Password Complexity – What Matters the Most?
The number of daily internet users is consistently increasing, which means the number of vulnerable passwords is increasing as well. As a result of users’ increased presence online, malicious attackers are looking to exploit the lack of complexity in user passwords. When creating a new account on a website, streaming service, etc., you often see specific password requirements for length and character complexity (certain length, special characters, capitalization, etc.). While sometimes this can seem overbearing and annoying, it is important to understand that a complex password is often a more secure one.
To best explain how attackers look to exploit passwords, we have created a dice scenario that we will walk through. Through this example, we will look at how the complexity and length of a “secret sequence” can make it harder for a hacker to break into an account.
The setup begins by selecting a sequence that we must keep secret; this secret sequence will be our password. For our example, our secret sequence will be “2145”. Using the dice shown (Image 1), it is impossible for someone rolling each one to come up with our secret sequence. No matter how many times the dice are rolled, there are simply not enough dice to match our sequence (there are 4 numbers in our secret sequence, therefore an attacker would need 4 dice to guess our sequence). If our numbers were more limited, even by one die, an attacker would be able to guess our secret sequence with ease.
In scenario 2 (Image 2), we have added 2 new dice to the sequence. Using the same secret sequence, “2145”, the number of dice now meets the length requirement to guess our secret sequence, but the highest number on the dice is only 4. So again, no matter how many times a person rolls this set of dice, they will never be able to guess our secret sequence.
In scenario 3 (Image 3), we have increased the total number of dice to five and total number of sides on each die to six.
This combination of the dice gives a person the chance to finally guess our secret sequence. With five dice with six sides each in total, someone randomly rolling the dice would eventually be able to guess our secret sequence of “2145”. If you wanted to add more security to your number sequence, you would want to increase the length of the overall sequence and use more numbers than just 1-6. By making these easy and simple changes, you would increase the difficulty of guessing the secret sequence immensely.
Now let’s take this example and apply it to passwords. Hackers regularly perform an attack known as “Brute Force”, in which they attempt to guess account passwords. Hackers can use computer programs to automate this attack so they can attempt thousands of passwords in just seconds. In a brute force attack, the program can randomly guess characters and numbers in a sequence until it obtains access to the account. Hackers frequently use a brute force method known as a “Dictionary Attack”. This type of attack uses common words that one would find in a dictionary to guess an account’s password. Hackers will include numbers and special characters with these words, so the chances of them guessing your password are increased.
So, how exactly does one protect themselves from a hacker guessing their password or obtaining the password from a brute force attack? Just like in our example, we can increase the complexity of our passwords. By making simple changes to increase the complexity of your account passwords, such as using longer passwords, with more complexity in the characters (i.e. special characters, numbers, and a mixture of lower case and capitalized letters), you can reduce the risk of your account’s password being guessed by a hacker. This will protect your personal, business, or sensitive information from being stolen by hackers.
Does your company have the right cybersecurity plan in place?
Contact us for more information on how our customizable services may help protect your business. Posted by Kyle Rauschelbach with additional contributors Mike Harber, Brendan Kenney & Max Winterburn
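
The dice scenarios and the brute force and dictionary attacks described in this post, modelled as search spaces. This is an added example, not part of the original post; the dice counts for scenarios 1 and 2, the guess rate, the word list and the sample passwords are assumptions constructed for illustration.

```python
from itertools import product
import string

SECRET = "2145"  # the secret sequence used in the post


def reachable(secret, n_dice, sides):
    """Can any roll of n_dice dice with faces 1..sides show the secret?"""
    return n_dice >= len(secret) and all(1 <= int(d) <= sides for d in secret)


def keyspace(length, alphabet_size):
    """Number of distinct sequences an exhaustive search has to cover."""
    return alphabet_size ** length


def guesses_to_find(secret, sides):
    """1-based position of the secret in an ordered exhaustive search, or None."""
    faces = [str(f) for f in range(1, sides + 1)]
    for n, roll in enumerate(product(faces, repeat=len(secret)), start=1):
        if "".join(roll) == secret:
            return n
    return None


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every sequence at a given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


# Constructed sample data (assumption): a tiny word list plus the kind of
# "word + number + special character" variations the post describes.
WORDS = ["password", "summer", "dragon", "welcome", "buffalo"]
YEARS = [""] + [str(y) for y in range(2015, 2026)]
SPECIALS = ["", "!", "#", "$"]


def dictionary_candidates():
    """Yield every candidate the constructed dictionary rules produce."""
    for word in WORDS:
        for variant in (word, word.capitalize()):
            for year in YEARS:
                for special in SPECIALS:
                    yield variant + year + special


def dictionary_rank(password):
    """1-based position of the password among the dictionary candidates, or None."""
    for n, candidate in enumerate(dictionary_candidates(), start=1):
        if candidate == password:
            return n
    return None


def alphabet_size(password):
    """Size of the character set implied by the character classes in use."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def audit(password):
    """Compare the nominal brute-force keyspace with dictionary exposure."""
    size = alphabet_size(password)
    return {
        "length": len(password),
        "alphabet": size,
        "brute_force_keyspace": keyspace(len(password), size),
        "dictionary_rank": dictionary_rank(password),
    }


if __name__ == "__main__":
    # Scenario dice counts for 1 and 2 are assumptions; the images are not available.
    for name, dice, sides in (("scenario 1", 2, 4), ("scenario 2", 4, 4), ("scenario 3", 5, 6)):
        print(name, "secret reachable:", reachable(SECRET, dice, sides))
    print("six-sided search finds the secret at guess", guesses_to_find(SECRET, 6),
          "of", keyspace(len(SECRET), 6))
    # 1,000 guesses per second is an assumed rate for "thousands in just seconds".
    print("seconds to exhaust 4 dice:", seconds_to_exhaust(4, 6, 1000))
    for pw in ("Summer2024!", "q7#Vr2!xLp0"):  # constructed sample passwords
        print(pw, audit(pw))
```

A password such as the constructed "Summer2024!" satisfies every complexity rule yet sits inside a 480-entry candidate list, which is why length and unpredictability matter more than ticking each character class.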
Who Let the Hacker in the Front Door?
These days, it’s not enough to just have a well-secured system and network protecting your business in the world we live in. Equally important, you need to ensure that your employees are not letting the bad guys in through your front door. It has been well documented by Law Enforcement agencies and many security professionals that over 90% of all Ransomware attacks can be attributed to actions taken by an employee. This is not to say they are a willing accomplice or that their acts were intentional. Simply clicking on a malicious email link, falling prey to a doctored-up email, or visiting an unfamiliar website can cause significant disruption and potentially jeopardize your business.
Some recent trends you may not be aware of: (KnowBe4)
Over the years, DataSure24 has worked on several incident response events where an attack was initiated almost immediately after an employee “clicked” on something they should not have. With each event, there was no Cybersecurity Incident Response plan in place, and the time to recovery was significantly impacted. Other attacks vary: the bad guys embed themselves in your network and lie undetected for many months, learning how best to inflict the most pain on your organization and to ensure their ransom will be paid or your data will be removed.
Some best practices that would improve your cybersecurity posture are: implementing a 24/7 Managed Detection and Response service, an ongoing Vulnerability Management program, and performing regular security assessments. One of the top seven things you can do in building a solid defense in depth strategy to protect yourself from a cyber-attack is developing a Security Awareness Training program (SAT).
Keys to a Successful Security Awareness Training Program:
To ensure your Security Awareness Training program’s success, it is recommended that you have early buy-in from senior management, including active participation.
Additionally, having someone with either a Security or Training background (both would be a plus) within your organization to manage the program or contracting with an outside firm will help to ensure success.
Not only do I believe strongly in the benefits of a good Security Awareness Program, but several prominent compliance organizations believe this as well. Many organizations have to comply with various compliance acts to increase protection and avoid violations and fees, as listed below:
Implementing a Security Awareness Training Program for your employees is extremely important in order to reduce your exposure to potential threats. The DataSure24 team can assess your employees’ current cybersecurity awareness and develop a training solution that fits your organization and its culture. For more information, visit our Security Awareness Training page.
Posted by Peter Ronca
Introduction to Amazon Web Services (AWS)
AWS is the world’s most comprehensive and broadly adopted cloud platform, which offers services from data centers all around the world. As of 2020, around 50 percent of all corporate data is stored in the cloud. The amount of data stored in the cloud has increased by 20 percent in the past 5 years, and that percentage is exponentially increasing every day as companies seek improvements in security, reliability, and cost of their organization’s resources.
If you work in the IT industry, you have most likely heard of Amazon’s cloud platform known as Amazon Web Services, or AWS. However, you might be wondering what it is, what you can use it for and how it can help your organization.
AWS’s core infrastructure is built to satisfy security requirements for all industries including the government, global banking, and other highly sensitive industries. AWS supports 90 different security standards and compliance certifications, and is backed by a deep set of cloud security tools. AWS offers a pay as you go approach for pricing, which makes testing the waters or scaling your organization’s resources easy and affordable.
AWS offers 200 fully featured services to cover everything from simple data storage (Amazon S3), to commanding and controlling satellites (AWS Ground Station). Although controlling satellites is not the most frequently used service among everyday organizations, it goes to show that the abilities of AWS are massive. Some of the more commonly used services, from my experience, such as Amazon S3, AWS Lambda, Amazon EC2, Amazon RDS, and DynamoDB, give organizations the ability to remove the need for on-prem servers and increase the reliability and security of their resources, while decreasing costs of storage and compute power.
On average, migrating your organization’s infrastructure to AWS has an infrastructure cost savings of 31%. Also, migrating reduces unplanned downtime of organizational resources by 69%, while reporting 43% fewer security incidents per year.
AWS has endless knowledge-based articles for helping with almost any problem you encounter while using their services. They have designed services specifically for migration to the cloud, and offer solutions to migrate any workload such as applications, websites, databases, storage, physical and virtual servers or even entire data centers.
Organizations of every type, size, and industry are using AWS for a wide variety of use cases. Cloud computing is the future of computing, and the benefits are undeniable, from the elasticity of resources to being able to deploy globally in minutes.
This blog entry is the first in a series we will be posting on the topic of Amazon Web Services. We will be detailing different use cases for a number of Amazon Web Services, types of cloud computing, migration tutorials, web application hosting, and others.
Posted by Bryan Cowing
Understanding DoD Frameworks
The Department of Defense or DoD provides the United States of America military with forces that are needed to deter war and ensure the nation’s security. To accomplish this mission, the DoD is partnered with the Defense Industrial Base sector, which involves over 100,000 Defense Industrial Base companies and their subcontractors to provide essential materials and services to the DoD. This includes research and development, as well as designing, producing, delivering, and maintaining military weapons systems and components or parts. Within the last decade, the DoD has worked continuously with the Defense Industrial Base sector to enhance the protection of Controlled Unclassified Information (CUI) within unclassified networks that belong to organizations within the Defense Industrial Base sector. What exactly is CUI and why does it need to be protected? The DoD has defined CUI as: Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. To adequately safeguard CUI, the DoD has implemented several frameworks and contractual requirements that organizations within the Defense Industrial Base that handle CUI must comply with and implement. There are three main frameworks/contractual clauses that are currently being used to safeguard CUI or in the process of being implemented to safeguard CUI: The Defense Federal Acquisition Regulation Supplement also known as DFARS is the DoD’s Federal Acquisition Regulations (FAR) supplement that was published in December 2015. The primary objective of the DoD’s acquisition is to acquire quality supplies and services that satisfy users’ needs with measurable improvements and operational support at a fair and reasonable price. 
Within the DFARS clause there is a set of Cybersecurity requirements that DoD contractors must adhere to, to maintain or obtain a DoD contract. This requirement is in section 252.204-7012 of DFARS and is titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The objective of this clause was to protect CUI and the flow of CUI on the contract holder’s information systems and networks. Within this clause, contractors within the Defense Industrial Base are required to provide adequate security on all covered contractor information systems. The DoD requires that the contractor’s information system and network implements the security requirements within NIST SP 800-171 which is titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” This publication that was developed by NIST is guidance for protecting the confidentiality of CUI when it resides on and flows through nonfederal organization’s information systems. Within NIST SP 800-171, there are 110 security controls that are spread out through 14 different control families or domains. These domains range from Access Control to System and Information Integrity. The implementation of the security controls from NIST SP 800-171 is recognized to be adequate security that protects against the loss, misuse, and unauthorized access to or modification of CUI. So, on top of the security controls from NIST SP 800-171, organizations also need to be compliant with additional requirements that were specific to DFARS section 252.204-7012. The main requirement is the Cyber Incident Reporting Requirement. This requirement in the clause states that when a contractor discovers a cyber related incident, the organization must conduct an investigation to determine the scope, impact, and results of the incident. The contractor must then submit a report of their findings to the DoD. 
To be compliant with the DFARS requirements, all it takes is for an organization to self-attest that they comply or will comply with the security controls and requirements within DFARS. There is no certification process for NIST 800-171 or DFARS, it is all based on the honor system. Therefore, it did not take the DoD long to realize that without a certification process, many organizations were performing self-assessments and were claiming to be DFARS compliant, without fully understanding the security controls and how to safeguard CUI within their information systems. This leads us to the creation of the CMMC. The CMMC was released on January 31st of 2020 and the intent of the CMMC is to incorporate a certification process into DFARS and use it as a requirement for contract award with the DoD. Much like DFARS, the purpose of the CMMC is to enhance the protection of CUI, within the Defense Industrial Base. CMMC measures cybersecurity maturity with 5 different levels. Each of these levels consists of a set of processes and security practices. There are a total of 171 security practices or controls throughout 17 different control families and 5 different processes within the CMMC model. Organizations within the Defense Industrial Base that handle CUI will be required to be at least CMMC level 3. CMMC level 3 consists of all 110 controls from NIST SP 800-171, as well as 20 other security practices specific to CMMC. Additionally, organizations will be required to implement 3 processes which are designed to mature the cybersecurity program. A major difference between CMMC and DFARS, is that CMMC requires assessments to be performed by 3rd party assessors only. Organizations are still responsible for implementing all of the cybersecurity requirements associated with the CMMC. However, there are no more self-assessments like there were with DFARS. 
All assessments must be performed by a CMMC-Accreditation Body (AB) approved assessor and then the assessment results will be sent to the CMMC-AB for review before a CMMC certification is awarded to the organization seeking certification.
Posted by Brendan Kenney
Cybersecurity: Where to Start (or Restart)
Every business, no matter the type or size, needs to take a proactive approach to cybersecurity. You do not want to find yourself questioning your business’s cybersecurity capabilities during a cyber incident or data breach. By having a strong cybersecurity program in place, not only will you be able to respond to a cyber incident quickly and effectively should one occur, but also mitigate the risk of becoming a target for a cyber-attack in the first place.
To develop an effective cybersecurity program for your company (without requiring a lot of resources), here are some important initial steps to take:
Here are some easy, but effective, actions you can take to protect your business’s sensitive data and core assets right now:
1. Harden Core Assets
System hardening is the process of securing a system by reducing the number of potential attack vectors, which reduces the security risk. Some ways to secure your systems are limiting access to the system, regularly updating the system and its software, closing unused ports, removing unnecessary software, and collecting and reviewing audit logs. The Center for Internet Security (CIS) has published numerous benchmarks for different operating systems, software, network devices, mobile devices, and cloud providers. It is highly recommended that you start here for your system hardening needs.
2. Conduct Vulnerability Scans
Vulnerability scanning is the process of using automated tools to search for known vulnerabilities and provide details on what can occur if the vulnerability is exploited, and most importantly, how you can remediate the vulnerability. There are two types of vulnerability scanning:
Internal vulnerability scanning consists of deploying a scanning device on your internal network to search for vulnerabilities on other devices on the network.
External vulnerability scanning uses a special scanner which is outside your network and checks your public facing devices and websites for vulnerabilities.
It is highly recommended that an organization perform internal vulnerability scans at least quarterly, and external vulnerability scans at least once annually. Once vulnerabilities are discovered, technical teams should work to follow the guidance from the scan results to remediate the vulnerabilities on your organization’s systems and network. (Nessus, OpenVAS, Qualys, and Nikto are just a few examples of free or cost-effective vulnerability scanning tools.)
3. Establish Proactive Security Defenses
Taking a proactive approach to cybersecurity has many advantages and is not as difficult as you may think. Here are some things you can do right now:
4. Adhere to a Cybersecurity Framework & Create Security Policy Documentation
Your organization should have security policy documentation that details the organization’s security requirements. A good security policy will:
The first step to creating effective security policy documentation is to identify and choose a cybersecurity framework that your organization wants to adhere to. There are many cybersecurity frameworks that your organization can adopt to provide guidance for protecting your sensitive data and core assets. We recommend the National Institute of Standards and Technology Special Publication 800-171 r2 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf). The publication also provides guidance on how to implement these best practices, so you can protect your information and organization.
CMMC 2.0
In 2020, the manufacturing industry saw a 300% increase in cyberattacks, and moved from the 8th most targeted industry by cybercriminals to the 2nd, behind only finance and insurance. That is not surprising, as manufacturing businesses harbor a wealth of information that hackers can use to extort millions. With more than 250,000 Defense Industrial Base (DIB) companies and subcontractors involved in work related to the U.S. Government, a data breach presents a significant threat to sensitive federal and unclassified information, as well as to national security.
Government agencies responded to the cyber threats by proposing stricter regulations for companies that protect sensitive data. In early 2020, the Cybersecurity Maturity Model Certification and the IoT Cybersecurity Act were both introduced to ensure minimum cybersecurity regulations for companies that work with government agencies. The CMMC defines levels of cybersecurity required for DoD contractors to bid on and complete projects for the DoD. This certification ensures all companies and subcontractors who supply the DoD establish a specific framework for cybersecurity, to protect the data that the DoD entrusts them with.
Not surprisingly, there have been changes to the program since CMMC 1.0’s introduction in 2020. CMMC 2.0 includes five key changes to the program:
1. The CMMC now defines 3 levels of cybersecurity required for DoD contractors to bid on and complete projects for the DoD. (The new CMMC 2.0 levels are based on the type of information DIB companies handle.)
2. While CMMC 1.0 included 130 practices, CMMC 2.0, introduced in November 2021, is a 1:1 reflection of NIST SP 800-171, with 110 practices. The 20 practices added by the DoD have been removed.
3. CMMC 1.0 only let contractors and subcontractors pass with a perfect assessment score. There was no flexibility to remediate. CMMC 2.0 allows contractors and subcontractors to sign DoD contracts using the Plan of Actions and Milestones (POAM).
Organizations who have not yet fully implemented NIST 800-171 can submit a solid plan for achieving full compliance, with specific dates and a timeline. This POAM is submitted before work begins and enables organizations to begin working for federal agencies whilst they simultaneously work towards full implementation of 800-171.
4. The maturity level is no longer based on processes and policies, but on practices used.
5. The maturation model was restructured from 5 levels to 3, to better reflect how mature and reliable a company’s cybersecurity infrastructure actually is.
As threats grow, and companies address cybersecurity regulations enforced by NIST and outlined by recently introduced legislation, companies who fail to address cybersecurity will fall behind. Even worse, these unprepared organizations may become easy targets for cybercriminals.
If you have any questions related to CMMC compliance, contact DataSure24 at info@datasure24.com.
The Safeguards Rule and its Impact on Financial Institutions
The Standards for Safeguarding Customer Information (Safeguards Rule) requires covered financial companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Additional requirements, related to Section 314.4, are slated to go into effect June 9, 2023.
Not all industries, or even all institutions within individual industries, are subject to regulatory compliance. That doesn’t mean, however, that cybersecurity should not be a business priority. More importantly, business leaders must not confuse regulatory compliance with security. While non-compliance by financial institutions can result in fines, the stakes for a proper security program are much higher. Unprepared organizations will become easy targets for cyberattacks.
As mentioned in October’s Brainbytes, earlier this year the debt-collection company Professional Finance Company, Inc. reported a data breach which impacted 657 healthcare providers across the U.S., and 1.9 million patient records. Numerous high-profile data breaches and ransomware attacks have cost millions of dollars to American businesses and affected the data of millions of customers.
What is PII?
In just the past 20 years, national and international data breaches have affected hundreds of millions of individuals. In fact, according to UpGuard, together, 10 of the most impactful data breaches in the United States’ financial service history compromised Personally Identifiable Information (PII) of more than 485 million people and almost 800,000 businesses. The breached data varied by attack, but together included almost a dozen different types.
Armed with this information, a wide range of cybercrime is possible, including identity theft, ransomware attacks and malware injection. This makes it crucial to put an appropriate cybersecurity program in place for your business.
Again, when developing a program, it’s important to not confuse regulatory compliance with security. In addition to regulatory frameworks, organizations must implement additional cybersecurity systems that specifically address the vulnerabilities facilitating data breaches.
The Proper Way to Build a Cybersecurity Program
Ensure all of these steps are taken, and then checked and rechecked. Think of this as the rinse and repeat steps in program development and implementation.
The goals of your plan:
Company decision makers, especially those with an in-house IT department, will likely look to do this internally. And it’s certainly possible. However, compliance is essential, so companies who don’t have dedicated IT personnel or whose IT department lacks the experience, training, or manpower to oversee this program need an alternative solution. Staff could do vulnerability scans and a qualified individual (i.e. lower tier cybersecurity personnel) could serve as the CISO. Again, it’s difficult for internal security teams to be vigilant for insider threats because they’re already exceeding their bandwidth with risk management tasks. Is it worth the risk for staff to take on program oversight as well?
Learn from the Mistakes of Others
Not sure what to include in your plan? Besides implementing a data protection solution specific to financial services, one of the best methods of mitigating data breaches is learning from the mistakes of others. In addition to security, software, and hardware updates, other important lessons to note are:
In general, good practices for better security should always include, but are not limited to, the following:
Posted by Katie Cassens
Incident Response Plans: A Tool in Your Arsenal Against Cyberattacks
Malware. Ransomware. Phishing. DDoS. Insider Threat. Zero-Day Exploit. The number of cybersecurity attack incidents continues to increase exponentially. During the third quarter of 2022, internet users worldwide saw approximately 15 million data breaches, up 167% compared to the previous quarter. Small to medium-sized businesses were the likely targets, as these companies are three times more likely to be attacked by cyber-criminals than large businesses and corporations.
These attacks have the potential for costly disruptions to operations and the loss of critical information and data. A former executive at a U.S.-based manufacturing company hit by a ransomware attack equated it to being “punched in the stomach and losing all the air in your diaphragm, and about four weeks later, learning how to breathe again.”
The repercussions of an attack on a business can be strong, long-lasting and expensive. A quick and clean resolution is often unrealistic. Authorities discourage businesses from paying a ransom as it can encourage further hacks and enrich cybercriminals. But some companies opt to pay off their attackers to stay in business. In recent cases:
Which Response is the Correct Response?
The answer lies in the company’s Incident Response Plan. According to DataSure24’s Chief Technology Officer Mark Musone, there is a huge gap in the knowledge of what to do when an intrusion occurs. That’s why it’s important for companies to work with cybersecurity professionals like DataSure24 when developing and implementing an Incident Response Plan. These companies can help ensure you have “all your ducks in a row”.
According to the National Institute of Standards and Technology, an Incident Response Plan:
Incident response methodologies typically emphasize preparation—not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs.
An Incident Response Plan should address ALL possible scenarios in response to a successful cyberattack. For example:
While it’s impossible to remove all security issues, an effective Incident Response Plan can mitigate the largest cybersecurity threats. Despite another record year of breaches—15 million data breaches between July–September 2022 alone—including SolarWinds, Colonial Pipeline and others, half of U.S. businesses still have not put a cybersecurity risk plan in place.
Cybersecurity should always be a business priority. Unprepared organizations will become easy targets for cyberattacks. Now is the time to learn the potential cybersecurity risks for your business, and build a complete cybersecurity plan.
Posted by Katie Cassens
(The More Things Change), the More They Stay the Same
Over the past two years, companies shifted their business models from survival mode back toward pre-pandemic operations. With the world in constant flux, however, it’s difficult to know exactly what will happen in 2023.
We believe, however, that cybersecurity will become a priority in business operations. After high-profile data breaches at Google, Twitter, Uber, LinkedIn, and Rockstar Games, among others, it seems like no company is immune to cybersecurity attacks. Cyberthieves are getting more sophisticated and cyberthreats are becoming more aggressive every day. Desperate for cash and resources, cyberthieves will continue to target small businesses who often don’t have sufficient cybersecurity systems in place. Don’t be fooled into false confidence, however. High-profile businesses with insufficient cybersecurity systems, or lapses in them, are also vulnerable.
Going into 2023, businesses must take steps to develop security programming or evaluate their existing programming and make necessary changes. So, as you conduct year end analyses, make sure you factor in the state of your business’s cybersecurity programming. If it isn’t already, cyber protection should become a “must-have,” not a “nice-to-have,” component of your business plan. As technology evolves, so does cybersecurity’s ability to protect a business from cybersecurity attacks and threats.
Company Leadership is Key
In order to build a cybersecurity program, there must be a shift by business leaders, and in some cases, members of the Board of Directors, toward ownership or buy-in of the program. Decision makers must view cybersecurity as central to business operations and evolve and build current and future business models to reflect this. This is vital for a successful program.
If members of leadership don’t support cybersecurity practices, there is little to no chance that employees will. Business leaders cannot protect their organization if they don’t know where the security lapses/gaps are and what is needed.
It’s normal to compare your business operations with a competitor of similar size, location and assets. When it comes to cybersecurity, however, it’s important to develop and implement a plan based on the company’s individual security needs. Every organization is different, and will have different strengths, weaknesses, gaps, and areas in its cybersecurity programming requiring help.
Think of cybersecurity as building a house. You must have a secure foundation in place before you build on top of it. Security should utilize multiple layers of prevention measures to safeguard assets. This includes defining policies and procedures, continuously testing them, educating staff, and measuring effectiveness for improved security operations. Building the correct foundation may mean going back to the basics. Questions to ask yourself:
Note: Do NOT confuse regulatory compliance with security. In addition to regulatory frameworks, organizations must implement additional cybersecurity systems that specifically address the vulnerabilities facilitating data breaches.
Along with a solid foundation, good policies and procedures help ensure that security programming is not only up-to-date, using the latest technologies where needed, but effective in safeguarding data and minimizing cyberthreats. Make sure those policies and procedures include, among other practices:
These regular practices, when built on top of a solid foundation, will make for a strong security program. It all comes back to cybersecurity. The more things change, the more they stay the same.
Posted by Katie Cassens
FTC Safeguards Rule
The deadline for complying with the FTC’s Safeguards Rule is June 9. That’s only 4 months away! Get all of your compliance ducks in a row ahead of the deadline: perform a risk assessment now, so you can prioritize the remediation and other requirements well before June 9. DataSure24 provides a variety of FTC compliance services, including: Call us at 716.600.3724 or email info@datasure24.com with any questions and/or to schedule a date and time to talk more about how DataSure24 can help your business comply with the FTC Safeguards Rule. For more on the FTC’s Safeguards Rule, go to DataSure24’s Compliance Page.
