InfoSec at Your Services Meetup: Staying on Top of Your Info Sec Game by Candy Alexander – Thursday, January 19, 2017

Join us for our next InfoSec at Your Services Meetup:

“Staying on Top of Your Info Sec Game”
by Candy Alexander

 

When:

Thursday, January 19, 2017
6:30 PM to 8:00 PM

Where:

Margaritas Mexican Restaurant
725 Cochituate Rd , Framingham, MA

Host: Candy Alexander

Meet Candy >

We will discuss:

As you have probably heard, the cybersecurity profession is one of the hottest today, with headlines stating that there are anywhere from 500,000 to millions of job openings around the globe.

Join us for this Meetup to learn the story behind the headline: what is causing this phenomenon, what steps you can take to get in the game, what you can do to stay on top of your game, and what businesses should know to meet their needs for protecting their assets. This is meant to be an interactive discussion led by Candy Alexander, so bring your thoughts and be prepared to share!

Click here for more information and to register >

 
 

What is the General Data Protection Regulation and why should you care?

Find out how to prepare for new EU legislation on data collection and security

In 2012, the European Commission proposed new regulations on data protection that would supersede the national laws of the 28 EU member states. The regulation was formally approved in April 2016, and it goes into effect on May 25, 2018.

This General Data Protection Regulation (GDPR) introduces several major changes that will impact many organizations worldwide.

The smart move is to familiarize yourself with the incoming regulation now and begin preparing to comply with your obligations. The GDPR applies not only to businesses that operate within the EU but to any organization that processes the personal data of people in the EU, wherever that organization is located.

 

Personal data and consent

The GDPR applies to personal data, but the definition of that data has been significantly broadened compared to former legislation. Customer lists and contact details will obviously fall within it, but even online identifiers such as IP addresses could be defined as personal data under this new regulation.

The rules of consent are also changing.

Where processing relies on consent (consent is one of several lawful bases, but the one most businesses use), that consent must be explicit, clear and affirmative: it cannot be presumed from silence, pre-ticked boxes or inactivity on the customer’s part. For online services offered to children under the age of 16, parental consent must be obtained, though EU member states may lower that age to 13.

 

Privacy by design, DPO and risk assessments

Systems and processes related to data collection must be designed with privacy in mind from the outset. The GDPR stipulates that organizations should only collect the data they need to fulfil specific purposes and that they can’t keep it for any longer than is strictly necessary.

For public authorities, and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data, appointing a data protection officer (DPO) is mandatory. The DPO is expected to have real expertise in data protection law and practice.

It will also be mandatory to conduct a data protection impact assessment (DPIA) before any processing that is likely to pose a high risk to individuals, analyzing the risk of a data breach and documenting the steps taken to minimize it.

 

Transparency and data breach notifications

When a personal data breach occurs, organizations must report it to the supervisory authority within 72 hours of becoming aware of it, where feasible; a later report must explain the delay. If the breach is likely to pose a high risk to the individuals affected, they must be notified as well, without undue delay.

Transparency is at the heart of the legislation, so companies will be expected to maintain a clear audit trail and justify the security decisions they make surrounding data.

 

Rights for individuals

There’s a series of rights that individuals have under the GDPR. In addition to the right to be informed about breaches, they also have the right of access, so they can request a copy of personal data in a format that’s accessible for them.

There are also rights pertaining to rectification, erasure and data portability. Individuals will even have the right to restrict processing and challenge automated decision making and profiling. There are a lot of details expanding on these rights and when they can be enacted, but that’s beyond the scope of this article.

It’s not yet clear how strictly they’ll be enforced and adjudicated, but organizations should take the time to ensure that they’re in compliance.

 

Penalties are substantial

If you’re still wondering why you should care about the GDPR, then consider that any organization found to have breached the regulation can be fined up to 4 percent of annual global turnover or 20 million euros ($21.7 million). It’s worth noting that’s turnover they’re talking about, not profit, and that fines will be whichever amount is larger.

The GDPR is designed to protect EU citizens, but it will also help organizations to mitigate the risk of a data breach, which can only be a positive thing.

The average cost of a data breach now stands at $4 million, according to the 2016 Ponemon Cost of Data Breach Study. A hefty fine on top could be enough to put you out of business permanently.

You can review the full GDPR legislation for yourself, but it’s a lengthy document packed with legalese. It may be easier and more effective to seek out some security expertise and work out a solid strategy for compliance.

 

This article was originally featured in NetworkWorld >
Image credit: Bykst via Pixabay

Towerwall Named Cyber Security Leader for 2016

Company among top 20 recognized for their IT security leadership and innovation

 

BOSTON – November 15, 2016 – Towerwall (www.towerwall.com), a data security services provider for small to mid-size businesses, today announced that Cyber Defense Magazine has named Towerwall a “Cyber Security Leader for 2016.” Towerwall was among the top 20 companies to receive the recognition for exceptional information security (InfoSec) products and services.

“The personal relationship Towerwall extends is very reassuring. In data security, it’s important to trust the integrity of your security professionals and we do,” said Ron Gove, IT Director for Longs Jewelers. “Towerwall is always there to educate us on new security trends and products to help protect our data.”

“We’re honored to be named a cyber security leader among such a distinguished group of security vendors and service providers,” says Michelle Drolet, CEO. “Our team of professionals have helped scores of companies protect their data and leverage their investment in IT with advanced information security solutions and services. Organizations need to get smart about conducting regular assessments to ensure their data is safeguarded and not held for ransom.”

Most recently, its founder and CEO Michelle Drolet was named one of the Worcester Business Journal's "Outstanding Women in Business." The WBJ profile of Michelle can be found by clicking here.

Towerwall is the co-founder of the Information Security Summit at Mass Bay Community College, now in its fourth year.

 

About Towerwall

Founded in 1993 and based in Framingham, Massachusetts, Towerwall provides organizations such as AMG, Middlesex Savings Bank, Becker College, CannaCare, Allegro MicroSystems and Smith & Wesson with the IT security technology services required for secure business-class networks. Strategic partnerships with Sophos, Varonis, AlienVault, Websense, Snoopwall, Qualys, and many other nationally recognized security vendors allow Towerwall to offer its customers an integrated approach to solving their security needs by coupling best-of-breed technology with top-notch integration services. For more information please call (774) 204-0700 or email us at info@towerwall.com.

 

Media Contact:

Victor Cruz
Principal, MediaPR
vcruz@mediapr.net

 

 

7 Steps to Proactive Security

The key to securing against this threat lies in a common metaphor—if a ship has a hole, it is better to patch the breach than bail the water

 

Data breaches are increasingly becoming an expensive problem for more and more companies. According to the most recent Ponemon Institute Cost of Data Breach study, a breach cost companies an average of $221 per compromised record in 2016, an increase of 7 percent from the previous year and an all-time high.

The key to securing against this threat lies in a common metaphor—if a ship has a hole, it is better to patch the breach than bail the water. Effective cybersecurity means being proactive, getting ahead of the problem and addressing the issue at its core rather than operating in a reactive fashion, constantly fixing the symptoms.

With this in mind, it is crucial for security professionals to understand the seven components of “offensive security.” Doing so will give one the ability to get ahead of threats, keep networks running and allow employees to continue being productive. This easily understood framework also gives an outline of how to handle corporate politics, budget issues, resource issues and time constraints.

7 steps to Offensive Security

1. Get executive support

Establishing comprehensive security against data breaches requires management’s full support, so it is necessary to get executives to understand the scale of the threat and the potential consequences of inaction.

The first step to gaining this support is to schedule a meeting with key executives, including the CEO, CFO, CIO and potentially members of the board. Executives are most interested in raw numbers, so when making the case, it is imperative to explain the potential costs involved and why the organization is at risk.

It is also important to establish that security is an ongoing process. It is not just “fixed” once and for all. With that in mind, lay out a documentation process and schedule follow-up meetings to discuss progress and continued efforts.

2. Deploy continuous backups and test them regularly

Crucial to securing against data breaches is the use of continuous data protection (CDP), also called continuous backup or real-time backup. In this model, a copy of computer data is automatically saved on every change, capturing every version.

To set this up, cybersecurity professionals should conduct an inventory of all network-attached assets throughout the organization, noting the operating system in particular. Armed with this information, a search can then be conducted to find a CDP product that runs on the operating systems that hold valuable data. Before it is implemented, this backup system should be tested to confirm that it can restore data properly. Once this is confirmed, it can be deployed throughout the organization.
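Step 2 ends with the test that matters, confirming that the product can restore data properly, so here is one way to make that test repeatable and automatic. This is an added example, not code from the article, Towerwall or any CDP product: it hashes every file at the source before the backup runs, restores into a scratch directory, and diffs the two manifests. The directory layout, the sample file contents and the in-process copy loop that stands in for the product's own restore step are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Manifest maps a slash-separated path relative to a tree root to the hex SHA-256 of that file.
type Manifest map[string]string

// BuildManifest hashes every regular file under root. Taken at the source before the backup runs,
// it is the reference a restore must reproduce. (Whole-file reads keep the example short.)
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// VerifyRestore diffs the manifest of a restored tree against the one taken at the source and reports
// files that are missing, that differ, and that appeared without being in the source. A restore
// passes only when all three lists are empty, whatever the backup job's own log says.
func VerifyRestore(expected, got Manifest) (missing, changed, extra []string) {
	for p, sum := range expected {
		if g, ok := got[p]; !ok {
			missing = append(missing, p)
		} else if g != sum {
			changed = append(changed, p)
		}
	}
	for p := range got {
		if _, ok := expected[p]; !ok {
			extra = append(extra, p)
		}
	}
	return missing, changed, extra
}

// writeFile creates parent directories as needed and writes data with owner-only permissions.
func writeFile(p string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
		return err
	}
	return os.WriteFile(p, data, 0o600)
}

// RunRestoreDrill writes a constructed source tree, "restores" it into a scratch directory and, when
// tamper is set, damages the restored copy the way a bad restore would: one file silently corrupted,
// one never restored, one stray file left behind. Setup errors panic; they are not what is under test.
func RunRestoreDrill(tamper bool) (missing, changed, extra []string) {
	root, err := os.MkdirTemp("", "restore-drill")
	check(err)
	defer os.RemoveAll(root)
	src, dst := filepath.Join(root, "src"), filepath.Join(root, "restore")
	sample := map[string]string{ // constructed sample data, not real records
		"finance/ledger.csv": "2016-11-15,invoice,4200.00\n",
		"hr/roster.txt":      "alice,bob,carol\n",
		"notes.txt":          "restore drill\n",
	}
	for rel, body := range sample {
		check(writeFile(filepath.Join(src, filepath.FromSlash(rel)), []byte(body)))
	}
	expected, err := BuildManifest(src) // hash at the source, before anything is backed up
	check(err)
	for rel, body := range sample { // stands in for the backup product's own restore step
		check(writeFile(filepath.Join(dst, filepath.FromSlash(rel)), []byte(body)))
	}
	if tamper {
		check(writeFile(filepath.Join(dst, "hr", "roster.txt"), []byte("alice,bob\n")))
		check(os.Remove(filepath.Join(dst, "notes.txt")))
		check(writeFile(filepath.Join(dst, "finance", "stray.tmp"), []byte("x")))
	}
	got, err := BuildManifest(dst)
	check(err)
	return VerifyRestore(expected, got)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func main() {
	m, c, e := RunRestoreDrill(true)
	fmt.Printf("missing=%v changed=%v extra=%v\n", m, c, e)
}
```

Run it with go run and the tampered drill reports exactly one file in each of the three lists; a clean drill reports none. Against a real product, keep BuildManifest and VerifyRestore, replace the copy loop with the product's restore into a scratch path, and schedule the check, so that "the backup job ran" and "the backup restores" remain two separately verified facts.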


3. Set up corporate-wide encryption

Encryption is one of the most powerful ways to keep data safe from prying eyes, protecting both networks and physical hardware that is regularly carried by traveling employees.

Conduct an inventory of all network-attached assets and find an encryption solution that will secure them. This will most likely require multiple solutions from different vendors: full-disk encryption for the laptops that travel, for example, and transport or database encryption on the server side. When testing, make sure the solution can recover keys or reset passwords without losing access to data, and make sure the recovery keys themselves are escrowed under tight access control: a recovery key that unlocks every device is exactly what an attacker wants.

4. Create a “living” corporate security document

The best way to coordinate various security efforts is to put together a policy in a “living” document. This document can be said to be “living” in that it is never final, is always being updated, and evolves and changes over time. Some of the issues covered in this document might include password management, network access control, encryption and enforcement procedures.

To create this document, it is necessary to review various corporate security models and explain how important this documentation is to both executives and employees. Once this has been established, make sure the document is updated regularly.

5. Train employees on best practices

With a corporate security document in place, it is crucial that employees from the reception desk to the C-suite understand its significance and are familiar with the guiding policies. This is particularly important in the area of Bring Your Own Device (BYOD) and in keeping antivirus protections up to date.

Further, employees should understand the risks inherent in sending and receiving unencrypted emails, clicking on email links and opening attachments. All of these activities leave organizations at risk for social engineering hacks. Schedule regular training to ensure employees are aware of current threats and risky behavior.

6. The BYOD dilemma

Perhaps nothing presents a bigger threat to organizational security than the proliferation of personal electronic devices and their increasing presence in corporate offices. Unfortunately, these devices often don’t follow strict security guidelines and may provide hackers with a path to sensitive data.

With this in mind, security professionals should create a “living” BYOD policy and make sure everyone understands and agrees to follow its dictates. It is also necessary to train employees about the potential security holes inherent in free apps on their personal electronic devices.

7. Deploy breach prevention

The bad news is having a firewall and antivirus programs in place is only 5 percent of the battle. The other 95 percent can be covered with breach prevention tactics such as internal intrusion prevention devices, anti-malware gateways, anti-phishing email systems and others. The best breach prevention system will document and mitigate risk, especially serious vulnerabilities. It will also provide network access control and quarantine high-risk, rogue and infected devices.

 

Many thanks to my partner Gary Miliefsky, CEO of SnoopWall, for providing information shared in this blog.

For more details, see our white paper, 7 secrets to offensive security.

This article originally appeared in Network World.
Image credit: Thinkstock

Michelle Drolet featured in WBJ: Building Walls and Breaking Barriers

Michelle Drolet, CEO of Towerwall in Framingham, is an innovative thinker. Never one to shy away from looking at new factors that come into a situation with an open perspective, she has a few things she’s learned about good management and good leadership along the way.

First, she delegates more.

“When I first started, it was all about internal, and we had to do it all. As I’ve gotten older, I’m able to hand things over and say, ‘We can’t do that well, but I know they can do that well,'” Drolet said.

Secondly, she works hard to be a support for other women, involved with groups such as the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program. She has three daughters and is personally mentoring a woman on the brink of a career change.

Third, Drolet, with a deep respect of the business acumen and talent of her team, admits when she’s wrong. She says she is the first one to say she’s sorry.

“We take responsibility and never play the blame game here,” she said, creating what she hopes is an empowering environment as the company readies for growth and adds a new vertical market.

Hackers, Inc.

With five full-time, on-site employees, much of the Towerwall team is virtual, Drolet said.

Towerwall works to keep hackers out: it attempts to break into clients’ systems itself, then helps remediate the weaknesses it finds. Drolet herself has been in the field of information security for more than 20 years. That is about as long as the company has been trusted as a security partner by the municipal government of New England’s second-largest city.

“Drolet’s integrity, professionalism and expertise in network and data security continues to guide us in safeguarding the city’s data,” said Eileen Cazaropoul, deputy chief information officer for city of Worcester.

Towerwall also specializes in regulatory compliance in fields like health care and banking, which carry potential fines for non-compliance.

How Towerwall got to where it is today – with major clients like Smith & Wesson, Boston College and David’s Bridal – is a telling narrative of Drolet’s tenacity and achievement. Where it’s headed is a story of her ability to recognize opportunity.

Drolet founded a company called CDG Technologies in 1993, sold it in 1997 and remained part of the team.

She didn’t agree with the direction in which the company was headed, so in 1999, she bought it back and named the company Towerwall. The company’s new strategic plan, meanwhile, involves not only repackaging some of Towerwall’s current client services but expanding into a new, much-talked-about compliance space: cannabis.

Business opportunity: marijuana

Cannabis is a new regulation vertical for Towerwall, said Drolet. It’s still being assessed, and deciding to delve into the industry took some serious consideration.

Drolet said when all positives and negatives were considered, she and her team concluded that from a strategic standpoint, it made sense.

“It’s exactly what we do with everything else,” she said, “to help organizations do what they are supposed to do, consistently.”

Although marijuana companies are not supported by the federal government, they still must comply with rules of federal agencies. It’s one of the most-regulated industries out there, she said.

“What we want to do is help Massachusetts be a gold standard,” Drolet said.

Expanding technical prowess

She foresees more hires at Towerwall and the addition of more tech resources in the coming year.

In the meantime, Drolet keeps up on her industry with various LinkedIn groups and listening to customers and consultants. She is also new to Twitter. She writes regular articles on cyber security for Network World – where her blog Infosec at Your Service can be found – and for InfoSecurity magazine.

Drolet makes it a point to reach back to the next generation on a larger scale as well as in a more personal way. She has earned citations from State Sen. Karen Spilka (D-Worcester) and former State Sen. David Magnani (D-Framingham) for her involvement with the community. She works with organizations such as Mass Bay Community College Foundation and Middlesex Savings Bank.

“It’s all about a hand up, not a handout. With the MassBay Community College Foundation, we’ve gone from 30 to over 250 scholarships,” Drolet said. The work has fostered strong relationships between the college and the business community.

For the past few years, she has organized a MassBay information security summit. The college will offer a cyber-security associate’s degree this fall.

“I try and help everyone understand what they can bring to the table,” said Drolet.

By Susan Shalhoub

This article was featured in the Worcester Business Journal >