Every small business is unique, and should consult a qualified attorney for advice on the FTC Safeguards Rule. But, as cybersecurity professionals, we believe you should have access to a way to jumpstart your effort while you work with counsel on any unique particulars related to your situation. So, today we're offering extremely actionable steps that would take you a long way towards some of your FTC Safeguards Rule obligations. Let's cut straight to the chase:
Cyber Security Posts
When founding teams find a way to survive their first vendor risk assessment -- usually on the tail end of making their first enterprise sale -- it's a moment that calls for celebration. At Havoc Shield, one of the absolute best moments for us is when a client calls us back and says "with your help, we made it through that security questionnaire" -- it's a celebration on our end too! But, is the end of a vendor risk assessment the final chapter in the vetting that the startup will face from their new enterprise customer? In a word, no. We'll explore below.
We recently dug through 100+ vendor risk assessment templates and released some of our initial findings. We're motivated to understand the prevailing norms in these types of assessments/questionnaires because our clients tend to find themselves on the receiving end of these types of documents on a frequent basis. When we can do a great job of helping our clients predict what security questions are likely to arise, it helps our clients prioritize which security controls to push closer to the top of the prioritization stack. One of the topics that is almost always covered in a vendor risk assessment is the matter of infosec policies and infosec plans. 88% of the vendor risk assessments in our analysis contained questions about plans and policies.
Every day we talk with startup founders about small business cybersecurity. Although we'd love to speak with founders that spontaneously decided to "do more" about cybersecurity, our conversations usually start very differently than that.
Most often, there is a very specific and urgent cybersecurity-related need at hand, and an urgent call to our team for help thinking it through. We're happy to help -- not a problem! However, for the benefit of founders that haven't yet hit one of those moments, here's what folks a few steps ahead of you are running into. We're glad to help with these more proactively if you'd like, to save a hectic scramble later.
Maintaining small business cybersecurity while allowing BYOL (bring your own laptop) is one of the hottest topics amongst companies that seek out our help. Although there is no one-size-fits-all solution, it helps to have a contextual sense for the continuum of high risk to low risk decisions that a company can make while navigating this complex topic. Here's our shot at very simply summarizing some of the key stopovers on that continuum that we've seen companies land at.
Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2? If your answer was "all of the above" then you've come to the right place.
Amongst companies evaluating the possibility of obtaining a SOC 2 report, there's been some confusion about the difference between SOC 2 Type 1 vs Type 2. Let's see if we can clear that up; here's what the AICPA says about it.
Apple just released iOS 14.4, with absolutely essential security updates. Although we rarely use this blog as a method of announcing patches and releases from specific vendors, the iOS security vulnerabilities in Apple's recent release are so essential that we'll break with tradition. We'll break down the three key points in Apple's release notes for you below.
If there is one thing we've learned about small business cybersecurity, it's that there are a great many operators that are afraid to ask tough questions about cybersecurity... because they are worried what the answers might be. We specialize (tactfully, of course) in helping organizations raise and think through those tough questions -- and come out the other end safer and happier. Today we'll take on the issue of Remote Work, asking four of the tough questions that deserve to be asked, and giving you, our reader, a ray of hope that there are reasonable ways to resolve any cybersecurity loose ends the questions make apparent. Here goes:
Many companies that have "gone remote" have decided to keep some small physical office for occasional team gatherings, customer visits, and regulatory and compliance purposes. However, that has often involved moving from a pre-existing office (often a spacious one) to a more compact one that fits the new normal. A popular request we've received during those transitions is for a small business network setup checklist summarizing the key things that are the largest information security factors in getting a new office network set up safely. Here's our take on that.
Stating the obvious: over the past year, we've come to meet many people who now WFH (work from home). And, many of them rely on Xfinity router security to keep them safe. It's long overdue that we talk about that in specific terms, about what to expect -- and what not to expect -- if that description matches your situation. Equally important, it might describe many employees in your organization -- probably even employees that handle sensitive company information regularly.
For this particular post, we're going to focus mostly on malicious traffic filtering, although we have much more to say about Xfinity router security and WFH threats in future posts.