Categories
Daily Compliance News

Daily Compliance News: September 30, 2024 – The My Law Firm Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Trump plans to make DOJ his personal law firm. (WSJ)
  • CA wants carbon accounting. (WSJ)
  • Tim Brown wants tougher cyber laws. (FT)
  • Elliott affiliate wins Citgo auction. (Reuters)

Categories
Compliance Into the Weeds

Compliance into the Weeds: The Convergence of Cybersecurity and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into a recent SEC enforcement action involving RR Donnelley, where a cyber breach was characterized as an internal control

In this episode, we discuss how criminal activities in cyberspace are outpacing regulatory measures and the law’s ability to keep up. The conversation touches on the idea that access controls for valuable corporate assets, whether financial data or sensitive information, are becoming indistinguishable in the eyes of cybercriminals. The discussion includes a thought-provoking perspective on merging cybersecurity and anti-money laundering functions, as both deal with improper electronic transactions. The core concern is not just the breach itself, but also the prevention of data exfiltration.

Key Highlights:

  • Corporate Jewels: Money vs. Data
  • Cybersecurity and Anti-Money Laundering
  • Improper Electronic Transactions
  • Focus on Data Exfiltration
  • Conclusion: Preventing Data Theft

Resources:

Matt on Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: December 14, 2023 – The Serious Misconduct Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Former BP CEO docked $40M for ‘serious misconduct’. (WSJ)
  • Why culture outside the US matters. (FT)
  • Tesla has a 2MM car recall. (BBC)
  • Hackers target outdated servers. (Reuters)

Categories
Innovation in Compliance

Innovation in Compliance – Chris Lehman on Navigating the Wild West: Digital Compliance Strategies

Innovation comes in many areas, and compliance professionals need not only to be ready for it but to embrace it. One of those areas is telehealth and telemedicine. My guest in this episode is Chris Lehman, CEO at Safeguard Cyber, who visits with me to discuss the challenges and importance of managing risk in digital compliance.

The conversation focuses on the shift in communication channels from email to platforms like Slack and social media, highlighting the human factor as the biggest risk in compliance strategies. Lehman emphasizes the need for companies to prioritize compliance and good corporate governance in these new communication channels. To manage risk, companies should treat digital compliance as a risk management process, gaining visibility into employee communication tools, establishing policies, training employees, and utilizing technology.

We also highlight the tension between compliance teams and line of business teams, emphasizing the need for compliance teams to be enablers and strategic partners. The conversation references recent SEC enforcement actions and the importance of taking action to enforce compliance. Overall, digital compliance and governance are crucial in the modern business landscape, and utilizing technologies like monitoring tools and natural language understanding can help businesses stay secure and compliant in the digital age.

Highlights Include:

  • Safeguard Cyber: Securing Digital Communications
  • Managing Risk in Digital Compliance
  • Managing Risk in Compliance
  • Digital Compliance and Governance

Resources

Chris Lehman on LinkedIn

Safeguard Cyber

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

Compliance into the Weeds: What is Driving Compliance Engagement at the Board?

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

In this episode, co-hosts Tom Fox and Matt Kelly dissect the Navex 2023 State of Risk and Compliance Report. Tom and Matt delve into Navex’s annual benchmarking report, which surveyed 1,300 compliance professionals. The report revealed that 53% of respondents described their compliance programs as mature. Matt and Tom question whether the board is driving the conversation or whether compliance officers request updates because of potential liability. The report’s findings on cybersecurity and privacy concerns, survey results on where compliance should reside in a company, and the importance of having a mature anti-bribery and anti-corruption compliance program are all discussed. Tune in to hear more about how compliance officers can address pressing concerns such as cybersecurity breaches and attacks.

Key Highlights:

  • Navex’s benchmark report on compliance programs
  • Board-Compliance Officer Relationship & Cybersecurity in Compliance
  • The necessity of Dedicated Compliance Committees
  • Survey Finds Diverse Views on Compliance Placement in Companies
  • The Importance of Anti-Bribery Compliance for Cybersecurity
  • Compliance Officer Reporting to CISO Dynamics

Resources:

Matt

LinkedIn

Blog Post in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

Compliance into the Weeds: COSO Fraud Risk Management Framework

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

Get ready to dive into the world of fraud risk management and prevention with Compliance into the Weeds, hosted by Tom Fox and Matt Kelly. In this episode, they break down the recently released fraud risk framework from COSO and the Association of Certified Fraud Examiners and explain why it is needed in today’s world of cyber-based fraud and cryptocurrency. They stress the importance of data analytics and internal hotlines in preventing fraud, and that all employees need to be trained to detect and prevent fraud in their industry. The hosts also discuss how financial reporting controls may not always detect fraud and why dedicated anti-fraud controls are essential. With the rise of new types of fraud such as ESG fraud and greenwashing, the hosts recommend the fraud risk report to audit and compliance professionals who want to stay informed about the risks swirling around corporations today. Take advantage of this informative and fascinating podcast. Tune in to Compliance into the Weeds now.

Key Highlights:

  • Fraud Risk Management: COSO Report 2nd Edition
  • Effective Fraud Prevention Training for Employees
  • Importance of Anti-Fraud Controls in Fighting Fraud
  • COSO Fraud Risk Guidance and the Fraud Pentagon

Notable Quotes:

“But when you think about it, we have a lot of external factors, such as the rise of cryptocurrency, which is riddled with fraud and corruption risk. New methods of cyber-based fraud, which didn’t exist, say, 2016, the 2010s before that. Rise of ransomware in particular, which wasn’t quite a big thing back then that it is all over the place now.”

“Most frauds, you the risk management function, you might never catch them. By looking for them, you’ll have to depend on somebody else coming to you from the enterprise, say, I think this person over here is doing something sketchy.”

“Fraud is having a moment. And fraud risk is on the forefront of many people’s minds from many different areas.”

“We need to do better at finding ways to assess and understand your fraud risk and then implementing new controls as necessary to push that risk down to acceptable levels.”

Resources

Matt

LinkedIn

Blog Post in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

The Role of Backup Systems in Cybersecurity Defense with Curtis Preston

According to Curtis Preston, Chief Technical Evangelist at Druva, cyberattacks are not a matter of “if,” but “when.” In this episode, Tom Fox and Curtis dive into the importance of backup systems and cyber resilience in protecting against ransomware and other types of cyberattacks. Curtis shares his insights on how to limit the blast radius of an attack, why you should assume a breach, and the need to have a playbook and a cyber response team in place. They also discuss the role of state-sponsored attacks in non-kinetic warfare and the need for increased cyber resilience as we approach 2030.

W. Curtis Preston has 30 years of experience in the backup and data protection industry. He started his career in 1993 at MBNA, then the second-largest credit card company, and has been specializing in backup servers ever since. He is currently the Chief Technical Evangelist at Druva, where he talks, writes, and hosts podcasts about data protection systems. Curtis is also known as ‘Mr. Backup’, a moniker he adopted while writing his first book on backups.

You’ll hear Tom and Curtis discuss:

  • SaaS-based data protection systems are becoming increasingly important as more companies rely on SaaS infrastructures like Microsoft 365 and Google Workspace. Companies should not count on these providers to protect their data; they should consider using SaaS-based backup systems instead.
  • Curtis tells Tom, “There should be security interest, as well as technical and storage and network interest. All of those interests should be reflected in the implementation of such an important system as a data protection system.”
  • Ransomware attackers are now targeting backup systems directly, making it crucial for companies to modernize the security infrastructure of their backup systems. They can do this by using SaaS-based systems that come with modern security features such as multi-factor authentication, triggers and alerts, and the concept of least privilege.
  • The inefficiencies and difficulties of a typical on-premises backup infrastructure, such as overbuilding and overengineering, can be solved by using a SaaS-based system where companies only pay for what they are actually using.
  • Fire drills, or ransomware drills, can help companies develop “muscle memory” and test their incident response playbook before an actual attack occurs.
  • Role-based administration is important to limit the blast radius in case an administrator’s account is compromised. Each person involved in the backup process should have specific roles and responsibilities.
  • State-sponsored attacks on American businesses, especially from Russia, are increasing. It’s important to beef up defenses, assume breaches, and have a playbook ready to respond to ransomware attacks.
  • By 2030, cyber resilience and protection topics will increase as people become more aware of cyberattacks. Passwords will be a thing of the past, and people will have to live in a world of constant cyberattacks.
  • Having a robust backup plan in place with sufficient security protocols is essential to recovering from a cyberattack. It’s important to have the backup system completely air-gapped from the primary network.
  • Druva is a SaaS provider that offers a backup system that is stored behind a different authentication and authorization system. The data and metadata are separated for security reasons and constantly monitored for security purposes.

KEY QUOTES:

“Today, I think the average user is so used to equipment that just works, they don’t really think as much about backup and recovery, I think, as we did back in the day.” – Curtis Preston

“By the way, I do think by 2030, passwords will be a thing of the past.” – Curtis Preston

“It’s also having a robust backup plan in place with sufficient security protocols and that when you are attacked, not if when you are attacked, they can’t take your star player out, and if it all does go down, you have a way to at least build back.” – Curtis Preston

Resources:

Curtis Preston on LinkedIn | Twitter

Backup Central | Druva

Categories
Compliance Into the Weeds

Cyber Security Failures Alleged in Mudge Whistleblower Complaint

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, we mine the whistleblower allegations made against Twitter by Peiter Zatko, AKA “Mudge,” for lessons for the cyber-security professional and the wider compliance discipline. Highlights and questions posed include:

  • The allegations made by Mudge.
  • Why does an organization need a CISO (or CCO or CECO)?
  • How did Twitter get hacked, its employees duped, and its controls bypassed?
  • What is pedestrian yet telling in this saga?
  • Why is data mapping mandatory, if not critical?
  • Where were the external auditors?
  • Is there a Caremark claim here?

Resources

Matt in Radical Compliance

Categories
Compliance Into the Weeds

Internal Controls Lessons from Cyber Failures in Wisconsin

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, we take a deep dive into recent failures detected in the state of Wisconsin regarding cyber security risks around election integrity. Highlights include:

  • The risks uncovered.
  • What is a material risk?
  • Why Multi-Factor Authentication is an important cyber security control.
  • What are the consequences of a single point of failure?
  • How and when should we redefine a hazard?
  • What does CISA say about MFA?

Resources

Matt in Radical Compliance

Categories
Never the Same

Cyber Security Will Never Be the Same

After the Russian invasion of Ukraine, the business world will never be the same again. Deputy Attorney General Lisa Monaco recently said that the world’s “geopolitical landscape is more challenging and complex than ever. The most prominent example is, of course, Russia’s invasion of Ukraine.” It is “nothing less than a fundamental challenge to international norms, sovereignty and the rule of law that underpins our society.” This is even more so in the current business climate. Over this five-part podcast series, I will consider how business will never again be the same and how a confluence of events has changed business forever. I am joined in this exploration by Brandon Daniels, CEO of Exiger. We will explore the irrevocable changes in supply chain, trade and economic sanctions, anti-corruption, cyber-security and ESG. In Part 4, we look at the changes wrought in cyber-security. Highlights include:

  • The Russian invasion made the nature of cyber-security risk explicit.
  • Now continuous non-kinetic warfare.
  • Cyber-security is interconnected with commerce.
  • Quadrant analysis for risk assessment.
  • Jurisdiction risk introduces the “where” equation.