Blog

  • Technology Audits and Consulting: Achieving Separation of Duty

    Do you worry that you don't have the talent or funds to keep your business secure? Is your IT person so maxed out on projects that adding information security to her plate would be too much? How can you strike the balance between getting the cybersecurity expertise your business requires and not breaking the bank?

    The information security space has become a multi-billion dollar industry with a wide range of jobs within it. Whether someone goes down the development path, the testing/forensics path, or the strategic path, there is plenty of opportunity, and retaining people is extremely competitive. Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs by 2021. Additionally, filling the role doesn't guarantee that the person 1) has the skillset to accomplish everything you need, or 2) is a strong culture fit who can get out of the technical weeds and talk to you in the business terms you need.

    Often those needs can be met by outsourcing. You may have a great technology audit experience, or a great relationship with a fractional Information Security Officer who can align all the technical projects with the business's strategic plans, or, even better, both! But wait, isn't that a conflict of interest? Having auditors and ISOs from the same company? At a quick glance, I can see why one would think that. But if managed properly, we believe you can have an even better experience by using one company for both. Here are some of the things you can plan for to ensure good separation of duty.

    1) People can't intermingle across projects – If one company is doing both audits and ongoing consulting, ask who is doing the work behind the scenes and make sure the audit line doesn't get crossed: the people who performed the audit should not be the ones managing or mitigating the audit findings. Bigger organizations quite often have one person or team handle the audit function and another manage the mitigation. It's simple checks and balances.
     
    2) Create organizational clarity on how security projects are managed – Do yourself a favor at the front end of a project, or during the annual planning process, and discuss as a team how you will achieve separation of duty. Setting out separate responsibilities as part of the project template creates the consistent clarity your team requires.
     
    3) Conduct an After Action Review / debrief – In Michael Hyatt's book, Your Best Year Ever, he shares a tool (which comes out of the military) used once a project is complete. It's called an 'After Action Review'. Here's what you go through with your team post-project:
    1. State What You Wanted to Happen
    2. Acknowledge What Actually Happened
    3. Lessons Learned from the Experience
    4. Adjust Your Behavior

    We love this tool because it focuses on the right things with the right mindset. Instead of becoming a blow-out debate over who's right and who's wrong, it becomes a collaborative, incremental-improvement discussion: state what happened and what you can do next time to improve on that experience. We highly recommend trying it out!

    In summary, in this competitive cybersecurity world, strong outsourced relationships are hard to find. Businesses should look for ways to leverage their strongest relationships rather than settle for a 'lesser choice' just because of concerns about separation of duty. With a little planning (and After Action Reviews) you can bring both together and be successful.

    FAQs on How to Achieve Proper Separation of Duty

    Why is it better for you to work with one company to do both IT audits and consulting?

    Working with an extra vendor adds more conversations and more contractual friction, and puts the focus on managing vendor relationships instead of where it belongs: making your organization secure.

    What would the obstacle be if you want to work with a company who does both?

    At Vala Secure there is no obstacle. There is no legal requirement to use separate companies. Our clients understand our processes and have been successful in passing exams and adding regulated clients.


  • Learn to Fish for Phishing Emails

    [Screenshot of a phishing email received on 2019-02-21]

    As the image shows, we deal with email phishing a lot. We get phishing emails often, and so do our clients. The phishing attacker is playing the odds: they can send thousands or millions of emails at the click of a button, and they don't need a high success rate, they just need one person to fall for the trick. If you learn to scan your own emails, you greatly reduce the chance of falling prey to this relatively easy attack. Here are some things to look out for:

    1. As in the image, look at the sender's email address. It might display my name, but you can tell pretty quickly that it didn't come from me. Most email clients either show you the actual address it came from, or let you click the display name to expand it.
    2. The first point is an easy one, but note that the sender address can be faked too. If your 'attacker alarm' goes off, look at the body of the message: does it read like the voice of the person it claims to be from? Attackers are often bad at spelling and grammar as well. And for the record, I can't think of an email in my life that I ended with 'Regards' (heh).
    3. If you feel like you need to respond to the supposed sender, contact them through a different channel to verify. Send an instant message, Slack, text, or call to simply ask if it was from them. If you're not sure, don't make it worse by replying to the email, clicking any links in it, or opening the attachments.
    If in doubt, many IT teams set up a quarantine mailbox that you can forward suspicious messages to; from there they can review them and do even fancier things: automated phishing-awareness training tools, deeper anti-virus scans, or reviewing the email headers. Start with the easiest things you can control and raise your security at the same time.
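    As an added example (not code from the original post, and not a tool Vala Secure provides), the following Python script applies the checks above to a raw message the way a quarantine reviewer would: it compares the display name with the actual sender address, checks whether a Reply-To header would divert replies somewhere else, reads the receiving server's SPF/DKIM verdicts from the Authentication-Results header (the "reviewing email headers" step), and looks for common lure phrases in the body. The two sample messages, the choice of example.com as the trusted company domain, and the lure phrase list are constructed assumptions; every name, address and domain in them is made up.

```python
"""Triage a raw email for the phishing indicators described above.

Added example, not code from the original post. Standard library only.
The two sample messages below are constructed for illustration; every
name, address and domain in them is made up.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domains. A display name that looks
# like a colleague on an address outside these domains is the classic tell.
TRUSTED_DOMAINS = {"example.com"}

# Assumed lure phrases; a hit is a prompt to look closer, not a verdict.
LURE_PHRASES = ("wire transfer", "gift card", "verify your account", "password")

# Constructed sample: display name claims to be a colleague, the real address
# is on an unrelated domain, Reply-To points somewhere else again, and the
# receiving server recorded SPF and DKIM failures.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=fail
From: "Jane Doe" <janedoe.ceo@mail-relay.example.net>
Reply-To: urgent-payments@example.org
To: accounts@example.com
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

Hi, I need you to process a wire transfer before 3pm today.
Regards,
Jane
"""

# Constructed sample: the same colleague writing from the real company domain.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch Thursday?
Jane
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from any Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";"):
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, verdict = tokens[0].split("=", 1)
                if method in ("spf", "dkim", "dmarc"):
                    verdicts[method] = verdict.lower()
    return verdicts


def phishing_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Display name versus the real sender address (point 1 above).
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name and from_domain and from_domain not in trusted_domains:
        flags.append(f"display name '{name}' but sender domain is {from_domain}")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {addr}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts (header review).
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            flags.append(f"{method}={verdict}")

    # 4. Lure phrases in the body (point 2 above: does the message read right?).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in text:
            flags.append(f"body mentions '{phrase}'")
    return flags


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

    Run it directly to print the indicators for each sample. Treat the output as a prompt to verify out of band (point 3 above), not as a verdict: a legitimate external contact with a display name will also trip the first check, and mail relayed through a mailing list can fail SPF for innocent reasons.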
     
    Have you ever picked a phishing email out of your inbox? Or better yet, ever caught the attacker trying? Share your story with our community using the hashtag #cybersecuritywins and you'll be entered into a contest for a $50 Amazon gift card!

     

  • How to prevent cybersecurity incidents

    For many businesses, cybersecurity can seem like the Wild West. There are good guys (cybersecurity pros like our team here at Vala Secure) and bad guys (hackers and other nefarious characters), plus a lot of townspeople seemingly caught in the middle and at the mercy of the good guys and bad guys. They’re just trying to go through their days without getting hurt.

    But in reality, YOU are the hero of this cybersecurity story. As informed business leaders, you’re taking charge of cybersecurity to protect your business, your employees, and your customers.


  • 5 Frequent Mistakes Made in Vendor Contract Negotiations

    Negotiating vendor contracts is never easy. You need strong relationships with your vendors to grow and expand your business, but rushing to sign on with companies may lead to higher-risk deals. Your short-term needs may get met, but you suffer over the long term. If you do not have the technology and the relationship to scale effectively and securely while maintaining compliance, you may not be able to keep up with your competition and with customer/client demands.
  • Vulnerability Assessments vs. Penetration Testing: What’s the Difference?

    If you don't know much about the world of cybersecurity, some of the terms professionals use may seem a bit opaque. Many people don't know what vulnerability assessments or penetration tests are, and they may conflate the two. A vulnerability assessment is a scan of your network that identifies known security vulnerabilities, while a penetration test attempts to exploit those vulnerabilities to show what an attacker could actually achieve in the real world.


  • 5 Reasons Your Legal Firm Should Have a Penetration Test ASAP

    Legal firms face a range of security threats, from theft of sensitive client data to malware that can wreak havoc on company computer systems. Penetration testing lets legal firms test their information security systems to ensure they can stand up to the latest threats. Put simply, a penetration test is a planned, authorized attempt to gain access to a protected computer system in order to find exploitable security holes.


  • Garland Heart Launches New Website

    Garland Heart is thrilled to announce the launch of our newly designed website – www.garlandheart.com

    Take a look around and see what you think. The new website has a completely new look and feel that makes it easier to navigate and more user-friendly. Try clicking on the pulsing HEART next to our logo!

     


  • 5 Cyber Security Lessons Learned in 2015

    It's no secret that 2015 was another challenging year in cyber security. While fallout continued from the Sony hack, new threats emerged, and each one offered a lesson for the future. Here's what can be learned from the past year as you plan for 2016.


  • 5 Employee Password Habits that are Putting Your Enterprise at Risk

    A truism of the modern workplace is that your employees underestimate the risk their password habits pose to your enterprise. Indeed, a 2012 study of password habits by CSID showed that more than 60 percent of respondents used the same password on multiple sites. Even worse, nearly 45 percent of those respondents said they changed their passwords less than once a year.


    Poor password habits are a root cause of many data breaches, even when your other data security practices are sound. Here are five bad habits your employees should drop from the workplace immediately.
