Great Lakes Computer Corporation

Managed Service Provider

Bob Martin

By

Hurricanes and Hackers – Are You Disaster Ready?

disaster recoveryThreats to your business come in many forms, from Hurricane Florence threatening the East coast to Harvey in Accounting opening an infected email. While there are many steps you can take to reduce your exposure, it’s almost impossible to prevent disaster completely. Your best move is to have a response plan in place to help you recover as quickly as possible. And it just so happens to be National Preparedness Month, so we’ve got some tips to help you out.

From the United States Computer Emergency Readiness Team (US-CERT):

National Preparedness Month is a good opportunity to assess your emergency preparedness. While general preparedness is essential to getting through an emergency related to a natural disaster, the same is true of preparing for a cyber-related event, such as identity theft or a ransomware infection.

NCCIC encourages users and administrators to be prepared in case of a cyber-related event by regularly backing up files, keeping digital copies of important documents somewhere other than your computer (e.g., in the cloud), and regularly running antivirus scans.

Learn more about individual and family emergency preparedness at Ready.gov. For additional resources on preparing for and responding to unexpected cyber-related events, see Ready.gov/Cybersecurity and the following NCICC Tips:

Great Lakes Computer offers a wide range of Data Security services to protect your data.

We take your data protection seriously. We offer services from cyber security threat prevention to detection to remediation. We can help ensure you data is safe and your systems are healthy. Our newest offering is Security Operations Center as a Service (SOCaaS), which gives SMBs access to enterprise level threat monitoring and detection through the cloud. Learn more by clicking below.

Learn about Our SOCaaS Program

By

What the Three Little Pigs Can Teach Us about Cybersecurity

SOCaaSLast night, as I was putting my kids to bed, I read them the classic children’s story, “The Three Little Pigs”. And you know what it got me thinking about—cybersecurity.

Probably everyone in the audience is familiar with the tale, but I’ll lay out the basics just so that we’re all on the same page.

Our story starts with three little pigs—small, plump, delicious, and utterly opposed to being eaten. The three little pigs each build a house—the first pig out of straw, the second out of sticks, and the third out of bricks.

Then the wolf shows up. It asks the first pig for permission to enter; the first pig (sensibly) refuses, and so the wolf huffs and puffs and blows the house down. Pig numero uno flees, curly tail between its legs, to the house of the second pig—only for the wolf to follow it there.

The stick house is no more huff-and-puff-proof than the straw house, and so soon enough pigs one and two are running for their lives again. They hole up with pig three, the one with the brick house. The wolf comes knocking, and after the pigs refuse him entry, he huffs and puffs once more—but the house of bricks holds firm!

The wolf then gets it into his head to come in through the chimney. But the pigs hear him coming, boil a big pot of water in the fireplace, and when the wolf comes in, they catch him in the pot and cook and eat him. (It’s a pig-eat-wolf world out there.)

Now, what does any of this have to do with the state of cybersecurity?

Well, the way I see it, the house of straw represents an unsecured network and its systems. This is the old way of doing things, the early intranets. There was no need to protect anything, before cybercrime was a meaningful threat! Even nowadays you can find a handful of organizations that haven’t put any thought into securing their networks—but usually a big bad wolf comes along pretty quickly and shows them the error of their ways.

The next house, the house of sticks, represents a network environment that’s using point security solutions. An individual stick is much stronger than an individual piece of straw. In the cybersecurity world that might mean the use of endpoint security, best practices for controlling traffic to and from specific servers, limited port access, and so on.

The problem for our pigs is that the individual sticks don’t provide any real security. Real security comes from the house—from the integrated environment formed by your network, servers, and systems. No single security tool can protect you, unless it’s part of a seamless, comprehensive security solution.

That brings us to the house of bricks. Now, bricks are stronger than sticks or straw. But the real strength in a brick house is in the design: an interlocking set of components that leave no gaps for an attacker. In the cybersecurity world, that would be a comprehensive security strategy, including a solution that monitors all relevant tools and correlates their data.

But even the brick house wasn’t enough to stop the big bad wolf. In the face of robust security, the big bad wolf changed tactics: it targeted the vulnerable opening of the chimney.

The cybersecurity parallels are impossible to ignore.

If you want to protect your computer from hackers, there’s one foolproof way to do it. Take out the WiFi card and the Bluetooth antenna; get into the USB ports with a plier and really mess them up. Stick a carrot in the Ethernet port. I guarantee you you’ll never catch another virus from your email again.

Of course, you’ll never read another email again, either. At the end of the day, we need to keep our computers attached to our local and global networks—the value of network operations exceeds the risks. But when we’re networked, a smart attacker—like a big bad wolf—will be able to identify our vulnerabilities and go after them.

That brings us to the final piece of the cybersecurity fable: active monitoring. When the big bad wolf couldn’t huff and puff his way into the house of pigs, he didn’t give up. But the pigs didn’t let themselves become complacent either. They watched and they listened. When they heard his feet coming up the roof—when they detected early indications of compromise—they prepared an active response, isolating and defending the threat vector.

No matter how carefully you build your house, attackers are still prowling around outside. Sooner or later, one of them will recognize a vulnerability, and move to exploit it. You need to be prepared for that day, ready to identify early signs and act swiftly to deny access to your systems and data.

Great Lakes Computer and Arctic Wolf can help you live securely ever after.

Great Lakes Computer provides expertise in remediation and repair of infected IT. Arctic Wolf provides single pane of glass visibility into your security solutions—and the dedicated security engineers to stand guard, day and night. Together, we’ll help you build your house of bricks—and when the wolf comes through the chimney, we’ll help you get ready underneath, with a nice, boiling pot.

Learn about Our SOCaaS Program

*This blog was originally published on Arctic Wolf.

 

By

Ohio Data Protection Act Just Passed. What Does It Mean for You?

ohio data protectionOhio legislatures just passed the Ohio Data Protection Act, which gives companies a safe harbor in the case of a data breach.  Companies that adhere to the NIST Cybersecurity Framework will be entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of Ohio or in the courts of Ohio and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.

For your business that means if you take steps to protect your data, you may be protected from claims against you in event of a breach.

Here are the details, from a blog post by Tucker Ellis LLP:

On August 3, Ohio Governor John Kasich signed the Data Protection Act, which provides a safe harbor against data breach suits to businesses maintaining recognized cybersecurity programs. The Act will go into effect on November 2, 2018. Ohio businesses of all sizes and industries should be aware of this new law given the significant legal and reputational risks and costs associated with data breaches.

Businesses taking reasonable cybersecurity precautions that meet certain industry-recognized frameworks will now be afforded a “safe harbor” against tort claims alleging that a failure to implement reasonable cybersecurity measures resulted in a data breach concerning personal or restricted information. See Ohio R.C. 1354.02(D)(2) (effective November 2, 2018). While the safe harbor does not immunize an entity from liability, it does aid businesses that adopt recognized frameworks to protect personal information. It is step forward for both businesses and consumers whose personal information is at risk.

The Data Protection Act, which creates R.C. 1354.01 to 1354.05, is the first piece of legislation introduced as a result of Ohio Attorney General Mike DeWine’s CyberOhio Initiative. The Act was introduced as an effort to encourage businesses to take steps to protect their customer data and minimize costly data breaches by maintaining a cybersecurity program that reasonably conforms with enumerated industry-recommended frameworks. See Ohio Senate Bill 220 (S.B. 220), Section 3(A); R.C. 1354.01 to 1354.05.

Safe Harbor Details

In order to trigger this safe harbor, an entity must adopt cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud. R.C. 1354.02(B). But it is not a one-size-fits-all approach. Instead, the scale of the cybersecurity program should be based on the organization’s size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security, and the resources available to the organization. R.C. 1354.02(C).

The entity’s cybersecurity measures must also “reasonably conform” to one of the industry-recognized frameworks listed in R.C. 1354.03. These frameworks include the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR § 164.302, et seq.) for healthcare-industry businesses regulated by HIPAA, and the Safeguards Rule of the Gramm-Leach-Bliley Act (16 CFR § 314.1, et seq.) for certain financial institutions. R.C. 1354.03.

The Data Protection Act requires businesses to assert this safe harbor as an affirmative defense and establish that its cybersecurity program reasonably conforms with an applicable framework. Although the burden of proof remains with the entity asserting the defense, the Act expressly states that it does not create a minimum cybersecurity standard or impose liability upon businesses maintaining cybersecurity practices that are not in compliance. See S.B. 220, Section 3(B).

Legal Recognition of Blockchain Transactions

The version of S.B. 220 signed by Governor Kasich also includes certain terms of Ohio Senate Bill No. 300, known as the Uniform Electronic Transactions Act. The amendment gives legal effect to transactions, signatures, or contracts secured by blockchain technology by defining these transactions as “electronic records.” Blockchain technology refers to a digital ledger where information, or “blocks,” are connected to each other through written code known as “chains.” The information is held on a decentralized register that is regularly updated and is considered incorruptible. With this amendment, Ohio is one of the most recent states to pass legislation recognizing signatures and smart contracts secured by blockchain technology as legal documents.

No Changes to Breach-Reporting Obligations in Ohio

The Data Protection Act does not affect Ohio’s current notification laws. Entities adopting one of the safe harbor’s cybersecurity frameworks must still provide notification of data breaches involving Ohio residents. See R.C. 1349.19. The specific notification requirements can be found at R.C. 1349.19, but they generally require notification to Ohio residents no later than 45 days following the discovery or notification of the breach, subject to certain exceptions for legitimate law enforcement needs and “consistent with measures necessary to determine the scope of the breach.” Id. 1349.19(B)(2). Section 1349.19 does not apply to HIPAA-covered entities and financial institutions that have their own notification requirements under federal law.

What Can Ohio Companies Do to Take Advantage of the Data Protection Act?

No business is immune from the threat of a data breach. Time alone will test the effectiveness of the Act at protecting consumer data and minimizing data breach costs, but the new safe harbor defense reflects a step in the right direction for Ohio businesses and consumers alike. This new defense provides Ohio businesses the opportunity to evaluate the personal information they create, receive, maintain, and transmit, as well as the program they have in place to protect that information. Businesses should first consult their latest data-mapping and system inventories to understand how information is flowing through the organization and then decide how it should be secured. Businesses should also examine the administrative, physical, and technical security controls they currently have in place and to what extent their overall security program conforms with the cybersecurity frameworks listed in R.C. 1354.03. In doing so, a business may take into account what is reasonable given the organization’s size, revenues, the resources available to it, and the sensitivity of the information it maintains. Because data breaches can happen even if a business adopts strong cybersecurity measures, all businesses should also have a tested incident response plan in place so it is ready in the unfortunate event of a breach.

Great Lakes Computer Corporation can help you with cybersecurity.

We offer a wide range of data security services and products that can ensure you’ve taken the “reasonable” cybersecurity measures necessary to qualify for the protections offered under this act. Call us today to discuss your data protections.

Learn about Our Cybersecurity Program

Contact Us