Ransomware On The Rise | Cybersecurity


Ransomware is malware that denies victims access to their own data, usually by encrypting it, and demands a payment (the ransom) in exchange for a promise to restore that access.

A new wave of ransomware attacks hit in 2021.

 

This blog contains the following information:

  • Ransomware Statistics
  • Five Of The Largest Ransomware Payouts
  • How Does A Ransomware Attack Work?
  • What Factors Contribute To The Success Of A Ransomware Attack?
  • Who Are Most At Risk Of A Ransomware Attack?
  • Ransomware Assault On A German Hospital Results In The First Death
  • Prevention Of Ransomware Attacks
  • How Can databrackets Help You In Mitigating The Threat Arising From Ransomware?

 

Ransomware Statistics

  • It’s estimated that a business falls victim to a ransomware attack every 14 seconds
  • From 2013 to 2016, the primary ransomware variants reported were CryptoLocker and CryptoWall
  • In 2017 and 2018 that shifted to WannaCry and SamSam
  • In late 2018 and early 2019, the primary ransomware families were GandCrab and Ryuk
  • 68,000 new mobile ransomware Trojans were detected in 2019

 

 

 

Ransomware Will Remain The Number One Threat

  • The average ransom payment per incident is on the rise:
    • 2018 – $4,300
    • 2019 – $5,900
    • 2020 – $8,100

  • The average cost of ransomware-caused downtime per incident:
    • 2018 – $46,800
    • 2019 – $141,000
    • 2020 – $283,000
  • Businesses lost around $8,500 per hour to ransomware-induced downtime
  • Ransomware attacks have cost U.S. healthcare organizations $157 million since 2016
  • Individual ransoms demanded of roughly 1,400 clinics, hospitals, and other healthcare organizations ranged from $1,600 to $14 million per attack
  • Global damage caused by ransomware grew from $11.5 billion in 2019 to $20 billion in 2020.

(Source: https://purplesec.us/resources/cyber-security-statistics/ransomware/)

 

Five Of The Largest Ransomware Payouts

A few years ago, few people had heard of ransomware (crypto-locker software). Cybercrime is now worth an estimated £10 billion per year to criminals and is viewed as one of the major dangers to companies, institutions, and critical services.

In dozens of cases each month, companies are locked out of their files and pressured into paying exorbitant ransoms. Demands for decryption keys at the time of writing were in the neighborhood of £100,000 (about $140,000), payable in bitcoin.

Below we review five of the largest recorded ransomware payments.

 

University of California San Francisco ($1.14 million)

According to reports, a month-long negotiation with criminal hackers ended with the University of California San Francisco (UCSF) paying $1.14 million in bitcoin in June 2020 to unlock its systems.

In response to the original ransom demand, the institution countered with an offer of $780,000; the two sides eventually settled at $1.14 million.

While the negotiations proceeded, network administrators isolated and ring-fenced a number of systems, which kept the malware from reaching the UCSF core network and causing further damage.

Travelex ($2.3 million)

Travelex’s IT department spent New Year’s Eve 2019 dealing with a ransomware infection while most people were celebrating. The currency exchange company was only able to restore its internal systems after paying a reported $2.3 million ransom. In the meantime, staff had to work with pen and paper, severely delaying the few operations that could still take place, and numerous UK banks that work with the company had to turn away customers trying to order foreign currency.

Brenntag ($4.4 million)

Chemical distribution firm Brenntag paid a $4.4 million ransom in bitcoin to the DarkSide ransomware group to obtain a decryptor for its encrypted files and to stop the attackers from publicly releasing stolen data. The attack hit Brenntag’s North American division. As is typical of this double-extortion model, the threat actors stole unencrypted data from the network before encrypting devices. An anonymous source told BleepingComputer that the DarkSide gang took 150GB of data during the attack; the gang’s leak page listed the categories of data stolen and showed screenshots of some of the files.

Colonial Pipeline Co ($4.4 million)

Around dawn on May 7, 2021, an employee found a ransom note from the attackers on a control-room computer, and the operator of Colonial Pipeline knew it was in trouble. A difficult decision had to be made that day by the company’s CEO. Joseph Blount sanctioned a ransom payment of $4.4 million because management was unclear about the extent of the intrusion and how long it would take to restore the pipeline.

The attackers had exfiltrated documents from the company’s shared internal drive and demanded roughly $5 million for the decryption key and the return of the data. The malware was DarkSide ransomware, produced by a cyber-criminal group believed to be based in Russia. After the payment was made, the FBI worked with Colonial Pipeline to trace the bitcoin and recover the funds, CNN reported at the beginning of the month.

Officials said Colonial Pipeline’s prompt notification of federal authorities allowed investigators to identify the virtual wallet used in the transaction and recover most of the money. According to investigators, the DarkSide hackers would not “see a cent” of the ransom.

 

CWT Global ($4.5 million)

CWT Global, a US travel services firm, paid $4.5 million in bitcoin to the Ragnar Locker ransomware group in July 2020.

Two gigabytes of data were allegedly stolen, including financial records, security documents, and employee personal information such as email addresses and payment data.

Remarkably, both parties negotiated in a public, anonymous chat room.

After the ransomware group demanded $10 million, anyone following the negotiation could observe how CWT Global handled the situation.

Replying on behalf of the organization’s chief financial officer, the company’s representative said that COVID-19 had badly hurt CWT Global and that it could not pay what the attackers wanted.

The parties agreed on a little less than half of the initial demand, $4.5 million in bitcoin, which was still one of the largest ransomware payments publicly reported at the time.

 

How Does A Ransomware Attack Work?

Ransomware is malware built for profit, and it relies on the same modern encryption that protects legitimate data. Algorithms in use today, such as the Advanced Encryption Standard (AES), are not practically breakable, so once files are encrypted with a properly generated key there is no shortcut to recovering them.

As a result, companies are denied access to mission-critical files and data.

This is what compels individuals and organizations to pay: once data has been encrypted by one of these algorithms, the only way to read it again is with the corresponding decryption key, which only the attacker holds. In practice most families encrypt each file with a fresh symmetric key and then encrypt those file keys with the attacker’s public key, so the key needed for decryption never exists on the victim’s machine in recoverable form.

The malware has to get onto the machine first. Spear-phishing email is one of the most popular delivery methods: a Word document with a malicious macro (or some similar technique) downloads and runs the ransomware.

The same social-engineering playbook is used for other fraud, for example when criminals posing as C-level executives ask executive assistants to transfer money or buy gift cards.

Once the ransomware is running on the machine, it begins encrypting the user’s files. Exactly what it encrypts depends on the variant. Some variants encrypt everything except the files needed to keep the operating system running, so that the victim can still see the ransom note and pay.

In other cases the attacks are more focused, targeting specific files that are likely to be valuable to the intended victim(s).

After the initial infection, many ransomware variants try to propagate to additional systems. WannaCry spread primarily by exploiting a vulnerability in the Windows SMBv1 service (MS17-010, the “EternalBlue” exploit), while many contemporary variants look for removable media (such as USB drives), attached devices, or file servers and network shares to spread their infection.

The malware then displays a ransom note to the user. The wording and layout vary from one family to the next, but these notes generally demand a ransom in bitcoin in exchange for the decryption key and decryption software.

Ransomware-as-a-Service (RaaS) has also contributed to the expansion of the ransomware industry. Less technically skilled criminals can buy ransomware kits or services from the developers and use them to launch attacks against targets of their choosing.

Ransomware developers profit from this because it lets far less competent criminals carry out attacks, typically in exchange for a share of each ransom.

 

What Factors Contribute To The Success Of A Ransomware Attack?

Ransomware attacks succeed because they are simple and have an immediate psychological impact on the target. They can infect almost any type of system (laptops and desktops, mobile devices, IoT, routers, cloud storage, and so on) and deny the owner access to the data stored on it.

Because sophisticated ransomware kits are readily available on the dark web, this form of attack is very profitable for threat actors. Healthcare providers are among the most susceptible and worst-affected sectors, for two reasons:

1. Personal health information (PHI) can fetch hundreds of dollars per record and is frequently resold to a variety of threat actors.

2. Healthcare security programs are often driven by compliance rather than by sound security hygiene.

A vulnerability scan, for example, reports Critical, High, Medium, and Low findings. Critical and High findings are usually prioritized, but the Medium and Low findings can be just as dangerous: left unaddressed on a printer, a piece of medical equipment, or another connected device, they give a threat actor an initial foothold from which to move into the rest of the network.

Looking ahead to 2021, there are no signs of ransomware slowing down. On the contrary, new variants tailored to particular industries, such as education, mining, transportation, and energy, are widely expected.

 

Who Are Most At Risk Of A Ransomware Attack?

Previously, ransomware attackers chose a “quantity over quality” strategy. Outbreaks like WannaCry tried to infect as many machines as possible and demanded a modest payment from each.

However, attackers discovered that this approach was not cost-effective. Acquiring bitcoin and sending it to pay a ransom is unfamiliar to the ordinary user.

As a consequence, attackers either did not receive ransoms or had to spend time on “customer support”, which cut into their earnings.

The current ransomware threat mostly targets larger businesses and demands a higher ransom from each target. Typical targets include:

 

 

 

• Transportation: the trucking industry has been a significant target because it cannot afford ransomware-related delays

• Legal Firms: following a ransomware attack, a Providence-based law firm lost access to its data for three months

• Dental Practices: approximately 100 dental clinics were affected by a ransomware attack on an IT services provider

• City/Municipal Administrations: in 2019, ransomware struck over 70 state and local governments

• Hospitals: ransomware attacks have forced hospitals to turn away patients

• Industrial Sectors: the Snake (EKANS) ransomware specifically targets industrial control environments

 

Ransomware Assault On A German Hospital Results In The First Death

In what was reported as the first death directly connected to a cyber attack on a hospital, a ransomware attack hit Duesseldorf University Hospital in September 2020. Because the hospital could not accept emergency patients during the attack, a woman needing urgent care was taken to a clinic about 20 miles away, the Associated Press reported.

According to the German broadcaster RTL, the hospital was not the intended target: the ransom note was addressed to a nearby university. Once police contacted the attackers and told them they had shut down a hospital, they withdrew the demand and handed over the decryption key.

 

Prevention Of Ransomware Attacks


 

Ways to minimize or avoid a ransomware attack include educating users, automating backups, minimizing the attack surface, establishing an incident response plan, deploying endpoint monitoring and protection throughout the network, and securing ransomware insurance. Ransomware that reaches online backups encrypts them along with everything else, so offline and offsite copies provide an extra layer of protection.

By the time the ransom note appears, the files are already encrypted; a compromised PC cannot be rescued at that point. The attack has to be prevented, or caught, beforehand.

In 2017 and 2018 the vast majority of ransomware attacks are estimated to have been untargeted. Since 2019, attackers have increasingly targeted larger companies able to pay larger ransoms.

In these attacks, attackers infected and encrypted endpoints and spread across the network, often causing hundreds of thousands, if not millions, of dollars in damage to the business.

Education and Training for Users

Many kinds of malware, including ransomware, spread through phishing and other forms of social engineering. Training users to recognize these lures reduces the risk of infection.

Automated Backups

Ransomware extorts victims by charging them to regain access to their own files. With recent backups available there is no reason to pay. Remember that backups reachable from the network can themselves be encrypted, so offline and offsite copies provide an extra layer of security. Test restores regularly; a backup that has never been restored is not known to work.

Reduce the Attack Surface

Ransomware frequently gets in through known vulnerabilities, exposed services such as RDP, and built-in tooling such as PowerShell. Keeping systems patched, antivirus up to date, and unnecessary services disabled (and not exposing RDP directly to the internet) reduces the attack surface.

Incident Response Plan

Responding quickly and correctly in the aftermath of a ransomware attack is critical. Having a plan in place ensures the IT/security team handles a suspected incident appropriately.

Monitoring and Protection for Endpoints

Detecting the malware early makes it feasible to stop an outbreak before too much harm is done. Monitored endpoints should be able to detect a possible infection and stop it in its tracks.
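The following is an added example, not code from the original post or from any vendor’s product. It ties together two points made above: in “How Does A Ransomware Attack Work?”, that properly encrypted files are unrecoverable without the key, and here, that an endpoint monitor can catch an infection in progress. Because ciphertext is statistically indistinguishable from random bytes, its Shannon entropy sits near the 8 bits/byte maximum, far above documents, spreadsheets or source code. One process rewriting many files to near-maximal entropy with a changed extension in a short window is an encryption burst. The event shape, the process and file names, the threshold (ENCRYPTED_THRESHOLD) and the per-process count (MIN_FILES) are all constructed or assumed for this example.

```python
"""Spotting ransomware-style mass encryption from file-write telemetry (stdlib only)."""
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass


ENCRYPTED_THRESHOLD = 7.5   # bits/byte; ciphertext and random data score ~7.9+ (assumed tuning)
MIN_FILES = 5               # suspicious writes by one process before alerting (assumed tuning)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant data) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """High entropy alone is not proof: JPEGs, ZIPs and other compressed formats
    also score high, which is why the caller combines this with an extension
    change and a per-process count."""
    return len(data) >= 256 and shannon_entropy(data) >= ENCRYPTED_THRESHOLD


@dataclass
class WriteEvent:
    """One file write/rename as an endpoint agent might report it (constructed shape)."""
    process: str
    old_path: str
    new_path: str
    content: bytes


def extension_changed(ev: WriteEvent) -> bool:
    return os.path.splitext(ev.old_path)[1].lower() != os.path.splitext(ev.new_path)[1].lower()


def is_suspicious_write(ev: WriteEvent) -> bool:
    return extension_changed(ev) and looks_encrypted(ev.content)


def detect_encryption_burst(events, min_files: int = MIN_FILES) -> dict:
    """Return {process: count} for processes with at least min_files suspicious writes."""
    per_process = Counter(ev.process for ev in events if is_suspicious_write(ev))
    return {proc: n for proc, n in per_process.items() if n >= min_files}


# --- constructed sample data --------------------------------------------------

def fake_ciphertext(length: int, seed: int) -> bytes:
    """Deterministic stand-in for encrypted output: SHA-256 run in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


SAMPLE_PLAINTEXT = b"Quarterly revenue by region, FY2020. Totals reconciled against the ledger. " * 40

SAMPLE_EVENTS = [
    # six documents rewritten as high-entropy blobs with a new extension by one process
    *[WriteEvent("payload.exe", f"C:/Users/ana/Documents/report{i}.docx",
                 f"C:/Users/ana/Documents/report{i}.docx.locked", fake_ciphertext(2048, i))
      for i in range(6)],
    # normal editing: same extension, readable content
    WriteEvent("WINWORD.EXE", "C:/Users/ana/Documents/notes.docx",
               "C:/Users/ana/Documents/notes.docx", SAMPLE_PLAINTEXT),
    # a saved photo: high entropy (compressed image body, simulated) but same extension
    WriteEvent("explorer.exe", "C:/Users/ana/Pictures/img.jpg",
               "C:/Users/ana/Pictures/img.jpg", fake_ciphertext(4096, 99)),
    # a user renaming a file: extension changed, but the content is plain text
    WriteEvent("explorer.exe", "C:/Users/ana/Documents/todo.txt",
               "C:/Users/ana/Documents/todo.md", SAMPLE_PLAINTEXT),
]

if __name__ == "__main__":
    print(detect_encryption_burst(SAMPLE_EVENTS))  # {'payload.exe': 6}
```

Only the process that rewrote six files to near-random content under a new extension is reported; the Word edit, the photo and the manual rename each fail one of the two tests. In production the same logic would also key on canary files and on the rate of writes per second, and an alert would trigger process termination and network isolation of the host.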

Insurance Coverage for Ransomware

Getting the business back up and running after a ransomware attack can be very expensive. Insurance can reduce the cost a company bears, although it does not replace the controls above.

 

How Can databrackets Help You In Mitigating The Threat Arising From Ransomware?

Our mission is to assist organizations in developing and implementing practices to secure data and comply with regulations.

With several years of experience in IT and industry verticals, databrackets is your perfect partner for your Cybersecurity, audit, and compliance needs.

databrackets maintains an educational and transparent approach to our customers’ data security and compliance obligations. Using our safe and user-friendly platform, our team of specialists assists you in understanding your choices and developing a bespoke solution tailored to your business’s needs in the most effective manner. We invest in your long-term success so you may run your business without stress. Some of our programs and services, mostly in the Cybersecurity and Privacy Audit, Compliance, Certifications & Attestation Areas, include CMMC, SOC 2, and MFA, which are outlined below and will assist clients in combating threats and preventing attacks by keeping systems safe and secure.

 

Security Standards Can Be Enforced by CMMC

The Cybersecurity Maturity Model Certification (CMMC) has been under development as a compliance standard for some time. Building on DFARS and NIST SP 800-171, CMMC will require DoD contractors to implement and maintain a range of security controls depending on the type of data they store or access.

In the last several months, a further requirement was introduced: contractors must also attest that they are working toward CMMC certification. This came about because many organizations were not adopting these security practices in good faith.

The goal of CMMC is a more uniform security standard across the US defense supply chain.

 

Services for Security Operations Centers (SOC) Will Mitigate Cyber Attacks

A Security Operations Center (SOC) provides real-time monitoring, detection, and response so that cyber attacks can be contained or prevented as they occur. A SOC gives a business a comprehensive, centralized view of its security posture.

Centralized asset visibility, cross-departmental collaboration, and broad situational awareness also reduce the cost of security.

With the rapid growth of cloud services in recent years, SOC capabilities are more accessible today than in the past, and the need to bring security within reach of smaller businesses has driven their expansion.

Note that a Security Operations Center is distinct from SOC 2, the AICPA’s System and Organization Controls audit framework. With our trained privacy and security specialists, together with our CPA partners, we can help your business meet SOC 2 audit criteria efficiently and cost-effectively.

 

Multi-Factor Authentication Use Will Step Up Security

Multi-factor authentication (MFA) is generally considered a baseline requirement for sound authentication. The second factor can be delivered by SMS or phone call, generated by an authenticator app, or held on a hardware security key, and these options are not equally secure.

In November 2020 Microsoft urged customers to stop using phone-based MFA (SMS and voice calls) and to move to app-based authenticators and security keys instead.

One-time passcodes sent by SMS travel as plain text through the carrier network; SMS has no end-to-end encryption. An attacker who takes over the phone number (a SIM swap) or who relays the login page through an automated man-in-the-middle phishing proxy can therefore read the one-time code and use it within its validity window.

Online banking is one of the most exposed sectors because authentication is often still done by SMS. According to a recent study, a large financial fraud operation compromised 16,000 devices and caused over $10 million in losses.

Given this danger, companies will increasingly opt for app-based MFA, such as the time-based one-time passwords (TOTP) generated by Google Authenticator and similar apps. We also strongly advise using a hardware MFA device such as the YubiKey: unlike SMS and TOTP codes, which can still be relayed by a real-time phishing proxy, FIDO2/WebAuthn keys bind each authentication to the site’s origin and cannot be phished in this way.
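To make concrete what an authenticator app does differently from SMS, here is an added example (not code from the original post) implementing TOTP as standardized in RFC 6238, which is what Google Authenticator and similar apps generate. The code is derived on the device from a shared secret and the current time, so no code is ever transmitted through the carrier network. Only the Python standard library is used. The RFC 6238 Appendix B test vectors (secret "12345678901234567890", SHA-1, 8 digits, 30-second step) are embedded so the implementation can be checked offline; the drift window and replay handling in verify_totp are this example’s own design choices, not part of the RFC.

```python
"""RFC 6238 TOTP with a server-side verifier (stdlib only)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, now: float, last_used_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matched counter, or None.

    - Accepts the current step and +/-window neighbours to absorb clock drift.
    - Refuses any counter <= last_used_counter, so a code captured in transit
      cannot be replayed within its validity window (the caller stores the
      returned counter per user).
    - Uses hmac.compare_digest so response timing does not leak how many
      digits matched.
    """
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the secret as Base32 (otpauth:// URIs)."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def current_code(b32_secret: str) -> str:
    """What the app would display right now for a Base32-encoded secret."""
    return totp(secret_from_base32(b32_secret), time.time())


# RFC 6238 Appendix B test vectors, SHA-1 column (8 digits).
RFC6238_SECRET = b"12345678901234567890"
RFC6238_VECTORS = {
    59: "94287082",
    1111111109: "07081804",
    1111111111: "14050471",
    1234567890: "89005924",
    2000000000: "69279037",
    20000000000: "65353130",
}


def self_check() -> bool:
    """True if every RFC 6238 vector is reproduced."""
    return all(totp(RFC6238_SECRET, t, digits=8) == c for t, c in RFC6238_VECTORS.items())


if __name__ == "__main__":
    print("RFC 6238 vectors reproduced:", self_check())
    print("Current code for the RFC secret:", current_code("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
```

Two things the server side must get right are visible here: the shared secret has to be stored as carefully as a password (anyone holding it can mint codes), and each accepted counter must be recorded so the same code is not honoured twice. Neither protection stops a real-time phishing proxy that relays a freshly typed code to the genuine site within the 30-second window, which is why hardware FIDO2 keys remain the stronger choice.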

To learn more about the services, please visit www.databrackets.com.

 

 

HIPAA Doesn’t Ban Questions About Your Vaccination Status

Think About It! Who Has The Right To Question Whether You’ve Been Vaccinated?

Kindergarteners, tourists on exotic holidays, healthcare professionals, and Ellis Island immigrants all have something in common.

The majority of them had to show that they would not accidentally transfer potentially fatal diseases to others. They couldn’t start school, fly, work in a hospital, or start a new life in America if they didn’t have these documents.

So, why has the COVID-19 vaccination become a hotspot for controversy about “vaccine passports,” medical privacy concerns, and individual rights violations?

Institutions rarely have the authority to compel you to be vaccinated. Still, if you want to work somewhere specific or have others supply you with services (schools, companies, or travel, for example), they may have the authority to ask for proof of vaccination.

Vaccination – Let’s Take A Look At The Smallpox Legacy

The 1918 influenza pandemic has received a lot of attention because of its resemblance to the COVID-19 pandemic and because masking and reduced public gatherings were able to “flatten the curve” of cases. Medical historian Howard Markel coined that phrase after examining the effectiveness of preventive measures in 1918 and 1919.

However, Markel claims that the history of smallpox is a better analog for vaccine privacy. Before it was eliminated in the late 1970s, that illness tormented humanity for thousands of years, killing one in every three persons who contracted it.

Unlike the past mandated smallpox vaccine requirements, no one is claiming that all Americans must get vaccinated against COVID-19.

In 1905, the Supreme Court (Jacobson v. Massachusetts) upheld the authority of health officials to enforce smallpox vaccination.

 

Fine, What Has HIPAA Got To Do With Vaccination Status?

While some people may be hesitant to disclose their vaccination status, no legislation prohibits companies, employers, or anyone from asking.

As the Centers for Disease Control and Prevention (CDC) continues to loosen safety restrictions for people fully vaccinated against the coronavirus and the country reopens, many businesses, employers, families, and friend groups find themselves in the awkward position of having to ask about others’ vaccination status.

The use of HIPAA as a justification for avoiding disclosing vaccination status is frequently an “impulsive reaction” that “soon gets converted into a statement that seems like law.”

HIPAA, also known as the Health Insurance Portability and Accountability Act of 1996, and the Privacy Rule that followed it include safeguards to prevent a person’s identifiable health information from being disclosed without their knowledge or agreement.

However, the legislation only applies to certain health-related entities: health plans, healthcare clearinghouses, healthcare providers, and their business associates.

That implies that if a friend, favorite restaurant, or grocery shop shared confidential health information with you, they would not be in violation of HIPAA since they aren’t “covered entities.” However, other federal and state privacy regulations may force employers and schools to secure your personal information.

 

No, HIPAA Doesn’t Apply To Employers, Businesses Asking For Vaccination Status

It’s one of the biggest questions about the guidance from the Centers for Disease Control and Prevention: Who is and isn’t allowed to ask if you’ve received the COVID-19 vaccine?

HIPAA, the Health Insurance Portability and Accountability Act, restricts covered entities such as healthcare providers from disclosing your medical information without your authorization, outside of treatment, payment, and healthcare operations.

But does it stop your employer? Your employer is not a covered entity, so HIPAA does not apply. That means your employer can ask whether you have been vaccinated and, subject to disability and religious accommodation rules, can require you to get the vaccine.

But what about private businesses?

Nothing about HIPAA prevents a business from asking if you’ve been vaccinated or even denying you entry if you refuse to answer.

One potential legal gray area is an employer asking why someone hasn’t been vaccinated. More than 40 states across the nation have introduced legislation to ban mandates that require getting the vaccine.    

 

According to experts, there are very few, if any, cases under federal rules in which businesses, airlines, schools, or even entities covered by HIPAA are forbidden from requiring you to disclose your vaccination status or produce your vaccination card. What HIPAA does prohibit is your healthcare provider revealing your vaccination status, without your authorization, to someone who asks for it.

Under HIPAA, a doctor is not permitted to divulge that medical information without the patient’s permission.

Employers are also permitted by law to ask about or demand proof of immunization from their workers. The Equal Employment Opportunity Commission, which enforces federal anti-discrimination rules in the workplace, said in a December 2020 advisory that “there is no indication that the employer asking this question would be violating any federal law.” If an employer’s efforts to find out why a worker did not get vaccinated elicit information about a disability, however, that might be a violation.

 

Other Examples Of “Vaccination Proof” Requirements

So if your friend posts on social media about being vaccinated against COVID-19 and you tell someone else that you saw it, you are not violating HIPAA, because you are not a covered entity. Your friend may be annoyed, but you are not breaking the law.

It would be a HIPAA violation if the nurse who gave your friend the injection took a photograph of her and posted it on a personal social media account without your friend’s written authorization. Nurses are trained in the law, and if they breach it, they and their employers face fines and public scrutiny. Hospitals that require patients to be tested for COVID-19 before receiving further treatment are another example. If the patient tests negative, treatment proceeds; if positive, and the treatment is not urgent, physicians may opt to wait. If a patient refuses to be tested at all, non-urgent treatment may likewise be postponed.

 

The Misuse Of HIPAA

HIPAA is one of the country’s most misunderstood healthcare legislation. Only a few individuals truly get what it means. They believe it provides full health information privacy safeguards in all instances, whereas it does not.

HIPAA only applies to specific types of organizations, such as your doctor, hospital, or other healthcare providers. It does not apply to the ordinary individual or to a company outside the healthcare industry. Nor does it protect you from having to divulge your own personal health information.

A person cannot simply assert that they have a HIPAA “right” to enter a company or an enclosed place without wearing a mask.

If a public health order in the state, county, or city requires mask-wearing indoors, businesses have the right and the legal responsibility to enforce it, and they may be penalized if they don’t.

 

Is It Necessary For Me To Respond?

No, you have the option of not disclosing your immunization status. However, if you choose not to reveal, experts say there will almost certainly be consequences.

Private enterprises that serve the public are not prohibited by federal law from requiring personnel and customers to get vaccinated.

While they can’t reject service because of color or gender, there’s no regulation that says “companies can’t discriminate based on your COVID-19 vaccination status during the epidemic.”      

 

About databrackets

databrackets is accredited to ISO/IEC 17020 by the American Association for Laboratory Accreditation (A2LA) for Cybersecurity Inspection Body Program (Certificate Number: 5998.01)

databrackets received accreditation by the International Accreditation Service (IAS) to provide ISO/IEC 27001 certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.

databrackets certified privacy and security professionals could help your organization comply with a range of Certifications and Compliances that include HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDFS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

To learn more about the services, please visit www.databrackets.com

Some of The Most Vulnerable Industries To Cyber Attacks

Cybercrime Statistics

These are the data compiled based on the public sources from the cyber-attack timelines that have been reported so far in 2021.

  • Cybercrime was the motivation in 86 percent of recorded attacks (85.82 percent in Q1 2020)
  • Malware continues to lead the Attack Techniques chart at 32.3 percent (37.8 percent in Q1 2020; note that many ransomware attacks are recorded as “Unknown”)
  • “Multiple industries” topped the Target Distribution chart at 16.7 percent

(Source: https://www.hackmageddon.com/)

Some of the Most Vulnerable Industries to Cyber Attacks

Although cybercriminals rarely discriminate, some industries are more exposed than others. Here are some of the industries and sectors most vulnerable to cyber attacks and breaches.

Let’s first look at the latest attack, on May 7, 2021, which hit the headlines as the “Colonial Pipeline attack.”

 

Pipeline

In the United States, there are more than 2.7 million miles of pipeline. Hazardous liquids such as crude oil, diesel fuel, gasoline, and jet fuel are transported over a distance of approximately 216,000 miles. There are currently around 3,000 pipeline firms.

Colonial Pipeline, a privately held company, is one of the country’s largest pipeline operators, supplying nearly 45 percent of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. According to the corporation, it transports approximately 100 million gallons of fuel a day from Texas to New York.

On May 7, 2021, Colonial Pipeline announced that it had been forced to shut down operations due to a cyberattack and freeze IT systems.

According to reports, this action “temporarily froze all pipeline operations,” and cybersecurity firm FireEye, which runs the Mandiant cyber forensics team, was called in to help.

What did happen was that Colonial Pipeline’s networks were hit by a ransomware attack linked to the DarkSide organization.

The initial attack vector was not known at the time. It may have been an old, unpatched vulnerability in a system, a phishing email that fooled an employee, the use of previously leaked access credentials bought or obtained elsewhere, or any of the other techniques criminals use to get into a corporate network. Mandiant’s subsequent investigation attributed the entry to the compromised password of a legacy VPN account that did not require multi-factor authentication. It is worth noting that the DarkSide operators targeted corporate IT systems rather than operational systems, suggesting that the objective was to make money rather than to bring the pipeline down.

DarkSide is a Ransomware-as-a-Service (RaaS) group that supplies its own brand of malware to affiliates on a subscription basis. The ransomware was, at the time, in version 2. According to IBM X-Force, once deployed the malware steals data, encrypts systems using Salsa20 for the file contents with RSA-1024 protecting the file keys, and executes a Base64-encoded PowerShell command to delete volume shadow copies, so that Windows cannot roll files back to earlier versions.
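The encoded PowerShell step described above is worth detecting directly, because a rule that only looks at the visible command line never sees the words “shadow copy”. The following is an added example, not code from the original post or from IBM X-Force: it decodes the argument of powershell.exe -EncodedCommand (Base64 of UTF-16LE text) and matches both the raw command line and the decoded script against common inhibit-recovery indicators (MITRE ATT&CK T1490). The sample lines are constructed to look like the “Process Command Line” field of Windows event 4688, and the indicator names are this example’s own.

```python
"""Catching encoded PowerShell that deletes volume shadow copies (stdlib only)."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of the switch: -e, -ec, -en, -enc, ... -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Inhibit-recovery indicators, matched against the command line and the decoded script.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wmi_shadowcopy_object": re.compile(r"Win32_ShadowCopy", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # not valid Base64/UTF-16LE: do not guess, just report nothing decoded


def inspect_command_line(cmdline: str) -> dict:
    """Decode any encoded payload and report which indicators fire on line + payload."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    matches = [name for name, pat in RECOVERY_INHIBIT_PATTERNS.items() if pat.search(haystack)]
    return {"encoded": decoded is not None, "decoded": decoded, "matches": matches}


def scan_log(lines):
    """Return [(index, matches)] for every command line with at least one indicator."""
    flagged = []
    for i, line in enumerate(lines):
        result = inspect_command_line(line)
        if result["matches"]:
            flagged.append((i, result["matches"]))
    return flagged


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument; used here only to construct the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# --- constructed samples -------------------------------------------------------
SAMPLE_PAYLOAD = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
SAMPLE_LOG_LINES = [
    "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(SAMPLE_PAYLOAD),
    "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "powershell.exe -ExecutionPolicy Bypass -enc " + encode_powershell("Get-Date"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: {', '.join(names)}")
```

The first two sample lines are flagged (one after decoding, one in the clear); the encoded Get-Date and the plain script invocation are not, which shows that encoding by itself is only a weak signal and the decoded content is what matters. Real deployments would also watch PowerShell Script Block Logging (event 4104), where the decoded text is already available, and alert on any shadow-copy deletion that is not part of a scheduled backup job.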

At the time of the attack, supply-shortage concerns pushed gasoline futures to their highest level in three years. Demand rose, but drivers were urged not to panic-buy, as that could drive up prices that had already risen six cents per gallon in the previous week because of the pipeline disruption.

With normal operations adversely impacted,  the nation will likely see fluctuations and possibly a rise in prices owing to demand in fuel supplies over affected regions within the US.

On May 13, Bloomberg reported that the company had paid a ransom of nearly $5 million in exchange for a decryption key.

What should the Pipeline companies do to comply?

Indeed not another “check-the-box” compliance regime: the Department of Homeland Security is, for the first time, moving to regulate cybersecurity in the pipeline business.

Officials said DHS’s new cybersecurity rules for pipeline companies are just the “first step” in a “multi-pronged” effort to prevent a repeat of the disruptive Colonial Pipeline ransomware attack. DHS is set to issue the first cybersecurity regulations for pipelines.

Pipeline firms must alert the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours if a hack interferes with or threatens to impair their operations, according to the “Round 1” standards.

According to TSA’s new security mandate, pipeline firms must disclose cyber events to TSA and CISA and have a cyber official — such as a chief information security officer — with a direct line to TSA and CISA to report an attack 24 hours a day, seven days a week. It will also compel businesses to review their systems’ security against existing cyber rules; currently, vulnerabilities are remediated only on a voluntary basis.

Officials said the new guidelines, which are anticipated to be released in the coming weeks, will oblige corporations to remedy any errors and address any shortfalls or face financial penalties. They will signal a significant shift for TSA, which has previously depended on consultation with pipeline firms rather than imposing statutory standards.

Security procedures such as verifying remote network connections on a regular basis are outlined in the current TSA standards. Experts agree that a “performance-based” approach is preferable, stating, for example, that the aim of reviewing such connections is to verify that a hacker cannot break into an industrial control system. According to experts, the aim is to define the company’s core objectives, which allows it to develop and keep up with technology in order to achieve them.

Healthcare

This year, healthcare institutions remain the most vulnerable to cyber-attacks. Last year, data breaches and ransomware attacks cost the industry an estimated $4 billion, accounting for more than four out of 10 breaches.

The healthcare industry is responsible for a great deal of personal information contained in its patients’ medical records. Every year, nearly one million records are compromised. According to the PwC Health Research Institute, these attacks cost an average of $200 per patient, which includes downtime, reputation repair, litigation, and lost business. Preventing such an attack from ever occurring, however, costs only roughly $8 per patient.

Ransomware assaults have also become relatively “popular.” These attacks target the hospital’s vital life support systems, which, if disrupted, can result in the death of a large number of people.

Manufacturing

Manufacturing enterprises (such as those in the automotive, electronics, textile, and pharmaceutical industries) are also particularly vulnerable. Automobile manufacturers were the target of almost 30% of the attacks in this industry, with chemical makers in close second place.

Finance

According to a Clearswift survey conducted in the United Kingdom, more than 70% of financial institutions have been hacked.

According to special research on cyberattacks on US 401(k)s and retirement plans, money that has been unjustly taken from retirement accounts is impossible to recoup.

According to a report on retirement plans, IRA contribution limits increased to $6,000 in 2019, with catch-up contributions of $1,000 for those 50 and over.

Experts predict that, with the plans reaching about $6 trillion this year, they will be increasingly in the crosshairs of criminals, especially since the account holders are considerably less likely to be up to date on current cybersecurity trends.

Institutions are spending a lot of money on cybersecurity these days, making them much safer and less vulnerable than they were previously. J.P. Morgan Chase, Bank of America, Citibank, and Wells Fargo have all put $1.5 billion into cyber protection. As a result, cybercriminals are increasing their investment in their tactics and strategies. Because many smaller businesses in the financial sector don’t have the time or money to invest in cybersecurity, cybercriminals prefer to target them.

Government Agencies

Hackers want to get their hands on data held by government organizations, such as security information, commercial contracts, social security numbers, birthplaces, and digital fingerprints. You’ll be surprised by the number of attacks on the government. According to Info Guard Security, the Pentagon’s five websites have 138 cybersecurity flaws. Since 2006, this number has climbed by 1,300 percent. In just one year, 11 of the government’s 18 high-impact systems were subjected to 2,267 cyberattacks, 500 of which resulted in the introduction of harmful code into their systems.

Although the government believes that rotating its in-house IT team will solve the problem, doing so puts the security of the material in danger. Because of government bureaucracy, which also makes it difficult to swiftly purchase systems that protect against today’s dangers, this isn’t likely to change very soon. As a result, today’s attacks are much more successful than those of the past.

Small and Medium-sized Business

Small enterprises are the target of 43% of cyber attacks. While the media has focused on significant cyber-attacks like Target, Netflix, and financial institutions like JP Morgan, small and medium-sized enterprises have been the most frequently targeted. As a result, 85 percent of small firms want to boost their investment in managed security services.

According to industry analysts, 60 percent of small businesses collapse within six months of a cyber-attack, which can range from phishing schemes to malware attacks. Furthermore, there appear to be some industries that cybercriminals prioritize.

Construction

Phishing is still one of the most common attack vectors used by hackers, making the human factor one of the most vulnerable aspects of a company. According to phishing research, the construction industry is the most vulnerable to phishing assaults of all businesses. Construction organizations are particularly vulnerable to ransomware and malware since highly private designs, blueprints, bids, financial information, and even Personally Identifiable Information (PII) are typically maintained on a single system. Companies that are attacked face long-term implications such as lost sales and negative press coverage, in addition to financial loss.

Retail

Some people are surprised that hackers target the retail industry. However, this mindset encourages retailers to deploy ineffective security measures, making them easy targets for hackers today. These hackers aren’t targeting the retailer’s inventory or orders, but rather the credit card information of their customers, which they maintain on file. Additionally, these retailers are occasionally hacked by competitors who seek to know about their customers’ online behavior to upsell and cross-sell. As a result, this industry sees a lot of sponsored attacks, as well as DDoS attempts during peak business hours.

CEOs’ Concerns About Cybercrime

According to the annual CEO survey conducted by PWC in 2020, cybersecurity is the top concern for senior executives in North America, with half of those polled expressing “severe concern” about their cyber vulnerabilities. Furthermore, organizations are preparing for 2021 cybersecurity dangers as data breaches and attacks become more common, with estimates indicating one every 5 minutes since GDPR legislation went into effect.

Investors and other stakeholders are also putting increasing pressure on businesses. Again, this is the situation with cybersecurity, which many companies have confined to the CIO’s domain when what’s needed is a comprehensive approach to managing corporate complexity while developing a governance and shared-responsibility framework.

Corporate complexity has its drawbacks. The complexity caused by firms expanding their external partnerships to offer digital solutions and layering them onto old IT architecture tends to increase cyber risk. It’s easy to get caught up in the lure of concentrating security efforts on risk dashboards, surveillance, and technology projects. Leaders who are serious about cybersecurity, on the other hand, must embrace simplicity in their strategic discussions about business models, ecosystems, and internal processes.

Cybercrime rise in Europe

Cyber is the greatest threat for CEOs in North America and Western Europe.

CEOs in the asset and wealth management, insurance, private equity, banking and capital markets, and technology industries are most concerned about the cyber threat.

According to a recent estimate by DLA Piper, European businesses experienced 60,000 data breaches in the eight months following the GDPR’s implementation, or one every five minutes. Ransomware assaults are also on the rise, with more than 350% of firms reporting that their security risk has increased significantly since 2017. According to a report by PrivacyAffairs, cyber warfare is on the rise, which implies that enterprises, governments, and consumers must think twice about their data.

The reports appear to be reflected in the media, with recent data breaches reported by Microsoft, Facebook, and even home improvement retailer B&Q. While both Microsoft and Facebook were hacked, B&Q’s shop-theft records were exposed merely because the data was hosted on open-source search-engine technology that had not been configured to require user authentication.

This highlights an often-overlooked truth about data breaches: Although cyber attacks garner greater attention in the media, data breaches are more commonly caused by human error or plain ignorance.

In just eight months, 60,000 data breaches have occurred in European companies.

According to recent estimates, more than 59,000 data breaches have been recorded across Europe since data protection regulations were enacted last year.

According to legal firm DLA Piper, the Netherlands, Germany, and the United Kingdom topped the list of countries with the most reported breaches in the eight months since the new GDPR legislation went into effect.

Public and private organizations in the 26 European countries where data is accessible reported breaches ranging from trivial mistakes like misdirected emails to massive cyber intrusions.

Even DLA Piper was struck by a cyberattack in 2017, during the NotPetya ransomware outbreak, with employees’ access to emails and documents being blocked.

Cybersecurity Solutions

Every industry faces its own set of security issues. Developing and maintaining effective cybersecurity plans necessitates a thorough grasp of a company’s cyber history and threat landscape.

Every business is vulnerable to data breaches, system hacks, virus or ransomware attacks, and cybercriminals gaining unauthorized access to their network’s processing power.

We live in a digital world full of cyber dangers and vulnerabilities on a global scale. For critical infrastructure cybersecurity, both public and private sector security specialists will need to use a highly collaborative and networked platform.

“Securing critical infrastructure is a shared duty — shared by Federal, State, Local, Tribal, and Territorial governments; private organizations; and ordinary citizens,” according to the Department of Homeland Security (DHS). As a result, even on a macroeconomic level, cybersecurity has become a shared responsibility in our daily lives.

Methods for preventing data breaches that have been demonstrated to be effective

Inventory of Assets

An asset inventory can be used to categorize and rate the threats and vulnerabilities that assets might face. Categorizing and rating these vulnerabilities helps to better prioritize the remediation efforts for those assets.

Endpoint protection has become increasingly important as a result of data breaches. Antivirus software alone is insufficient to prevent a big data breach. In fact, relying solely on anti-virus protection leaves endpoints, such as computers and laptops, vulnerable. PCs and laptops might serve as a primary entry point for hackers.

A complete endpoint solution will use encryption to minimize data loss and leakage and enforce uniform data protection standards across all servers, networks, and endpoints, lowering the chance of a data breach.

Vulnerability and Compliance Management

A Vulnerability and Compliance Management (VCM) solution can be used to detect holes, flaws, and security misconfigurations in physical and virtual environments. VCM can monitor your infrastructure and IT assets in real time for vulnerabilities, compliance flaws, and deviations from configuration best practices.

Giving the security team a better understanding of the environment’s vulnerability risks (its threat landscape) and of what needs to be remedied first is one of the benefits that help mitigate a data breach. With good Vulnerability and Compliance Management, establish an action plan to address these vulnerabilities and assign them to the right staff members.

Security Posture Audits on a regular basis

Regular audits will aid in assessing security posture by identifying any new weaknesses in compliance or governance. In comparison to vulnerability assessments or penetration testing, a security audit will provide a more detailed examination of your security procedures. A security audit takes into account the organization’s dynamic character as well as how it handles information security.

Train and Educate Your Employees

After the completion of security policy audits, prepare and put in place a written employee data privacy and security policy. Regular security training will be necessary to ensure that all employees are aware of the newly implemented policies; after all, people cannot follow policies they are not familiar with.

About databrackets

databrackets is accredited to ISO/IEC 17020 by the American Association for Laboratory Accreditation (A2LA) under its Cybersecurity Inspection Body Program (Certificate Number: 5998.01).

databrackets received accreditation from the International Accreditation Service (IAS) to provide ISO/IEC 27001 certification for Information Security Management Systems (ISMS), joining an exclusive group of certification bodies.

databrackets’ certified privacy and security professionals can help your organization comply with a range of certifications and compliance regimes, including HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDFS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

To learn more about the services, please visit www.databrackets.com.

Is HITRUST Worth The Investment?

HITRUST is a non-profit organization that helps the healthcare industry control data protection standards. It’s similar to HIPAA, but instead of being written and implemented by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI-like enforcement system for businesses to adopt.

Why is HITRUST important?

HITRUST is critical to the healthcare industry for a variety of reasons:

In the United States, HITRUST is the most widely used security framework in the healthcare industry. It sets an industry-wide standard for handling Business Associate compliance.

HITRUST is updated daily, keeping healthcare organizations up to date on new regulations and security threats. It is the most frequently updated security framework in use, with periodic updates and annual audit revisions. This ensures that those who follow the CSF work tirelessly to keep their security at a maximum.

Some large payers need HITRUST. On February 8, 2016, five major healthcare payers assured their business associates that they would comply with the HITRUST Common Security Framework within two years. As a result, companies must consider “what HITRUST entails” and “what changes will we need to make to achieve and maintain certification.”

Why is HITRUST Certification more expensive than other security certifications?

One must factor in the detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. This is in addition to the three forms of protection required by HIPAA regulations, the 12 PCI DSS compliance standards, COBIT’s five domains and 37 processes, and the 80-100 controls included in a SOC 2 audit.

The fact that HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and enforcement program is one of the most tangible benefits of the framework. It brings together information management, financial services, technology, and healthcare standards. As a result, businesses will streamline their enforcement processes, resolve security concerns in all sectors, and reduce the time and expense associated with maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control is assessed using the HITRUST Maturity Model, which has five levels.

Throughout this phase, an average of 1.5 hours per control is spent, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope. In most cases, 2,000-2,500 separate data points are examined. The HITRUST CSF certification process covers a lot more ground than any other security evaluation.

Dependability

The HITRUST CSF system was created to give enforcement programs more structure and continuity. Recent enhancements have also sought to increase scoring accuracy over time and between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved as part of its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program, and they must work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. HITRUST CCSFPs have extensive IT compliance and auditing experience. To become accredited, they must complete a training course, pass an exam, and then retain their certification through regular refresher courses. Through this program, HITRUST helps organizations by providing qualified personnel and ensuring the evaluation and certification process is accurate.

The HITRUST Certification Fee

If you’re looking for a ballpark figure, the best guess is $50,000 to $200,000, not including ongoing recertification costs. However, the range is so wide that it is of little use for planning your business.

The cost depends on the assessment’s scope, the organization’s size, the state of its information systems, and the steps taken to prepare for a HITRUST assessment.

What exactly is included in this price?

Direct costs related to:

  • Access to the HITRUST MyCSF® portal and services
  • Conducting and scoring a readiness assessment
  • Conducting a gap analysis, and administering and scoring a validated assessment

Indirect costs incurred as a result of:

  • Employee time spent on participation
  • Recording and updating security data
  • Initial setup
  • Developing corrective action plans and remediation initiatives
  • Assistance locating and submitting necessary documents
  • Other services provided by the HITRUST Approved External Assessor

HITRUST Certification won’t be easy

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority will be unprepared and caught off guard. This is because many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria; they must also be audited by a third party before being approved, and they must be recertified every other year.

Have there been breaches after HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts questioned what it meant to be HITRUST certified, given the sheer scale of the breach.

Is HITRUST worth the investment?

When it comes to HITRUST certification, several businesses are taken aback by the cost. In reality, one of the most common gating factors is the cost of assessment and assessor services. From an investment point of view, the value of HITRUST certification becomes more evident when it is viewed as a medium- or long-term commitment. Still, one must also assess the cost to the business and think about the returns.

Many customers are hesitant to invest in HITRUST because they are afraid of failing. It is not, however, a pass/fail situation.

When considering HITRUST CSF® certification, one of the first questions small and mid-sized companies ask is “how much will it cost?” It’s a serious concern, and it’s well-founded. Budgets are often tight, and data protection is an important investment. And the time and resources required for certification can be considerable.

When clients ask for HITRUST® certification within a specific time period, the advice given is to “take it slowly”.

The cost might be too steep for small and medium enterprises, and for them HITRUST may be perceived more as a cost. For larger enterprises, HITRUST Certification could be seen as an investment rather than an expense. So, it depends.

So, what about the SMEs? Are there no alternatives?

HITRUST certification, according to some security experts, is no guarantee of a strong security policy. They also point out that businesses can consider a variety of other viable security frameworks.

As alternatives to HITRUST, there are other security governance frameworks, such as those from the National Institute of Standards and Technology (NIST), SOC reports (SOC 1, 2, and 3, Type 1 and Type 2), and ISO 27001 certification.

databrackets certified privacy and security professionals can help your organization comply with a range of certifications and compliance requirements, including HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDPS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

databrackets is accredited to ISO/IEC 17020 by the American Association for Laboratory Accreditation (A2LA) under its Cybersecurity Inspection Body Program (Certificate Number: 5998.01).

databrackets has received accreditation from the International Accreditation Service (IAS) to provide ISO/IEC 27001 certification for Information Security Management Systems (ISMS), and joins an exclusive group of certification bodies.

To learn more about the services, please visit www.databrackets.com.

Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

Many organizations are turning to certification authorities and security standards/frameworks to demonstrate adherence to privacy and security best practices for customer data, to show compliance to regulatory bodies, and to build trust with partners and customers. There are several standards, frameworks, and guidance documents that help organizations bring a structured approach to cybersecurity.

databrackets, with the help of its partners and consultants, has compiled the important security standards/frameworks in the industry, based on the practical aspects of considering or adopting them. We also pulled some data from Google Trends to understand more about customers’ interest in the compliance/cybersecurity standards:

Figure: Google Trends search interest in different security standards/frameworks

A quick summary of each of the standards/frameworks used in our comparison:

NIST Security Guidelines: NIST security standards are based on best practices from several security documents, organizations, and publications, and are designed as a framework for federal agencies and programs requiring security measures. In addition, several non-federal agencies are adopting these guidelines to showcase the adoption of authoritative security best practices guidelines.

ISO 27001: ISO 27001, on the other hand, is a less technical, more risk-based standard for organizations of all shapes and sizes. ISO/IEC 27001 is widely known for providing the requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

SOC 2 Type 1 or 2: SOC 2 reports cover a service organization’s controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by these systems.

FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly transition from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

HITRUST: HITRUST stands for the Health Information Trust Alliance. HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

Cloud Security Alliance: The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document which security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain its compliance with the Cloud Controls Matrix (CCM).

Shared Assessments: Shared Assessments provides best practices, solutions, and tools for third-party risk management, with the mission of creating an environment of assurance for outsourcers and their vendors.

NIST Standards, ISO 27001, SOC 2 and Other Framework Comparisons

| Key Features | NIST Standards | ISO 27001 | SOC 2 | Other Standards/Frameworks (including FedRAMP, CSA, HITRUST, Shared Assessments, etc.) | Notes |
|---|---|---|---|---|---|
| Certification | Not Applicable | Yes | Yes | Yes | Need to engage certifying bodies/approved vendors |
| Approach | Control-based | Risk-based | Controls-based | Maps to other standards | Technical and general controls |
| Principle | Control Families | Information Security Management Systems | Trust Services Criteria & Ethics | Depends | Platform-specific controls are not covered by the standards/certification bodies |
| Certification Method | Self Authorized | Third-party Authorized | CPA Firms | Third-party vendors | Certification bodies require accreditation |
| Best Suited For | All | Service Org. | Service/Product Companies | Service/Product Companies | Increasingly customers/marketplace require some sort of certification |
| Popular in … | US Federal/Commercial | International | US Companies | US | ISO 27001 standard seems to be more popular globally |
| Customer Acceptance | Not Widely Accepted | Preferred | Preferred | Depends | Refer to Google Trends graph: in order of acceptance ISO 27001, SOC 2 and other certifications |
| Duration | Point-in-time | Point-in-time | 6-month period (Type 2) | Point-in-time | Surveillance audit is in place for most of the certifications |
| Audit Frequency | Not Applicable | Every Year | Every Year to 18 months | Depends | Minimum of 12 to 18 month period |
| Cost | $$ | $$ | $$$ | $$$ | HITRUST certifications cost in the north of 50k+ |

The above table is a highly simplified representation of many of the standards, and it may not accurately portray the individual standards/frameworks.

databrackets specializes in assisting organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, our customers and partners are meeting the growing demand for data security and evolving compliance requirements more efficiently.