Category Archives: security compliance

Latest Insights on Security Compliance Trends

The Evolution of Compliance Automation


The Revolutionary Impact of Compliance Automation

Cybersecurity and ESG criteria are evolving every day, and the significance of compliance is undeniable. Compliance automation has emerged as a beacon of innovation, reshaping how companies navigate the complex landscape of regulatory requirements and societal expectations. Here at Findings, we’re leading the charge in harnessing AI automation to reshape how companies demonstrate their commitment to security and sustainability. This transformation is not just about staying within legal boundaries; it’s about using technology to demonstrate that commitment in a transparent, efficient manner.

The Evolution from Manual to Automated Compliance

Our journey began against the backdrop of an era dominated by manual compliance processes.

Think: endless excel spreadsheets.

The initial focus was on digitizing paperwork and making audits more manageable. However, as regulations grew, and continue to grow, increasingly complex, the limitations of manual processes became glaringly apparent. This challenge paved the way for the era of compliance automation, an era we’re pioneering. By integrating generative AI and machine learning, we’ve transformed difficult, error-prone tasks into streamlined, precise operations.

We’re at the forefront of this transformative wave, offering a comprehensive suite of services, including audit automation and assessment automation, as well as offering our clients continuous risk ratings, and continuous monitoring. Our approach to compliance automation doesn’t just simplify adherence to regulations; it completely redefines the landscape. Our platform enables real-time assessment of compliance postures and transparent demonstration of adherence to both industry standards and ESG principles. For CISOs, compliance officers and cybersecurity professionals, we provide not just the tools to meet compliance expectations but the means to surpass them with unparalleled efficiency and dependability.

The rise of automation marks a pivotal shift for professionals. Freed from the burdens of manual oversight and exhaustive paperwork, you can now pivot towards strategic imperatives. This enhancement in decision-making capabilities fosters a culture of proactive risk management and corporate accountability, aligning closely with our mission to empower businesses.


Transforming Compliance and Corporate Resilience

As we look into the future, it’s evident that compliance automation is a fundamental evolution in how businesses meet regulatory obligations. Our journey exemplifies the potential of automation to not only streamline compliance processes but also to bolster a company’s standing and trustworthiness among stakeholders. For businesses ready to embrace this change, it signifies a gateway to growth, resilience, and a competitive edge.

The evolution of compliance automation is a testament to technology’s capacity to effectuate positive change. By automating routine tasks, we enable companies to concentrate on what truly matters—building a safer, more sustainable future for all.

2024 Trends Unveiled: Cybersecurity as a Key Business Enabler

As 2024 unfolds, we are witnessing a revolutionary transformation in the cybersecurity landscape. No longer a mere aspect of IT, cybersecurity is now a pivotal driver in reshaping business operations on a global scale. This blog post delves into the forefront of cybersecurity compliance, highlighting pivotal regulations such as the ASEAN Guidelines on Consumer Impact Assessment (CIA), CMMC, PCI DSS 4.0, DORA, and the SEC’s incident disclosure rules. These emerging trends are rapidly becoming the gold standard in global business cybersecurity practices.


CMMC: Evolving from Defense to a Universal Cybersecurity Benchmark

  • The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense to verify that its contractors protect Federal Contract Information and Controlled Unclassified Information, with practices drawn largely from NIST SP 800-171. Certification itself is required only of companies in the defense supply chain, but CMMC’s tiered, independently assessed approach to cybersecurity maturity is increasingly used as a reference by organizations in other industries. Its framework, focused on continuous improvement, is especially relevant for entities managing sensitive or critical data, signifying a move towards standardized cybersecurity excellence.

PCI DSS 4.0: Revolutionizing Payment Security Standards

  • PCI DSS 4.0 is revolutionizing payment security standards globally in 2024: it replaced version 3.2.1 as the only active version on March 31, 2024, and a further set of future-dated requirements becomes mandatory on March 31, 2025. Alongside the traditional defined approach, the update introduces a customized approach that lets an organization meet a requirement’s objective with controls of its own design, justified by a targeted risk analysis. This flexibility and focus on tailored security measures are vital for e-commerce, financial institutions, and others in the payment ecosystem, making PCI DSS 4.0 compliance synonymous with secure and trustworthy payment processing.

DORA: Spearheading Digital Resilience in the Financial Sector

  • The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a groundbreaking EU regulation shaping the financial sector’s approach to digital risks; it entered into force in January 2023 and applies from January 17, 2025. It sets requirements for ICT risk management, ICT incident reporting, digital resilience testing, management of ICT third-party risk (including oversight of critical ICT providers), and information sharing. Its influence extends globally, because technology providers serving EU financial entities fall within that third-party regime. DORA emphasizes operational resilience, highlighting the need for robust digital risk management in today’s interconnected digital finance landscape.

SEC Incident Disclosure: Championing Transparency in Corporate Cybersecurity

  • The SEC’s cybersecurity disclosure rules, adopted in July 2023, are leading a movement towards transparency in corporate cybersecurity. They require registrants, foreign private issuers included, to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to describe their cybersecurity risk management, strategy, and governance in annual reports. This shift towards transparency and accountability reflects an increasing demand from investors and consumers for trustworthiness and integrity in corporate practices.

ASEAN CIA: Redefining Cybersecurity with a Consumer-Centric Approach

  • The ASEAN Guidelines on Consumer Impact Assessment, originating from Southeast Asia, are now setting a global precedent. These guidelines shift the focus towards assessing cybersecurity’s impact on consumers, prioritizing their rights and data privacy. This consumer-centric approach, especially critical for businesses in or targeting the ASEAN market, is now a global best practice. It underscores the imperative of balancing robust security with consumer rights, a notion gaining traction across various industries.

Other Regulatory Developments Shaping the Cybersecurity Domain

Additional global regulations also predict significant cybersecurity trends:

  • GDPR: Continues to influence data privacy and protection globally, since it applies to any organization, wherever it is based, that processes the personal data of individuals in the EU.

  • ISO/IEC 27001: Gaining traction as a comprehensive framework for managing information security; the 2022 revision of the standard reorganized the Annex A control set, and certification remains key for organizations striving for global best practices.

  • NIST Cybersecurity Framework: Increasingly adopted worldwide, and updated to CSF 2.0 in February 2024 with a new Govern function, indicating a move towards unified approaches in cybersecurity risk management.

Cybersecurity Compliance: A Strategic Business Advantage

In 2024, adherence to these emerging cybersecurity regulations offers businesses a strategic advantage. It transcends legal compliance, fostering trust, enhancing brand reputation, and providing a competitive edge. The integration of AI in cybersecurity is another emerging practice, offering efficient and effective solutions for meeting these standards.

  • Increased Focus on Supply Chain Attacks: Modern supply chains are interconnected and complex, making them susceptible to cyberattacks. A breach in one part can have a cascading effect, impacting multiple businesses. This emphasizes the need for rigorous cybersecurity measures across the entire supply chain.

  • Collaborative Risk Management: The trend towards collaborative defense strategies is based on the principle that sharing threat intelligence and best practices can strengthen the security posture of all involved parties. By learning from each other’s experiences, industries can develop more effective defenses against common threats.

State-Sponsored Cyber Attacks: An Escalating Concern

  • Global Ramifications: State-sponsored cyberattacks are particularly concerning due to their scale and impact. These attacks target critical infrastructure, such as energy grids or financial systems, and can compromise national security. The global nature of these threats requires an international response and cooperation.

  • Advanced Countermeasures: To combat these sophisticated threats, organizations need to implement advanced threat detection systems that can identify and neutralize attacks quickly. A zero-trust security model, where trust is never assumed and verification is required from everyone, can be crucial in mitigating these risks. Continuous monitoring ensures that any suspicious activity is detected and addressed promptly.

AI in Cybersecurity: A Complex Role

  • Enhanced Detection and Response: AI can significantly improve threat detection by analyzing vast amounts of data to identify patterns that may indicate a cyberattack. However, this technology can also be used by attackers to create more sophisticated threats, such as deepfakes or AI-driven phishing attacks.

  • Proactive Mitigation Strategies: Organizations must not only invest in AI-based defense systems but also ensure that their workforce is trained to recognize and respond to AI-generated threats. This includes understanding the limitations of AI and being able to identify when a human response is required.

Ransomware Evolution: The Changing Landscape of Cyber Extortion

  • Sophisticated Tactics: Modern ransomware attacks are more than just data encryption; in what is commonly called double extortion, attackers first exfiltrate sensitive data and then threaten to leak it if the ransom isn’t paid, adding an extra layer of coercion. This dual-threat approach makes it even more challenging for victims to decide whether to pay the ransom or risk public exposure of their data, and it means that restoring from backup alone no longer ends the incident.

  • Comprehensive Defense Strategies: To protect against these evolving ransomware threats, organizations must have robust backup systems, with at least one copy kept offline or immutable so it cannot be encrypted or deleted along with production systems, and restores must be tested regularly so that data can actually be recovered with minimal loss. Employee training is crucial to help staff recognize and avoid potential ransomware attacks. Additionally, a well-prepared incident response plan can ensure quick action to mitigate damage if an attack occurs.

The Metaverse and Cloud Security: New Frontiers, New Risks

  • Expanded Attack Vectors: As businesses venture into new digital domains like the metaverse and cloud platforms, they face new cybersecurity challenges. These platforms can provide attackers with novel ways to exploit security vulnerabilities.

  • Proactive Security Measures: Ensuring security in these new environments involves a comprehensive approach that includes strong encryption to protect data, robust identity management to verify users, and regular security audits to identify and address vulnerabilities.

The Human Element: Bolstering the Frontlines of Cyber Defense

  • Empowering Through Training and Awareness: Regular and comprehensive training programs are essential in equipping employees with the necessary skills to recognize and prevent security breaches. This training should cover the latest cybersecurity threats and best practices.

  • Cultivating a Security-First Mindset: Creating a culture of security within the organization is crucial. This involves fostering an environment where employees are aware of the importance of cybersecurity and are motivated to take proactive steps to protect the organization’s digital assets.

As 2024 progresses, it’s clear that these cybersecurity trends and regulations are not just shaping, but redefining business strategies. From the consumer-centric ASEAN CIA guidelines to CMMC’s comprehensive security model, and the transparency demanded by SEC disclosure regulations, these developments are crucial in enabling businesses to thrive in the digital era. By staying ahead of these trends, companies can harness cybersecurity not only as a compliance requirement but as a cornerstone for growth and success. Understanding evolving regulations, embracing innovative technologies, and reinforcing human-centric defenses remain key to ensuring business resilience and triumph in an increasingly digitized world.

Integrating ESG Goals with Cybersecurity Strategy: A Roadmap for Sustainable Business Practices


In an increasingly interconnected world, the importance of integrating Environmental, Social, and Governance (ESG) goals with cybersecurity strategies is paramount. As businesses strive for sustainability, understanding the intersection between ESG and cybersecurity becomes essential. This article explores how companies can align their cybersecurity strategies with ESG objectives, enhancing both their security posture and corporate responsibility.

Understanding the Intersection of ESG and Cybersecurity

The ESG-Cybersecurity Nexus

Cybersecurity is no longer just a technical issue; it’s a crucial component of a company’s social responsibility. Protecting customer data and ensuring privacy is integral to ethical business practices, aligning directly with the ‘Social’ aspect of ESG. Environmental and governance factors also intertwine with cybersecurity in less obvious, yet equally significant ways.

Case Study: SolarWinds Attack

The SolarWinds attack, in which attackers compromised the build process of the SolarWinds Orion platform and delivered a backdoor to thousands of customers through legitimately signed software updates, highlighted how a single supplier’s breach can have far-reaching implications, affecting not just the targeted organization but also its stakeholders and the wider ecosystem. The breach also had governance implications, highlighting the need for better oversight and risk management strategies; the SEC later charged SolarWinds and its CISO over the company’s cybersecurity disclosures.

Steps to Align Cybersecurity with ESG Goals

Assessing Cybersecurity in the ESG Context

Start by evaluating how your cybersecurity practices impact your ESG goals. This involves assessing data protection policies, the environmental impact of your security infrastructure, and governance structures in place for cybersecurity risk management.

Building a Responsible Data Management Framework

Data is at the heart of both cybersecurity and ESG. Implementing a framework that emphasizes data privacy and ethical handling aligns with the ‘Social’ commitment of ESG, reinforcing trust and transparency with stakeholders.

Minimizing Environmental Impact

Consider the environmental impact of your cybersecurity solutions. Opting for energy-efficient data centers and supporting sustainable technology practices can align your cybersecurity strategy with environmental goals.

Enhancing Governance through Cybersecurity

Robust cybersecurity policies contribute to good corporate governance. Regular audits, transparent policies, and board-level oversight of cybersecurity risks are key to achieving this alignment.

Case Studies of Successful Integration

A Leading Financial Institution

A prominent financial institution integrated its cybersecurity strategy with its ESG goals by implementing green data centers and promoting transparency in its data handling practices. The move not only strengthened its cybersecurity posture but also its reputation as a responsible corporate citizen.

A Global Retailer

A multinational retailer aligned its cybersecurity initiatives with social responsibility by ensuring stringent data protection measures, conducting regular privacy impact assessments, and engaging in community education about digital safety.

Challenges and Solutions

Balancing Security with Privacy

Balancing the need for robust cybersecurity with privacy concerns can be challenging. Implementing privacy-by-design principles in cybersecurity measures can help mitigate this.

Keeping Pace with Evolving Threats

The cybersecurity landscape is constantly evolving. Staying abreast of the latest threats and integrating adaptive security measures is crucial for maintaining alignment with ESG goals.

Measuring Impact

Quantifying the impact of cybersecurity on ESG goals can be challenging. Developing clear metrics and regular reporting can aid in this process.


Integrating cybersecurity strategies with ESG goals is no longer optional; it’s a necessity for sustainable business practices. By adopting a holistic approach that considers the ethical, environmental, and governance implications of cybersecurity, businesses can protect not just their data but also their reputation and the world around them. As we move towards a more interconnected and digitized future, the convergence of ESG and cybersecurity will be a key driver of responsible and resilient business operations.

Navigating the GDPR Compliance Labyrinth: A Practical Guide


In the digital realm, data is the cornerstone upon which businesses are built. However, with great data comes great responsibility, particularly in the eyes of the law. The General Data Protection Regulation (GDPR) governs the processing of personal data within the European Union (EU) and the European Economic Area (EEA), and it also reaches organizations outside them that offer goods or services to, or monitor the behaviour of, individuals in the EU. Its ripple effects are felt far and wide, transcending geographical borders. This guide aims to demystify the GDPR compliance journey, offering a structured checklist to ensure a seamless adaptation to these regulatory requisites.

Understanding Your Data Landscape

Before diving into the GDPR compliance checklist, it’s pivotal to have a clear understanding of the data you hold. This includes knowing the type of data, its origin, and its purpose.

  • Data Inventory: Conduct a thorough data inventory to identify the type of data you process and store.
  • Data Flow Mapping: Trace the journey of data within your organization to understand how it’s processed and shared.

Aligning with GDPR Principles

The GDPR is hinged on seven fundamental principles, set out in Article 5, which form the bedrock of data protection.

  • Lawfulness, Fairness and Transparency: Ensure your data processing activities rest on a valid legal basis and are fair and transparent to the individual.
  • Purpose Limitation: Process data strictly for the specified, explicit purposes for which it was collected.
  • Data Minimisation: Collect and keep only the data that is adequate, relevant and necessary for those purposes.
  • Accuracy: Keep personal data accurate and up to date, and correct or erase inaccurate data without delay.
  • Storage Limitation: Retain data in identifiable form no longer than the purpose requires.
  • Integrity and Confidentiality: Protect data against unauthorised processing, loss, destruction or damage with appropriate security.
  • Accountability: Be able to demonstrate compliance with all of the above.

Technical and Organizational Measures

A robust data protection framework is the linchpin in ensuring GDPR compliance.

  • Data Protection by Design and Default: Implement data protection from the onset of any process or system development, and default to the least data-intensive settings (Article 25).
  • Data Security: Employ security measures appropriate to the risk to safeguard data against unauthorized access and data breaches; Article 32 names pseudonymisation, encryption, resilience of systems, and regular testing of controls as examples.

Individual Rights and Requests

Under GDPR, individuals have been accorded a set of rights concerning their data (Articles 15 to 22), and requests must generally be answered within one month.

  • Right to Access: Ensure individuals can obtain a copy of their data and understand how it’s being processed.
  • Right to Rectification: Provide a mechanism for individuals to rectify inaccurate data.
  • Right to Erasure, Restriction and Portability: Be able to delete data, pause its processing, or hand it over in a machine-readable format when the conditions for each right are met.
  • Right to Object and Rights around Automated Decision-Making: Honour objections to processing such as direct marketing, and provide human review of decisions based solely on automated processing that significantly affect the individual.

Accountability and Governance

Establishing a governance framework is paramount to demonstrate compliance with GDPR.

  • Data Protection Officer (DPO): Appoint a DPO to oversee data protection activities. This is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37), and it is good practice for many others.
  • Training and Awareness: Cultivate a data protection culture through training and awareness programs.

Data Breach Notification and Responses

Preparedness is key in mitigating the impact of a data breach.

  • Breach Notification: Have a solid breach notification process in place. A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals (Article 33), and affected individuals must be told without undue delay when the breach is likely to result in a high risk to them (Article 34).
  • Incident Response Plan: Develop a comprehensive incident response plan, including how each breach will be documented, since the regulation requires a record of all personal data breaches, not only those that are reported.

Regular Audits and Reviews

Continuous evaluation is crucial to ensure that your data protection measures are up to snuff.

  • Compliance Audits: Conduct regular GDPR compliance audits to ascertain adherence to data protection principles.
  • Continuous Improvement: Foster a culture of continuous improvement to enhance your data protection framework.

Embarking on the GDPR compliance journey may seem like traversing a legal labyrinth. However, with a structured approach encapsulated in this checklist, navigating through the GDPR compliance maze becomes less daunting, ensuring your organization remains on the right side of the law.

The SEC’s New Cyber Rules


What Every Public Company CISO Must Know:

The role of a Chief Information Security Officer (CISO) in public companies has never been more pivotal. With cyber threats escalating in scale and sophistication, the Securities and Exchange Commission (SEC) has rolled out new cyber regulations aimed at safeguarding investors, stakeholders, and the broader market. Given that the amendments took effect on September 5, 2023, it’s crucial for your organization to be informed. While the final rules are quite lengthy, I’ll offer a condensed and digestible version in this blog post to help you understand the key points – so make sure to read on!

The Backdrop:

Back in March 2022, the Commission took the bold step of proposing a suite of rules. The intent was clear: fortify public company disclosures concerning cybersecurity. This encompassed key areas such as cyber risks, strategic countermeasures, governance structures, and insights into material cyber incidents.

At the time, there were several major trends that led the Commission to take this action. The digital evolution and massive work-from-home shifts, intertwined with the allure of cybercrime monetization and an overarching reliance on third-party tech services like cloud platforms, have stretched cyber risk boundaries. The financial fallout from cyber incidents has also skyrocketed. Given all of this, the Commission’s move to ensure transparency isn’t just timely; it’s imperative.

Though the Commission offered interpretive guidance in 2011 and 2018, disclosure practices remained inconsistent. The 2022 proposal was introduced to bring consistency and offer investors clearer insights.

Key Mandates To Be Aware Of:

Skip ahead to 2023, and the SEC’s proposed rules have officially transformed into finalized rules. Here are the essential highlights you should be aware of…

  1. Form 8-K Item 1.05: A pivotal element in the new regulations. Public companies now have the duty to report significant cyber incidents. Reports must, “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.” 

  2. Disclosure Timeline: Post a cyber event, companies need to determine its materiality without unreasonable delay. If the incident is found to be material, a Form 8-K needs to be filed within four business days of that determination. However, exceptions do exist: should the U.S. Attorney General determine that immediate disclosure would pose a substantial risk to national security or public safety, the filing can be delayed.

  3. Regulation S-K Item 106: This regulation delves deep. It mandates firms to shed light on their cyber threat assessment, detection, and management strategies. Past incidents that have or might have considerable ramifications also need to be outlined. Plus, it casts the spotlight on how involved the board is in overseeing cyber risks and the prowess of the management in mitigating them.

  4. International Disclosures: The SEC is highlighting that global transparency is crucial. Modifications to Form 6-K and Form 20-F ensure that foreign private entities aren’t left out. Significant cyber events disclosed overseas or required by foreign issuers need to be detailed.

What Lies Ahead:

The new regulations will be operational a month after their Federal Register appearance. For companies, the compliance timelines are split based on the form:

  • Regulation S-K Item 106 & Form 20-F: Disclosure starts with annual statements for fiscal years ending on or after December 15, 2023.

  • Form 8-K Item 1.05 & Form 6-K: Compliance starts 90 days post Federal Register publication or by December 18, 2023, except for smaller firms. They have until June 15, 2024.

  • Finally, when it comes to structured data mandates, the spotlight is on Inline XBRL. The final rules require the cybersecurity disclosures to be tagged in Inline eXtensible Business Reporting Language beginning one year after the initial compliance date for the corresponding disclosure. For those unfamiliar with the format, Inline XBRL embeds machine-readable tags inside the ordinary HTML filing, so a single document serves both human readers and software. Instead of making two different documents (one for people to read and one for computers to understand), you make one using Inline XBRL.

Every day we are reminded how crucial cyber resilience is. For CISOs in public companies, aligning with the SEC’s updated cyber regulations is not just about compliance—it’s a commitment to transparency, investor protection, and long-term business sustainability.

The Top 10 Things Every CISO Should Know


What Every CISO Should Know in 2023 to Protect Their Business


In our rapidly evolving digital age, the role of a Chief Information Security Officer (CISO) has never been more crucial. As a CISO, your role stretches far beyond traditional IT security measures. You are the protector of your organization’s most valuable assets, from intellectual property to customer data. The following insights delve deeper into what every CISO should know in 2023 to ensure they’re at the forefront of safeguarding their business.


1. Grasping the Business

Understanding your business inside out is paramount. The best CISOs fully comprehend the company’s goals, mission, and operational mechanics. Why is this so vital? Because only with this understanding can you adequately prioritize and champion security initiatives. Furthermore, by aligning security measures with business goals, you ensure that security is not viewed as a roadblock but rather an enabler of growth and success.


2. Emphasizing Effective Risk Management

Risk management isn’t just a box to tick; it’s a continual process. This involves constant vigilance—identifying emerging threats, assessing their potential impact, and implementing controls to counteract them. Today’s cyber threats are dynamic, with cybercriminals using sophisticated techniques that change by the minute. Hence, regular risk assessments and updates are non-negotiable. But, just as crucial is the art of communication. The ability to articulate these risks, along with their potential implications to the board and executives, can make the difference between proactive action and reactive damage control.


3. Moving Beyond Compliance

While regulatory compliance is essential, in 2023, it’s merely a starting point. With the ever-evolving threat landscape, relying solely on regulations and standards can render a business vulnerable. It’s like only installing a front door lock while leaving all the windows open. Instead, a proactive approach, involving continuous assessment and adaptation of security measures to the unique needs and threats faced by your organization, is pivotal.


4. Championing Security Awareness

The human factor can often be the weakest link in any security chain. As such, empowering every single employee with the knowledge and tools to act as the first line of defense is vital. This means ongoing training, regular reminders, and cultivating a culture where security is everyone’s business. Remember, from the receptionist to the CEO, everyone can either be an asset or a vulnerability.


5. Harnessing the Power of Effective Communication

Clear, concise, and compelling communication can be one of the most potent tools in a CISO’s arsenal. It’s essential to translate the often complex world of security into language that everyone—from the tech newbie to the seasoned board member—can grasp. Regularly updating stakeholders about security postures, potential risks, and ongoing initiatives not only fosters trust but also reinforces the importance of collective vigilance.


Expanding the CISO’s Toolkit in 2023:

But let’s push the envelope further. In addition to the critical pointers above, CISOs in 2023 should be aware of:


6. Embracing the Cloud and Zero Trust: 

As businesses transition to cloud infrastructures, understanding cloud security best practices becomes paramount. Moreover, adopting a Zero Trust approach, where no request is trusted because of the network it arrives from and every access is authenticated, authorized against policy for that specific resource, and carried over an encrypted channel, ensures layered defense in a distributed work environment.


7. Machine Learning and AI:

Cybercriminals are leveraging AI; so should you. Incorporating machine learning can help in anomaly detection, identifying potential threats faster than any human could, and enhancing predictive analytics. Findings not only automates assessments and the auditing process for all of your company’s vendors, but we also offer real time updates on your risk posture powered by RiskRecon and Anomali.


8. Regular Penetration Testing:

Gone are the days when an annual penetration test sufficed. Regularly challenging your systems can expose vulnerabilities before cybercriminals exploit them.


9. Incident Response Preparedness:

It’s not about if, but when a breach might occur. Having a well-rehearsed incident response plan ensures rapid containment, minimizing potential damage.


10. Collaborative Security:

Partnering with other businesses, industry groups, and governmental bodies can provide invaluable intelligence and resources. Cybersecurity is a collective endeavor.


In conclusion, being a CISO in 2023 means juggling many balls—compliance, risk management, employee training, effective communication, technological advancements, and more. The threat landscape might be challenging, but with the right approach, tools, and mindset, CISOs can ensure their organizations are robustly defended and primed for growth.



Automated Security Assessments: Expectations and Preparation

What to expect during an automated security assessment and how to prepare for it -

Automated security assessments are one of the most talked about features in the supply chain management industry. Organizations have turned to automated solutions to enhance their risk management and supply chain compliance after recognizing the need to eliminate the burdensome and time-consuming task of manually auditing and tracking numerous vendors. It makes sense, after all. Who wants to spend hours on end on manual work to audit and chase hundreds or thousands of vendors?

The answer is: no one. 

Findings’ comprehensive platform has gone above and beyond to automate risk management and supply chain compliance, saving organizations of all sizes extensive manual work and reducing friction. 

Now, let’s break down some things you should expect to see when using the platform that will ultimately help you prepare. 

  1. Assessment Logic 

When managing assessments in the Findings platform, you can create an assessment from scratch with branching logic or upload pre-existing assessments and tweak them to suit your needs. When you create an assessment from scratch, you can create a question with various answer choices. If the answer choice is a branching type such as a radio button, multi-select, or dropdown, you can create a follow-up question that appears only when a particular response is chosen.

When it comes to uploading assessments from pre-existing documents, you can edit the subjects and alter the logic to suit the vendor’s needs via our assessment wizard. Once the assessment has been uploaded, you can clone, edit and customize it with various app integrations for the associated vendors.

  2. Findings and Remediation:

Imagine the ability to pre-create remediation plans and suggestions. Rather than sending out an assessment to a vendor and then reviewing it and writing out compliance corrections and suggestions manually, the guidance is prepared before the vendor even begins the assessment. For any answer choice that is not in compliance, you can attach a suggested remediation plan to that answer and set the risk level that will affect the vendor’s overall score. When the vendor completes the assessment, a remediation plan is already waiting for them, so they can bridge the gaps without the time-consuming back and forth.

  1. Response Repository (NLP):

Our response repository is based on neuro-linguistic programming and is one of the biggest assets our users hold. When a vendor or customer completes an assessment, our system scans the answers and creates a respiratory for similar written questions the next time an assessment is completed. The next time a user completes an assessment, our automated suggested answers pop up and the user can insert the answers based on the relevant match. This saves numerous hours of manual work by having to complete assessments from scratch. Within seconds, your assessment can be completed and you can focus on other essential tasks. 
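To make the three features concrete, here is an added example (hypothetical code, not the Findings platform’s own) of a small assessment engine: questions with branching follow-ups, a pre-written remediation suggestion and risk weight per non-compliant answer that feed an overall score, and a response repository that proposes a stored answer for a similarly worded question. The sample questions, risk weights, the scoring rule and the string-similarity matcher are all constructed for the illustration.

```python
"""Branching assessment with pre-written remediation and a response repository.
Added illustration of the three features above; hypothetical code, not the Findings
platform's own. Sample questions, risk weights and the scoring rule are constructed."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class Choice:
    label: str
    risk: int = 0              # 0 = compliant answer; higher = riskier
    remediation: str = ""      # suggestion written before the vendor answers
    follow_ups: list = field(default_factory=list)  # question ids this choice reveals


@dataclass
class Question:
    qid: str
    text: str
    choices: dict              # label -> Choice (radio / dropdown style answers)


# Constructed sample assessment: non-compliant answers to q1 reveal follow-up q1a.
ASSESSMENT = {
    "q1": Question("q1", "Is multi-factor authentication enforced for remote access?", {
        "Yes": Choice("Yes"),
        "Partially": Choice("Partially", risk=2, follow_ups=["q1a"],
                            remediation="Extend MFA enforcement to all remote accounts."),
        "No": Choice("No", risk=5, follow_ups=["q1a"],
                     remediation="Deploy MFA for all remote access within 30 days."),
    }),
    "q1a": Question("q1a", "Which accounts are exempt from MFA?", {
        "Service accounts only": Choice("Service accounts only", risk=1,
            remediation="Restrict exempt service accounts to known source networks."),
        "Administrators": Choice("Administrators", risk=4,
            remediation="Remove the administrator exemption; admins must use MFA."),
    }),
    "q2": Question("q2", "Are vendor patches applied within 30 days of release?", {
        "Yes": Choice("Yes"),
        "No": Choice("No", risk=3, remediation="Adopt and track a 30-day patch SLA."),
    }),
}
ROOT_QUESTIONS = ["q1", "q2"]


def visible_questions(assessment, answers, roots=ROOT_QUESTIONS):
    """Question ids in display order; a follow-up appears only when the
    branching choice that reveals it was actually selected."""
    order, stack = [], list(reversed(roots))
    while stack:
        qid = stack.pop()
        order.append(qid)
        choice = assessment[qid].choices.get(answers.get(qid))
        if choice:
            stack.extend(reversed(choice.follow_ups))
    return order


def evaluate(assessment, answers, roots=ROOT_QUESTIONS):
    """Return (score, remediation plan) for the vendor's answers.
    Constructed scoring rule: start at 100, subtract 5 per risk point, floor at 0."""
    total_risk, plan = 0, []
    for qid in visible_questions(assessment, answers, roots):
        choice = assessment[qid].choices.get(answers.get(qid))
        if choice is None or choice.risk == 0:
            continue                       # unanswered or compliant
        total_risk += choice.risk
        plan.append((qid, choice.label, choice.remediation))
    return max(0, 100 - 5 * total_risk), plan


class ResponseRepository:
    """Keeps answers given before and proposes one for a similarly worded question.
    Plain string similarity stands in for the NLP matching described in the text."""

    def __init__(self):
        self._entries = []

    def record(self, question_text, answer):
        self._entries.append((question_text.lower(), answer))

    def suggest(self, question_text, threshold=0.6):
        best_answer, best_ratio = None, 0.0
        for stored_q, answer in self._entries:
            ratio = SequenceMatcher(None, question_text.lower(), stored_q).ratio()
            if ratio > best_ratio:
                best_answer, best_ratio = answer, ratio
        return best_answer if best_ratio >= threshold else None
```

Running `evaluate(ASSESSMENT, {"q1": "No", "q1a": "Administrators", "q2": "Yes"})` scores the vendor 55 and returns a two-item remediation plan; answering q1 with "Yes" hides q1a entirely, so a stray answer to it is ignored.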

Automated security assessments provided by Findings are perfect for organizations seeking efficient risk management and streamlined supply chain compliance. By automating the assessment process, organizations of all sizes can save valuable time and resources that would otherwise be spent on manual audits and vendor follow-ups. By utilizing the features we offer, organizations can complete assessments quickly and focus on other essential tasks, ultimately improving their overall security posture and supply chain management.

Don’t Let Hackers In: Your Company Needs to Enforce 2FA ASAP


There’s no denying it – 2FA is a game-changer. Two-factor authentication (2FA) is a security process that requires a user to provide two different factors to verify their identity. It adds an extra layer of security beyond passwords and is an important tool for companies to use to protect their sensitive information and prevent unauthorized access. In this blog post, we will explore the benefits of 2FA and look at some real-world examples of cyberattacks that could have been prevented or mitigated if 2FA had been used.


What is Two-Factor Authentication (2FA)?


2FA is a security process that requires a user to provide two different factors to verify their identity. These factors typically include something the user knows, such as a password or PIN, and something the user has, such as a security token or mobile device. By requiring two different factors, 2FA ensures that only authorized users can access systems and data, helping to prevent unauthorized access and protect against phishing attacks.


Benefits of Two-Factor Authentication (2FA):


The importance of 2FA cannot be overstated. In today’s digital landscape, cyberattacks are becoming increasingly sophisticated, and it’s becoming more difficult to protect against them. However, by implementing 2FA, companies can significantly reduce the risk of a breach occurring.


There are many benefits to using 2FA to protect sensitive information and prevent unauthorized access. Some of the key benefits include:


Increased Security:

  • 2FA adds an extra layer of security beyond passwords, making it more difficult for attackers to gain access to systems and data. By requiring two different authentication factors, 2FA ensures that only authorized users can access sensitive information, helping to prevent data breaches and other security incidents.

Protection Against Phishing Attacks: 

  • Phishing attacks are a common tactic used by cybercriminals to trick users into revealing their login credentials. 2FA can help protect against phishing attacks by requiring users to provide a second factor of authentication, making it more difficult for attackers to gain access to sensitive information.

Compliance Requirements: 

  • Many regulatory frameworks require the use of 2FA to protect sensitive information. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants who accept credit card payments to use multi-factor authentication for remote access to the cardholder data environment. In addition, some states have passed laws that require companies to implement 2FA in certain situations. For example, the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation requires covered entities to implement multi-factor authentication for access to sensitive data and systems. Internationally, the European Union’s General Data Protection Regulation (GDPR) does not explicitly require companies to implement 2FA, but it does require companies to implement appropriate technical and organizational measures to ensure the security of personal data. The GDPR also requires companies to notify data subjects in the event of a data breach, and 2FA can be an effective means of preventing unauthorized access to personal data. Overall, while there is no universal requirement for companies to implement 2FA, many industries and regulatory bodies recognize its importance in improving security and protecting sensitive data. By implementing 2FA, companies can ensure that they are in compliance with these requirements, helping to avoid potential fines and other penalties.


  • Enforcing 2FA builds trust with customers, who will appreciate the additional security measures in place to protect their data. 


Why 2FA isn’t enough sometimes:


The effectiveness of 2FA lies in its deployment, rather than the security measure itself. If any component of the 2FA process is compromised, it can result in a security breach. Traditional methods like phishing and social engineering are now being used to bypass 2FA more and more. As written by Steven J. Vaughan-Nichols, “In short, 2FA can’t stop human stupidity.” 
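To make the two factors concrete, here is an added example (hypothetical code, not Findings’ own) of a login check that verifies a salted password hash and an RFC 6238 TOTP code. It also shows two deployment details the paragraph above alludes to: both factors are always evaluated so the response does not reveal which one failed, and a code is accepted only once so a code captured by phishing cannot be replayed within its time window. The shared secret, user record and timestamps are constructed test values (the secret is the RFC 6238 test-vector secret).

```python
"""Two-factor login check: a password (something you know) plus a TOTP code
(something you have). Added illustration; hypothetical code, not Findings' own.
The secret, user record and timestamps used below are constructed test values."""
import hashlib
import hmac
import os
import struct
import time

STEP = 30               # TOTP time step in seconds (RFC 6238 default)
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP, digits)


class User:
    """Constructed user record: salted PBKDF2 password hash plus the TOTP
    secret shared with the user's authenticator app."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                           self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest time step already consumed by a login


def verify_login(user: User, password: str, code: str, now=None) -> bool:
    """Accept only when BOTH factors check out.
    - both factors are always evaluated, so the reply does not say which failed;
    - one time step of clock skew is tolerated on either side;
    - a time step is consumed once, so an already-used code is rejected."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    user.salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user.pw_hash)

    counter, used = now // STEP, None
    for c in range(counter - 1, counter + 2):
        if c > user.last_counter and hmac.compare_digest(hotp(user.totp_secret, c), code):
            used = c
    code_ok = used is not None

    if password_ok and code_ok:
        user.last_counter = used     # consume the step so this code cannot be reused
        return True
    return False
```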


We all know that cybersecurity is no joke. That’s why 2FA is a must-have tool in any company’s arsenal to safeguard their sensitive information and prevent unwanted visitors from sneaking in. By requiring not just one, but two authentication factors, companies can ensure that only those with the key to the kingdom are granted access to their systems and data. This helps keep everything locked up tight, safe from the prying eyes of cybercriminals. Time and time again, it’s proven to be the hero we need to foil malicious attacks and protect our valuable data.



How Security Assessments Help Prevent Breaches

Data breaches can cause significant damage to a business, both in terms of financial losses and damage to reputation. In recent years, the number of data breaches reported has increased dramatically, with cybercriminals using increasingly sophisticated methods to gain access to sensitive data. One of the most effective ways to prevent data breaches is by conducting regular security assessments.

A security assessment is a comprehensive evaluation of an organization’s security posture. It involves reviewing all aspects of the organization’s security, including policies, procedures, infrastructure, and personnel. The goal of a security assessment is to identify vulnerabilities and weaknesses that could be exploited by an attacker. There are many types of security assessments, including vulnerability assessments, penetration testing, and risk assessments. Each of these assessments has its own unique methodology, but they all aim to achieve the same goal: to identify vulnerabilities and weaknesses in an organization’s security.

By conducting a security assessment, organizations can identify vulnerabilities before they are exploited by attackers. This allows the organization to take proactive steps to mitigate the risk of a data breach. For example, if a security assessment identifies that the organization’s password policies are weak, the organization can implement stronger policies to prevent unauthorized access.

Another benefit of conducting a security assessment is that it can help organizations comply with industry and regulatory requirements. Many industries have specific regulations that organizations must follow to protect sensitive data. By conducting a security assessment, organizations can ensure that they are meeting these requirements and avoid costly fines and legal action.

Additionally, conducting a security assessment can help organizations identify areas where they need to invest in additional security measures. For example, if a security assessment reveals that the organization’s network infrastructure is outdated, the organization can allocate resources to upgrade the infrastructure to better protect against attacks.

It’s important to note that conducting a security assessment is not a one-time event. Security threats and vulnerabilities are constantly evolving, and organizations must regularly review and update their security measures to stay ahead of attackers.

Why are Security Assessments Important?

Security assessments are essential for preventing data breaches because they help organizations identify vulnerabilities before they are exploited by attackers. By conducting a security assessment, organizations can take proactive steps to mitigate the risk of a data breach.

For example, a vulnerability assessment can identify vulnerabilities in an organization’s software or hardware systems. These vulnerabilities could be used by an attacker to gain unauthorized access to sensitive data. By identifying these vulnerabilities, organizations can take steps to patch or fix them before an attacker can exploit them.

Similarly, a penetration test can simulate an attack on an organization’s systems to identify weaknesses that could be exploited by an attacker. By conducting a penetration test, organizations can identify vulnerabilities and weaknesses in their systems and take steps to improve their security.

Security assessments are also important for helping organizations comply with industry and regulatory requirements. Many industries have specific regulations that organizations must follow to protect sensitive data. By conducting a security assessment, organizations can ensure that they are meeting these requirements and avoid costly fines and legal action.

Examples of Security Assessments in Action:

Now that we’ve explored why security assessments are important, let’s take a look at some examples of how they’ve helped organizations prevent data breaches.


Example 1: Target Data Breach

In 2013, retail giant Target suffered a massive data breach that compromised the personal and financial information of millions of customers. The breach was caused by a vulnerability in Target’s payment system that was exploited by attackers.

Following the breach, Target conducted a security assessment to identify the root cause of the attack and prevent future breaches. The assessment identified a number of vulnerabilities in Target’s systems, including weaknesses in the company’s password policies and network segmentation.

Based on the findings of the assessment, Target implemented a number of security measures, including two-factor authentication for remote access, improved password policies, and increased network segmentation. These measures helped to prevent future data breaches at Target.

Example 2: Equifax Data Breach

In 2017, credit reporting agency Equifax suffered a data breach that exposed the personal and financial information of over 140 million customers. The breach was caused by a vulnerability in Equifax’s web application software that was exploited by attackers.

Following the breach, Equifax conducted a security assessment to identify the root cause of the attack and prevent future breaches. The assessment identified a number of vulnerabilities in Equifax’s systems, including weaknesses in the company’s patch management processes and web application security.

Based on the findings of the assessment, Equifax implemented a number of security measures, including improved patch management processes, enhanced web application security, and increased employee training on cybersecurity best practices. These measures helped to prevent future data breaches at Equifax.

Example 3: University of Virginia Data Breach

In 2014, the University of Virginia suffered a data breach that exposed the personal and financial information of over 18,000 current and former employees. The breach was caused by a vulnerability in the university’s payroll system that was exploited by attackers.

Following the breach, the university conducted a security assessment to identify the root cause of the attack and prevent future breaches. The assessment identified a number of vulnerabilities in the university’s systems, including weaknesses in its patch management processes, access controls, and network security.

Based on the findings of the assessment, the university implemented a number of security measures, including improved patch management processes, enhanced access controls, and increased network security. The university also provided additional cybersecurity training to its employees to help prevent future data breaches.

As we’ve seen in these examples, security assessments can be a powerful tool for preventing data breaches. By identifying vulnerabilities and weaknesses in an organization’s security posture, organizations can take proactive steps to mitigate the risk of a data breach. This can include implementing security measures such as two-factor authentication, improved password policies, enhanced patch management processes, and increased employee training on cybersecurity best practices.

In addition to preventing data breaches, security assessments can also help organizations comply with industry and regulatory requirements. By conducting a security assessment, organizations can ensure that they are meeting these requirements and avoid costly fines and legal action.

Ultimately, conducting regular security assessments is essential for any organization that wants to protect its sensitive data from cybercriminals. By taking proactive steps to identify and address vulnerabilities, organizations can help prevent data breaches and protect the privacy and security of their customers and employees.





The Great Data Breaches: Tales of Cybersecurity Misadventures

Data breaches are a nightmare of the digital age that have plagued companies and organizations around the world in recent years. With cybercriminals constantly evolving their tactics, no one is safe from the threat of a data breach. While this list can go on and on we’ve narrowed it down to some of the most well known breaches to date.

Let’s take a look at some of the most notable data breaches that have occurred in the past decade, and the lessons we can learn from them!

Equifax: The One That Got Away

In 2017, Equifax, one of the largest credit reporting agencies, suffered a breach that exposed the personal information of 147 million people, including names, birthdates, Social Security numbers, and other sensitive data. Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes. In a statement released, Equifax writes, “The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application. Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.”


(From SEC filing report)

This was a huge blow for the credit industry, as it exposed flaws in the system that allowed unauthorized access to sensitive personal information. It also highlighted the need for companies to invest in cybersecurity measures to protect their customers’ data.

Yahoo: Twice Bitten, Thrice Shy

In 2013 and 2014, Yahoo experienced two separate data breaches, and every user who had a Yahoo account was likely affected by this massive hack. The stolen information included names, email addresses, phone numbers, dates of birth, and security questions and answers. The sheer scale of this breach was unprecedented. It also exposed a wider problem: many companies lack the ability to collect and store all of the network activity that could be used to trace a hacker’s steps, which makes data breaches difficult to investigate. In Yahoo’s case, investigators struggled to follow the hackers’ tracks precisely because that network activity data was missing.


Marriott: A Wake Up Call

In 2018, Marriott International, one of the world’s largest hotel chains, suffered a data breach that exposed the personal information of approximately 500 million customers who had made a reservation at a Starwood property. In a company statement, Marriott explains that they “learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.” The stolen information included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Some guests’ payment card numbers and expiration dates were also compromised, but they were encrypted using AES-128. This breach was a wake-up call for the hospitality industry, which has traditionally lagged behind other sectors in cybersecurity. It highlighted the importance of designing security measures into products and services from the outset, rather than bolting them on as an afterthought.

Target: The Target of Cybercrime

In 2013, Target, a major U.S. retailer, experienced a breach that affected 110 million customers. This was one of the earliest and most widely publicized data breaches. Prior to this event, cybersecurity was not given the same level of attention as it is today. The professional practices that many businesses implemented in response to this event likely prevented numerous data breaches from occurring. The breach began when a third-party contractor for Target, Fazio Mechanical Services, fell victim to a spear phishing attack. The hackers then used the stolen credentials to access Target’s corporate network and install malware on Target’s POS devices. Target’s security team received a notice for a generic threat but did not act on the warning. The breach wasn’t detected until three days later, and the US Department of Justice uncovered the scope of the danger on December 12th. The hackers gained access to data including full names, phone numbers, email addresses, payment card numbers, and credit card verification codes. This breach was a turning point in the battle against cybercrime, as it demonstrated that even the biggest companies were vulnerable to attack. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.

Capital One: A Capital Mistake

In 2019, Capital One experienced a breach after an outside individual obtained unauthorized access to personal information of about 100 million US customers and 6 million Canadian customers. Capital One explained that they discovered this security incident after the configuration vulnerability was reported to Capital One by an external security researcher through their Responsible Disclosure Program on July 17, 2019. The accessed information included personal information collected from credit card applications, such as names, addresses, and self-reported income, as well as customer status data, credit scores, and transaction data from 23 days in 2016-2018. Additionally, the individual obtained about 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers. This incident underscores the importance of securing sensitive financial data and having strong cybersecurity policies, including employee training and regular security audits.

eBay: Buy and Beware

In 2014, eBay experienced a massive data breach that affected all 145 million users it had at the time. The hackers were able to access encrypted passwords and personal details of customers, including names, email addresses, phone numbers, and physical addresses. As a result, eBay was forced to ask all of its users to change their passwords. In many instances, hackers may unscramble encrypted passwords and then use automated software that logs into thousands of popular social media sites and banking accounts. At the time, eBay faced heavy criticism for its slow response and poor communication with affected customers following the breach. This incident highlights the importance of swift action and proactive communication with customers in the aftermath of a data breach. Even more importantly, it was a lesson in password hygiene and the need for companies to implement strong password policies and additional controls such as two-factor authentication.


Anthem: The Healthcare Hack

In 2015, Anthem, one of the largest health insurance companies in the U.S., announced that it suffered a breach that exposed the personal information of 80 million customers, including names, birthdates, Social Security numbers, and other sensitive data. How did it happen? According to the investigative report, the Anthem data breach began in February 2014 when a user in one of the company’s subsidiaries opened a phishing email containing harmful content. This led to the download of malicious files and remote access to the user’s computer, as well as dozens of other systems within the Anthem enterprise, including the company’s data warehouse. The attacker was able to move laterally across Anthem systems and escalate privileges, ultimately compromising at least 50 accounts and 90 systems. This resulted in access to approximately 78.8 million unique user records after querying the data warehouse. This breach was a stark reminder of the importance of securing sensitive healthcare data, which is highly sought after by cybercriminals. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.

Microsoft Exchange: The Latest Threat

In 2021, Microsoft Exchange email servers were attacked, affecting 60,000 companies worldwide. The hackers were able to exploit four zero-day vulnerabilities, which allowed them to gain unauthorized access to emails from small businesses to local governments. They took advantage of a few coding errors over three months to take control of vulnerable systems. Once they gained access, they could request data, deploy malware, use backdoors to gain access to other systems, and ultimately take over the servers. Many people assumed that the requests were legitimate because they looked like they came from the Exchange servers themselves. Although Microsoft was able to patch the vulnerabilities, owners of individual servers that didn’t update their systems would still be vulnerable to the exploit. Because the systems weren’t on the cloud, Microsoft couldn’t immediately push a patch to fix the issues. In July 2021, the Biden administration, along with the FBI, accused China of the data breach. Microsoft followed suit and named a Chinese state-sponsored hacker group, Hafnium, as the culprit behind the attack.


These are just a few of the largest data breaches in the past decade, and there have been many others affecting a range of industries and types of organizations. The lessons we can learn from these breaches are clear: companies need to take cybersecurity seriously and implement robust security measures to protect their customers’ data. By staying informed and investing in the latest cybersecurity technologies, we can help to prevent the next big data breach.


