Monthly Archives: June 2023

Unveiling the Power of ESG Stakeholders

Who are the stakeholders influencing ESG investing?

Overview

  • ESG stakeholders, including investors, nonprofits, governments, customers, and employees, collectively drive and shape ESG metrics, promoting sustainability and responsible business practices.

  • Investors play a significant role by utilizing ESG criteria and ratings to identify companies that prioritize environmental and social responsibility, while nonprofits and NGOs advocate for ESG regulations and reporting frameworks.

  • Government regulations worldwide, such as those implemented by the EU, encourage companies to embrace sustainability and accurately report their ESG performance. Additionally, customer demand for ethical brands and employee expectations for purpose-driven work further push companies to adopt ESG values.

The Influence of ESG Stakeholders in Driving ESG Metrics

As the importance of environmental, social, and governance (ESG) factors continues to gain traction in the business world, a wide range of stakeholders is playing a crucial role in shaping and driving ESG metrics. From investors and nonprofit organizations to governments and employees, these stakeholders are collectively pushing for a more sustainable and responsible approach to business. In this blog post, I will explore the different groups of ESG stakeholders and how they are influencing the implementation and reporting of ESG programs.


Investors and ESG Ratings

There’s a growing question of “are ESG investors underperforming?” As the prevalence of ESG in private markets increases, the number of private equity firms signing the Principles for Responsible Investment (PRI) has risen significantly, with those firms raising $2.5 trillion in capital. However, there is limited data on ESG fund performance, and analysis shows no significant performance differences between PRI signatories and non-signatories. Bloomberg Intelligence predicts that the market size of ESG investments will reach $50 trillion by 2025, nearly three times the level in 2014. With this in mind, investors are playing a significant role in driving ESG metrics. After all, many do utilize ESG criteria and ratings to identify companies that prioritize environmental and social responsibility. Raters and score providers are also amplifying the impact of ESG leaders by spotlighting purpose-driven companies through their sustainability rankings and reports.


Nonprofits and NGOs as Catalysts

Nonprofit organizations and non-governmental organizations (NGOs) are at the forefront of advocating for ESG regulations, standards, and reporting frameworks. Organizations like the International Financial Reporting Standards (IFRS), Carbon Disclosure Project (CDP), Sustainability Accounting Standards Board (SASB), and Global Reporting Initiative (GRI) are working towards establishing consistent and transparent ESG guidelines. Through their research, advocacy efforts, and collaborations, nonprofits and NGOs are shaping the ESG landscape and encouraging businesses to adopt sustainable practices.


Government Regulations

Governments worldwide are recognizing the need for ESG regulations to protect human rights and the environment. Countries such as Germany, the United States, the United Kingdom, Canada, and the European Union (EU) have introduced new ESG disclosure requirements and due diligence standards. The EU, in particular, has taken significant steps by implementing various regulations, including the General Data Protection Regulation (GDPR), Directive on Corporate Sustainability Due Diligence, EU Taxonomy, Corporate Sustainability Reporting Directive (CSRD) and European Single Electronic Format (ESEF) reporting, and Sustainable Finance Disclosure Regulation (SFDR). These regulations create a legal framework that drives companies to embrace sustainability and report their ESG performance accurately.


Customer Demand for Ethical Brands

Consumers are increasingly drawn to ethical brands, placing pressure on businesses to prioritize ESG practices. According to surveys, 74% of customers consider ethical corporate practices and values as a crucial factor when choosing a brand. Furthermore, a significant percentage (66%) of consumers plan to make more sustainable or ethical purchases in the coming months. To cater to this demand, companies are adopting sustainability initiatives, including carbon-labeling on products, to provide transparency and facilitate informed consumer choices.


Employee Expectations and Social Impact

Employees have become increasingly conscious of the impact their organizations have on society and the environment. They want to work for companies that align with their values and contribute positively to the world. A survey revealed that 93% of employees believe that companies must lead with purpose, while 65% feel that organizations should aim to leave their people “net better off” through work. Businesses that prioritize ESG values and make a positive impact on people and the planet are likely to see higher levels of employee satisfaction and attract top talent. Moreover, social impact has become an essential aspect of corporate philanthropy, with companies increasing community investments and providing opportunities for employees to engage in social initiatives.


ESG Stakeholders Pave the Way for a Sustainable Future

In short, ESG stakeholders, including investors, nonprofits, governments, customers, and employees, collectively drive and shape ESG metrics. The growing interest in ESG investing, the influence of ESG rating agencies, and the demand for ethical brands from customers all contribute to the momentum behind sustainable business practices. Additionally, nonprofits and NGOs drive the establishment of ESG regulations and reporting frameworks, while governments are implementing legal requirements to ensure corporate accountability. As employees prioritize purpose-driven work and communities expect businesses to give back, organizations are compelled to integrate ESG considerations into their operations. By recognizing and responding to the diverse interests of ESG stakeholders, businesses can thrive in a changing landscape and contribute positively to the world.


The Dark Side of Ransomware Attacks

The Dark Truth Behind Ransomware

Ransomware attacks have become an alarming threat in our increasingly digital world. As cybercriminals employ sophisticated techniques to exploit vulnerabilities, the consequences are felt by individuals, businesses, and even entire nations. In this blog post, we will delve into the dark side of today’s ransomware attacks, exploring the alarming trends and consequences that accompany these malicious acts.

The Rising Sophistication of Ransomware Attacks

Over time, ransomware attacks have evolved into more intricate and advanced operations. Cybercriminals now employ sophisticated tactics to maximize their impact. Spear-phishing, where attackers carefully craft personalized emails to trick victims into revealing sensitive information or downloading malware, has become a prevalent method. Additionally, zero-day exploits, which target software vulnerabilities unknown to the vendor, provide attackers with an advantage. Encryption algorithms used by ransomware have also become increasingly complex, making it extremely challenging for victims to recover their data without paying a hefty ransom. The complexity and ever-evolving nature of these attacks have made them a formidable menace.

Devastating Impact on Individuals and Businesses

The consequences of ransomware attacks are devastating for both individuals and businesses. Personal files, sensitive data, and intellectual property can be irreversibly encrypted or stolen, leading to significant financial losses and emotional distress for individuals. Businesses, on the other hand, face even more severe repercussions. Operational disruptions caused by ransomware attacks can halt critical processes, leading to significant financial losses. Moreover, the reputational damage resulting from an attack can have long-lasting effects, causing a loss of customer trust and potential bankruptcy.

Here are some notable examples of destructive ransomware strains witnessed in recent years:

  • CryptoLocker (2013): CryptoLocker emerged in September 2013 and caused widespread havoc until its neutralization in May 2014 by an international cybersecurity task force. Its propagation was facilitated through the extensive Gameover ZeuS botnet.

  • Petya (2016) & NotPetya (2017): The Petya ransomware family first emerged in 2016, but it was the devastating NotPetya strain that garnered widespread attention in 2017. NotPetya caused more than $10 billion in damages across Europe and the US.

  • WannaCry (2017): In May 2017, the WannaCry ransomware launched a highly impactful attack, infecting over 230,000 computers in 150 countries within a single day. The resulting damage and cleanup expenses were estimated to reach $4 billion.

  • DarkSide (2020): DarkSide gained notoriety in 2020 and 2021 for their RaaS model, which resulted in significant ransomware attacks and extortion demands. Although they claimed to avoid targeting government and healthcare entities, the group was responsible for the 2021 Colonial Pipeline attack, which disrupted fuel supplies across the US East Coast.

  • Nvidia (2022): In 2022, Nvidia, the semiconductor giant, was hit by a ransomware attack. Employee credentials and data were leaked online. The hacking group Lapsus$ claimed responsibility, demanding a $1 million ransom and a percentage of fees.

By highlighting these significant instances of ransomware, it becomes evident that this form of cyber threat has evolved over time, growing in complexity and impact.

Targeting Critical Infrastructure

The dark side of ransomware attacks extends beyond individual targets to critical infrastructure. In recent years, cybercriminals have shown an increased interest in targeting hospitals, energy grids, transportation systems, and government institutions. The motivation behind these attacks is not only to compromise sensitive data but also to put lives at risk and disrupt essential services. The consequences of successful attacks on critical infrastructure can be dire, underscoring the urgent need for robust cybersecurity measures to protect these vital systems.

Ransomware as a Service (RaaS)

The advent of ransomware-as-a-service has further exacerbated the threat landscape. Cybercriminals now offer ready-to-use ransomware kits to aspiring attackers, enabling them to execute sophisticated attacks without advanced technical skills. This commodification of ransomware has significantly contributed to its widespread proliferation and increased the number of potential attackers. The availability of RaaS lowers the entry barrier for cybercriminals and poses a challenge for law enforcement agencies and cybersecurity professionals.

Evolving Payment Methods and Cryptocurrencies

To facilitate ransom payments while maintaining anonymity, cybercriminals have turned to cryptocurrencies like Bitcoin. These decentralized digital currencies allow transactions to occur without being easily traceable. The use of cryptocurrencies complicates law enforcement efforts, as traditional financial institutions have limited visibility into these transactions. The relative anonymity offered by cryptocurrencies enables cybercriminals to operate with a reduced risk of detection and apprehension, adding to the challenges faced by authorities in combating ransomware attacks.

Collateral Damage and Hidden Costs

Beyond the immediate impact of ransomware attacks, there are hidden costs and collateral damage that organizations must face. The financial burden associated with incident response, recovery efforts, and potential legal actions can be significant. Furthermore, the loss of customer trust and diminished market reputation can have long-lasting effects on businesses, amplifying the damage caused by these attacks. Rebuilding trust and restoring operations after an attack can be a lengthy and costly process.

Urgent Need for Cybersecurity Collaboration and Proactive Measures

Today’s sophisticated ransomware attacks pose a severe and escalating threat to individuals, businesses, and critical infrastructure. The dark side of these attacks encompasses the rising sophistication of techniques, the devastating impact on victims, the targeting of critical infrastructure, the accessibility of ransomware-as-a-service, the use of cryptocurrencies, and the hidden costs incurred. To mitigate this menace, it is crucial to prioritize cybersecurity measures, stay informed about emerging threats, and foster collaborations to combat this growing cyber threat landscape. Proactive measures such as regular software updates, employee training on cybersecurity best practices, and robust incident response plans are essential for organizations to defend against these ever-evolving ransomware attacks. By working together, we can make significant strides in protecting ourselves and our digital assets from the dark side of ransomware attacks.

How Does Partnering With Findings Benefit MSPs?

How does partnering with Findings.co benefit you as an MSP?

First and Foremost: What Even Is an MSP?

MSPs, or managed service providers, are at the forefront of providing IT services to a growing number of businesses worldwide. An MSP is an entity entrusted with overseeing and providing services to another organization based on that organization’s specific needs and demands. MSPs can combine their proprietary services with offerings from other providers (for example, a security MSP also offering system administration), and it is common for MSPs to incorporate services from various providers. While the term MSP initially referred to infrastructure or device-centric services, its definition has broadened to encompass continuous, regular management, maintenance, and support across diverse areas.

As the digital landscape evolves, so do the challenges faced by enterprises. Findings gives MSPs a chance to improve their value proposition and meet the growing needs of their clients, who grapple with unsustainable, disjointed, and labor-intensive demands to scrutinize their supply chain amidst an escalating and evolving threat landscape. By partnering with Findings, MSPs get a proven solution that can be customized to streamline processes, reduce risks, and improve security overall.

What does Findings Offer?

Findings provides a range of invaluable features that empower businesses to streamline their operations, enhance compliance, and make informed decisions. Our features include:


  • Audit management

  • Monitoring

  • Evidence management

  • Assessment management

  • Vendor disclosure


So, What’s in It for MSPs?

Fully Customizable Processes:

Customize assessments, scoring, findings, reporting, and verification processes to meet your company’s unique needs. This ensures you can give your clients tailored solutions and, in turn, save them money.

Adaptive Assessments:

Change evaluation criteria in real time based on new data and threats. This flexibility lets businesses keep their security strong and stay ahead of the constantly changing threat landscape.

Comprehensive Reporting and Verification:

Full reporting and verification tools let MSPs show that their services are honest and trustworthy. With these features, MSPs can build trust with their clients by demonstrating how well their security measures work.

White Label and Branding Opportunities:

Customizable white label branding options provide a smooth, professional experience. This personalization helps MSPs establish a strong brand identity and further differentiate themselves in the market.

Internal Process Customization:

Customizable internal processes, such as business owner/security workflows, internal dashboards, and vendor inherent risk classification, give you better management and monitoring of your clients’ security operations. The Findings automated monitoring, tracking, and alerting features reduce manual effort and help you stay ahead of emerging threats.

Third-Party Tool Orchestration:

Integrated apps such as cloud posture management, threat intelligence, penetration testing, and security ratings let you deliver holistic security solutions to your clients.

Multi-Jurisdictional/Entity Support:

Multi-jurisdictional/entity data segregation ensures that MSPs can cater to the unique compliance requirements of their clients operating across different regions and industries.

Partnering with Findings offers MSPs a range of benefits, including customizable solutions, adaptive assessments, comprehensive reporting, white-label branding, streamlined internal processes, integrated third-party tools, and multi-jurisdictional support. By becoming a partner, MSPs can enhance their value proposition, save clients money, improve security, and differentiate themselves in the market.


Top Cyber Attacks and Data Breaches: May 2023 Round Up


In an era dominated by digital connectivity, the frequency and impact of data breaches continue to escalate, leaving individuals and organizations vulnerable to devastating consequences. From state-sponsored hacking campaigns to opportunistic cybercriminals, the realm of data security is constantly under siege. Recent events have once again thrust data breaches into the spotlight, as major corporations and industry giants grapple with the aftermath of malicious intrusions. In this blog post, I will delve into a series of alarming incidents that have unfolded in May 2023, shedding light on the tactics employed, the extent of compromised information, and the potential ramifications for affected individuals and businesses. Brace yourself for an eye-opening exploration of the evolving threat landscape as we navigate the treacherous waters of data breaches and their far-reaching impact.


  1. On May 24, 2023, Microsoft reported that it found targeted malicious activity by Volt Typhoon, a state-sponsored group from China, aiming to gain unauthorized access to credentials and explore critical infrastructure networks in the US. This campaign supposedly intends to disrupt communication infrastructure between the US and Asia during future crises. Volt Typhoon has been active since mid-2021, primarily targeting critical infrastructure organizations in Guam and other US regions across various sectors. They employ stealth techniques, living-off-the-land methods, and manipulate systems using command line instructions. The threat actor maintains persistent access and attempts to conceal their activities by routing network traffic through compromised SOHO network equipment.

  2. Sysco, a major U.S. multinational food distribution corporation, recently revealed that approximately 126,243 current and former employees may have had their sensitive data accessed and acquired in a cyberattack that took place in January. According to notification letters sent to affected individuals, Sysco’s systems were initially breached on January 14, but the intrusion was only discovered nearly two months later. The company assured that its operational systems, business functions, and customer services remained unaffected by the breach. While specific details about the data accessed for each individual are yet to be confirmed, Sysco stated that the compromised information may include personal data provided for payroll purposes, such as names, Social Security numbers, account numbers, or similar information.

  3. On May 26, 2023, Managed Care of North America (MCNA) Dental published a data breach notification on its website, informing approximately 9 million patients that their personal data was compromised. MCNA Dental is one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S. On March 6, 2023, the insurance provider discovered unauthorized activity in their computer system. They took immediate action to halt the activity and initiated an investigation with the assistance of a specialized team. It was determined that an unauthorized user was able to access and make copies of certain information between February 26, 2023, and March 7, 2023. The potentially compromised information includes contact details such as first and last name, address, date of birth, phone number, and email address. Social Security numbers, driver’s license numbers, or other government-issued ID numbers were also accessed. Additionally, health insurance information such as plan details, insurance company information, member numbers, and Medicaid-Medicare ID numbers may have been involved. Specific information related to dental care, including visits, dentist and doctor names, past treatments, x-rays/photos, prescribed medicines, and treatment details, as well as bills and insurance claims, was also potentially exposed.

  4. NextGen Healthcare, a vendor of cloud-based electronic health records, has been informing over 1 million individuals about a data compromise that involves the unauthorized acquisition of login credentials. This incident marks at least the second alleged data security breach that the company has probed since January. The company explained that an unknown third party gained unauthorized access to a limited set of personal data between March 29, 2023, and April 14, 2023. The accessed information includes names, dates of birth, addresses, and Social Security numbers. Out of the 198 significant breaches of health data that have been reported on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website in 2023, impacting a total of 17.4 million individuals, at least 75 of these incidents, affecting 9.8 million individuals, were reported to involve business associates. Approximately 38% of the major health data breaches reported on the HIPAA Breach Reporting Tool website in 2023 involved vendors and other business associates. Interestingly, despite accounting for a smaller proportion of breaches, these incidents were responsible for impacting 56% of the individuals affected by breaches in the healthcare sector.

  5. Luxottica, the world’s largest eyewear company, known for brands like Ray-Ban, Oakley, and Chanel, has officially confirmed, via BleepingComputer, a data breach that occurred in 2021. The breach exposed the personal information of approximately 70 million customers when a database was recently made available for free on hacking forums. Luxottica revealed that one of its partners experienced the breach, involving a security incident that affected a third-party contractor responsible for holding customer data. The exposed data includes sensitive details such as full customer names, email addresses, phone numbers, residential addresses, and dates of birth. Luxottica emphasized that financial information, Social Security numbers, login credentials, and other critical data that could endanger customer safety were not compromised. The FBI has made an arrest in connection with the incident, resulting in the shutdown of the website where the data was published.

  6. On May 11, 2023, Brightly informed present and past SchoolDude users that a security incident occurred. SchoolDude is an online platform used by educational institutions for placing and tracking maintenance work orders. Information such as name, email address, account password, phone number, and school district name was potentially breached.

  7. On May 8, 2023, Dragos, a company specializing in industrial cybersecurity, experienced a failed extortion scheme by a cybercriminal group. The group gained unauthorized access by compromising the personal email of a new sales employee, allowing them to impersonate a Dragos employee and access resources in SharePoint and the contract management system. Although they accessed a report with customer IP addresses, Dragos’ security controls prevented the threat actor from deploying ransomware or making further infrastructure changes. The cybercriminals resorted to extortion attempts, escalating their messages and contacting Dragos executives and known contacts. However, Dragos chose not to engage with the criminals and promptly activated their incident response retainer and involved their third-party MDR provider. The investigation is ongoing, but Dragos has implemented additional verification steps for their onboarding process and emphasizes identity and access management, multi-factor authentication, continuous monitoring, and incident response preparedness.

In other news, in May, it was discovered that Apple banned its employees from using generative AI tools like OpenAI’s ChatGPT and GitHub’s Copilot due to concerns about potential data leaks and disclosure of sensitive information. Apple’s decision is based on the fact that OpenAI stores all user interactions by default, including conversations with ChatGPT, which are used for training and subject to moderation. While OpenAI introduced an option to disable chat history, conversations are retained for 30 days for abuse review before permanent deletion. Apple worries that employees may unintentionally reveal confidential project information within ChatGPT, which could be accessed by OpenAI moderators. Similar restrictions have been implemented by other companies like JP Morgan, Verizon, and Amazon. Despite the ban, OpenAI recently launched an iOS app for ChatGPT, making Apple’s decision notable, considering the app’s availability and future expansion plans. 


As data breaches continue to make headlines, it becomes abundantly clear that the protection of sensitive information is of paramount importance. The incidents highlighted in this blog post serve as a stark reminder that no individual or organization is immune to the persistent and ever-evolving threats posed by cybercriminals. As we move forward, it is imperative for individuals and businesses alike to prioritize robust security measures, including stringent access controls, advanced encryption protocols, and employee education programs. By staying vigilant, proactive, and informed, companies can fortify their defenses and mitigate the risks associated with data breaches. 
