Don’t Get Hooked: How I Spotted a Phishing Scam

Since the start of the Covid-19 pandemic, cybercrime has increased by 600%. With that statistic in mind, my goal since I joined Ntirety has been to create awareness among clients of cyber threats such as ransomware and data loss. Although I am still new to the company, I never would have guessed I would be targeted in an email phishing scam attempt.

The Situation

I was checking my emails when I received an email that appeared to be from Emil Sayegh, CEO of Ntirety. He told me he needed me to “complete a task swiftly” and needed my cell phone number. The task was to go to the closest grocery store and buy gift cards for an upcoming presentation. Although I felt that this email was out of character, I was new to the firm and wanted to help a colleague, especially if it was the CEO. So, I drove to the grocery store and went inside to the card section. During this time, I was receiving multiple texts from “Emil” saying this matter is urgent and I should text back when I have purchased the cards.

I was looking for the card he asked me to find, three eBay gift cards with a “denomination of $200 each,” but I was still unsure about his request so I called my manager to confirm if I should buy these cards. I was told, “Don’t buy the cards. You’re being scammed.”

I was startled.

“Me? Someone is scamming me? I’ve only been with the company for three weeks; how could they get my email so quickly?”

The Reality

I didn’t believe it until I looked back at the initial email and saw this was not actually a company email address. I was indeed the target of a phishing attempt. I recently read an article about how scammers call people, pretend to be a DEA agent, and tell their victims that to avoid indictment they have to turn over money. In 2020 alone, 19.7 billion dollars were lost to phone scams.

In my scammer’s email, I was told the matter was urgent and needed to be completed as soon as possible. Although I didn’t get an outright phone call, the scammer kept on texting me until they received a response, demanding to know if I bought the cards yet.

Luckily, I trusted my instincts, reached out to my team, and didn’t follow through with the scammer’s demands, but not everyone catches the clues before it’s too late.

The Result

Since I gave my phone number to the scammer, I knew the next course of action was to get a new number. I had many important accounts connected to that phone number and, for peace of mind, I changed it. Our Director of Cybersecurity Operations, Christopher Houseknecht, recommends that if anyone responds to a scammer’s text message, especially if they provided information that the scammer was looking for, then it’s best practice to switch phone numbers.

He also shared a few basic ways to avoid a phishing scam:

  • Slow down
  • Read the email without clicking on things
  • Do NOT click on random attachments
  • Check the actual sender (MAILTO) email address, not just the display name
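The checks in the list above can be automated on a raw message. The following script is an added example and is not Ntirety’s code or a tool described in the post: it uses only Python’s standard library to pull the real sender address out of the From header, compare its domain against the company domain (the value "example.com" is an assumption), note a Reply-To that diverts replies elsewhere, and look for the urgency and gift-card language the post describes. The sample message is constructed for the demonstration and mirrors the scenario in the story.

```python
"""Flag common phishing indicators in a raw email message (added example)."""
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example.com"  # assumption: your organisation's own mail domain
URGENCY_WORDS = ("urgent", "swiftly", "as soon as possible", "immediately")
GIFT_CARD_RE = re.compile(r"\bgift\s*cards?\b", re.IGNORECASE)

# Constructed sample message imitating the CEO-impersonation email in the post.
SAMPLE_EMAIL = """\
From: "Emil Sayegh" <ceo.office.9981@free-mail.example>
Reply-To: emil.tasks@free-mail.example
To: new.hire@example.com
Subject: Quick task

I need you to complete a task swiftly. Send me your cell phone number.
Please pick up three eBay gift cards at the nearest store, $200 each.
"""

# Constructed benign internal message used as a control case.
CLEAN_EMAIL = """\
From: Jane Colleague <jane@example.com>
To: new.hire@example.com
Subject: Lunch

Lunch at noon on Thursday?
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return human-readable indicators found in the message; empty means none."""
    msg = message_from_string(raw)
    findings = []

    # The display name is free text chosen by the sender; the address is what matters.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if from_domain and from_domain != company_domain:
        findings.append(f"external sender domain: {from_domain}")
        if display:
            findings.append(
                f"display name '{display}' on a non-company address (possible impersonation)")

    # A Reply-To that differs from the From address silently redirects the conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To differs from sender: {reply_addr}")

    # Social-engineering cues from the post: pressure to act fast and gift-card purchases.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if GIFT_CARD_RE.search(text):
        findings.append("gift card purchase request")
    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Treat a message as suspicious once it trips several indicators at once."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", phishing_indicators(raw) or "no indicators")
```

A single indicator (an external sender, say) is normal business traffic; it is the combination of an executive’s name on an outside address, a diverted Reply-To, urgency and a gift-card request that should send the reader to a manager or the IT lead, which is exactly what happened in the story.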

After beating my first phishing scam, our CEO commended my manager and me for raising the red flag when we both thought the activity was suspicious. Within my first month on the job, I learned through firsthand experience the importance of checking the MAILTO email address if I suspect any irregular activity, especially if it seems out of character coming from someone I know.

Ntirety provides Security and Phishing Awareness Training that can help protect you, your coworkers, and employees from getting scammed. To get started with your own training, contact us at https://www.ntirety.com/get-started.

COVID-19 Resource Center

Ntirety is dedicated to providing the latest information and insightful industry perspectives regarding the novel coronavirus COVID-19, as well as helping businesses recover faster from this year’s unprecedented events. For quick and easy reference to all of our reporting and thought leadership on the pandemic and beyond, we have created a Resource Center featuring original articles, blogs, webinars, and more.

Check back often for our ongoing coverage of the crisis and how it continues to impact the business landscape.

Have specific questions regarding your company IT’s recovery in the new business landscape? Contact us for a one-on-one with our experts today.

Beware the Coronavirus Email Scams

COVID-19 is not the only virus associated with the global outbreak. As predictably as night follows day, cybercriminals are using the epidemic as the moment to attack.

While phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems have been a top cybersecurity challenge for years now, the increasing number of coronavirus-based phishing emails is especially nefarious as they prey on the health concerns of the public.

The Attacker Mentality

Most companies are in some sort of varied chaos due to the pandemic, from disaster recovery efforts to struggles with business continuity—the perfect setting for cybercriminals to sneak in. With the majority of enabled workforces moving remote, network traffic is coming from all over the map and IT teams are flooded with making the work from home transition possible. What better time to hide attacks in this varied onslaught of “new” traffic?

In addition, it is only human for individuals to want the latest information on the coronavirus, making them all the more likely to click on the attacker’s bait. What better place to put an attack than under the guise of “Pandemic Details?”

Cybercriminals aren’t under quarantine and are actively taking these unprecedented times as opportunities to strike.

New Risks from Multiple Angles

Warnings have been sent regarding phishing emails mentioning the coronavirus or COVID-19 outbreak that falsely appear to originate from business partners or public health institutions, but as we saw above, many normal cautionary measures are being ignored in the search for more information regarding the outbreak. Phishing emails appearing to be related to remote work or emergency planning are also becoming a popular method to collect employee user names and passwords. Fake Centers for Disease Control and Prevention (CDC) emails or other “official” communications are an especially malicious way to tempt users into opening them and infecting their IT systems.

Phishing and social-engineering campaigns using COVID-19 as a lure have greatly increased. According to a recent report, more than 16,000 new coronavirus-related domains have been registered since January. More than 2,200 of them are suspicious and another 93 are being used to serve malware.

Other activities targeting coronavirus fears include fraudulent or spoofed purchase orders for hand sanitizer or other protective equipment that result in payments or wire transfers to fraudulent accounts.

Feeding off the public’s ever-growing, legitimate concern over COVID-19, cybercriminals are taking advantage of every avenue for attack, making protecting data and systems a multi-faceted effort.

Your First Defense: Be Aware

Protecting businesses and individuals from potential attacks hiding in plain sight starts with awareness of the heightened risks in their varied forms.

Be careful and take your time to check for phishing attempts in email before opening or clicking. Look closely at who the sender is, scrutinize the subject lines and email content for red flags (example: is it an outlandish claim or obvious scare tactic?), hover over and review links before you click, double-check links or URLs, and use trusted sources.
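“Hover over and review links before you click” means comparing the text a link shows with where it actually points. The script below is an added example, not Ntirety’s code: it parses anchors out of an HTML email body with Python’s standard library, flags links whose visible text names one host while the href goes to another, and checks a URL’s host against a list of trusted domains in a way that is not fooled by a trusted name appearing as a prefix of an attacker-controlled host. The HTML sample and the "health-update.example" host are constructed for the demonstration.

```python
"""Spot display/target mismatches in email links (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Something that looks like a hostname or URL inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

# Constructed sample: the first link shows a CDC URL but points at a look-alike host.
SAMPLE_HTML = """
<p>Please review the update at
<a href="http://cdc.gov.health-update.example/login">https://www.cdc.gov/coronavirus</a>
or see <a href="https://www.cdc.gov/coronavirus">our official page</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare hostnames are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def link_mismatches(html: str) -> list:
    """Links whose visible text names a host different from the real target host."""
    collector = _AnchorCollector()
    collector.feed(html)
    mismatches = []
    for text, href in collector.anchors:
        shown = HOST_RE.search(text)
        if shown and host_of(shown.group(1)) != host_of(href):
            mismatches.append((text, href))
    return mismatches


def is_trusted_host(url: str, trusted_domains) -> bool:
    """True only if the host IS a trusted domain or a subdomain of one.

    A plain substring or prefix test would accept "cdc.gov.health-update.example";
    matching on the trailing label boundary does not.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


if __name__ == "__main__":
    for text, href in link_mismatches(SAMPLE_HTML):
        print(f"shown as {text!r} but points to {href}")
```

The same host comparison is what the browser’s status bar shows on hover; doing it in code lets a mail gateway or a user-facing warning apply it to every link before anyone clicks.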

Keep confidential information confidential. This means credentials, credit card information, or sensitive data – yours, your company’s, and your clients’. If you receive a request for a username and password, always be sure to check with your IT lead.

When shopping online, use the same method you would use when checking for phishing emails to vet any potential fraud—double check sellers and product claims, find trusted sources and verifiable reviews, and read all the fine print before handing over any personal information.

Even the best defense tools and systems still require the diligence of the human eye to stay on top of the latest threats, as cybercriminals will continue to find new, inventive ways to strike as the crisis continues.

Stronger Security from the Inside Out

Remember, “reasonable security” is still the rule of the day, but enacting and following stricter protocols is important as the pandemic wears on. Being aware of the recommended practices and security measures is the first step towards better security. See our full list of critical cybersecurity tips for working remote through the coronavirus here.

Stay vigilant—cybersecurity is not immune to the remote work risks from COVID-19.

Committing to your business’s IT security shouldn’t only be a priority during an unprecedented event, like the COVID-19 pandemic. Making sure your infrastructure, mission-critical applications, data, and employees are protected is a 24/7/365 job—and managed security partners like Ntirety can help take that burden off your internal IT team and give your entire company peace of mind.

We’re here to help win this fight together. Find out how Ntirety’s IT and Security teams can help enhance your cybersecurity posture by scheduling a Security Vulnerability Assessment today.

COVID-19: Managing Cyber Security Risks of Remote Work

With cases of the Novel Coronavirus (COVID-19) emerging in every state, many businesses are taking swift action in an effort to curb its spread.

Teleworking, “remote working,” or simply “working from home,” is a centerpiece of those efforts. While remote working arrangements may be effective to slow the community spread of COVID-19 from person to person, they present cybersecurity challenges that can be different than on-premise work.

If your business is new to these remote work situations, it is crucial to evaluate and ensure your infrastructure, applications, and data are protected—starting with the policies your company already has in place for cybersecurity and business continuity.

Evaluate Current IT Policies

Review your current IT security and similar IT policies to determine if there are any established security guidelines for remote work, especially remote access to company information systems. Some organizations may have policies specifically geared for remote work, while others may provide for contingencies in disaster recovery plans, BYOD (bring your own device) policies, and other similar plans and policies.

It is important to identify where gaps in your security policies may be hiding and cover any vulnerabilities early.

Below is a list of considerations and tips to help guide your business through new cybersecurity challenges your business may be facing with a new remote workforce.

Remote Work Cybersecurity Tips

  • Educating every company employee on security measures (pre-existing or new for remote work) is critical to the safeguard of access to information and mission-critical systems. This can often include confidential information, protected intellectual property, proprietary product information, customer information, employee files, and other personal data.
  • Do not allow sharing of work computers and other devices. When employees bring work devices home, those devices should not be shared with or used by anyone else in the home. This reduces the risk of unauthorized or inadvertent access to protected company information.
  • Company information should never be downloaded or saved to employees’ personal devices or cloud services, including employee computers, thumb drives, or cloud services such as their personal Google Drive or Dropbox accounts.
  • Be sure all employees reboot their computers to ensure that all versions of software are up to date with all necessary patches.
  • Be on the lookout for phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. There are an increasing number of Coronavirus-based phishing emails going around, preying on the health concerns of the public, with a variety of COVID-19-related topics such as general financial relief, airline carrier refunds, fake cures and vaccines, fake testing kits, and/or claiming to be related to government or charitable organizations. With the approval of the economic stabilization package, you must be especially wary of any emails asking you to verify your personal information to receive funds from the government as well.
  • Sensitive information, such as certain types of personal data (e.g., personnel records, medical records, financial records), that is stored on or sent to or from remote devices should be encrypted in transit and at rest on the device and on removable media used by the device.
  • A key to cybersecurity when working remotely is coordinated visibility of IT systems. Using tools and processes like log review, attack detection, incident response and recovery gives businesses a proactive stance when it comes to protecting data. For companies that don’t have these measures already in place before shifting to a remote workforce, engaging with cybersecurity partners to provide managed services can relieve internal teams already stretched thin from the pandemic. Ntirety’s Security Operations Center (SOC) provides this peace of mind through trusted services to monitor and mitigate any issues that may arise.
  • Implementing Multi-Factor Authentication (MFA), sometimes referred to as Two-Factor Authentication (2FA), adds multiple layers of access security by going beyond simply asking for a username and password. Users must provide additional credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or even facial recognition. MFA is also often a requirement to meet compliance standards, which companies must continue to uphold through remote work situations.
  • Virtual Private Networks (VPNs) ensure that internet traffic is encrypted, especially if connected to a public Wi-Fi network. If your organization already uses VPN, make sure it covers all departments and all employees. If your company does not use VPN, it is crucial to the security of your business IT to implement this remote work tool. Learn more about VPN and other IT solutions that make remote work more secure and streamlined here.
  • Additional security measures, such as email filtering, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and User Behavior Analytics, just to name a few, can bolster a cybersecurity team by automating some of the necessary monitoring and defense responses. Once up and running, these tools and processes can give time and focus back to internal IT teams to help their company manage the new remote workforce reality COVID-19 has brought upon us all.

Following Best Practices is the Best Defense

Whether working remote or in-office, following and integrating these cybersecurity tips into company-wide IT policies will help protect your business’s data while helping employees protect themselves from coronavirus through social distancing.

Above all–stay vigilant. Cybersecurity is not immune to the remote work risks from COVID-19.

Learn more about ways your business can boost your IT security for the remote workforce and beyond. Contact Ntirety’s IT experts to start building a stronger cybersecurity policy today.

Ransomware Response – The Confluence of Security and Disaster Recovery

If at least one major threat could be taken off the table of the cyber-threat landscape, the world would be a better place.

Eradicating ransomware is a wish list item that the technology industry pushes hard to achieve. Despite valiant efforts, the prevalence of ransomware continues its rise. Even the best technologies, combined with awareness campaigns, can only stem the tide of this threat. It is extremely difficult to prevent these incidents from happening, but we can prevent ransomware from mattering through a focused recovery strategy.

Growing Attack Numbers, Growing Risk

Many have become immune to the shock of these attack stories but the recovery costs remain staggering for this digital plague. Reports indicate that the total estimated cost of US ransomware attacks for 2019 was over $7 billion with the average recovery cost of $1.4 million per attack for an individual organization.

Even industry giants are vulnerable—manufacturer Visser Precision reported in early March 2020 that it was hit by ransomware DoppelPaymer, which began publishing breached data online from Visser customers including Tesla, SpaceX, Boeing and Lockheed Martin. Their case is still ongoing.

Ransomware is a common doctrine for cybercriminals and state-sponsored parties because mobilizing a cyber-offensive army is one of the cheapest threats to leverage and develop. A rogue nation or criminal operation does not need to buy tanks, airplanes, or organize the logistics that come along with an offensive operation—these operations can inflict maximum damage with digital currencies, credit cards, and an internet connection. Cyberwarfare and ransomware attacks have become a great equalizer against enterprise security on the battlefront for global power and influence.

Shifting Definition of “Disaster”

In many ways, the definition of a “disaster” has changed in the IT landscape. At one time, the concept of disaster recovery incorporated absorbable risks, a calculation that IT could put together and plan around. For example, there’s a probability that can be determined of a hurricane affecting a Florida datacenter, a tornado-alley storm knocking out power to a corporate IT center, “Billy-Backhoe” cutting a non-redundant fiber route during nearby construction…

These are disasters that businesses can envision, establish recovery plans for and have a general sense of when they are most likely to occur. Even with the current global pandemic COVID-19 coronavirus, organizations can take proactive measures through cloud-based tools and business continuity plans to combat the potential risks to customers, employees, and the company as a whole before disaster truly strikes.

But ransomware differs in that it can come at any time, from anywhere, and once an attack hits, an outage can effectively shut a business down for days, even weeks on end. The ransomware threat is virtual and therefore mobile, and its timing is less easily predicted, yet its impact can be as great as, if not greater than, the physical disasters people have long contemplated. Fortunately, some of the same recovery tactics we have long considered can be perfect tools for a speedy recovery – one that does not involve paying a ransom.

Standard Disaster Recovery Services, when offered in an indexed manner, can enable restoration to a prior version of an application or environment replicated before infection by ransomware. In usual Business Continuity planning you strive for the lowest tolerable RPO (Recovery Point Objective) and RTO (Recovery Time Objective), whereas in a ransomware situation a company may accept a longer RPO to lower the RTO. Basically, one would sacrifice some data accumulated between when the ransomware was placed and when it was triggered. While there would no doubt be data loss, the functional recovery of the system(s) could be much quicker—and with no ransom paid. Such disaster recovery planning involves increased storage of version snapshots and may drive up some costs. However, the ever-decreasing cost of storage and the ever-increasing frequency of ransomware “disasters” will drive a confluence of Security and Disaster Recovery considerations henceforth.
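The RPO/RTO trade-off above comes down to one question during an incident: which is the newest snapshot taken before the ransomware was placed, and how much data does rolling back to it cost? The script below is an added example, not Ntirety’s recovery tooling: given an indexed list of snapshots, the estimated time the malware was placed and the time it was triggered, it picks the latest clean restore point and reports the data-loss window, and it makes the failure mode explicit: if the retention window is shorter than the attacker’s dwell time, no clean snapshot exists. The snapshot schedule and timestamps are constructed for the demonstration.

```python
"""Choose a pre-infection restore point from indexed snapshots (added example)."""
from datetime import datetime, timedelta


def daily_snapshots(first_taken: datetime, count: int) -> list:
    """Build a constructed index of daily snapshots as (snapshot_id, taken_at) tuples."""
    return [
        (f"snap-{first_taken + timedelta(days=i):%Y-%m-%d}", first_taken + timedelta(days=i))
        for i in range(count)
    ]


def choose_restore_point(snapshots: list, placed_at: datetime, triggered_at: datetime) -> dict:
    """Return the newest snapshot taken before the malware was placed.

    Rolling back to it accepts a longer RPO: everything written between that
    snapshot and the trigger time is lost, reported here as data_loss_hours.
    """
    clean = [(sid, taken) for sid, taken in snapshots if taken < placed_at]
    if not clean:
        return {
            "snapshot": None,
            "data_loss_hours": None,
            "reason": "no snapshot predates the infection; retention is shorter than dwell time",
        }
    best_id, best_taken = max(clean, key=lambda s: s[1])
    loss = triggered_at - best_taken
    return {
        "snapshot": best_id,
        "data_loss_hours": loss.total_seconds() / 3600,
        "reason": None,
    }


def minimum_retention_days(dwell_days: float, snapshot_interval_days: float) -> float:
    """Retention needed to guarantee a clean snapshot for a given dwell time."""
    return dwell_days + snapshot_interval_days


# Constructed scenario: daily 02:00 snapshots, malware placed on 4 March at 15:30
# and triggered on 10 March at 09:00 (about six days of dwell time).
PLACED_AT = datetime(2020, 3, 4, 15, 30)
TRIGGERED_AT = datetime(2020, 3, 10, 9, 0)


def run_scenarios() -> dict:
    """Two retention policies against the same incident, for comparison."""
    long_retention = daily_snapshots(datetime(2020, 2, 25, 2, 0), 15)  # 25 Feb .. 10 Mar
    short_retention = daily_snapshots(datetime(2020, 3, 8, 2, 0), 3)    # 8 Mar .. 10 Mar
    return {
        "fifteen_days": choose_restore_point(long_retention, PLACED_AT, TRIGGERED_AT),
        "three_days": choose_restore_point(short_retention, PLACED_AT, TRIGGERED_AT),
    }


if __name__ == "__main__":
    for policy, result in run_scenarios().items():
        print(policy, "->", result)
```

With fifteen days of snapshots the clean restore point is the 4 March 02:00 copy and the accepted loss is roughly six days of data; with three days the index holds only infected copies, which is why the article argues that ransomware pushes retention (and its storage cost) up.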

Being thoroughly prepared for any disaster can be outside the bandwidth of an internal IT team, which ideally should be focused on tasks and initiatives that drive business value. Even with plans in place, threats at the forefront of the latest IT innovation are often one step ahead of traditional disaster recovery and business continuity strategies.

Working with an IT partner solely focused on formulating and ensuring the most up-to-date DR plans takes the burden off internal teams. Ntirety alleviates this stress through a tried-and-true process, starting with an in-depth assessment, continuing with testing and implementing end-to-end recovery tactics, and all the way through 24x7x365 support in case of any issues that may arise. From platform management to continuous data protection and architecture design, Ntirety’s Recovery Services empower you to provide continuous and first-rate service to your customers and stakeholders. Overall, Ntirety aims to deliver true peace of mind.

Ready to make the threat of ransomware one less thing your IT team has to worry about? Start your business on the path to IT resiliency and schedule a Ntirety Vulnerability Assessment today. 

Ntirety Achieves Major Compliance Attestations in First Audit After Merger

Continuing Compliance Excellence

Ntirety is pleased to announce that it has successfully achieved 2019 compliance attestations for PCI, SOC 1, 2, & 3, and HIPAA. With the start of the new year, Ntirety continues to uphold high compliance standards after the merger.

See the official press release here»

Beyond Ntirety as an enterprise demonstrating compliance with PCI DSS, this attestation includes certification of our services so clients electing to use these managed services can rely on Ntirety’s AOC to meet specific controls for their PCI requirements.

  • Antivirus/Anti-spyware Service
  • Backup Service
  • File Integrity Monitoring
  • Multi-Factor Authentication
  • Threat Management
  • Vulnerability Scanning Service
  • Web Application Firewall
  • Availability & Capacity Monitoring
  • Patching Service
  • Database Management
  • Vulnerability Management
  • Logging Service
  • IDS/ Service
  • Encryption Service

Meeting all regulations for PCI, SOC 1, 2, & 3 and HIPAA was an opportunity to showcase our people, process and technology. Throughout the assessment cycle, our tireless team stood front and center working with our assessors, Online Business Systems and Linford and Company LLP.

Ntirety’s Hardworking Experts Make Compliance Achievable

Our teams displayed layers of expertise as more than 50 of our SMEs presented our processes and technologies to the assessors, all while their Ntirety peers supported them through various efforts over the 4-month period.

This achievement is a great example of the continuing excellence Ntirety brings to the managed IT solutions market. With the focused efforts and support of our cross-functional teams, we forge ahead with other ongoing compliance assessments and continue to deliver exemplary—and compliant—services to reduce risk and increase agility for modern enterprises.

Learn more about Ntirety’s Compliance-as-a-Service solutions.

Ready to get the support and guidance your enterprise needs to meet compliance? Schedule a consultation today.

Security Threats are Changing…Has Your Protection?

Introducing the New Managed Security Service from Ntirety

In today’s enterprise business world, if a company hasn’t gone through or started a digital transformation yet, it’s clear the organization is falling behind. As the enterprise market sprints towards the next iteration of IT, the hurdles ahead are becoming more apparent—but companies may already be stumbling without the proper security to keep up with evolutionary challenges.

To bridge this growing gap between same-old security and what companies need today, Ntirety has created the next generation of protection with our new Managed Security Service. Designed to meet the critical needs of enterprise IT teams, this new offering comes from our extensive research into where the most detrimental gaps arise from, the tools needed to fill them, and how this next generation of security is vital for data and infrastructure protection.

Innovation, Infiltration, Exploitation

Artificial intelligence and machine learning are now more accessible as enterprise tools and are creating equally accessible avenues for attacks. Other emerging threats like cryptojacking, cross-site scripting, and compromised IoT devices present critical dangers that previous IT security measures never had to consider. This opens the door for malicious intruders to hack their way in over time. For example, it was recently discovered that a cryptojacking attack targeting a water utility company in Europe was responsible for malware discovered in the background of the company’s industrial control system, quietly disabling the system’s defense tools and taking control of its applications. Opportunities to attack are cropping up in new places—from personal devices to enterprise infrastructures—and the risks are often hard to spot until it’s too late.

Internal security concerns are also on the rise, whether businesses realize it or not. From unscrupulous employee hacking to unwittingly relaxed practices regarding sensitive information, security risks are spilling from the inside out. Even third-party providers, who have access to other organizations’ internal systems, are vulnerable to their own breaches, causing a ripple effect for hacker access, and have led to several big-name brands becoming the subject of some shocking data breach headlines. From internal risks to access issues, a lack of adequate security opens the door to many different avenues of attack.

With the push to adopt new technologies, the focus is often on implementation, but the question remains: is properly securing infrastructure and data becoming an afterthought during these transitions?

More In-Depth Reporting is No Longer a Nice-to-Have—It’s Essential

IT security has come a long way from reactive defenses to proactive detection, but not every Managed Security Service Provider (MSSP) can meet the skyrocketing demands and more advanced standards for effective data protection.

To truly learn from the information captured through log data, companies are craving more context from MSSPs. While the quantity of collected logs, alerts, and escalations once met security expectations, staying ahead of future threats now requires quality insights and inferences to make a difference for organizations. Understanding the threat intelligence associated with the events—including potential attribution, motivation, and even the next steps of an adversary—is a critical component of security and has become an insight that few MSSPs can provide. The greater understanding of threats and of an organization’s own systems that a security program can provide will in turn reduce the waves of arbitrary alerts and notifications. More actionable alerts with fewer unnecessary interruptions give companies more focus on their business goals, rather than on sorting out which notifications need to be taken seriously. Reducing risk while increasing business agility is the formula enterprise companies need to stay ahead.

How Ntirety Managed Security Services Meets This Need: With this new service, enterprise companies gain access to full, real-time reporting of incidences directly from analysts at dedicated Security Operation Centers (SOCs), in-depth explanations of alerts/risks, and recommendations on how to mitigate attacks as they are detected. This expeditious service and accompanying insights are possible in part due to Ntirety’s dedication to understanding each client’s individual needs and challenges. From networks to human bandwidth, Managed Security Services are tailored through close collaborations between dedicated teams. Ntirety truly becomes the reliable, proactive partner enterprises need for comprehensive, customized protection.

Slow, Inefficient Communication Leads to Chaotic Escalations

From big-picture perspectives and proactive measures to the tactical practices necessary to tackle today’s threats, most MSSPs can only cover some of what’s truly needed. Longtime MSSP clients know that most incident response workflows used to start with an email, then included a ticket and the occasional phone call when necessary—a cumbersome system that slowed responses against increasingly insidious infiltrations. But automation, remediation, and chat capabilities have revamped the escalation process to create real-time collaborative war rooms during critical events.

How Ntirety Managed Security Services Meets This Need: To prevent issues before they even arise, our next-generation security offering provides managed detection and automated reactions for rapid responses. This Deep Packet Inspection service—coupled with advanced application policy configuration—keeps networks free from unwanted traffic. Defending networks from edge to endpoint, Ntirety’s modern firewall services amplify the firewall itself, taking IT security to the next level.

See how standard security practices compare to Ntirety’s Managed Security Services

Stay Ahead of Threats–and the Competition–with GLAs

It has become abundantly clear that the threat environment and what companies expect from MSSPs are only expanding. Enterprise organizations require more than just an average Service Level Agreement (SLA) to protect systems from all threats—they also need to consistently gather insights and adjust course for better security as technology risks evolve.

How Ntirety Managed Security Services Meets This Need: Only Ntirety offers an industry-exclusive Guidance Level Agreement (GLA). Paired with Ntirety’s Monitoring Insights service, Managed Security builds the next-level layer of protection that simultaneously helps companies achieve better business outcomes. Ntirety’s solutions enable the transformation from a reactive security posture to a future-ready, agile enterprise.

An industry first, Ntirety’s GLAs provide:

  • Three actionable recommendations provided on a quarterly basis (or as dictated by your SOW) to reach desired business results
  • Trusted commitment to availability, performance, security, and cost
  • Business insights reviews on a business-specific basis
  • Commitment to a defined, measurable level of quality, availability, or responsiveness

Ntirety Managed Security Services with the included GLA gives enterprise organizations consistent and iterative improvement and optimization over time with the assurance of stability and—most importantly—unmatched security.

Next-Level Threats Demand Next Generation Security

With new risks appearing every day, from internal oversights to malicious hacking, businesses can’t afford to leave IT security as an afterthought. The more advanced technology becomes, the more sophisticated attackers become, leaving enterprises overwhelmed with the complexities of modern IT security. Protection is possible, and detection and insights make prevention achievable with the right proactive partner.

Want to stay ahead of security threats and protect your data? Schedule a Ntirety Vulnerability Assessment today.

Stricter Data Privacy Regulations Start January 2020. Is Your Business Ready for CCPA?

Cybersecurity and data protection are top priorities for the modern enterprise, and the concern is growing for today’s consumers as well. Beyond best practices and self-imposed processes, certain governing bodies can require organizations to meet even higher security standards through different compliance initiatives, such as HIPAA, FERPA, or GDPR. Starting in 2020, California companies will be adding California Consumer Privacy Act (CCPA) to their list of regulatory requirements—and the rest of the country may not be far behind in adopting this new consumer privacy bill.

Recognizing the Need for New Compliance Standards

The need for these new compliance measures is outlined within the bill’s text, stating that “California law has not kept pace with [technology] developments and the personal privacy implications surrounding the collection, use, and protection of personal information.” Sparked by the “devastating effects for individuals” through the “misuse” of data by Cambridge Analytica and other data breaches, CCPA intends to enable California consumers to “exercise control over their personal information” with “safeguards against misuse of their personal information.”

Protecting and empowering consumers is a key component of building trust and long-lasting relationships with customers, but is your organization ready to comply with CCPA requirements?

What is CCPA?

Passed on September 13, 2018 and effective on January 1, 2020, the California Consumer Privacy Act, or AB 375, will require organizations to focus on user data and provide transparency in how they’re collecting, sharing and using such data. This new privacy law grants any California consumer the right to:

  • Know what personal data is being collected about them
  • Know whether their personal data is sold or disclosed and to whom
  • Say no to the sale of personal data
  • Access their personal data
  • Request a business delete any personal information about a consumer collected from that consumer
  • Not be discriminated against for exercising their privacy rights

Like GDPR and other compliance measures, CCPA is designed to advocate and support individual consumers in this ever-evolving IT environment.

Does Your Business Have to Comply with CCPA?

Any for-profit organization doing business in California that collects consumers’ personal data and meets any of the following qualifiers must comply with CCPA:

  • Has annual gross revenues in excess of $25 million
  • Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

While the current compliance requirements are limited to California, this new privacy law could signal the beginning of a nationwide change, similar to GDPR regulations in Europe.

What are CCPA Requirements?

For businesses that must adhere to CCPA law, compliance breaks down into 5 main requirements:

  1. Data inventory and mapping of in-scope personal data and instances of “selling” data
  2. New individual rights to data access and erasure
  3. New individual right to opt-out of data selling
  4. Updating service-level agreements with third-party data processors
  5. Remediation of information security gaps and system vulnerabilities

Companies already following GDPR guidelines will have a bit of a leg up in becoming CCPA-compliant, since the two privacy measures overlap in certain areas. But meeting all the requirements of the new CCPA standards will still take diligence, even for those already compliant elsewhere, and any gaps will face new consequences.

CCPA Penalties and How to Avoid Them

As with any compliance enforcement, violating the CCPA comes with a price tag. Under Section 17206 of the California Business and Professions Code, penalties are $2,500 for an unintentional violation and $7,500 for an intentional violation. Yet the real potential impact for organizations under CCPA comes from consumers’ ability to sue companies if CCPA guidelines are violated, even without any evidence of actual damage. The new privacy law will allow individuals to recover between $100 and $750 per incident, or more if there is solid evidence that damages exceed $750.

Preparing for CCPA—and mitigating the risk of penalties—is possible through steps like data mapping, third-party assessments, revamping internal privacy policies, and studiously monitoring for compliance updates. Designating a risk or compliance lead within organizations to initiate modifications to meet and maintain the CCPA standards is the ideal way to stay on top of not only CCPA but all other necessary compliance guidelines.

But, understandably, not all enterprises can assign new responsibilities or roles to meet the upcoming CCPA compliance mandates. Partnering with trusted cybersecurity and compliance experts can lift the new burden of assessments, adjustments, and ongoing maintenance required by California’s privacy bill. Even businesses outside the Golden State must start evaluating their own plans to tackle heavier compliance measures. Engaging with managed IT compliance partners today will save you from scrambling to understand new policies and procedures later.

Ntirety Delivers Leading Compliance-as-a-Service Solutions

As a leading HIPAA-compliant, HITRUST- and PCI-certified service provider with 20 years of industry experience, Ntirety is a trusted partner and knowledgeable resource positioned to guide enterprises through the next wave of compliance requirements with CCPA.

Through our unique Compliance-as-a-Service (CaaS) offering, organizations can take advantage of Ntirety’s compliance experts in a number of different ways depending on each individual company’s level of resources, budget, and assistance needed. Ntirety’s CaaS provides guidance from the very beginning, interpreting the often complex and frequently changing compliance requirements and identifying the gaps in current policies and procedures that could lead to failing an audit. In-depth advisements help further prepare companies for risk assessments and compliance audits, and free an organization’s valuable time and resources to focus on business goals beyond complying with requirements.

Dedicated to keeping businesses secure and compliant, Ntirety provides a proven track record to help companies avoid penalties, reduce risk, optimize IT costs and enable the future-ready, agile enterprise.

Ready to find your compliance officer? Schedule an assessment to find out what Ntirety can do for your business.


Security Gap Gives Hacker Access to 100 Million Bank Customers’ Personal Information

Capital One is the Latest Enterprise to Hit the Headlines Over a Data Breach

On Monday, July 29, 2019, Capital One Financial Corp. announced that more than 100 million of its credit card customers and card applicants in the U.S. and Canada had their personal information hacked in one of the largest data breaches ever.

Paige Thompson, a software engineer in Seattle, is accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information. The Justice Department released a statement Monday confirming that Thompson has been arrested and charged with computer fraud and abuse.

As the CISO of a global IT solutions provider, I am always hesitant to comment on these situations because if it can happen to one of the biggest players in the industry, then everyone is at risk. Bad actors have unlimited time, resources and motivations—that’s why advancing a cybersecurity program is critical to every organization’s maturity process. We, the cybersecurity community, must do better collectively.

While the Capital One data breach is staggering with more than 100 million affected, this is just another event in a long list of massive data incidents during recent years, including Equifax, Marriott, Home Depot, Uber, and Target. Adding to the list of compromised information, “improper access or collection of user’s data” like Cambridge Analytica or WhatsApp have also made recent unsettling headlines.

Don’t Wait for Hackers to Find the Vulnerabilities from Within

Court filings in the Capital One case report that a “misconfigured web application firewall” enabled the hacker to gain access to the data. As infrastructures, support structures, and data flows become more complex, the need for security and visibility increases exponentially. Fundamentals like asset management, patching, and role-based user access are critical and cannot be overlooked.

These pillars of protection are achievable with the help of experienced partners, like the managed security experts at Ntirety, focused on finding and filling any gap in existing infrastructure and applications.

Learn more about how Ntirety’s Managed Security services can be the better shield for your data against hackers.

Take Charge on a Personal Level by Using a Passphrase

Even with all the internal work and effort businesses put towards protecting data, consumers should still take precautions and be proactive in protecting their identity. Never give personal information out over the phone, even if the caller appears to be from a reputable organization like Capital One. Phishing scams through calls, emails, and text messages are only increasing. Even offers for IT protection from unvetted parties can be attempts to gather or “fill in” additional information for malicious purposes.

One of the quickest ways to boost protection of your personal information is to change your password to a passphrase. Create a great passphrase in three easy steps:

  • Use a passphrase that is personally *meaningless* (nothing a stranger could guess from your social media)
  • Or use a pseudo-random, mixed-character password of at least 15 characters
  • Pick a minimum of 4 words, chosen RANDOMLY

Simply combining random words (like DECIDE OVAL AND MERRY = Decide0val&andmerry) can build a new passphrase far more secure than “12345” or “password1”.
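The passphrase advice above, turned into a small generator as an added example (this is not code from the original post or from Ntirety). It draws words with Python's `secrets` module, which is the CSPRNG-backed choice for security-sensitive randomness, and it shows why "pick at least 4 words, randomly" matters by computing the search space an attacker faces. The 32-word list is constructed for the example so it runs offline; a real generator would use a large published list such as a diceware list, and the 7,776-word figure in the usage note assumes a list of that size.

```python
import math
import secrets
import string

# Constructed sample word list (32 entries, so each pick is exactly 5 bits).
# A real generator should load a large published list; this one exists only
# so the example runs offline.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "basket", "copper", "desert", "engine", "forest", "glacier",
]

# Character set for a "pseudo-random mixed" password: letters, digits, punctuation.
MIXED_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_word_passphrase(words, count=4, separator=" "):
    """Join `count` words picked uniformly at random with a CSPRNG.

    The post's rule is a minimum of 4 words; enforce it so a caller cannot
    silently weaken the result. Words may repeat, which is fine: choosing
    with replacement keeps every pick independent and the entropy math exact.
    """
    if count < 4:
        raise ValueError("use at least 4 words")
    if not words:
        raise ValueError("word list is empty")
    return separator.join(secrets.choice(words) for _ in range(count))


def random_mixed_password(length=15):
    """Build a pseudo-random mixed-character password (post's alternative option)."""
    if length < 15:
        raise ValueError("use at least 15 characters")
    return "".join(secrets.choice(MIXED_ALPHABET) for _ in range(length))


def entropy_bits(choices_per_position, positions):
    """Entropy of `positions` independent uniform picks from `choices_per_position`."""
    return positions * math.log2(choices_per_position)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every possibility at a given rate.

    Purely illustrative: the guess rate depends entirely on how the verifier
    stores the secret (a slow password hash makes this number much larger).
    """
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = random_word_passphrase(SAMPLE_WORDS)
    print("passphrase:", phrase)
    print("mixed password:", random_mixed_password())
    # Compare the search spaces of the two options in the post.
    print("4 words from this 32-word list:", entropy_bits(len(SAMPLE_WORDS), 4), "bits")
    print("4 words from a 7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    print("15 mixed chars from 94 symbols:", round(entropy_bits(len(MIXED_ALPHABET), 15), 1), "bits")
```

Two things the numbers make visible: with a short word list, four words give only 20 bits, which is why the size of the list (not the length of the words) drives passphrase strength, and with a 7,776-word list the same four words reach about 51.7 bits. Note that the post's `Decide0val&andmerry` transform adds little if the substitutions are predictable; the random choice of words is what carries the strength.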

Let Partners Provide You Peace of Mind Against Security Threats

While every individual should be an active participant in protecting their identity and personal data, enterprise companies can’t ignore the devastating regularity of these hacks and breaches. IT security is a crucial component for any modern business, and equally important is the constant vigilance to keep those security measures validated and updated. Vulnerabilities emerge with every new technological advance, making an experienced partner to keep a steadfast watch necessary to allow organizations’ own IT teams to focus on innovation and business goals.

Ntirety’s Managed Security services bridge the gaps every company faces as systems, tools, and data grow rapidly. Expert monitoring, risk reduction, and mitigation from trusted IT partners empower internal teams to focus on pushing business forward. Don’t trust that your basic security is enough to keep your company out of the hacker headlines; get real peace of mind with cybersecurity experts like Ntirety watching your backend systems, infrastructure, and applications.

Schedule a consultation with Ntirety today to proactively protect your data from hacker threats and data breaches.

Top 4 Hybrid Cloud Use Cases

For today’s enterprise business, a wholesale migration to the cloud likely isn’t the right solution. From firsthand experience since the early days of the cloud, we witnessed that a lift-and-shift migration of traditional workloads to cloud services didn’t deliver the expected benefits, whether those were reduced cost, better resiliency, or increased performance. Sometimes a hybrid deployment could improve the outcome where public cloud alone couldn’t deliver. We thought this might be a transitional state while cloud technologies matured.

Since the early days, public cloud functionality has grown by leaps and bounds – features and functionality have improved at near exponential rates. Even still, public cloud doesn’t often deliver all the benefits companies need or expect. And keeping your IT workloads where they run today certainly isn’t going to improve things either. Instead, a hybrid approach to cloud adoption has proven to be the winning strategy across a variety of workloads and use cases—and that’s why hybrid cloud has become the new normal.

Let’s explore several use cases to highlight some of the benefits that hybrid cloud can provide.

You’re Looking to Optimize Costs

The rise of cloud adoption has proven that all cloud options are not created—or billed—equally.

The public cloud adopted a pricing model similar to a pay-per-use taxi, making it convenient and relatively low maintenance. Although a taxi is logical for short trips, it isn’t cost effective for long-term transportation. For traditional workloads that run all the time, the public cloud functions like a taxi with its meter running constantly, unable to turn off. After experiencing the cost of the constantly running meter with no off switch, more enterprise businesses are exiting the public cloud in search of something more economical.

Leveraging the public cloud to optimize costs requires a bit more work. Applications need to be rearchitected to leverage cloud-native concepts, such as auto-scaling groups, microservices, and application self-healing. This work can’t be ignored, but often the cost of a complete application rewrite is prohibitive, either in time or with lack of know-how. A hybrid approach can allow a more gradual upgrade path by allowing you to thoughtfully choose application components you’d like to migrate to the cloud piece by piece while maintaining more complex or hard-to-rebuild components in their current state. By taking this hybrid approach rather than forklifting all of your applications at once, you can see the benefits of cloud-based services, including a more optimized price tag.

Hybrid environments can also give organizations more control with a custom blend of cloud solutions and dedicated infrastructure. For enterprise businesses, the hybrid cloud often makes better financial sense.

You’re Still Using Legacy Application Components

Well-established enterprise organizations are often overladen with legacy systems and applications but look hopefully to the cloud to help. Unfortunately, the public cloud cannot be their cure-all in many scenarios, such as when a massive amount of data is too expensive to move, locked in too extensively to existing solutions, or demands specific requirements, such as compliant systems. Although a full lift-and-shift may seem appealing, the hybrid cloud is often the better solution for supporting legacy applications on dedicated systems and supplementing with cloud solutions to leverage advanced functionality and services, like machine learning.

However, before making the hybrid cloud shift, companies must dig deeper into current infrastructure to understand the costs and risks of moving elements to the cloud versus simply exposing these applications to cloud services to leverage new functionality. A strategy for each application that considers benefits and risks at this level will prepare a company much better for success in their digital transformation.

Even companies already in the public cloud—especially those might be questioning if they moved too fast—can take a similar step back to evaluate their strategy and find ways in which hybrid cloud solutions can save IT costs and gain better efficiency. Evaluating legacy applications and future IT goals with the guidance and insights of cloud solutions experts is key to making an optimal transformation.

You Need to Support Peak Traffic

The scalability and flexibility the hybrid cloud offers make it ideal for managing the fluctuating traffic levels that enterprise companies experience, from high-peak usage to periods of steady plateaus. The holiday shopping season, sales promotions, or other events can cause rapid demand spikes, which may subside just as quickly once the event is over. Traditional solutions required companies to maintain extra resources to accommodate these peak times, which is an extremely costly option. Remember, the public cloud works like a taxi with the meter always running, but hybrid cloud solutions support these bursts while also supporting the baseline more efficiently.

While some components of your application may need to run all the time, others don’t. Let’s look at an example: Databases function best when they are always operational. Web servers or web services may be much easier to scale out as demand spikes. A hybrid approach to this example application (where the database would remain on a dedicated machine while web services can be rapidly added on demand in the public cloud) represents an approach that provides the right match of platform to application function. Pay-per-use spend on public cloud is optimized based on on-demand usage and can scale rapidly to follow demand spikes (both up and down), while database operations benefit from the stability and reliability of dedicated hardware.

While peak traffic can be predictable for some industries, enterprise organizations should use insights and analytics to best architect their hybrid cloud solutions. Along with upfront research, consistent testing and evaluation of traffic patterns and demand signals are critical for companies to take full advantage of the hybrid cloud.

You Want More Economical Options

A disaster recovery plan is crucial for every enterprise organization but implementing and maintaining one is easier said than done. Traditional disaster recovery plans require you to move entire applications to a dedicated backup environment—an expensive and tedious process. With such a financial burden attached to traditional methods, it isn’t that shocking that 30% of businesses don’t have any disaster recovery plan in place at all.

But building better IT resilience can be more affordable with a hybrid cloud approach. Providing businesses with scalable and more agile options to meet their specific disaster recovery needs, the hybrid cloud presents economic options not available through traditional offerings. For example, taking a traditional workload and creating a failover environment in the cloud can save significant costs. Rather than maintaining the failover environment in a running state, it can be built in the cloud and then snapshotted to storage. With proper scripting to ensure rapid re-provisioning of the environment, the cost of maintaining the cloud DR site can be limited to storage costs, saving significantly over the cost of maintaining a full duplicate environment that is always running.

Yet just like traditional strategies, the hybrid cloud still requires detailed planning that takes time and expertise. Although some disaster recovery service providers may not be current with best practices in the cloud, finding a capable managed cloud provider is often the key to a more economical disaster recovery plan in the hybrid cloud.

Working Better Together

The hybrid cloud brings multiple platforms together to solve problems—reducing IT costs, optimizing legacy systems, maintaining reliable performance, ensuring resiliency—and working with experienced managed cloud experts allows your business to harness the power of hybrid.

Start exploring how the hybrid cloud can transform your business with a free consultation today.