COVID-19 Resources

Coronavirus (COVID-19): Business Continuity and Cybersecurity Toolkit (Resources and Tools)


Are you feeling anxious and not sure what is going to happen next? Are you concerned about what next week will hold because you already had to cut back on personnel?

For me, and I am sure for you as well, my work is mission-driven. I say it over and over that to me cybersecurity is love. It’s not something a lot of people understand, but it’s about love for your team, love for your clients, love for your stakeholders and even love for your data and systems. It’s about loving yourself enough as a C-level leader to NOT put yourself in a position where a breach could easily have been prevented. I believe now is a time for us to truly show up for one another and support each other in these unique circumstances. We are here for YOU!

This is information on business continuity we started to share with our clients and members in our PurePoint community on January 30th, 2020, the day the World Health Organization declared the coronavirus outbreak a Public Health Emergency of International Concern. Our goal remains to help companies protect their business and their teams. We have been focused on this since the beginning. This includes securing data, managing cyber risk, and how to think about managing areas of the company where a core knowledge holder could be out for an extended period of time.

Let me know your questions or concerns, and we will be sharing more later so be sure to check back a few times a week. We are in this together.

*******************************************

We are being asked many questions by our PurePoint Community and I wanted to be sure to add information and resources in one place. Thank you to all those with the courage to ask, and I encourage you to keep asking!

 

Business Continuity, Protecting Systems and Data, and Privacy for Staff during the Coronavirus:

Articles:

1/30/2020 – Situation Update 1: Coronavirus and what you need to know – https://the-purepoint.com/2020/01/

2/9/2020 – Situation Update 2: COVID-19 and Your Top 3 Priorities – https://the-purepoint.com/2020/02/

3/2/2020 – SHIELD Act

3/11/2020 – Situation Update 3: Taking Care of the Team

3/13/2020 – As a C-level leader, is your team prepared to work securely remotely?

3/23/2020  – COVID-19: The Top Five Focuses You Need to Know for Cybersecurity and Privacy in Your Business 

3/31/2020 – Six cybersecurity tips for your home or work systems during COVID-19.

More to be added

Resources/Tools:

4 Steps to Business Continuity

9 Guideposts for Creating a Consciously Secure Life

More to be added

Webinars:

COVID-19: Cybersecurity, LOVE, and dealing with UNCERTAINTY in your BUSINESS, hosted by FEARLESS Communicators, March 26th, 5pm-6pm EST

COVID-19: BUSINESS CONTINUITY, CYBER RESILIENCY and UNCERTAINTY, hosted by Luminary-NYC, March 27th, 9:30am-10:30am EST

LadyDrinks Virtual Workshop: Managing Cybersecurity and Data Risk, hosted by LadyDrinks, March 31st, 12pm-1pm EST

The Consciously Secure Parent: What cybersecurity concerns should you address when homeschooling your children? April 7th, 7pm EST

Cybersecurity and IP Lightning Series: Zoom, Webinar Security and Protecting Your IP, Tuesday, April 11th, 11am

The New Normal: Cybersecurity, IT, Business Continuity, and the First Four Weeks of the US Working From Home and Global Work From Home Initiatives and Impacts, Friday, April 17th, 11am

More to be added

Videos: 

3/19/2020 – 4 Steps to Business Continuity and Response

3/23/2020  – Interview of Jessica by Bill Baylis, Controlled Profitable Growth Expert at the Business Development Machine

3/25/2020 – 3 Guideposts for Creating a Consciously Secure Life

4/3/2020 – 3 Guideposts for Creating a Consciously Secure Life Part 2

More to be added


As C-level leaders, is your team prepared to work remotely SECURELY?

The Coronavirus (COVID-19) has impacted communities, events, travel, and the economy. It’s also impacting data and cybersecurity in your business! It’s one thing for an employee to work from home two days a week. It’s another thing for ALL employees to work from home for an extended period of time. The question you have to answer as a C-level leader is whether your company can withstand remote working indefinitely AND still maintain the confidentiality, integrity, privacy and availability of its data.

Here are the top three considerations for C-level leaders to NOT let the Coronavirus impact data and cybersecurity in their businesses.

1.      The Importance of a Business Continuity Plan:

  • Do you have a full Business Continuity Plan in place today? Perhaps you have a Disaster Recovery Plan for your information systems? When was the last time that plan was reviewed and updated? As with cybersecurity, C-level leaders have a tendency to wait to implement these plans until there is a pressing matter that requires them to do so: a cybersecurity incident, a regulation, a natural disaster, or even a pandemic!
  • Is there an employee who operates a business-critical system and who could be out and unable to perform their daily functions? If that occurred, who is their backup, and how will your company continue to operate?
  • Taking steps now to document what challenges are occurring, and to update or create your plan, is a way to prevent these same challenges in the future. The good news is you can start today.

2.      Teleworking securely: Are we ALL actually able to do this SECURELY?

  • This is a difficult time to realize that you have a legacy finance system that makes it hard for an accounts payable employee to do their job while working remotely for an extended period of time.
  • How is your VPN – virtual private network? Is your team able to connect to your intranet securely? Are they able to access company or client data in the most secure way?
  • What if your employee needs to print confidential data?  How do they do that remotely?
  • Are you all communicating quickly and efficiently with the communication tools in place? For small companies a secure text may work, but what about 50+ employee organizations? Having a secure messaging system that can communicate with employees efficiently, and consistently, with the ability to receive responses is critical.
  • Authentication: Is there multi-factor authentication for ALL systems? These are all things that need to be considered and enabled.
  • BYOD – Bring Your Own Device: Are your employees working on their personal devices with confidential company documents or client data?


3.      Should we wait until this virus settles before we do more on cybersecurity?

  • There are “already” so many things to do, so why add cybersecurity or continue to execute cybersecurity best practices if it “makes our job harder?” I am sure no company will get a “pass” by a regulator or client, if they have a cyber breach and the company says “Yeah, but our employees had to work from home because of the coronavirus,” or “Did we really have to meet the deadline for the NY Department of Financial Services regulation or NY SHIELD Act during the pandemic?”  This type of thinking will only keep you in fantasyland. The truth is…this is hard, the hackers don’t stop. For C-level leaders, this is what it means to run a business in 2020 and beyond.

The sad truth is there is not a “one size fits all” approach to cybersecurity when suddenly ALL employees are working from home during an unexpected event. Though there are similarities in securing systems and data, a tailored approach is needed.

As a C-level leader, you don’t want to make your Compliance leader or HR leader’s job harder than what it needs to be. Putting the team first during this time means making their job easier, which means making your job easier. Neglecting cybersecurity or data protection during this time is a recipe for failure and, other than a sick employee, the last outcome you want as a result of this pandemic is a data breach.

Jessica Robinson is CEO of PurePoint International and works as a Virtual/Outsourced CISO to middle market businesses in financial services and insurance. You can reach her at jessica@purepoint-international.com.


Coronavirus: Taking Care of Your Team

I wanted to send a few updates in response to the first coronavirus quarantine in the NYC metro area, and to be sure you were included. Learn more here: https://www.bloomberg.com/amp/news/articles/2020-03-10/new-york-to-close-gathering-places-in-suburb-hit-by-coronavirus

Here are some immediate next step suggestions:

  • Take inventory of who on your staff, and which vendors and contractors (critical business partners), can be impacted (even by a travel commute).
  • Business continuity: If your staff works remotely for the rest of the week, can all business-critical processes be conducted remotely and securely? (Finance, accounts payable, accounts receivable, HR, security, etc.)
  • Security and Privacy: Is your team able to work remotely and STILL maintain the confidentiality, integrity, privacy and availability of systems and data? (Not sure? Give Jessica a call and she can take you through a quick checklist: 929-800-1184.)

Good information shared from one of our PurePoint Community Members:

Regarding any in person meetings (no matter how critical):

  • If someone is not feeling well, it is recommended they stay home and rest.
  • Carry tissues to cough or sneeze into, and have a little “trash bag” to put those used tissues into once finished.
  • Wash hands as soon as staff arrive anywhere after traveling. Avoid touching backs of chairs and handles of doors/shopping carts, etc directly – use a tissue or sanitizing wipe before grabbing.
  • Use hand sanitizer or a sanitizing wipe to clean hands after contact with “life”.
  • Bump elbows when greeting each other.
  • Avoid touching your face.
  • If you have a mask, it’s not about filtering out the germs – the sole purpose of a mask is keeping hands away from mouth and nose.

The other “tip” is to get Zinc lozenges. Take one every 2-3 hours (follow package instructions). There has been a memo from a doctor going around where he says Zinc works like a charm for blocking cold and flu viruses, including the coronavirus.

The last piece I’d like to share are thoughts known to help our bodies strengthen their immune systems and create an optimized environment in the body so it can do its job:

  • Double up on your nutritional regimen (of course, consult a nutritional/wellness practitioner about double dosing protocol on each item you take).
  • Take an option to lessen alcohol intake for the month of March for extra support to your immune system.
  • Get an ideal night’s sleep. It’s that simple.
  • What we focus on expands. Health and mind-state are linked. Our job is to keep our mind free of fear. Fear suppresses our immune system. So the practice is this: if you catch team/staff dwelling on fear (disappointment/upset/breakdown), as leaders help shift the focus to what is working great, what is amazing, by focusing your attention on gratitude or what’s going well (i.e., thankful our team is healthy).
  • Eat a clean diet – at least for the month of March! (Then go back to your favorite processed foods.) Wherever we can, try cutting out processed foods. We are brilliant machines designed to override invasion to the body. Optimizing our well being makes a difference.

We are here to serve you. Please let me know if you have any questions.


Coronavirus or Not: The NY SHIELD Act and What All Businesses in NY State Need to Know

As we enter the new decade of 2020 and think about what the long-term impacts on cybersecurity and privacy will be over the next ten years, there are very immediate challenges executives are navigating today in the state of NY. The regulatory environment continues to strengthen globally, and NY state continues to lead the way in setting expectations for businesses handling personal information of NY residents.

In 2018, the European Union’s General Data Protection Regulation (GDPR) took effect, with an emphasis on protecting the data of European residents and a number of requirements to protect the privacy and security of that data. On January 1, 2020 the California Consumer Privacy Act (CCPA) went into effect, which impacts companies collecting personal data on California residents, much of it for digital advertising purposes. Now, in the state of NY there is a new law that can have a significant impact on businesses, especially if a company has a breach and negligently compromised the personal information of NY residents.

The NY Department of Financial Services annual cybersecurity certification deadline has been moved from April 15th to June 1st. This may give some of you welcome relief, but the expectation of keeping data and systems secure through the COVID-19 pandemic remains. Especially with the NY SHIELD Act, it would be a dangerous risk to treat this extended deadline as permission to not take the proper actions to control cyber and data risk while staff are transitioning to working remotely.

What is the NY SHIELD Act?

The new NY SHIELD (Stop Hacks and Improve Electronic Data Security) Act goes into effect March 21, 2020. This Act requires safeguards for the private information of NY state residents. The SHIELD Act requires any person or business that owns or licenses computerized data including New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” Companies already required to abide by HIPAA, the NY DFS Cybersecurity Regulation, or GLBA are most likely already meeting these new requirements.

What are new requirements of the NY SHIELD Act?

The SHIELD Act does not mandate specific safeguards, but instead provides that a business will “be deemed to be in compliance with” this standard if it implements a “data security program” that includes all of the elements enumerated in the SHIELD Act. This data, or cybersecurity program, includes mandates for administrative, technical and physical safeguards:

Administrative safeguards include: The business (i) designates one or more employees to coordinate the cybersecurity program; (ii) assesses internal and external data security-related risks and the sufficiency of safeguards in place to control the identified risks; (iii) trains and manages employees in the program’s practices and procedures; (iv) selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and (v) adjusts the program in light of business changes or new circumstances.

Technical safeguards include: The business (i) assesses data security-related risks of network and software design and of information processing, transmission and storage; (ii) detects, prevents and responds to attacks or system failures; and (iii) regularly tests and monitors the effectiveness of key controls, systems and procedures.

Physical safeguards include: The business (i) assesses risks of information storage and disposal; (ii) detects, prevents and responds to intrusions; (iii) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (iv) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

What is defined as personal information?

Though this received a lot of attention initially, it seems to have gone under the radar for a lot of businesses in NY, and especially for businesses not located in NY but collecting data on NY residents. All businesses are impacted by this law if they hold private information of any NY resident. For example, if a company has an employee who is a NY resident, it is subject to this Act because of the scope of data likely collected during the hiring process.

The Act covers not only “personal information,” currently defined in GBL §899-aa(1)(a) as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person…”, but also “private information,” which is now defined as personal information in combination with any one or more of the following data elements, when the data element or the combination is either not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:

  1. Social Security number
  2. Driver’s license number
  3. Credit or debit card number,
  4. Financial account number (with or without security code, as long as an unauthorized person could gain access to the account)
  5. Biometric information
  6. Username or e-mail address in combination with a password, or a security question and answer, that would permit access to an online account.

What industries are impacted?

This becomes even more difficult for small businesses. Small businesses with fewer than 50 employees or less than $3 million in gross annual revenue need only ensure that their data security safeguards are appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it handles. The standard is relaxed, but safeguards still need to be in place.

As mentioned, the less impacted companies are those already regulated by the New York Department of Financial Services (NY DFS) Cybersecurity Regulation in banking, insurance and financial services. However, companies under $10M in total assets, with under 10 employees, or under $5M in total revenue three years in a row, that are hoping to file for exemption for the upcoming April 15, 2020 certification deadline will want to validate that this is still an option under the new Act. Many companies will find that they have a limited exemption, but not a full exemption, under the NY SHIELD Act.

The biggest impact is to non-regulated industries. Real estate and retail not only hold employee information, but client or tenant information. Manufacturing, law and accounting firms, fashion companies and other service industries are also subject to comply.

How does this impact companies outside of the state of NY?

The Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that if your business or organization has employees or customers who live in New York, this legislation may apply to you.

Updated data breach requirements:

The data breach notification requirements for NY state were also amended, effective October 23, 2019. Where a business determines that an exposure of private information was inadvertent and is not likely to result in misuse, it must document that determination in writing; if the incident involves the private information of more than 500 New York residents, the business must provide that written determination to the state’s attorney general within 10 days of making it. For knowing or reckless failures to notify, the attorney general may seek a penalty of up to $20 per instance of failed notification, up to a maximum of $250,000.
