Monthly Archives: February 2023

Why Should You Care About Your Compliance Posture?

Findings explains why businesses should care about their compliance postures.

In general, compliance means following rules made by an authority body. In practice, it means creating a program that has security controls in place to protect the confidentiality, integrity and availability of data.


Your business and customer data is valuable to cybercriminals who may use it for malicious reasons or personal gain. They could be acting on behalf of the state or an aggressive competitor interested in your trade secrets, technical data or internal communications. Or they may be motivated by money, which they make by selling your customers’ data on the dark web or holding it for ransom. 


Why is Regulatory Compliance Important?


The risk of non-compliance with cybersecurity regulations is too big to take lightly. PCI DSS breaches cost companies a minimum of $5,000 and a maximum of $100,000 per month in fines. Fines per HIPAA violation range from $100 to $50,000. If you do business in California, the state’s data privacy law – the California Consumer Privacy Act (CCPA) – will apply to you provided you handle more than 50,000 consumers’ data or have an annual gross revenue of at least $25 million. Under the law, you could be fined up to $7,500 for sharing or processing certain types of employee information without their consent.


Harsh punitive action apart, the bad publicity that accompanies data breaches can create a trust deficit among customers and make your competitors suddenly look a lot more attractive than you. Intentional or unintentional exposure of your employees’ information due to ineffective controls or training may also cause them distress. 


What Goes Into Maintaining a Strong Compliance Posture?


You’d have to create strong defensive measures for all the places where your data lives, such as systems, networks, smart devices, routers and the cloud. Here’s where industry standards and government regulations on cybersecurity come in. While there are many, not all may apply to your industry. So, the first step in creating a strong compliance posture is to identify the cybersecurity regulations you need to comply with and the cybersecurity frameworks you can adopt to reduce your cybersecurity risk. 


You’ll then have to appoint a person to manage your cybersecurity program and stay updated with compliance requirements. Large organizations have Chief Information Security Officers (CISOs), but in a medium-sized or small company, the IT Manager, CTO or COO performs this role, usually in consultation with a cybersecurity company. 


The individual is in charge of assessing risks and vulnerabilities, and implementing technical controls based on applicable cybersecurity regulations or a cybersecurity framework (e.g. NIST, ISO/IEC 27001 or PCI DSS) with added technical controls to meet those regulations. They will also be responsible for implementing, in collaboration with other leaders, non-technical controls such as cybersecurity policies, procedures, audits and training, which are equally important to compliance.


Cybersecurity requirements change. New threats emerge. The controls you have now may not stack up against new laws and evolving threats. Regularly assessing your security controls is necessary to identify security gaps due to any new risks that have emerged and enforce changes required to continue maintaining a robust compliance posture. If things appear complicated, a cybersecurity company or attorney specializing in cybersecurity compliance will prove to be a valuable ally by providing clarity on laws and recommendations on risk management.

A New Method of Attacking: Malicious Packages

Findings.co takes note of a new attack vector: malicious packages

It’s not always easy to spot malicious impostors posing as legit downloads. Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn’t going away anytime soon. In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems.

Spotting Malicious Impostors in Open-Source Repositories

Open-source repositories are a great source of code and libraries, but malicious actors can also target them. In a recent incident, researchers uncovered a supply chain attack targeting an open-source code repository – the Python Package Index (PyPI) – that deployed information stealers on developer systems.

This attack highlighted the need for vigilance and safety measures when it comes to downloading code from open-source repositories, as malicious actors can use these code repositories to spread their malicious payloads. Developers should take extra precautions when downloading code from open-source repositories, such as scanning code for malicious content and ensuring that the code is from a trusted source. These steps can help ensure that developers are not unknowingly exposed to malicious attacks.

Attack on PyPI Repository

The attack involved six malicious packages that were inserted into the PyPI repository. The packages were designed to steal vital information from developers’ systems, such as usernames, passwords, and other sensitive data.

The attack succeeded because the malicious code was not detected until after unsuspecting developers had already installed the packages, leaving their systems exposed. This underscores the need for heightened vigilance against cyberattacks that target repositories and the unsuspecting public.

How to Protect Your System

Fortunately, there are ways to protect your system from malicious packages. One of the most effective methods is to use antivirus software to detect and remove malicious packages before they can cause any damage.

Additionally, it is important to keep your system up to date with the latest security patches and to download packages only from trusted sources. This further protects your system from malicious actors, as they will not be able to take advantage of security vulnerabilities present in older software versions. By following these simple steps, you can ensure that your system is well protected from malicious packages.

Minimize Risk

Malicious packages are becoming increasingly prevalent in open-source repositories, so taking the necessary precautions to protect your system is essential. You can minimize the risk of falling victim to malicious impostors by using antivirus software, keeping your system up to date, and only downloading packages from trusted sources. Additionally, it is important to know the risks associated with using open-source repositories. Be sure to read the documentation and reviews of any package before downloading it, and be sure to keep a backup of your system in case something goes wrong. You can ensure your system remains secure and protected from malicious packages by being diligent and taking the necessary precautions.
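The advice above to download packages only from trusted sources has a concrete form in Python packaging: pin every dependency to an exact version plus the SHA-256 of its distribution file, the format pip accepts in hash-checking mode (`pip install --require-hashes -r requirements.txt`). The following is an added example, not code from the Findings post or from pip, that parses such a pin file and checks downloaded artifacts against it. The package name `examplepkg`, the look-alike name `exampelpkg`, the file names and the file contents are all constructed for the demonstration.

```python
"""Verify downloaded Python distributions against a hash-pinned requirements file.

Added example (not code from the Findings post). It mirrors the format pip
accepts in hash-checking mode (`pip install --require-hashes -r req.txt`):
    name==version --hash=sha256:<hex>
Package names, file names and contents below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

PinTable = Dict[str, Tuple[str, List[Tuple[str, str]]]]

# One exact pin per logical line; `--hash=` options may follow on the same line.
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -, _ and . collapse to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> PinTable:
    """Return {normalised_name: (version, [(algo, hexdigest), ...])}.

    Backslash line continuations (as emitted by pip-compile) are joined first.
    A pin with no --hash raises, because a single unhashed line makes pip
    reject the whole file in --require-hashes mode; mirroring that is the
    safe choice.
    """
    pins: PinTable = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an exact '==' pin: {line!r}")
        hashes = [(h.group("algo"), h.group("digest").lower())
                  for h in HASH_RE.finditer(line)]
        if not hashes:
            raise ValueError(f"no --hash given for {m.group('name')}")
        pins[normalize(m.group("name"))] = (m.group("version"), hashes)
    return pins


def digest_file(path: Path, algo: str) -> str:
    """Stream the file through the named hash so large wheels never sit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(name: str, path: Path, pins: PinTable) -> bool:
    """True only if `path` matches one of the hashes pinned for `name`.

    A name that is not pinned at all (for example a look-alike of a real
    package) is refused rather than trusted on faith.
    """
    entry = pins.get(normalize(name))
    if entry is None:
        return False
    _, hashes = entry
    return any(digest_file(path, algo) == digest for algo, digest in hashes)


def run_demo() -> Dict[str, bool]:
    """Write constructed artifacts to a temp dir and check them against a pin file."""
    good = b"constructed contents standing in for examplepkg-1.2.0-py3-none-any.whl\n"
    tampered = good + b"# any appended byte changes the digest\n"
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "examplepkg-1.2.0-py3-none-any.whl").write_bytes(good)
        (base / "examplepkg-1.2.0-tampered.whl").write_bytes(tampered)
        (base / "exampelpkg-1.2.0-py3-none-any.whl").write_bytes(good)  # look-alike name
        # Constructed pin file in pip-compile style, hash derived from the good artifact.
        pin_file = ("examplepkg==1.2.0 \\\n"
                    f"    --hash=sha256:{hashlib.sha256(good).hexdigest()}\n")
        pins = parse_requirements(pin_file)
        try:
            parse_requirements("otherpkg==0.1\n")  # pinned but unhashed: must be refused
            unhashed_rejected = False
        except ValueError:
            unhashed_rejected = True
        return {
            "pinned_artifact_ok": verify_artifact("ExamplePkg", base / "examplepkg-1.2.0-py3-none-any.whl", pins),
            "tampered_rejected": not verify_artifact("examplepkg", base / "examplepkg-1.2.0-tampered.whl", pins),
            "lookalike_rejected": not verify_artifact("exampelpkg", base / "exampelpkg-1.2.0-py3-none-any.whl", pins),
            "unhashed_pin_rejected": unhashed_rejected,
        }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

The three refusals are the point: a modified file, a name that was never pinned (the impostor case the post describes), and a pin file that quietly omits a hash all fail closed. In practice the pin file is generated once from a reviewed environment (`pip-compile --generate-hashes` or `pip hash`) and committed, so a later substitution on the index side changes a digest and stops the install.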

The Biggest Supply Chain Compliance Risks To Conquer For 2023

Findings explains the biggest compliance risks in your supply chain in 2023

Now is the time for businesses to overhaul their supply chain compliance strategy. As they head into 2023, organizations should take stock of which supply chain compliance challenges matter most today, as well as which types of practices can help them conquer those challenges.


Let’s walk through the biggest risks that we’re noticing heading into 2023 and what businesses can do about them.

Core Supply Chain Compliance Risks For 2023

There are four overarching types of risks that are likely to shape supply chain compliance challenges for most businesses in the new year.

  1. The Need For Real-Time Visibility

Supply chain visibility, such as through a vulnerability disclosure policy, has always been an important component of supply chain compliance. 


Today, however, basic visibility isn’t enough. Businesses need real-time visibility so that they can detect and react to supply chain risks as they appear. As Blume Global notes, “in a volatile market, real-time information is essential…to maneuver through supply chain disruptions.”


To achieve real-time visibility, businesses need automated tools that can detect and evaluate supply chain risks in real time. Running periodic audits or relying on occasional reports for visibility is not enough.

  2. Supply-Wide Communication

Knowing where supply chain risks lie is only the first step toward supply chain compliance. In order to ensure that they can actually respond to those risks, organizations must be able to communicate and collaborate with stakeholders from across the supply chain – including not just their direct vendors, but also fourth-party organizations.


Communication and collaboration are key to ensuring full adherence with supply chain compliance policies across all layers of your supply chain.


  3. Managing Fraud And Insider Threats

Malicious insiders have always posed some risk to supply chains. But we’re now living in the age of the “super malicious insider,” as DTEX puts it. The term refers to malicious insiders who are not just your typical disgruntled employees. Instead, they are people hired to perform activities like espionage or sabotage, and they will take advantage of insider access to carry them out.


This means businesses need to be more vigilant than ever in detecting cyber security threats such as malicious insiders, not just within their own ranks, but also within their supply chains. They need to know whether their vendors and partners take steps to protect against malicious insiders as part of supply chain compliance initiatives.

  4. Executing On Supply Chain Compliance

It’s one thing to have a written supply chain compliance strategy – which many businesses do at this point, given the attention supply chain compliance has received over the past year.


But it’s another to put that strategy into practice. Going forward, organizations will need to ensure that their supply chain compliance rules and policies become more than just words on paper. They need tools that can operationalize and automate those policies across their supply chains.

But That’s Not All. Be On The Lookout For:


  • Consumer Protection Regulations: The fallout from security or customer service incidents can be devastating for a company’s brand – and critics often don’t know, or care, whether the root cause of the issue was a blunder made by the company itself or by one of its suppliers. That’s why staying on top of supply chain compliance is critical for protecting your brand and public image.

  • Lack Of Regulatory Inventory: To manage supply chain compliance well, businesses and suppliers need to know which specific regulatory rules they must abide by. But many still lack a “regulatory inventory,” meaning an inventory of applicable regulatory rules and frameworks. Getting these up to scratch in a timely fashion should be at the top of your list.

  • Lack Of Culture Of Compliance: Compliance officers should be evaluating how well regular employees recognize the importance of supply chain compliance and processes associated with it. But many are not, which makes it difficult to build an organization-wide compliance culture. The results of these types of initiatives are difficult to quantify, but compliance officers should make an effort nonetheless.

  • No Measurement Of Compliance Effectiveness: You can’t address supply chain compliance risks very well if you don’t measure your effectiveness. Businesses should be systematically tracking compliance incidents and how quickly they respond to them. You don’t want to wait until a major supply chain compliance incident erupts to discover that your compliance strategy is not as effective as you thought it was.


Most of these challenges involve the way businesses approach supply chain compliance internally, as opposed to external risks that complicate supply chain compliance. 

Comprehensive, Real-Time Monitoring To Automate Your Supply Chain With Findings

No matter which specific supply chain compliance challenges you face, Findings can help you conquer them in 2023 and beyond. Findings automates supply chain security, and offers the ONLY end-to-end, continuous monitoring across your entire supply chain to ensure you’re fully covered against all manner of risks.


US Schools Becoming Targets for Cyber Crimes

Findings explores why US schools are becoming targets for Cyber Crimes

Cyber crimes are becoming an increasing issue for many schools within the United States, with various attacks ranging from data breaches to ransomware. Many believe that attacks began increasing during COVID-19 since schools began implementing remote learning models. 

This caused schools to be more reliant on technology and IT systems, which in turn brought more opportunities for cyber criminals.  

With this alarming rise in recent years, educational institutions need to be aware of the potential risks that they may face and take all necessary steps to safeguard their networks and everyone within their school districts.

Types of Cyber Attacks

Cybercriminals can use various tools to target schools, including data breaches, phishing scams, malware, and ransomware.

Ransomware Attacks:

School districts have seen a rise of Ransomware attacks where criminal groups seek to extort money from victims in exchange for the restoration of their IT systems and any sensitive data they may have been able to exfiltrate. 

Data breaches:

Breaches are the most common form of attack, where hackers gain access to sensitive information such as student records and financial data. Phishing scams involve sending emails with malicious links that can install malware on the school’s network.

Malware:

Malware can be used to slow down or completely shut down the school’s network, while ransomware is used to hold the school’s data hostage until a payment is made.

Both of these tactics can be incredibly damaging, disrupting school operations and putting the security of student and faculty data at risk.

If the attack is detected early, however, it is possible to contain the damage and take measures to mitigate the risk of a similar attack occurring in the future.

This could include implementing stronger security protocols, increasing monitoring of activities on the school network, and providing regular training to staff and students on cyber security best practices. Additionally, schools should also consider investing in technology solutions such as intrusion detection systems, firewalls, and other security tools that can help protect against malicious cyber incidents.

Taking these proactive steps can significantly reduce the chances of a future attack, and the associated disruption to school operations.

Preventative Measures

Schools need to take proactive steps to protect their networks from cyber criminals.

This includes investing in up-to-date antivirus software and firewalls, conducting regular security audits, and training staff on cybersecurity best practices.

Additionally, schools should have a response plan in place in case of a cyber attack to ensure that any threats can be assessed and dealt with promptly and effectively.

Such plans should detail the steps to be taken to contain the damage and be regularly reviewed and updated to reflect the latest technology and trends in the cybersecurity world.

It is important to note that these plans must be tailored to the specific needs of the organization, taking into account the size, complexity, and industry, as well as any other relevant factors. Additionally, it is essential that all staff involved in the implementation of these plans are well-trained in the latest cybersecurity best practices, in order to ensure that the organization is well-prepared in the event of a breach.

Conclusion

Cyber crimes are becoming a major issue for US schools, and it is important for them to be aware of the potential risks and take steps to protect their networks.

By investing in the right security measures and having a response plan in place, schools can help protect their networks from cyber criminals.

A well-thought-out security strategy is a critical component of any school’s security plan, and by taking the necessary steps to ensure their networks are adequately protected, schools can help reduce their chances of falling victim to these malicious activities.

Additionally, by staying up to date on the latest cyber threats and taking the time to educate staff and students on the importance of cyber security, schools can be better prepared to address any potential security incidents that may occur.

How to: Stop Creating a Tedious Sales Cycle

Findings.co shares what IT leaders can do to save their sales teams from tedious sales cycles

Concerned about the time and effort required to close your B2B sales cycle?



There’s no doubt that B2B sales cycles are getting longer and more complex. According to a recent study, 68 percent of B2B customers say the buying cycle has lengthened, with the average time taken to close a deal being 4 to 6 months.


On average, only 47 percent of sales deals are closed across industries, while in the software sector, only 22 percent of deals are closed.


Multiple factors – right from the time and effort involved in finding prospects, and scheduling a demo, to conducting compliance due diligence, impact your sales cycle.



Let’s look at the problem (tedious sales cycle) and the smart solution:



The problem: Tedious sales cycles



A typical sales cycle involves multiple steps:


  • Finding new leads and qualifying them

  • Setting up the first appointment or a demo

  • Discovery work and due diligence

  • Exchanging ideas and proposals

  • Presenting a proposal

  • Closing the sale


SDRs, on average, make 52 cold calls each day while a third of SDRs spend about 20 to 23 percent of their time on discovery meetings.


What’s more, an SDR spends only 35.2 percent of their time actively selling, with the rest of the time spent on prospect research and non-selling activities.


This means that a company spends about $50,000 per sales rep, per year (considering USD $81,000 as the average pay for a sales rep in the US) on prospect research alone.


Another factor that contributes to the complexity is the compliance due diligence process which can take anywhere from weeks to months.


Regulatory compliance, however, is vital to protect your business against numerous financial, legal, and reputation-related risks.



Why regulatory compliance is vital



According to an estimate, cybercrime costs are expected to reach USD $10.5 trillion annually by 2025. As the number of cyberattacks increases, so do the regulations designed to protect against them. 


The most recent regulation is the proposed IoT cybersecurity law in the EU. If this bill is cleared, noncompliance with cybersecurity requirements can potentially cost IoT manufacturers a whopping €15 million.


How can non-compliance with cybersecurity laws affect your sales cycles and contracts? For starters, it can affect the value of the deal in addition to impacting the sales win and business reputation.


A case in point is the acquisition proposal of Yahoo! Inc. by Verizon Communications. While the original proposed price was USD $4.83 billion, the price was cut down to $350 million after seven months. The reason? Verizon discovered undisclosed data breaches at Yahoo! while conducting cyber due diligence.



The Solution: Automate compliance due diligence



Thanks to the ever-changing regulatory landscape, most companies struggle to keep up with the constant changes. 


Automating the process can help speed up the sales cycle and make it more efficient. At Findings.co, we have built a smart tool that automates your compliance due diligence to reduce time, improve accuracy, and improve sales win rates.


An automated risk assessment tool captures the threats and vulnerabilities of potential contractors while including recommendations for risk mitigation.


Built-in response automation ensures a quick turnaround time for responding to security incidents and a quicker containment of incidents. With these features, organizations can improve their overall security posture and accelerate compliance due diligence, setting up a win-win situation for the parties involved in the contract.

Importance of ESG in the Finance Sector

Findings.co talks about ESG in the finance sector

ESG is now a business reality


Environmental, social, and governance (ESG) is no longer just a buzzword floating around in today’s corporate realm. Issues in these three areas have become the top concern of business management and boards, and for good reason.


As climate change is looming as a potential threat to humanity, it’s needless to say that effort has to be made by pretty much all entities of society to create a sustainable world. For the corporate enterprises, ESG is starting to form the foundation of a business framework that helps them achieve their financial and sustainability goals.


The importance of ESG is emphasized in the context of both SMEs and large organizations, especially amidst post-pandemic concerns and climate crises. After all, a conscious society is not solely dependent on government initiatives but also on socially responsible businesses capable of meeting its needs. It can foster equitable growth, employment creation, conservation of natural resources, and protection of consumers’ interests, to name a few.


A high ESG rating lowers the risk profile of enterprises in all industries by facilitating their top-line growth and reducing regulatory and operational hurdles. Many investors seek intelligent investing options in enterprises that adhere to high ESG standards. As such, those small and medium enterprises (SMEs) with a strong focus on ESG will be better positioned to attract investor interest.


What about the finance sector?


While ESG standards are crucial to all industries, the finance sector deserves a stronger ESG focus. Financial institutions across the globe are increasingly confronting risks due to reporting and regulatory requirements that revolve around the impacts of their business operations on ESG. As such, it’s of the utmost importance that financial institutions, which deal in billions of dollars on any given day, devise a robust ESG strategy to achieve long-term competitive success and avoid regulatory complications.


As a part of ESG compliance, the performance of finance companies and financial institutions is steadily shaping lending criteria, investment-related decision-making, and insurance factors. So, it becomes clear that the finance companies that are unable to create and implement an ESG strategy are at a higher risk of losing resilience and the long-term feasibility of their business.


For financial institutions, a primary environmental concern has been the shift to green or sustainable financing, a vital determinant of an organization’s reputation and a regulatory mandate. The governance concerns of financial institutions revolve around board structure, particularly board diversity, transparency and audit quality, and issues around remuneration of professionals, for example, executive pay. Social concerns facing financial institutions include labor management policies, well-being, safety and health commitments and other labor standards, as well as social equality, customer privacy, and diversity and inclusion policies.


Conclusion


Financial institutions vary significantly in readiness for the shift to sustainability. As ESG concerns are getting global attention, the need for financial institutions to take action will increase. The agility of organizations to respond to changes in laws, regulations, and market expectations will be critical to success. Companies adopting a systematic and proactive approach to ESG will have greater resilience.

January Security Breach Round Up

Findings.co reveals the top breaches in January 2023

While a new year is supposed to bring in new and exciting opportunities, quite the opposite happened to these companies after they had their resolutions spoiled by hackers. Let’s review some of the most interesting data breaches that happened in January.


PayPal:


Yes, even massive financial companies like PayPal fall victim to breaches. On January 18, 2023, PayPal informed customers that unauthorized parties were able to access PayPal customer accounts using their login credentials. In the company notice, PayPal writes, “the personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.” After an incident like this, it is extremely important that users change their passwords for other online accounts as well as activate two-factor authentication, which can prevent hackers from accessing their other accounts. 


T-Mobile:

Another breach? This time, 37 million people were apparently affected. On January 19th, 2023, T-Mobile released a statement writing, “We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.” Obtained information includes name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. T-Mobile further writes, “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.” While we hope that T-Mobile does indeed strengthen their cybersecurity program, we’d like to note that the telecommunications giant has suffered several security incidents in the past few years. 


Google Fi:

Think of a domino effect here. When one goes down, so can the next. It is alleged that Google Fi’s security incident is connected to the T-Mobile incident right above this one. Google Fi is a mobile virtual network operator that uses T-Mobile’s network for the majority of its connections. It is believed that hackers may have accessed customer information such as phone numbers, SIM card serial numbers, account status, and mobile service plan data. To explain the aftermath of this, BleepingComputer explained that, “the exposed technical SIM data allowed threat actors to conduct SIM swap attacks on some Google Fi customers, with one customer reporting that the hackers gained access to their Authy MFA account. SIM swapping attacks are when threat actors convince mobile carriers to port a customer’s phone number to a mobile SIM card under the attacker’s control.” After the SIM swapping attacks, hackers can access a person’s email, accounts registered with the phone number, and authentication apps.


Mailchimp:


Don’t be that person – always think twice before opening links from people you don’t know. On January 11, 2023, Mailchimp discovered that an unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors. By doing so, the hacker was able to obtain access to select Mailchimp accounts using employee credentials compromised in that attack. The hacker accessed a tool used by Mailchimp customer-facing teams for customer support and account administration. In a company notice explaining the situation, Mailchimp confirms, “this targeted incident has been limited to 133 Mailchimp accounts.”


JDSports: 


JDSports, a British sports-fashion retail company based in England, also unfortunately fell victim to an attack in January. JDSports notified customers via email explaining the situation.






The sports company warns that the attack resulted in unauthorized access to a system containing customer information for orders placed between November 2018 and October 2020. Information such as full names, billing details, delivery addresses, email addresses, phone numbers, order details, and final four digits of payment cards were accessed.




Before wrapping up for the month, did you hear about SwiftSlicer, a new data-wiping malware that aims to overwrite crucial files used by the Windows operating system? BleepingComputer explains that it allows “domain admins to execute scripts and commands throughout all of the devices in the Windows network. SwiftSlicer was deployed to delete shadow copies and to overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.” Researchers at the cybersecurity company ESET say that SwiftSlicer overwrites data in 4096-byte blocks and can then reboot the system. Since this is a new discovery, it’s important that companies continue using the most up-to-date antivirus software.




