Stay up-to-date on the latest vendor management news happening this month. Discover information to help improve or freshen up your third-party risk management program. Check out some informational articles below.
Recently Added Articles as of May 26
As we wrap up May, security researchers are seeing a new hacking technique called account pre-hijacking. SIM-based authentication might be the answer to prevent phishing attacks and the global food supply chain may be vulnerable to hackers. We also have some helpful tips on organizing your third parties and a how-to guide for managing third-party cyber risk. There’s also an interesting article on how to promote your company culture through third-party risk management. Read on to learn more…
Account pre-hijacking on the rise: A new hacking technique is making the rounds, enabling attackers to gain access even before the victim creates a new account. Security researchers discovered that malicious actors who are already in possession of an email address or phone number can deploy “account pre-hijacking," which takes place before the user creates an account. Five types of pre-hijacking attacks have been identified – classic-federated merge, unexpired session identifier, trojan identifier, unexpired email change and non-verifying identity provider (IdP). It’s again recommended that users secure their accounts with multi-factor authentication (MFA). Users should also periodically remove unverified accounts, implement a low window to confirm an email change and invalidate sessions during a password reset.
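As an added example (not code from the article or from the researchers it summarizes), the following Python sketch shows how an account service can enforce the mitigations listed above: refusing a non-verifying identity provider, discarding credentials and sessions left on an unverified account before a federated sign-in merges into it, keeping the email-change confirmation window short, invalidating sessions on password reset, and purging stale unverified accounts. The AccountStore class, its method names, the constructed dates and the 15-minute and 7-day limits are assumptions.

```python
from __future__ import annotations

import datetime as dt
import secrets
from dataclasses import dataclass, field

EMAIL_CHANGE_WINDOW = dt.timedelta(minutes=15)  # assumed short confirmation window
UNVERIFIED_TTL = dt.timedelta(days=7)           # assumed age after which unverified accounts are purged


class Clock:
    def __init__(self, start: dt.datetime | None = None) -> None:
        # Constructed default date so expiry rules can be exercised deterministically.
        self.now = start or dt.datetime(2022, 5, 26, tzinfo=dt.timezone.utc)

    def advance(self, delta: dt.timedelta) -> None:
        self.now += delta


@dataclass
class Account:
    email: str
    created_at: dt.datetime
    verified: bool = False
    password_hash: str | None = None
    sessions: set[str] = field(default_factory=set)
    linked_idps: set[str] = field(default_factory=set)
    pending_email: tuple[str, str, dt.datetime] | None = None  # (new address, token, expiry)


class AccountStore:
    def __init__(self, clock: Clock) -> None:
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def register_classic(self, email: str, password_hash: str) -> Account:
        if email in self.accounts:
            raise ValueError("email already registered")
        acct = Account(email=email, created_at=self.clock.now, password_hash=password_hash)
        self.accounts[email] = acct
        return acct

    def new_session(self, email: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.accounts[email].sessions.add(sid)
        return sid

    def session_valid(self, email: str, sid: str) -> bool:
        return sid in self.accounts[email].sessions

    def federated_signin(self, email: str, idp: str, idp_verified_email: bool) -> str:
        # Non-verifying IdP: an address the IdP has not verified proves nothing.
        if not idp_verified_email:
            raise ValueError(f"{idp} did not verify {email}; refusing federated sign-in")
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, created_at=self.clock.now, verified=True)
            self.accounts[email] = acct
        elif not acct.verified:
            # Classic-federated merge: an unverified record may have been pre-created by someone
            # else, so drop every credential, session and pending change before the owner takes over.
            acct.password_hash = None
            acct.sessions.clear()
            acct.pending_email = None
            acct.verified = True
        acct.linked_idps.add(idp)
        return self.new_session(email)

    def request_email_change(self, email: str, new_email: str) -> str:
        token = secrets.token_urlsafe(16)
        expires = self.clock.now + EMAIL_CHANGE_WINDOW
        self.accounts[email].pending_email = (new_email, token, expires)
        return token

    def confirm_email_change(self, email: str, token: str) -> bool:
        acct = self.accounts[email]
        if acct.pending_email is None:
            return False
        new_email, expected, expires = acct.pending_email
        acct.pending_email = None  # single use, whatever the outcome
        if self.clock.now > expires or not secrets.compare_digest(token, expected):
            return False
        acct.sessions.clear()  # the login identifier changed; old sessions end
        self.accounts[new_email] = self.accounts.pop(email)
        acct.email = new_email
        return True

    def reset_password(self, email: str, new_hash: str) -> None:
        acct = self.accounts[email]
        acct.password_hash = new_hash
        acct.sessions.clear()      # unexpired session identifier
        acct.pending_email = None  # unexpired email change

    def purge_unverified(self) -> list[str]:
        cutoff = self.clock.now - UNVERIFIED_TTL
        stale = [e for e, a in self.accounts.items() if not a.verified and a.created_at < cutoff]
        for e in stale:
            del self.accounts[e]
        return stale
```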
Can SIM-based authentication end phishing?: Phishing attacks continue to be successful because verification measures like MFA and one-time passwords (OTP) are still vulnerable to misuse. So, what’s the answer? Some experts believe we need to move away from knowledge-based credentials to possession-factor security and other verification methods like biometrics. SIM cards are also a strong possibility as they use the same cryptographic microchip technology that’s built into credit cards. It’s difficult to clone or tamper with SIM cards and every mobile phone user already has this hardware installed. As hackers continue to target organizations with sophisticated attacks, it might be worth considering how to use alternative defense methods.
Pwn2Own contest ends with Windows 11 hacking: It’s a relief to know that some hackers are using their skills for the benefit of mankind! Security researchers at the annual Pwn2Own hacking contest were able to successfully hack Windows 11 with zero-day exploits, earning an impressive $160,000 reward. The event also highlighted several other zero-day bugs found in Teams, Ubuntu Desktop, Apple Safari and Mozilla Firefox. The total payout for 17 competitors was over $1.1 million. As cyber threats continue to impact organizations worldwide, let’s hope that these financial rewards encourage more hackers to find and fix exploits before they get into the wrong hands.
Highlights of the HIPAA privacy rule: If you’re in healthcare, it might be time to refresh your memory on the HIPAA Privacy Rule. The main goal of this rule is to protect patient privacy while still enabling health information to flow easily where it needs to go. It also ensures that patients can receive copies of their own records or ask to have them transmitted to a third party. Entities that are covered by HIPAA can disclose patient information without authorization only in certain circumstances when it relates to their own healthcare operations or if the information is used for public interest. And, remember that compliance with HIPAA extends to your third parties if they’re in scope for this rule.
Global food supply chain vulnerable to hackers: Modern farming includes the use of “smart” machinery, which opens the door to malicious hackers. Experts warn that automatic crop sprayers and robotic harvesters could potentially be hacked and left inoperable, threatening global food supply chains. Just last year, meat processor JBS was the victim of a ransomware attack and handed over $11 million to the attackers. One ethical hacker recently discovered weaknesses in John Deere’s software, allowing him to access machine data through websites. It’s clear that cybercriminals are looking for easy targets, regardless of industry. While it isn’t possible to completely eliminate all cybersecurity threats within your supply chain, it’s still important to maintain a practice of preventing, identifying and responding to incidents.
Tips for organizing your third parties: For many organizations, identifying their full inventory of third-party partners can be a daunting task. There’s no shortcut for this process, but there are a few tips that can make it more efficient. First, set aside your third parties that are involved in sales. Next, it may help to divide your vendors into two groups – indirect and direct. Direct vendors refer to those that provide raw materials, while indirect vendors supply services like customs logistics. After defining these categories, you can move on to identifying potential risks, such as operational, legal and cyber. It’s also important for your compliance team to examine any legal risks, such as money-laundering, antitrust and export controls.
How to manage third-party cyber risk: When partnering with a third-party vendor, there’s likely a level of trust between the two parties. Unfortunately, hackers exploit this trust to initiate damaging attacks. Organizations should understand their critical dependencies in their supply chains, but also realize that some threats can’t be mitigated. Third-party cyber risk management can ultimately be broken down into an easy-to-follow format. First, identify a current list of vendors, then prioritize them based on the level of access they have to your network and their criticality to your business. Assess the risk of each vendor and assign a score and use that information to act. You might decide to accept the risk as-is, work with the vendor to improve it or remove the third party altogether. It’s also important to measure progress, standardize an onboarding process and revise your program as necessary.
Benefits of SOC for Supply Chain: Back in 2020, the American Institute of Certified Public Accountants (AICPA) developed a new SOC report for supply chains. This gave organizations a framework to monitor risks from software vendors related to controls such as security, availability, processing integrity, confidentiality and privacy. The SOC for Supply Chain also includes description criteria for the type of goods produced and controls that meet the applicable Trust Services Criteria. The SOC report must also include incidents that can impact the vendor’s ability to meet its commitments and any controls that must be implemented by the user of the product. Keep in mind that before you can take mitigating steps, it’s important to understand your vulnerability, which can be achieved through this reporting framework.
Remote access and phishing remain top ransomware vectors: New research has shown that most ransomware attacks originate from poorly secured remote access connections and phishing emails. Forty-seven percent of attacks in 2021 were traced back to an external service, either remote desktop protocol (RDP) or VPN. Hackers are also continuing to thrive in the cybercrime-as-a-service economy. Another interesting finding from the research was that the tool most used by attackers was the commercially available SoftPerfect Network Scanner. As third-party data breaches continue to be a top concern, it’s critical to continuously monitor your vendors’ cybersecurity posture.
Promoting company culture through third-party risk management: While it’s understood that third parties can create legal risks like bribery, sanctions and money laundering, they can also provide an opportunity to promote your organization’s company culture. To do this, organizations should identify expectations for how their third parties should conduct themselves in the marketplace. This can be achieved through a Vendor or Supplier Code of Conduct. The onboarding process for third parties is an ideal opportunity to communicate your organization’s ethics, corporate culture and values.
Cybersecurity risk increases with device ecosystem: The Internet of Medical Things (IoMT) can provide a lot of benefits in healthcare, but the risks are also important to consider. The American Hospital Association estimates that there are 10 to 15 connected medical devices per bed, and most providers aren’t equipped to protect this ecosystem from privacy and cybersecurity concerns. Legacy medical devices are especially vulnerable because they can’t be thoroughly protected against current threats. There are several different mitigation strategies that providers can take for their connected devices. Endpoint security, vulnerability disclosure programs and a software bill of materials are just a few recommendations. Vendor audits are another important mitigation strategy and hospitals should ensure that their vendors’ cybersecurity practices meet industry standards.
Real-world impacts from third-party risk: It’s no secret that organizations today are facing significant challenges. The ongoing pandemic, Ukraine war and climate change can all have real-world impacts to business operations and it’s important to consider how these challenges can affect your third-party population. These third-party relationships must be managed holistically, looking at risks outside of just legal and compliance. Operational concerns can threaten a third-party’s ability to produce goods and/or services, so organizations should be able to identify risks that are vulnerable to weather events. Increasing cyber risks are also a concern and compliance professionals should be leveraging their influence to highlight these risks within their organization.
The importance of vendor cybersecurity: Data breaches are a constant and costly threat for many organizations. Dealing with third-party vendors exposes organizations to even more cybersecurity risk, so it’s essential to implement a specific plan of action to protect against third-party breaches. Begin by taking preventative measures and establishing a basic cybersecurity procedure for your vendors to follow. Data protection is the most obvious need when working with vendors, but there’s often some disagreement about how this should be done. Some best practices to protect data include avoiding duplicate storage, unsecured networks and unnecessary password sharing. Also consider utilizing a managed security service provider (MSSP) if you lack in-house capabilities to vet and manage your vendors.
Recently Added Articles as of May 19
Cybersecurity is once again the main topic we’re seeing this week with a doctor accused of ransomware and banking trade groups responding to the SEC’s proposed rules on cybersecurity disclosures. Connecticut has officially enacted privacy legislation and CISA is warning against a recent Windows update. We also have an article on building trust between tech vendors and their customers. Read on for all of this week’s headlines!
Four elements to understand scope for MSSPs: Cybercrime is a very destructive and costly threat, but organizations shouldn’t feel as though they need to completely avoid using digital systems. Utilizing a managed security service provider (MSSP) is an effective strategy that can create a security baseline for an organization. These security services often include things like continuous firewall monitoring and protection against viruses and malware. Before choosing an MSSP, it’s important to understand the scope of your needs. This includes elements like your cyber risk exposure, identification of your valuable data and understanding which of your systems are most vulnerable. You should also perform an audit of your physical, logical and environmental assets. It’s best to avoid “scope creep” by ensuring both you and your vendor are on the same page from the beginning of the relationship.
Cardiologist accused of moonlighting as cybercriminal: It appears as though a French-Venezuelan doctor has broken one of the core principles of the Hippocratic Oath, causing harm not only to a patient, but in the cyber world. The Department of Justice issued a press release accusing Moises Luis Zagala Gonzalez of being the mastermind behind the Jigsaw v2 variant. He’s also accused of offering the Thanos strain as a ransomware-as-a-service in which one of his ransomware customers was able to infect 3,000 computers. The doctor has yet to be apprehended, but faces five years in prison if caught and convicted.
How tech vendors can build customer trust: Many organizations are planning to spend more on digital transformation in the aftermath of the massive shift to work-from-home environments. However, a corresponding increase in cyberattacks has led to a level of distrust between tech vendors and their customers. To address these concerns, vendors can take a few key steps. First, they should prioritize flexibility and customization within their solutions. Vendors should also focus on building a long-term relationship with their customers rather than maintaining a transactional process. Finally, transparency on important issues is an absolute must. Vendors and customers need to align on their strategic business goals, especially concerning sustainability.
Learn the basics of C-SCRM: If you’ve been wanting to learn more about Cybersecurity Supply Chain Risk Management (C-SCRM), this is your chance. A primary goal of C-SCRM is to lessen the likelihood of a cybersecurity threat compromising a supply chain. This is achieved by improving the ability to detect, respond to and recover from disruptions caused by supply chain compromises. Supply chain risk encompasses vulnerabilities caused by third-party cloud services as well as fourth-party risks. To effectively implement a C-SCRM strategy, begin by documenting your entire supply chain. Next, establish a formal governance plan for cybersecurity risk management and identify critical suppliers. Governance guidelines should also be updated continuously.
Cybersecurity risks affect more than just data: In the early days of cybercriminal activity, the biggest threats were data loss and maybe losing a large chunk of change to a ransom demand. However, cybercrime is increasingly affecting critical infrastructure like hospitals and public safety facilities, which can have a significant impact on human health and lives. Two notable examples include the attack on a water plant in Florida and another incident at the University of Vermont Medical Center, which shut down systems for almost a month. Cyber-warfare is also a real threat, as state actors are initiating attacks on other countries. Organizations can prepare for these challenges by identifying the critical data sources that could be affected by an ongoing attack. It’s also important to provide proper training for security analysts. And, remember that your vendors are also a source of cybersecurity risk, so it’s essential to ensure that they’re implementing an effective security strategy of their own.
iPhones at risk for malware through Bluetooth loophole: If you’re one of the one billion iPhone users out there, beware of a malware loophole. It turns out that your iPhone doesn’t need to be powered on for a malware attack. The iOS Find My function allows attackers to load malware onto a Bluetooth chip while in a Low Power Mode (LPM), bypassing the need for the device to be on. Researchers say that LPM support can’t be removed by changing software components because it’s built into the hardware, which poses a new threat model. They also point out that the design of LPM was likely prioritizing functionality and didn’t take into account other threats.
CISA says to avoid May Windows update: The Windows updates for May contained a security flaw that was removed by CISA. A zero-day known as CVE-2022-26925 was actively exploited and would’ve enabled attackers to gain control over the Windows domain. CISA stated that the issue only affected May 10 updates on servers used as domain controllers. They instead encouraged updates on non-domain controller Windows Servers. As cyber threats continue to be a top third-party risk, it’s important to stay on top of the software updates that are safe and those that cause harm.
Healthcare supply chain gets support in whitepaper: In response to the recent CISA alert for managed service providers, the Cloud Security Alliance has published a new whitepaper addressing cybersecurity risk management. The report includes best practices for healthcare providers to manage third-party vendors including food suppliers, pharmaceuticals and medical device vendors. A previous report found that only 23% of providers have adequate security grades for their supply chains, proving that this continues to be a major blind spot for the healthcare industry. The whitepaper also includes details on assessments, treatments, monitoring and response needs. With so many headlines on healthcare data breaches, this whitepaper should be a valuable resource.
Connecticut signs data privacy legislation: The U.S. now has a total of five states with comprehensive data legislation, after Connecticut Governor, Ned Lamont, recently signed Senate Bill 6. The law goes into effect July 1, 2023 and contains many similarities to laws in California, Colorado, Utah and Virginia. A notable difference in Connecticut’s bill is the absence of an annual revenue threshold. In other words, an organization won’t be in scope of the law due to its annual revenues. Other exempted entities include state and local governments, nonprofits and higher education. As more states join the data privacy law bandwagon, it’s important to ensure both you and your organization remain in compliance.
Healthcare supply chain risks in spotlight after ransomware: A recent ransomware attack on a California-based medication management systems provider is a critical reminder of the cybersecurity threats facing healthcare. Omnicell disclosed to the SEC that it was the victim of ransomware which had affected its internal IT systems. The filing stated that Omnicell took immediate steps to respond to the incident and implemented its business continuity plans to ensure they could still operate. The healthcare provider also acknowledged the significant risk of cyber threats and data breaches within the supply chain while noting that cyber insurance cover is decreasing. A key takeaway from an incident like this is that healthcare providers and their suppliers need to remain vigilant against these attacks while also being prepared to intervene quickly.
Banking groups take issue with SEC cybersecurity rules: After the SEC announced its proposed rules on cybersecurity risk management in March, certain banking trade bodies are warning that they fall short of addressing other policy goals. The Bank Policy Institute, American Bankers Association and others are generally supportive of the proposals but believe that certain requirements related to incident disclosures were made “without sufficient regard” to security risks. The groups argue that periodic disclosures shouldn’t have to reveal details around remediation activities as this would be beneficial to threat actors. As third-party security incidents are one of the leading threats to organizations today, it should be interesting to see how this debate will play out. Read the full joint trades letter to learn more.
Recently Added Articles as of May 12
This week, the White House hired a former Microsoft executive and an ex-CIA leader to strengthen the country’s cybersecurity efforts. The UK’s critical infrastructure is seeing an increase in cyberattacks and a ransomware attack is to blame for the permanent closure of a historic school. NIST has also revised its guidance on supply chain cybersecurity. Read on for more of this week’s highlights.
Secure connectivity for third-party access: Did you know third parties are behind over half of all data breaches? It’s estimated that cybersecurity risk will soon be the deciding factor for many organizations when choosing third-party vendors. For vendors looking for a competitive advantage, they’ll need to implement technology that is effective in controlling, managing and securing connectivity into their customer networks. Third parties will also need to re-evaluate their security measures to stay on top of industry-wide threats. Organizations are no longer just looking for vendors to perform a job. They want a strategic business partner who is actively managing cybersecurity risks.
Cyberattacks rising among UK critical infrastructure: UK professionals in the transport and aviation sectors are voicing their growing concerns about the potential for cyber warfare. Since the beginning of Russia’s invasion of Ukraine, the UK’s critical national infrastructure (CNI) has faced more cyberattacks and many security professionals are worried about vulnerable systems. A recent survey found that one in ten security decision makers aren’t confident in their teams’ ability to handle a cyberattack. CNI operators are advised to collaborate with their peers and implement threat intelligence to strengthen their resilience strategy. We’ve seen how the Russia-Ukraine conflict continues to have a global impact, so it’s imperative to monitor these emerging threats that could potentially affect your organization.
Corporate compliance’s expansion into ESG: As ESG initiatives gain traction in today’s business environment, many are wondering where this responsibility lies. Corporate compliance professionals are likely the most prepared to manage ESG, but they still need proper guidance to effectively incorporate ESG efforts into their programs. The EU is leading the way when it comes to regulatory frameworks on ESG transparency, and many organizations are developing their own strategies to prepare for formal regulations. It’s important to remember that ESG isn’t just about an organization’s carbon footprint. It also extends to environmental and social issues within its third parties. Reputation risk is a concern if your third parties are engaged in unsavory practices, so it’s essential to understand your third-party ecosystem.
Microsoft and CIA alumni join White House cyber program: The Biden Administration is making good on its promise of protecting the country from cyber threats. The Office of the National Cyber Director is gaining a few high-level executives to strengthen cybersecurity in the United States. Former Microsoft executive, Kemba Eneas Walden, previously led a program to combat ransomware and will be the new principal deputy national cyber director. Neal Higgins, who previously served as a senior CIA official, brings a background of cybersecurity and open-source collection. With the addition of these new experts in the White House, let’s hope that we see a decrease in cybersecurity crises moving forward.
Malicious apps found on Google Play Store: Joker malware is still playing tricks on Android users as a new set of trojan-infected apps was discovered on Google Play. The malware allows hackers to steal texts, contact lists and other device information. The infected apps are often disguised as messaging, health tracking or PDF scanner applications. Experts warn that the Joker malware proves that basic security and managing mobile devices simply aren’t enough to protect against these types of attacks. If you download an app from an official store, it’s important to read the reviews and verify the legitimacy of the developers. And, be selective when granting permissions, which should only be for performing intended functions. Due diligence best practices aren't only relevant to third-party risk management… they can also help keep you safe from harmful apps!
Microsoft Security Experts combine humans and machines: Microsoft is offering new, managed cybersecurity services that use both machine learning and human skills. The goal of Security Experts is to help organizations achieve their goals around security, privacy and compliance. One new service named Defender Experts for XDR aims to detect, analyze, investigate and respond to threats within various apps like email and cloud. These new services arrive at a time when many organizations are facing a labor shortage in their cybersecurity teams. Machine learning may help fill in the gaps of cybersecurity programs, but it’s evident that humans are still an essential part of an organization’s strategy.
Ransomware attack permanently closes Lincoln College: A college in Illinois is shutting down after 157 years, thanks in part to a ransomware attack in December. The college had previously survived other crises throughout its history, such as a major fire, the Great Depression and the 2008 financial disaster. The ransomware attack impacted admissions activities and prevented the staff from accessing institutional data. Many schools have been victims of these types of attacks, but this marks the first time that a school will permanently close as a result. Tragic stories like these serve a valuable lesson in the importance of cybersecurity practices and effective business continuity and disaster recovery plans. Cyberattacks can happen to anyone, so it’s critical to know how to respond and recover.
Lessons learned from vendor incidents: Most organizations have at least a few critical vendors that have a significant impact on their operations. Keep in mind that these same vendors are also primary targets for threat actors who are seeking out sensitive data for extortion. It’s important to strengthen your defenses to protect against the damages of vendor incidents. Be aware that identification and notification timelines can vary. Make sure you’re aware of your vendors’ ransomware playbooks and the results of their tabletop exercises. The process and extent of information sharing will also vary among different vendors. Remember that initial and recurring due diligence is key to evaluating a vendor’s compliance with security requirements. Also, don’t forget that vendor incidents can potentially lead to regulatory inquiries and class actions for your organization.
Healthcare faces unique third-party risk challenges: The healthcare industry faces the highest average costs of data breaches, highlighting the fact that third-party risk management (TPRM) is an important area of focus. Healthcare organizations of all sizes are exposed to different areas of third-party risk, including strategic, financial, regulatory, environmental, cyber and human capital. This final risk relates to the impact that a vendor might have on a healthcare workforce that has already faced significant pandemic-related stress. It’s important to consider how a vendor’s work will affect employee morale, recruitment and retention. Minimizing third-party risk begins with onboarding, but ongoing monitoring is just as essential. Building a strong TPRM foundation begins with understanding the right questions to ask your vendors and forming an alliance to properly assess risk.
Overlooked risks in third-party physical security: Cybersecurity risk usually gets all the attention when it comes to third parties, but the truth is that physical risks can’t be ignored. A 2022 study on third-party risk management found that 40% of organizations are focusing more on non-IT security risks such as modern slavery, anti-money laundering (AML) and corruption. These physical security risks can lead to compliance violations, fines and reputational damage. While cyber threats are certainly a concern, a strong third-party risk management program should be aware of all types of threats.
New NIST guidance for supply chain cybersecurity: The National Institute of Standards and Technology (NIST) has revised its publication on Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which includes details on how to identify, assess and respond to risks throughout the supply chain. This revision comes in response to last year’s Executive Order. One highlight encourages security professionals to evaluate the vulnerabilities of a product’s components rather than just the finished product. The revised publication is primarily meant for acquirers and end users of software, products and services.
Recently Added Articles as of May 5
As we head into May, we have some interesting articles on how third-party risk impacts e-commerce sites and why cybercriminals are benefitting from remote work. Supply chain disruption continues to be a struggle, but there are a few tips to help improve relationships with suppliers. Cloud technology has increased the risk of supply chain attacks and vendor management systems can potentially ease labor shortages in healthcare. We also have an update on U.S. data privacy laws, so read on for all the details!
Preventing supply chain attacks in the cloud: A recent survey found that 36% of respondents are operating in multiple cloud platforms, a number expected to double over the next three years. Organizations have rapidly shifted to the cloud during the pandemic and attackers have followed in their footsteps. Vendor supply chain attacks in the cloud continue to be a threat, so organizations need to take an active approach in mitigating these risks. It’s essential to understand which vendors operate in a cloud environment and what privileges those vendors have. Organizations should also know what type of visibility they have into a vendor’s access and activity as well as the typical access chain for the identity. After establishing a baseline on a vendor’s access and activity, it’s easier to monitor for any deviations and detect anomalies. Security teams are then able to isolate the permissions if a vendor gets compromised.
E-commerce sites aren't immune to third-party risk: Highly regulated industries such as finance, healthcare and insurance are often the main players when it comes to third-party risk management, but e-commerce websites are just as vulnerable to third-party risk. According to a recent study of over two billion user sessions, 144,000 customer data records were at risk of leaking thanks to third-party services that were running on the e-commerce sites. This had the potential to lead to $1.6 million in damages. Third-party plugins are often used on sites to manage things like analytics and customer service, giving attackers multiple access points to steal sensitive data. Smaller sites hosting on open-source software can face different challenges and risks as they don’t always have access to vulnerability and remediation information. The findings from the survey also highlighted how quickly a third-party service can become infected with little to no awareness from the victim websites.
American Dental Association hit with ransomware: The American Dental Association (ADA) appears to be the latest victim of the Black Basta crime group who stated that it deployed a ransomware attack on the ADA’s systems. The criminals claimed to have leaked 30% of the data they stole, though the ADA has found no evidence that members' data was compromised. The same ransomware group was responsible for a cyberattack on a German wind turbine company in April. Researchers are suggesting that Black Basta may actually be a rebrand of the Conti group because of its use of double extortion ransomware techniques. As with any high-profile incident, this serves as a reminder to stay on guard against potential cyberattacks.
Europol warns of deepfake threats to cybersecurity: You may have seen deepfake technology making the rounds online with celebrity faces being superimposed on different bodies. This is often done for satire or gaming purposes, rather than nefarious goals. However, experts are warning that this technology could potentially be used by criminals to spread disinformation, execute phishing and business email compromise (BEC) attacks, falsify evidence and even manipulate financial markets. Deepfakes are often convincing enough that the human eye can’t detect a forgery, but new technology is emerging to combat this issue. The European law enforcement agency Europol recommends that users rely on audio-visual authorization instead of audio only. Demanding a live video connection is another strategy that can help avoid being deceived by deepfakes. Cyber threats will continue to evolve into more sophisticated methods, so it’s critical to be vigilant of risks that can ultimately impact your organization.
Millions of Aruba and Avaya devices contain bugs: Five critical vulnerabilities have been identified in Aruba and Avaya devices, some of which can be triggered without authentication or user interaction. About 10 million devices are affected and, if the flaws are exploited, attackers could move laterally to other devices and steal corporate data. Security researchers have stated that captive portals are exposed to these vulnerabilities, and organizations with affected Aruba devices should patch them immediately.
Outsourcing medical device manufacturing: Nearly every organization relies on outsourcing, either to reduce costs or to access specialized capabilities. For those in the medical industry, outsourcing manufacturing requires special considerations. Outsourcing the production of medical devices is known as contract manufacturing, and the practice can provide many benefits, including streamlined logistics, decreased lead times and access to product experts. When selecting a contract manufacturer, business leaders should consider whether the vendor has experience with the specific device and whether it can provide all the necessary services. It's also a good idea to assess the manufacturer's reputation and to evaluate long-term business needs. While these suggestions are aimed at the medical industry, they are best practices that can benefit nearly every organization.
Remote everything gives cybercriminals an edge: It's no secret that many employees have embraced remote working, and the same can be said for cybercriminals. Security researchers have discovered that cyber adversaries are exploiting remote work attack vectors to deploy various malware variants. Phishing lures or scripts are typically used to inject malicious code or redirect users to dangerous sites. Three broad distribution mechanisms have been identified: Microsoft Office documents, PDF files, and HTML and JavaScript browser scripts. Remote environments are expanding the attack surface, but there are ways to address this security problem. Security teams need to implement solutions that follow, enable and protect users wherever they work. Endpoint security and zero trust network access are also valuable tools. In general, it's a best practice to take a comprehensive approach that considers all work arrangements, whether in the office or at home.
Six data breaches lead to protected health information (PHI) exposure: Hacked email accounts are to blame for six separate data breaches at HIPAA-regulated entities. A phishing attack was behind an incident at a Colorado-based provider as well as one at the Los Angeles County Department of Mental Health. Another incident in Iowa was linked to an employee who sent unauthorized emails to internal and external addresses. It's evident that social engineering attacks continue to be a primary threat for many organizations, compounded by poor cybersecurity practices by employees. As healthcare data is a prime target for cybercriminals, it's more important than ever to implement effective cybersecurity education and training.
The latest on U.S. data privacy laws: Until the U.S. establishes federal legislation for data privacy, business leaders need to stay on top of the various state laws that can impact their organization. State privacy laws are in place to protect users' personal data from being mishandled or maliciously used. Some laws require that an organization obtain explicit permission to handle data in a certain way, while others allow users to request permanent deletion of their data. Existing federal data privacy laws apply to specific types of data and individuals, such as the Gramm-Leach-Bliley Act, which governs financial institutions, and the Health Insurance Portability and Accountability Act, which covers protected health information. At the state level, California and Virginia are leading the way with the most comprehensive privacy laws to date. Colorado and Utah also have legislation, but there's still a long way to go before the rest of the U.S. joins in.
DDoS attacks target Ukrainian and Romanian authorities: Ukraine and its allies continue to be targeted in pro-Russian cyberattacks. One of the latest was launched by the group Killnet, which specializes in distributed denial-of-service (DDoS) attacks. Public and private Romanian organizations were impacted, including the Ministry of Defense and Romanian Railways. Killnet was also responsible for recent attacks on critical infrastructure in the Czech Republic, though it failed to access private citizen data. Interestingly, the hacking group has stated that it doesn't wish to harm people of other countries, but rather to "create maximum damage to the network info structure of enemy countries." Though your organization may not have a direct link to Ukraine, it's important to consider whether your vendors could be impacted by these attacks.
SEC's proposed climate rules bring increased litigation risks: If the SEC's recently proposed rules on climate disclosures are implemented, they'll inevitably increase enforcement and litigation risks related to environmental, social and governance (ESG) issues. Organizations should be aware of these risks and how they can extend to their third parties. There will likely be comparisons between an organization's SEC disclosures and its other public statements, such as sustainability reports and website marketing. Business leaders should also expect greater scrutiny of public information on relevant operations within their organization and supply chain. The proposed disclosures would mandate exposure of an organization's management and operations, leading to an increased likelihood of shareholder actions, proxy fights and board election battles. It's recommended to maintain a strong and integrated risk assessment and compliance program to address the SEC's proposed rules and mitigate risk.
Five strategies for supply chain disruption: It can sometimes feel as though supply chain disruptions will never end. Global events like the pandemic and Russia's invasion of Ukraine have continued to highlight the need for organizations to improve vendor relationships so they can maintain supply. Supplier management can be improved with five simple strategies. First, treat your suppliers like partners to achieve a win-win relationship. Second, create strategic long-term agreements to ensure uninterrupted supplies and open opportunities for sustainability and innovation. Third, create supplier performance scorecards; they're a valuable tool that sets clear expectations and enables you to provide immediate feedback if improvement is needed. Fourth, write contract clauses carefully to safeguard against legal disputes or risk events. Finally, regularly assess your supplier inventory against business priorities.
Vendor management systems are at the center of a healthcare study: Are vendor management systems the answer to labor shortages in healthcare? This is the question Cross Country Healthcare is hoping to answer in a new study that will evaluate the use of vendor management systems to automate and streamline the hiring process. A centralized platform provides users with valuable data, allowing for more informed hiring decisions. Cross Country Healthcare's Chief Commercial Officer, Dan White, noted that government mandates and increased support for healthcare IT solutions have been a driving force behind the growth of this market. A study found that 40% of healthcare providers currently use vendor management systems, with data security and improved processes being the top benefits.
Privilege escalation flaws found in Linux OS: Microsoft has identified two privilege escalation vulnerabilities in Linux, collectively named Nimbuspwn. The flaws can be used to gain root privileges, allowing attackers to deploy payloads and perform other malicious activities. The defects are tracked as CVE-2022-29799 and CVE-2022-29800, and Microsoft noted that they could ultimately be used to deploy ransomware. The increase in Linux vulnerabilities has emphasized the need for robust monitoring and comprehensive, proactive vulnerability management. As most experts will agree, an effective cybersecurity strategy includes clearly defined details on how to prevent, detect and respond to incidents.