(866) 251-4459 support@compnetsys.com
Risk Analysis vs. Gap Analysis

Risk Analysis vs. Gap Analysis

The government, as well as other stakeholders and interested parties, have emphasized the importance of following the laws and regulations on cyber security. With the ever-growing increase in cyber security threats, these regulations have become imperative.

All organizations, both large and small, must ensure they take the necessary steps to prevent, reduce the risk, and mitigate the effects of cybercrime. The terms ‘risk analysis’ and ‘gap analysis’ are used often when considering appropriate steps to take to ensure cyber security. An analysis of the definition and impact of these terms is therefore important to understand their difference and applicability.
Definitions
It is currently a legal requirement, pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the accompanying Privacy, Security, and Breach Notification Rules that cover entities and their business associates to protect electronic health information. These institutions are required to put in place appropriate measures to ensure the security of this information.
Risk analysis, as the name suggests, consists of steps taken to analyze the risks that an organization or an industry faces. In terms of cyber security, risk analysis is composed of researching and discovering the risks associated with a particular organization or industry; for instance manufacturing firms. After discovering the specific risks, the person conducting the analysis looks at the level of exposure. In this regard, the person will examine the likelihood of each specific risk affecting the organization and grade them in ascending order, from the most serious threat to the least serious. The aim of risk analysis in this regard is to make users aware of the greatest risks they face. The ultimate goal of risk analysis is to empower organizations at risk to protect themselves from cyber theft with the goal of reducing risks to a reasonable and appropriate level.
Gap analysis, on the other hand, takes place mostly after risk analysis has been conducted.  The aim of gap analysis is to determine the level of preparedness and protection that an organization has in place. This piece of information is then analyzed so as to reveal whether adequate steps have been taken to completely protect these organizations from cyber-crimes. Gap analysis is thus geared towards discovering the shortfalls of the procedures in place. This gives the organization a picture of where they’re at in terms of best practices. They can then take steps to adopt better procedures.
Requirements for risk analysis
Risk analysis, while required by the rules, does not have to be conducted using any specific method. This means that those affected are at liberty to choose whatever techniques they deem appropriate. Whatever the method, risk analysis must consider all the potential dangers that electronically protected health information (ePHIL) might be exposed to.
Entities are required to identify all the locations and information systems where the data to be protected was created, received, maintained and even transmitted. This list takes into consideration the mobile devices, electronic media, and communications equipment. The risk analysis system is also required to identify and to document potential threats and vulnerabilities.
The next step to be taken by the risk analysis is to access the current security measures that have been put in place by the organization. In so doing, the firm is required to document how effective the firm’s current controls are. This is to be followed by an assessment of the current risks facing the firm or the organization. This will enable the entity to gauge which risk is greatest and to what extent the entity is protected against the risk. The firm conducting the risk analysis should then document these findings. This provision is not a requirement under the security rules. However, for future reference, it is important the information obtained from the risk analysis be documented. Finally, the entity should ensure that it conducts frequent periodic reviews and updates.
Conducting gap analysis
Gap analysis is not a requirement under the HIPAA rules. Entities, however, are advised to conduct periodic gap analysis as a follow-up to the risk analysis or at the same time with the risk analysis. Gap analysis, if well conducted, enables the entity to discover the extent to which the protective measures it has undertaken are effective. Having explained the difference between gap analysis and risk analysis, it is important to note that while gap analysis is critical for proper protection, conducting a gap analysis does not satisfy all requirements under the security rules. Organizations are required to conduct a risk analysis, but a gap analysis can provide helpful information.
Final thoughts
In this day and time, an organization can’t be too careful with their data, especially those who hold sensitive health information for patients. The news laws include serious penalties for those who are not careful enough. In addition, patient confidence can be diminished when an organization is careless with handling health records.

Challenges Law Firms Should Be Ready To Face In 2018

Challenges Law Firms Should Be Ready To Face In 2018

A critical skill that an aspiring lawyer must possess is commercial awareness. One particularly important aspect is to demonstrate a comprehensive understanding of the market in which these law firms work. At the end of the day, any firm is just a business like all the others and therefore, it should react similarly to the changes made in the industry.
fpar
A law firm should capitalize on new opportunities that pop up while also working on overcoming the obstacles so that it can stay ahead of other law firms. The year 2018 brings about a new set of challenges that law firms should work on if they wish to thrive in this globally competitive sector. Below, we cover three of the major issues that law firms will be facing this year:
Cybersecurity
Cybersecurity is becoming a big issue, and hackers have started to target an increasing number of institutions. For instance, there was a ransomware hack back in 2017 that threatened numerous organizations in more than 150 countries across the globe.
Hackers target law firms since they possess exceptionally confidential and valuable information that hackers can use for monetary purposes. Sensitive information that law firms possess include patents, bank information, trade secrets, and in some cases, government secrets as well. One key task for law firms is to make sure that the client’s data is protected at all times. However, with the increasing number of threats, as well as the complexity of the attacks, security has become a great challenge.
Failure to protect the data adequately can cause two major problems. Firstly, law firms can face claims of negligence and claimants can argue that law firms are negligent about taking care of data. They can also argue that law firms have breached the contract that stated they would carry out services with reasonable care and skillfulness.
Secondly, when looking from an economic and business perspective, it can undermine the reputation of the firm.
The solution to this challenge is to choose only top-of-the-line security. This year, firms should make security their top priority. An attorney must make sure that the firm itself, as well as third-party vendors, adhere to advanced industry standards to guarantee that a secure environment is maintained. They should follow practices such as conducting training with users regarding best security practices, never storing data on personal devices, and multi-factor authentication.
Incorporating technology
Technology also plays a big factor in determining how employees work in law firms. Due to technological advancements, efficiency has increased such that the time lawyers spend on a task is reduced.
While technology that enables lawyers to become more productive has been evolving for a number of years, the underlying problem is that firms usually have many people working for them that may not be well-trained. This failure has led to data breaches and ransomware attacks when employees take certain actions that allow cyber thieves inside. Training for all employees must be ongoing. People get busy and forget, then make careless mistakes. Monthly training sessions can raise awareness.
Though some security solutions promote unrealistic and lofty expectations, simple monthly training has proven to be very effective.  Human error is most often the reason why a law firm’s network is infected with a virus or worm.
The easy solution for this problem is mandatory monthly security training. People can be readily taught exactly what to look for in emails. A security professional can explain how phishing scams work. Better informed employees are far less likely to click on a suspicious link that downloads a deadly ransomware attack.
Helping users accept change
Implementing change is difficult because humans are just naturally resistant to change. Research suggests that 70% of initiatives taken for organizational change do not achieve their target. While there are numerous factors that can be blamed for this failure, employee resistance is the biggest one, contributing to 39%. While change is often not welcome, it is definitely possible. Employees must understand the reason for these changes. They must fully grasp the cost of one single breach.
Employees once resisted new technology as well, but today, people seem to enjoy learning about all the new robotic gadgets being invented. Users of new technology or changes to security should be fully involved from the beginning. The key is to keep it simple. The management is responsible for communicating their expectations and explaining to the staff why the change is critical.
Once employees understand why new security measures have been put in place, they should be fully on-board. After all, if a law firm experiences a huge breach that costs millions, it will affect everyone that works at the firm. Jobs could be lost, along with damage to the firm’s reputation.
Each year brings new challenges with it. Though new technology is often viewed with some trepidation, the end result is that law firms will be able to get more done with fewer resources. This can improve the bottom line and help a firm move ahead of the competition. Whether you’re dealing with new security challenges or a new content management system, face the challenge head-on.

Better Get Ready – The GDPR Goes Into Effect May 25, 2018!

Better Get Ready – The GDPR Goes Into Effect May 25, 2018!

What Is It?  What Do We Need To Know?  What Should We Do?
First step:  Watch our training session on GDPR – Click Here
If you don’t know what the GDPR is, and if you’re not ready for it, you’re going to get caught short because this is a legal deadline and it’s coming up fast. The General Data Protection Regulation goes into effect May 25, 2018.  It’s a privacy law that the European Union is enforcing to protect the personal data businesses collect. Even if your business is outside of the EU, you must comply.

What is the GDPR?
The GDPR affects all internet business worldwide. It’s a very complex law, so we can’t explain everything here. We’ve provided some resources below that you should check out.  Keep in mind that there are many gray areas where this law is concerned. So, you should do some research to determine how the law affects your organization’s unique situation.
The GDPR is an internet privacy law. All businesses, small or large, and even entrepreneurs who do business on the Internet with consumers located in the European Union need to be aware of how the law affects them.
It doesn’t matter if your company is inside the EU, or anywhere else in the world– If you do business with anyone in the following countries, you must comply with this new law by May 25th:

Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
Netherlands
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
United Kingdom

The GDPR is a consumer data protection law. It ensures that individuals can:

Access their personal data.
Export their personal data.
Correct errors in their personal data.
Object to the processing of their personal data.
Erase their personal data.

The GDPR applies to the acquisition, processing, and storage of personal data – from initial gathering to final deletion of this data and every point in between. It applies specifically to personal data and anything that pertains to identifiable data such as:

Names
Email Addresses
Physical Addresses
Phone Numbers
Birthdate
Age
Sex
Race
ID Numbers
Nationality
Citizenship
Marital Status
Family Data
Health Data
Physical Characteristics
Profile Pictures
Occupation
Employment History
Income
IP Addresses
Cookies
(and more)

This could be information you collect automatically from Google, an opt-in, or other collection methods online – anything that would identify an individual.
How Will The GDPR Affect My Business?
If your business has a website or an email list, you may be affected.
The GDPR affects any business relationship or transaction whether commercial or free where one or more of the entities are in the European Union. It’s not based on citizenship, rather location.  Any business within the EU must comply with the GDPR across its entire audience. If your business is in any of the 28 European Union Member States, you must comply with the law if you conduct a transaction with anyone located anywhere. If your business is located in the U.S. and you collect data about any business or person in the EU, you must comply with the GDPR.
How Should We Prepare For The GDPR?
There are three requirements you must meet before May 25th.
Controls and Notifications

Protect personal data using appropriate security.
Notify authorities of personal data breaches.
Obtain appropriate consents for processing data.
Keep records detailing data processing.

Transparent Policies

Provide clear notice of data collection.
Outline processing purposes and use cases.
Define data retention and deletion policies.

IT and Training

Train privacy personnel and employees.
Audit and update data policies.
Employ a Data Protection Officer (if required).
Create and manage compliant vendor contracts.

Some Examples
Before the GDPR:
Let’s say you offer a whitepaper or free video to people online. Before the GDPR, your prospect provided their information, you gave them the freebie, and the consent was assumed because they accepted your gift.  Pretty easy, right?
After the GDPR:
You can no longer assume that their consent is given if they accept your gift. Now you must specifically obtain their consent. It must be given freely, specifically, and be unambiguous. Nor can you require them to give their consent to receive the gift.
Note: This new standard applies to all of your existing lists. Beginning May 25th, you can no longer send marketing emails to anyone who hasn’t given their precise consent for you to keep their personal information.  Plus, you cannot go back and ask them for their consent. You’ll need a stand-alone system to do this.
What Can We Do To Comply With These Strict Rules?
This is important. You must do this BEFORE May 25, 2018.
Compliance/Preservation
Step 1. Segment your email mailing lists into two parts.

Non-EU subscribers
EU-based subscribers and any unknowns

You want to continue to build goodwill with your Non-EU contacts so reach out to them as you would have before.  The EU-based and unknowns you’ll need to re-engage with. Here’s what we mean:
Step 2. Re-engage EU-based and Unknowns.

Before emailing them, add additional value and content to your website.
Then send them a link to your website and request their specific consent to keep their personal information.
Set up a system to migrate those who give consent over to it.
On May 24, 2018, you must delete anyone in this group who hasn’t consented. 

Remember, storing and deleting their information is considered processing. That’s why you must do this BEFORE May 25th.
Breach Notification Requirements
The 2018 GDPR replaces the old Data Protection Directive of 1995. The most recent GDPR breach notification requirement was enacted in April 2016.  It set a higher compliance standard for data inventory, and a defined risk management process and mandatory notification to data protection authorities.
Breach notification is a huge endeavor and requires involvement from everyone inside an organization. In-house tech support and outsourced Technology Service Providers should have acquired a good understanding of the consequences a data breach causes and the data breach notification requirements for their organization.  They must be prepared in advance to respond to security incidents.
The Following Are Additional Steps You Should Take To Prepare Your Technology Before May 25th  
Your Technology Solutions Provider Can Help

Perform a thorough inventory of your personally identifiable information, where it’s stored–in onsite storage or in the Cloud. And determine what geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for any-sized organization. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.”  This is a concept that was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your Tech Company makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.

Resources To Check Out For More Information
The European Commission’s website regarding the GDPR:
https://ec.europa.eu/info/law/law-topic/data-protection
Wikipedia
General Data Protection Regulation
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
Information from the service vendors you use:

Mail Chimp
Salesforce
Google
Microsoft

These and other services have GDPR-centric web pages with helpful information that impacts your relationship with them, how they handle processing, and how they can help you comply with the new regulations.
Get going now. There’s a lot to do before May 25th!

New Microsoft Excel Data Visualization Features That Experts Are Excited About

New Microsoft Excel Data Visualization Features That Experts Are Excited About

There is no denying how critical Microsoft Excel is for day-to-day data processing and visualizations across organizations. Still, many users are not as familiar with the complete functionality of this handy tool as they could be. Today’s users say they have a fairly good knowledge of Excel and yet Microsoft adds new features each year to make it even more useful. Most companies simply don’t have a decent Excel training program to keep their employees up-to-date on the latest new spreadsheet features.
The most recent version of Microsoft Excel – both on traditional offline Office platforms and the cloud-based environment Office 365 – have new charts that introduce a whole world of data visualization.
You’ll be happy to know that Excel opens in your web browser just like Word, OneNote, PowerPoint, and PDF documents – making it a breeze for you to work with your data in the cloud.
The new Excel charts that were recently added are pretty handy. It is well worth knowing how and when to utilize them. This guide will walk you through three of the best to be released this year.
Waterfall charts
Businesses and organizations always seek to understand their finances better so that they can make their revenue projections more effective. It is critical for them to assess how profits and losses play out at different financial periods. One way to quickly understand and communicate these sets of financial data is through the visualization of financial statements. This is where Waterfall Excel charts come in.
Waterfall charts allow you to quickly illustrate the line items available in your financial data in a manner that provides a clear picture of how each item impacts your bottom line. They help make it easier to understand the cumulative effect of positive and/or negative values that are sequentially introduced.
You could use a Waterfall chart to illustrate how the negative and positive values in your data cumulatively affect the totals or final value such as net income, for instance.
Normally, the outlays or losses that occur throughout the business period should appear as negative integers, while profits or gains are stipulated as positive figures in the Waterfall chart.
Here are some revenue data from the Seattle Art Museum that we will use in our illustration:
To create a Waterfall chart, select your data and head to the ‘Insert’ tab on the Excel ribbon. From there, navigate to the Charts section and click the Waterfall icon.
Once you do that, Excel inserts a Waterfall chart for you, with all the values in the dataset you selected.
Suppose we select the positive values above (first data set); Excel will automatically detect that these are all positive values and color them green as follows:
Notice however that Excel does not identify the last value (Total Operating Revenue) as a total; that’s why it has calibrated it with the same green color.
To resolve that issue, double-click on that total and check the box marked “Set as Total” in the Format Data Point pane that appears.
You’ll see that this action immediately updates the chart, changing the color of the total value from green to grey, reflecting that all the other values colored green actually accrue to that total.
If we follow the same procedure for the Total Operating Expense (second set of data), our final Waterfall chart would look something like this:
Treemaps
Treemaps are great for showing relationships between sets of data. They use colors to create a contrast between the data sets so that you can capture the information on a Treemap at a glance. Let’s use these ticket sales data from the Seattle Art Museum to illustrate what we’re saying:
As you can see, all the ticket sales have been divided into either online or onsite subcategories and the many different classifications of ticket types. By so doing, we are indicating to Excel how we want to organize our chart.
To create the Treemap chart, we have to first select our entire data, then head to the ‘Insert’ tab on the Excel ribbon, and navigate to the hierarchy map symbol. Click the symbol to automatically insert a Treemap chart showing different relationships between online and onsite ticket sales broken down by ticket type.
Map charts
Map Charts help you draw comparisons of values and show how categories compare across different geographical regions. This is to say you may use map charts only when your data have geographical regions included.
A map chart, for instance, would help us visualize the geographical distribution of revenue from the ticket sales above.
To create a Map chart, we would select our data, tap the Insert button and click the map symbol.
This automatically inserts a chloroplast chart with the selected data geographically distributed in it. We can further customize the chart by double-clicking the legend and using the options on the Format Legend Entry menu.
Conclusion
Graphical representation can be quite helpful when it comes to making comparisons of various sets of data or when you want to pinpoint a trend at a glance. With good knowledge of these charts, you have even more tools in your arsenal to take on any data analysis project.

2018 Security Breaches Indicate That Cybercrime Is On The Rise

2018 Security Breaches Indicate That Cybercrime Is On The Rise

Cyber breaches have become the norm across the United States and in many parts of the world. Regardless of the size of your company or your budget for security, your company could be at risk. This has caused rapid growth in the cybersecurity industry. According to Forbes, this market will reach 170 billion dollars by the year 2020.

Some of this growth is being fueled by the advancement of new technology in cloud-based applications, the Internet of Things, and the increase in the number of computers and mobile devices. However, much of it is being initiated by the constant onslaught of cyber-attacks at home and at work.
Biggest Data Breaches of 2017
During 2017, there were actually hundreds of data breaches in the US, though the public only heard about a fraction of those.
The Equifax hack topped the list with a devastating breach that affected 145 million customers. It stunned the public, proving once again, that no one is out of reach of hackers. With each passing breach, hackers refine their techniques so that more consumers are affected and even more extensive damage is done.
The financial data for over 3 million customers was compromised in the Hitachi Payment Services malware hack. This was reported in February 2017 and eventually led to a massive decline in credit card use. Hitachi suffered damage to their reputation and loss of profits and revenue.
Regardless of how many attacks there are, they continue to have the same effect on the public. Cyber breaches cause consumers to be leery of doing business with the company. People stopped buying products from Target stores right after that breach. The cost to Target was substantial. Breaches damage a company’s brand name and cost millions to resolve in many cases.
Worldwide Data Breaches
The largest leak in the world, known as the Big Asian Leak, exposed the personal information of 185 million customers. Though the names, addresses, passcodes and some financial information was stolen by hackers, most of the Asian companies who were hacked refused to admit they’d been breached and most refused to comment as well.  The stolen data was eventually offered for sale on the dark web by an online vendor known as “DoubleFlag.”
In the US, consumers expect companies to be fully transparent when a breach does occur. They expect certain steps to be taken to avoid future attacks. Sometimes this happens and sometimes it doesn’t. Company leaders tend to think that if they’ve already been hacked once, there’s very little likelihood that it will happen again. There’s no solid proof to indicate that this is true. Hackers search for easy targets; companies with weak, ineffective cybersecurity.
How data breaches for 2018 are shaping up
The last few years have shown a few definite trends. For instance, in 2015 and 2016, businesses were targeted 40.1 percent of the time with the healthcare industry a close second at 35.4 percent. In 2017, there were a total of 868 cyber breaches with businesses and health care agencies the main targets.
Major businesses across the country have stepped up their security on every level and yet 2018 has already proven to be a busy time for hackers.  A new trend involves cyber thieves looking beyond computers and phones for targets. They’ve discovered a whole world of unsecured devices, such as medical devices, educational and government organizations, and other vulnerable technology.
A new study shows that only 51 percent of all companies monitor and analyze their security information on a regular basis. About 45 percent subscribe to some type of intelligence service, while only 52 percent said they used high-tech intrusion detection systems. These numbers indicate a troubling trend. Only about half of all American companies are actually taking their cybersecurity seriously enough.
Ransomware attacks are on the rise as well. In some cases, the cyber thieves do not ask for much money. They demand smaller amounts like $1900 or $4,500. This strategy makes it far more likely that a business will pay the ransom. It’s just more prudent to pay those smaller amounts than to call in the authorities or security experts to resolve the issues.  Below are a few of the major cyber-attacks that have occurred for 2018.
Cyber Breaches and Ransomware Attacks January 2018
Several Indiana hospitals reported ransomware attacks. In one instance, the hospital paid $55,000 to thieves but reported that no data was stolen. The San Diego Office of Education reported a breach of employee retirement data. It was discovered that an unknown number of email addresses were leaked from MailChimp. National Stores, Inc. reported that some financial data from an unknown number of its credit card users was leaked.
WordPress continued having major issues with cyber thieves who were secretly placing crypto-mining code on the computers of its users. This code is designed to run in the background on a user’s computer without their knowledge for the purpose of mining cryptocurrency.  A major embarrassment to Kansas officials, it was reported that the Kansas Secretary of State website accidentally leaked the last four digits of hundreds of Kansas state government workers.
Cyber Breaches and Ransomware Attacks February 2018
The City of Allentown, PA was crippled by a malware attack that has to date cost at least one million dollars. Both financial and public safety systems were attacked. In a phishing attack, 50,000 Snapchat users had their log-in credentials stolen. A hospital in Tennessee revealed that 24,000 of its past patients may have been exposed to crypto-mining attacks.  Both Chase and Hometown Banks revealed that customer data may have been compromised due to skimming/shimming devices placed at ATM machines.  A dangerous T-Mobile bug was responsible for hackers being able to highjack the accounts of T-Mobile customers.
Cyber Breaches and Ransomware Attacks March 2018
In March, the city of Atlanta reported various government systems were down due to a ransomware attack. Several schools and hospitals reported malware and ransomware attacks that shut down their systems for indefinite periods of time. Some data was compromised in these attacks. Other hospitals reported that employee email accounts were hacked leaking confidential patient information. Even the National Lottery Association reported the loss of log-in info for over 10 million players. Emails were sent out instructing players to change their passwords. A point-of-sale breach occurred at some Applebee’s Restaurants exposing the credit card information of its patrons.
Cyber Breaches and Ransomware Attacks April 2018
April was a busy month for hackers. Over 72 million records were leaked in a long string of ransomware, malware and data breaches. The most notable included Sears Stores, Delta Airlines, K-Mart and Panera Bread. A service that connects handymen with customers called TaskRabbit had to shut down its website and suspend use of its app due to a massive data breach. SunTrust admitted that a former employee had stolen the customer data of 1.5 million customers. A data search service called LocalBlox reported that 48 million records were left accessible on the Internet. The data included personal info, as well as psychographic data used by marketing agencies.
Moving into the Future
Though the numbers are not out yet for May, experts believe that there will continue to be massive data leaks, ransomware attacks, malware attacks, and cyber breaches. Cyber thieves refine their strategies with each passing month. Consumers and business owners must stay on top of the activities of cyber thieves. Experts recommend hiring security experts to gauge how effective your cybersecurity is and recommend methods to improve it. The best defense continues to be a strong offense.