Monthly Archives: November 2023

Integrating ESG Goals with Cybersecurity Strategy: A Roadmap for Sustainable Business Practices


In an increasingly interconnected world, the importance of integrating Environmental, Social, and Governance (ESG) goals with cybersecurity strategies is paramount. As businesses strive for sustainability, understanding the intersection between ESG and cybersecurity becomes essential. This article explores how companies can align their cybersecurity strategies with ESG objectives, enhancing both their security posture and corporate responsibility.

Understanding the Intersection of ESG and Cybersecurity

The ESG-Cybersecurity Nexus

Cybersecurity is no longer just a technical issue; it’s a crucial component of a company’s social responsibility. Protecting customer data and ensuring privacy is integral to ethical business practices, aligning directly with the ‘Social’ aspect of ESG. Environmental and governance factors also intertwine with cybersecurity in less obvious, yet equally significant ways.

Case Study: SolarWinds Attack

The SolarWinds attack highlighted how cybersecurity breaches can have far-reaching implications, affecting not just the targeted organization but also its stakeholders and the environment. The breach had governance implications, highlighting the need for better oversight and risk management strategies.

Steps to Align Cybersecurity with ESG Goals

Assessing Cybersecurity in the ESG Context

Start by evaluating how your cybersecurity practices impact your ESG goals. This involves assessing data protection policies, the environmental impact of your security infrastructure, and governance structures in place for cybersecurity risk management.


Building a Responsible Data Management Framework

Data is at the heart of both cybersecurity and ESG. Implementing a framework that emphasizes data privacy and ethical handling aligns with the ‘Social’ commitment of ESG, reinforcing trust and transparency with stakeholders.


Minimizing Environmental Impact

Consider the environmental impact of your cybersecurity solutions. Opting for energy-efficient data centers and supporting sustainable technology practices can align your cybersecurity strategy with environmental goals.


Enhancing Governance through Cybersecurity

Robust cybersecurity policies contribute to good corporate governance. Regular audits, transparent policies, and board-level oversight of cybersecurity risks are key to achieving this alignment.


Case Studies of Successful Integration

A Leading Financial Institution

A prominent financial institution integrated its cybersecurity strategy with its ESG goals by implementing green data centers and promoting transparency in its data handling practices. The move not only strengthened its cybersecurity posture but also its reputation as a responsible corporate citizen.


A Global Retailer

A multinational retailer aligned its cybersecurity initiatives with social responsibility by ensuring stringent data protection measures, conducting regular privacy impact assessments, and engaging in community education about digital safety.


Challenges and Solutions

Balancing Security with Privacy

Balancing the need for robust cybersecurity with privacy concerns can be challenging. Implementing privacy-by-design principles in cybersecurity measures can help mitigate this.


Keeping Pace with Evolving Threats

The cybersecurity landscape is constantly evolving. Staying abreast of the latest threats and integrating adaptive security measures is crucial for maintaining alignment with ESG goals.


Measuring Impact

Quantifying the impact of cybersecurity on ESG goals can be challenging. Developing clear metrics and regular reporting can aid in this process.


Conclusion

Integrating cybersecurity strategies with ESG goals is no longer optional; it’s a necessity for sustainable business practices. By adopting a holistic approach that considers the ethical, environmental, and governance implications of cybersecurity, businesses can protect not just their data but also their reputation and the world around them. As we move towards a more interconnected and digitized future, the convergence of ESG and cybersecurity will be a key driver of responsible and resilient business operations.

The Role of AI and Machine Learning in Enhancing Compliance Protocols


In the fast-paced world of regulatory compliance, Artificial Intelligence (AI) and Machine Learning (ML) are revolutionizing how businesses manage and adhere to legal requirements. As organizations grapple with an ever-growing body of regulations, leveraging AI and ML can significantly streamline compliance processes, ensuring adherence while driving efficiency.

The Compliance Challenge in the Digital Age

The Expanding Regulatory Landscape

Businesses today operate in an environment where regulatory demands are not just complex but also constantly evolving. From data protection laws like GDPR to financial regulations like Sarbanes-Oxley, staying compliant requires continuous vigilance and adaptability.

The Cost of Non-Compliance

Failing to comply with regulations can result in substantial financial penalties, legal repercussions, and reputational damage. In this context, traditional manual compliance methods are no longer sufficient, given their time-consuming and error-prone nature.

AI and ML: A Game-Changer for Compliance

Automating Compliance Monitoring

AI-driven systems can monitor and analyze vast amounts of data to ensure regulatory compliance. For instance, AI can track changes in legislation and automatically update compliance frameworks, reducing the burden on legal teams.

Enhancing Risk Assessment with ML

Machine Learning algorithms can assess and predict compliance risks by analyzing patterns in historical data. This predictive capability allows organizations to proactively address potential compliance issues before they escalate.

Case Study: Financial Compliance

In the financial sector, AI tools are used to detect and report suspicious transactions in real-time, aiding in anti-money laundering (AML) efforts and fraud prevention.

Implementing AI and ML in Compliance Protocols

Data Quality and Integration

For AI and ML to be effective in compliance, integrating high-quality data from diverse sources is crucial. This requires robust data management practices and a clear understanding of the data landscape.

Ensuring Ethical AI Use

While AI can enhance compliance, it’s essential to ensure its ethical use. This means considering data privacy, avoiding bias in ML models, and maintaining transparency in AI-driven decisions.

Training and Continuous Learning

Implementing AI and ML in compliance is not a one-time effort. Continuous training of the algorithms and updating them with new regulatory information are key to maintaining their effectiveness.

Overcoming Challenges

Balancing Automation with Human Oversight

While AI can automate many aspects of compliance, human oversight remains critical. Experts need to interpret AI recommendations and ensure that the system aligns with the organization’s broader compliance strategy.

Navigating Regulatory Uncertainty about AI

As AI in compliance is a relatively new area, regulatory frameworks specific to AI use are still in development. Organizations must navigate this uncertainty by staying informed and adaptable.

The Future of Compliance: AI-Enabled and Efficient

Transforming Compliance into a Competitive Advantage

By integrating AI and ML into compliance protocols, businesses can turn regulatory adherence into a competitive advantage. Efficient compliance not only mitigates risks but also builds trust with customers and stakeholders.

A Catalyst for Broader Organizational Change

Adopting AI and ML in compliance can act as a catalyst for broader digital transformation, encouraging a more data-driven and proactive approach to business operations.

Closing Thoughts

The integration of AI and Machine Learning in compliance protocols represents a significant leap forward in how businesses approach regulatory adherence. By automating routine tasks, enhancing risk assessments, and providing actionable insights, AI and ML can transform compliance from a cumbersome necessity into a dynamic asset. As we look to the future, the successful implementation of these technologies will be crucial for businesses seeking to navigate the complexities of the regulatory landscape effectively and responsibly.

The Evolving Landscape of Cybersecurity Laws and Regulations: What Businesses Need to Know


In an era where digital threats are rapidly evolving, the regulatory landscape governing cybersecurity is becoming increasingly complex. Businesses across the globe face the daunting task of navigating this ever-changing terrain. Understanding the latest developments in cybersecurity laws and regulations is not just a matter of legal compliance; it’s a strategic imperative.

The Global Picture: Diverse Regulatory Frameworks

EU’s GDPR and NIS Directive

The European Union has been at the forefront with the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive. GDPR, known for its stringent data protection rules and hefty fines, has set a global benchmark. The NIS Directive, meanwhile, focuses on the security of network and information systems.

US’s Sector-Specific Approach

In the US, there’s no single federal-level cybersecurity law. Instead, regulations vary by sector, like HIPAA for healthcare and FISMA for government agencies. The recent Cyber Incident Reporting for Critical Infrastructure Act of 2022 marks a shift towards more comprehensive federal oversight.

Asian Perspectives: Emerging Frameworks

Countries in Asia are ramping up their cybersecurity laws. Japan’s Cybersecurity Basic Act and China’s Cybersecurity Law are just two examples of the regional commitment to tackling cyber threats.

Compliance Challenges and Business Impacts

Navigating these diverse regulations can be challenging. Businesses operating internationally must comply with multiple, sometimes conflicting, regulations. Non-compliance can lead to penalties, but the greater risk lies in reputational damage and loss of customer trust.

Case Study: Cross-Border Data Transfers

A key challenge is managing cross-border data transfers, especially given the differing regulations on data sovereignty and privacy. For instance, the Schrems II decision by the European Court of Justice disrupted the EU-US Privacy Shield, creating uncertainty for businesses reliant on transatlantic data flows.

Steps to Ensuring Compliance

Conducting Regular Risk Assessments

Regularly assessing cybersecurity risks and aligning them with the regulatory requirements is crucial. It’s not just about IT infrastructure, but also about policies, training, and incident response strategies.

Implementing Robust Data Governance

Effective data governance policies ensure data is handled correctly – a vital step in compliance, especially with regulations like GDPR.

Leveraging Technology for Compliance

Automation and AI can streamline compliance processes. Tools like compliance management software can keep track of regulatory changes and help ensure ongoing adherence.

Looking Ahead: Staying Informed and Agile

Keeping Abreast of Changes

Regulatory landscapes are dynamic. Staying informed through reliable sources, industry groups, and legal advisories is key to navigating these changes.

The Role of Cybersecurity Insurance

As risks evolve, so does the role of cybersecurity insurance. It’s becoming an essential part of the risk management strategy, not just for mitigating financial losses but also for accessing expertise in the aftermath of a breach.

Conclusion

In the digital age, a robust cybersecurity strategy that aligns with the global regulatory environment is a cornerstone of business resilience and success. The key lies in staying informed, agile, and proactive in compliance efforts. By embracing these challenges, businesses can not only safeguard themselves against cyber threats but also gain a competitive advantage in the trust they build with their customers and partners.

Cybersecurity Under Fire: Top October 2023 Breaches


The digital world is full of cyber threats that can affect any industry, and recent incidents have shown that even the most secure systems can be vulnerable. For example, Okta recently admitted to a security breach. Below you will also read about a sophisticated Magecart web skimming campaign that stole credit card details by hiding skimming code in compromised webpages. The impact of these breaches can be seen in various industries. For instance, five Canadian hospitals experienced disruptions in their services, and genetic testing company 23andMe had their data compromised. Even businesses in the hospitality and retail sectors are not safe, as shown by the data breach at Marina Bay Sands and Casio’s apology to its users. October’s breaches emphasize the importance of taking swift action and being transparent. As companies navigate through these challenges, it is crucial to strengthen cybersecurity measures and ensure the integrity of customer data.

  1. Okta

Okta has expressed regret to its customers for a recent security breach, emphasizing its dedication to maintaining transparent communication with them. On October 19, Okta notified its customers about a security breach that occurred between September 28 and October 17, wherein unauthorized access was gained to the support system affecting files related to 134 customers, which is under 1% of Okta’s customer base. HAR files containing session tokens were accessed, which led to session hijacking for 5 customers, with 3 customers openly discussing their experiences. The breach was enabled through the misuse of a service account within the customer support system. This service account had been inadvertently synced with an employee’s personal Google account, potentially through the compromise of the employee’s personal Google account or device.

Okta faced challenges in detecting the breach because files opened directly generate different log events than files opened through support cases, and direct access was the method the threat actor used. Upon receiving a suspicious IP address from BeyondTrust on October 13, Okta was able to trace and shut down the unauthorized access, revoke the stolen session tokens, and notify affected customers.
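The Okta incident turned on HAR files that still contained live session tokens when they were uploaded to a support system. The following is an added example, not Okta's or BeyondTrust's code, of the check a customer can run before sharing a HAR file: it redacts credential-bearing headers, cookies, token-like query and POST parameters, and JWT-shaped values in bodies, and reports what it touched so the sender can review the file. The header and parameter names in the two sets are assumptions to be extended for your own applications; the sample HAR is constructed.

```python
"""Sanitize a HAR file before sharing it with a support desk (added example)."""
import json
import re

# Header names whose values carry credentials or session material (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query/POST parameter names commonly used for tokens (assumed list, extend as needed).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "session", "sid", "code"}
# Three base64url segments separated by dots: the shape of a JWT in a body.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
REDACTED = "[REDACTED]"


def _redact_headers(headers, report):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
            report.append(f"header {h['name']}")


def _redact_params(params, report, kind):
    for p in params:
        if p.get("name", "").lower() in SENSITIVE_PARAMS:
            p["value"] = REDACTED
            report.append(f"{kind} param {p['name']}")


def _redact_text(text, report, where):
    new, n = JWT_RE.subn(REDACTED, text)
    if n:
        report.append(f"{n} JWT-like value(s) in {where}")
    return new


def _redact_url(url):
    # Tokens also travel in the query string of the request URL itself.
    base, sep, query = url.partition("?")
    if not sep:
        return url
    pairs = []
    for kv in query.split("&"):
        k, _, _v = kv.partition("=")
        pairs.append(f"{k}={REDACTED}" if k.lower() in SENSITIVE_PARAMS else kv)
    return base + "?" + "&".join(pairs)


def sanitize_har(har):
    """Return (sanitized_copy, report). The caller's object is never modified."""
    har = json.loads(json.dumps(har))
    report = []
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _redact_headers(req.get("headers", []), report)
        _redact_headers(resp.get("headers", []), report)
        for c in req.get("cookies", []) + resp.get("cookies", []):
            c["value"] = REDACTED
            report.append(f"cookie {c.get('name')}")
        _redact_params(req.get("queryString", []), report, "query")
        post = req.get("postData", {})
        _redact_params(post.get("params", []), report, "post")
        if "text" in post:
            post["text"] = _redact_text(post["text"], report, "request body")
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _redact_text(content["text"], report, "response body")
        if "url" in req:
            req["url"] = _redact_url(req["url"])
    return har, report


# Constructed sample HAR: one entry carrying a session cookie, a bearer token and a token in a body.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET",
            "url": "https://example.test/api/me?access_token=abc123&page=1",
            "headers": [{"name": "Cookie", "value": "sid=s3cr3t"},
                        {"name": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1In0.sig"}],
            "cookies": [{"name": "sid", "value": "s3cr3t"}],
            "queryString": [{"name": "access_token", "value": "abc123"}, {"name": "page", "value": "1"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=new; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "new"}],
            "content": {"mimeType": "application/json",
                        "text": '{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1In0.sig2"}'},
        },
    }]}
}

if __name__ == "__main__":
    clean, rep = sanitize_har(SAMPLE_HAR)
    print("\n".join(rep))
    print(json.dumps(clean, indent=1))
```

Run it over a real HAR with `sanitize_har(json.load(open("capture.har")))`; the report is the part worth reading before upload, since it shows which entries carried material that would have let a third party replay your session.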

  2. 23andMe

23andMe, a genetic testing company, has reported unauthorized access to customer data. The incident did not result from a system breach, but from attackers who managed to guess user login details and subsequently scrape information from the “DNA Relatives” feature. This feature allows users to voluntarily share their genetic information to connect with relatives. A sample of the compromised data, affecting at least one million data points related to Ashkenazi Jewish ancestry and hundreds of thousands concerning individuals of Chinese descent, was put up for sale online. The available data includes personal identifiers and ancestry details, though not the raw genetic data.

The company has advised users to secure their accounts with strong, unique passwords and to enable two-factor authentication. They are still in the process of validating the leaked data, which includes profiles of public figures like Mark Zuckerberg, Elon Musk, and Sergey Brin. However, the legitimacy of this particular data remains unconfirmed, as there are inconsistencies, such as Musk and Brin having identical profile information in the leaked dataset.

The situation underscores the dangers of data breaches, especially with sensitive genetic information, and highlights the continuing issue of “credential stuffing”—where hackers use leaked login details from one breach to access accounts on other platforms. The motive behind targeting data related to Ashkenazi Jews and the extent of additional compromised data are yet to be fully understood. This breach raises significant concerns about the privacy and security risks associated with DNA databases and similar platforms that facilitate the sharing of personal data.
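Credential stuffing leaves a recognisable trace in authentication logs: one source trying many different usernames with a high failure rate in a short window, which is quite unlike a single user mistyping a password or even a brute-force attempt against one account. The following detector is an added example, not 23andMe's code; it runs over constructed log lines of the form `<timestamp> <ip> <username> <SUCCESS|FAIL>` and the thresholds are assumptions to be tuned to real traffic. It also lists the accounts that were logged into from a flagged source, since those are the ones to force a password reset and re-authentication on.

```python
"""Flag source IPs whose login pattern looks like credential stuffing (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5   # assumed threshold: distinct usernames from one IP in the window
MIN_FAIL_RATIO = 0.8     # assumed threshold: share of attempts that failed


def parse_line(line):
    """'<iso-timestamp> <ip> <username> <SUCCESS|FAIL>' -> (datetime, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"


def detect_stuffing(lines, window=WINDOW, min_users=MIN_DISTINCT_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: stats} for every IP that, in some window, tried at least
    `min_users` distinct usernames with a failure ratio of at least `min_fail_ratio`."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        j = 0
        for i in range(len(evs)):
            # Two-pointer sliding window over this IP's events, already time-ordered.
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            span = evs[i:j]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                flagged[ip] = {
                    "users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    # Accounts that a stuffing source actually got into: reset these.
                    "successes": sorted(e[2] for e in span if e[3]),
                }
                break
    return flagged


# Constructed sample log: one stuffing source, one legitimate user who fumbled
# a password twice, and one single-account brute force (not stuffing).
SAMPLE_LOG = """
2023-10-01T12:00:01 203.0.113.7 alice FAIL
2023-10-01T12:00:02 203.0.113.7 bob FAIL
2023-10-01T12:00:03 203.0.113.7 carol SUCCESS
2023-10-01T12:00:04 203.0.113.7 dave FAIL
2023-10-01T12:00:05 203.0.113.7 erin FAIL
2023-10-01T12:00:06 203.0.113.7 frank FAIL
2023-10-01T12:01:00 198.51.100.2 grace FAIL
2023-10-01T12:01:20 198.51.100.2 grace FAIL
2023-10-01T12:01:40 198.51.100.2 grace SUCCESS
2023-10-01T12:02:00 192.0.2.9 heidi FAIL
2023-10-01T12:02:01 192.0.2.9 heidi FAIL
2023-10-01T12:02:02 192.0.2.9 heidi FAIL
2023-10-01T12:02:03 192.0.2.9 heidi FAIL
2023-10-01T12:02:04 192.0.2.9 heidi FAIL
""".strip().splitlines()

if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The distinct-username condition is what separates stuffing from the brute force against `heidi`; a rate limit per IP or per account would catch the latter, but stuffing spreads its attempts across accounts precisely so that per-account limits never trip, which is why the detection has to key on the source and the spread of usernames together.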

  3. Marina Bay Sands

Marina Bay Sands has reported a data breach affecting approximately 665,000 members of its non-casino rewards program. The breach, which occurred on October 19-20, 2023, involved unauthorized access to customer data, including names, email addresses, phone numbers, countries of residence, and membership details. There is no indication that the casino rewards program was compromised or that the data has been misused. The company has apologized, initiated an investigation with cybersecurity experts, and is contacting affected customers. Authorities have been notified, and measures are being taken to enhance data security.

  4. Casio

Casio Computer Co., Ltd. has recently extended an apology to its users following a security breach that compromised personal data on its educational web application, ClassPad.net on October 11. The breach came to light when a database malfunction was noticed within the development environment for ClassPad.net. Further investigation revealed that this issue was not isolated but part of a larger intrusion that occurred the following evening, leading to the compromise of data belonging to users from various countries.

It was determined that the breach occurred due to deactivated network security protocols within the development system, compounded by a lack of rigorous operational oversight. To address the breach, Casio has temporarily disabled the affected development databases to block any further unauthorized access and has been proactive in contacting the appropriate Japanese data protection authorities. The company is currently consulting with cybersecurity and legal experts to conduct an in-depth investigation and take appropriate measures, as well as cooperating with the police in their investigation.

The types of personal information accessed included customer names, email addresses, countries of residence, purchasing history, and usage details for the service. Casio has confirmed that credit card information was not retained in the database and therefore not at risk. The incident impacted data related to 91,921 Japanese customers, including individuals and educational institutions, along with 35,049 international customers spanning 148 countries.

Casio reiterates its deep regret for the breach and the resulting impact on its customers, pledging a steadfast effort to bolster its security systems to prevent such occurrences in the future.

  5. D-Link

D-Link Corporation faced an alleged data breach after an unauthorized third party claimed on an online forum that they had stolen data. D-Link responded quickly, initiating an investigation and implementing precautionary measures. Their findings, supported by external experts from Trend Micro, indicated that the claim was largely exaggerated and misleading. The data in question was traced back to an obsolete D-View 6 system, decommissioned since 2015, and used for product registration. It did not include user IDs or financial details but contained some low-sensitivity information like contact names and office email addresses.

The breach is thought to have originated from a phishing attack that an employee inadvertently fell victim to, which led to the exposure of the outdated data. D-Link has reviewed its security measures and shut down the servers suspected to be involved, as well as disconnecting the test lab from its network. The company states that its security systems met the standards of the time and that it is committed to enhancing its security to prevent future incidents.

In summary, D-Link’s prompt response to the alleged data breach led to findings that contradicted the severity of the online claim. Measures have been taken to safeguard against similar occurrences, and customers have been advised on how to protect their information.

  6. Online stores’ 404 pages stolen

The Akamai Security Intelligence Group has uncovered a novel Magecart web skimming campaign that’s infiltrating a broad range of websites, including those belonging to major players in the food and retail sectors. This particular campaign is notable for its innovative use of three advanced techniques to hide its malicious code, one of which involves exploiting the default 404 error pages of websites—a method previously unseen.

The campaign’s method of operation begins with the injection of a small piece of obfuscated JavaScript, known as a loader, into the website. This loader is responsible for setting up the full malicious attack by initiating a WebSocket channel for communication with the attackers’ command and control server. The attackers then deploy the main skimming code that targets sensitive pages, such as checkout pages, to steal personal and credit card information from unsuspecting users.

Three variations of the campaign have been identified, each showcasing the evolution of the attackers’ methods to evade detection. The first variation uses an image tag with a malformed source attribute to execute JavaScript, while the second mimics legitimate services like Facebook’s Meta Pixel to blend in. The third and most sophisticated variation involves inserting the skimmer within the HTML of the website’s 404 error page, making it extremely difficult to detect and remove. This third variation also employs a different tactic for data exfiltration, using a fake form that overlays the legitimate payment form. This technique captures the user’s data twice—once through the fake form and then again when the user is prompted to re-enter the information on the real form.

The Akamai team tested their Client-Side Protection & Compliance solution against this skimmer and found that it successfully detected and alerted them to the high-severity threat. This case is a critical reminder that organizations need advanced security measures and constant vigilance to keep pace with the increasingly sophisticated techniques used in web skimming attacks. It is also a call to action for companies to monitor their websites actively and to consider client-side protection solutions that can detect and mitigate such attacks in real time.
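The three variations described above all leave something on the served page that a baseline comparison can catch: a new or altered inline script, a script source outside the site's allowlist, an image tag with a malformed source or event handler, or inline code that opens a WebSocket. The following integrity check is an added example, not Akamai's product or code; it parses a page with the standard-library HTML parser and compares it with a baseline made of the SHA-256 of each expected inline script and the allowed external script sources. The baseline, the clean page and the tampered page are constructed, the function name `loadSkimmer` in the tampered sample is a hypothetical placeholder, and the address uses a documentation IP range.

```python
"""Check a site's 404 page against a known-good baseline (added example)."""
import hashlib
from html.parser import HTMLParser


class _PageCollector(HTMLParser):
    """Collect inline scripts, external script sources and <img> attributes."""

    def __init__(self):
        super().__init__()
        self.inline, self.external, self.imgs = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "img":
            self.imgs.append(a)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def _sha(s):
    return hashlib.sha256(s.encode()).hexdigest()


def check_404_page(html, baseline):
    """Return a list of finding strings; an empty list means the page matches the baseline."""
    p = _PageCollector()
    p.feed(html)
    findings = []
    for code in p.inline:
        h = _sha(code)
        if h not in baseline["inline_hashes"]:
            findings.append(f"unknown inline script sha256:{h[:12]}")
        if "WebSocket(" in code:
            findings.append("inline script opens a WebSocket")
    for src in p.external:
        if src not in baseline["allowed_srcs"]:
            findings.append(f"external script outside allowlist: {src}")
    for a in p.imgs:
        src = a.get("src", "")
        handlers = sorted(k for k in a if k.startswith("on"))
        if handlers or not src.startswith(("http://", "https://", "/")):
            findings.append(f"suspicious img: src={src!r} handlers={handlers}")
    return findings


# Constructed baseline: one expected inline script and one allowed external script.
GOOD_INLINE = "document.title = 'Not found';"
BASELINE = {"inline_hashes": {_sha(GOOD_INLINE)}, "allowed_srcs": {"/static/app.js"}}

CLEAN_PAGE = (
    f"<html><body><h1>404</h1><script>{GOOD_INLINE}</script>"
    "<script src='/static/app.js'></script><img src='/logo.png'></body></html>"
)
# Constructed tampered page: an added WebSocket-opening script and an image tag
# with a non-URL src plus an event handler (loadSkimmer is a placeholder name).
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>var ws = new WebSocket('wss://203.0.113.5/');</script>"
    "<img src='x' onerror='loadSkimmer()'></body>",
)

if __name__ == "__main__":
    print("clean:", check_404_page(CLEAN_PAGE, BASELINE))
    print("tampered:", check_404_page(TAMPERED_PAGE, BASELINE))
```

In production the HTML would be fetched by a scheduled job from outside the CDN, for the 404 page and for every checkout-related URL, and any non-empty finding list would page the web team; the point of hashing each inline script separately rather than the whole page is that a legitimate change to copy or markup does not hide a changed script.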

  7. Air Europa

Air Europa, a Spanish airline headquartered in Madrid, is currently in the process of being acquired by International Consolidated Airlines Group, which owns British Airways. The airline has experienced a cyberattack targeting its online payment system, which resulted in some customers’ credit card details being compromised, as reported by the company. The airline has responded by contacting those customers whose information was potentially exposed and has informed the appropriate financial entities about the breach. The exact number of customers impacted and the financial repercussions of the incident have not been disclosed by Air Europa, and they stated that no other personal information was at risk. 

In a previous incident in 2018, which affected 489,000 customers, Air Europa faced penalties for not reporting the breach within the mandated 72-hour period, taking 41 days instead. This past breach was highlighted by the OCU, emphasizing the airline’s obligation to timely report such incidents.


  8. TransForm

A cyberattack on TransForm, a shared service provider, has disrupted operations across five hospitals in the Erie St. Clair region of Ontario, Canada. This attack led to system outages, affecting patient care and resulting in the rescheduling of appointments. TransForm, established by these hospitals to handle IT, supply chain, and accounts payable, acknowledged the cyberattack in a statement and indicated an ongoing investigation to ascertain the attack’s cause and reach. It is currently unclear whether patient information has been compromised.

The affected hospitals include:

  • Windsor Regional Hospital: A major healthcare facility with 642 beds.

  • Hotel Dieu Grace: Specializes in complex care, mental health, and rehabilitation with 313 beds.

  • Erie Shores Healthcare: A significant provider with 72 beds.

  • Hospice of Windsor-Essex: Offers end-of-life care with 23 beds.

  • Chatham-Kent Health Alliance: A community hospital with a 200-bed capacity.

Patients with upcoming appointments at these hospitals are being contacted for rescheduling. Meanwhile, the hospitals have advised individuals not requiring emergency care to seek alternatives such as primary care providers or local clinics to lessen the burden on hospital resources during this period.

As the specifics of the cyberattack are still under review, past patients of these institutions are encouraged to be vigilant, particularly regarding unsolicited communications that may be suspicious.

It’s clear that no entity, regardless of size or industry, is immune to the threat of digital incursions. The essential lesson here is not found in the recounting of breaches but in understanding the dynamic and persistent nature of cyber risks. To navigate this complex landscape, companies must adopt a posture of continuous monitoring and regular security assessments to stay ahead of threats. Utilizing automated tools for real-time analysis and proactive threat intelligence is no longer optional but a critical component of modern cybersecurity strategies. These practices, combined with a culture of security awareness and training, can form a robust defense against a tide of evolving digital dangers. As businesses forge ahead, the integration of advanced cybersecurity measures will be the beacon that guides them through the murky waters of potential cyberattacks, ensuring resilience and trust in the digital era.


