Sep 16, 2021 12:15:00 PM

How Do You Manage Ransomware Risk?

Ransomware has become an all-too-common occurrence in today's digital world. With threat actors constantly evolving their tactics and developing new threats, protecting your organization against ransomware attacks can be difficult. However, following these 5 best practices can minimize your risk:

Topics: cybersecurity, password security, securing your data, Vulnerabilities

Sep 9, 2021 9:29:26 AM

What to Know About Cybersecurity For Your Home & Family

The internet is an integral aspect of modern life, one that has brought us many conveniences and transformed businesses and human connection. However, this world of connection has also brought many challenges and risks to our doorstep. Over the last year and a half, we have seen our homes become centers not only for leisure online activities such as social media, personal banking, gaming, and TV streaming, but also for virtual schools and offices. Below, we share a few of our go-to best practices for upping your family’s cybersecurity awareness and protection.

Topics: cybersecurity, password security, securing your data, Vulnerabilities

Aug 25, 2021 7:30:00 AM

What is the number one way to prevent shadow IT?

Shadow IT continues to be prevalent in many organizations, bringing unknown and unmitigated risks into your environment. Several factors have accelerated the presence of shadow IT in recent years, such as bring-your-own-device policies, the increased need within business units for the flexibility to affect outcomes, tension between IT/GRC stakeholders and other operating areas, and an exponential reliance on employee devices and remote work due to the COVID-19 pandemic.

Topics: IT administration, information security

Jul 28, 2021 7:30:00 AM

Web Application Security 101

What is a Web Application Pen Test?

In today's interconnected business world, web applications (web apps) are indispensable. Whether they are a client portal or an online shopping site, attackers can compromise web apps, impair business function, and steal sensitive data if they are not adequately tested and secured by your organization. Fortunately, these vulnerabilities can be mitigated through proper cyber hygiene and by integrating penetration testing into the web app development lifecycle.

Topics: data security, cybersecurity, Vulnerabilities

May 13, 2021 8:37:22 AM

Impact and Mitigation of the KRACK WiFi Vulnerability

A vulnerability has been disclosed in the most popular and recommended security protocol for WiFi networks: WPA2. The weaknesses, discovered and documented by Mathy Vanhoef, may change the way your organization uses wireless until vendor patches are available. The purpose of this post is to discuss the potential impact on your organization and discuss how you can layer security around protocol weaknesses such as this one.

Topics: Attack Surface

May 13, 2021 8:37:01 AM

Is Your Google Chrome Browser Up-to-Date?

Late last week, Google announced an urgent Google Chrome browser update (78.0.3904.87) for Windows, Mac, and Linux platforms. The update includes security fixes for two identified vulnerabilities within the current Chrome browser. Very little information about the two vulnerabilities has been released at this time; however, Google noted that one of them is actively being exploited “in the wild”.

Topics: cybersecurity

May 12, 2021 9:10:06 AM

Conducting Regular HIPAA Security Risk Analyses is Critical

Clients frequently ask the question, “How often should I perform a security risk analysis as a covered entity under HIPAA?” While the HIPAA Security Rule does not require a security risk assessment to be performed within a certain timeframe, it does state that the risk analysis process should be ongoing and continuous. Similarly, the Quality Payment Program (for covered entities accepting Medicare) does evaluate whether an organization has performed a security risk analysis within a 12-month period (January through December) as a required measure.

Jan 1, 2021 4:30:00 PM

Why "I'm Just Not Technical" is No Longer an Excuse in the C-Suite

I cannot tell you how many board presentations and meetings I have been in where I have heard "I am just not technical". Not being “tech savvy” is no longer a valid excuse for not understanding the threats your organization faces and what needs to be done to provide protection. If you are part of the budgeting, decision-making, or approval process for technology in your organization, you have no choice.

Jan 1, 2021 4:21:00 PM

Don't Let Cyber Risk Derail Your M&A Deal

Headlines around hacking and data breaches have become a regular occurrence over the last few years. When a business loses the trust of its customers, it can be nearly impossible to win it back. Cybersecurity, or the lack thereof, can famously destroy existing companies, but could it also be killing future business deals?

Topics: risk management, cybersecurity

Jan 1, 2021 4:03:00 PM

XaaS, Part 2: Infrastructure as a Service (IaaS)

Getting Started with IaaS

As a businessperson, deciding whether to deploy an aspect of your business to the cloud can be an ordeal, especially if cloud computing discussions are not a standard part of your workday. In XaaS Part 1, we defined cloud computing, the three standard cloud service models, and four cloud computing architectures.

Topics: Cyber Assurance Insights

Jan 1, 2021 4:01:00 PM

What would you do with a million dollars in a pandemic?

Over the past few months I’ve worked with multiple teams at HORNE as we’ve assisted State and Local Governments in determining how to spend the funds provided to them through the Coronavirus Relief Fund (“CRF”), which resulted from the CARES Act, which appropriated $150 billion to the fund to be directed to U.S. State, Local, Territorial, and Tribal governments.

Topics: COVID 19

Jan 1, 2021 3:59:00 PM

3 Simple Ways to Test Your Business Continuity Disaster Recovery Plan

There are numerous resources that provide the means for developing a business continuity plan. These cover activities such as team formation, business impact analysis, evaluation of legal and regulatory requirements, etc. This is not one of those.

Topics: cybersecurity awareness month

Jan 1, 2021 3:56:00 PM

Pt. 5: 7 Tips for Achieving CMMC Level 4 Readiness

In our previous blog, we discussed the purpose of Level 3 and the requirements that potential contractors will need to meet to achieve Level 3 readiness. As we continue along the maturity model to Level 4, we will provide *Readiness Notes* to point out potential roadblocks for achieving Cybersecurity Maturity Model Certification (CMMC) Level 4 readiness.

Topics: CMMC

Jan 1, 2021 3:54:00 PM

Pt. 6: A Readiness Roadmap to the CMMC Level 5

In our previous blog, we discussed the purpose of Level 4 and the requirements that potential contractors will need to meet for Level 4. As we continue along the maturity model to the final level, we will provide *Readiness Notes* to point out potential roadblocks for achieving Cybersecurity Maturity Model Certification (CMMC) Level 5 readiness.

Topics: CMMC

Jan 1, 2021 10:45:00 AM

COVID-19 Impacts on HIPAA: Maintaining Security and Privacy for Your Organization

COVID-19 has changed the HIPAA landscape in the short term, and some of these changes will undoubtedly echo long after the pandemic has ended. We’ve summarized the latest changes and how you can maintain the security goals for your organization and stay in compliance.

Topics: HIPAA, COVID 19

Jan 1, 2021 10:40:00 AM

Cloud Computing & Risk Management: A Review of the FFIEC's Recent Statement

Out of sight, out of mind feels pretty good, doesn’t it? Especially when your data is not only out of sight but off the ground. Your organization’s data is so far out of reach that not only does it feel like you can’t get to it, but there’s an illusion that no one else can either.

Topics: risk management, the cloud

Jan 1, 2021 10:23:00 AM

A Tactical Crisis Response to Healthcare Cybersecurity

Introduction

In May the Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) collectively created a tactical guide for how healthcare organizations can manage their cybersecurity threats during a crisis like COVID-19. During a crisis, the way your company works, specifically your technology and processes, can change dramatically. These changes create new attack surfaces and vulnerabilities.

Topics: COVID 19

Jan 1, 2021 10:11:00 AM

6 Steps to NIST 800-171 Compliance

NIST 800-171 provides a framework for the protection of controlled unclassified information (CUI). The framework is intended to provide guidance for nonfederal entities working with and accessing the data of federal entities. However, NIST 800-171 also serves as a best-practice set of privacy and security controls for many types of unclassified data.

Topics: Cyber Assurance Insights, IT GRC, Cyber GRC, Cyber Regulations, Compliance, NIST 800-171

Jan 1, 2021 9:54:00 AM

Providing Peace of Mind Around Your Law Firm's Data Security

Have you ever wondered why Amazon Web Services (AWS) is so focused on security? When you visit their compliance page, they have nearly every privacy and security badge available, noted with the global standards highlighted below:

Topics: cybersecurity, SOC 1 Audit, securing your data, SOC for Cybersecurity, Cyber Assurance Insights, Cyber SOC, Compliance

Jan 1, 2021 9:30:00 AM

OCR Proposed Changes to HIPAA Privacy Rule Part 1

Introduction

In January 2021, the Office of Civil Rights (OCR) published its proposed Modifications to the HIPAA Privacy Rule to Empower Individuals, Improve Coordinated Care, and Reduce Regulatory Burdens, and opened it for public comment until March 22, 2021. As of March 9, 2021, this comment period has been extended to May 6, 2021.

Jan 1, 2021 9:28:00 AM

OCR Proposed Changes to HIPAA Privacy Rule Part 2

Introduction

In January 2021, the Office of Civil Rights (OCR) published its proposed Modifications to the HIPAA Privacy Rule to Empower Individuals, Improve Coordinated Care, and Reduce Regulatory Burdens, and opened it for public comment until March 22, 2021. As of March 9, 2021, this comment period has been extended to May 6, 2021. In Part 1 of our blog, we highlighted the first 4 of the proposed eight (8) changes and how these may impact providers. Today, we’ll go over the remainder.

Topics: HITECH, HIPAA

Apr 13, 2020 6:00:00 AM

COVID-19 and Maintaining the Integrity of Your Information Security Policy

Remote Work and Information Security Policy Exceptions

There is a well-known metric included in risk assessments known as the Annualized Rate of Occurrence, or ARO. Risk events have varying AROs depending on the frequency with which they are expected to occur. Many risk events have AROs that are so low, meaning that the event is so unlikely to occur, that an organization may not have a formal, documented policy or procedure (such as Pandemic Response) that describes how the organization will react to or account for the impact of such an event.

Topics: risk management, COVID 19

Apr 10, 2020 8:00:00 AM

5 Policies Critical for Maintaining Security Standards During Pandemic

As businesses continue to work from home in an effort to flatten the curve during the COVID-19 pandemic, it is critical to have effective policies in place. More importantly, your employees should be trained in those policies and be following them accordingly, both in and out of the office. Policies are only as good as your employees’ behavior: strong security hygiene at the user level helps responsibly manage security risk.

Topics: Cyber Assurance Insights

Apr 7, 2020 6:00:00 AM

5 Tips for Securing a Remote Workforce

As the COVID-19 pandemic continues, a new global remote workforce has emerged in an effort to help flatten the curve. As organizations make this necessary transition, changes to infrastructure to support remote workers may create unprecedented risks and vulnerabilities.

Topics: remote workforce

Apr 2, 2020 6:30:00 AM

Pt. 4: 6 Pitfalls to Avoid in CMMC Level 3

In our previous blog, we discussed the purpose of Level 2 and the requirements that potential contractors will need to meet to achieve readiness for Level 2. As we build upon Level 2 and progress to Level 3, we will provide *Readiness Notes* to highlight potential roadblocks for achieving Cybersecurity Maturity Model Certification (CMMC) Level 3 readiness.

Topics: CMMC