New Articles

data security

Why the Keys to Maintaining Data Security in a Remote Environment are Control and Visibility

Remote workforces are nothing new to most organizations. According to Buffer’s 2019 State of Remote Work report, 44% of respondents noted that at least part of their team was “full-time remote,” and 31% said that everyone on the team works remotely. Further, at the time of the report, 30% of respondents said that their entire company worked remotely. However, the COVID-19 pandemic accelerated the work-from-home model. By March 31, 2020, the percentage of users working remotely had increased 15 percentage points since the start of the COVID-19 outbreak. With that in mind, organizations are assessing how they can maintain granular levels of control and visibility when business data is being accessed remotely.

Adopting Contextual Controls to Protect Data

Most organizations already use role-based access controls. These controls, which align data access privileges with job function, provide a baseline for data governance. However, they often grant more data access than a role actually needs and, in turn, introduce additional risk. Contextual controls let an organization adjust access to data dynamically according to the circumstances of each request, which aligns far more closely with least-privilege practice. Migrations to cloud applications have made contextual controls a business requirement, because interconnected applications demand a more dynamic approach to access.

With the move to a remote workforce, organizations need to create more detailed and more dynamic access controls. With attribute-based access controls (ABAC), a company can incorporate additional context such as geolocation, time of day, and IP address to both ensure the appropriate user is accessing the resources and prevent users from having more access than they need. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources if the user’s location is suddenly California – or a foreign country. Because IP-based geolocation is approximate and can be masked by a VPN, location should be treated as one signal among several rather than the sole gate.

Contextual controls both prevent access policy violations and keep security controls aligned with business requirements. Because the organization can limit access according to the principle of least privilege, it reduces the risk of data leakage and financial fraud. Meanwhile, more granular, data-centric access privileges let an organization ensure that users get neither too much nor too little access, limiting the disruption that over-restriction would otherwise cause.
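As an added example (not part of the original article), the following Python sketch shows what a contextual, attribute-based decision looks like in code: a role check plus region, source-network and time-of-day conditions, deny by default, with a reason string you would log alongside each decision. The policy, the 10.20.0.0/16 VPN range, the user “alice” and the requests are all constructed for illustration.

```python
"""Added example (not from the article): a minimal attribute-based access
control (ABAC) decision function that layers contextual attributes (region,
source IP range, time of day) on top of a role check. The policy, the VPN
range, the user names and the requests are all constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    region: str          # e.g. "US-CT", as resolved by the gateway's geolocation
    source_ip: str
    at: datetime


@dataclass
class Policy:
    resource: str
    action: str
    roles: Set[str]
    regions: Set[str]                                   # permitted client regions
    networks: List[str] = field(default_factory=list)   # permitted source CIDRs; empty means any
    hours: Tuple[time, time] = (time(0, 0), time(23, 59, 59))


def decide(req: Request, policies: List[Policy]) -> Tuple[bool, str]:
    """Deny by default: a request is allowed only if a policy for the
    resource/action exists and the role and every contextual attribute
    satisfy it. The reason string is what you would log with the decision."""
    for p in policies:
        if (p.resource, p.action) != (req.resource, req.action):
            continue
        if req.role not in p.roles:
            return False, "role not permitted"
        if req.region not in p.regions:
            return False, f"region {req.region} not permitted"
        if p.networks and not any(ip_address(req.source_ip) in ip_network(n) for n in p.networks):
            return False, f"source {req.source_ip} outside permitted networks"
        start, end = p.hours
        if not start <= req.at.time() <= end:
            return False, "outside permitted hours"
        return True, "allowed"
    return False, "no matching policy"


# Constructed policy: payroll is readable by finance staff connecting from
# Connecticut over the corporate VPN range, during business hours only.
POLICIES = [
    Policy(resource="hr/payroll", action="read", roles={"finance"},
           regions={"US-CT"}, networks=["10.20.0.0/16"],
           hours=(time(8, 0), time(18, 0))),
]


def example_decisions():
    """Same user, same role, different context: only the first request passes."""
    base = dict(user="alice", role="finance", resource="hr/payroll", action="read")
    ten_thirty = datetime(2020, 4, 6, 10, 30)
    requests = {
        "office_hours_from_ct": Request(**base, region="US-CT", source_ip="10.20.4.7", at=ten_thirty),
        "same_user_from_ca":    Request(**base, region="US-CA", source_ip="10.20.4.7", at=ten_thirty),
        "off_vpn":              Request(**base, region="US-CT", source_ip="203.0.113.9", at=ten_thirty),
        "three_am":             Request(**base, region="US-CT", source_ip="10.20.4.7",
                                        at=datetime(2020, 4, 6, 3, 5)),
        "wrong_role":           Request(**{**base, "role": "marketing"}, region="US-CT",
                                        source_ip="10.20.4.7", at=ten_thirty),
    }
    return {name: decide(r, POLICIES) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (ok, why) in example_decisions().items():
        print(f"{name:22} {'ALLOW' if ok else 'DENY':5} {why}")
```

The checks are ordered so that the cheapest and least privacy-sensitive attribute (role) is evaluated first; in a real gateway the region and network lookups would come from the authentication proxy rather than from the request itself, since a client can assert anything about its own location.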

User Activity Monitoring for Security and Managing Productivity

Monitoring user access to resources and tracking how users interact with data provides an additional benefit for many organizations as their workforces move to a remote model. Most organizations recognize the benefit of monitoring user access, but not just instances of logging in to and out of applications. Understanding data access and usage is now a key requirement for maintaining visibility over business data. Organizations are turning to analytics platforms that combine granular access details with a visualization element (for example, a SIEM). Data is only as useful as the insights it provides, and rapid aggregation and visualization of user access data is a crucial requirement for data security.

Using “Virtual” Work Hours

Looking at a common security use case, many organizations use “virtual” work hours to detect anomalies. For example, if an employee usually works between 8 AM and 6 PM, monitoring and alerting on activity around sensitive data at 3 AM can indicate unauthorized behavior. The uncharacteristic behavior may be a one-off, but the organization needs to monitor that user’s activity more closely. If the user denies accessing the information at 3 AM, the organization should treat the credentials as compromised: reset the password, invalidate active sessions, and focus its monitoring on that account. If it detects further unusual activity, it may need to review the employee’s activities or investigate a potential data breach.
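The detection side of the same idea, as an added example that is not from the article: learn each user’s usual hours from a baseline period of access logs, then alert on sensitive-data access outside that window, including the case of a user who has no baseline at all. The log lines, user names, resource names and cutoff date are constructed; in practice the events would be pulled from the SIEM the previous section mentions.

```python
"""Added example (not from the article): learn each user's usual working
hours from a baseline period of access logs, then flag access to sensitive
data outside that window. Log format, users, resources and dates are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log lines: ISO timestamp, user, action, resource.
LOG_LINES = """\
2020-04-01T09:12:44 alice READ   crm/accounts
2020-04-01T10:03:10 alice READ   hr/payroll
2020-04-01T17:45:02 alice WRITE  crm/accounts
2020-04-02T08:58:31 alice READ   hr/payroll
2020-04-02T16:20:15 alice READ   crm/accounts
2020-04-03T09:30:00 alice READ   crm/accounts
2020-04-06T03:07:19 alice READ   hr/payroll
2020-04-06T03:09:41 alice EXPORT hr/payroll
2020-04-06T11:15:00 alice READ   crm/accounts
2020-04-06T14:02:27 bob   READ   hr/payroll
"""
SENSITIVE = {"hr/payroll"}                 # resources worth an off-hours alert
BASELINE_UNTIL = datetime(2020, 4, 4)      # events before this date train the profile


def parse(lines: str) -> List[dict]:
    """Turn the whitespace-separated log into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, action, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def learn_hours(events: List[dict], until: datetime) -> Dict[str, Tuple[int, int]]:
    """Per user, the earliest and latest hour of day seen before `until`:
    the user's 'virtual' work hours."""
    seen = defaultdict(list)
    for e in events:
        if e["ts"] < until:
            seen[e["user"]].append(e["ts"].hour)
    return {user: (min(hours), max(hours)) for user, hours in seen.items()}


def detect_off_hours(events: List[dict], until: datetime = BASELINE_UNTIL,
                     slack: int = 1) -> List[dict]:
    """Alert on sensitive-data access outside the user's learned hours
    (widened by `slack` hours on each side) or by a user with no baseline."""
    profile = learn_hours(events, until)
    alerts = []
    for e in events:
        if e["ts"] < until or e["resource"] not in SENSITIVE:
            continue
        if e["user"] not in profile:
            alerts.append({**e, "reason": "no baseline for user"})
            continue
        lo, hi = profile[e["user"]]
        lo, hi = lo - slack, hi + slack
        if not lo <= e["ts"].hour <= hi:
            alerts.append({**e, "reason": f"hour {e['ts'].hour} outside {lo}-{hi}"})
    return alerts


if __name__ == "__main__":
    for a in detect_off_hours(parse(LOG_LINES)):
        print(a["ts"].isoformat(), a["user"], a["action"], a["resource"], "->", a["reason"])
```

Alice’s baseline here is 08:00 to 17:00, so with one hour of slack the two 3 AM payroll events fire (and the EXPORT is the one to escalate first), while her 11:15 CRM access does not; Bob has no history at all, which is itself worth an alert rather than a silent pass.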

Monitoring User Productivity

From a workforce management perspective, organizations can leverage these insights to review employee productivity. Two use cases present themselves. First, many organizations have contracts that stipulate that late payments incur a late fee. If the organization knows that employees should be processing payments ten days prior to the payment date, it can use these reports to ensure that employees meet their timelines, even from a remote location. Additionally, by tracking resource usage data, organizations can monitor whether workforce members are appropriately prioritizing their workdays. If employees only access a business application at the end of the month, they are likely waiting until the last minute to input payment information. Raising this with the employee prevents these potential revenue losses, or rush projects in other areas, and lets the organization stay on top of its financials.

Enabling Visibility for Business Applications Has Never Been More Critical

Creating trust within and across distributed workforces ensures productivity. However, continual status update meetings across multiple time zones decrease workforce member efficiency. Organizations already monitor user access to their systems, networks, and applications. As part of a robust security posture, organizations should apply protections at the new perimeter: user identity. Rather than micromanaging employees via emails or chats, managers can gain valuable insight into how users are accessing resources and prioritizing work schedules by reviewing data and resource usage.

In an unprecedented time, companies need to find ways to maintain control and visibility over business data. Whether a business application is on-premises or in the cloud, enhancing these controls should be a mission-critical objective.

Risks to an organization are prevalent in a remote environment, whether they are security-related or stem from employee fraud, theft, and error. The keys to maintaining data security ultimately lie in your ability to provide oversight of your data, and the time to act is now.

_______________________________________________________________

Piyush Pandey, CEO at Appsian (www.appsian.com), is a technology executive with 18 years of global experience in strategy, sales, mergers & acquisitions, and operations within software companies. Over the last 10 years, he has worked with enterprise software companies including Oracle, Epicor, Concur, Citrix and Microsoft on various transactions. He has held various leadership positions at Procera, Deutsche Bank, Stifel, Wipro Technologies and a wireless startup.

vulnerabilities

Top 4 Teleworking Vulnerabilities (and How to Mitigate Them)

Between social distancing guidelines and stay-at-home orders, it’s clear that we’ll all be spending a lot of time at home.

While many of us might normally work from home a day or two out of each week, few firms are used to having all their staff work from home for weeks at a time. 

This means that many companies have not implemented security measures that are most appropriate for a fully remote team.

To help you make the adjustment, here are some big-ticket vulnerabilities along with recommendations on how to best mitigate them.

1 – Using personal devices

The laptops and desktops your firm owns are secure. They have up-to-date patching and anti-malware. They have simple but important policies like an automatic screen lock. They’re backed up and might even have hard drive encryption and remote wipe capabilities.

Do the personal devices accessing your data even have anti-virus beyond Windows Defender? Are any running Windows 7, which has been out of support since January 2020?

If a vulnerable machine is accessing your firm data, that data becomes vulnerable.

Best practice is to only allow your people to work from firm-owned equipment. If you try purchasing new equipment today, though, you will probably run into significant delays with manufacturing. Your second-best option is to roll out workstation management software to these personal devices. Your IT team can help with this.

2 – Heightened scam activity

Scammers are having a field day with this pandemic. We’re anxious, we’re distracted, we’re working with new and unfamiliar technologies, and we’re accessing confidential data outside of our secure office network.

In a span of just seven hours, cybersecurity company ESET detected 2,500 infections from malicious emails that played on COVID-19 themes. Phishing emails that appear to come from legitimate sources like the World Health Organization offer links or attachments with information about the spread, face masks, or a vaccine, anything that will tempt recipients into clicking and infecting their machines with spyware, ransomware, or other malware.

And the massive success of these scams means that hackers will double-down.

Fortunately, we can avoid most of these scams by practicing the same awareness tactics you’ve heard before:

-Don’t click links or download attachments you weren’t expecting.

-Watch for poor grammar and generic greetings (sir/ma’am).

-Don’t offer up personal information unless you can verify the request (by calling the sender, logging directly into your Facebook account, etc.)

Regarding coronavirus specifically, be sure to stick to official websites (WHO, CDC) for the latest news on the outbreak.

3 – Not using multi-factor authentication

Multi-factor authentication keeps you protected even if you make a mistake—which, as I mentioned above, is a lot more likely in today’s landscape.

Say you fall for a phishing scam and enter your Office 365 credentials into a fake web page. But your Office 365 account is set to send a verification code to your cell phone. Even with your email address and password in hand, the attacker still can’t access your account unless they also obtain that code. Note that SMS codes are not foolproof: a real-time phishing page can ask you for the code and relay it within its validity window, and SIM-swap fraud can redirect your texts, so an authenticator app or a hardware security key is the stronger choice where the application supports it.

In January, 1.2 million Microsoft accounts were compromised. Microsoft has said that “multi-factor authentication would have prevented the vast majority of those one-million compromised accounts.”

Work with your IT team to (forcibly) enable multi-factor authentication on as many applications as you can. This is often not labor-intensive, and it can do wonders to keep your accounts locked down.
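To make the second factor concrete, here is an added example (not from the article) of how a time-based one-time code is generated and checked, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the RFCs’ published test key, not a real credential. The verifier includes the two details a practitioner wants and that a naive implementation omits: a small clock-drift window and refusal to accept the same code twice, so a code phished and relayed after the real user has already logged in with it is rejected.

```python
"""Added example (not from the article): generating and verifying a
time-based one-time code (HOTP, RFC 4226; TOTP, RFC 6238). The secret is
the RFCs' published test key, not a real credential."""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test vector key
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check. Accepts the current step plus `window` steps on
    either side (clock drift), compares in constant time, and never accepts
    a step at or below the last one used, so a code that was phished and
    relayed cannot be replayed once it has been consumed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1     # highest time step accepted so far

    def verify(self, submitted: str, at: int = None) -> bool:
        at = int(time.time()) if at is None else at
        base = at // STEP_SECONDS
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue           # already consumed: replay attempt
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vectors (SHA-1; the last six of the eight published digits)
    for t, expected in [(59, "287082"), (1111111109, "081804"), (1234567890, "005924")]:
        assert totp(RFC_TEST_SECRET, t) == expected
    v = TotpVerifier(RFC_TEST_SECRET)
    print(v.verify("287082", at=59))   # True: correct code, first use
    print(v.verify("287082", at=59))   # False: same code replayed
```

The window of one step means a code stays valid for at most about 90 seconds, which is exactly why a relayed code must be used almost immediately and why the replay check matters: it closes the gap in which both the victim and the attacker hold a valid code.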

4 – Sharing devices with others

If you live with roommates or family members, you may find them asking to borrow your machine for anything from their distance learning assignments to streaming movies.

Whether this machine is a personal device or owned by the firm, letting others onto the same equipment used to store and access client data puts that data at risk. It only takes one wrong click to put your threat detection and response software, assuming any is installed, to the test.

And in some cases, someone just seeing an open document on your machine is a compliance violation.

Your firm policy may already have guidelines against sharing devices, but keep in mind that this is new territory for all of us, and that some may need help finding an alternative.

_________________________________________________________________

Heinan Landa, CEO and Founder of Optimal Networks, a globally-ranked IT services firm, and author of The Modern Law Firm: How to Thrive in an Era of Rapid Technological Change.

trading market

Modern Tendencies of Global Trading Market

The world is now a global village, and globalization has affected every aspect of human existence. The exchange of goods and services across nations and between individuals, regardless of geographical limitations, is becoming increasingly seamless.

A Brief History of Global Trading Market

If you take a trip down memory lane, you’ll notice that global trading has come a long way. The origin of international, or global, trading dates back to the 19th century, after the French war. Trade relations among nations increased significantly from 1865 to 1913, just before World War I broke out.

When WWI broke out, global trading fell rapidly. There was a massive dip in the export market. As is usual in war, arms sales proliferated enormously.

After World War I, things began to fall back to normal. It took a while for global trade volumes to rise to the peak reached before 1914.

The most significant rise in global trading came after World War II. In 1947, the General Agreement on Tariffs and Trade (GATT) was signed in Geneva by 23 nations. It marked a new dawn for global trading markets.

However, to better understand the modern tendencies in the global trading market, we need to look at the industrial revolutions that have happened over time. We can then link them to how they affect the global market in recent times.

Global Industrial Revolutions

There is an age-long relationship that exists between industrialization and globalization. The global industrial revolution that started in the late 18th century ushered in an abundance of raw materials. Industrialization led to the creation of new products and markets.

The products and raw materials that came, as a result of industrialization, needed to reach consumers across the world. That’s what led to the expansion of global trading markets.

Products were made in Europe from American raw materials and exported to Asia for consumption. A consequence of this affair between industrialization and globalization was the creation of trade routes. These trade routes connected America to Europe, Europe to Asia, and other continents of the world that needed the products.

We can’t talk about the early days of global trading markets without the pros and cons of globalization. The good that came to the world was that manufacturers had more markets in which to sell their products. On the flip side, it created the opening for Europe to colonize the world.

The Journey from Then to Now

At this point, it’s safe to look deeper into how the industrial revolutions changed the course of global trading markets.

The First Industrial Revolution (1760 to 1830)

This is the period when Britain dominated and monopolized the global market. At the time, they had control of machinery, manufacturing techniques, and skilled laborers. Knowing that they were ahead of the world in industrialization, they kept everything within the confines of the British territory.

The embargo on the exportation of the industrialization that gave Britain a huge advantage didn’t sit well with some British businessmen. These folks began to seek more significant market opportunities outside Britain.

In 1807, two Englishmen took the industrial revolution to Belgium. The revolution further expanded global markets at the time.

Though it took a while for other countries to get on the wagon, it eventually happened after more than a decade of British monopoly. European countries like France and Germany came on board the ship to industrialization.

When the United States came into the picture, they gave the British a good run for their money. America became an industrial giant in the late 19th century.

Other countries that joined the industrial revolution at the time were Japan, the defunct Soviet Union, China, and India.

The Second Industrial Revolution (1870 to 1914)

While the first phase of industrialization focused on machinery and skilled labor, the next step introduced the manufacturing of more natural and synthetic products. It was in this era that synthetic materials like plastics began to flood the global market. Global trading expanded as a consequence.

The expansion in marketable products demanded a more efficient way of producing goods and doing business. Hence, this era brought electrification and assembly-line production, the forerunners of the automated factory.

With the global market expanding, governments began to get more involved. Economic policies came into play to establish checks and balances, averting an impending global financial and market crisis due to the laissez-faire ideas at play at the time.

World War I marked the end of the second industrial revolution. Global markets were on shutdown as trade routes were either closed or manned by warring nations.

The Third Industrial Revolution (1990 to Present)

The advent of the internet marked the beginning of the third industrial revolution. The global market has shifted from exchanges that took place at country borders to a peer-to-peer market setting.

With the world dealing with a myriad of global issues like natural disasters, overpopulation, and poverty in some of the most populated cities of the world, there was a need to make the world a global village.

Trade deals can be made from anywhere in the world. People now have access to computers and the internet. It doesn’t matter if you’re a college dropout or a graduate of one of the best universities in the world; you can be a part of the global trading market.

In the first and second industrial revolutions, skilled labor was an exclusive reserve of a few countries that dominated industrialization. Today, remote workers can come from anywhere in the world, thanks to the advent of the internet.

For instance, you can hire labor remotely over the internet. An example is finding content writers through content review websites like Pick The Writer, Writing Judge, and so on. The global market has now become more internet- and remote-based.

However, the third industrial revolution has significant cons, one of which is cybersecurity. With so much data shared over the internet, there are concerns about the unauthorized use of personal information for fraudulent activities.

With the number of small businesses increasing, dependence on the Internet of Things is increasing too, posing further cybersecurity challenges in the global trading market.

Available statistics show that 43% of cyber attacks target small businesses. Sadly, over 60% of these small businesses go out of business within six months of an attack.

What’s The Way Forward?

As we gradually move from the third into the fourth industrial revolution, we expect some of these cybersecurity challenges to diminish. Each industrial era comes with its pros and cons. However, the higher we go, the better we get, and the global trading market isn’t left out.

Already, technological advancements like Artificial Intelligence (AI), are with us. We are getting ready for an industrial revolution that will completely alter the way we live and do business. Industries are shaping up for what is coming with this technological revolution.

One sure thing is that the global economy will improve and life will be better for many people all over the world. Most bottlenecks in living standards and business opportunities will disappear to a large extent.

We envisage an era where technology will make life a lot easier. Trading platforms like crypto will make massive inroads into the global market systems. It’s a progressive world, and all we can do is get ready for the imminent.

______________________________________________________

Anna is a specialist in different types of writing. She graduated from the Interpreters Department, but creative writing became her favorite type of work. Now she improves her skills while working as a freelance writer for Pick The Writer and Writing Judge, assisting students all over the world, and still has free time for other work. She always does her best in her posts and articles.

commerce

Commerce, Currency, and Credit —and What’s Next

The notions of commerce, currency, and credit are nothing new. For centuries, we’ve found ways to barter, borrow, and repay one another through the exchange of goods, services, or credit. Exchange aside, every form of currency has an assigned value agreed upon by the individuals or organizations participating in the transaction.

Need a house or a plot of land? Everything had a price. Back then, we offered what we had…like goats, cows, or crops. In modern times and with the development of currency, we have turned to coins, paper, plastic, and other forms of credit to define the values of our exchanges.

If we begin to think about the evolution of commerce in the context of innovation, we simultaneously begin to wonder, ‘What’s next?’

As the COO of a fast-moving fintech company, I look to innovation to answer this fundamental question. It will always be top-of-mind for me, in order to ensure that our business is at the forefront of innovation when it comes to contemplating the many ways Americans — particularly those in the small business community — think about and gain access to commerce, currency, and credit.

Today, small businesses are faced with an unfavorable choice when considering taking on additional capital: curb their instinct to innovate and grow, or encumber themselves with debt. While the growth of small businesses will help our economy thrive, we can’t increase our ability to provide funding to small businesses by maintaining the status quo. So how do we inject businesses with funds without ultimately harming that growth and innovation? I suggest several ways: decrease our industry’s approval time and simplify the process; provide customized offers and understand the uniqueness of each business through artificial intelligence and advanced technology; and restore the innate integrity and trust of the nascent days of commerce.

Here are three topline factors that will drive commerce, currency, and credit — and what’s next:

Convenience

If we look at the transition in the consumer payments industry as a leading indicator, and think about the emergence of fast-pay apps like Zelle, Venmo, or Apple Pay, one thing is clear: convenience is king. Even if it costs the consumer a dollar or two, it beats the basic but now outdated steps of writing a check, (purchasing and) putting a stamp on the envelope, putting it in the mail, and making sure the mail carrier gets it there on time. Certainly, checks have a role to play in the exchange of money, and perhaps always will, but fast-cash apps represent the shift.

If we examine the ways that small businesses have historically gained access to capital, what was once nothing more than hard-copy applications followed by mountains of paperwork issued by traditional banks, with weeks or even months of waiting to hear of an approval, is rapidly evolving into a full-fledged industry dedicated to providing capital in days or even hours. Companies in industries ranging from online retailers to credit card processors are working to deliver working capital at nearly the speed of an ATM transaction. Just as odd as it would seem today to drop off a goat to pay for a good or service, so too will the long, arduous process of securing small business capital. We are quickly moving to a couple of button clicks on your cell phone, with capital delivered straight into your business account.

Channels

When discussing my philosophy about our business, three words colleagues often hear me use are “channel of choice.” They refer to finding our customers by identifying who they are, where they are, and what their preferred method of communication is; and, of course, delivering a superior user experience.

Which “channel of choice” will appeal to the busy mom-and-pop shop owner who calls us from her landline in search of new ways to gain access to capital for a new storefront facade; or to the construction company that does most of its business and banking online and prefers to be reached via the web; or, to the 20-something app developer who likes to do his business with a simple click on his phone?

Our success is contingent upon creating an appropriate environment and successful strategy for each of our customers, all of whom have varying means and preferences for interacting with us. While mobile interactions will continue to dominate in preference, there will likely always be a need to handle interactions with a simple phone call. Delivering an intentional experience with all of those channels in mind will become the new normal.

Caution

Over the past few years, the vulnerability of data, privacy, and information security systems has been exposed. As we move into a more digital environment where every piece of data is at your fingertips, it is incumbent upon us in the alternative financial services industry to evaluate the ways we protect the vast information we hold, in the same way customers expect traditional banks to hold and secure their deposits. The phrase “data is the new currency” is quickly becoming reality, and the security expectations of those who provide us that information will be just as high as when dropping off a deposit at your local bank. As mountains of information continue to become available, all of us will need to consider how we store that information, just as a bank locks up its currency in a vault.

_____________________________________________________________________

Herk Christie is the Chief Operating Officer of Expansion Capital Group, a business dedicated to serving American small businesses, by providing access to capital and other resources, so they can grow and achieve their definition of success. Since its inception, ECG has provided approximately $400 million in capital to over 12,000 small businesses nationwide.

cybersecurity

A Cybersecurity and Artificial Intelligence Forecast for 2020

As a cybersecurity and artificial intelligence innovator, we are often asked about our predictions for the year to come. AI, in all its flavors, is a hot technology and it is being applied in many fascinating and powerful ways. Our focus, of course, is on using deep learning to advance the standards in malware detection (and we see a lot of good happening in that regard) so we bring a unique perspective to these two areas.

And not to brag, but when the question came up last year we provided a modest forecast that turned out to be fairly accurate. Here’s a quick recap:

-We said that AI would be a key component to the delivery and management of 5G wireless services, which is in-line with what the industry is now saying about its roll-out.

-We bet on the emergence of AI-as-a-Service. It’s comforting to know that Microsoft CEO Satya Nadella agrees, and sees a $77 billion market by 2025, according to Motley Fool.

-Last year we predicted the emergence of more sophisticated learning techniques, advancing the capabilities and efficacy of machine learning and deep learning algorithms, and that has been happening.

-We’ll even take credit for our prediction that AI in all its forms would see greater commercialization and consumerization, even though that one was probably self-evident in hindsight. Development and improvement in products like smart assistants, smartphones, autonomous vehicles, medical devices and more will continue apace now that AI is mainstream.

So what can we expect for 2020? We’re going to keep our forecast in the realm of cybersecurity and AI this year, looking at both the threat landscape and the emergence of innovative defenses. Here are five trends we see developing in the new year.

Cybercrime will focus on ransomware and cryptojacking

The focus of the global hacker community will shift to emphasize ransomware and cryptojacking. Ransomware has proven to be a lucrative source of income for hackers, and as associated malware and delivery techniques become more effective, that is only going to embolden them. Most hackers launch attacks from locations beyond the reach of U.S. authorities, and they collect payments in the form of cryptocurrency to minimize the risk factor of their illicit endeavors. And as cryptocurrency becomes more mainstream, we foresee a sharp increase in attacks intended to hijack computing resources to power the computations necessary to “mine” coins. What we’re seeing in Blue Hexagon Labs research is that cryptojacking attacks appear to have an inverse relationship to ransomware attacks. This is likely driven by hacker motivations; as the value of cryptocurrency increases, it may be more lucrative (and easier) to focus on cryptojacking than ransomware.

Malware-as-a-Service becomes increasingly sophisticated

Criminal hackers are innovators and entrepreneurs (even if they are evil, self-centered, and destructive ones). As such, they are keen on minimizing cost and risk, and one way they are doing that is by productizing their tools and skills. As a result, Malware-as-a-Service hacking groups are now selling kits and automated services on dark web marketplaces. In March of this year, we wrote about GandCrab ransomware-as-a-service. We will see these services increase in sophistication in the coming year, for example the ability to select customizations such as the type of obfuscation or evasion techniques, and the way the malware is delivered. This will make it easier for anyone to get into the malware game, creating a force-multiplier effect that will increase the number of threats enterprises face in the years to come.

First malware using AI models to evade sandboxes will appear in 2020

Malware developers already use a variety of techniques to evade sandboxes. A recent article explained that “Cerber ransomware runs 28 processes to check if it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.”

In 2020, we believe that new malware–using AI-models to evade sandboxes–will be born. This has already been investigated in academia. Instead of using rules to determine whether the “features” and “processes” indicate the sample is in a sandbox, malware authors will instead use AI, effectively creating malware that can more accurately analyze its environment to determine if it is running in a sandbox, making it more effective at evasion. As a result of these malware author innovations and existing limitations, the sandbox will become ineffective as a means to detect unknown malware.  Correspondingly, cybersecurity defenders’ adoption of AI-powered malware defenses will increase.

The rollout of 5G networks will bring new attack vectors

The infrastructure needed to roll out and manage new 5G networks requires a more complex, software-defined architecture than older communication networks. This new architecture means services will operate within a more complex environment with a broader attack surface that requires more security diligence on the part of the service providers. In addition, the advent of 5G networks will enable more endpoint devices that will require security at the network edge. Hackers, in particular, nation-state threat actors, will work hard to find and exploit weaknesses in this architecture to intercept traffic, disrupt services, and deliver payloads to endpoints and networks.

Privacy regulations drive more spending in cybersecurity

The European Union’s General Data Protection Regulation (GDPR) has inspired a number of privacy regulations, including the new California Consumer Privacy Act (CCPA). In the CCPA, California has created a combined privacy and breach disclosure law that goes into effect on January 1, 2020. The office of the California attorney general recommends NIST (800-53 or CSF) or ISO 27001 as their standards for implementation, and uses CIS Controls for security program guidance. That means an emphasis on malware detection and prevention, and with data breach violations reaching hundreds of millions of dollars in the EU and U.S., we predict CCPA and the recent history of enforcement will drive a significant increase in cybersecurity spending.

Even though the overall theme of these predictions suggests increasing threats and risks to the enterprise, we do see cause for optimism. Our experience with the application of deep learning to the challenges of threat detection and prevention gives us hope that, as our efforts and those of other innovators continue and build momentum, 2020 will be regarded as the year our industry finally turned the tide against hackers.


Winter 2019 U.S.-China Cybersecurity Update

It is difficult to accurately speculate on the progress of U.S.-China trade negotiations, as media reports on the status of key policy proposals seemingly differ each day depending on the transparency and messaging agenda of the sources involved. However, what has been certain during the winter of 2019 is that major updates to U.S. and Chinese cybersecurity regulations are in the process of being implemented, and these developments stand to set key precedents for the intersection of foreign investment and cybersecurity regulations in the U.S. and China.

Building on our previous two articles regarding U.S. economic espionage concerns and updated U.S. foreign investment restrictions, this article will provide an overview of notable cybersecurity legislative and investigative developments that will likely dictate the near future of critical facets of U.S.-China relations in the 21st century, including (1) the implementation of China’s revised cybersecurity legislation known as the Multi-Level Protection Scheme (“MLPS 2.0”); (2) the Committee on Foreign Investment in the United States (“CFIUS”) reported investigation into the popular social media app TikTok; and (3) the race to implement 5G infrastructure and ongoing speculation regarding Huawei’s licensing status.

1. Implementation of China’s Multi-Level Protection Scheme (MLPS 2.0)

In 2017, China implemented comprehensive cybersecurity legislation commonly referred to as China’s Cybersecurity Law (“CCL”) in an effort to consolidate authority over and standardize regulation of the internet and cyberspace. The CCL includes strict prohibitions on how companies, particularly U.S. and other foreign companies, can store data and interact online. For example, the CCL requires that network operators in China cooperate with and support government agencies in safeguarding national security, and additional provisions passed in recent years under the CCL provide broad authorizations for law enforcement agencies to inspect and monitor internet service providers and computer network data centers. Foreign companies and human rights organizations have criticized the CCL as regressive legislation that fosters state censorship and surveillance and lacks sufficient privacy protections.

Article 21 of the CCL codified China’s requirements for network operators to implement a cybersecurity “multi-level protection system” that includes mandates to implement and adopt certain technical measures and security protocols to monitor and record network activity. Article 37 imposes certain data localization requirements and requires “critical information infrastructure” operators to store personal information and important data gathered or produced within the mainland territory of China.

On December 1, 2019, MLPS 2.0 will take effect, and will impact how U.S. companies and other foreign companies can do business online and store electronic data in China. A draft of the new regulations was first released in June 2018, and the revised MLPS 2.0 incorporates three information security technology standards that in effect will broaden the Chinese government’s authority, particularly that of the Ministry of Public Security, to proactively supervise, manage, and enforce cybersecurity regulations and restrictions on companies operating in China.

The expanded monitoring and enforcement authorities that MLPS 2.0 provides the Chinese government have provoked increasing privacy concerns for foreign firms, particularly those handling sensitive data. The regulations provide stringent mandates on how foreign companies must secure their networks, utilize local server systems, and cooperate with government authorities. As the new law enters into effect on December 1, 2019, it will be critical for U.S. companies operating in China to understand how the new laws will impact their operations. Companies that store and utilize sensitive personal data, U.S.-regulated technology or technical data, or proprietary intellectual property and trade secrets will have to ensure compliance with both U.S. and Chinese regulations governing privacy, export controls, and cybersecurity.

2. CFIUS Takes on TikTok

We previously provided an overview of the updated CFIUS regulations concerning foreign investment restrictions scheduled to take effect in the U.S. in February 2020. However, that does not mean that CFIUS, the inter-agency committee tasked with the authority to review, modify and reject certain types of foreign investment that could adversely impact U.S. national security, is dormant in terms of its current investigations. In fact, on November 1, 2019, Reuters reported that CFIUS has launched a national security review of the popular social media and video-streaming app TikTok, related to the acquisition of social media app Musical.ly (since rebranded as “TikTok”) by Beijing ByteDance Technology Co. in 2017 for $1 billion. TikTok earlier this year said that approximately 60% of its 26.5 million monthly active users are located in the United States.

U.S. lawmakers first raised national security concerns related to the TikTok platform, particularly its Chinese parent company’s collection of user data and purported censorship of user content. For example, Senators Chuck Schumer and Tom Cotton sent a bipartisan letter to the Acting Director of National Intelligence in October voicing concerns over TikTok’s data collection practices, highlighting Chinese laws that “compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.” While it is unclear what the outcome of this particular review will be, it puts a spotlight on the types of industries and practices that CFIUS is currently scrutinizing and provides a useful case study for the types of mitigating measures we may see imposed by the Committee down the road.

The updated CFIUS regulations set to take effect in February 2020 expressly expand the jurisdiction of CFIUS to include reviews of non-controlling foreign investments in companies that store and have access to sensitive personal data of U.S. citizens. But the CFIUS review into TikTok is only the latest investigation by the Committee into burgeoning technology apps that store sensitive personal data. CFIUS previously targeted the proposed acquisition by the Chinese Kunlun Group of the U.S. dating application “Grindr” over data privacy concerns regarding its individual users, and similarly forced the Chinese digital healthcare company iCarbonX to divest its investment in the U.S. healthcare startup “PatientsLikeMe.”

These recent cases ultimately show that CFIUS is increasingly focused on the protection of the sensitive personal data of U.S. citizens in emerging technological applications, particularly when Chinese investment is involved. All U.S. companies considering foreign investment will have to take heed of the current and soon-to-be updated CFIUS regulations and increase their due diligence efforts, particularly where Chinese investment is concerned.

3. 5G Supremacy: Timeline on Huawei Restrictions and Licensing Still Unclear

Finally, a critical ongoing area of U.S.-China cybersecurity relations is the debate over the role that China’s telecommunications leader Huawei will have in developing and implementing global 5G technology and data networks. Huawei was placed on the U.S. Department of Commerce “Entity List” over national security concerns in May 2019, which restricts U.S. companies from doing business with it, and a licensing regime was put into place for U.S. companies that seek to engage with Huawei and certain of its subsidiaries. While no such licenses have been issued to date, U.S. Secretary of Commerce Wilbur Ross recently indicated that at least some of the 260 license applications his office has received will be granted and issued shortly.

U.S. critics believe that allowing Huawei to take the lead on 5G and similar data network equipment will potentially give the Chinese government the ability to collect data on the users of Huawei products. However, Huawei is a global leader in 5G technology, and despite pressure from the U.S. government, countries like Germany, Hungary, and Norway have decided against banning Huawei from their 5G networks. The inherent difficulties and concerns in having the global leader in 5G technology also be closely connected to the Chinese government are an issue that every country seeking to develop 5G infrastructure will have to address, and will likely be a focal point in the U.S.-China trade war as well as in global cybersecurity relations for years to come.

If you have any questions about U.S.-China trade relations as it relates to CFIUS, cybersecurity regulatory compliance, or U.S.-imposed licensing restrictions, please contact a member of Baker Donelson’s Global Business Team below.

____________________________________________________________________
Joe D. Whitley is a shareholder at Baker Donelson and chairs the Firm’s Government Enforcement and Investigations Group. He can be reached at jwhitley@bakerdonelson.com. 

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com. 

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com. 

Frank Xue is an associate with Baker Donelson who assists Chinese clients with matters in the U.S. related to foreign direct investments, mergers and acquisitions, and private equity/venture capital. He can be reached at fxue@bakerdonelson.com. 

_______________________________________________________________________

1. CCL Translation: “Cyber-security Law of the People’s Republic of China,” Dezan Shira and Associates. https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html.

2. CCL Article 9; see also Laney Zhang, China: New Regulation on Police Cybersecurity Supervision and Inspection Powers Issued, Library of Congress (November 13, 2018) (discussing Measures of Internet Security Supervision and Inspection by the Public Security Organs, (Sept. 15, 2018, effective Nov. 1, 2018)) https://www.loc.gov/law/foreign-news/article/china-new-regulation-on-police-cybersecurity-supervision-and-inspection-powers-issued/.

3. See, e.g., China: Abusive Cybersecurity Law Set to be Passed, Human Rights Watch (November 6, 2016) https://www.hrw.org/news/2016/11/06/china-abusive-cybersecurity-law-set-be-passed; China adopts cyber security law in face of overseas opposition, Reuters (November 6, 2016) https://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049.

4. Draft Cybersecurity Classified Protection Regulations, China Ministry of Public Security (June 27, 2018) http://www.mps.gov.cn/n2254536/n4904355/c6159136/content.html?from=timeline&isappinstalled=0.

5. See, e.g. Simone McCarthy, Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?, South China Morning Post (October 13, 2019) https://www.scmp.com/news/china/diplomacy/article/3032649/will-chinas-revised-cybersecurity-law-put-foreign-firms-risk.

6. Greg Roumeliotis, Yingzhi Yang, Echo Wang, Alexandra Alper, Exclusive: U.S. opens national security investigation into TikTok, Reuters (November 1, 2019) https://www.reuters.com/article/us-tiktok-cfius-exclusive/exclusive-u-s-opens-national-security-investigation-into-tiktok-sources-idUSKBN1XB4IL.

7. Reuters, How TikTok, Caught in U.S. Regulatory Crossfire, Rose to Global Video Stardom, The New York Times (November 4, 2019) https://www.nytimes.com/reuters/2019/11/04/business/04reuters-tiktok-cfius-factbox.html.

8. See, e.g., Senator Marco Rubio Letter to Secretary of Treasury Steven Mnuchin https://www.rubio.senate.gov/public/_cache/files/9ba023e4-2f4b-404a-a8c0-e87ea784f440/FCEFFE1F54F3899795B4E5F1F1804630.20191009-letter-to-secretary-mnuchin-re-tiktok.pdf.

9. Senators Charles E. Schumer and Tom Cotton Senate Letter (October 23, 2019) https://www.democrats.senate.gov/imo/media/doc/10232019%20TikTok%20Letter%20-%20FINAL%20PDF.pdf.

10. See, e.g., Christiana Farr and Ari Levy, The Trump administration is forcing this health start-up that took Chinese money into a fire sale, CNBC (April 4, 2019) https://www.cnbc.com/2019/04/04/cfius-forces-patientslikeme-into-fire-sale-booting-chinese-investor.html; Echo Wang, China’s Kunlun Tech agrees to U.S. demand to sell Grindr gay dating app, Reuters (May 13, 2019) https://www.reuters.com/article/us-grindr-m-a-beijingkunlun/chinas-kunlun-tech-agrees-to-u-s-demand-to-sell-grindr-gay-dating-app-idUSKCN1SJ28N.

11. Huawei Entity List and Temporary General License Frequently Asked Questions, Department of Commerce (September 18, 2019) https://www.bis.doc.gov/index.php/documents/pdfs/2447-huawei-entity-listing-faqs/file.

12. Philip Heijmans and Haslinda Amin, Ross Optimistic on China Deal, Trump Wants It Signed in U.S., Bloomberg (November 3, 2019) https://www.bloomberg.com/news/articles/2019-11-03/ross-optimistic-on-china-trade-deal-says-huawei-licenses-coming?srnd=premium.

13. See, e.g., Associated Press, Hungary Says Huawei to Help Build Its 5G Wireless Network, New York Times (November 5, 2019) https://www.nytimes.com/aponline/2019/11/05/business/bc-eu-hungary-huawei.html; Chloe Taylor, Germany set to allow Huawei into 5G networks, defying pressure from the US, CNBC (October 16, 2019) https://www.cnbc.com/2019/10/16/germany-to-allow-huawei-into-5g-networks-defying-pressure-from-the-us.html.


C-TPAT DRIVES SUPPLY CHAIN SECURITY AND TRADE COMPLIANCE

In today’s ever-changing business environment, organizations are faced with ongoing security challenges. It’s crucial for shippers to understand any potential risks to their supply chains and establish security plans to avoid disruption. One significant way for shippers to proactively protect their operations is by becoming a member of the Customs-Trade Partnership Against Terrorism (C-TPAT) program.

Established in 2001 as a direct result of the September 11 terror attacks, the C-TPAT program is part of U.S. Customs and Border Protection’s (CBP) multi-layered cargo enforcement strategy. Through this voluntary program, CBP works with importers, shippers, carriers, brokers and logistics providers to implement best practices for ensuring a safe, secure and expeditious supply chain. Today, there are more than 11,400 certified C-TPAT partners in the program, and these companies account for more than 52 percent of the products imported into the U.S.

C-TPAT Member Benefits

In addition to promoting supply chain security, participating in the C-TPAT program can yield significant benefits for shippers and transportation providers, including:

Fewer customs inspections – C-TPAT certification offers companies the opportunity to decrease customs inspections and documentation reviews. According to CBP, C-TPAT members are 3.5 times less likely to incur a security or compliance examination.

Faster border crossings – Members have access to special Free and Secure Trade (FAST) lanes at border crossings, and can move to the front of the line during inspections. This can significantly expedite border crossings at many Canada/Mexico land border ports.

Quick response time – Following a national emergency, companies participating in the C-TPAT program are eligible to resume business first. 

Enhanced reputation – Participating in a national security program reflects a company’s ongoing commitment to safety. Some companies will only do business with importers that are C-TPAT certified–giving members a competitive edge. 

Cost avoidance – By decreasing potential supply chain disruptions, C-TPAT members can avoid costs associated with delayed shipments. Additionally, organizations that are penalized in any way are eligible to receive up to a 50 percent reduction on the imposed fine.

Joining C-TPAT

While almost every organization that is involved in the import and export business can enroll in the C-TPAT program, eligibility requirements vary by business type. But to achieve certification, all companies are required to:

-Conduct a risk assessment

-Implement a supply chain security management system that complies with C-TPAT requirements

-Submit a detailed application

-Meet with CBP representatives to verify security measures

In addition to obtaining their own certification, organizations can support the C-TPAT program by working with third-party logistics (3PL) providers that are also C-TPAT certified. C-TPAT-certified 3PLs act as an additional layer of protection against supply chain attacks, because they operate as an extension of the company’s established security procedures, which in turn strengthens the company’s brand.

A 3PL with active participation in the Mexican and Canadian markets also brings a portfolio of carriers and companies that are approved by C-TPAT, or that comply with minimum requirements for C-TPAT partners, essentially giving shippers a competitive advantage. 

Addressing Evolving Supply Chain Risks

As supply chain risk continues to evolve, so too do the C-TPAT requirements. In May, CBP announced that it had added new Minimum Security Criteria (MSC) requirements to the C-TPAT guidelines to help further mitigate risks. Some of the areas incorporated and updated in the program’s new criteria include:

-Issues related to cyber security

-Protection of the supply chain from agricultural contaminants and pests

-Prevention of money laundering and terrorism financing

-The proper use and management of security technology, such as intrusion alarms and security camera systems

Members are expected to implement the new criteria throughout the remainder of 2019, and validation of the new MSC will begin in early 2020.

Support Supply Chain Safety

With security risks threatening supply chains around the globe, it is important for companies to support initiatives that aim to tackle and prevent supply chain risks. By obtaining C-TPAT certification, businesses have the unique opportunity to take an active role in supporting national security while improving their own supply chain operations.

While there are no costs associated with joining the C-TPAT program, companies often have to invest in improving their practices to meet the minimum security requirements and effectively maintain a compliant program. However, this investment goes a long way in helping companies mitigate risk, avoid supply chain disruptions and drive greater efficiencies for cross-border transport.

______________________________________________________________

Linda Bravo is the Corporate Customs Broker at Transplace, where Sergio Flores is the Safety and Security Coordinator. Transplace is a 3PL provider offering logistics technology and transportation management services to manufacturers, retailers, chemical and consumer packaged goods companies. Learn more at Transplace.com.


Automotive Industry Cyber Attacks: Trends and Threats to Watch Out For

A report released by Upstream Security estimates that the automotive industry is at risk of losing $24 billion within five years due to cyber attacks. The company, which specializes in cloud-based security, analyzed reported cases at a granular level to understand the cyber threats and trends to combat in 2019.

The findings are based on a study that analyzes over 170 cyber incidents reported between 2010 and 2018. The study also revealed the different ways hackers attack, including physical, long-range and wireless strategies.

“With every new service or connected entity, a new attack vector is born,” said Oded Yarkoni, Head of Marketing at Upstream Security. “These attacks can be triggered from anywhere, placing both drivers and passengers at risk.

“Issues range from safety critical vehicle systems, to data center hacks on back-end servers, to identity theft in car sharing, and even privacy issues. The risk is immense. Just one cyber-hack can cost an automaker $1.1 billion, while we are seeing that the cost for the industry as a whole could reach $24 billion by 2023.”

Key highlights from the report include:

-Back-end application servers are directly involved in 42 percent of automotive cyber security incidents

-Tier 1 suppliers, fleet operators, telematics service providers, car sharing companies and public/private transportation providers are experiencing increased threat rates for cyber security issues.

-Multi-layered security tactics such as in-vehicle, automotive cloud security and network security are recommended to reduce risk.

-Fraud and data privacy are the areas primarily impacted by the two new cyber attack methods.

To read the full report, visit Upstream Security.

Source: Upstream Security

Sepio Systems, Tech Data & SHI Partner for Cybersecurity

Hardware-based attacks are at the center of the tri-partnership recently announced between Sepio Systems, Tech Data, and SHI International Corp.

Tech Data channel partners and SHI customers benefit from the partnership, as they are granted the option to bundle Sepio’s cybersecurity solutions. In addition to simplified deployment options for the Sepio Prime/Sepio Agent security management offerings, the partnership focuses on the network threats posed by uncontrolled peripheral devices and accessories.

“As part of our continuous effort to ease our customers’ process of complying with the NIST standards and guidelines for securing information systems, we are excited to team with Tech Data and SHI,” said Yossi Appleboum, CEO of Sepio Systems Inc.

“Packing Sepio’s deep visibility capabilities into devices and hardware assets together with a granular policy enforcement tool greatly reduces the cyber risk organizations are facing. For the first time, Tech Data customers and partners can deploy a simple and robust software solution that addresses more than 15 controls from the NIST 800-53 Special Publication,” Appleboum concluded.

Sepio Systems currently identifies hidden hardware attacks related to rogue peripherals, invisible network devices, and manipulated firmware. The software-only solution, Sepio Prime, currently has a presence in the U.S., Brazil, Singapore, and Israel.

How To Ditch The Techie Jargon And Improve Your Organization’s Cybersecurity

An office memo that tosses around terms like DRM, botnet, FTP, spear phishing and worm could be a quick, easy read for the head of the IT department.

But for everyone else in the organization it may or may not be one big mass of confusion.

And with that bewilderment comes potential danger, says J. Eduardo Campos, co-founder with his wife, Erica, of Embedded-Knowledge Inc. (www.embedded-knowledge.com) and co-author with her of From Problem Solving to Solution Design: Turning Ideas into Actions.

“There’s a serious gap in communication skills between cybersecurity pros and their general audiences, and it’s essential for the people on the IT side to bridge it,” Campos says. “Increasingly complex security threats demand that cybersecurity professionals use plain language when they are communicating with those less familiar with tech talk.”

Otherwise, he says, an organization could be vulnerable to hackers even if the staff had been warned about what to look for, simply because the employees didn’t understand the language behind the warning.

After all, cyber threats aren’t just a technology problem – they are a people problem, says Campos, who worked on cyber threats as a former employee of Microsoft.

“People are the weakest link in computer security and many companies don’t promote a company philosophy of ‘computer security is everybody’s business,’” he says.

Campos suggests a few ways to improve communication between those in charge of cybersecurity and everyone else in the organization:

Incorporate this need into the hiring process. When hiring new staff for your IT and cybersecurity team, look for experts who have not only tech skills, but also the skills necessary to comfortably interact socially and clearly communicate in lay terms with all the stakeholders in the organization.

Focus on training. Cybersecurity teams can be trained to become solution designers who can connect the dots, Campos says. They can then capture, clarify, and address all stakeholders’ concerns, helping them to determine and keep their goals aligned. Such cybersecurity pros enable success by listening to everyone involved before sharing their own viewpoints.

Realize this is an ongoing process. It’s important to ensure that the improved communication is sustained over the long haul, and people don’t revert to old ways down the road, Campos says. “You will want to monitor the situation so that you can quickly spot and head off any problems,” he says. “You can create a feedback loop so that the employees are encouraged to let you know how things are working.”

“Data breaches, data ransom plots, and email hacks intimidate us all,” Campos says. “Cybersecurity teams themselves feel hard-pressed enough to prepare themselves for the onslaught of these gremlins, let alone to accomplish the challenging task of communicating to stakeholders about how to mitigate and deal with cybersecurity risks.”

“But for organizations to keep their information and systems safe, that communication needs to be done, and in a way everyone can understand.”

About J. Eduardo Campos

J. Eduardo Campos is co-author with his wife, Erica, of From Problem Solving to Solution Design: Turning Ideas into Actions. Campos spent 13 years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad. His consulting firm, Embedded Knowledge Inc. (www.embedded-knowledge.com), works with organizations and entrepreneurs developing customized business strategies and forming partnerships focused on designing creative solutions to complex problems.