A cyber thief once tricked an employee into transferring millions of dollars from the employer's account into the thief's account. How? By mimicking the distinctive writing style of the employee's CEO. This wasn't an attack on the company's IT network. It was an attack on the person reading the email, and that is something far harder to patch.
PCI-DSS, ISO, HIPAA: you have probably heard many acronyms like these in reference to IT security. There are so many laws, organizations, and standards these days that it can be difficult to know where to begin. This blog post will introduce the topic so you can consider what might apply to you.
There are three categories of acronym you will typically see: legal requirements, organizations, and specific standards.
HIPAA is an example of a legal requirement. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996, a law that applies to certain kinds of healthcare organizations (covered entities) and the vendors that handle their data (business associates). Rather than detailing specific technical requirements, HIPAA's Security Rule lists broad safeguards and leaves organizations to decide how to implement them based on their size and risk. This allows the law to scale for company size and with changing technology. Some other examples of legal requirements are: HITECH (short for "Health Information Technology for Economic and Clinical Health," a 2009 law that strengthened HIPAA's enforcement and breach-notification requirements), GLBA (short for "Gramm–Leach–Bliley Act," which governs financial companies), and FISMA (short for "Federal Information Security Management Act of 2002," which regulates federal agencies and their contractors).
ISO is an example of an organization. ISO is an abbreviation for the International Organization for Standardization, an international effort to come up with standardized terms and measurements for everything from timber sizes to laboratory glassware to fingerprint image data. One of its standards is ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS) and lists, in its Annex A, the security controls an organization must consider. TechGen is ISO 27001 certified, which means an accredited auditor has verified that we meet those requirements. Other examples of organizations that publish their own standards are: the SANS Institute ("SysAdmin, Audit, Network and Security Institute," a private company that offers security training), ISACA (formerly the "Information Systems Audit and Control Association," a professional association), and HITRUST (the "Health Information Trust Alliance," founded jointly by several healthcare and technology companies).
PCI-DSS is a specific list of standards. The Payment Card Industry Data Security Standard is maintained by the PCI Security Standards Council, which was founded by the major card brands, and it applies to businesses that store, process, or transmit cardholder data. Unlike HIPAA it is not a law: it is a contractual requirement that the card brands and acquiring banks impose on merchants, enforced through fines and the loss of the ability to accept cards. Lots of organizations have their own list of security standards or certifications, which adds more acronyms to the mix. The SANS Institute offers GIAC, the "Global Information Assurance Certification," for individuals. ISACA publishes COBIT, which stands for "Control Objectives for Information and Related Technologies." HITRUST regularly updates what it calls the CSF, or "Common Security Framework." Some organizations use their name in their list of controls, such as CIS (the "Center for Internet Security"), which writes the "CIS Controls" and the "CIS Benchmarks."
When looking at IT certifications, it is important to look up exactly what a company claims to hold. A company that says it is "HITRUST Certified" is saying that an auditor has evaluated it and found that it meets the CSF published by the HITRUST organization. Every certification also has a scope, so ask to see the certificate and which systems, sites, or services it covers; a certificate for one data center says nothing about an unlisted office. That also means there is no such thing as "HIPAA Certified," because HIPAA is a law, not a list of standards or a certification program; nobody is accredited to certify against it. A more accurate designation would be "HIPAA Compliant."
If you are interested in increasing your level of IT security, you should research which organizations specialize in creating standards for your industry. There is no "one size fits all" standard for technology, and there are multiple different ways to address a security problem. One practical way to reduce your own risk is to use vendors that hold their own IT certifications, so that an independent third party has evaluated their security; just confirm that the scope of their certificate covers the service you are buying.
Hopefully, this guide has given you a good start for where to begin your investigations into IT certifications. Thank you for reading, and have a secure day.
It's the end of the year, and with the holidays wrapping up it means "time to get back to work" for most of us, but it means "time to kick into high gear" for scammers. With many companies running with partial staff, identity thieves see them as prime targets. When employees have extra workloads, they can't spend as much time carefully reading emails, which is exactly why we need to train ourselves to be cautious.
Every year scammers start bringing out their old standbys for year’s end because people still respond to them. Here are some of the most common tactics, so you and your users can be ready:
- Employee benefits/Health Savings Account scams
These types of scams rely on employees not knowing their company's policies. The scammer sends an email telling the employee that their benefits are about to expire, or that they need to re-enroll for the new year, and provides a fake website to "log in" to, which steals their credentials. Avoid this by asking the appropriate person in your organization about anything benefit related, and by never using a login link from an unexpected email.
- Microsoft (or other software) End of Year upgrade:
This type of scam involves an email telling you that your software is about to expire and that you need to send money to renew it. Typically the scammer will try to scare you, claiming that your email account will be closed by Microsoft or something similar. Always ask your IT vendor about the status of your licenses before paying anything. TechGen will be happy to work with you to manage your software licenses and keep you in compliance.
- Phone call scams (“Vishing”):
With staff overworked, scammers are more likely to leverage employee exhaustion by calling directly instead of sending an email. These callers pretend to be from the IRS, Microsoft, or some other group that supposedly needs credentials, passwords, or remote access to a computer. None of these organizations will call you out of the blue and make you resolve an issue on the spot; hang up and call back on a number you looked up yourself.
- Charity scams:
Lots of people want to contribute to charities toward the end of the year, and who doesn't like making the world a better place? Scammers exploit this by sending fake charity emails, hoping people will send them money. You can avoid these by navigating directly to the website of the charity you want to give to. Don't send money to people who ask for it over email.
Finally, scammers have been watching the news as well, and they've seen the confusion resulting from the new tax law that Congress has passed. Expect lots of phishing emails on this topic. Scammers may send fake articles for you to click, ask for your information to "help you calculate your new tax liability," or, most dangerously, pretend to be government agents and demand money. The IRS has published a page describing fake IRS communications and how to report them: https://www.irs.gov/privacy-disclosure/report-phishing
Stay warm, and stay safe.
Everyone should use a password manager like LastPass, 1Password or Roboform to ensure they’re using separate, complicated passwords on each website visited. This article will specifically show some quick tips/videos about using LastPass.
- You'll primarily use the app through its browser extension (Chrome and Internet Explorer are covered here). The video below will show you how to use it.
- Creating secure passwords is easy with the built-in generator. Use it for every NEW site you sign up for. For existing accounts, sign in to each site, go through that site's process for changing your password, and paste in a generated one. Here's a quick video on how to create passwords.
- The Vault is the place where all of your passwords are stored – protected by your master password. You can organize your passwords by folder here, and share them with others. This video shows you how to access the vault.
- Visit the app store on your mobile phone to download the LastPass app there.
We can help your organization set up LastPass Teams and train users on how to use the software, to keep their online accounts protected.
Need help? Contact us!
September 1, 2017
TechGen is pleased to announce that it has been awarded the ISO 27001:2013 certification.
ISO 27001 is an internationally recognized security standard, published by the International Organization for Standardization (ISO) jointly with the IEC, that specifies the requirements for an information security management system and lists over a hundred controls (Annex A) designed to protect IT infrastructure. These controls address a wide range of physical, technical, and organizational measures relevant to mitigating vulnerabilities and risks to data. The 2013 edition, the current edition at the time of this announcement, addresses policies around access control, business continuity, human resources, incident management, physical security, and technical procedures.
TechGen has demonstrated to A-LIGN, an independent, third-party auditor, that it has technical controls in place and formalized IT security policies and procedures. A-LIGN is an ISO/IEC 27001 certification body accredited by the ANSI-ASQ National Accreditation Board (ANAB) to perform ISO/IEC 27001 ISMS certifications. Customers can be assured that TechGen takes the safety of their data extremely seriously and has committed to meeting a rigorous, independently audited standard to protect it. This certification is a demonstration of that commitment to clients. TechGen continues to design, implement, monitor, and maintain security controls that protect client information, and the certification is subject to ongoing surveillance audits.