October 5, 2021

Good morning, everyone!

This week’s critical vulnerabilities: VMWare vCenter vulnerability is being actively exploited. Make sure you have applied the patch. QNAP has released patches for critical bugs in its QVR video surveillance solution. SonicWall has released patches for security problems with its Secure Mobile Access (SMA) 100 series appliances. Microsoft has published a guide on the safe use of RDP. The most recent ESET Threat Report shows that attacks on open RDP ports are again on the rise. Patch All the Things!

Say what you do, and do what you say

A couple weeks ago, the U.S. Securities Exchange Commission (SEC) reached settlement with App Annie for $10 million, for telling users it would use their data only in "aggregated and anonymized form" when it actually used their data also in a "non-aggregated and non-anonymized form." What does this mean for your organization?

Whether it’s a compliance checklist or cyber insurance application or the privacy policy on your website, it’s more important than ever to be truthful and accurate! Think about the consequences of scenarios like this:

• You overstate your security posture on a compliance checklist sent by a customer, and then the customer performs an audit and discovers the deception (or worse still, you actually have a data breach that shouldn’t have happened if you really had those controls in place)
• You don’t actually follow the (boilerplate?) privacy policy on your website
• You check “yes” on all those boxes on the questionnaire for your cyber liability policy, without knowing for sure (or understanding) whether you have those controls in place, then you have a cyber incident and the policy doesn’t cover you, because you provided false information in your application

My mama always told me “When in doubt, don’t!” So if you aren’t sure about the answers to those questions, seek professional help before checking boxes. You don't want to attest to something that you don't fully understand. Talk to your marketing people about your privacy policy, and make sure you are following it as stated. You honestly aren’t doing your organization any favors by overstating your position – any position. There are too many ways for the truth to come out.

Until next week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Talk to you again soon!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺