Pratum Blog

Iranian Cyberattack on United States

If you’ve been following recent news, concerns over retaliation from Iran are on the rise after a recent bombing in the country by the U.S. military. After that airstrike, Iran vowed “severe revenge” in response. The political situation is now raising concerns for all citizens regarding their cybersecurity.

Just last week, the Cybersecurity and Infrastructure Security Agency (CISA) Director sent out a tweet alerting people to an increased risk.

[Image: CISA Director tweet about Iran cyber attacks]

This warning from the Department of Homeland Security is due to a heightened threat of cyberattacks from Iran. Over the summer there was a rise in malicious cyber activity, and recent reports show that it is once again a concern. While your cybersecurity firm or IT department should be monitoring for suspicious activity, there are other ways you can protect yourself and your business.

Action Steps:

1. Raise awareness within your organization.
The best thing you can do to protect your assets is to make sure those who have access to them are diligent. Re-emphasize cybersecurity training. Put notices on walls, such as educational security posters. Make sure everyone is familiar and reminded of current cybersecurity initiatives.

2. Review your permitted and successful traffic on a regular basis.
Taking inventory of your traffic should be a regular practice, but it is even more crucial right now. Continually check for any new or unusual activity, and be extra aware of what is happening within your network.

3. Respond to suspicious activity quickly!
If you do notice something that seems suspicious, or even just a little strange, investigate it immediately. Use the adage, “see something, say something.” Contact your cybersecurity representative for more instruction.

4. Have backups in place.
These hackers will not be interested in negotiating for your business’s information. According to former military personnel, once Iranian hackers have your data, they are going to keep what they find. Continually update your backup system.

5. Don’t assume you’re immune to an attack.
One of the biggest misconceptions people have is that they wouldn’t be a target of these cyberattacks. That’s simply not true. No matter the size or industry of your organization, there is a potential threat.

The threat of a cyberattack is not to be taken lightly. In 2017 an attack against Ukraine, which officials blamed on Russia, targeted government ministries, banks and companies across the country. The White House called it “the most destructive and costly cyber attack in history.”

While Iran’s cyber capabilities are said to rank below Russia’s, Iran has been able to attack Saudi governmental and private-sector networks. With the increased tensions between the U.S. and Iran, it is believed a cyberattack is imminent.

Here at Pratum we are remaining vigilant to ensure our clients’ information is protected. For more details on the services we offer, contact a Pratum representative today.

Information Security Policies, Procedures, and Standards

Information security Policies, Standards, and Procedures typically fall to the bottom of many companies’ to-do lists. While these documents may seem tedious, the effort you put into the creation and maintenance of them will pay off in the long run!

What They Are

First, let’s break down what each of these governance documents is, and how to take care of them.

Information Policies – The “What”
Policies are the high-level statements that communicate a company’s objectives. They typically express the company’s philosophy for solving security problems that may arise. Here you will find out what the organization’s objectives are, and how they are designed to protect the company’s assets.

Information Standards – The “How Often/Much”
Policies and Standards are similar but differ in some very important ways. Standards go more in-depth and elaborate on the Policies. Who will be involved in implementing the Standards? What are the specific responsibilities of the associated departments? Who does the Standard pertain to? Who owns the individual Standard? Specific requirements are laid out here for a comprehensive look at how each control area fits into the overall information security program. Standards are what most compliance requirements and frameworks ask for.

Information Procedures – The “How”
Procedures are the step-by-step instructions for fulfilling the Policies and Standards. For every control area your Policy covers, there need to be corresponding sections describing how the company will carry out that Policy. Procedures take Policies and Standards and turn them into tangible action steps. In these Procedures, the business should call out the specific employees and technologies used to carry out each Procedure.

Why You Need Them

Now that we’re on the same page about what these governing documents are, let’s explore why they’re important for your business!

Establishes Continuity
Showing your employees exactly what is expected of them is crucial. Without a clear vision, there will inevitably be questions. Creating a universal guide for everyone to see and understand will unify the team in times of crisis or confusion.

Allows Easy Enforcement
Without a governance program in place, Executives will have no way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find Policies, Standards, and Procedures, there will be proof to hold people accountable for not abiding by them.

Creates a Security Culture
If Executives are involved in the creation of Policies, Standards, and Procedures, they are more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate with the Executives and to understand what is important to them. (Many companies will ask employees to sign a document saying they are aware of the Policies, Standards and Procedures and agree to comply with all security controls and directives.)

How to Get Started!

1. Figure Out Your Needs
An organization’s size and niche will dictate what its governance documents should be. If you have a large business with several employees, you may need a more detailed plan. If you have a small organization with people who do a little of everything, you should consider what guidelines to put in place to enable employees to perform their job duties effectively and securely.

2. Build an Action Plan
Next, address how to get the governance program in place. Talk with your IT operations team to make sure they can comply with the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key!

3. Maintain and Update
Last, once you have your Policies, Standards, and Procedures in place, the work is not finished. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Be sure to do annual reviews of all these important documents to proactively evaluate the security controls related to the confidentiality, integrity, and availability of your business’s sensitive information.

If you need help creating and maintaining policies, standards, and procedures, Pratum can help. Contact us today.

Information Security Questionnaire

When working with a client, vendors are often asked to supply some sort of proof they will protect the client’s sensitive data. While this may seem like a reasonable request, knowing how much information to share and the best way to do that can be tricky.

As a vendor, you may receive multiple requests from clients for compliance reports or third-party-validated security reports, such as a SOC 2. If you don’t have a third-party compliance report, the client may ask you to complete a security questionnaire. (Something we discussed in a recent blog, here.) That process can be very time consuming, especially with multiple questionnaires asking for different information.

We’ve created five guidelines to help vendors meet their clients’ needs, without risking their own security:

1. Analyze your relationship with the client.

Sometimes clients will send out questionnaires to every vendor they use, without really looking at what each vendor has access to. If you are a vendor but do not handle the client’s sensitive data, you may not need to fill out tedious questionnaires. That client could simply be following their own company protocol without considering each request being made.

2. Know which data you should provide your client.

We typically don’t advise vendors to share Policies, Standards, and Procedures with a client. This sort of information could put you, the vendor, at risk. Be cautious and make sure you’re not sharing more information than what is required. It is not necessary to risk your own company’s security to comply with a client’s wishes.

3. Know when to push back, and how.

If a client asks for more information than you’re comfortable with, you have the right to object. Oftentimes this will be a conversation rather than a flat “no.” Ask for your client’s reasoning for the information they’re requesting. If it is still too much, explain why you are uncomfortable with the situation.

4. Offer up an alternative.

If you’ve turned down the client’s questionnaire or request for your Policies, Standards, and Procedures, they may still need some proof that you are ready to protect their security interests.

  • One way to do that is with a pre-filled questionnaire. A method used in many of these cases is the SIG (Standardized Information Gathering) questionnaire. This tool allows vendors to create a standard form, ready to be handed out to any client who needs an explanation of your security procedures. You can also create an inventory of your Policies and Standards with only the Table of Contents visible. This shows the documents are in place but doesn’t give all the details.
  • Another option is to set up a meeting with the client. This can be a video call with screen sharing, or a webinar. If you plan to show the client any sensitive data, make sure they do not screen-grab or record the conversation. We suggest having the client sign an NDA beforehand.
  • If a client requests a SOC 2 report, but you have another form of compliance report already completed, ask the client if that will work instead. They may be able to accept a different type of third-party-validated report, even if they did not specifically ask for it.

5. Decide if this client is worth the effort.

Completing compliance reports, filling out dozens of questionnaires, and sharing sensitive data can come at a cost to you. You need to decide if the client in question is worth the time and resources their requests will take. Sometimes it’s more cost-effective to let that client go than to jump through more hoops.

Hopefully this helps you know how to handle the inevitable security requests vendors face! If you need more assistance with preparing a SIG or knowing which information may be too sensitive to share, be sure to reach out to a cybersecurity expert.
