<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Cathy Diehl, Author at Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/author/cathy/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/author/cathy/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Mon, 20 Jul 2020 15:47:44 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>Cathy Diehl, Author at Third Rock</title>
	<link>https://thirdrock.com/blog/author/cathy/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>CCPA enforcement has begun</title>
		<link>https://thirdrock.com/blog/2020/07/20/ccpa-enforcement-has-begun/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Mon, 20 Jul 2020 13:19:47 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[enforcement]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=9321</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2020/07/20/ccpa-enforcement-has-begun/">CCPA enforcement has begun</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>The California Attorney General’s office recently confirmed that July 1 remained the start of enforcement for the new California Consumer Privacy Act (CCPA). The office has already sent its first round of compliance letters to businesses, giving them 30 days to cure any violations before facing an investigation or lawsuit.</p>
<p>With the disruptions that occurred due to the COVID-19 pandemic in the United States, many may have thought CCPA would be pushed back to allow businesses to deal with other issues. However, with the exponential increase in cyber threats, better data protection is exactly what we need.</p>
<p>The focus of CCPA is giving consumers more control of their data. Consumers must be clearly notified when their data will be collected, have the option to opt out, request information about how their data is used and sold, and require their data to be deleted.</p>
<p>There is also a provision for consumers to bring allegations against a company if they feel their data was not properly managed. Though some small lawsuits have been filed, one of the largest to date was recently brought against Walmart by a San Francisco resident, claiming they “Failed to implement and maintain reasonable security procedures and practices”.</p>
<p>Will this set the tone for businesses to be sued by customers looking for a payout? Hard to say, but no doubt there will be many more complaints and lawsuits. Is your business both compliant and protected? Our CCPA compliance <a href="https://thirdrock.com/ccpa/">packages</a> offer a range of services to meet your needs rapidly and protect your business. <a href="https://thirdrock.com/contact-us">Contact us</a> today.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9321</post-id>	</item>
		<item>
		<title>Cyber Safety for working at home</title>
		<link>https://thirdrock.com/blog/2020/04/23/cyber-safety-for-working-at-home/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Thu, 23 Apr 2020 18:20:32 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=9042</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2020/04/23/cyber-safety-for-working-at-home/">Cyber Safety for working at home</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Our work environments have been turned upside down. We are all in a place of creating new work routines. Having left the cyber safety net of a central office designed to protect company cybersecurity, IT departments are juggling a dispersed workforce while maintaining cybersecurity standards that protect private data.</p>
<p>Before COVID-19 forced a remote workforce, anywhere from 60 – 90% of breaches were caused by human error. We are seeing cyber criminals take advantage of extra vulnerabilities created with employees working from home. Cybersecurity is no longer just an IT thing. Protecting your company and their private data has never been closer to home, literally. Mistakes that could hurt the company start on your own network, which could also affect your personal security. Your business, IT department and your family are relying on your vigilance to be cyber safe.</p>
<h2>Cyber safety habits to put into practice</h2>
<ol>
<li><strong> </strong><strong>Separate work and personal devices<br /> </strong>If your company provides you a device, use it only for work purposes. Have a separate device for family and personal use. If separate devices are not a possibility, create separate profiles with different security settings. Use your work profile only for work purposes. If you have children who need to use the same computer, create separate profiles with parental controls that limit their ability to access and/or download content that could infect your computer.</li>
</ol>
<ol start="2">
<li><strong> </strong><strong>Lock down your device<br /> </strong>You may feel that your device is physically safe in your home office, but you still need to protect data safety. Set a unique password for your device and lock it every time you walk away. If you are using one device for multiple profiles, have a private, unique password for your work profile that no one in your household can access. This is good practice for after quarantine as well.</li>
</ol>
<ol start="3">
<li><strong> </strong><strong>Be wary of add-ons and downloads<br /> </strong>There are many add-ons and extensions that promise to make your work run faster, smoother and better. Be cautious of downloading these onto your device. Many contain malware that gives hackers access to the data on your computer. If you then link to your company network, they could gain access there as well. A good cyber safety practice is to research on trusted sites before downloading a new program or add-on.</li>
</ol>
<ol start="4">
<li><strong> </strong><strong>Use company approved sharing sites<br /> </strong>With your entire team working remotely, there is a greater need to communicate digitally. While it may be more comfortable to use the data sharing platforms you are used to, they may not be the most secure. Only send private data through company approved sharing sites.</li>
</ol>
<h2>Know signs of a breach</h2>
<p>Preventative measures are important to cyber safety, but breaches are still possible. It’s important to know what signs to look for in the event of a breach.</p>
<ol>
<li><strong> </strong><strong>Increase in unwanted pop-ups<br /> </strong>Pop-ups are a widely seen by-product of malware. If advertisements or system pop-ups begin appearing outside of any program, you may have been infected.</li>
</ol>
<ol start="2">
<li><strong> </strong><strong>Processing slows down<br /> </strong>Is it taking longer than usual for your computer to boot up or for programs to load? Viruses and malware run in the background, slowing down the programs you are attempting to run.</li>
</ol>
<ol start="3">
<li><strong> </strong><strong>New programs appear<br /> </strong>Computers do not add content on their own. If a new program, app or internet add-on appears on your computer, you may have a virus that inserted content onto your computer.</li>
</ol>
<h2>How do you handle a potential breach?</h2>
<ol>
<li><strong> </strong><strong>Report it!<br /> </strong>Inform your IT department of what you are experiencing. Send screen shots of error messages, pop-ups and other unwanted content. Be specific about when it started happening and what is going on.</li>
</ol>
<ol start="2">
<li><strong> </strong><strong>Don’t click<br /> </strong>Never click on suspicious content, even to try and close pop-up windows. Malware is the gateway for a virus. Clicking on the content can give them access to the data they are looking for.</li>
</ol>
<ol start="3">
<li><strong> </strong><strong>Scan with anti-virus software<br /> </strong>Company devices should be equipped with anti-virus software. If your company does not provide a device, get with your IT department about them providing access to anti-virus software. While it should do scans in the background, if you notice any of the above issues, tell it to run a full system diagnosis.</li>
</ol>
<ol start="4">
<li><strong> </strong><strong>Don’t access private data<br /> </strong>Until your issue has been resolved, do not attempt to access the company network or open any private data. If a hacker is monitoring your computer through malware, you run the risk of giving them access to that information.</li>
</ol>
<p>While human error will never be eliminated, we can all take steps to increase our awareness and cyber safety to lower our risk.</p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_2_3 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_center et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Want a reference to share with family, friends and coworkers? Download our checklist to make your most secure home office environment.</p></div>
			</div>
			</div><div class="et_pb_column et_pb_column_1_3 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_button_module_wrapper et_pb_button_0_wrapper  et_pb_module ">
				<a class="et_pb_button et_pb_button_0 et_pb_bg_layout_light" href="https://thirdrock.com/wp-content/uploads/Third-Rock-Home-Office-Cybersecurity-Checklist-2020.pdf" target="_blank">Download your checklist</a>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9042</post-id>	</item>
		<item>
		<title>Cyber Protection as Your Business Deals with Social Distancing</title>
		<link>https://thirdrock.com/blog/2020/03/10/cyber-protection-as-your-business-deals-with-social-distancing/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Tue, 10 Mar 2020 12:00:00 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Pandemic]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8918</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2020/03/10/cyber-protection-as-your-business-deals-with-social-distancing/">Cyber Protection as Your Business Deals with Social Distancing</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_2 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><h2>Cyber Safety Tips for Businesses When Employees Work from Home</h2>
<p>With the threat of the Coronavirus, many companies are allowing or requiring employees to work from home. If your company deals with protected information such as healthcare, financial, consumer or personal, you should have policies and procedures in place to protect that data within your normal work environment. However, having your work force suddenly need to access this information from home may not be normal. Systems may be overloaded, sensitive information distributed in a way that you never anticipated and lines of communication disrupted. Do your policies and procedures cover such a situation, like a pandemic? Here are 6 tips to best protect your business and your clients.</p>
<h3>Train Your Employees</h3>
<p>We are not talking about the once-a-year standard, boring videos people half-heartedly watch so they can print off a certificate proving they did it. Your employees <u>must</u> know key elements of cyber safety that they are regularly reminded of. If nothing else, make sure they know these 3 things.</p>
<ol>
<li><u>Anticipate phishing and spear phishing attacks</u>. Word will travel fast that everyone is working from home. Hackers will recognize you are vulnerable and try to take advantage of it. Tell your workforce to anticipate phishing and spear phishing attacks that will attempt to take advantage of pandemic fears. Give visual examples, have your IT on high alert searching for phishing attempts and contact employees immediately when one gets through your firewall.</li>
<li><u>Do not access sensitive information on unauthorized devices</u>. The biggest culprit: cell phones. Have policies about what devices they are allowed to use to remotely access information and make sure they know. Never store sensitive information unencrypted on a portable device.</li>
<li><u>Do not access sensitive information on unsecure networks</u>. Like working from Starbucks because they have free WiFi? That may be fine for personal use, but not when you’re accessing sensitive information. Public WiFi makes it easy for a hacker to infiltrate your computer, stealing the information you accessed.</li>
</ol>
<h3>Determine Critical Processes and Access Control</h3>
<p>This is a key component to any Pandemic plan. Who is authorized to access sensitive information, and how do you ensure they can actually access sensitive information in a highly distributed environment? Minimize your exposure by controlling access to data. Not everyone working from home needs access to sensitive information. Make sure you lock down access to only essential employees. Follow through by monitoring who is accessing data, what they are accessing and why.</p>
<h3>Multifactor Authentication</h3>
<p>For those employees who need to access sensitive information, require multifactor authentication every time they remotely access a private server. This is an easy step to implement that can have a big impact on keeping cyber criminals out. Explain to your employees why two-factor authentication is an important safety capability.</p>
<h3>Network Access Control</h3>
<p>While you should train your employees not to access sensitive information on unsecure networks (see tip #1), you can implement access controls that actually block a user if they do not meet a certain level of security. You should implement a Virtual Private Network (VPN), which provides higher security for workers using home and/or public internet connections that are not secure. It’s fairly easy and inexpensive to implement. For more information on VPNs, <a href="https://www.techradar.com/vpn/best-vpn">click here</a>.</p>
<h3>Encrypt Data</h3>
<p>If information is stored locally on a device, make sure it is encrypted. Portable devices are often stolen that contain sensitive information. A simple step of encryption protects your clients’ information and protects you from hefty breach costs and fines.</p>
<h3>Provide Company Devices</h3>
<p>Laptops and cell phones should always be running the most up-to-date version of an operating system available (e.g. Windows 10 vs Windows 8). They should also have up-to-date firewall protections and antivirus software. If employees are permitted to use personal devices, it is difficult to ensure these protections stay up to date. Providing company devices that are properly configured and regularly updated helps strengthen the barrier against cyber criminals.</p>
<p>Protection doesn’t have to be complicated, but it does have to be intentional. Simple steps taken by the company and the employees can go a long way. While we want to stay physically safe through this wave of the Coronavirus, let’s make sure we stay cyber safe too.</p>
<p> Concerned if you have the right precautions and planning in place? Contact Third Rock at info@thirdrock.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8918</post-id>	</item>
		<item>
		<title>Announcing CyberCompass, LLC</title>
		<link>https://thirdrock.com/blog/2020/01/01/announcing-cybercompass-llc-2/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Wed, 01 Jan 2020 16:45:00 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[CyberCompass]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=9326</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2020/01/01/announcing-cybercompass-llc-2/">Announcing CyberCompass, LLC</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_3 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Since 1995, Third Rock has been leading in improving privacy compliance and cybersecurity affordably. Starting with HIPAA compliance and seeing how healthcare was strapped with spreadsheets as its only tool, Third Rock developed automation tools with built-in expertise to move their clients to faster and more complete cyber risk management.</p>
<p>“Healthcare organizations are highly-targeted by cyber threats yet have the lowest utilization of risk management software to help manage their risks,” stated Robert Felps, Third Rock CEO.</p>
<p>The <a href="https://cybercompass.co">CyberCompass®</a> cloud-based platform was born as a solution to automate the workflow and provide the navigation needed for businesses to protect themselves today and stay current as the cyber landscape and privacy laws evolve. Third Rock quickly saw that its solution was adopted by Texas Medical Liability Trust, the largest insurer of physicians in the country, Texas Health Services Authorization with its SecureTexas certification, and Texas Medical Association.</p>
<p>With the enactment of privacy laws and the expansion of the tool into other industries, CyberCompass has gone through significant and more user-friendly enhancements to save companies up to 70% of work hours. The most powerful enhancement is the capability to do multiple regulations with one streamlined assessment. Excess Line Association of New York is currently offering CyberCompass as a free membership benefit so insurance brokers can meet New York Department of Finance 500 cybersecurity compliance certification. CyberCompass includes the following privacy and cybersecurity regulations: CCPA, CIS-20, GDPR, HIPAA, NAIC 668, NYDFS 500, NIST 171 800, and numerous state regulations.</p>
<p>Seeing the increased demand for the software and its ability to simplify cyber risk management, streamline privacy compliance and improve cybersecurity holistically, CyberCompass, LLC becomes effective on January 1, 2020. Spinning off as a separate entity, CyberCompass as well as its other tools such as CyberQuickCheck, will have greater flexibility to establish various distribution opportunities through resellers, value added resellers, strategic alliances, and partnerships. </p>
<p>“With CyberCompass as a separate legal entity, we have simplified the ability for our partners so we can develop more focused leadership and meet changing market demand faster,” stated Felps.</p>
<p>Do you have clients in need of holistic risk management across people, processes, technology and vendors? Learn more about <a href="https://cybercompass.co/partners/">partnering</a> with CyberCompass today to provide the most affordable and complete solution.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9326</post-id>	</item>
		<item>
		<title>Travel Cyber Safe</title>
		<link>https://thirdrock.com/blog/2019/11/26/travel-cyber-safe/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Tue, 26 Nov 2019 15:21:23 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[Protect Yourself]]></category>
		<category><![CDATA[cyber safety]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[juice jacking]]></category>
		<category><![CDATA[travel]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8689</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/11/26/travel-cyber-safe/">Travel Cyber Safe</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_4 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><!-- divi:paragraph --></p>
<p>The holidays get busy. Traveling is stressful and we aren’t always as vigilant as we should be. In today’s world of data breaches, identity theft and cybercrime, there are many things we know to be cautious about. You wouldn’t give away your credit card number or let a stranger have access to your driver’s license. But are you cyber safe with your phone? We have become so dependent on our phones to store sensitive and private data. Sometimes we forget that we need to protect it too.</p>
<h2>Let’s take a look at a scenario that could happen to any of us:</h2>
<p><span style="font-size: 14px;"><em>T</em></span><em style="font-size: 14px;">he morning was a rush and you made it to the airport on time, thankfully. After getting through security, there is a little time to breathe. You grab some coffee, check your phone and realize you forgot to charge it. Ugh. Your phone needs to be charged to last the whole flight and still have juice when you land. You notice a charging station near your gate. There are even cords already plugged in, so you don’t have to dig yours out of your mess of a bag. Score!</em></p>
<p>You may not be as lucky as you feel. Cyber criminals are taking advantage of how dependent we are on our devices and their need to be charged. This new scam, known as “juice jacking”, takes advantage of your connection to your phone.</p>
<p><strong style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">How does it work?</strong></p>
<p><span style="font-size: 14px;">Phone cords are designed for 2-way communication. Data can come in, but data also goes out. This can be seen every time you attach an iPhone to your computer and iTunes wants to download your data. Convenient when you want it, but bad when the criminals want it. Criminals download malware into the charging station, or physically alter the charging station by installing a cable connected to a virus-laden device, and wait until you connect. They then have access to everything on your phone. What do you keep saved?</span></p>
<ul>
<li>Passwords?</li>
<li>Credit card information?</li>
<li>Communications?</li>
<li>Photos?</li>
</ul>
<p><span style="font-size: 14px;">Depending on the malware, they could download your data or install malware on your phone that will continue to monitor your usage. They might even lock you out of your phone completely. The biggest concern: you may never know. A week later you’re seeing fraudulent charges on an account and trying to figure out what happened. This is very similar to the card skimmers installed at gas stations.</span></p>
<p><strong style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">What can you do?</strong></p>
<p><span style="font-size: 14px;">Thankfully there are easy ways to avoid this scam.</span></p>
<ul>
<li>Use your own AC adapter and cord</li>
<li>Plug into a wall outlet, not a charging station</li>
<li>Use a “charge only” cord at a charging station</li>
<li>Use personal car chargers</li>
<li>Use a portable charger</li>
</ul>
<p> <strong style="color: #333333; font-family: 'Roboto Slab', Georgia, 'Times New Roman', serif; font-size: 18px;">Be cyber safe this holiday season</strong></p>
<p>Physical security is important and easy to remember. We see our wallet; we protect our wallet. This holiday season, let’s also remember our cyber safety.<span style="font-size: 14px;"> </span></p>
<hr class="wp-block-separator" />
<p>&nbsp;</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">8689</post-id>	</item>
		<item>
		<title>Brand Impersonation</title>
		<link>https://thirdrock.com/blog/2019/05/01/brand-impersonation/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Wed, 01 May 2019 14:00:03 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[brand impersonation]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[phishing scam]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=7156</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/05/01/brand-impersonation/">Brand Impersonation</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[

<div class="et_pb_section et_pb_section_5 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_7  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Have you ever received an email from a trusted company saying that your account needs maintenance? The only problem: you don’t have an account with that company. So why are they sending you an email? Most likely, it’s scammers using a popular technique called brand impersonation.</p>
<p>Brand impersonation has become so popular that 83% of all spear phishing attacks use this tactic. A scammer sends a very legitimate-looking email, complete with logo and what appears to be a legitimate email address. The goal is to get you to give up credentials or click on a malicious link. Some links take you to what, again, looks like a real website asking you to enter your login information to “fix” your account. These websites are actually hosted by the cybercriminal, and once you enter your data, they have it. Nearly 1 in 5 attacks involve the impersonation of a financial institution, in order to gain access to your login, account numbers and other personal information. The most impersonated company, though, is Microsoft, being used for 32% of known attacks.[1] If the cybercriminal can gain access to your email, they can monitor it without you knowing. Then they can learn details about you, send password resets from your valuable accounts and capture the email to log in.</p>
<p><img data-recalc-dims="1" fetchpriority="high" decoding="async" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/brand-impersonation.jpg?resize=476%2C301&#038;ssl=1" width="476" height="301" alt="" class="wp-image-7159 aligncenter size-full" style="display: block; margin-left: auto; margin-right: auto;" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/brand-impersonation.jpg?w=679&amp;ssl=1 679w, https://i0.wp.com/thirdrock.com/wp-content/uploads/brand-impersonation.jpg?resize=300%2C189&amp;ssl=1 300w" sizes="(max-width: 476px) 100vw, 476px" /></p>
<p><strong>What to look for</strong></p>
<ul>
<li>Misspellings or questionable domain name in sender’s email</li>
<li>Misspellings or questionable domain name in any of the hyperlinks</li>
<li>Vague description of the “issue” with your account</li>
<li>If you click a link, check the web address it sends you to</li>
<li>Is this normal practice for the company to communicate with you?</li>
</ul>
<p><strong>Best practices to protect yourself</strong></p>
<ul>
<li>Make sure the information presented in the email actually matches your use of that product (e.g., you receive an email about an iTunes purchase but haven’t made any purchases).</li>
<li>If you want to check your account, do not follow links in the email. Go to the company’s website directly to log in</li>
<li>When in doubt, call the company to ask about your account</li>
<li>Send the fake email to the legitimate company. Many companies invest in the protection of their customers and will investigate brand impersonations.</li>
<li>If you do make a mistake and type your user ID and password into an impersonating website, immediately go to your real account and change the password.</li>
</ul>
<p>&nbsp;</p>
<p><a href="#_ftnref1" name="_ftn1"><span>[1]</span></a> SPEAR PHISHING: TOP THREATS AND TRENDS • US 1.0 • Copyright 2019 Barracuda Networks, Inc. • barracuda.com</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>

<p>The post <a href="https://thirdrock.com/blog/2019/05/01/brand-impersonation/">Brand Impersonation</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">7156</post-id>	</item>
		<item>
		<title>Is that email really from your boss?</title>
		<link>https://thirdrock.com/blog/2019/04/25/is-that-email-really-from-your-boss/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Thu, 25 Apr 2019 14:00:21 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[email spoof]]></category>
		<category><![CDATA[phishing scam]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=7129</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2019/04/25/is-that-email-really-from-your-boss/">Is that email really from your boss?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_6 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_7">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_8  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Email spoofs and phishing have greatly evolved in the last few years, with criminals upping their game to trick you. Instead of casting a wide net, criminals are using spear phishing, a highly personalized attack. Attackers research their targets and craft a carefully designed message impersonating a seemingly trustworthy person or company. According to Beazley’s 2019 Breach Briefing, business email compromise increased 133%, with financial institutions, healthcare and education being the top targets. While business email compromise accounts for only 6% of all spear phishing attacks, it has proven very lucrative for criminals.</p>
<p>Business email compromise (BEC) occurs when a cybercriminal uses a compromised email account or spoofs a legitimate email address to trick an employee into transferring money or sensitive data. The financial industry is the most targeted because of its easy access to funds. An employee gets an email from a “senior executive” requesting a wire transfer, which gives this attack its nickname, CEO fraud. Attackers use a sense of urgency in their emails to encourage quick action by the receiver without investigation. The FBI reports a loss of $12.5 billion since 2013 due to BEC.</p>
<p><span style="font-size: 14px;">Criminals must do their research to pull off a BEC attack successfully. They must learn the names of employees, the hierarchy of the company and who controls the funds. Then, using a spoofed or compromised account, they send an email requesting a wire transfer with a fraudulent account number, or sensitive data with financial information. These emails tend not to have any links or malicious attachments, so they are hard to detect through email security. An email may look similar to this:</span></p>
<p><span style="font-size: 14px;">From: Jane Johnson &lt;jane.johnson@conp.com&gt;</span></p>
<p>To: Michael Blake &lt;michael.blake@corp.com&gt;</p>
<p>Subject: Request</p>
<p>&nbsp;</p>
<p>Hey Michael,</p>
<p>Are you in the office? I need to process a bank transfer for me.</p>
<p>Give me a quick reply when you can get it done.</p>
<p>&nbsp;</p>
<p>Regards,</p>
<p>Jane Johnson</p>
<p>CEO, Corp Corporation</p>
<p>Cell: 408-292-2020</p>
<p>&nbsp;</p>
<p><span style="font-size: 14px;">At first glance it looks legitimate and has a sense of urgency. On closer inspection, you see the sender is using a spoofed address at @conp.com instead of @corp.com. If this money is sent, it’s almost impossible to get back. This criminal did his research.</span></p>
<p><strong style="font-size: 14px;">Hard to Defend</strong></p>
<ul>
<li>
<p><span style="font-size: 14px;">Targeted attacks are not mass produced, so they aren’t flagged as spam</span></p>
</li>
<li>
<p>Emails come from reputable email services (gmail.com is used for 1 in 3 attacks)</p>
</li>
<li>
<p>No malicious links or attachments</p>
</li>
<li>
<p>Domain and display name spoofing make convincing impersonations</p>
</li>
<li>
<p>Compromised accounts used to send requests are even harder to trace</p>
</li>
<li>
<p>Social engineering tactics such as brevity, urgency, personalization and pressure increase chances of success</p>
</li>
</ul>
<p><strong>Steps to Protect Your Business</strong></p>
<ul>
<li>
<p>Enable multi-factor authentication for remote access to systems and apps</p>
</li>
<li>
<p>Implement regular anti-fraud training for your employees</p>
</li>
<li>
<p>Establish a process for employees who travel and need to request funds. Do not document the process on the network.</p>
</li>
<li>
<p>Limit the employees who have the authority to submit or approve wire transfers</p>
</li>
<li>
<p>Verify any vendor requests to change account details with verbal confirmation</p>
</li>
<li>
<p>Utilize artificial intelligence technology that recognizes when an account has been compromised</p>
</li>
</ul></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2019/04/25/is-that-email-really-from-your-boss/">Is that email really from your boss?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">7129</post-id>	</item>
		<item>
		<title>Third Rock Crushed OCR Audit in less than 14 days</title>
		<link>https://thirdrock.com/blog/2018/08/29/third-rock-crushed-ocr-audit-in-less-than-14-days/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Wed, 29 Aug 2018 07:00:21 +0000</pubDate>
				<category><![CDATA[CyberCompass]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[cyber risk assessment]]></category>
		<category><![CDATA[HIPAA audits]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OCR audits]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5833</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/08/29/third-rock-crushed-ocr-audit-in-less-than-14-days/">Third Rock Crushed OCR Audit in less than 14 days</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<div class="et_pb_section et_pb_section_7 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_8">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_9  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_8  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" decoding="async" class="aligncenter size-medium wp-image-5731" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Screen-Shot-2018-06-06-at-10.02.14-AM.png?resize=300%2C161&#038;ssl=1" alt="" width="300" height="161" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/Screen-Shot-2018-06-06-at-10.02.14-AM.png?resize=300%2C161&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/Screen-Shot-2018-06-06-at-10.02.14-AM.png?resize=768%2C413&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/Screen-Shot-2018-06-06-at-10.02.14-AM.png?w=801&amp;ssl=1 801w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>Do you have a looming cybersecurity compliance audit with a seemingly unrealistic deadline? This case study shows how Third Rock, using CyberCompass<strong>™</strong>, was able to meet a tight OCR deadline for a healthcare client. Our Rapid Response Team, using our automated risk management platform, CyberCompass<strong>™</strong>, delivered in less than 2 weeks what competitors claimed would take at least 10. If you are facing a cybersecurity compliance audit, recently experienced a breach, <em>or</em> are in need of an information security checkup, contact us today to see what we can do for you: info@thirdrock.com | 512.310.0020.</p>
<p style="text-align: center;">Protect your Clients. Protect Your Organization. Protect Yourself.<strong>™</strong></p>
<p>Download the Case Study for more details.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://thirdrock.com/blog/2018/08/29/third-rock-crushed-ocr-audit-in-less-than-14-days/">Third Rock Crushed OCR Audit in less than 14 days</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5833</post-id>	</item>
		<item>
		<title>Meet Hayden</title>
		<link>https://thirdrock.com/blog/2018/08/24/meet-hayden/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Fri, 24 Aug 2018 16:00:11 +0000</pubDate>
				<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[cyber safety]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[patient health information]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5815</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/08/24/meet-hayden/">Meet Hayden</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><div class="et_pb_section et_pb_section_8 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_9">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_10  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>&nbsp;</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="aligncenter size-medium wp-image-5816" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=300%2C200&#038;ssl=1" alt="" width="300" height="200" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?resize=1024%2C683&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/3M4A7835-copy.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p><span style="margin: 0px; line-height: 107%; font-family: 'Calibri',sans-serif; font-size: 11pt;"><span style="color: #000000;">Meet Hayden. He was born at 7:23 am on May 3. He started breathing too soon and swallowed liquid, which caused him to struggle to breathe. Within an hour of being born, he was taken to the NICU. For 2 days he received amazing care from the doctors and nurses. He was discharged, happy and healthy, ready to take on the world. His future is bright and open to all possibilities. Or is it? While the hospital protected his body, are they protecting his personal information? Can someone steal his identity, potentially jeopardizing his future? Children are a common target of identity theft because there is a false belief they are too young to have any “valuable” credentials. What are you doing to make sure the Haydens in your hospital are protected? Be cyber confident so your patients (and their parents) can be confident in you.</span></span></p>
<p style="text-align: center;"><strong>Protect your Patients. Protect your Organization. Protect Yourself.</strong>™</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div></p>
<p>The post <a href="https://thirdrock.com/blog/2018/08/24/meet-hayden/">Meet Hayden</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5815</post-id>	</item>
	</channel>
</rss>
