Monthly Archives: January 2023

Why The Energy Sector Is Especially Vulnerable to Cyber Threats

The energy sector is attractive to hackers for a number of reasons. While there are few documented attacks on energy infrastructure, the inherent nature of the sector makes it vulnerable to hackers. Cybersecurity compliance in this sector is critical simply because of the wide-ranging impact that a successful attack can have. The hackers that targeted the Colonial Pipeline network in early 2021 not only managed to extract a $4.4 million ransom but also pushed the per-gallon price up by six cents in affected areas and drove gasoline futures to their highest level in three years.

What makes energy companies easy prey for cybercriminals? 

1. Highly interconnected

The energy ecosystem is complex, consisting of physical and cyber infrastructure assets distributed across regions or countries. This creates a large surface area for attack. Moreover, the operational technology of grid distribution systems is increasingly allowing remote access to business networks, allowing hackers further opportunity to create inroads to company data.

The energy sector has historically been late to adopt technology and innovate. A lack of cybersecurity expertise means energy companies have to be more proactive in managing risks.

2. More to exploit

Cybercriminals have the chance to exploit vulnerabilities in energy companies’ IT systems and operational technologies. IT systems include the software, hardware and technologies used to run the business. Operational technologies include the software, hardware and technologies used to control motors, pumps and valves, among other devices and equipment.

Energy companies rely on different types of hardware, software and services from third-party vendors worldwide. Attackers can access a company’s network through a third-party vendor or supplier.

3. Always-on infrastructure

The energy and utilities sector is increasingly using cloud services, driven by the need for improved flexibility and operational efficiency, and reduced capital expenditure costs. This digital infrastructure supporting the energy sector works 24/7.

4. Wide-ranging disruption

The prospect of severe damage is also an attraction for cybercriminals. A single attack on a network or system in the energy infrastructure can impact a number of entities. For example, a blackout of 6-7 hours caused by a cyberattack on the energy grid can cause financial loss, affect socio-economic life and disrupt daily activities.

5. Various motivations

Reliable electricity is a convenience of modern life, and also crucial to the nation’s security and economy. The electricity grid is a prime target for cyberattacks perpetrated by hostile countries. Financial motivation (ransom) and hacktivism (to promote an agenda against the oil and gas industry, for example) are prime reasons for cyberattacks in this sector.

Actions to take

Businesses in the energy sector need a multi-pronged risk management strategy to stay compliant with industry standards and government regulations on cybersecurity. Active management of supply chain risk is crucial. Hybrid identity and access management solutions combining cloud and on-premises components can help bridge the gap between IT and OT architectures.

A strong incident response plan will minimize the impact of ransomware attacks, while employee training on identifying phishing and other social engineering attacks will be essential to maintaining a robust compliance posture. Last but not least, effective monitoring of the company’s cloud-based infrastructure can help eliminate potential data breaches.

What Google’s Latest Layoffs Mean for Its ESG Goals

In January 2023, Google announced it was laying off 12,000 employees globally. This news shook the tech industry, and rumors about how the layoff was done raised questions about the company’s commitment to its environmental, social, and governance (ESG) goals. Let’s take a closer look at what this announcement means for Google’s ESG initiatives.

The Impact on Google’s Economic Goals

Google has set ambitious goals related to its economic impact, such as increasing the number of businesses using its cloud products and services by 50%. To reach these targets, the company employs a large sales force to market cloud services to businesses. With the layoffs, these economic goals will likely take more work to achieve in the short term.

The Impact on Employee Engagement & Diversity Initiatives

Employee engagement and diversity initiatives are essential components of any ESG program. By reducing its workforce, Google has created a difficult situation regarding employee morale and diversity initiatives. While Google did provide severance packages for those affected by the layoffs, many of those impacted may feel slighted or unappreciated after being let go abruptly.

It remains to be seen how this decision will affect employee engagement in other divisions of the company and overall morale among current employees.

Furthermore, with Google’s stated goal of having a “fairly balanced gender ratio” across all departments by 2025, it is unclear if these layoffs have an adverse effect on this goal due to their heavy focus on sales and marketing departments which tend to have higher gender disparities than other departments.

The Impact on Sustainability Efforts

Google has made several commitments related to sustainability over the last few years, including transitioning all global operations to 100% renewable energy by 2030, as well as reaching net-zero emissions across all operations by 2050.

To meet these targets, they need an engaged workforce that understands their sustainability mission and is willing to work towards achieving their goals.

The recent layoffs could adversely affect these efforts if current employees feel disconnected from their employer or lack incentives due to decreased job security or resources available in their departments moving forward.


Overall, while no one can predict precisely how these layoffs will affect Google’s ESG initiatives in the long run, it is clear that there are potential ramifications for each pillar of their ESG program both directly and indirectly related to this decision.

As organizations continue striving towards meeting their own sustainability goals while also providing secure employment opportunities for existing staff members during uncertain times like these, only time will tell how companies like Google balance both objectives simultaneously.

The SEC Is Cracking Down on the Crypto Industry

Crypto this, crypto that. Cryptocurrencies have made a huge rise in recent years, but what does the SEC have against crypto companies? 

The Securities and Exchange Commission (SEC) has cracked down on cryptocurrency operations on the back of a crypto market crash that has wiped out investors’ wealth and cast doubt on the future of firms operating in this space. The worries (among many) are that stablecoins, which are pegged to EUR, GBP or USD, are not so stable after all, and that crypto trading platforms have no protections in place for investors should they collapse. Since there aren’t many regulations in place, cryptocurrencies are experimenting and growing quickly, but this rapid growth comes with risky practices that can leave consumers exposed.  

The SEC has a bone to pick with crypto companies

Crypto exchanges have faced increasing scrutiny in the past months. The US Treasury has warned in reports that cryptocurrencies, if not properly regulated, pose a risk for consumers, investors and businesses. The reports also state that the SEC and Commodity Futures Trading Commission (CFTC) must launch investigations and enforce actions against crypto companies that do not comply with laws. The Treasury says that the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) should increase efforts to monitor consumer complaints and take action against deceptive or unfair practices. 

What is the future of crypto regulations?

Cryptocurrencies aren’t governed by a single regulatory authority. The CFTC considers Bitcoin a commodity while the SEC allows traders to bet on the value of bitcoin through CME’s bitcoin futures contract. The IRS regards Bitcoin as property for tax purposes. 

The CFTC, whose enforcement summary for fiscal year 2022 reported that over 20% of its 82 actions were related to cryptocurrency, could become the chief regulator of cryptocurrency. That said, the SEC’s influence in regulating the US crypto market cannot be underestimated. In September, SEC Chair Gary Gensler said that the agency would take the lead in regulating the crypto market by monitoring crypto tokens and intermediaries. He also appeared to suggest in a lawsuit that the SEC would assert jurisdiction over the entire Ethereum network.

Can the SEC also regulate Initial Coin Offerings (ICOs)?

ICOs are to cryptocurrencies what initial public offerings (IPOs) are to shares. Gensler has deemed ICOs unregistered securities falling within the purview of securities laws. In 2021, ICOs accounted for 70% of the total of 20 enforcement actions related to crypto brought by the SEC.  

What does the crypto community think?

The main attraction of blockchain is that it’s used in a decentralized way. So, it’s not surprising that the crypto community isn’t in favor of cryptocurrency regulations. There are concerns that regulations, if enforced, will not be enforced fairly and that excessive regulation may have the opposite effect of making crypto more risky. Already, decentralized finance (DeFi) built on the blockchain is considered by its proponents to be safer and more transparent than traditional financial instruments.

Those in favor of cryptocurrency regulation say it would prevent market manipulation and price volatility, thereby protecting investors, while also highlighting the technological and cybersecurity risks associated with crypto trading platforms. As cryptocurrencies are vulnerable to money laundering, regulations would also keep criminal activity in check. 

Whether a legal framework for cryptocurrency is coming next year is anyone’s guess. Whatever governments decide, they should consider the potential economic benefits of virtual currencies in managing risks.

5 Ways You Can Invest in ESG That Aren’t Costly

The hazards of climate change and the need for restorative measures are felt across the business landscape, which is why investors are increasingly looking at the ESG ratings of companies they are choosing to invest in. The channeling of funds towards driving sustainability has become the concern of a huge chunk of investors, who are now showing keen interest in smart investing in green stocks.

If you are considering an investment in ESG companies, you are actually signing up for high future returns. As the focus on maintaining business sustainability is increasing with each passing year, your smart investing strategies should pick the right avenues. Let’s take you through some ways you can go about investing in ESG.

ESG Stocks

One of the most recommendable ways to join the sustainability bandwagon is to invest your money in ESG stocks of companies that you feel will perform well in the future. The best way to evaluate a company’s ESG capabilities is by checking its impact report—a statement that’s released to highlight its sustainability and social initiatives. The report can give you an insight into how the company is handling ESG issues, reducing carbon emissions, and creating a positive impact on the world. Fuel-Tech (FTEK), Invesco MSCI Sustainable Future ETF (ERTH) and VanEck Vectors Environmental Services ETF (EVX) are a few options you can consider for your ESG investment.

ESG Funds

Sometimes, it’s recommended that you avoid screening individual stocks to know if they meet the ESG criteria. An alternative investment solution would be to put your money in an ESG fund. These funds include only those companies that meet the criteria for inclusion. This means that you will know where your money is being channeled. ESG funds are also considered a great option for investors looking to create a diverse portfolio of ESG stocks. The best part: you don’t have to do all the hard work. Shelton Green Alpha Fund (NEXTX) and 1919 Socially Responsive Balanced Fund (SSIAX) are ESG funds doing great in the present times.


Robo-Advisors

If you wish to go off the traditional investment route, you can go for a robo-advisor that offers ESG investing options. Finding such robo-advisors for your ESG investment needs shouldn’t be a difficult task, as the internet offers a great many options. After you have identified the robo-advisor of your choice, you need to indicate to them that you are keen on investing in ESG funds. From then on, they take care of pretty much everything. You just have to deposit the money regularly and your investment will continue as per a preset plan.

Green Power Stocks

Another great ESG investment avenue for you would be green transportation. Although on a smaller scale, research is underway to use fuel-cell technology to create an alternative powering method for automobiles. Millions of consumers are waiting for this technology’s fruition. Businesses that operate in this space include Ballard Power Systems (BLDP), the producer of cells for vehicles and power backup systems. Also, FuelCell Energy (FCEL) is worth considering because it focuses on offering power options to various industrial and commercial facilities.

Waste Management Stocks

Lastly, you can consider investing in ESG stocks of waste management companies that have large recycling facilities. Companies such as Waste Management (WM) and Republic Services (RSG) are worth considering, especially during times when recycling has become a standard practice across the globe. Most people are becoming increasingly aware that they can reprocess metal, paper and glass and reuse them, and the list of recyclable items continues to grow. Vegetable oil, waste oil, cell phones, batteries, computers, and auto parts can have a second life. So, companies engaged in recycling these items can have great return-generating potential for investors.


The Evolving Challenge of Supply Chain Compliance in the Banking Industry

Not often would one think to tie a bank and a supply chain together, but the supply chain is everywhere – even in the banking industry. 


Managing compliance risks in the banking industry has long been central to banking operations. But the nature of those risks has expanded and evolved – and so have the strategies that banks must adopt to stay ahead of both internal and external compliance challenges.


For example, banks today must grapple not just with conventional compliance risks, like an obligation to identify money laundering, but also with risks that originate from within the supply chain in the banking industry.


Compliance And Banking: The Traditional Approach

In the old days, compliance for banks was relatively simple. It included two key components:


  • External Compliance. This involved adhering to compliance rules set by regulators or other external groups. On this front, activities like anti-money laundering were banks’ main priority.

  • Internal Compliance. This meant the establishment of internal systems necessary to identify and adhere to regulatory risks. These internal systems typically weren’t specifically mandated by regulators, but banks implemented them as a means of complying with external regulations.


Whether externally or internally, banks’ traditional approach to compliance was essentially reactive. Businesses focused on detecting and responding to risks, rather than preventing them proactively.


The Challenges Of Banking Compliance And Supply Chain Management

Those days of traditional compliance for banks are over. Today’s compliance landscape within the banking industry looks quite different.


  • Terrorist Financing: As the IMF notes, “the international community has made the fight against money laundering and the financing of terrorism a priority.” This change has raised the stakes surrounding anti-money laundering compliance for banks and increased the pressure they face from regulators around the world in this area.

  • Bribery & Corruption: Along similar lines, “the past decade has seen the emergence of anti-corruption compliance systems in companies across the globe,” according to the OECD. Here again, banks face heightened pressure to establish compliance processes that can mitigate activities related to corruption.

  • Internal & External Fraud: These risks have seen an increase to the tune of 218 percent during 2022 alone, according to TransUnion.

  • Business Continuity Risks: The need to ensure that banks can remain operational in the face of unexpected disruptions – such as problems within the supply chain in the banking industry – has been a continued challenge for finance compliance officers to master.

  • Information & Cyber Security Risks: Last but not least, cyber security incidents continue to surge, creating a pervasive compliance challenge for banks.


For all of these reasons, banks today require compliance strategies that are capable of addressing a much broader range of risks than traditional money laundering. At the same time, they must be able to track and mitigate not just those risks that originate internally, but also risks that arise from within their supply chains – such as insecure software provided to banks by third-party vendors, or a lack of compliance adherence by a bank’s partners.


Modernizing Compliance And Supply Chain Management In Banking

To meet those challenges, banks must turn to new practices that can supercharge their approach to compliance, such as:


  1. RegTech: RegTech refers to a new breed of IT tools – including supply chain risk management solutions like Findings – that can help banks to streamline and automate compliance operations.

  2. Proactive Compliance: Mandates like SEC Rule 30 require banks to think and act more proactively than they did in the past by establishing plans for dealing with risks ahead of time. Reactive compliance no longer cuts it.

  3. Risk Mitigation Playbooks: In a similar vein, banks should establish “playbooks” that spell out how they’ll react to particular compliance risks or incidents. By establishing playbooks ahead of time, banks can remediate problems much more efficiently when they arise.

  4. Next-generation AML: Anti-money laundering remains a pillar of banking compliance, but as noted above, modern AML must be more expansive than in the past. It must extend to domains like preventing terrorist financing and corruption – and not just among clients that banks deal with directly, but also within the banking industry supply chain.

  5. Reporting: Banks must double down on their approach to compliance reporting by ensuring that they have processes in place to disclose vulnerabilities through a VDP and violations promptly in order to comply with mandates like FINRA Rule 4530.

  6. Regulatory Penetration Testing: Regulatory penetration testing can help banks to identify risks proactively, rather than waiting for real-world violations to occur before they take action.


Put simply, modern banks must adopt more actionable, efficient and comprehensive compliance strategies, and they must ensure that they can enforce compliance across the entire banking industry supply chain.


Compliance solutions like Findings can help. By providing end-to-end visibility into supply chain operations and the compliance status of third-party vendors and suppliers, Findings makes it easy to detect risks in real time, then take action before the risks trigger compliance violations.


ESG: Nice to Have or a Must?

Yup, the world has taken a new turn… and I’m not talking about post-COVID-19. Industries, governments, and the environment began adapting to new standards way before the world experienced the effects of COVID-19. 


This is what is more commonly known as environmental, social and governance (ESG) data and numerous companies have defined it as a “must have” for supply-chain risk management. 


Stakeholders are no longer willing to work with companies who do not take a genuine interest in incorporating ESG measures and let’s just say that investors are following along step by step. In addition, stakeholders and investors want greater transparency of information regarding issues such as carbon emissions and modern slavery.


That being said, as ESG standards and regulations are still developing and have not been considered a “concrete” measure like cybersecurity, companies need to understand what needs to be done to adhere to supply-chain compliance.

Let’s break it down.


What is ESG?


According to Investopedia ESG, “refers to a set of standards for a company’s behavior used by socially conscious investors to screen potential investments.”


In other words, numerous investors have this topic on their minds when it comes to making an investment decision. ESG guidelines and principles are expected to be incorporated into an organization’s culture and business strategy. 


This is extremely important, but practically speaking, how do companies measure their carbon footprint and outline the specific steps to incorporate ESG into their supply chain and pipeline? For this, we need to have a better understanding of what each one of the pillars is referring to. 


How can companies adhere to ESG standards?


As ESG is still a developing framework across the world, industry best practices defined by experts in the field are usually what companies adhere to.

In the United States, for example, there is not one body that has created a compliance audit for all companies to follow. Setting aside the political sphere, incorporating federal government law can reduce the flexibility and progress of the framework, not to mention that industries vary.


In contrast, the EU has a formal body (the EU Commission) that creates ESG regulations, but here comes the issue of trial and error to continuously stay up to date with standards. 


In Singapore, a centralized registry exists where companies can upload all their ESG reporting, but this has only been recently implemented and has very little data currently. 


Considering all of these alternatives, it seems the best solution for companies and organizations is to reach out to experts who provide software or auditing services that can review their ESG spectrum. 


What can Findings do to Help?


Findings is a centralized, one-stop shop for enterprises and vendors to automate and scale their ESG assessment(s). We enable you to implement a sophisticated, straightforward, and efficient ESG vendor due diligence process. 


Enterprises can use pre-built best practices assessments or can be custom-built according to an enterprise’s needs. Vendors can use our automated response to easily and quickly respond to incoming ESG questionnaires. Fast, automated, and at scale all in one place!


December Security Breach Round Up

2023 is here and while I would love nothing more than to say that everything is awesome in the security world, I would be lying to all of you if I said there were no data breaches in the month of December. 

While most people usually wind down and enjoy the holiday season with family in December, the top dogs at the companies below probably had nothing but stress on their minds. 

Let’s dig in and see what mistakes were uncovered this month.

  1. LastPass:

Well this is a little awkward, isn’t it? Given that LastPass is a password manager, one would think that they would have strong measures in place to protect their consumer’s privacy; however, that does not seem to be the case. In a company notice, LastPass writes: “we recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” The threat actor copied information from a backup source that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The company continues to explain that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” It is important to note that many organizations and their employees use LastPass to store passwords. If you were not aware of this incident, it is time you look into protecting your accounts and changing your passwords.

  2. Uber:

When I found out about yet ANOTHER Uber breach, my reaction was a deep sigh of frustration. This time the breach resulted from a compromised third-party vendor. BleepingComputer reported about the incident and shared that “a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees. While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.” After further investigations, Uber later shared with BleepingComputer that the threat actor stole its data in a recent breach on Teqtivity, which Uber uses for asset management and tracking services. Teqtivity reported that the threat actor was able to access device information such as serial number, make, model, and technical specs. Additionally, user information such as first name, last name, work email address, and work location details was accessed.

  3. Five Guys:

I’ll be the first to admit that Five Guys is irresistible – especially on a cheat day. So of course I hate to be the bearer of bad news here, but alas, it has to be said. On December 29, 2022, Five Guys released a statement confirming a breach that occurred in September 2022 that exposed sensitive customer data by an unauthorized party who accessed a file server. The company writes: “The investigation identified unauthorized access to files on our file server that occurred on September 17, 2022. We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process.” Stolen data would include employee personally identifiable information (PII) such as names, social security numbers and driver’s license numbers. We see this time and time again where threat actors access sensitive information and companies do not inform victims until months later. In those months, the attackers can commit identity and credit fraud and sell user data on the dark web. That is one of the reasons why Findings is so useful – we continuously monitor your systems and the dark web to make sure that if an incident like this does ever occur, it will not take you months to find out.


  4. Sequoia:

For those who are unaware, Sequoia is a popular benefits and payroll management company. In a company notice, they stated: “Sequoia Benefits and Insurance Services LLC (“Company”) recently became aware that an unauthorized party may have accessed a cloud storage system that contained personal information provided in connection with the Company’s services to its clients, including your employer or, if you are a dependent, your family member’s employer.” Information accessed by the unauthorized party consists of personal information including demographic information such as name, address, date of birth, gender, marital status, employment status, social security number, work email address, member ID, wage data for benefits, attachments that may have been provided for advocate services, ID cards, and any COVID test results or vaccine card that may have been uploaded.

  5. Social Blade:

Social Blade is an analytics platform that provides statistical data for numerous social sites such as YouTube, Twitter, Twitch and Instagram. They confirmed that they suffered a data breach after their database was breached and put up for sale on a hacking forum. Social Blade monitors tens of millions of social media accounts and the hacker claims to have obtained 5.6 million records. The sample data that was posted by the hacker also suggests that many of the records contain user information. Users online were quick to share an email that was apparently sent privately to affected users. In the email, Social Blade confirms the breach and reports that the affected data includes email addresses, IP addresses, password hashes, client IDs and tokens for business API users, and authentication tokens for connected accounts. Other non-personal and internal data was also compromised. Roughly 0.1% of users also had their addresses leaked, but credit card information was not exposed. A similarity we see here in comparison to other breaches is that this was not Social Blade’s first breach. In 2016, the company also confirmed that it suffered a breach. Let’s see if the most recent breach will be the push they need to better protect their company and prevent future attacks. 


Now that we are in 2023, we hope that companies will take the necessary steps to protect their systems. Findings has a few New Year’s resolutions we recommend companies take on to ensure that they are protecting their employees and consumers.

Attackers prey on those who don’t regularly change their passwords. In fact, it makes their jobs easier. Make sure your systems are secure with New Year’s Resolution # 1: Require your employees to change their passwords every 90 days.

With an increase in cyber attacks being committed against supply chains, it’s vital that every business implements mandatory cybersecurity training programs. Having employees that are aware of all things cyber security is beneficial in minimizing the risks associated with cyber attacks.

Staying vigilant and continuously assessing potential risks in your supply chain is an essential New Year’s Resolution that companies need to follow in 2023.

Updates are usually required for a reason, and many times it’s for security reasons. When systems are up to date, it makes it harder for hackers to attack and find loopholes in the system. 

If you haven’t heard of our continuous monitoring solution, you may want to consider looking into it.

Andddd that’s a wrap for this month!

Findings wishes you all a happy and healthy New Year.
