefit plan records</a>, insurance records, <a href="https://www.eeoc.gov/employers/recordkeeping-requirements" rel="nofollow">personnel records</a>, and <a href="https://www.irs.gov/businesses/small-businesses-self-employed/how-long-should-i-keep-records" rel="nofollow">tax records</a>. Click <a href="https://www.icpas.org/docs/default-source/tax-practice-procedures-files/records-retention-guidelines1a841fdf38106fba827cff0000493078.pdf?sfvrsn=dd94701d_0" rel="nofollow">here</a> for a more detailed list of the documents that fit into each of those categories (compiled by a state CPA society).</p>
<p>In addition to corporate records, the SEC requires certain companies, like broker-dealers, to retain business-related communications (including work-related social media, like Slack, GroupMe, and WhatsApp). These requirements vary based on your industry and company, so consult with your HR, legal, tax, and finance advisors to ensure you are retaining records for the proper length of time.</p>
<p><strong><em>Operational needs</em></strong></p>
<p>Beyond legal compliance, data retention can support your business operations. For example, it may be beneficial for your company to maintain sales and product development reports to improve products going forward. Any documents that your teams refer to regularly should also be maintained; which ones those are depends on your company's needs.</p>
<p><strong><em>Agreements</em></strong></p>
<p>Customer or partner agreements should be maintained for at least the duration of the contractual period and a reasonable time afterwards. Your retention practices should align with what your agreements require, especially where you provide services to customers and are responsible for holding their data. These documents and their requirements are important not only if contractual issues arise, but also as a reference for the information needed to provide service to the customer.</p>
<p><strong><em>Anticipated or ongoing litigation or investigation</em></strong></p>
<p>If incidents occur within the company, internal or external, relevant documents or communications can be useful in understanding the scope of the incident. For an internal investigation, relevant documents and communications help by providing evidence of the event. For a legal incident that brings about litigation, your company will be required to produce relevant documents and communications to help the court understand the scope of the incident.</p>
<p>If a company loses or destroys evidence that is relevant to the case, it can be sanctioned for spoliation. For example, when a company received a significant number of product complaints and destroyed the relevant documents after only three years, a court determined that spoliation had occurred. On the other hand, a court held that documents destroyed in the ordinary course of business relating to a 35-year-old product (that had never been in litigation) were not spoliated.</p>
<p>The court’s decision often comes down to whether the party knew that litigation was coming, and whether the company’s data archiving policies were a factor in the data’s deletion or retention.</p>
<h3>What is a litigation hold?</h3>
<p>During a litigation hold, a company takes steps to preserve documents needed for anticipated or initiated litigation. The litigation hold directs your company to preserve data that could be relevant evidence in the case. This means that if you have an automatic deletion or archiving program in place, that program is paused so relevant documents are no longer deleted. Additionally, all employees involved are directed not to delete documents or communications that may be relevant to the case.</p>
<p>If litigation does arise or is anticipated, it is prudent to work with legal counsel to initiate and maintain a litigation hold on the company.</p>
<h3>What data can you get rid of?</h3>
<p>It is not necessary to retain indefinitely every piece of data that your organization has. While it might theoretically be possible to keep your data forever, doing so is often very costly and burdensome. Additionally, the older the data is, the less useful it becomes, so at some point it is no longer worth the cost of keeping.</p>
<p>There are also times when the law requires you to delete certain data. Some compliance requirements, related to privacy or security for example, require the deletion of certain information when it is no longer necessary or after a certain period of time. For example, if you serve customers located in the European Union, GDPR provides rules that require companies to delete personal data once it has fulfilled its purpose.</p>
<p>If your company has data that doesn’t fit any of its legal obligations, whether compliance or anticipated litigation, or its operational needs, the data can be deleted.</p>
<p>It is best practice to describe your company’s approach to retention in a documented retention policy, so that retention is managed in a disciplined way. You can use this policy to respond to third parties if you are ever required to explain why you don’t have certain documents.</p>
<h3>What are the benefits of using technology to manage data retention?</h3>
<p>While the hope is always that nothing goes wrong and litigation and investigations never arise, using technology to manage your retention will save you time and resources if problems do come up. A retention policy can be executed using a variety of technologies, such as an archiving program. With an archiving program, company admins can set up an archiving and deletion policy that automatically moves items to a user’s archive mailbox and deletes items from that mailbox after a designated time. The admin sets a retention time after which messages are moved to the archive and, later, permanently deleted from it.</p>
<p>Having an archiving program in place is one way to avoid spoliation if your organization ends up in litigation. Courts expect you to produce documents “in anticipation of litigation.” So if you have a regular archiving policy in place, courts typically will not expect you to retrieve documents handled according to that policy before you anticipated litigation. Put another way, if you practice a data retention policy (e.g., deleting emails that reach a certain age) and do not yet know about the complaint or the litigation, courts generally will not hold you liable to produce the information, and its deletion during that time will generally not be considered spoliation.</p>
<p>Archiving technology can also simplify the process of putting a litigation hold in place. If you do anticipate litigation (for example, because an incident has occurred, a complaint has been received, or legal action has been taken), the company’s admin can place a simple litigation hold that will stop the deletion of data.</p>
<p>When litigation arises, having an archiving solution will create efficiencies for your team, saving you time and resources. You can easily access everything you (and the court) need without the burden of maintaining data forever. Click <a href="/sites/default/files/2020-08/Ƶɫ_Information-Archiving_DataSheet.pdf" rel="nofollow">here</a> for more information on what Zix can archive on behalf of your organization.</p>
<h4>Also recommended for you:</h4>
<p><a href="/resources/white-paper/why-you-must-archive-all-your-business-records" rel="nofollow">Download white paper from Osterman Research “Why You Must Archive All of Your Business Records”</a></p>
<p><a href="/resources/infographic/virtual-workplace-risk-shift-proactive-compliance" rel="nofollow">Download Infographic “The Shift from Reactive to Proactive Compliance”</a></p>
<p><a href="/resources/blog/secure-modern-workplace" hreflang="en">Secure Modern Workplace</a></p>
<h1>Reaching Maturity: Using Feedback to Strengthen Your Compliance Program</h1> <p>Posted by admin, Tue, 02/25/2020 - 15:37. <a href="/taxonomy/term/64" hreflang="en">Thought Leadership</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a></p> <article><img loading="lazy" src="/sites/default/files/2021-03/Compliance.jpg" width="940" height="450" alt="man using laptop" typeof="foaf:Image" /></article><p><strong>This is the third article in a three-part series on building effective compliance programs.</strong></p>
<p>Getting your compliance program up and running is a huge accomplishment. It’s also just the first step in an ongoing process. In prior posts on building effective compliance programs, we wrote about <a href="/Resources/Blog/May-2019/Taking-the-First-Steps-Toward-Compliance" rel="nofollow">the importance of committing to compliance</a> and <a href="/resources/blog" rel="nofollow">defining your program</a>. After you’ve defined your program, don’t assume it is perfectly designed. In fact, you should do just the opposite.</p>
<p>No program is perfect, and all require improvements and updates as your company grows, regulatory rules change, and the cybersecurity landscape evolves. To “mature” your company, you need to provide oversight and monitor your compliance activities.</p>
<p>What distinguishes an advanced, mature compliance program from a basic one is the presence of a feedback loop: a method to effectively iterate on the program over and over again. Somewhat ironically, compliance programs improve significantly once companies admit that they’re imperfect and regularly in need of adjustment.</p>
<p>Feedback can come from different sources, including what you learn while investigating a report or from proactive monitoring.</p>
<p><strong>• Reporting:</strong> You receive feedback on your compliance when you investigate an issue or question raised by an employee or third-party partner. 
The issue raised is either confirmed or not, and you can use this information to refine aspects of your program. Sources of reports can include:</p> <ul><li>Discussions with HR.</li> <li>“Open-door” discussions with company leaders.</li> <li>Anonymous hotline reporting.</li> </ul><p><strong>• Monitoring:</strong> You receive feedback by looking into issues that you know are risks to your company. These can be issues you identify during a risk assessment. Such monitoring reveals how much the issue threatens your compliance and gives you an opportunity to respond proactively. Most issues will relate to code of conduct topics such as fraud, bribery, or antitrust. Examples of monitoring can include:</p> <p>• Fraud: review records and messages related to marketing spend and expense claims.<br /> • Bribery: review messages involving interactions with customers, especially government agencies.<br /> • Antitrust: review for messages exchanged with competitors.</p> <p>If such monitoring involves personal information, you should notify employees. This can be done through your company handbook or other published corporate policy.</p> <h3><strong>Building a Feedback Loop From the Ground Up</strong></h3> <p>Regardless of whether you decide to rely on investigation or monitoring (ideally both) to look for feedback, you need a source of data to draw on. But a company first establishing a compliance program may not be set up to efficiently collect and review critical data because it exists in informal channels like paper documents, emails, text messages, and social media chats.</p> <p>Technology tools serve as the foundation for efficient investigation and monitoring. 
This includes automated approval workflows (e.g., Concur or a Salesforce approval process) and advance archiving tools (e.g., <a href="/Resources/Blog/June-2019/Manage-and-Share-Content-with-ƵɫArchive" rel="nofollow">ƵɫArchive</a>) These automatically capture and store the documentation and communication you need in order to confirm you are compliant and understand the risks you face.</p> <p>Email review is critical to most investigations. Archiving provides the tools to understand that data. It can index the contents of messages, complete with metadata, for search and retrieval. Search tools are designed to be intuitive and comprehensive so a user can explore data broadly or deeply — meaning a search can be run internally without the IT team. The right archiving tool can allow you to discretely share findings among different cross-functional teams who are stakeholders in the investigation.</p> <p>To underscore the importance of technology, imagine managing compliance without it. Try tracking down, reviewing, or sharing analysis of months or years of paper files for written approvals. Or try searching an email .pst file containing 10 years of information — the results of such searching are slow, difficult to share and reproduce, and almost impossible to conduct iteratively (i.e., you have to start from scratch when following up on a new issue later).</p> <h3><strong>Keeping the Feedback Loop Constantly Spinning</strong></h3> <p>Monitoring the information inside your archives should be based on risk so you can focus and efficiently direct the use of your limited compliance resources. Reports and investigation are also important. You may be obligated to catch a reported noncompliance and mitigate. When problems are detected, it’s a good sign because it means your compliance program is working.</p> <p>The best programs that are mature and optimized have this feedback loop spinning all the time. 
The highest levels of the company receive reports on these compliance activities. The compliance team can set the performance metrics based on what they know about the company and the feedback obtained. Moreover, the compliance team can conduct additional periodic reviews of their program, such as by conducting additional risk assessments.</p> <p>As a general rule, it never pays to rest on your laurels when it comes to compliance. These fast-moving and interconnected issues change all the time. Instead of assuming you’re doing everything right, prove it. Ideally, all the evidence you need is inside an archive.</p> Tue, 25 Feb 2020 21:37:59 +0000 admin 91 at Risk Assessment – Laying the Foundation for a Strong Program /resources/blog/february-2020/risk-assessment-laying-foundation-strong-program <span>Risk Assessment – Laying the Foundation for a Strong Program</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Fri, 02/14/2020 - 15:13</span> <a href="/taxonomy/term/64" hreflang="en">Thought Leadership</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a> <article><img loading="lazy" src="/sites/default/files/2021-03/Compliance.jpg" width="940" height="450" alt="man using laptop" typeof="foaf:Image" /></article><p><strong>This is the second article in a three part series on building effective compliance programs.</strong></p> <p><a href="https://www.zixcorp.com/resources/blog/may-2019/taking-the-first-steps-toward-compliance" rel="nofollow">In our first post</a> on building effective compliance programs, we wrote about the importance of committing to compliance. But that is only the first step; the next is to standardize your compliance program with documented policies and procedures. 
In the compliance hierarchy outlined in the previous piece, this is the point when compliance goes from "fragmented" to "defined."</p> <p>A risk assessment is key to properly defining a compliance program. The assessment allows you to right-size your program with policies and procedures tailored to the risks you actually face. It results in a program that is practical, connected to the business you conduct and the highest potential threats.</p> <h3><strong>RISK-BASED APPROACH</strong></h3> <p>If it was possible to design a perfect compliance program, we would never hear about fines again. However, the undeniable fact is that compliance is extremely complicated, especially when the preservation of compliance depends on perfectly managing people and complex programs, like cybersecurity. Considering how many different threats (intentional and accidental) can compromise compliance, companies can’t expect to address them all.</p> <p>A risk-based approach is based on the principle that when threats are myriad and defenses are limited, the limited resources should be focused on stopping the biggest threats. That might mean protecting a certain class of regulated data or defending against a specific cyberattack — it’s all about deploying security wherever it will have the biggest impact. In that way, a risk-based approach helps to maximize the impact of the compliance program instead of spreading it thin.</p> <p>It also helps produce employee buy-in, which is crucial for avoiding user errors. Framing a threat/defense as the “most important” rather than as “one of many” helps to command people’s attention and make your priorities clear. Users may not become perfect at cybersecurity broadly, but they’ll probably become perfect with regards to the “top risks.” </p> <p>The most compelling case for a risk-based approach may be that it’s considered part of a best-in-class compliance program. 
If a prosecutor, auditor, or other third party evaluates the quality of the compliance program in the wake of an incident, the program will likely only be considered adequate if you've conducted a risk assessment and responded to the top risks. And if your program does pass third-party review, you may receive lesser fines and fewer required remedial actions as a result.</p> <p>The sooner you get serious about risk assessment the better. It’s relatively simple when companies are small, but it becomes harder as companies grow. Rather than trying to start from scratch later, companies should identify their top risks now, then update and expand the list on an ongoing basis.</p> <h3><strong>HOW TO LAUNCH A COMPLIANCE PROGRAM BASED ON A RISK ASSESSMENT</strong></h3> <p>As the foundation for the entire compliance program, the risk assessment needs to be conducted correctly. Follow these best practices to learn as much as possible:</p> <ul><li><strong>Design the Risk Assessment – </strong>Companies can explore their risk exposure using a variety of tools — surveys, interviews, document reviews, market analysis, etc. Start by determining what toolset best supports the assessment and provides the best supporting information. Then identify which stakeholders will be involved with providing information, conducting analysis, and leading decision making.</li> <li><strong>Research Risk Profile – </strong>Risk assessment is all about identifying anything and everything that could compromise compliance. Technical issues are high on the list, but so are things like bribery, burglary, human error, or natural disasters. How these threats rank in the risk assessment will be different for every company, but it's important that as many as possible be included. 
To put it simply, you can't accurately assess risks until you know what all of them are.</li> <li><strong>Prioritize Each Risk – </strong>Risk is measured based on several factors — the likelihood of an incident, the probability of stopping it, and the consequences if it is successful. Risks that are common, hard to stop, and highly destructive are the priorities, and everything else is ranked below them. Since you're using this list to determine how you'll deploy limited resources, it's important to be accurate and honest about your top priorities.</li> </ul><p>It’s easy to make assumptions about risk, and it’s also easy to be wrong. As we emphasized earlier, compliance programs need to be systematic, especially in the early stages. Committing to the risk assessment process isn’t always quick or simple — and it can reveal some uncomfortable truths along the way — but diligence in any phase of implementing an effective compliance program is always worth it.</p> <h3><strong>DOCUMENTING YOUR PROGRAM</strong></h3> <p>There should be a policy and procedure to cover the prioritized risks you identify. Obtain help from advisors and peers on those issues. They have been through it before and can let you know what solutions work (and which ones don't).</p> <p>One of the biggest challenges when developing a compliance program is the tendency to skip steps or overlook details when trying to progress toward goals. An easy way to balance both objectives is to benchmark existing plans, policies, and programs at other companies. Since those plans have already been tested and refined, they usually offer good ideas for the development of effective plans. 
Just be aware that the risk assessment and program documentation should be tailored to your situation; this should not be a cut-and-paste job.</p> <p>Once you know where the biggest vulnerabilities exist, your conscientious attempts to improve compliance can have great impact and economic benefits — exactly what a compliance program is designed to do for business.</p> Are You Compliant With the California Consumer Privacy Act? /resources/blog/january-2020/are-you-compliant-with-ccpa <span>Are You Compliant With the California Consumer Privacy Act?</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Thu, 01/02/2020 - 14:54</span> <a href="/taxonomy/term/64" hreflang="en">Thought Leadership</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a> <article><img loading="lazy" src="/sites/default/files/2021-03/image%20%2810%29_0.png" width="940" height="450" alt="keyboard with CCPA key" typeof="foaf:Image" /></article><p>The California Consumer Privacy Act went into effect on Jan. 1, 2020. Now that this game-changing piece of cybersecurity legislation has become law, companies need to get serious about the details.</p> <p>Does your company have one or more customers in California? If so, CCPA almost certainly affects you. The law grants individuals a right of action (basically, the ability to sue) if their unencrypted or unredacted data is stolen. That right applies even if the stolen data caused no personal harm. 
Data breaches already are scary, but the threat of class-action lawsuits makes them more so.</p> <p>More specifically, assuming you meet any of the criteria listed below, the CCPA affects data security and privacy for your business:</p> <ul><li>If you are part of a for-profit organization doing business in California that earns $25 million or more in revenue per year</li> <li>If 50% or more of your company's annual revenue comes from selling personal information</li> <li>If you sell 50,000 or more consumer records per year</li> </ul><p>Compliance with CCPA means giving California residents the right to know what personal information has been collected and whether it’s been sold, as well as the right to access and delete that information at will. Meeting those mandates won’t be easy, so we suggest you start immediately.</p> <h3><strong>What CCPA Means for Daily Operations</strong></h3> <p>The good news is, the CCPA isn’t drastically different from existing data privacy laws, most notably the General Data Protection Regulation passed in the European Union in 2018. Like its California counterpart, the GDPR requires companies to give individuals more control over their personal data. GDPR rules apply to anyone who does business in Europe, which is likely to be a large swath of companies that do business in California, too. Those companies have already done much of the legwork to comply with CCPA.</p> <p>The bad news is, the laws are not identical. For example, both involve updating privacy notices, improving opt-in/opt-out requests, and abiding by requests to delete data. Unlike GDPR, however, the California law requires companies to create a “do not sell” link that lets users restrict how their data is monetized. The devil is in the details, and companies can’t assume that complying with another set of rules ensures compliance with CCPA.</p> <p>Penalties for noncompliance are uncertain, but they’re intended to be meaningful. 
The California attorney general can levy fines of <a href="https://marketingland.com/a-marketers-guide-to-the-california-consumer-privacy-act-261703" rel="nofollow">$2,500 to $7,500</a> for each user profile handled improperly. Multiply those fines by the thousands of users typically affected by a breach, and it’s clear just how costly CCPA could become.</p> <h3><strong>Getting Compliant on a Short Schedule</strong></h3> <p>If you already have a data privacy program in place, you’re on the right path. With a few updates, you will likely be in full compliance with CCPA. If you don’t have a program, you may have a lot of ground to make up:</p> <ul><li><strong>Data mapping: </strong>Identify exactly what data you have, where it lives, and who does the processing. Understanding what data exists inside your ecosystem is a prerequisite for securing it as CCPA requires. </li> <li><strong>Data governance: </strong>Evaluate your ability to manage and monitor incoming data. Without excellent governance, companies that start compliant may struggle to stay compliant. </li> <li><strong>Data monetization: </strong>Plan how you will monetize data (now and long-term) in ways that comply with CCPA. The law creates strict mandates for monetization.</li> <li><strong>Privacy controls: </strong>Judge whether your existing privacy controls create gaps that might conflict with CCPA. If and when they do, identify how processes and technologies need to evolve to close those gaps. </li> <li><strong>Compliance management: </strong>Make a team or individual responsible for ongoing CCPA compliance. Staying within the letter of the law will take constant evaluation and adaptation — work that companies can’t afford to neglect. 
Plus, by cultivating in-house compliance experts, companies are better prepared for future data-privacy laws at the local, state, federal, or global level.</li> </ul><p>If you don’t serve California, be aware that other states are considering similar laws, and tougher privacy protections seem all but guaranteed. Therefore, everyone should take the spirit of CCPA seriously and begin preparing for a future in which data is both an asset and a liability.</p> <p>When you’re ready to get started, <a href="https://www.zixcorp.com/about-us/contact-us" rel="nofollow">contact the team at Zix</a> to properly secure all of your data and help you stay compliant with every regulation that comes to pass.</p> 4 Steps to Protect Intellectual Property from Cybercriminals /resources/blog/august-2019/4-steps-protect-intellectual-property-cybercriminals <span>4 Steps to Protect Intellectual Property from Cybercriminals</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 08/27/2019 - 14:04</span> <a href="/taxonomy/term/64" hreflang="en">Thought Leadership</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a> <article><img loading="lazy" src="/sites/default/files/2021-03/Protect-IP.jpg" width="940" height="450" alt="man holding brain image" typeof="foaf:Image" /></article><p>Intellectual property, or IP, is broader than most people expect. It includes trademarks and patents, of course, but also encompasses employee know-how, internal communications, competitive insights, and budding innovations. Overlooking how much data falls under the umbrella of IP can lead to sensitive information being exposed to unnecessary and unacceptable risks.</p> <p>Cybercriminals of all stripes target IP because it has immense value, especially compared to basic consumer data. 
IP is under such persistent attack that companies lose an estimated <u><a href="https://www.csoonline.com/article/3236790/mobile/trade-secrets-how-to-protect-ip-when-deploying-software.html" rel="nofollow">$300 billion annually</a></u>, which also leads to the elimination of 2 million jobs. The hard truth is that IP theft is and always will be on the front lines of cybersecurity.</p> <h3><strong>The Complex Landscape of IP Theft</strong></h3> <p>Companies that discover their IP has been stolen do have some legal recourse, however. The Defend Trade Secrets Act and the Digital Millennium Copyright Act empower companies to take civil action against anyone who misappropriates intellectual property. Unfortunately, neither law is perfect in practice.</p> <p>DTSA assigns a heavy penalty for IP theft — up to three times the value of the property — as long as plaintiffs can show they’ve taken adequate steps to protect their intellectual property. The most problematic aspect is that different state courts have defined “adequate” differently, leaving unanswered questions about when and how settlements are awarded.</p> <p>DMCA also has uncertainty. The law was implemented after easy file sharing on the internet began to exacerbate media theft. Consequently, it provides sweeping protections for copyrights but not for patents, trademarks, or other data that should realistically be considered IP. Despite the expansive legal framework in place, IP theft typically leaves victims with limited options.</p> <p>The simple solution would be to safeguard all IP, a monumentally difficult proposition when insiders are the biggest threat. Research shows that <u><a href="https://www.csoonline.com/article/3245310/intellectual-property/protecting-intellectual-property-against-cyberattack.html" rel="nofollow">half of all departing employees</a></u> leave with confidential information, either accidentally or intentionally. 
And when insiders are motivated to steal, their close proximity to IP makes it easy for them to bypass security controls.</p> <p>On the other side of the equation, third-party vendors up and down the supply chain can put IP at risk if they’re not trustworthy. Companies are in the difficult position of having to look both inward and outward with equal scrutiny while hoping the laws provide adequate protection. It’s a dire situation, but that doesn’t mean IP protection is impossible.</p> <h3><strong>The Key Components of IP Cybersecurity</strong></h3> <p>Don’t assume that your existing cybersecurity strategy is adequate to protect your present and future intellectual property. Fully addressing the unique vulnerabilities of this data will also require a unique strategy with regard to its protection:</p> <ul><li><strong>Address IP comprehensively:</strong> Safeguarding IP requires a constellation of protections — legal, technological, logistical, administrative, etc. It should include everything from data encryption to access controls to nondisclosure agreements. All of these measures are necessary to protect IP from every conceivable threat. Plus, courts are likelier to side with plaintiffs who are proactive about securing secrets.</li> <li><strong>Define IP clearly: </strong>All IP is sensitive, but some is more so than the rest. Start by identifying any data that could fall under the definition of IP. Then, segment that information by type of IP and level of protection needed. For instance, patents and trade secrets are both IP, but the former is public knowledge while the latter is confidential information. Systematically cataloging IP allows you to secure information according to its sensitivity.</li> <li><strong>Get aggressive about access: </strong>Because some of the biggest threats are internal, companies need to think seriously about who has access to IP in any form. 
All access points need to be identified and strictly controlled; otherwise, it’s impossible to know when trade secrets are drifting out the door. Access controls should include physical security, digital barriers, and data segregation.</li> <li><strong>Be consistent and recalibrate: </strong>As tempting as it may be to bypass protections in order to expedite workflows, a single lapse can put sensitive data in jeopardy. Outdated cybersecurity strategies can do the same thing. IP protections require regular review and revision in order to keep up with evolving threats, changes to the laws, and expanding amounts of IP.</li> </ul><p>On a fundamental level, IP is the lifeblood of your company. If your intellectual property were to fall into the wrong hands, the damage could be impossible to overcome. Instead of treating this data as merely sensitive, acknowledge it for what it really is: mission-critical.</p> Taking the First Steps Toward Systematic Compliance /resources/blog/may-2019/taking-first-steps-toward-systematic-compliance <span>Taking the First Steps Toward Systematic Compliance</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 05/13/2019 - 13:12</span> <a href="/taxonomy/term/64" hreflang="en">Thought Leadership</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a> <article><img loading="lazy" src="/sites/default/files/2021-03/Compliance.jpg" width="940" height="450" alt="man using laptop" typeof="foaf:Image" /></article><h4><strong>This is the first article in a three-part series on building effective compliance programs.</strong></h4> <p>Compliance is a pass-or-fail obligation. But achieving compliance, by contrast, can be a slow and systematic process.</p> <p>Large companies with expansive legal and HR departments can throw lots of resources at the effort. 
For small and midsize companies, however, ensuring that compliance is comprehensive and consistent tends to be more challenging.</p> <p>Smaller companies have just as much incentive to avoid the fines, lawsuits, and bad PR that come from compliance breaches. Litigation trolls and hackers target SMBs looking for weakness because SMBs have fewer resources to defend themselves. Fewer resources also mean that an SMB often lacks the staff, expertise, and time needed to fully realize and implement a disciplined compliance approach.</p> <p>Regardless of company size, however, here’s the typical hierarchy of compliance maturity:</p> <ul><li><strong>Ad hoc: </strong>Compliance lacks structure, accountability, oversight, and understanding.</li> <li><strong>Fragmented: </strong>A compliance program exists but is not documented.</li> <li><strong>Defined: </strong>Compliance program managers ensure that compliance is conducted according to a documented program.</li> <li><strong>Mature: </strong>Monitoring and oversight are in place so that the company coordinates compliance activities throughout, and compliance reports are made to the highest levels of the company.</li> <li><strong>Optimized: </strong>The company considers every decision it makes through a framework of compliance, tracking metrics and conducting periodic reviews. Meanwhile, the company engages in systematic process improvement that incorporates the compliance feedback it receives.</li> </ul><p>Deploying a vigorous compliance program can be time-consuming; however, it’s not impossible, even for companies that lack large in-house teams.</p> <p>Compliance is about having the right tools deployed in the service of a smart strategy that resembles the scientific method. A company can start with a basic hypothesis — we are compliant — that it rigorously tests and retests to validate. 
Then, when issues are discovered, the company systematically fixes them: written policies are amended, employee training is updated, and finally, the solution is tested again. Considering that compliance is a moving target, it’s essential to have a strategy that can effectively adapt.</p> <h3><strong>TAKING THE FIRST STEP: COMMITTING TO COMPLIANCE</strong></h3> <p>In this blog, let’s look at the first step a company needs to take when it comes to climbing the compliance ladder: moving from ad hoc to fragmented.</p> <p>Early compliance efforts are disjointed since procedures and roles are not defined and set. To go beyond this, a company must make the fundamental decision to become compliant. Once this decision is made, the compliance program can be built around the commitment and intent. Specifically, corporate leaders demonstrate a commitment to compliance by doing the following:</p> <ul><li>require a unified commitment to compliance across the company;</li> <li>provide periodic compliance messaging in various ways, such as by using email, video/audio messages, all-hands meetings, formal training, 1:1 conversations, and business meetings. The messaging can be simple, for example: We grow with integrity; We abide by the law; We treat each other and our customers with respect;</li> <li>participate in compliance planning and training;</li> <li>make certain employees responsible for the compliance program and hold them accountable for progress; and</li> <li>provide a personal example of how to conduct business with integrity and in accordance with the law.</li> </ul><p>In sum, commitment means sustained, active engagement in support of building the compliance program.</p> <h3><strong>NEXT UP: RISK ASSESSMENT</strong></h3> <p>In most instances, laws and regulations outline a set of rules that must be followed and outcomes that must be achieved. Then it’s up to companies themselves to determine when, where, why, and how those rules impact operations. 
Eventually, all of those insights are reflected in the companywide compliance policy, which is updated as necessary.</p> <p><a href="/resources/blog/february-2020/risk-assessment-laying-foundation-strong-program" rel="nofollow">In my next blog</a>, I will discuss the next steps on a company’s journey to compliance and why a risk assessment is necessary to create a compliance policy that is unique to the company.</p> Your IP is Under Attack: Learn How to Protect It From Every Angle /resources/blog/march-2019/your-ip-under-attack-learn-how-protect-it-every-angle <span>Your IP is Under Attack: Learn How to Protect It From Every Angle</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 03/12/2019 - 12:41</span> <a href="/taxonomy/term/16" hreflang="en">Company</a> <a href="/taxonomy/term/45" hreflang="en">Noah Webster</a> <article><img loading="lazy" src="/sites/default/files/2021-03/IP-Protection.jpg" width="940" height="450" alt="padlock on copyright symbol" typeof="foaf:Image" /></article><p>By now, it’s a foregone conclusion that intellectual property is one of the most valuable assets any company owns. Leaving this resource vulnerable is an unacceptable risk, which is why protections like nondisclosure agreements and copyright protections are considered standard. But what if the “standard” is no longer enough?</p> <p>Traditional protections largely ignore the threat of digital theft. A nondisclosure agreement should ideally prevent an ex-employee from talking about trade secrets, but it does nothing to keep sophisticated hackers from breaking into your network and stealing those secrets. In reality, cyber threats are a massive category of IP risk that has not been adequately addressed.</p> <p>Most organizations have strategies in place that are constructed to deflect hackers and lock down IP. 
The problem is that what we consider IP has expanded beyond what these defenses were originally designed to protect.</p> <p>We typically think of IP as structured data — information contained in a file with a clear format and taxonomy (like a patent). But realistically, IP is scattered throughout a company’s digital footprint. Emails, for example, are full of sensitive attachments, private conversations, internal discussions, and official information. This may not contain IP in the strictest sense, but these messages contain information that is just as relevant, sensitive, and valuable.</p> <p>If that information exists outside of the cyber defenses, it’s completely vulnerable to hackers. It’s also an obvious and easy point of attack. At most companies, the defense does not match up with the offense. As a result, IP is at risk.</p> <h3><strong>Taking a Comprehensive Approach to IP Security</strong></h3> <p>Internal IP theft is also a major concern. Recently, for instance, Uber <a href="https://www.npr.org/sections/thetwo-way/2018/02/09/584522541/uber-googles-waymo-settle-case-over-trade-secrets-for-self-driving-cars" rel="nofollow">settled a major lawsuit</a> after one of its executives was accused of stealing information about self-driving technology from his former employer, a Google subsidiary. Companies must address this threat along with the equal risk of attacks from external or unknown sources. You can ensure your IP protections are as strong as possible with these strategies:</p> <ul><li><strong>Make protection a priority: </strong>Employees can make or break your IP protection efforts. Creating policies and processes to safeguard intellectual property is important, but this spirit should really be baked into the culture. Employees need to understand how much is at stake if trade secrets are stolen or leaked. They also need to understand how many different forms IP theft can take. 
Education and training efforts do a lot to create a culture of healthy secrecy.</li> <li><strong>Institute best-in-class security: </strong>IP is a lot more valuable than a Social Security number. For instance, a Chinese company paid more than <a href="http://fortune.com/2018/11/29/9-charged-with-selling-samsungs-intellectual-property-report-says/" rel="nofollow">$13 million</a> for trade secrets stolen from Samsung. Hackers know that a big payday is on the line, so they target IP with their most sophisticated and aggressive attacks. Cyber defenses must be equally strong and effective, addressing all kinds of attacks and protecting both structured and unstructured data.</li> <li><strong>Get executive buy-in: </strong>How a company feels about its own IP is defined by those at the top. Company leaders need to understand the full value of IP, believe in the necessity of its protection, and model the kind of cautious behavior that all employees should emulate.</li> </ul><h3><strong>Rounding Out IP Protection with Zix</strong></h3> <p>Zix is a leader in email security, which is actually the cornerstone of IP protection. Consider the hypothetical email we mentioned earlier, full of at-risk confidential information whether sitting in an inbox or in transit. Without the proper strategies and technology in place, it wouldn’t take much for hackers to read the individual message or, worse, break into either inbox and steal all the IP inside. Zix helps prevent this scenario through gold-standard email encryption.</p> <p>The email inbox is also where many cyberattacks are launched. Well-crafted emails can contain dangerous links, malicious attachments, and more. With a single click, hackers can suddenly gain unrestricted access to the company's infrastructure and all the IP within. Zix uses a multilayered filtering approach to keep these bad emails out of the inbox. 
Plus, machine learning helps identify new and emerging attacks.</p> <p>Zix offers end-to-end email protection against a wide variety of threats. From defense against careless clicks to protection from hackers, the safety of your organization’s IP starts with the inbox.</p>