Minimum Requirements for DFARS/NIST SP 800-171

March 12, 2018 by SysArc

DFARS & NIST

The Defense Federal Acquisition Regulation Supplement (DFARS) applies to all Department of Defense (DoD) contractors with access to Controlled Unclassified Information (CUI). This supplement details the general requirements and identifies the types of information that need additional controls. NIST SP 800-171 is the document that details the security requirements to keep that information safe.

If you want to stay active as a DoD contractor, you must be up to date on the required security methodologies. That can be a tough challenge when operating with little to no in-house IT support. However, the DoD specifically says that “Small manufacturers may use subcontractors and/or outsource information technology requirements, but they are responsible for ensuring that these entities they use to meet the cybersecurity standards.” This means that you don’t have to take direct ownership of all security updates. The right partner can enable you to focus on your business, while the IT company worries about securing your networks.

Minimum Requirements for DFARS

While data security is an increasingly important field, the DoD has kept the requirements on contractors straightforward and reasonable. To meet the minimum requirements, you must:

1. Provide adequate security to safeguard covered defense information that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure.

2. Rapidly report cyber incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.

While that sounds straightforward and easy to meet in-house, the term adequate security can cover a lot of ground. The DoD references 14 different areas with individual minimum security requirements. These include:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

When your area of expertise and the services you provide to the DoD fall outside the technical realm, meeting this level of required security can be challenging with existing resources. After all, “Meeting the SP 800-171 is not a one-time fix, rather it is a continuous assessment, monitoring and improvement process.”

That means a considerable number of man-hours devoted solely to ensuring that your business remains compliant with constantly evolving security requirements. Thankfully, the DoD understands the challenge and allows for the use of subcontractors. Data breaches happen even in the most secure computing environments. Working with a security-centric third-party provider like SysArc can give you access to the additional security required without a massive capital investment to develop internal controls and cybersecurity departments.

Cyber Security Breaches Happen… What’s Next?

Even when your systems meet or exceed the minimum requirements for DoD contractors, breaches happen. In 2017, sensitive information was found on an unsecured Amazon server. Not only was the data unencrypted, but no password was needed to gain access. While this wasn’t an actual intrusion into a protected system, it clearly demonstrates the need for tighter controls over sensitive information. To help with those controls, the DoD now requires rapid reporting of all intrusions and potential security threats. Rapid reporting means within 72 hours of discovery. While the DoD makes reporting easy through its online reporting portal, gathering all of the needed information could be a challenge without a cybersecurity expert on hand to help.

Benefits of Subcontracting Cyber Security

Creating internal security systems that meet all 14 areas of required security minimums for the DoD would not only be cost-prohibitive, it would take a lot of time. Since all contractors are required to meet these standards before starting work, and thus before issuing invoices, that’s a substantial upfront investment with little guarantee of eventual profit. Third-party providers like SysArc already have the security in place to meet the minimum requirements.

If you need cloud-based services, their systems are compliant. If your on-the-ground systems need updating, instead of devoting every in-house IT resource you have, you can rely on their security options.

Service Guide

A large portion of DFARS/NIST 800-171 requirements falls under the heading of reporting and auditing.

  • SysArc’s virtual CISO services give you access to the documentation you need to handle an audit, create a strategic plan to handle security moving forward and generate reports on existing systems and potential breaches.
  • With Security Incident Response support, you have a team of security experts responding to every breach.
  • Advanced Cyber Security Monitoring tracks intrusions in real time and watches for odd network behaviors that could indicate a breach.
  • You not only get security during an incident but also have regular scans to identify potential areas of weakness along with remediation reports to help you close those security gaps.
  • Security Awareness Training is another essential part of keeping your network closed to intruders.
  • SysArc offers all of these options under the heading of their ProtectIT Managed Security Service.

Essentially, you go from underprepared to ready for DoD contract requirements quickly and seamlessly. Best of all, as a subcontractor solely on board for IT services, you can scale up or down depending on your needs. If you choose not to continue with DoD contracting and no longer need that level of security, downgrading is simple. If you scale up your contracts and expand business operations, your security scales with you.

Sources:
https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars800-171-compliance
https://dibnet.dod.mil/portal/intranet/
https://www.sysarc.com/services/managed-security-services/
https://thenextweb.com/security/2017/05/31/department-defense-data-discovered-unprotected-amazon-server/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdF

Filed Under: Cyber Security

How to Become GDPR Compliant

February 5, 2018 by SysArc

The words General Data Protection Regulation (GDPR) should strike at least a little fear in the hearts of organizations doing business in the European Union. These new regulations are due to come into effect on May 25, and they will impact any business dealing in personal, classified and sensitive data. But what is GDPR, and how should an organization prepare for the new legislation?

What Is GDPR?

General Data Protection Regulation (GDPR) is an update to the existing guidelines for dealing with personal data that were established by the Data Protection Act of 1998. The original act defined what personal data was and gave specific guidelines on how data must be stored, accessed and controlled by the organization that kept the information. It also detailed specific penalties for companies that experienced breaches or allowed personal data disclosures without permission. The GDPR updates this legislation to allow for more consumer control of personal data, as well as enacting specific guidelines regarding data privacy officers and what penalties will apply when breaches occur.

GDPR Business Requirements

Businesses need to address some specific areas to become compliant. One is the creation and separation of the roles of data controllers and data processors. A data controller is, for example, a company that interacts with customers and records their email addresses. A processor is a company that manages the email list and sends emails on the controller’s behalf.

The GDPR also introduces the role of the Data Protection Officer. Any public organization, or any company that has more than 250 employees or 5000 customer records, must employ a data protection officer, whose main role is to manage privacy, consumer data rights and GDPR compliance.

The legislation also details rights concerning consent to collection of personal data, what can be collected, how the data may be used, and how and what customers can do with their personal information. It spells out the fines associated with noncompliance as well.

US vs Them

One of the most controversial changes stemming from GDPR is that it will pertain to any companies that deal with customer data from the EU. The requirements to retain customer data contain the same standards and rules for compliance, and any company that does not follow the rules will be bound to the same fines as any EU-based organization.

The complexity increases when the Internet becomes involved. There is technically a GDPR requirement when an EU-based consumer purchases an item from a US-based company, so the rules, as well as the penalties, will apply.

Becoming Compliant

With fines that can amount to more than twenty million pounds or 4% of global revenue, the cost to become compliant provides a substantial return on investment. Initially, a gap analysis needs to be performed. This analysis examines the data processes and policies that the company already has in place, and it includes engagement with employees. Once the gap analysis determines the risks to compliance, a remediation plan is created.

The remediation plan identifies the risks and barriers to becoming GDPR-compliant and provides a detailed, costed plan for reaching compliance. This plan will often include long-term compliance management in the form of annual educational engagement for employees. It also includes the deployment schedule for data mapping and policy creation, as well as a readiness assessment after everything has been rolled out.

Companies must be compliant with GDPR legislation by May 25th, 2018, and time is running out. The legislation impacts all areas of business, and all companies will need to be on board to succeed.

SysArc helps US-based companies comply with GDPR. Get Your Free GDPR Gap Analysis Today!

Source List

http://www.itpro.co.uk/security/27563/how-to-get-ready-for-gdpr-2018-data-protection-changes-2/page/0/2
https://www.dataiq.co.uk/blog/summary-eu-general-data-protection-regulation
https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/

Filed Under: Cyber Security

The Hidden World of the Darknet

January 5, 2018 by SysArc

A few years ago, the much-publicized takedown of the Silk Road — an online marketplace for illicit activities of all kinds — put the “Darknet” into public awareness for the first time. Since then, government agencies and law enforcement entities have issued dire warnings about the dangers lurking in these hidden corners of the internet. But in a digital world where personal information is available for the taking, the anonymity of the Darknet might be valuable for anyone concerned about protecting privacy online — not just those with something to hide.

The Surface Web, the Deep Web – and the Darknet

The internet is made up of many parts — billions and billions of sites around the world, transferring data continuously over a vast network of servers and nodes. But not all of that data is accessible in the same way. The “Surface Web” that most people use every day consists of sites and data based on links that can be indexed by search engines like Google or Bing.

But a great deal of entirely legitimate information is not accessible online through links, and so it’s never indexed. Many websites contain information that can only be found by using on-site search boxes. Likewise, databases held by government or corporate entities may not be available to a search engine’s crawlers — and some data simply doesn’t contain relevant keywords for search. This is the world of the “Deep Web,” and many people use it every day without realizing it.

The Darknet Offers Deliberate Anonymity

The Darknet is a part of the Deep Web, but only a small part — and the information it contains is deliberately cloaked in anonymity, hidden from standard internet service providers and from the search engine indexing of the Surface Web. In the Darknet, users’ IP addresses and other identifying information are bounced through a series of worldwide nodes to conceal them, and transactions are conducted with cryptocurrency such as Bitcoin and concealed behind layers of encryption.

Anyone can access the Darknet, though guides for doing so typically come with warnings about the dangers that lie ahead. All that’s needed is to download a special browser. The best known and most popular of these is the Tor Browser, which also allows users to access the Surface Web like any other browser does. Other Darknet interfaces include I2P and Freenet, and users can add an extra layer of anonymity by using any of these with a virtual private network, or VPN.
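The layered-encryption relay scheme sketched above, as an added Python walk-through that is not code from the original post and not Tor’s real protocol: the sender wraps a message in one encryption layer per relay, and each relay can peel only its own layer, learning just the next hop. The cipher is a constructed HMAC-SHA256 keystream standing in for a real cipher, and relay keys are assumed to be pre-shared rather than negotiated.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def keystream_xor(key, nonce, data):
    """Toy stream cipher (NOT for real use): XOR data against
    HMAC-SHA256(key, nonce || counter) blocks. Stands in for AES here."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key, next_hop, payload):
    """Sender side: add one layer addressed to the relay holding `key`.
    The layer's plaintext names the next hop and carries the inner (still
    encrypted) payload; a MAC lets the relay detect tampering or a wrong key."""
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    body = keystream_xor(key, nonce, plain)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def peel_layer(key, blob):
    """Relay side: strip exactly one layer. Returns (next_hop, inner_blob),
    or None when the MAC fails, i.e. this key does not fit this layer."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    obj = json.loads(keystream_xor(key, nonce, body))
    return obj["next"], bytes.fromhex(obj["payload"])


def build_onion(route, keys, destination, message):
    """Wrap the message once per relay in `route`, innermost layer first,
    so the entry relay's layer ends up outermost."""
    hops = list(route) + [destination]
    blob = message
    for i in range(len(route) - 1, -1, -1):
        blob = wrap_layer(keys[route[i]], hops[i + 1], blob)
    return blob


def transit(onion, route, keys):
    """Simulate the circuit: each relay peels one layer and learns only
    where to forward. Returns the per-relay view and the final delivery."""
    views = []
    blob = onion
    for relay in route:
        peeled = peel_layer(keys[relay], blob)
        if peeled is None:
            raise ValueError(f"{relay}: layer does not verify under this relay's key")
        next_hop, blob = peeled
        views.append((relay, next_hop))
    return views, blob


def run_demo():
    # Constructed sample circuit: three relays with pre-shared 32-byte keys.
    route = ["relayA", "relayB", "relayC"]
    keys = {r: os.urandom(32) for r in route}
    message = b"hello from a sender that relayC never identifies"
    onion = build_onion(route, keys, "example.test", message)
    views, delivered = transit(onion, route, keys)
    # The exit relay cannot open the entry relay's layer: wrong key, MAC fails.
    cross_peel = peel_layer(keys["relayC"], onion)
    return {"views": views, "delivered": delivered, "cross_peel": cross_peel}


if __name__ == "__main__":
    result = run_demo()
    for relay, next_hop in result["views"]:
        print(f"{relay} forwards to {next_hop}")
    print("delivered:", result["delivered"].decode())
    print("relayC peeling the entry layer:", result["cross_peel"])
```

Each relay's view shows only itself and the next hop, which is the property that makes a single node insufficient to tie a sender to a destination; the MAC failure on the cross-peel shows that a relay cannot read inner layers.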

The Darknet and the Search for Online Privacy

Some advocates of Darknet privacy point out that the dangers of the Darknet may be exaggerated. They say that if the average user can access the Darknet with a few relatively simple steps, it’s certain that government and law enforcement agencies have done so too — and are on the watch for questionable activities there. And many of the illegal goods and services traded on the Darknet are also readily available on the Surface Web. Given these considerations, what makes the Darknet so dangerous?

The answer may lie in the Darknet’s promise of privacy for all. Since the Silk Road became the public face of the Darknet, it also became a convenient cautionary tale used by law enforcement and the government to warn users away from ways of concealing personal information from their view. But recent high-profile hacks and the growing list of threats, including online scams and malware, show just how vulnerable personal information can become when it’s posted on the Surface Web in any way.

Though it’s often said that there’s no need to worry if there’s nothing to hide, in the digital world that isn’t always true. And that makes the anonymity of the Darknet appealing not only for those with criminal intent — but for anyone who wants to keep personal information safe from prying eyes.

Sources:

https://fossbytes.com/difference-deep-web-darknet-dark-web/
https://www.youtube.com/watch?v=luvthTjC0OI
https://www.cloudwards.net/how-to-access-the-deep-web-and-the-dark-net/
https://www.comparitech.com/blog/vpn-privacy/how-to-access-the-deep-web-and-darknet/
https://www.wired.com/2013/11/silk-road/

Filed Under: Cyber Security

7 Things to Do If Your Small Business Is Hacked

January 5, 2018 by SysArc

Getting hacked is a nightmare scenario that, unfortunately, is becoming more commonplace. According to CNBC, not only are 14 million businesses in the United States at risk of being hacked, but many small business owners don’t make potential cyber attacks a priority. Knowing what to do if your data is compromised may be the difference between surviving and shutting your doors.

Start by Containing the Damage

When you first realize you’ve been hacked you’ll want to immediately run an anti-virus program as well as reset all passwords. Determine which systems or files were compromised, and remove any corrupted files. This won’t solve all your problems regarding the hack, but it may help prevent more damage.

Alert Your Web Hosting Service

You’ll need to give your web host as much information as possible, as soon as possible. Some web hosting companies provide tips or assistance for their customers if they’ve been hacked. They may recommend applications that can be used to remove malware.

Inform Customers

Your natural inclination will likely be to fix things without telling your customers. Hiding a problem like this is never a good idea. Fortune states that a written notification should be sent out to each of your customers. You’ll need to let them know what type of information or data was compromised and what you’re doing to remedy the situation.

Get Legal Advice

Laws regarding hacking and data breaches are constantly changing, and they also vary from state to state. It’s necessary to contact an attorney who specializes in internet law. If you’re running a financial or health-related business, it’s important to know that the laws regulating these industries can be more stringent.

Be Transparent

Being transparent means more than just alerting customers. It’s crucial to tell all the necessary people as quickly as possible. This can include employees, customers and other companies you do business with. Depending on the business you’re in, it may also involve contacting certain regulatory agencies. It’s also important to be forthcoming with all the information related to the hack.

Repair Damage and Rebuild

You’ll want to start rebuilding your website and your reputation as quickly as possible. To do this you should start by prioritizing which computers or systems you’ll work on cleaning up first. Replace corrupt data, files and applications with a clean backup. While you’re repairing and rebuilding systems, you should maintain contact with customers, partners and authorities. Alerting the right people isn’t a one-time deal. You should keep those who need to know informed during the entire process of rebuilding.

Update Your Security

You’ll likely want to do something different than what you had in place before. Most small business owners are on a tight budget, but security is not one area you want to skimp on. You’ll need to create layers of security to protect your information. This can include adding encryption as well as more than one password to retrieve the most sensitive information.

After coming up with a new detailed security plan you’ll need to make sure all employees are aware of the plan and properly trained. Networkworld suggests getting your team together after a breach is cleaned up to go over how the cleanup went and how to improve if it happens again. Cyber security should become ingrained in the company culture. Finally, if it’s financially possible, you may want to consider cyber insurance.

If a hack does occur, following these steps will help minimize the damage and keep your business running as smoothly as possible. The best time to plan for a security breach, however, is before it happens. Considering how often hacks take place, investing in IT services is almost certainly worth the money. You’ll want to find a company that can provide cyber security as well as backup security and cloud services.

Sources:

CNBC – https://www.cnbc.com/2017/07/25/14-million-us-businesses-are-at-risk-of-a-hacker-threat.html
Fortune – http://fortune.com/2016/09/30/10-things-business-hack-attack/
Networkworld – https://www.networkworld.com/article/2938013/security0/7-things-to-do-when-your-business-is-hacked.html

Filed Under: Cyber Security

GDPR Compliance for US Based Multinational Companies

December 4, 2017 by SysArc

The General Data Protection Regulation (GDPR) will be coming into effect in the first half of 2018, and any companies that do business in the European market need to be in compliance with the regulations surrounding data and personal information before the deadline or face significant repercussions.

What Is General Data Protection Regulation (GDPR)?

GDPR refers to legislation enacted jointly by the European Parliament, the Council of the European Union (EU) and the European Commission. The goal of this regulation is to increase data security as well as strengthen and unify data protection protocols for all people living in or doing business in EU countries. Unlike previous data protection legislation, this regulation applies to any business with a presence in the EU, not just companies that are based in the EU. GDPR applies even if the data processing company, such as a cloud storage company, is based in an EU country. GDPR becomes effective on May 28, 2018.

The goal of GDPR is to give EU residents back a large measure of control over their sensitive, personal information and how that information is being used. It also seeks to unify how each country within the EU is regulating the use of personal information and thus make it easier for companies who do business in multiple EU countries to ensure compliance.

How GDPR Applies to US Businesses Doing Business in the European Union

For companies collecting data from EU citizens (whether or not they are based in the EU), GDPR means ramping up their company’s data collection systems, improving accountability, and in most cases, hiring or promoting a data control officer, whose primary responsibility is ensuring that the company’s proper data collection protocols are followed. Ignorance of the provisions of the regulation is not a valid excuse under GDPR, and companies face strict financial penalties for noncompliance.

What Are the Requirements of GDPR?

GDPR defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” The regulation applies only to data collection by private sector enterprises and some courts and government agencies. It does not attempt to regulate national security or law enforcement agencies.

The key provisions of GDPR include:

  • Every company or entity is required to have a data control officer, who accepts responsibility for acquiring, storing, deleting and processing personal data. Data security must be among this person’s primary duties.
  • Under the regulation, personal data may only be collected if the subject (or his or her legal representative) has given consent.
  • Such data can only be acquired when necessary to complete a contract to which the subject is party; to meet legal requirements; to protect the vital interests of the subject; to pursue the legitimate interests of the company, as long as the subject’s rights are not compromised; or to carry out a task in the public interest.
  • Consent to data collection for children must be given by the child’s parent or guardian, and the company must be able to show a record of this consent.
  • Companies must encrypt the data they collect in such a way that it cannot be readily tied to the subject should the data be compromised.
  • Data control officers must notify the GDPR Supervisory Authority in a timely manner in the event of a data breach.
  • Companies must submit to periodic random data audits to ensure that they are in compliance.

What Are the GDPR Deadlines?

GDPR was first proposed in January, 2012. The final version of the regulation was enacted on April 15, 2016. The regulation goes into effect (and becomes enforceable) on May 25, 2018.

What Are the Penalties If You Don’t Comply?

Failure to comply with GDPR can bring stiff and potentially crippling penalties to companies, whether or not they willfully ignored the regulation. For the first, unintentional offense, a company will be given a written warning. However, intentional violations and/or second or subsequent offenses carry financial penalties of up to €20,000,000 or 4 percent of annual worldwide sales, depending on the offense. Clearly, this is not legislation that any company can afford to ignore.

How an IT Company Can Help

One good way to ensure that your company is prepared for the GDPR deadline, and to make sure that you continue to meet the regulation’s guidelines, is to enlist the assistance of a good IT consulting company like SysArc. We are intimately familiar with the provisions of GDPR and can help you set up systems that will make compliance seamless without disrupting your key business activities.

Making sure that your company is ready for GDPR doesn’t have to be complicated or take up a lot of your valuable time and resources. To learn more about how a quality IT company like SysArc can help you and your staff meet all of the GDPR regulations, contact us today.

Sources:
http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en

Filed Under: Cyber Security

SysArc DFARS Compliance for DoD Contractors

October 2, 2017 by SysArc

DFARS Compliance

After lots of bidding and lots of hope, many companies finally land a Department of Defense (DoD) contract and are anxious to get started. Still, they want to be sure they are totally in compliance so they can maintain a long and profitable relationship with the government, and so they hesitate.

Or, organizations that have been doing business with the DoD for some time may know there are some major IT rule changes coming but aren’t yet up to speed. They may understand that the new rules are complex and have to do with cybersecurity. But, since they don’t know much else about cybersecurity, they kick the can down the road.

Either way, the time is nearly up to get compliant. Here is the most important information about the Defense Federal Acquisition Regulation Supplement (DFARS) implementation.

What Is DFARS and What Does It Mean for DoD Contractors?

All contractors working for the DoD, even subcontractors, face a December 31, 2017, deadline to comply with DFARS 252.204-7012. This clause is a direct response to data breaches and cybersecurity threats and will be part of DoD contractor responsibility going forward. Each DoD contractor must meet the technical and procedural controls spelled out by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171.

Following NIST Requirements

In short, SP 800-171 spells out the responsibilities of contractors to protect sensitive information and report cyber incidents quickly. The publication from NIST also expands the types of information that must be safeguarded and includes “Unclassified Controlled Technical Information (UCTI).”

According to NIST, UCTI is information “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance.” For this reason, all DoD contractors are subject to the DFARS clause and need to understand it and their responsibilities. The information security requirements of NIST 800-171 were created for non-federal/contractor information systems. Nonetheless, they are significant requirements in 14 different areas of IT security, ranging from access control and risk assessment to maintenance, media protection and overall system and information integrity. Here is the full list of areas addressed by SP 800-171:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Clearly, NIST is taking cyber threats very seriously and expects all DoD contractors to do likewise.

Rapidly Reporting Cyber Incidents to DoD

Another major provision of DFARS is the requirement for DoD contractors, whether the prime contractors or subcontractors, to directly report to the government within 72 hours when there is a “cyber incident.” DFARS defines a cyber incident as “actions taken through use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” This means hacking, potential hacking, attempted hacking or other disruptions. In fact, the FBI defines a cyber incident as an event that “impairs or is likely to impair the confidentiality, integrity, or availability of electronic information, information systems, services, or networks.” Obviously, contractors and their IT support personnel need to be on top of their game to ensure they catch any of these types of incidents and stay out of hot water with federal law enforcement.

DFARS also requires a System Security Plan for sensitive information, audit logging, multi-factor authentication for network access, and advance reporting of the use of cloud computing services. No doubt, these requirements will have wide-ranging impacts on current business procedures, information security and information governance, as well as data storage and security. DoD contractors need to read the new guidelines, put their security plan in place, enlist IT consulting help as needed, and be ready to implement the changes before the New Year.

How SysArc Helps DoD Contractors Comply

Because DFARS compliance will require far-reaching combinations of technology, procedural controls and technical controls, contractors have basically two choices for ensuring they are in compliance with all of them. They can either upgrade their on-premises IT system to NIST requirements, complete with IT support and network security personnel qualified to keep it running smoothly, or they can migrate to a NIST-secure, cloud-based solution. Either way, the importance of working with an exceptional IT consulting company cannot be overstated. And working with an IT company in Washington, D.C., gives DoD contractors the assurance that the firm knows the requirements and how to implement them for the best security.

SysArc offers DoD contractors expertise in government IT security issues to safeguard their business and bring it into compliance with all of the new rules. The company understands modern cybersecurity and can explain it to partners in layman’s terms so that they understand it as well. Even better, SysArc can help with strategic IT planning, which allows DoD contractors to reduce internal IT costs, training and turnover. No matter who shows up, or who doesn’t, at the office on Monday morning, there will be continuity of the company’s IT systems, with no downtime, as well as a disaster backup and recovery plan. For DoD contractors, outsourcing IT to SysArc is a smart choice. SysArc can be reached at (800) 481-1984.

Sources:
https://www.sysarc.com
http://info.summit7systems.com/blog/how-to-prepare-for-dfars-compliance-by-the-december-31-deadline
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
http://www.aia-aerospace.org/report/safeguarding-of-unclassified-controlled-technical-information/
https://www.fbi.gov/file-repository/law-enforcement-cyber-incident-reporting.pdf/view
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

Filed Under: Cyber Security

Winning the Information Security Arms Race: 4 Facts to Know About Outsourced IT

August 21, 2017 by SysArc


The information security talent shortage is among the most challenging of issues facing today’s organizations. There are currently an estimated 1 million unfilled cybersecurity specialist jobs worldwide, and analysts believe the skills gap is growing rapidly. An estimated 25 percent of U.S. businesses are exposed to hackers due to a lack of internal talent or resources.

While the state of information security talent is dismal, HR leaders aren’t without hope when it comes to winning the race for talent. Consider the following four facts about outsourced IT, and what they mean for your organization in the fight against security threats.

1. Think Outside Your Organization: Outsourced IT

Organizations with the ability to hire outsourced cyber-security specialists may unlock a dramatically expanded talent pool. Indeed reveals there is a talent mismatch “in the employer’s favor” in certain markets worldwide, including a significant rise of security professionals in the United States in 2016.

SysArc, a Washington, D.C.-based IT company, states that its clients have opted for an outsourced IT team because of the inherent benefits outsourcing provides. First, it provides substantial cost benefits by having an entire team of talent at a company’s disposal, rather than one or two salaried employees. Second, it provides a fresh, outside perspective to seize opportunities and identify weaknesses unique to the company.

2. Internal Cyber-Security Training Matters: IT Consulting

Providing your current talent with the skills, experience, and certifications needed to fight cybercrime could mitigate disappointing applicant pools. A staggering 45 percent of security leaders recently reported that job applicants “didn’t understand the business of cybersecurity,” an alarming statistic in an age of growing threats.

Because of this, many SysArc clients value its hands-on approach to cybersecurity, which includes cyber-security training for clients’ employees on best practices that mitigate the risk of cyber threats.

3. Technology is Improving: Staying Ahead of the Curve

As the field of artificial intelligence (AI) advances rapidly, tomorrow’s next best hire may not be human at all. It could be software. The Harvard Business Review writes that today’s cutting-edge AI tools are up to 60 times faster than humans at identifying security threats.

Companies rely on outsourced IT companies like SysArc to stay ahead of the curve, leveraging new cyber security technologies and techniques so they can not only minimize costs but also focus on running their businesses without having to worry about trends in information technology.

4. Hiring Talent is Getting More Expensive

For some organizations that are struggling to fill job vacancies, a core issue could be failing to dedicate sufficient resources towards salaries. With median computer security specialist salaries currently at over $76,000, the skills gap has made it costlier than ever to hire the right talent. Another study revealed that less than half of organizations are putting more resources towards their security programs.

This fact further emphasizes the need for companies to consider outsourcing their IT to a local IT company, such as SysArc, which specializes in partnering with small and medium-sized businesses that may not have the luxury of hiring an internal team of IT professionals.

Conclusion: The Security Skills Shortage isn’t Simple, But There is Help

The arms race for security talent, together with the fast-changing nature of the threat vector, is a complex challenge. “Businesses can’t solve the skills gap with just a few training sessions,” writes Security VP Ryan Barrett. Any single-focused approach to on-boarding talent may not be enough to get desperately needed talent in the door. However, by expanding your talent pool through a partnership with an experienced outsourced IT company that leverages the skills and talents of its team of IT professionals, you may gain an edge in the information security arms race.

Filed Under: Cyber Security

5 Information Security Lessons From the Global Petya Cyberattack

August 18, 2017 by SysArc

Just weeks after the WannaCry virus affected hundreds of thousands of computers in 150 countries worldwide, the security threat vector grew even more frightening. On Tuesday, June 27, 2017, Petya was unleashed. While this Trojan CryptoLocker resembled a traditional ransomware virus in many ways, including its demand for $300 worth of Bitcoins for files to be released, it soon became apparent that Petya was “worse than ransomware.”

The Petya attack was initially targeted at computers in Ukraine, which likely suffered the worst impact. Countless individuals were affected as the Ukrainian central bank, utilities and the airport were forced offline. The impact was global, and FedEx is one of many well-known corporations that suffered significant financial losses due to the event.

Unlike true ransomware, Petya is not designed for a computer’s files to be decrypted and released after the ransom is paid. Instead, this “wiper virus” destroys data assets permanently. While your current risk of suffering from Petya is likely low, per Symantec analysts, this virus is a sobering reminder that today’s threats aren’t getting any easier to fight. Here are five ways to prepare your business for the state of information security in 2017.

1. Wiper Viruses Have Serious Impact

While wiper viruses, or viruses designed to permanently remove a user’s access to data, aren’t new, Petya is perhaps the most impactful example to date. Researchers at Kaspersky were unable to successfully decrypt data, even after tens of thousands of dollars in Bitcoin were paid according to the attackers’ instructions.

Paying ransoms to cybercriminals remains highly controversial, and the U.S. FBI does not currently advise organizations on that decision. However, the lasting financial impact of Petya is a clear lesson that paying a ransom doesn’t guarantee you’ll regain access to your data.

2. Data Mapping Is Critical

It’s impossible to protect data that you’re not fully aware of. Accurate, comprehensive data mapping, when coupled with secure off-site backups, can mitigate your risks associated with data loss. Not only is creating a complete picture of your sensitive data’s formats and locations an important tool for backup and risk planning, it may also be legally required for your organization as a compliance measure.

3. Network Segmentation Isn’t Optional

In the cases of both WannaCry and Petya, infection spread rapidly through organizations’ networks as the viruses worked to disable security tools. Network segmentation, the practice of dividing your organization’s tech ecosystem into multiple separate networks, isn’t guaranteed protection against total infection, but it may slow the rate at which viruses like Petya can spread.

4. Patching Still Matters (Really)

In one of the more sobering realizations post-Petya, it became apparent that the virus was not dependent on a software vulnerability to unleash damage. While this fact is an important motivator toward comprehensive information security, it doesn’t diminish the importance of applying regular updates to software and systems. According to one Information Security pro, patching should be as “common as locking your doors” to mitigate risks of other widespread viruses.

5. Adopt Stronger Password Management Practices

Stolen and brute-forced credentials are a factor in countless information security incidents worldwide. While viruses like Petya are a sobering reminder that hackers are innovating quickly, 85 percent of incidents in the previous year fit one of just 10 patterns. Supporting positive password hygiene with two-factor authentication, user education and password management tools is too important to ignore.

Conclusion: Comprehensive Information Security Is Your Best Bet Against Petya

While it remains unclear whether Petya was a politically motivated attack, this wiper virus is a strong message to global information security pros that a comprehensive approach to risk prevention matters. Best practices such as data mapping, patching, smarter password management and network segregation can play a crucial role in your fight against the cybersecurity threats of today and tomorrow.

Sources:

http://www.businessinsider.com/petya-petrwrap-cyberattack-companies-government-agencies-affected-2017-6/#ukraine-banks-airports-government-offices-power-grid-1
https://www.theverge.com/2017/6/28/15887496/petya-virus-not-actually-ransomware-analysis-shows
https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html
http://www.washingtontimes.com/news/2017/jul/19/fedex-warns-material-losses-cause-petya-computer-v/
https://www.symantec.com/security_response/writeup.jsp?docid=2016-032913-4222-99
http://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html
https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise
http://searchsecurity.techtarget.com/feature/How-to-keep-track-of-sensitive-data-with-a-data-flow-map
http://www.computerweekly.com/news/450421669/Key-lessons-from-Petya-ransomware-attack
https://www.arbornetworks.com/blog/asert/patching-not-enough-stop-petya/
https://www.cimcor.com/blog/myth-busted-10-security-myths-the-2016-verizon-dbir-just-crushed
http://www.healthcareitnews.com/news/era-petya-wannacry-good-news-users-are-getting-better-about-passwords

Filed Under: Cyber Security
