Steps to Strengthen Data Security

The 𝗔𝗜 𝗗𝗮𝘁𝗮 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 guidance from 𝗗𝗛𝗦/𝗡𝗦𝗔/𝗙𝗕𝗜 outlines best practices for securing data used in AI systems. Federal CISOs should focus on implementing a comprehensive data security framework that aligns with these recommendations. Below are the suggested steps to take, along with a schedule for implementation. 𝗠𝗮𝗷𝗼𝗿 𝗦𝘁𝗲𝗽𝘀 𝗳𝗼𝗿 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 1. Establish Governance Framework     - Define AI security policies based on DHS/CISA guidance.     - Assign roles for AI data governance and conduct risk assessments.  2. Enhance Data Integrity     - Track data provenance using cryptographically signed logs.     - Verify AI training and operational data sources.     - Implement quantum-resistant digital signatures for authentication.  3. Secure Storage & Transmission     - Apply AES-256 encryption for data security.     - Ensure compliance with NIST FIPS 140-3 standards.     - Implement Zero Trust architecture for access control.  4. Mitigate Data Poisoning Risks     - Require certification from data providers and audit datasets.     - Deploy anomaly detection to identify adversarial threats.  5. Monitor Data Drift & Security Validation     - Establish automated monitoring systems.     - Conduct ongoing AI risk assessments.     - Implement retraining processes to counter data drift.  𝗦𝗰𝗵𝗲𝗱𝘂𝗹𝗲 𝗳𝗼𝗿 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻  Phase 1 (Month 1-3): Governance & Risk Assessment   • Define policies, assign roles, and initiate compliance tracking.   Phase 2 (Month 4-6): Secure Infrastructure   • Deploy encryption and access controls.   • Conduct security audits on AI models. Phase 3 (Month 7-9): Active Threat Monitoring • Implement continuous monitoring for AI data integrity.   • Set up automated alerts for security breaches.   Phase 4 (Month 10-12): Ongoing Assessment & Compliance   • Conduct quarterly audits and risk assessments.   • Validate security effectiveness using industry frameworks.  𝗞𝗲𝘆 𝗦𝘂𝗰𝗰𝗲𝘀𝘀 𝗙𝗮𝗰𝘁𝗼𝗿𝘀   • Collaboration: Align with Federal AI security teams.   • Training: Conduct AI cybersecurity education.   • Incident Response: Develop breach handling protocols.   • Regulatory Compliance: Adapt security measures to evolving policies.  

The Federal Trade Commission recently announced a #datasecurity and #marketing consent decree with a B2B security company. Here's 4 areas to focus on for your org's security, marketing, and vendor management ⬇️ The FTC alleged the company had inadequate security practices to protect business customer data, and did email marketing that violated CAN-SPAM. It also alleged the company made false claims about security practices and compliance with HIPAA and Privacy Shield. The complaint details how it suffered multiple threat actor intrusions into its network resulting in the threat actor accessing live video feeds on its business customer sites, and exfiltrating gigabytes of customer data, including site foorplans, camera image and audio recordings, employee details, and wi-fi credentials. It also claims the threat actor was able to do #facialrecognition searches, potentially on people at customer offices and sites. The company agreed to pay a $2.95M penalty, and to 20 years of remedial obligations for its data security and marketing practices.    To help protect your organization, focus on these areas:   1️⃣ Security Program. Confirm your organization's security program uses the types of security controls at issue in this case: 🔹access management controls (unique & complex passwords, role-based access controls, & MFA); 🔹data loss protection; 🔹logging and alerting; 🔹vulnerability management protocols (product security testing, risk assessments, vulnerability scans, and pen testing); 🔹network security controls (disabling unused ports/protocols; properly configuring firewalls); 🔹encrypting customer data in transit and at rest; and 🔹appropriate information security policies and procedures that are followed and trained on enterprise-wide. 2️⃣ Email Marketing. Have working email unsubscribe functionality and required CAN-SPAM disclosures even in B2B emails. 3️⃣ Vendor Selection and Contracting. Confirm vendor selection and contracting process would catch vendors like this one and require appropriate security obligations, breach reporting, and accountability for damages. 🔹Consider whether spend amounts or assumptions the vendor wouldn't deal with customer data would skip these reviews or contract provisions. 🔹The action didn't focus on whether business customers were told their video cameras were accessed and sensitive corporate data was stolen; validate your organization's vendor contracts would require this. 4️⃣ Vendor Assurance. Would your organization's vendor risk management approach have verified this vendor actually had the security practices it touted? Consider whether criteria for validating vendor commitments need to be adjusted--such as to require and review independent audit results, or to conduct your organization's own assessment or audit. 🔹If the allegations are credible, it sounds like the vendor made false security commitments that weren't implemented, so its contractual commitments may have been illusory.

This article highlights a St. Louis federal court indicted 14 North Korean nationals for allegedly using false identities to secure remote IT jobs at U.S. companies and nonprofits. Working through DPRK-controlled firms in China and Russia, the suspects are accused of violating U.S. sanctions and committing crimes such as wire fraud, money laundering, and identity theft. Their actions involved masking their true nationalities and locations to gain unauthorized access and financial benefits. To prevent similar schemes from affecting you businesses, we recommend a multi-layered approach to security, recruitment, and compliance practices. Below are key measures: 1. Enhanced Recruitment and Background Verification - Identity Verification: Implement strict verification procedures, including checking legal identification and performing background and reference checks. Geolocation Monitoring: Use tools to verify candidates’ actual geographic locations. Require in-person interviews for critical roles. - Portfolio Validation: Request verifiable references and cross-check submitted credentials or work samples with previous employers. - Deepfake Detection Tools: Analyze video interviews for signs of deepfake manipulation, such as unnatural facial movements, mismatched audio-visual syncing, or artifacts in the video. - Vendor Assessments: Conduct due diligence on contractors, especially in IT services, to ensure they comply with sanctions and security requirements. 2. Cybersecurity and Fraud Prevention - Access Control: Limit access to sensitive data and systems based on job roles and implement zero-trust security principles. - Network Monitoring: Monitor for suspicious activity, such as access from IPs associated with VPNs or high-risk countries. - Two-Factor Authentication (2FA): Enforce 2FA for all employee accounts to secure logins and prevent unauthorized access. - Device Management: Require company-issued devices with endpoint protection for remote work to prevent external control. - AI and Behavioral Analytics: Monitor employee behavior for anomalies such as unusual working hours, repeated access to restricted data, or large data downloads. 3. Employee Training and Incident Response - Cybersecurity Awareness: Regularly train employees on recognizing phishing, social engineering, and fraud attempts, using simulations to enhance awareness of emerging threats like deepfakes. - Incident Management and Reporting: Develop a clear plan to handle cybersecurity or fraud incidents, including internal investigations and containment protocols. - Cross-Functional Drills and Communication: Conduct company-wide simulations to test response plans and promote a culture of security through leadership-driven initiatives. #Cybersecurity #HumanResources #Deepfake #Recruiting #InsiderThreats

The National Security Agency (NSA) has released critical guidance on enhancing Zero Trust maturity within the application and workload pillar. We must take action to safeguard our organizations against increasingly sophisticated threats. Key Takeaways: • Transition from static, network-centric access to dynamic, identity, and data-centric access control • Prioritize capabilities such as application inventory management, secure software development (DevSecOps), software risk management, resource authorization, and continuous monitoring • Implement practical security measures, including strong authentication, granular access based on least privilege, encryption, micro-segmentation, and container security best practices Action Items: 1. Conduct a comprehensive inventory and categorization of all applications and workloads 2. Assess current authentication and access control measures; implement necessary improvements 3. Evaluate software development processes; integrate security throughout the DevSecOps lifecycle 4. Establish continuous monitoring capabilities to detect anomalous behavior and regularly assess security posture By taking proactive steps to mature our Zero Trust architectures, we can significantly enhance the protection of our critical applications and sensitive data. #ZeroTrust #Cybersecurity #ApplicationSecurity #DataProtection #NSAGuidance

𝐓𝐡𝐞 𝐑𝐢𝐬𝐤 𝐨𝐟 𝐈𝐧𝐚𝐜𝐭𝐢𝐨𝐧: 𝐋𝐞𝐚𝐫𝐧 𝐇𝐨𝐰 𝐓𝐨 𝐏𝐫𝐨𝐭𝐞𝐜𝐭 𝐘𝐨𝐮𝐫 𝐃𝐢𝐠𝐢𝐭𝐚𝐥 𝐀𝐬𝐬𝐞𝐭𝐬 𝐍𝐨𝐰 🔐 Are you worried that your current cybersecurity strategy might not be protecting your valuable digital assets, IP, and more? As leaders in finance and operations, it's often daunting to have to answer for the budgets, processes, policies, and more that are so critical for protecting your company’s sensitive data. 📊 However, neglecting this issue could expose your organization to grave risks such as severe data breaches, loss of trust with customers, financial penalties, and reputation damage. Take the lead in securing your sensitive information by implementing a robust data protection strategy: 🌐 Identify and rate your most sensitive and valuable information. 🌐 Utilize data encryption to safeguard sensitive information. 🌐 Perform regular backups to ensure data availability and proper recovery options. 🌐 Establish secure access controls to limit unauthorized and unwanted access. 🌐 Consult industry experts to evaluate and enhance your security measures. 🌐 Stay updated on the latest cybersecurity trends to stay ahead of potential threats. 🌐 Educate your staff about potential threats and the best practices to foster a security-conscious culture. Addressing these aspects not only reestablishes your confidence but also gives you peace of mind, knowing your digital assets are more secure. 💡 By protecting crucial data, you reduce risks, enhance trust among customers, and boost stakeholder confidence. 🤔 Have you faced similar challenges within your organization? Share your strategies and experiences below! #innovation #technology #cybersecurity #automation #dataprotection #riskmanagement

60% of companies reported a data breach within the last two years, and 74% had at least three API-related breaches. This shows the importance of enhanced API security because it exposes the business logic and data to an external system. Hackers love APIs because they're everywhere, and in many cases, they lack security while containing valuable data. Here is some advice on how to secure the design of your API: ▪️ First, you must know how many APIs are running in your ecosystem. You can use automated discovery tools to inventory them. ▪️ Authorization and authentication are crucial. Implement strong authentication and authorization mechanisms: one public key(access key) + one private key (secret key). ▪️ Signature Generation. Verify the authenticity and integrity of API requests. A critical step in this process is using HTTPS, a secure communication protocol, to encrypt data transmitted over your API. This ensures that the data is protected from unauthorized access during transmission. ▪️ For comprehensive security, HTTP requests should include the following parameters: authentication credentials to verify the user's identity, a timestamp to prevent replay attacks, request-specific data to specify the action to be performed, and nonce to avoid duplication requests. ▪️ Remember versioning. Not updated or outdated components make your applications vulnerable. ▪️ Security must be part of your team's awareness. Every member should be trained on the best practices for API security. ▪️ Implement monitoring and behavioral analysis tools, looking for anomalies in API traffic patterns. ▪️ Don't forget to adapt regular penetration testing to fix uncovered issues. Your API security cannot be an issue at the end of the SDLC but must be part of the API's design. Each stage of the cycle, as well as each component and functionality, poses a risk. The greater the complexity, the greater the threats. Image Credit: Munaim Naeem #Technology #APISecurity #DevOps

I’ve got 5 ways you can make your data more resilient to ransomware and cyber threats. For enterprises, ransomware and security breaches are no longer “if” but “when” situations. That’s why Data Security Posture Management (DSPM) is essential. It’s not just about finding and categorizing sensitive data but actually keeping it secure across every system you use. Without DSPM, your data isn’t just exposed; it’s a risk to your business continuity and customer trust. Now, let’s talk actionable steps: 1. Set Clear DSPM Goals: Start by identifying your organization’s most pressing security needs. Are you looking to prevent data breaches, support GenAI deployments, or both? Your DSPM goals should align with the most critical risks to your data. 2. Integrate DSPM with Data Protection: DSPM shouldn’t be a standalone initiative. Integrate it with your broader data protection and governance strategies to create a seamless approach to data security. 3. Prioritize Data Discovery and Categorization: Proactive data discovery is the backbone of any effective DSPM program. Ensure your team can locate and classify sensitive data across every environment, so protection is targeted and efficient. 4. Develop an Incident Response Plan: Your DSPM setup should include a clear response strategy in case of a security event. This ensures your team can act fast to secure data and minimize damage. 5. Stay Updated with DSPM Market Innovations: With new acquisitions and tech advances in DSPM, keeping up with the latest tools and practices is crucial for staying one step ahead of potential threats. Think of DSPM as your foundation for data resilience and peace of mind. When you build a proactive, integrated approach to data security, you’re not just protecting your information—you’re strengthening your entire business. Follow me for more tips on staying ahead in data resilience and cybersecurity! ➡ Be sure to follow Incorta to learn how we provide decision-ready data faster, simpler, and at scale. #digitaltransformation #finance #cfo #data #businessanalytics #generativeai

𝗗𝗮𝘆 𝟭𝟬: 𝗣𝗿𝗲𝗽𝗮𝗿𝗲𝗱𝗻𝗲𝘀𝘀 𝗮𝗻𝗱 𝗥𝗲𝘀𝗽𝗼𝗻𝘀𝗲 We know the cost of response can be 100 times the cost of prevention, but when unprepared, the consequences are astronomical. A key prevention measure is a 𝗽𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗱𝗲𝗳𝗲𝗻𝘀𝗲 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝘆 to anticipate and neutralize threats before they cause harm. Many enterprises struggled during crises like 𝗟𝗼𝗴𝟰𝗷 or 𝗠𝗢𝗩𝗘𝗶𝘁 due to limited visibility into their IT estate. Proactive threat management combines 𝗮𝘀𝘀𝗲𝘁 𝘃𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆, 𝘁𝗵𝗿𝗲𝗮𝘁 𝗱𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻, 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗲, and 𝗿𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝘁 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲. Here are few practices to address proactively: 1. 𝗔𝘀𝘀𝗲𝘁 𝗩𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆 Having a strong understanding of your assets and dependencies is foundational to security. Maintain 𝗦𝗕𝗢𝗠𝘀 to track software components and vulnerabilities. Use an updated 𝗖𝗠𝗗𝗕 for hardware, software, and cloud assets. 2. 𝗣𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗧𝗵𝗿𝗲𝗮𝘁 𝗛𝘂𝗻𝘁𝗶𝗻𝗴 Identify vulnerabilities and threats before escalation. • Leverage 𝗦𝗜𝗘𝗠/𝗫𝗗𝗥 for real-time monitoring and log analysis. • Use AI/ML tools to detect anomalies indicative of lateral movement, insider threat, privilege escalations or unusual traffic. • Regularly hunt for unpatched systems leveraging SBOM and threat intel. 3. 𝗕𝘂𝗴 𝗕𝗼𝘂𝗻𝘁𝘆 𝗮𝗻𝗱 𝗥𝗲𝗱 𝗧𝗲𝗮𝗺𝗶𝗻𝗴 Uncover vulnerabilities before attackers do. • Implement bug bounty programs to identify and remediate exploitable vulnerabilities. • Use red teams to simulate adversary tactics and test defensive responses. • Conduct 𝗽𝘂𝗿𝗽𝗹𝗲 𝘁𝗲𝗮𝗺 exercises to share insights and enhance security controls. 4. 𝗜𝗺𝗺𝘂𝘁𝗮𝗯𝗹𝗲 𝗕𝗮𝗰𝗸𝘂𝗽𝘀 Protect data from ransomware and disruptions with robust backups. • Use immutable storage to prevent tampering (e.g., WORM storage). • Maintain offline immutable backups to guard against ransomware. • Regularly test backup restoration for reliability. 5. 𝗧𝗵𝗿𝗲𝗮𝘁 𝗜𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝗣𝗿𝗼𝗴𝗿𝗮𝗺𝘀 Stay ahead of adversaries with robust intelligence. • Simulate attack techniques based on known adversaries like Scatter Spider • Share intelligence within industry groups like FS-ISAC to track emerging threats. 6. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆-𝗙𝗶𝗿𝘀𝘁 𝗖𝘂𝗹𝘁𝘂𝗿𝗲 Employees are the first line of defense. • Train employees to identify phishing and social engineering. • Adopt a “𝗦𝗲𝗲 𝗦𝗼𝗺𝗲𝘁𝗵𝗶𝗻𝗴, 𝗦𝗮𝘆 𝗦𝗼𝗺𝗲𝘁𝗵𝗶𝗻𝗴” approach to foster vigilance. • Provide clear channels for reporting incidents or suspicious activity. Effectively managing 𝗰𝘆𝗯𝗲𝗿 𝗿𝗶𝘀𝗸 requires a 𝗰𝘂𝗹𝘁𝘂𝗿𝗲 𝗼𝗳 𝗽𝗲𝘀𝘀𝗶𝗺𝗶𝘀𝗺 𝗮𝗻𝗱 𝘃𝗶𝗴𝗶𝗹𝗮𝗻𝗰𝗲, investment in tools and talent, and alignment with a defense-in-depth strategy. Regular testing, automation, and a culture of continuous improvement are essential to maintaining a strong security posture. #VISA #Cybersecurity #IncidentResponse #PaymentSecurity #12DaysOfCybersecurityChristmas

7 security and governance steps I recommend for AI-powered health-tech startups to avoid hacks and fines: 1. Pick a framework -> The Health Insurance Portability and Accountability Act (HIPAA) is non-negotiable if you handle protected health information (PHI). Look at the security, privacy, and data breach notification rule requirements. -> If you want a certification (incl. addressing HIPAA requirements), HITRUST is a good place to start due to origins in healthcare. The AI security certification gives you solid controls for these types of systems. -> If you are looking to cover responsible AI as well as security/privacy, ISO 42001 is a good option. Consider adding HIPAA requirements as additional Annex A controls. 2. Publish policies Longer != better. Use prescriptive statements like "Employees must XYZ." If there are detailed steps, delegate responsibility for creating a procedure to the relevant person. Note that ISO 42001 requires an "AI Policy." 3. Classify data Focus on handling requirements rather than sensitivity. Here are the classifications I use: -> Public: self-explanatory -> Public-Personal Data: still regulated by GDPR/CCPA -> Confidential-Internal: business plans, IP, etc. -> Confidential-External: under NDA with other party -> Confidential-Personal Data: SSNs, addresses, etc. -> Confidential-PHI: regulated by HIPAA, needs BAA 4. Assign owners Every type of data - and system processing it - needs a single accountable person. Assigning names clarifies roles and responsibilities. Never accept "shared accountability." 5. Apply basic internal controls This starts with: -> Asset inventory -> Basic logging and monitoring -> Multi-factor authentication (MFA) -> Vulnerability scanning and patching -> Rate limiting on externally-facing chatbots Focus on the 20% of controls than manage 80% of risk. 6. Manage 3rd party risk This includes both vendors and open source software. Measures include: -> Check terms/conditions (do they train on your data?) -> Software composition analysis (SCA) -> Service level agreements (SLA) 7. Prepare for incidents If your plan to deal with an imminent or actual breach is "start a Slack channel," you're going to have a hard time. At a minimum, determine in advance: -> What starts/ends an incident and who is in charge -> Types of incidents you'll communicate about -> Timelines & methods for disclosure -> Which (if any) authorities to notify -> Root cause analysis procedure TL;DR - here are 7 basic security and governance controls for AI-powered healthcare companies: 1. Pick a framework 2. Publish policies 3. Classify data 4. Assign owners 5. Apply basic controls 6. Manage 3rd party risk 7. Prepare for incidents What else?

If everyone's a super-admin in your HubSpot, you're one disgruntled employee away from disaster. 𝘛𝘩𝘦 𝘙𝘪𝘱𝘱𝘭𝘪𝘯𝘨/𝘋𝘦𝘦𝘭 𝘭𝘢𝘸𝘴𝘶𝘪𝘵 𝘪𝘴 𝘮𝘢𝘬𝘪𝘯𝘨 𝘸𝘢𝘷𝘦𝘴: 𝘢𝘯 𝘢𝘭𝘭𝘦𝘨𝘦𝘥 𝘪𝘯𝘴𝘪𝘥𝘦𝘳 𝘵𝘩𝘳𝘦𝘢𝘵 𝘸𝘩𝘦𝘳𝘦 𝘢𝘯 𝘦𝘮𝘱𝘭𝘰𝘺𝘦𝘦 𝘴𝘦𝘢𝘳𝘤𝘩𝘦𝘥 𝘧𝘰𝘳 𝘢 𝘤𝘰𝘮𝘱𝘦𝘵𝘪𝘵𝘰𝘳'𝘴 𝘯𝘢𝘮𝘦 23 𝘵𝘪𝘮𝘦𝘴 𝘗𝘌𝘙 𝘋𝘈𝘠 𝘪𝘯 𝘙𝘪𝘱𝘱𝘭𝘪𝘯𝘨'𝘴 𝘊𝘙𝘔 𝘵𝘰 𝘴𝘱𝘺 𝘰𝘯 𝘤𝘶𝘴𝘵𝘰𝘮𝘦𝘳𝘴 𝘤𝘰𝘯𝘴𝘪𝘥𝘦𝘳𝘪𝘯𝘨 𝘴𝘸𝘪𝘵𝘤𝘩𝘪𝘯𝘨 𝘱𝘭𝘢𝘵𝘧𝘰𝘳𝘮𝘴. This isn't just B2B drama (okay, a little) - more than that, it's a wake-up call to start treating your CRM like the revenue-generating asset it is. Think about what's in your HubSpot instance right now: • Every sales opportunity and its value • Competitive intel from prospect conversations • Customer churn risk indicators • Strategic account expansion plans • Internal notes about pricing negotiations Yet I see the same security mistakes with nearly every client I onboard: • Everyone has admin access, "just in case." • No audit trails enabled for sensitive data • Zero user permission reviews • Deal data visible to the entire company • Former employee accounts are still active months/years later The truth is that your CRM security isn't just about external hackers. It's also about appropriate internal access controls. If someone wanted competitive intelligence on your business, your CRM is literally the first place they'd look. But with proper HubSpot governance, you can prevent these issues without sacrificing usability. Three immediate steps to take: • Check out the HubSpot's Security Health Checkup (yes, it exists) • Implement proper role-based permissions • Establish a quarterly access review process • Configure audit logging to track who's viewing what It will be hard to catch an insider threat, but there's no reason your CRM should be so exposed. #CRMSecurity #HubSpot #DataGovernance #RevOps