Scott Davis was interviewed by Cyera Williams of WPMT Fox 43 on Monday, October 9th, to talk about Amazon Prime Day scams and Cybersecurity Awareness Month.
View the article and watch the video segment at https://www.fox43.com/article/money/amazon-prime-day-deals-scams/521-6fa330a9-74e7-4ddf-9a34-ac5085e92b2c
There are safeguards shoppers should keep in mind when purchasing items online. Scammers are able to reach consumers on different platforms, including but not limited to email, text, social media, and phone calls.
"So much of it is common sense, but what the cyber attacker relies on is the emotional advantage that I can gain over a person. If you look back at COVID or a natural disaster, the need to know information bypasses our root cause of 'should I click it' to get me to click that link," said Davis.
According to the Federal Deposit Insurance Corporation and Davis, it all starts with cybersecurity. The best ways to avoid scammers are:
- Do not open emails from people you don’t know.
- Be careful with links and new website addresses.
- Secure your personal information.
- Stay informed on the latest cyber threats.
- Use strong passwords.
- Keep your software up to date and maintain preventative software programs.
- Update the operating systems on your electronic devices.
"Another tip, with credit cards especially, more and more credit card manufacturers allow you to create virtual cards. The virtual cards are almost temporary numbers that you can set up as a one-time use that can shield you against repeated attacks or repeated attempts on that card," said Davis.
Behind every successful technology infrastructure is a framework that has been tried, tested, and proven. In cybersecurity that framework, or set of "best practices", is used for determining risk tolerance while securing systems, networks, software, devices, and data.
Unfortunately, many cybersecurity professionals today have not been very effective at adhering to these frameworks, simply because they are already stretched thin and likely working well beyond the standard 40-hour work week. Factor in the cost for a business to certify within a framework and you will rarely find leadership buy-in; let's be honest, in a tight budget that money is often better spent elsewhere.
Between international frameworks like the Center for Internet Security (CIS) Controls, System and Organization Controls (SOC2), International Office of Standardization (ISO) 27001, Factor Analysis of Information Risk (FAIR), Internet of Things Security Compliance Framework (IoTSF), and MITRE, and country- or region-specific ones like the National Institute of Standards and Technology (NIST), Cybersecurity Maturity Model Certification (CMMC), General Data Protection Regulation (GDPR), European Telecommunications Standards Institute (ETSI), the UK's Cyber Assessment Framework (CSF), New Zealand Protective Security Requirements (PSR), and Australian Signals Directorate (ASD) Essential 8, there is likely at least one government-related framework that your business has to comply with.
Industry-specific frameworks like HITRUST, Payment Card Industry Data Security (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), and Financial Industry Regulatory Authority (FINRA), plus states like California deploying their own, such as the California Privacy Rights Act (CPRA), which replaces CCPA in 2023, guarantee that every business, public and private, needs to review its compliance requirements.
Cyber insurance insurers are following suit with new multi-page questionnaires that assess your potential risk to determine your coverages and premium, or in some cases now the denial of coverage. After years of paying claims, insurers are looking to better protect themselves, which should in turn force businesses to improve their cybersecurity posture as well.
In my experience the most common one being obtained today is SOC 2, which looks at security, availability, processing integrity, confidentiality, and privacy around customer data. But if you are just getting your feet wet with compliance frameworks, I would recommend starting with the CIS Controls.
The bottom line: find the frameworks that impact your business and start adopting those best practices today. While there are more than 50 frameworks available, the majority of them rely on the same basic principles, so as you complete the ones that impact you directly you are also checking off boxes for others.
Don't let all the different frameworks or their requirements scare you. By covering common-sense basics, like ensuring patches and firmware updates are completed, all employees complete annual cybersecurity training, and not everyone has access to everything, you're probably most of the way there.
You do, however, have to take the first step: do an online search for the requirements to be compliant with the framework of your choice and you'll see a number of options right off the bat, oftentimes giving you free information to help you on your journey. You then have to budget for the annual expense and make this a standard part of doing business to protect your customers and your data.
If you're not looking into these yet, the days are numbered and soon you will be forced to.
If you have questions, let’s talk.
November 11, 2022 - Orlando, Florida | Scott R. Davis, along with 16 fellow IT security professionals, participated in the inaugural Charity Beard Shave at ConnectWise's IT Nation. Spearheaded by Ian and Carrie Richardson and Matt Lee, the Charity Beard Shave targeted $100k in donations to benefit Hackers 4 Vets, Women Who Code, Bits and Bytes Cybersecurity, Bike Walk Wichita, and the Diversity Cyber Council.
The group of 17 included industry veterans such as Jason Slagle, Adam Evans, Matt Lee, Cole Halpin, Mike Jones, Joshua Simmons, Sam Carmichael, Henry Timm, Sean Lardo, Michel Richardson, Vince Crisler, Alex Farling, Bob Coped, Matthew Hache, Brent Flamm, and William Emmerich from the Managed Services Provider community.
Read more: Scott Davis and Cyber Security Professionals Raise 200k for Charity
September 16, 2022 – The Cyber Security Association of Pennsylvania and its President, Scott R. Davis, have issued a recommendation for users of the popular ride-share service Uber to update their user credentials.
Uber has announced that it is investigating a wide-reaching security breach that started when an employee replied to a text message from a person impersonating IT support with their user credentials.
This gave the impersonator access to Uber's systems, which, based on screenshots surfacing online, included the employee Slack (communications) tool and Uber's cloud services on Amazon Web Services (AWS) and Google Cloud (and likely others). Shortly before Uber's Slack system was taken offline, Uber employees received a message that read "I announce I am a hacker and Uber has suffered a data breach."
While the cyber threats facing businesses are becoming more sophisticated and complex, oftentimes it is the foundational security practices that leave the most significant gaps in the modern security posture.
MSPs know this issue better than most organizations.
Security threats are everywhere, and most experts agree that it's no longer a matter of if, but only a matter of when, a company is breached. The mentality of "I am too small" or "my business is of no value to cybercriminals" is no longer true.
The majority of successful attacks are random, and the attacker doesn't know who was breached until after the attack has occurred. Companies should therefore take steps to prepare, and fortunately an increasing number of organizations are stepping up their defenses.
It’s Time To Mitigate The Weakest Link
Read more: Accountability Is The Foundation Businesses Need For Modern Security
Scott R. Davis has been called to testify before a joint session of the PA Legislature on the PA Breach Notification Law and the pending legislation SB696.
Dear esteemed members of the State Government Subcommittee of Government Information Technology and Communication and the Senate Communications and Technology Committee,
On behalf of The Cybersecurity Association of Pennsylvania, I thank you for the opportunity to submit this testimony to you on behalf of our members and community.
Currently, Pennsylvania has the third oldest breach notification law on record; only Minnesota's and Wisconsin's are older. The Breach of Personal Information Notification Act (P.L. 474, No. 94) passed on December 22, 2005 and became law on June 19, 2006. To put that into the perspective of modern technology, the first iPhone was released in 2007 and ransomware didn't become a common word until 2011.
Read more: Scott Davis To Testify to Joint Session of PA Legislature on PA Breach Notification Law