PCI-Compliance-IT-Security

4 Signs that You’re Out of PCI Compliance

Compliance with the standards set by the Payment Card Industry (PCI) Security Standards Council can be cumbersome and flat out difficult. And the punishment for non-compliance can be stiff penalties and fines – or even worse, non-compliance could allow a hacker or data thief to get into your company’s systems and steal critical data from you or your customers. To avoid these unsavory outcomes, it is best to make sure that your business gets PCI compliant and maintain that compliance status. It is critical that you know if your company is PCI compliant so that you can keep your business protected from fines and hackers alike. Here are some of the ways that you can know if your business is not compliant. If any of these signs describe your business, then it is time to make a change and get back into compliance.

You Store Cardholder Data

Storing cardholder data means that you have highly sensitive information that can be stolen on your systems. To maintain PCI compliance, you should not save or store any cardholder data, whether in digital or written form. To avoid storing cardholder data, you can use a card reader, POS terminal, or a payment processor that doesn’t retain that information. That way, you don’t have to think about protecting or encrypting that data on your systems.

You Don’t Have A Separate Network For Payment Processing

PCI compliance can put extra pressure and security measures on your network. That’s why it is a good idea to have a separate system for your regular business connection just for payment processing. This is especially relevant if you are using IP-based credit card terminals.

You Don’t Automatically Log Customers Out

When your customers log in and make a purchase, they might be doing so on a public computer or at a public kiosk. When they leave that computer, they might forget to log out, allowing another person to stumble upon their open session and make unauthorized purchases. Make sure that you avoid these kinds of scenarios by automatically logging your users out of their sessions after a set period. If for example, users are automatically logged out after five minutes being idle, you have a significantly higher chance of stopping unauthorized purchases.

Your Employees Don’t Have Unique Login Information

To be PCI compliant, all of your employees need to have their unique login information for sensitive systems. That way, if there an issue, you know which employee was responsible.

regulatory compliance

Three Most Important Facts About Regulatory Compliance

When it comes to regulatory compliance, even the most enthusiastic managers can quickly get bored. It’s not hard to see why—regulatory compliance can be a long and frustrating process if you are trying to stay compliant without any professional help. Because regulatory compliance is so complex, it can be difficult to understand some of the legal concepts behind the process. That’s why we’ve broken down the three most important facts, so that you can easily know what’s vital to your business without having to pore over dozens of policy documents or looking through legalese.

  1. You Need Physical and Digital Security Policies

Sure, digital security policies get all of the press. And they are absolutely critical to your company’s regulatory compliance, as well as your long term success. But you need physical security policies too. You need to specific which employees are allowed physical access to particular facilities. This includes guests and vendors too—you have to be able to know who is able to access server rooms and other rooms that house critical IT infrastructure. These policies breed accountability. In order to uphold these physical security policies, you can use key codes, badges, or other ways to regulate access.

  1. Compliance Issues Must Be Relayed To Employees

Because regulatory compliance issues are so complex, it can be difficult to make them seem relevant and purposeful to employees. But if your regulatory compliance efforts are to succeed, you must let your employees know the importance of compliance and train them to make sure that they are up to date. The best way to do this isn’t to throw complex legalese at them, but to use simpler terms. Compliance isn’t always black and white, there are always grey areas, and your employees need to know what is expected of them when they encounter a grey area.

  1. There Are Hidden Benefits To Compliance

Often, it is assumed that there are no benefits to regulatory compliance other than avoiding fines and penalties. That isn’t true. There are hidden benefits to compliance that your business can take advantage of. Compliant businesses are more up to date on industry trends, and generally have more streamlined employee processes, where employees know what the appropriate decisions are. Compliance can improve standardization across your business, which can ultimately result in greater efficiency as well. Businesses that are compliant tend to have greater transparency, with workers at all levels—from the top down—more aware of what is expected of them.

Network Security Specialist

Take Advantage of A Network Security Specialist for Your Business

The more our society becomes dependent on technology, the more we see an increase in data breaches, cyber crimes, and leaking of sensitive information. This is why the government and businesses of all sizes are focusing more of their efforts on network security. When it comes to keeping your information safe, you can’t go at it alone. Network security specialists are in high demand for assisting companies with their online safety needs. Below we discuss the importance of working with a network security specialist to keep your business secure and information safe.

 

Role of a Network Security Specialist

Your network security specialist is in charge of safeguarding your computer system and protecting it from threats. Threats may be external or internal in nature, but some of the biggest threats to network security generally come from outside sources. The network security specialist will install firewalls and programs that issue alerts when there is an attempt to infiltrate the system. Network security specialists are constantly updating their level of knowledge to keep up with the growing technology industry.

 

Advantages of Hiring a Network Security Specialist

Having a network security specialist in your arsenal of weapons to combat hackers has many advantages, including:

 

Protection of Company Data

Part of the job of a network security specialist is to constantly monitor the flow of information within the network, prevent unauthorized users from accessing sensitive data, and check on bandwidth usage. This data may be pertaining to customers when dealing with companies like banks or other large corporations. Information such as phone numbers, account numbers, credit card numbers, addresses, and emails can become exposed. Government agencies will have information that pertains to internal communications and secret operations, posing as threats to national security. A network security specialist is vital to the safety of these organizations’ information.

 

Setting IT Infrastructure Usage Rules

A network security specialist is one who is in charge of designing and implementing security protocols within a computer network. This involves having control over the data that users have access to and setting up password authentications and firewalls. The specialist is able to block access to particular websites as well as prevent the installation and usage of certain applications that may pose a threat to the network infrastructure. With a network security specialist on board, they will be able to catch employees violating company computer policies and notify their manager.

 

Custom Security for Your Network

Your network security specialist will sit down with you and create a plan that is specific to your business’s needs. There is no “one-size-fits-all” model for any company and should never be offered to clients. Your custom network security plan will help your business grow much quicker by eliminating potential technology roadblocks that pop up. If you do not have a network security specialist working with your organization, you run the risk of losing customers to security breaches.

 

We want to be your network security specialist! Contact us today and we will discuss the best path for your company to follow when it comes to data and network security.

Network Security

Benefits of Network Security

You’ve spent countless hours, days, months, maybe even years building your business…what if everything you had worked for was ruined because of a security breach? All it takes is one bad security breach and you’re out of business. This is why your company needs CognoSecurity. Let’s look at the benefits of network security.

Reduced Stress

With CognoSecurity you will never lose sleep over stressing about your business’ security. We will handle everything so that you don’t have to. Now you have more time to focus on making your business even more successful, because you know it’s safe with CognoSecurity.

Decreased Risk

Think about all of the risks you’re taking without having your business protected by network security. Are you willing to risk your business’ reputation? What about your data? Or even your entire company? If not, you need network security to make sure none of these things are put at risk.

Disaster Recovery

Unexpected things happen – that’s just life. But wouldn’t it be nice to be prepared for the unexpected? Well, with CognoSecurity you can be. When disaster strikes, CognoSecurity will help your business recover quickly, whether you’ve suffered a security breach, natural disaster, or anything else that might happen.

Increased Productivity

When you aren’t stressing over network security issues and security breaches, you and your employees can focus on the business’ success. You’ll become more productive and you’ll also save your hardware and software from any potential harm caused by security breaches.

Ready to protect your business from harm? Let’s talk today about your business’ security needs.

Malware for Christmas

Don’t get caught by this holiday email scam!

The holidays are a busy time for all of us and with the advent of online shopping to avoid the crowds we are becoming conditioned to receiving purchase related emails from a variety of sources.

The cyber crime community is well aware of this and a new trend in cyber crime using fake order confirmation and other typical purchase-related emails has been noticed, as reported by internet security company Malcovery. The primary payload of these emails is the malware known as ASProx, a particularly nasty trojan that collects email addresses and passwords from it’s victim’s computers, then turns the infected machine into a botnet relay allowing spam messages to be passed through it.

Malcovery reports that in December 2013, spammers used ASProx to deliver fear in the form of a Failed Delivery email from CostCo, BestBuy, or WalMart.  Malcovery analysts identified more than 600 hijacked websites that were used as relays to prevent detection by causing the spammed links to point to websites that had been “white listed” until the very day of the attack. People responded because the email told them their Christmas gift shipment had been delayed and the only way to get a refund was by clicking the (infected) link.

This year the scammers are getting even craftier and their tactics have changed. Fake order confirmation emails appeared after cyber Monday with titles like “Thank you for your confirmation,” “Order Confirmation,” “Thank you for buying from [company name],” “Acknowledgement of Order,” and “Order Status.”. The email content now targets people’s greed by saying that a delivery (that they didn’t order) is waiting for them:

“We are happy to inform you that our online store HomeDepot.com has an order whose recipient details match yours.  The order could be received in any Local Store of HomeDepot.com within the period of 5 days.  Open this LINK to see full information about your order.”

Opening the link infects the victim’s machine.

Another trend is with hijacked credit card numbers. Instead of charging several hundred dollars on a single credit card – which is immediately noticed and blocked – online thieves are now content to charge several thousand people $20 – $30 each, which is less likely to be noticed by either the bank or the victim.

Cognoscape is committed to your security

There are a few simple rules to follow whenever you open your inbox:

  • Ask yourself: Were you expecting this email?
  • Check the sender’s address – hover over the address to verify the sender
  • Check the link address – hover over the link to read the address it is sending you to. Does the domain name look valid?
  • Learn to spot fake domain addresses
  • If you have any concerns DO NOT click the link, instead type the address into your browser and access the information from there
  • Review your credit card statement regularly for fraudulent transactions
  • Remember scammers target people’s greed – if it sounds too good to be true, it probably is!

Would you like to learn these techniques and have them taught to your colleagues? Cognoscape are now providing a series of lunch and learn presentations to avoid phishing scams and keep you safe from these attacks. Fill in the “Request a Consultation” form to the right of this blog post if you would like more details.

Don’t forget your friends need to know about this too – please share this post!

shutterstock_211420975

Top 5 Reasons You Need Network Security At Work

Conducting day to day business can be consuming and stressful. Making sure that your company network is secure does not always rank number one on your list of things to do. There are so many things that need to be tended to! Here are the top 5 reasons why network security should be your top priority:

1. First and foremost, without network security at work your livelihood is at stake. As a business owner, most of your important documentation and records are stored on a computer. Leaving your network unprotected means that at any time your system could be infiltrated by unwanted viruses, trojans or even worse – malicious hackers who could obtain and distribute personal information.

2. Not only can your vital company information can be compromised, your identity could be stolen and used. Different types of computer viruses and trojans do different things. If a virus relays information to a third party your identity could be used by that person or worse. It could be sold to other people.

3. If losing your identity isn’t bad enough, it can get worse. Without network security you could unknowingly provide internet predators with your customer’s information. This means that your reputation as a company is at stake. Any business owner would agree that a good reputation is your best asset and a bad reputation could mean your demise.

4. By having a good network security system in place, you will be saving money in the long run. Companies that are constantly putting out fires and spending unnecessary money to fix problems as they occur. Each time they pick up the phone to call an IT specialist money flies out the door. By being proactive you will keep your budget minimal.

5.  Using network security guarantees that you will be successful in your endeavors. By protecting your assets you will be able to focus on what you do best. Safeguarding your network allows others to trust in your ability to conduct business and do what is best for everyone.

Network security at work is beneficial in many ways. It helps you to save money. It also offers security to your team of employees and customers. Network security prevents unexpected problems. In conjunction with these benefits, network security is necessary to safeguard your personal information and that of your affiliates. Without network security your business could be in serious jeopardy.

70

Why SMBs Must Proactively Address the Threat of Mobile Hacks

70More cyber criminals are targeting small-to-medium sized businesses. One reason for this is too many workplaces have insufficient bring-your-own-device (BYOD) policies in place. Some have none at all. Although firms are generally more knowledgeable about network security risks than in years past, they still woefully underestimate the security vulnerabilities linked to mobile devices like smartphones and tablets.

This is a real cause for concern since data breaches have the ability to put many already financially challenged SMBs out of business.

If customer/client data has been breached, there could be potential litigation costs, and naturally, lost goodwill and an irreparable hit to brand or company reputation.

Don’t Just Say You’re Worried About the Bad Guys… Deal With Them

SMBs say they view network security as a major priority but their inaction when it comes to mobile devices paints a different picture. An April 2013 study found that only 16% of SMBs have a mobility policy in place.

Despite the fact that stolen devices are a major problem in today’s mobile workforce, only 37% of mobility policies enforced today have a clear protocol outlined for lost devices. Even more troubling is the fact that those firms who have implemented mobility policies have initiated plans with some very obvious flaws.

Key components of a mobility policy such as personal device use, public Wi-Fi accessibility, and data transmission and storage are often omitted from many policies.

Thankfully, most SMB cybercrimes can be avoided with a comprehensive mobility policy and the help of mobile endpoint mobile device management services.

A Mobility Policy Is All About Acceptable/Unacceptable Behaviors

Your initial mobility policy doesn’t have to be all encompassing. There should be room for modifications, as things will evolve over time. Start small by laying some basic usage ground rules, defining acceptable devices and protocols for setting passwords for devices and downloading third-party apps. Define what data belongs to the company and how it’s to be edited, saved, and shared. Be sure to enforce these policies and detail the repercussions for abuse.

Features of Mobile Device Management Services

MDM services are available at an affordable cost. These services help IT managers identify and monitor the mobile devices accessing their network. This centralized management makes it easier to get each device configured for business access to securely share and update documents and content. MDM services proactively secure mobile devices by:

  • Specifying password policy and enforcing encryption settings
  • Detecting and restricting tampered devices
  • Remotely locating, locking, and wiping out lost or stolen devices
  • Removing corporate data from any system while leaving personal data intact
  • Enabling real time diagnosis/resolution of device, user, or app issues

It’s important to realize that no one is immune to cybercrime. The ability to identify and combat imminent threats is critical and SMBs must be proactive in implementing solid practices that accomplish just that.

CLICK HERE for a free technology assessment.

69

Just Because You’re Not a Big Target, Doesn’t Mean You’re Safe

69Not too long ago, the New York Times’ website experienced a well-publicized attack, which raises the question – how can this happen to such a world-renowned corporation? If this can happen to the New York Times, what does this bode for the security of a small company’s website? What’s to stop someone from sending visitors of your site to an adult site or something equally offensive?

The short answer to that question is nothing. In the New York Times’ attack, the attackers changed the newspapers’ Domain Name System (DNS) records to send visitors to a Syrian website. The same type of thing can very well happen to your business website. For a clearer perspective, let’s get into the specifics of the attack and explain what DNS is.

The perpetrators of the New York Times’ attack targeted the site’s Internet DNS records. To better understand this, know that computers communicate in numbers, whereas we speak in letters. In order for us to have an easy-to-remember destination like nytimes.com, the IP address must be converted to that particular URL through DNS.

Therefore, no matter how big or small a company’s online presence is, every website is vulnerable to the same DNS hacking as the New York Times’ site. The good news is the websites of smaller companies or organizations fly under the radar and rarely targeted.  Larger targets like the New York Times, or LinkedIn, which was recently redirected to a domain sales page, are more likely targets.

For now… There is no reason to panic and prioritize securing DNS over other things right now. But there is a belief that DNS vulnerability will be something cybercriminals pick on more often down the road. Here are a few ways to stay safe:

Select a Registrar with a Solid Reputation for Security

Chances are, you purchased your domain name through a reputable registrar like GoDaddy, Bluehost, 1&1, or Dreamhost. Obviously, you need to create a strong password for when you log into the registrar to manage your site’s files. Nonetheless, recent DNS attacks are concerning because they’re far more than the average password hack.

It was actually the security of the registrars themselves that was compromised in recent attacks. The attackers were basically able to change any DNS record in that registrar’s directory. What’s particularly frightening is the registrars attacked had solid reputations. The New York Times, along with sites like Twitter and the Huffington Post, is registered with Melbourne IT. LinkedIn, Craigslist and US Airways are registered with Network Solutions. Both had been believed to be secure.

So what else can be done?

Set Up a Registry Lock & Inquire About Other Optional Security

A registry lock makes it difficult for anyone to make even the most mundane changes to your registrar account without manual intervention by a staff registrar. This likely comes at an additional cost and not every domain registrar has it available.

Ask your registrar about registry locking and other additional security measures like two factor authentication, which requires another verifying factor in addition to your login and password, or IP address dependent logins, which limits access to your account from anywhere outside of one particular IP address.

While adding any of these extra safeguards will limit your ability to make easy account change or access your files from remote locations, it may be a worthwhile price to pay.

CLICK HERE for a free network assessment and avoid cybercrime with Cognoscape.

68

Why it’s Time to Move on if Your Hosting Cloud Provider Won’t Sign a HIPAA BAA

68Despite new HIPAA Business Associate Agreement (BAA) regulations going into effect in 2013, many healthcare organizations are still encountering the occasional cloud service provider who refuses to sign a BAA. Although they may have a logical explanation, any refusal to sign a BAA should be seen as a red flag.

Here’s the logic from their angle. There are still many cloud vendors who view themselves more as conduits of Personal Health Information (PHI). They feel their role is more akin to that of a mailman. They’re merely transporting data to others and have no real access to the actual contents.

If the data is encrypted and cannot be read, or If they don’t touch the actual PHI data at all, the cloud service vendor will argue that HIPAA regulations do not apply to them and possibly refuse to sign a BAA.

Fair enough, right? If the data is encrypted and the vendor doesn’t hold the encryption key, what’s the problem? Well, here’s the problem.

File this in the unlikely yet not improbable category. Let’s say that the PHI data wasn’t properly encrypted before it was sent into the cloud or unencrypted data was mistakenly transferred over to the cloud service provider. If the cloud provider has refused to sign a BAA, this jeopardizes your HIPAA compliance and could potentially result in a fine anywhere from $50,000 to $1.5 million.

This is why those in the healthcare sector must move on from any cloud provider that is reluctant to sign a BAA. They are basically refusing to be complaint since the new HIPAA Omnibus Rule clearly defines a business associate as anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. By refusing to share accountability for HIPAA compliance, they’re a liability to your organization that you just can’t afford.

CLICK HERE for a free network assessment.

 

66

2 Steps to Ensure Healthcare Data Availability in the Cloud

66In 2013, major companies like Google, Amazon, and Microsoft experienced outages. Not only were these big name outages disruptive to users, but they also made headlines and proved to be costly to each brand. Google’s hiccup footed an estimated bill of $500,000 while Amazon’s 30-40 minute blackout contributed to roughly $3 million in losses.

2013 was also the year the healthcare industry embraced cloud computing thanks to modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules. With these modifications extending the definition of a Business Associated (BA) to cloud service providers, many of the data breach concerns that had previously kept the healthcare sector from taking to the cloud have been quieted.

But as more patient health data is electronic and residing in a virtual environment, the availability of this data is just as important, if not more important, than securing it. Unlike Google, Amazon, and Microsoft, the disastrous effects of data outages in the healthcare sector can have potentially deadly consequences.

Not only is high uptime mandatory in a healthcare cloud, business continuity and disaster recovery (BCDR) plans are also crucial. The good news is the cloud’s virtualized infrastructure, coupled with the expertise and cloud monitoring of a trusted Managed Service Provider (MSP) can help healthcare organizations maintain uptime and reliability. Here are two helpful steps:

  1. Risk Assessments Are Absolutely Necessary

While risk assessments are critical to protecting patient health information, a 2012 audit conducted by the Office of Civil Rights revealed that many healthcare entities and contracted service providers fail to perform them. These evaluations must be conducted regularly and require an honest assessment of probable risks ranging from malicious cybercrime attacks to acts of nature such as natural disasters, flood, earthquakes and power outages. Analyze both the architectural vulnerabilities relative to data availability and security as well as the effectiveness of the counteractive measures in place. The goal is to minimize the plausible impact of such an event and prevent service disruption.

 

  1. Proactively Monitor for Cybercrime

It is often months before a security breach is detected. By this time, hackers have had ample time to infiltrate your system and feast on its data. Since cybercriminals use an unpredictable array of methods to strike, such as viruses, malware and phishing schemes to steal credentials, the strength of your detection system is key. Alerts should be set up to identify anomalies such as unusual application requests, forced entry attempts, suspicious spikes in traffic, and abnormal data patterns that suggest a breach. The proactive monitoring tools available through a MSP can help scan, pinpoint, and remediate such attacks.

Any BCDR plan must be built upon your organization’s recovery time objective (RTO) and recovery point objective (RPO). Your RTO is the duration of time in which your service level must be restored to avoid dire consequences. Your RPO is the maximum age of the recoverable files in storage to resume normal operations. A MSP can help determine the optimal scenario for your healthcare organization and prioritize the most critical health care information with near real-time replication.

Through this preparation and foresight, your organization can lay the groundwork to not only protect healthcare information in the cloud but potentially save patients’ lives in the event of an unforeseen outage.

CLICK HERE for a  free network assessment.