HIPAA Compliance Training: Empowering Healthcare Staff with Cybersecurity Awareness

Addressing the human factor in healthcare cybersecurity, this post explores the importance of ongoing training and education for healthcare personnel to mitigate risks and uphold HIPAA compliance standards. It aims to spark thoughts on ways to improve the effectiveness of current procedures, create new ones, and protect your patients’ privacy.

The Weak Link in HIPAA Compliance: Humans

The technology world has no shortage of vendors and experts that work tirelessly to strengthen compliance in processes and products. Hornetsecurity’s 365 Permissions Manager product serves as a powerful example. However, we must always remember one standout word in the HIPAA acronym: “Accountability”. This applies to people, not technology.

Technological HIPAA solutions can work wonders for the “Portability” bit of the acronym. They also facilitate the vital “privacy” component of the law. Software can prevent unauthorized users from viewing sensitive information. A program can require all its communications to use encrypted channels. Unfortunately, nothing can prevent all accidental, negligent, or malicious activity.

The previous paragraph deliberately sorted “malicious” after “accidental” and “negligent”. Attackers draw everyone’s attention with mass havoc, but smaller HIPAA leaks with no ill intent occur almost constantly. As a patient leaves the building, a receptionist may exclaim, “I hope that rash clears up quickly, Susan!” loudly enough for everyone in the waiting room to hear. A provider might leave their appointment calendar open on a screen within a patient’s line of sight. A harried office worker might place a printed document with protected information where anyone standing at the front desk can view it. A group of doctors might discuss an interesting patient case using the patient’s name – in a crowded restaurant. You have no doubt witnessed multiple HIPAA violations that went unnoticed and unaddressed.

Technology will never stop those small leaks. It also can’t help when someone triggers HIPAA’s “Accountability” provisions. To ward that off, healthcare organizations must focus on staff training.

Why HIPAA Violations Occur So Frequently

The following criteria were used to score the Olympic federations and committees, and build our rankings:

  • Has Email Security Gateway: Having an email security gateway is crucial because it acts as a barrier against email-borne threats such as impersonation attempts, phishing, and malware, and it can help ensure the continuity of email services.
  • Has SPF record: An SPF record is important because it helps prevent email spoofing and protects against phishing attacks by specifying which mail servers are authorized to send emails on behalf of a domain.
  • SPF record is good: Here we consider the effectiveness of the SPF record, for instance whether it ends with the “softfail” (~all) qualifier, which is weak.
  • Has DMARC record: DMARC is crucial for preventing email spoofing and phishing by authenticating emails and specifying how to handle those that fail authentication, ensuring only legitimate emails reach recipients.
  • DMARC record is good: We consider a DMARC record to be good when it receives a positive mark on a scan, such as from https://tools.sendmarc.com/.
  • Immune to bypass: Email security bypass is an old trick, but it still works today. It means that an organization has not restricted inbound delivery to its mail server to its gateway, so mail can skip the email security solution entirely and reach the mail server directly. A recent paper on the topic: https://sumanthvrao.github.io/papers/rao-www-2024.pdf

Using the above criteria, we created a very simple grading system. We built two different scales, one for countries that had an email security gateway and one for those that did not, and assigned different weightings to the scoring criteria depending on our assessment of each criterion’s contribution to email security.
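As an added illustration (not code from the original article or from Hornetsecurity), the following Python evaluates a domain’s SPF and DMARC TXT records against the criteria above and combines the results on the two scales described. The point weights are assumed for illustration, since the article does not publish its actual weightings, and the gateway and bypass inputs are taken as booleans from an external check; the sample records are constructed.

```python
from typing import Dict, List, Optional

# Assumed weightings (the article does not publish its real ones): with a
# gateway, the gateway itself and whether it can be bypassed carry most of the
# weight; without one, the authentication records are all the domain has.
WEIGHTS_WITH_GATEWAY = {"has_gateway": 30, "has_spf": 10, "spf_good": 10,
                        "has_dmarc": 15, "dmarc_good": 15, "immune_to_bypass": 20}
WEIGHTS_WITHOUT_GATEWAY = {"has_spf": 20, "spf_good": 20,
                           "has_dmarc": 30, "dmarc_good": 30}


def find_spf(txt_records: List[str]) -> Optional[str]:
    """Return the domain's SPF record, or None if it has none.

    RFC 7208 permits exactly one 'v=spf1' TXT record; two or more make
    receivers treat SPF as a permanent error, so that case counts as missing.
    """
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_quality(spf: Optional[str]) -> str:
    """Classify an SPF record by its terminal 'all' mechanism.

    '-all' (hardfail) tells receivers to reject unlisted senders. '~all'
    (softfail) only asks them to mark such mail, which is the weak setting the
    criteria call out. '?all' and '+all' give no protection at all.
    """
    if spf is None:
        return "missing"
    last = spf.split()[-1].lower()
    return {"-all": "hardfail", "~all": "softfail", "?all": "neutral",
            "+all": "pass-all", "all": "pass-all"}.get(last, "no-all")


def parse_dmarc(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Parse the single 'v=DMARC1' TXT record at _dmarc.<domain> into tag -> value."""
    recs = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_quality(tags: Optional[Dict[str, str]]) -> str:
    """Judge a DMARC record by its policy and the share of mail it applies to."""
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if policy in ("quarantine", "reject"):
        # pct below 100 leaves a slice of spoofed mail unenforced.
        return "enforcing" if pct == 100 else "partial"
    if policy == "none":
        return "monitor-only"   # reports only; spoofed mail is still delivered
    return "invalid"


def assess(spf_txt: List[str], dmarc_txt: List[str],
           has_gateway: bool, immune_to_bypass: bool) -> Dict[str, object]:
    """Score one domain. has_gateway and immune_to_bypass are assumed to come
    from an external check; the DNS records are evaluated locally."""
    spf_q = spf_quality(find_spf(spf_txt))
    dmarc_q = dmarc_quality(parse_dmarc(dmarc_txt))
    checks = {
        "has_gateway": has_gateway,
        "has_spf": spf_q != "missing",
        "spf_good": spf_q == "hardfail",
        "has_dmarc": dmarc_q != "missing",
        "dmarc_good": dmarc_q == "enforcing",
        # Bypass immunity only matters when there is a gateway to bypass.
        "immune_to_bypass": has_gateway and immune_to_bypass,
    }
    weights = WEIGHTS_WITH_GATEWAY if has_gateway else WEIGHTS_WITHOUT_GATEWAY
    score = sum(w for name, w in weights.items() if checks[name])
    return {"spf": spf_q, "dmarc": dmarc_q, "checks": checks, "score": score}


# Constructed sample records (documentation domains and addresses, no real lookups).
STRONG_SPF = ["v=spf1 include:_spf.example.net -all"]
STRONG_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"]
WEAK_SPF = ["v=spf1 ip4:192.0.2.10 ~all"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print(assess(STRONG_SPF, STRONG_DMARC, has_gateway=True, immune_to_bypass=True))
    print(assess(WEAK_SPF, WEAK_DMARC, has_gateway=False, immune_to_bypass=False))
```

To run it against a live domain, feed the TXT answers for `<domain>` and `_dmarc.<domain>` from your resolver of choice into `assess`.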

Your People Mean Well

Many HIPAA violations happen simply because people don’t associate their actions with privacy breaches. People are helpful and trusting. It seems logical to expect that the average person who chose a career in healthcare has an even more helpful and trusting personality than the average person in another line of work. They know their patients and feel comfortable with them; why would they worry about that open file? A good provider would never dream of exploiting personal health information for their own gain; why would they suspect any regular person of it? To get the best help for a patient, a doctor might need the counsel of other doctors; why would anyone eavesdrop? The office won’t flow well if nurses don’t deliver information as quickly as possible; who would ever take advantage of an uncovered paper document? The idea of attackers as shady-looking characters has pervaded the public consciousness to the point that few of us see threats in people who look “normal”. That’s especially true when those people are also our customers and patients.

Your People Have a LOT to Do

We must also remember that healthcare workers are busy people. Regulations and training place an additional burden on them. No one wants to take the extra moment to cover or uncover a document when they have dozens or more to handle along with all their other high priority duties. Insisting otherwise or trying to shame people into changing their behavior doesn’t help.

HIPAA Compliance Sounds Complicated

The overwork problem goes beyond daily activity. Healthcare workers also deal with substantial requirements for periodic credential renewals. Adding in HIPAA training can feel like another time-consuming annoyance of buzzword-filled box-checking busywork. Acronyms and the word “compliance” only make it all worse.

Viewers and readers struggle to absorb material that does not capture interest, content that does not make things easier, and activities that they do not feel use their time in a valuable way. HIPAA training that does not take this into account will have little effect on preventing breaches.

Account for Human Nature in Training Material

You cannot build an effective HIPAA training program that does not take these factors into account. Acknowledge that people frequently do not understand that a particular action qualifies as a HIPAA violation. Realize that the attitude of “I’m too busy, it will be OK just this once,” infects everyone.

Ways to Improve HIPAA Training Effectiveness

Fundamentally, you can make the most improvements to training procedures by understanding the barriers to learning. The preceding sections looked at those, and you likely have ideas of your own. Next, you must face the challenge of implementation. The following subsections outline a few suggestions to augment your plans.

Keep It Short and Simple

I believe that “Keep It Short and Simple” has become the modern, inoffensive expansion of the age-old “KISS” principle. Whatever words you prefer, the basic meaning holds. You know that people don’t want to sit in training. You know that they don’t like acronyms and buzzwords. Prepare accordingly. Avoid long-winded explanations. Don’t show blocks of legal text.

You might develop some sort of short saying, such as “Protect Patient Data the Way You Protect Patient Lives.” Of course, people often react to pithy mantras with eye rolls and exasperated sighs, but they still remember them. If the knowledge sticks, the training worked.

Instead of trying to “teach HIPAA compliance”, envision what you want people to understand and embody, and explain that. A few examples (some restatements of the same ideas):

  • No one other than the patient and their care team should know anything about the patient
  • The patient’s business is nobody else’s business
  • No release form, no information
  • What happens in the exam room stays in the exam room
  • The bad guys are always listening

Remember to address this topic from the angle that healthcare workers want to help.

Connect Arcane Data to Relatable Points

Healthcare workers work in healthcare, not the law. Don’t dazzle them with legalese. They do need to know the basics of what HIPAA means. They must also understand common acronyms, like PHI (personal health information). When you introduce such terms, immediately link them to something that anyone can understand.

  • For HIPAA, you might include a statement along the lines of, “if we lose control of patient information, we lose patient trust”.
  • With PHI, you can include something like, “Jill does not want everyone in town knowing that she was treated for hemorrhoids”.

While you have a legal obligation to obey HIPAA, it happens to align with most people’s morality about private information.

Give It Entertainment Value

Corporate and professional training does not need to follow sterilized tradition. Elements that perk up the presentation help to grab and maintain interest. You don’t need Hollywood-grade production value to make an impact.

However, if you have access to product design resources, use them. You might have talented individuals in your marketing department that can help. Numerous online and college courses exist to help with modern business communication. You can use these tools for much more than a HIPAA class.

Two things help: humor and shock. Both require awareness and finesse (drab corporate presentations arose from failure to employ these intelligently and respectfully). Humor can involve a mascot figure delivering your sayings. Shock can come from examples of HIPAA fines and violations. Since not everyone understands that a seemingly innocuous activity could lead to a breach, you should have little trouble finding ample material. Again, lean on internal and external resources with experience for help.

Reinforce Training with Reminders

Your technological toolbelt contains more than prepackaged, purpose-built applications. You likely have control over the lock screens and screensavers of office systems. You might also have overhead monitors for information presentation. Use these to rotate in HIPAA reminders. A few examples:

  • The first rule of PHI is that we do not talk about PHI.
  • Your patient can’t see this, can they?
  • Has anyone other than you seen your calendar?
  • Did you remember to turn that document face down?
  • Who overheard that diagnosis?

Many offices have routine internal communications, such as newsletters. Use all delivery methods at your disposal to disseminate small reminders.

Foster a HIPAA-Compliant Culture

Because compliance depends so greatly on moment-to-moment behavior, it may require a shift in “normal” behavior. Changing that requires more than an hour in a training room. Small, frequent, pervasive reminders help. Recruiting informal “HIPAA Ambassadors” to model behavior works in some environments. Periodic recognition for activities such as avoiding or correcting HIPAA violations creates a positive incentive. Avoid responses that shame, as they typically cause more resentment and rebellion than positive change.

You can leverage the “Accountability” component with most people. Legally, it primarily means that violations can result in fines. However, the word also means that healthcare workers have a duty to patients to keep personal health information private. This gives a “shared and individual responsibility” aspect that resonates with most people.

Don’t Forget Those Bad Guys

Throughout all your HIPAA training and culture modification efforts, remember that the “bad guys” are real. If patient information wasn’t valuable, no one would be trying to steal it. You want staff to remember that they can’t recognize an information thief through everyday interactions. This hearkens back to things already discussed, such as reminders of, “No release form, no information.” The knowledge that someone out there might have nefarious reasons to ask too many questions or listen a bit too closely can put enough of an edge on those reminders to help staff retain them.

Therefore, it’s time to take it seriously, as your organization could face a situation similar to that of Change Healthcare.

Like humor and shock, this topic needs mindful presentation. You do not want to build an environment of constant fear and mutual distrust. Most people in a healthcare setting want to help others get better or receive treatment.

Shake It Up

As the proverb goes: “Familiarity breeds contempt.” Repeatedly presenting the same material, no matter how well made, will eventually cause staff to stop taking it seriously. Don’t create a bit of material and consider the task finished. Start with something simple. Refine it continually. Reword phrases. Replace sayings for a time and reintroduce them later.

If you can build a solid HIPAA-compliant culture, this becomes somewhat less important. People will always need reminders and refreshers, of course.

Keep Sight of the Goal

While we all wish for a single, magical HIPAA training course that we can deliver once to everyone and they retain forever, that will not happen. Accept that you will need to create and maintain material that keeps up with people in a way that they can understand.

Most importantly, remember that effective HIPAA training depends on simple and relatable presentation. Appeal to what your healthcare employees do best: care for the patient.

How 365 Permission Manager Can Help Streamline Compliance

365 Permission Manager is a powerful tool that can streamline HIPAA compliance and make it easier for healthcare organizations to manage permissions and protect patient data. It offers automated permission management with simplified access control, ensuring only authorized personnel can view patient data, thereby reducing the risk of unauthorized access. Furthermore, regular audits keep permissions updated for ongoing HIPAA compliance. 365 Permission Manager’s intuitive dashboard makes it easy for staff to manage access levels, while real-time alerts notify administrators of unusual access attempts.

Enhanced security features protect patient data, preventing data breaches and ensuring confidentiality, in line with the principle, “Protect Patient Data the Way You Protect Patient Lives.”

To ensure HIPAA compliance and safeguard your healthcare environment, utilize Hornetsecurity’s Security Awareness Service to educate your employees on securing critical data. Additionally, the 365 Permission Manager is a powerful tool that streamlines HIPAA compliance, making it easier for healthcare organizations to manage permissions and protect patient data.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.

FAQ

Why is HIPAA compliance important for healthcare staff?

HIPAA compliance is crucial to protect patients’ personal health information (PHI) from unauthorized access, ensuring privacy and trust. Violations can lead to severe legal penalties and damage to the organization’s reputation.

How can healthcare staff prevent accidental HIPAA violations?

Healthcare staff can prevent accidental HIPAA violations by receiving regular training, being aware of their surroundings, covering documents containing PHI, and ensuring conversations about patients are private.

What role does Hornetsecurity play in enhancing HIPAA compliance?

Hornetsecurity offers solutions like 365 Permissions Manager, which help manage and secure email communications, ensuring that unauthorized users cannot access sensitive information, thereby supporting HIPAA compliance.

NIS2 Directive: Decoding its Significance and Implications

We have all been witnessing the growing threats associated with increasing digitalization and the rising number of cyberattacks.

As early as 2016, the European Union recognized that this was a major challenge for organizations and citizens and introduced NIS (Network and Information Security) security measures.

The idea was to improve the cybersecurity capabilities of networks and infrastructure systems in seven sectors, including energy, transport, banking, financial markets, healthcare, drinking water, and digital infrastructure.

As cybersecurity continues evolving, NIS EU legislation has had to be improved and security measures increased. For example, the Hornetsecurity Security Report shows that phishing retains its top spot, accounting for 43.3% of email-based attacks.

In 2023, the European Union adopted the second version of the Network and Information Systems Directive (NIS2) and improved the security measures.

This article is about NIS2, what the regulation requires, a high-level overview of steps you should take now in your organization, and how Hornetsecurity’s various products can help you.

NIS vs NIS2

The main difference between NIS and NIS2 lies in the expanded industry sectors that are covered by NIS2, the adding of “teeth” in the form of sizeable fines, as well as the size of businesses that are in scope (see below).

NIS is aimed at essential services and providers of digital services. Essential services include three sectors: water, transport, and energy. Digital services include cloud computing, marketplaces, and search engines.

With NIS2 legislation, the European Union expanded the scope and categorized it into essential entities and important service entities. Essential entities were already part of NIS, but NIS2 has expanded the scope of the sectors covered.

This means that more organizations in the European Union are subject to NIS2 requirements.

New in NIS2 are important service entities that cover additional areas.

Some of the industries that will now be affected by NIS2 as important service entities are healthcare, transport, finance, water supply, waste management, energy, digital infrastructure, and service providers, public electronic communications service providers, food industry, aerospace, postal and courier services, and public administration.

Visual explanation of NIS and NIS2 entities

*Essential entities will be supervised pro-actively AND re-actively

*Important entities will only be supervised re-actively

**NIS2 sectors include both sectors already covered in NIS plus new added sectors

NIS2 legislation updates and modernizes the older framework and improves required resilience and incident response for private and public entities.

What is the difference between essential and important?

In addition to the extended sectors, there are two other differences. Essential entities must meet the requirements of a proactive supervisory authority, while important entities are subject only to ex-post supervision.

The ex-post supervisory authority means that action will only be taken if the supervisory authority receives evidence of non-compliance.

Who is Affected by NIS2?

NIS2 concerns organizations of very different sizes. Under NIS, only medium-sized and large organizations were affected; under NIS2, smaller organizations are now in scope.

This means that smaller organizations with a turnover of more than €10 million or more than 50 employees must now also comply with the regulations.

Even smaller organizations are affected by NIS2 directive

NIS2: Four Key Areas

There are four key areas addressed in the NIS2 legislation. These include reporting obligations, risk management, management obligations and governance, and enforcement and sanctions.

Step one for you, however, is to carefully read the NIS2 Directive (which will be implemented as law in your EU country by October 2024) to ascertain whether your organization is covered by the expanded set of industries or not. If your business is in scope, you must start taking steps today to become compliant, and Hornetsecurity can help.

Second, like with any compliance regulation, start by:

  • Identify risk factors to your ongoing operation.
  • Document each of the risk factors.
  • Plan mitigations for each risk.
  • Gather proof for how these mitigations are implemented and verified.

Let’s look at each of the four key areas of NIS2.

Reporting Obligations

If a company suspects a serious security incident, such as a data breach, unauthorized access, supply chain attack, and the like, it must report it within 24 hours. Then, within 72 hours, the company must provide a detailed assessment to the supervisory authority of the impact on its infrastructure and data.

The story doesn’t end there, however.

Reporting obligations

After the initial report is submitted within the first 24 hours, the company has one month to submit a final report to the supervisory authority. The final report should include full details of how the incident occurred, the impact it had on the company, and the actions taken by the organization.

If you have had any experience with Incident Response (IR) in a cyber security situation, you know that 24 hours is a very challenging deadline. In the first few hours and days of a major breach there is a lot of heightened emotion and stress as you work to identify exactly which systems have been affected, where the initial foothold was established, and whether any sensitive personal or business data has been stolen, while also recovering systems and formulating a plan to evict the attackers. Especially for smaller organizations that have not experienced this before, it will be a very challenging time.

One way to ensure compliance is to review your incident response plan, and make sure you have all lines of communication established.

Since you need to report to your supervisory authority, make sure to include how to do this in your incident response plan. If you’re a smaller organization where you may not have a dedicated incident response team, or even a cyber security team, make sure to establish commercial relationships with at least one incident response company, so that you can call on them quickly. You don’t want to be Googling who to call when the breach is in progress.

Don’t forget the more detailed assessment that is due within 72 hours and the information it requires; again, prepare your organization with templates so that you’re ready for it.

Hornetsecurity’s 365 Total Protection Enterprise can help here if the initial attack vector was email-borne (the most common case): even if it did not stop the attack, it provides immutable retention of all emails in Archiving and email header analysis in the Control Panel.

Risk Management

Risk management is a second area within the NIS2 legislation.

Risk management is the process of identifying, assessing, preventing, and mitigating potential risks that an organization may face. Article 21 of NIS2 legislation defines risk management measures to strengthen the security posture of the business.

They include the following:

Policies and procedures regarding the use of cryptography and, where appropriate, encryption. The use of cryptography and encryption helps to ensure the Confidentiality, Integrity, and Authenticity (CIA) of data. Hornetsecurity offers powerful, easy-to-use email encryption.

Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. These policies and procedures help organizations follow a structured approach and manage improvements over time.

Incident handling covers the detection and prevention of cybersecurity incidents.

Business continuity means proper backup management, disaster recovery, and crisis management. This is obviously one of the main focuses of NIS2: ensuring that your organization can continue to provide service during a cyber security incident. Hornetsecurity offers an Email Continuity Service if an outage has impacted Exchange Online, and our 365 Total Backup is a world-class backup solution for Microsoft 365 workloads. VM Backup for on-premises workloads (Hyper-V and VMware) includes support for immutable storage, ensuring that no one, neither an attacker nor a malicious insider, can tamper with your backups. Having a comprehensive, tested business continuity plan, supported by strong backup and recovery technology, is the best way to ensure cyber resiliency: the ability to continue operating during an attack.

Supply chain security, including security aspects related to the relationships between each company and its direct suppliers or service providers. Do you remember the incidents in the SolarWinds supply chain attack? As recent breaches (Change Healthcare in the US for example) have shown us, the modern business landscape is a complex system of interconnectedness, and a small impact to a particular supplier can have a very large influence on the whole system if not properly planned for.

IT Security in network and information systems.

Cybersecurity training to teach employees how to deal with the various attacks that arrive via phishing and social engineering. Trained employees are one of the best cyber security measures. Our powerful Security Awareness Service educates your staff on cyber security risks on an ongoing basis, with very little management overhead for the IT department, all the while tracking employee behavior and assigning follow-up simulated phishing emails and training videos only to staff who demonstrate risky behavior, such as clicking on suspicious links, downloading and opening unauthorized attachments, or failing to recognize phishing and social engineering attempts.

Human Resources Security defines the protection of personal employee data.

Secured communication via voice, video, and text, and also secure communication in an emergency. You must assume during a breach that your normal communication channels may be compromised, and plan for alternatives. As you determine the scope of the compromise, if it looks like your source of identity (Active Directory / Entra ID / third-party) has been completely taken over, assume that any tool you normally use to communicate (on-premises phone system, email, Teams, Slack, Zoom, etc.) that relies on those identities is also compromised, and plan to use a different tool.

Authentication with multi-factor authentication and SSO (Single-Sign-On).

Access control helps to define least privilege permissions and the right RBAC (Role Based Access Control) to protect different resources.

Asset management is a structured and secure approach to acquiring, tracking, maintaining, upgrading, and disposing of defective or no longer-needed physical assets (e.g. End-Of-Life devices) within an organization.

Use Hornetsecurity’s 365 Total Protection Compliance & Awareness for stronger supply chain security, relying on full support for SPF, DKIM and DMARC, along with our unique AI recipient validation to check that you’re really communicating with the right person. For network security our Advanced Threat Protection catches email attacks that others miss, we have MFA controls for accessing our Control Panel, and we have a powerful but easy to use Email Encryption service for secure email.

Most importantly, a huge risk in most Microsoft 365 environments is ungoverned SharePoint / OneDrive for Business / Teams document sharing. Our unique product, 365 Permission Manager lets you take back control over both internal and external sharing and ensure ongoing compliance with your policies, while still supporting collaboration and productivity.

Management Duties & Governance

Article 31 of the NIS2 Directive defines the responsibility of senior management and governance. They are responsible for assessing and monitoring risk management measures.

Furthermore, it is also the responsibility of senior management to enforce security best practices within the organization and provide regular security awareness training.

One powerful product from Hornetsecurity that really helps in this area is Security Awareness Service which not only regularly reminds staff of cyber security risks, but also is up to date with the very latest threats as our Security Lab identifies them, along with powerful reporting for the senior leadership.

Enforcement & Sanctions

According to Article 32 of the NIS2 directive, the supervisory authority can act if you do not follow or comply with the NIS2 regulations.

This includes conducting their own tests and investigations based on the evidence the organization provided after a cybersecurity incident. These tests include onsite inspections, random checks, regular audits, ad hoc audits, and others.

The supervisory authority may also request and inspect any data, documents, information, or potential evidence.

In case of non-compliance with NIS2 or failure to provide up-to-date information, the authorities may issue public warnings, monitor your activities, set deadlines, and withdraw your operating license or certification so that your company can no longer operate.

ISO 27001 and NIS2

ISO 27001 is an international standard for the management of information security in organizations. NIS2 defines cybersecurity measures to protect the private and public sectors. One of the common questions we receive is whether NIS2 is included in the ISO 27001 certification.

While there is a great deal of overlap between the two standards (as indeed there is with most cyber security regulations), compliance with one still means you have work to do to satisfy the other one.

NIS2 Implementation Deadline

The European Union has done its part. It has defined the NIS2 requirements and now it is up to the EU Member States to adopt and publish the measures. The deadline to make NIS2 measures applicable is October 17, 2024.

Furthermore, by the 17th of April 2025, EU Member States shall establish a list of essential and important entities. EU Member States shall keep the list of entities updated.

Understanding Penalties for Non-Compliance

Compliance with the NIS2 legislation is not optional but mandatory for the companies concerned. If companies do not comply with NIS2, there are three types of sanctions, including non-monetary remedies, administrative fines, and criminal sanctions. The supervisory authority is authorized to enforce any of these measures based on their evaluation of your organization.

Non-monetary remedies

Non-monetary remedies include compliance orders, security audit implementation orders, binding instructions, and notifications of threats to the companies’ customers. The same applies to essential and important businesses.

Administrative fines

Administrative fines distinguish between essential and important entities. For essential entities, the fine is 10 million EUR or 2% of global annual revenue. For important entities, the fine is a bit lower: 7 million EUR or 1.4% of global annual revenue.

Criminal sanctions

NIS2 enables EU member states to hold top management personally accountable for negligence in the event of security incidents. In this way, top management is subject to criminal sanctions. The EU member states can order that the cause and the person responsible be made public in the event of breaches, and they can prevent top management from working in management positions in the future.

Conclusion

In 2016, the European Union created NIS to increase cybersecurity and protect organizations from security incidents. 7 years later, in 2023, they adapted and increased the security measures and introduced NIS2.

Now, with NIS2, more organizations are subject to NIS2 requirements. There are four key areas covered by NIS2 including reporting, risk management, management and duties governance, and enforcement and sanctions. They define everything from policy, implementation, and responsibility to sanctions in the event of a breach.

If the NIS2 guidelines are not complied with, or only partially complied with, the EU member states are authorized to impose non-monetary remedies, administrative fines, and criminal sanctions.

As we’ve shown in this article, Hornetsecurity has a range of services and products to help your organization comply with many of the NIS2 requirements. Good luck on your compliance journey, and if you need help, please reach out to our team.


Security Concerns of Hidden Permissions in SharePoint

SharePoint is a stalwart of collaboration and file sharing in Microsoft 365, which started its life as SharePoint Server back in 2001. Most organizations use SharePoint Online as hosted by Microsoft, and it has become a “plumbing” technology: something fundamental that sits in the background and that most people don’t notice until it stops working properly.

This is even more evident in how SharePoint is used in Microsoft 365. You probably have SharePoint sites for various teams, departments, or countries, but SharePoint sites are also used as the backend storage for everyone’s OneDrive for Business files. And when you share files and folders in Teams, guess what: that storage is also backed by SharePoint. So, not only do you need to govern the data stored in SharePoint sites, but also the data in these other locations, and as we’ll show you, governing data access in SharePoint is hard to do.

This heritage has a downside: starting life as an on-premises piece of software and now running as a hosted service brings with it some serious security baggage. In this article we’ll show you the lack of permission visibility that can lead to security risks, and how hidden groups and hidden users make this situation even worse. Furthermore, custom permission levels can have disastrous consequences when it comes to assigning rights, and the manual management of user access is a recipe for security mistakes. Finally, custom document libraries can be an attacker’s hidden haven.

In other words – your SharePoint environment might already be infiltrated by an attacker, and you wouldn’t know it. At the very least, your permissions are likely not aligned with “least privilege”, one of the tenets of Zero Trust.

Most CISOs and security professionals are focused on the “loud” threats such as ransomware, but it’s important to be aware that there are many other avenues attackers take, and an attacker who’s been able to compromise a single user account might quietly watch the vendor invoice document folder in SharePoint for example. Gathering these documents, they may be able to change payment details in a classic Business Email Compromise attack (in this case without the email vector).

The Visibility Gap

We’ll focus most of this article on the Documents folder in your SharePoint sites – this is what most sites are used for – file sharing.

A fundamental difference, compared to traditional file shares, is that there’s no folder tree hierarchy that you can see. You can create subfolders in subfolders and so forth, and put files into any of the folders, but there’s no easy way to visualize the hierarchy, and you must click into each folder to see what’s stored in there.

To see which user accounts, groups or external guest users have been granted permissions to each folder (and each file, as they can have different permissions), you must click on the object and then go to Manage Access to see who has access.

Manage Access Permissions for each individual folder and file

The second challenge is that while you can see the names of the groups that have been granted permissions on a particular folder, you can’t see the user accounts that are members of those groups in the Manage Access dialog. Clicking a group name doesn’t bring up its members; in fact, it does nothing.

List of groups that have been granted permissions

Determining the user accounts in a group requires a visit to either the Microsoft 365 admin center (https://admin.microsoft.com) or the Entra ID portal (https://entra.microsoft.com). Administrators will have access to these portals, but if you’re a department manager who owns a SharePoint team site and are trying to ascertain who has access to which document folders, you can’t complete this task without contacting the IT department.

Even more troubling (thanks to the SharePoint Server heritage mentioned above) is that there is a group type in SharePoint itself that is not visible in the Microsoft 365 admin center or the Entra ID portal, only in the SharePoint admin center (which, again, ordinary users don’t have access to). If there are nested groups inside one of these groups, you might have to track those down in one of the three admin centers mentioned. Finally, if you grant permissions to a group that has one user and one group inside it, the UI tells you that you’re granting permissions to two people, when in fact there could be hundreds of user accounts inside the nested group.

Hornetsecurity’s 365 Permission Manager thoroughly fixes these visibility problems, showing you all the users that have permissions to a site, folder, or file, as well as if those permissions are inherited from the site, or are unique to that object. It also surfaces external sharing, either where it has been shared with specific people outside your organization, or where an anonymous link has been created.

Another innovative feature is the ability to see SharePoint / OneDrive for Business sites “through the eyes” of a selected user – exactly which sites / folders / documents does this user account have access to? This is useful during a forensic investigation (what data did the attacker who compromised this account have access to?), insider risk cases (what’s the blast radius of this malicious employee?), and data governance (do our permissions match our data access policies?).

Permission Levels

SharePoint Online provides four levels of access permissions to folders and files: Owner, Can edit, Can view and Can’t download (view but not save files locally). However, SharePoint Server had, and still has, a more comprehensive model, with multiple built-in permission levels as well as the ability to create custom permission levels.

The first issue this leads to is that when you check the permissions granted on an object, the UI will “round off” to the closest permission level granted; Design, for example, is a legacy level that grants more permissions than Edit, but it is shown as Edit in the UI.

Much scarier, however, is the ability to create a custom permission level with the same name as a built-in one, such as “read”. This level could be granted every available permission (definitely not just read). Not only does this mean that a casual check of granted permissions would lead you to assume that a group or user only has read access, but if you do decide to investigate why there are two permission levels called read / Read, the UI will show you the built-in permission level, not your custom one: the URL in SharePoint isn’t case sensitive, so it resolves to the built-in level of the same name.
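As an added illustration (not the article’s or Microsoft’s code), the following script audits role definitions exported from a site for exactly this pattern: a custom level whose name collides case-insensitively with a built-in one, and a level whose name implies read-only access while its permission mask grants write or manage rights. The record shape follows the fields of the SharePoint REST roledefinitions response; the sample records, including the masks given to the built-in levels, are constructed.

```python
"""Audit SharePoint permission levels (role definitions) for misleading names.

Added example, not Hornetsecurity's or Microsoft's code. Records mirror the
fields of the SharePoint REST `_api/web/roledefinitions` response (Name,
RoleTypeKind, BasePermissions.High/Low); the sample records are constructed.
"""
from dataclasses import dataclass

# SPBasePermissions flag values (CSOM enum) that the report names explicitly;
# any other bits set in a mask are reported as a raw hex remainder.
KNOWN_RIGHTS = {
    0x1: "ViewListItems",
    0x2: "AddListItems",
    0x4: "EditListItems",
    0x8: "DeleteListItems",
    0x2000000: "ManagePermissions",
    0x40000000: "ManageWeb",
}
WRITE_BITS = 0x2 | 0x4 | 0x8 | 0x2000000 | 0x40000000
READ_ONLY_HINTS = ("read", "view")  # words in a level name that imply read-only


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    role_type_kind: int  # 0 = custom level; non-zero = built-in (2 Reader, 6 Editor, ...)
    high: int            # BasePermissions.High (upper 32 bits of the mask)
    low: int             # BasePermissions.Low (lower 32 bits of the mask)

    @property
    def mask(self) -> int:
        return (self.high << 32) | self.low

    @property
    def is_custom(self) -> bool:
        return self.role_type_kind == 0


def describe(mask: int) -> list:
    """Human-readable names for the rights set in a permission mask."""
    names = [name for bit, name in KNOWN_RIGHTS.items() if mask & bit]
    remainder = mask
    for bit in KNOWN_RIGHTS:
        remainder &= ~bit
    if remainder:
        names.append(f"other:0x{remainder:X}")
    return names


def audit_role_definitions(defs: list) -> list:
    """Flag custom levels that shadow a built-in name (compared case-insensitively,
    because the SharePoint URL lookup is not case sensitive) or whose name
    implies read-only access while the mask grants write or manage rights."""
    builtin_by_name = {d.name.lower(): d for d in defs if not d.is_custom}
    findings = []
    for d in defs:
        if not d.is_custom:
            continue
        shadowed = builtin_by_name.get(d.name.lower())
        extra = describe(d.mask & ~shadowed.mask) if shadowed else []
        implies_read_only = any(h in d.name.lower() for h in READ_ONLY_HINTS)
        write_rights = describe(d.mask & WRITE_BITS) if implies_read_only else []
        if shadowed or write_rights:
            findings.append({
                "name": d.name,
                "shadows": shadowed.name if shadowed else None,
                "extra_rights": extra,         # rights beyond the shadowed built-in level
                "write_rights": write_rights,  # write/manage rights despite a read-only name
            })
    return findings


# Constructed sample: two built-in levels with illustrative masks (not the exact
# tenant values), a custom "read" granting FullMask, and a custom "Viewers Plus".
SAMPLE_ROLE_DEFINITIONS = [
    RoleDefinition("Read", 2, 0x0, 0x1 | 0x20 | 0x40 | 0x10000 | 0x20000),
    RoleDefinition("Edit", 6, 0x0, 0xF | 0x20 | 0x40 | 0x800 | 0x10000 | 0x20000),
    RoleDefinition("read", 0, 0x7FFFFFFF, 0xFFFFFFFF),  # FullMask under a harmless name
    RoleDefinition("Viewers Plus", 0, 0x0, 0x1 | 0x4 | 0x20),
]

if __name__ == "__main__":
    for finding in audit_role_definitions(SAMPLE_ROLE_DEFINITIONS):
        print(finding)
```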

365 Permission Manager will surface these custom permission levels, bringing visibility and governance to your entire SharePoint Online estate. It also allows you to use built-in policies, or create customized ones, that you can apply across different types of sites. This then shows you where sites are deviating from your policy intent and allows you to remediate permissions with a single click.

Site vs Document Library Permissions

Another risk is that you can set custom permissions on the document library that are different from the overall site permissions.

Once granted, these permissions are visible when an audit is done, but they can’t be changed in the UI.

Example user whose permissions can’t be changed

Again, 365 Permission Manager will find these discrepancies, surface them as deviations from your policies, and prioritize their remediation in the handy To Do list.

Hidden Document Libraries

Normally a SharePoint site has a single Documents library, but you can create additional ones. Furthermore, you can hide a library from the site’s navigation (so no one else knows it is there), and you can remove everyone else’s permissions from it, granting only yourself access. This in effect creates an exfiltration channel, where the attacker can copy sensitive documents from the site into their custom document library, perhaps even returning on a regular basis to capture the latest versions of files, and then download them to their machine.
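To make two of these problems concrete, the nested-group miscount from the Visibility Gap section and the hidden, exclusively-permissioned library described here, the following is an added example (not Hornetsecurity’s or Microsoft’s code) that resolves nested groups to their effective user accounts and flags hidden libraries whose effective users do not include the site’s normal members. The group graph, library metadata and account names are constructed.

```python
"""Resolve nested SharePoint groups and flag hidden, exclusively-permissioned
document libraries.

Added example, not Hornetsecurity's or Microsoft's code. The membership graph
and library metadata below are constructed; in a real tenant they would come
from SharePoint group, Entra ID group and list metadata (SPList.Hidden,
HasUniqueRoleAssignments, RoleAssignments).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DocumentLibrary:
    title: str
    hidden: bool                       # SPList.Hidden: not shown in site navigation
    has_unique_role_assignments: bool  # inheritance from the site was broken
    grantees: tuple                    # principals (users or group names) with a role assignment


def effective_users(principal: str, groups: dict, _seen: Optional[set] = None) -> set:
    """All user accounts a principal resolves to, following nested groups.
    Groups may nest arbitrarily deep and may even contain each other, so
    visited groups are tracked to avoid infinite recursion."""
    if principal not in groups:
        return {principal}  # not a group name, so it is a user account
    seen = _seen if _seen is not None else set()
    if principal in seen:
        return set()        # cycle: this group is already being expanded
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= effective_users(member, groups, seen)
    return users


def displayed_vs_effective(group: str, groups: dict) -> tuple:
    """What the Manage Access dialog shows (direct members) versus the number of
    user accounts that actually receive the permission."""
    return len(groups[group]), len(effective_users(group, groups))


def find_exclusive_hidden_libraries(libraries: list, groups: dict,
                                    site_members_group: str) -> list:
    """Hidden libraries with unique permissions whose effective user set shares
    nobody with the site's normal members: the exfiltration pattern described
    above. Returns one record per flagged library."""
    members = effective_users(site_members_group, groups)
    findings = []
    for lib in libraries:
        if not (lib.hidden and lib.has_unique_role_assignments):
            continue
        users = set()
        for grantee in lib.grantees:
            users |= effective_users(grantee, groups)
        if users.isdisjoint(members):
            findings.append({"library": lib.title, "users": sorted(users)})
    return findings


# Constructed sample data: three nested groups (with a nesting loop) and three
# libraries, one of which is hidden and granted to a single account.
GROUPS = {
    "Finance Site Members": ["alice@example.com", "bob@example.com", "Finance Department"],
    "Finance Department": ["carol@example.com", "dave@example.com", "Finance Contractors"],
    "Finance Contractors": ["erin@example.com", "Finance Department"],  # loop back
}
LIBRARIES = [
    DocumentLibrary("Documents", False, False, ("Finance Site Members",)),
    DocumentLibrary("Archive", True, True, ("j.doe@example.com",)),
    DocumentLibrary("Templates", True, True, ("Finance Contractors",)),
]

if __name__ == "__main__":
    print(displayed_vs_effective("Finance Site Members", GROUPS))  # (3, 5)
    print(find_exclusive_hidden_libraries(LIBRARIES, GROUPS, "Finance Site Members"))
```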

Hidden Document library – only visible to the attacker

This is a huge risk in a compromised SharePoint site, and of course 365 Permission Manager will surface custom, hidden document libraries and their permissions for you to remediate.

There’s another very useful feature – the ability to revoke all access to SharePoint / OneDrive for Business data for an account. If you know that an account is compromised, manually revoking access across every location is extremely time consuming – 365 Permission Manager gives you a single button to do it.

To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.

Conclusion

As with many Microsoft technologies, the focus on backwards compatibility has proven to be a strength for enterprises for decades. Imagine an organization with a large investment in SharePoint Server on-premises, with thousands of busy sites and terabytes of data, migrating this to SharePoint Online: this compatibility is a requirement.

However, it also has scary security implications. The reality today is that many businesses might already be compromised, with bad actors exfiltrating their most precious intellectual property at will, with very little chance of discovery.

This is why any CISO who wants to apply comprehensive data governance to their SharePoint estate needs 365 Permission Manager.

 

I’ve been hacked! WHAT SHOULD I DO?

With Hornetsecurity’s 365 Permission Manager you can regain control of your SharePoint environment and protect your business immediately.

 

  • Remove User Access Feature: With a single click, the Offboarding feature in 365 Permission Manager allows you to revoke access and stop a hacker immediately. This immediate action can prevent further unauthorized access and potential data breaches.
  • The View as feature: Gain insight into what files a compromised user could access with the View as feature in 365 Permission Manager. This feature allows you to see SharePoint through a user’s eyes, helping you identify potential areas of unauthorized access and take corrective action.
  • Generate Reports for Forensics: Understanding the extent of a security breach is crucial for effective remediation and compliance. With 365 Permission Manager, you can generate detailed reports for forensics, showing exactly what files a user had access to and the full permissions inside all SharePoint sites and OneDrive for Business locations. This information is invaluable for identifying the scope of the breach, assessing the damage, and implementing necessary security measures to prevent future incidents.

FAQ

What are the primary security concerns associated with hidden permissions in SharePoint?

Hidden permissions in SharePoint pose significant security risks because they can allow unauthorized access without the knowledge of administrators or users. Key issues include:

  • Lack of Visibility: SharePoint’s permission settings can be complex and opaque, making it difficult to see who has access to what. This includes hidden groups and users whose permissions are not easily visible.
  • Custom Permission Levels: Custom permissions can be misleading. For example, a permission level named “read” might actually have full access rights, leading to potential security breaches if not properly managed.
  • Hidden Document Libraries: Attackers can create hidden document libraries with exclusive access, enabling them to exfiltrate data without detection. These hidden libraries are not easily visible in the SharePoint navigation, making them a significant risk.

How can 365 Permission Manager help mitigate the security risks in SharePoint?

365 Permission Manager provides several features to enhance security and governance in SharePoint:

  • Visibility Enhancement: It displays all users, groups, and permissions for sites, folders, and files, including inherited and unique permissions. This comprehensive visibility helps in identifying and addressing hidden access issues.
  • Permission Management: It surfaces custom permission levels and discrepancies, allowing administrators to standardize permissions according to policy. This reduces the risk of misconfigured access rights.
  • Access Control: The tool offers the ability to revoke all access for a compromised account with a single click, ensuring quick response to security incidents and preventing further unauthorized access.

How can Hornetsecurity help secure my SharePoint environment?

Hornetsecurity’s 365 Permission Manager enhances security by providing comprehensive visibility into all user permissions, managing and standardizing custom permission levels, and allowing for immediate revocation of access for compromised accounts. This ensures robust data governance and quick response to security incidents.

Cyber Kill Chain vs. MITRE ATT&CK: An Insightful Comparison

There are two challenges we in cybersecurity face when it comes to communicating what we do to the rest of the business (and the rest of the world). For many people, computers, networks, and information technology in general are opaque; most businesspeople know how to use tech to get their job done, but not how it works “under the hood”. Hacking that technology to subvert it for malicious purposes is another level of mystery.

Hollywood doesn’t help much either, with most on-screen depiction of hacking in movies and TV shows being radically different from reality (with the exception perhaps of Mr Robot).

The first challenge is communicating the technology and a basic understanding of how it works, to then show how it can be misused. The second challenge is imparting how the criminals carry out their attacks. Most people think a hack is just a single “thing” that happened – “we got hacked” and then all the bad stuff happened – when it’s actually a set of steps.

In this article we’ll look at two different frameworks that are used to communicate hacking processes, both to the wider business and within the cyber security community – the Cyber Kill Chain, and the MITRE ATT&CK framework. We’ll look at the advantages and challenges of each of them, how they compare and how you can use them to fortify your organization’s cyber defenses.

Meet the Cyber Kill Chain

This is the older of the two approaches, having its roots in military kill chains such as the Four F’s from the US military during World War II: Find the Enemy, Fix the enemy, Fight the enemy and Finish the enemy. A more modern version is F2T2EA: Find, Fix, Track, Target, Engage and Assess; it’s called a chain because an interruption at any step can stop the whole process.

Cyber Kill Chain

Not surprisingly, it was Lockheed Martin, a large military manufacturer in the US, that took this chain approach and transformed it into the Cyber Kill Chain, with seven steps (and a very different result at the end compared to the literal kill chains mentioned above):

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control (often shortened to C2)
  7. Actions on objectives

As a communication tool for showing business leaders that there are steps in an attack, and that you want budget to interrupt each step or make it more difficult for the criminals, this is a good approach.

Cyber security, after all, always comes down to business risk. When you put it in those terms, the CEO, CFO, and the board are more likely to pay attention. If you start talking about technical details, you’ll soon lose them, but business risk is something they’re used to dealing with, and cyber-attacks are just one of the many risks a business faces.

Be aware that attackers may not perform every step, depending on their goals, their target, and any changes along the way, and that “attackers” might refer to different sets of people: the early steps might be performed by an Initial Access Broker (IAB), who then sells the access to another group that actually runs the ransomware and negotiates the payment.

In step one, the attackers gather information about your company and any employees of interest. This could be cursory: if they’re simply after a company with enough turnover to pay a ransom, they might look at your financials and at whom to target with spear-phishing emails.

It could also be more in-depth: when the Scattered Spider group went after the helpdesk at the MGM casino, they knew a great deal about the staff they were impersonating, to ensure that the helpdesk would help them reset their credentials.

Step two is taking advantage of the reconnaissance to start exploiting a found weakness or packaging a payload, whereas step three is delivering the malicious bundle to the victims, via email, web, etc.

Once the initial foothold has been established (someone clicked the link in a malicious email, for example), step four runs the exploit to execute code on the victim’s system, which may then continue with step five, further installations on other systems. This is often called lateral movement, as the attackers continue exploiting systems in your network to gain full domain access.

They’ll also establish persistence (so they can come back in if you’re trying to expel them from your environment) and Command and Control (C2) in step six for covert communication with their external control systems. The final step, seven, involves the attackers springing their trap and encrypting all your files, after having corrupted your backup systems or perhaps exfiltrating all your sensitive data (or both).

The “other side” of the Cyber Kill Chain is the defensive actions your organization should take to deal with each phase:

  1. Detect – have sensors throughout your environment that trip when an attacker is present.
  2. Deny – control access and prevent information leakage.
  3. Disrupt – stop malicious processes and outgoing traffic to the attacker’s infrastructure.
  4. Degrade – counter-attack the attacker’s C2 systems.
  5. Deceive – interfere with the C2 infrastructure.
  6. Contain – use network segmentation so that a single breached system or identity doesn’t have full access to every other system on the network.

This approach does have its detractors, but as a conversation starter for looking at the different phases of an attack, and whether your organization has security controls in place to detect, disrupt and contain it, it’s a good start. It also leads neatly into the modern approach of Zero Trust:

  1. Assume breach – work on the assumption that attackers will gain access and work on detecting it, containing it, and disrupting it.
  2. Verify explicitly – authenticate and authorize both human and workload identities at each access point in the infrastructure.
  3. Use least-privilege access – only grant identities access to the systems, data, and applications they need to do their job.

The challenges with the Cyber Kill Chain are that it doesn’t work well for insider risks; that the first couple of steps happen outside of the defender’s control (unless you stop all staff from having LinkedIn profiles and posting anything, anywhere online); and that it’s quite focused on malware, whereas some attackers now use Living Off the Land methods, using only the built-in administrative utilities in the systems and thereby often avoiding detection.

The MITRE ATT&CK Framework

MITRE is a not-for-profit company that works for the common good in the areas of security writ large, but for this conversation we’ll focus on their Enterprise matrix (there’s also one for Mobile and one for Industrial Control Systems, ICS). The unusual acronym stands for Adversarial Tactics, Techniques and Common Knowledge, and the framework was initially released in 2013.

ATT&CK framework matrix

There are 14 tactics (the “why” of the attack):

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

And each of them has techniques (and sub-techniques), the “how” of an adversary, so while you can see some overlap with the simpler Cyber Kill Chain in the list above, this is much more comprehensive. I like to think of it as a common language we in the cyber security industry can use to communicate about different attack techniques. There’s also tracking of 143 threat groups and which Tactics, Techniques and Procedures (TTPs) they use.

As you can appreciate, the matrix encapsulates all the different techniques, making it a tool to ensure that you’ve got coverage “across the board” in your cyber security strategy. Here’s an example from one client, using the Microsoft Sentinel SIEM, showing analytics rule detection coverage across the techniques.

MITRE ATT&CK Technique Detection Coverage in a SIEM

Each technique is described in detail; here’s T1563, Remote Service Session Hijacking, in the Lateral Movement tactic, which has two sub-techniques (SSH Hijacking and RDP Hijacking), as an example. It has four mitigations that you can implement, and four detections that you can use to alert you if this is happening on your network. Most techniques also list procedures, which are the actual technical tasks applying that technique to a specific application or operating system.

Technique T1563 Remote Service Session Hijacking

While the matrix is very useful, it can be overwhelming with so many techniques and procedures. It’s also important to avoid thinking of the matrix as a long list of mitigations / detections – even if you have a “tick in every box” for every technique, you can still be compromised. Remember – “Attackers think in graphs, defenders think in lists” (John Lambert), so just implementing long lists of security controls isn’t the right approach; instead, use MITRE ATT&CK in the context of your business priorities and unique network environment to build cyber resilience.
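The coverage matrix shown above reduces to a simple computation: each analytics rule carries technique tags, and coverage is counted per tactic. The following added example (not code from the article, MITRE or Microsoft Sentinel) does that over a constructed subset of Enterprise ATT&CK that includes T1563 and its two sub-techniques, and makes explicit a judgement call the matrix hides: whether a detection for one sub-technique counts for its parent, or a parent-level detection counts for every sub-technique.

```python
"""Per-tactic detection coverage against a catalog of ATT&CK techniques.

Added example, not code from the article, MITRE or Microsoft Sentinel. The
catalog is a small constructed subset of Enterprise ATT&CK (real technique IDs),
and the rules are constructed analytics rules carrying technique tags, which is
the mapping a SIEM uses to draw a coverage matrix.
"""
from collections import defaultdict

# technique ID -> (name, tactics). Some techniques sit under several tactics
# (T1078); sub-techniques share the parent's prefix (T1563.001 / T1563.002).
CATALOG = {
    "T1566": ("Phishing", ("Initial Access",)),
    "T1078": ("Valid Accounts", ("Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion")),
    "T1059": ("Command and Scripting Interpreter", ("Execution",)),
    "T1021": ("Remote Services", ("Lateral Movement",)),
    "T1563": ("Remote Service Session Hijacking", ("Lateral Movement",)),
    "T1563.001": ("SSH Hijacking", ("Lateral Movement",)),
    "T1563.002": ("RDP Hijacking", ("Lateral Movement",)),
    "T1486": ("Data Encrypted for Impact", ("Impact",)),
}

# Constructed analytics rules: (rule name, technique tags).
RULES = [
    ("Sign-in after phishing link click", ["T1566", "T1078"]),
    ("Suspicious script interpreter launch", ["T1059"]),
    ("RDP session hijack", ["T1563.002"]),
    ("Mass file encryption activity", ["T1486"]),
]


def covered_techniques(rules, catalog, child_covers_parent=False,
                       parent_covers_children=False):
    """Technique IDs that have at least one rule. Whether a sub-technique
    detection should count for its parent (or a parent-level detection for every
    sub-technique) is a judgement call; both are off by default, so the default
    report is the conservative reading."""
    tagged = {t for _, tags in rules for t in tags if t in catalog}
    covered = set(tagged)
    for tech in catalog:
        parent, _, sub = tech.partition(".")
        if not sub:
            continue  # a parent technique; nothing to propagate
        if child_covers_parent and tech in tagged:
            covered.add(parent)
        if parent_covers_children and parent in tagged:
            covered.add(tech)
    return covered


def coverage_by_tactic(rules, catalog, **options):
    """{tactic: {"total": n, "covered": m, "gaps": [uncovered technique IDs]}}
    A technique listed under several tactics is counted once per tactic."""
    covered = covered_techniques(rules, catalog, **options)
    report = defaultdict(lambda: {"total": 0, "covered": 0, "gaps": []})
    for tech, (_, tactics) in catalog.items():
        for tactic in tactics:
            row = report[tactic]
            row["total"] += 1
            if tech in covered:
                row["covered"] += 1
            else:
                row["gaps"].append(tech)
    return dict(report)


if __name__ == "__main__":
    for tactic, row in coverage_by_tactic(RULES, CATALOG).items():
        print(f"{tactic:20} {row['covered']}/{row['total']}  gaps: {row['gaps']}")
```

With the defaults, Lateral Movement shows 1 of 4 techniques covered; counting the RDP Hijacking rule for its parent raises that to 2 of 4 without a single new detection, which is why the counting rule should be stated alongside any coverage percentage.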

Comparing the Cyber Kill Chain and MITRE ATT&CK

The two are related in that they describe the steps in different cyber-attacks, but they have different aims. The cyber kill chain is more generic and is an excellent introduction to the idea of hacking occurring in stages, and it’s a chain that you can interrupt with security controls. I find it very useful when communicating with non-IT and non-security people in business to get that basic understanding of the phases and how it works.

The ATT&CK matrix on the other hand is overwhelming for a non-technical audience (there are over 200 techniques) but is an excellent tool for understanding the technical steps attackers can take during a breach. And it can be used as a tool for evaluating coverage across the entire spectrum – “do we have detections for every technique in every tactic”, whilst not losing sight of the fact that even if you do, you may still be compromised.

It’s also interesting to see how these two fit into the larger landscape of regulatory frameworks that mandate certain cyber security controls, and other approaches such as the Center for Internet Security (CIS) benchmarks. CIS offers benchmarks for different operating systems, SaaS cloud services (including Microsoft 365) and IaaS / PaaS cloud platforms, and much more, for free.

These cover all the controls that you should implement as a baseline for security controls for that particular technology. Microsoft offers CIS benchmarks for both Azure and Microsoft 365 in their Compliance Manager app. And the upside is that if you implement all these controls you’ll have covered most, if not all, of the MITRE ATT&CK techniques.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

For beginners in cyber security, I recommend studying the MITRE ATT&CK framework; it’s like a common language for talking about different types of attacks.

I warmly recommend the free courses offered by AttackIQ, they’ve got one on Threat-Informed Defense which goes in detail on the MITRE ATT&CK framework. And use the Cyber Kill Chain phases when talking to the rest of the business.

Both have their place and are useful in their own right in helping you build a more cyber-resilient business.

FAQ

What is the main difference between MITRE ATT&CK and Cyber Kill Chain?

The Cyber Kill Chain is a useful communications tool when conveying cyber security concepts to non-technical people, and a basis for an overall IT security strategy for a business. MITRE ATT&CK, on the other hand, exhaustively lists every attack technique, grouped by tactics and mapped to different threat actors, allowing an organization to identify detection gaps.

What are the types of a cyber kill chain?

There are a few different versions of the Cyber Kill Chain, FireEye (now part of Mandiant, which is now part of Google) proposed their variant which also has seven steps but which focuses more on the persistence of threats, whereas the Unified Kill Chain has 18 unique phases and attempts to marry the best of the original Cyber Kill Chain and MITRE ATT&CK.

What are the types of MITRE frameworks?

Generally, when people mention MITRE ATT&CK they’re referring to the enterprise matrix, but there’s also one for Mobile and one for ICS. Furthermore, there’s the D3FEND matrix of cybersecurity countermeasures which is sort of the other side of the attack techniques, all the different controls that an organization can implement to mitigate the attacks outlined in ATT&CK.

Microsoft 365 Permissions and Copilot Security – a ticking time bomb for Security and Compliance

File sharing in business is one of those technologies that mostly happens “under the radar”. New SharePoint sites are spun up for projects or groups, or new Teams are created with lots of files shared.

This sharing can be both with internal users and external users. And mostly, no one thinks twice about it, until sensitive documents and data end up in the wrong hands.

In this article, we’ll look at the challenge of data governance, document sharing in Microsoft 365 and how it applies to compliance regulations and getting your business ready for Copilot for Microsoft 365 – all with the help of Hornetsecurity’s 365 Permission Manager.

The Dangers of Unmanaged File Permissions

As CISOs and IT admins know, file sharing, both with internal groups and with external collaborators, is designed to be as easy and frictionless as possible, to cater for the reality of the modern, mobile, collaborative digital workplace.

From a compliance point of view, however, this approach can be a ticking time bomb, plus there’s a new player on the scene that might accelerate the timer on that bomb: Copilot. Microsoft is keen to push the value of Copilot for Microsoft 365 (at $360 USD per user, per year; you can’t pay per month), and here’s the rub: Copilot has access to the same documents as the user has.

Remember Delve? That was Microsoft’s earlier technology for suggesting documents to you, created by people you collaborated with, that you might find valuable. Except sometimes businesses got a shock when they realized which documents were shared with different groups of people.

The Copilot situation is worse, because you won’t necessarily know which documents it has accessed to answer your prompt or create a new draft of a document for you.

Easy Sharing

Teams file sharing is possibly one of the most easily misunderstood avenues – when you share a file in a Teams channel, it’s actually stored in the team’s site in SharePoint. Whereas if you upload a file to a one-on-one or group chat, it’s stored in the Microsoft Teams Chat Files folder in your OneDrive for Business (which is actually a SharePoint site underneath the hood).

If you have a private channel, it gets its own, separate SharePoint site with a document library that only the members of the private channel have access to. So, the documents are all stored in various SharePoint sites, rather than in Teams itself.

And if you share a file with an external collaborator, depending on the settings your IT department has set in SharePoint online, this might send them an email with an invitation to create a guest account in your tenant.


If you’re a CISO, you’re probably concerned at this point. Business data is easily shared internally, possibly with staff that shouldn’t have access to it, and you have limited control over this sharing.

It’s also (likely) shared with external collaborators, and you don’t have a lot of insight into this sharing either. But you must tread carefully: a knee-jerk reaction of locking down file sharing completely, with no external sharing and tight default permissions for internal sharing, will just lead to users looking for an alternative way to get their job done.

Sensitive documents might then be shared via third party cloud storage, where you have even less visibility into the risks.

On the other hand, if you’re an IT admin, tasked with managing file sharing (on top of all your other duties) this can seem like an overwhelming challenge.

Where do you even begin? Even if you can produce reports on permissions granted, and files shared externally, you don’t know what’s oversharing and what’s legitimate business. You’ll have to work with various business departments to identify this, on a site-by-site basis.

Finally, if you’re an end user, understanding what control you have over sharing documents internally and externally (which will depend on the tenant’s configuration), and how you can inventory your own role in oversharing, is near impossible to do with the built-in tools.

Data Governance

Getting a handle on your current file-sharing situation using the built-in tools is challenging (in most businesses, sharing has been part of the landscape for so long that no one has the full overview to see just how bad it is).

Auditing hundreds of sites manually is impossible, and even scripting PowerShell reports to gather the data is difficult.

Certainly, take a look at your current settings and the options you have in the SharePoint admin center, which we covered in this article. But even if you tighten those settings today (they’re tenant-wide), they only apply to new sharing, not to existing shared sites and files.

Remember that one of the tenets of Zero Trust (and it has been around long before that) is least privilege access. In other words, only give users access to the data they need to do their job, no more. And keep this up to date as they change roles in the organization or are promoted.

This rarely happens; instead people keep their existing access and just accumulate more permissions. And inventorying exactly who has access to which documents is hard to do with the built-in tools.

Different regulations that you might have to comply with take varying approaches to controls around file sharing. In ISO 27001:2022, “Information security, cybersecurity and privacy protection”, there’s A.8.12 “Prevent the sharing of sensitive information within business communication platforms”, and under A.8.3 there’s “Block access to files for specific users” and “Create and manage access reviews”.

In HIPAA, the Health Insurance Portability and Accountability Act in the US, under § 164.308(a)(4) Standard: Access control, you have “Review user groups and applications with access to ePHI”, for example.

In the US, organizations doing business with the Department of Defense need to comply with CMMC, the Cybersecurity Maturity Model Certification, with a new version v2.0 in the works. Here, for example, SC.L2-3.13.16 has controls for data at rest, and AU.L2-3.3.1 covers system auditing.

As a last example, the CCPA, California Consumer Privacy Act, control 1798.150(a)(1) Data Security Breaches involves audit logging and Data Loss Prevention policies.

These are just a few examples. Depending on where your business is located, what vertical you’re in, and the type of data you store and process, different regulations will apply.

What’s common across many of them is that you not only must control access to data with least privilege access, and audit access, often with regular access reviews – you must also be able to demonstrate to an auditor that you’re doing so. It’s not enough to say you are, you must collect and present evidence for how you’re doing it.
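The two points above, inventorying who actually has access to which sites (including stale permissions left over from role changes) and producing evidence of a least-privilege access review, can be illustrated with the SharePoint Online Management Shell. The script below is an added example written for this article; it is not code from the original post and not part of 365 Permission Manager. TENANT in the URLs is a placeholder, the `$sample` inventory and `$approved` list are constructed data so the review step runs offline, and treating a `#ext#` login name as a guest account is a heuristic assumption, not a documented API contract.

```powershell
# Added example (not code from the original post, nor part of 365 Permission Manager):
# build a per-principal SharePoint Online access inventory with the SharePoint Online
# Management Shell (module Microsoft.Online.SharePoint.PowerShell), then compare it against
# an approved-access list to produce a least-privilege deviation report plus timestamped
# CSV files that can be handed to an auditor as access-review evidence.
# TENANT in the URLs is a placeholder; $sample and $approved below are constructed data.

# ---- Collection (needs a real tenant and SharePoint administrator rights) ----
function Get-SPOAccessInventory {
    param([string]$AdminUrl = 'https://TENANT-admin.sharepoint.com')  # placeholder admin URL
    Connect-SPOService -Url $AdminUrl
    foreach ($site in Get-SPOSite -Limit All) {
        foreach ($user in Get-SPOUser -Site $site.Url -Limit All) {
            [pscustomobject]@{
                SiteUrl           = $site.Url
                SharingCapability = [string]$site.SharingCapability   # external sharing setting of the site
                LoginName         = $user.LoginName
                IsGroup           = $user.IsGroup                      # security group granted access
                IsSiteAdmin       = $user.IsSiteAdmin
                Groups            = ($user.Groups -join ';')           # SharePoint groups the principal is in
                # Heuristic (assumption): B2B guest accounts carry '#ext#' in their login name.
                IsExternal        = ($user.LoginName -like '*#ext#*')
            }
        }
    }
}

# ---- Review (runs offline on any inventory, including the constructed sample below) ----
function New-Deviation($Entry, $Finding, $Reason) {
    [pscustomobject]@{
        SiteUrl    = $Entry.SiteUrl
        LoginName  = $Entry.LoginName
        Finding    = $Finding
        Reason     = $Reason
        ReviewedAt = (Get-Date).ToUniversalTime().ToString('o')   # evidence of when the review ran
    }
}

function Find-AccessDeviation {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,
        # $Approved maps SiteUrl -> @{ Admins = @(...); Members = @(...); AllowExternal = $bool },
        # agreed with the business owner of each site (the site-by-site review the text mentions).
        [Parameter(Mandatory)] [hashtable]$Approved
    )
    # A site nobody has reviewed yet is a finding in itself (one per site, not per principal).
    foreach ($url in ($Inventory.SiteUrl | Sort-Object -Unique)) {
        if (-not $Approved.ContainsKey($url)) {
            New-Deviation ([pscustomobject]@{ SiteUrl = $url; LoginName = '' }) 'NoApprovedAccessRecord' 'Site has no approved-access record; business owner review required'
        }
    }
    foreach ($entry in $Inventory) {
        $rule = $Approved[$entry.SiteUrl]
        if (-not $rule) { continue }
        if ($entry.IsExternal -and -not $rule.AllowExternal) {
            New-Deviation $entry 'ExternalOnRestrictedSite' 'Guest account has access to a site where external sharing is not approved'
        }
        if ($entry.IsSiteAdmin -and ($entry.LoginName -notin $rule.Admins)) {
            New-Deviation $entry 'UnapprovedSiteAdmin' 'Site collection administrator is not on the approved admin list'
        }
        if (($entry.LoginName -notin $rule.Admins) -and ($entry.LoginName -notin $rule.Members)) {
            New-Deviation $entry 'UnapprovedAccess' 'Access not on the approved list: accumulated or stale permission (e.g. after a role change)'
        }
    }
}

# Constructed sample inventory (not real tenant data), in the shape Get-SPOAccessInventory emits.
$sample = @(
    [pscustomobject]@{ SiteUrl='https://TENANT.sharepoint.com/sites/Finance';  SharingCapability='Disabled'; LoginName='alice@TENANT.onmicrosoft.com'; IsGroup=$false; IsSiteAdmin=$true;  Groups='Finance Owners';  IsExternal=$false }
    [pscustomobject]@{ SiteUrl='https://TENANT.sharepoint.com/sites/Finance';  SharingCapability='Disabled'; LoginName='bob@TENANT.onmicrosoft.com';   IsGroup=$false; IsSiteAdmin=$false; Groups='Finance Members'; IsExternal=$false }
    # Carol moved from Finance to Marketing but kept her membership: a stale permission.
    [pscustomobject]@{ SiteUrl='https://TENANT.sharepoint.com/sites/Finance';  SharingCapability='Disabled'; LoginName='carol@TENANT.onmicrosoft.com'; IsGroup=$false; IsSiteAdmin=$false; Groups='Finance Members'; IsExternal=$false }
    # A guest invited to a site whose owner never approved external access.
    [pscustomobject]@{ SiteUrl='https://TENANT.sharepoint.com/sites/Finance';  SharingCapability='Disabled'; LoginName='pat_partner.example#ext#@TENANT.onmicrosoft.com'; IsGroup=$false; IsSiteAdmin=$false; Groups='Finance Visitors'; IsExternal=$true }
    [pscustomobject]@{ SiteUrl='https://TENANT.sharepoint.com/sites/Projects'; SharingCapability='ExternalUserSharingOnly'; LoginName='dave@TENANT.onmicrosoft.com'; IsGroup=$false; IsSiteAdmin=$true; Groups='Projects Owners'; IsExternal=$false }
)
$approved = @{
    'https://TENANT.sharepoint.com/sites/Finance' = @{
        Admins = @('alice@TENANT.onmicrosoft.com'); Members = @('bob@TENANT.onmicrosoft.com'); AllowExternal = $false
    }
    # No record for /sites/Projects: it surfaces as NoApprovedAccessRecord.
}

$findings = Find-AccessDeviation -Inventory $sample -Approved $approved
$findings | Format-Table SiteUrl, LoginName, Finding -AutoSize

# Evidence bundle for the auditor: the findings and the inventory they were derived from, both timestamped.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$findings | Export-Csv -Path "access-review-findings-$stamp.csv" -NoTypeInformation
$sample   | Export-Csv -Path "access-review-inventory-$stamp.csv" -NoTypeInformation
```

On the constructed sample, the review flags Carol’s leftover Finance membership, the guest account on a site with no approved external access (twice: as a guest and as an unlisted principal), and the Projects site that has no approved-access record at all. Against a live tenant, replace `$sample` with the output of `Get-SPOAccessInventory` and keep the exported CSVs with each review cycle; the dated files are exactly the kind of evidence the regulations above ask you to present. Note that the script reports only; remediation (removing the stale membership, removing the guest) is a separate, reviewed step.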

365 Permission Manager

What’s needed is a scalable tool that can span large tenants with thousands of SharePoint sites, that is easy to use, and that gives you a centralized management interface to apply policies, find deviations from them, and remediate over-permissioned access in bulk.

We looked at the basics of how 365 Permission Manager works here and this great video animation shows it visually. Instead of having to visit several different portals in Microsoft’s native tools, an IT administrator has a single console, and a single most important page – the To Do list.

This lists all the violations of the policies applied to every SharePoint Online site and lets you remediate in bulk, as well as grant exceptions when there’s a business justification.

To-do list – the IT administrator’s best friend

There are a number of built-in compliance policies that you can apply to SharePoint sites, and you can also create your own customized ones.

This is a fundamental difference between the native approach and 365 Permission Manager. Instead of having a single tenant-wide default for all sites that you must then further customize for each site, you apply a policy to each site from a library that you have adapted to your business.

The concerned CISO we mentioned above is going to love the three reports that show Full Site Permissions, User & Group Access and External Access.

And end users are also involved, receiving regular emails if their sites are violating policy, with links to 365 Permission Manager to remedy issues.

End user email notification

365 Permission Manager was initially built at Hornetsecurity to manage our own SharePoint file sharing challenges, and our CISO, Olaf Petry, loves having such a powerful tool, saying:

It is critical for a CISO to effectively oversee the company’s strategy and programs to ensure adequate protection of information assets and technologies, and yet this process can be very complicated. My peers often discuss what a great pain point it is for them. Hornetsecurity’s new 365 Permission Manager will set CISOs’ minds at rest by enabling security and compliance managers and administrators to efficiently and easily control Microsoft 365 permissions, and help prevent critical data from getting into the wrong hands.

The ability to enter a username and see exactly what sites and documents a user has access to also really helps with preparing for an audit.

To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.

Conclusion

Whether you’re working towards compliance with a regulation, preparing your business for users with Copilot for Microsoft 365 or just want to make sure sensitive data isn’t shared too widely, the answer is simple – 365 Permission Manager.

FAQ

What are the risks associated with unmanaged file permissions in Microsoft 365?

Unmanaged file permissions pose a significant risk to data security and compliance. While file sharing is designed to facilitate collaboration, it can lead to sensitive documents ending up in the wrong hands. With the introduction of Copilot for Microsoft 365, the risks are further exacerbated, as it has access to the same documents as users, potentially compromising data privacy.

How does Teams file sharing contribute to data governance challenges?

Teams file sharing, although convenient, adds complexity to data governance efforts. Files shared in Teams channels are stored in SharePoint sites, while those uploaded to chats are stored in OneDrive for Business. Managing permissions for these shared files, especially when collaborating with external users, can be daunting for IT administrators, leading to oversight and potential data breaches.

How can businesses address data governance and compliance issues related to file sharing?

To address data governance and compliance challenges, businesses need effective tools like Hornetsecurity’s 365 Permission Manager. This tool offers centralized management of SharePoint permissions, allowing administrators to apply policies, identify violations, and remediate over-permissioned access. It provides customizable compliance policies, comprehensive reports, and end-user notifications to ensure data security and regulatory compliance.

Cyber Insurance: A Shield for Your Business in the Digital Age

In an increasingly interconnected world, where businesses rely heavily on technology, the risk of cyberattacks is ever-present.

As cybercriminals continue to evolve and become more sophisticated, the need for robust cybersecurity measures is greater than ever. Cyber insurance has emerged as a vital tool to protect your company from the financial and reputational fallout of a cyber incident.

In this article, we’ll explore why companies should consider taking out cyber insurance and how 365 Total Protection can make this process even more advantageous.

The Evolving Cyber Threat Landscape

The digital age has brought about a myriad of opportunities for businesses, but it has also given rise to new and constantly evolving risks. Cyberattacks, including data breaches, ransomware attacks, and phishing scams, are becoming more prevalent, targeting organizations of all sizes.

As a result, companies face the risk of financial loss, legal liability, and damage to their reputation.

The Case for Cyber Insurance

Here are compelling reasons why your company should strongly consider cyber insurance as part of its risk management strategy:

  1. Financial Protection: Cyber insurance covers the financial costs associated with a cyber incident, including expenses for investigating and mitigating the breach, notifying affected parties, and recovering lost data.
  2. Legal Liability: In the event of a data breach, your business may be liable to customers, suppliers, and partners due to data protection law violations. Cyber insurance can help cover legal expenses and compensation.
  3. Business Continuity: A cyber incident can disrupt your business operations, resulting in revenue loss. Cyber insurance can provide financial compensation to help your company maintain its stability during and after an attack.
  4. Assistance Services: Many cyber insurance policies offer assistance services, such as access to IT security experts, crisis PR specialists, and data protection lawyers. These professionals act as an extension of your team in navigating the complex aftermath of an attack.
  5. Data Protection: Cyber insurance can also cover the costs associated with the loss, misuse, or compromise of physical and electronic data, ensuring that your valuable information is safeguarded.

The Challenges of Cyber Insurance

While the benefits of cyber insurance are evident, it’s essential to acknowledge the challenges that come with it. To give some perspective: The global cyber insurance market reached $7.8 billion in 2020 and is expected to grow to $20 billion by 2025.

In recent years, the cyber insurance landscape has seen premiums rise globally by an average of 20% per year, driven by the increasing frequency and severity of cyberattacks. Insurers are also imposing higher minimum IT security requirements on policyholders. These changes can be particularly burdensome for small and medium-sized businesses.

The 365 Total Protection Advantage

To help our customers overcome these challenges and secure comprehensive cyber insurance on favorable terms, we’ve partnered with Hiscox, a leading cyber insurance company in Germany. This partnership offers special conditions exclusively for Hornetsecurity customers using 365 Total Protection or any of its components. The special conditions include:

  • Discount on Premiums: Enjoy a discounted insurance premium, ensuring cost-effective coverage for your business.
  • Reduced Deductible: Benefit from a lower deductible, making it more manageable in the event of a claim.
  • Higher Indemnity Limit: Receive a higher indemnity limit to cover potential losses during a business interruption.
  • Simplified Application Process: We’ve streamlined the application process for our customers. All you need is proof that you are using 365 Total Protection or just one of its included services, making the process hassle-free.

Conclusion

As the digital landscape continues to evolve, the importance of protecting your business from cyber threats cannot be overstated.

Cyber insurance is a critical tool that provides financial protection, legal assistance, and peace of mind in the face of cyber incidents.

With our partnership with Hiscox, 365 Total Protection customers can enjoy special conditions, making the process of obtaining cyber insurance more advantageous than ever before.

Don’t wait until a cyber incident threatens your business – take proactive steps to safeguard your digital assets and secure comprehensive cyber insurance.

Reach out to us today to learn more about the exclusive benefits of our cooperative agreement with Hiscox and how 365 Total Protection can help you protect your company in the digital age.

Learn more about 365 Total Protection and request a free trial: https://www.hornetsecurity.com/en/services/365-total-protection-compliance-and-awareness/

FAQ

What is cyber insurance, and why do businesses need it?

Cyber insurance is a type of insurance that helps protect businesses from financial losses resulting from cyberattacks and data breaches. It can cover costs associated with data recovery, legal fees, and reputation management. As cyber threats continue to evolve, businesses need this insurance to mitigate the financial impact of potential cyber incidents.

What types of cyber threats does cyber insurance typically cover?

Cyber insurance policies can vary, but they often cover a wide range of cyber threats, including data breaches, ransomware attacks, DDoS attacks, social engineering, and insider threats. Some policies, like Hiscox’s, may also cover third-party liability, such as claims from affected customers or partners.

What factors influence the cost of cyber insurance?

The cost of cyber insurance can vary based on several factors, including the size and industry of the business, its cybersecurity practices, the amount of coverage needed, and the location of the company. Companies with strong cybersecurity measures in place may pay lower premiums than those with weaker protections.

Does cyber insurance cover the full cost of a cyberattack?

Cyber insurance policies typically do not cover the full cost of a cyberattack. They provide coverage up to the policy limit, and there may be deductibles or waiting periods before coverage kicks in. It’s essential for businesses to carefully review their policy terms and limits to ensure they have adequate coverage.

Can small businesses benefit from cyber insurance?

Yes, cyber insurance is not limited to large corporations. Small businesses are often more vulnerable to cyber threats due to limited resources for cybersecurity. Cyber insurance can help them recover from the financial impact of an attack and provide peace of mind. Many insurance providers offer policies tailored to the specific needs of small businesses.