SOCLY.io – Compliance-as-a-service

Categories
Uncategorized

Cybersecurity compliance: A necessity for your business

No business is entirely immune to cyberattacks in this era of digitisation. At least 30,000 websites are hacked daily worldwide, with over half of cybercrimes committed against small to mid-size businesses. While 51% of SMEs do not have cybersecurity measures in place, thinking they are “too small” to get hacked, the average ransom paid by mid-sized organisations in 2021 was $170,404.

Complying with cybersecurity standards has become paramount in determining an organisation’s ability to protect data, prevent financial penalties, build consumer trust, and develop a security culture. Remote working during the Covid-19 pandemic coincided with a 75% spike in daily cybercrime; the pandemic was a factor in 55% of data exfiltration, 51% of phishing emails, and 35% of ransomware attacks. Consequently, small and medium-sized businesses (SMBs) are increasingly vulnerable to cyber threats because of their laxity in adopting security policies in the pandemic’s aftermath. Breaches of Personally Identifiable Information (PII), financial information, or Protected Health Information (PHI) can cost the organisation its reputation and cause financial loss. Thus, adhering to regulatory standards and protecting the Confidentiality, Integrity, and Availability (CIA) of information is necessary.

Benefits of Cybersecurity Compliance for your business

Cybersecurity compliance involves aligning an organisational risk management framework with pre-defined security measures to implement a systematic risk governance approach and address potential vulnerabilities that may affect the company, its customers, and its stakeholders. Meeting the data security standards of SOC 2, ISO 27001, PCI-DSS, HIPAA, CCPA and other major regulatory frameworks helps your business identify, interpret, and combat cyber threats and protect your intellectual property, earning consumer confidence and loyalty. The multi-faceted benefits of developing a resilience-focused, “prescriptive” security posture for your organisation are as follows.

Improves data management capabilities

Businesses should store sensitive client information on secured digital platforms to protect privacy. Data held in the organisation’s existing software infrastructure or in cloud-based solutions must be accessible only to authorised administrators. Integrating data management capabilities with cybersecurity tools helps prevent unauthorised access, malware attacks, and data breaches while ensuring the confidentiality and integrity of the data.

Promotes operational efficiency

Organisations using security technologies can manage excess data, expose privacy loopholes, identify wasted assets, deploy new resources to improve operational efficiency, and reduce unnecessary data usage by eliminating noise and focusing on what matters. Investing in cybersecurity programs strengthens the overall organisational infrastructure and helps close the vulnerabilities that attract hostile actors.

Facilitates industry-standard practices

Adopting security practice standards helps your organisation’s IT team, compliance officers, and supervisors assess risks, diminish errors within the processes, avoid misinterpretations, and make relevant decisions with a simplified and optimised workflow. Such unified cybersecurity policies make B2B and B2C service transactions more customer-centric and fulfil user expectations while saving valuable resources.

Prevents fines and penalties

Failure to comply with the applicable security regulations can incur hefty financial penalties for businesses. Almost all regulatory authorities impose costly penalties on organisations that do not maintain strict corporate governance and consumer protection policies. HIPAA charges $100 to $50,000 per violation of its security norms, while the Payment Card Industry Data Security Standard (PCI-DSS) penalises the organisation with fines of between $5,000 and $100,000 per month.

Builds security culture

A Verizon 2022 report says 85% of data breaches in organisations involve a human element. While external cloud assets encounter the most malicious intrusions, passwords and credentials are the most sought-after data types in cyberattacks. Thus, developing a security culture across departments and workflow management systems helps employees adopt safe digital practices and refrain from risky behaviour. Organisations with a robust security framework train their employees with the skills and knowledge to identify security breaches and follow appropriate measures to protect sensitive data.

Develops consumer trust and brand reputation

The cost of the threat posed by cyberattacks and data breaches is not limited to business interruption and financial loss. A lack of effective cybersecurity protocols irreversibly damages your brand reputation and repels consumers: 78% of consumers stop engaging digitally with a brand that has suffered a data breach, while 36% turn away entirely. Consumers prefer to put their trust in businesses that maintain cybersecurity compliance and protect confidentiality effectively. Strong security governance portrays your business as trustworthy and builds consumer confidence and brand image.

The bottom line

Besides malware, ransomware, and phishing attacks, businesses must also watch out for tech support fraud, identity theft attempts, social engineering attacks, and other sophisticated threats. The digital world witnesses a cyberattack every 44 seconds, each of which impairs business performance and incurs a financial loss. Thus, developing a comprehensive cybersecurity foundation that complies with the standard regulatory protocols is necessary to promote operational efficiency, prevent fines and penalties, protect confidential data, and gain consumer trust.

Times of India: https://timesofindia.indiatimes.com/blogs/voices/cybersecurity-compliance-a-necessity-for-your-business/



Facebook Parent Meta Fined $276 Million in Europe for Data-Scraping Leak

Another leak, another hefty fine. Meta has been in the news for many things in recent times, but this news about the leakage of more than half a billion users’ phone numbers and other information is horrific! Become compliant now, avoid being fined, and worse, losing the trust of your clients!

A top European regulator fined Facebook owner Meta Platforms Inc. 265 million euros, equivalent to about $276 million, for not better safeguarding more than half a billion users’ phone numbers and other information from so-called data scrapers.

The fine issued Monday by Ireland’s Data Protection Commission, Meta’s main privacy regulator in the European Union, is the latest indication of how authorities in the region are becoming more aggressive in applying the bloc’s privacy law to large technology companies.

Monday’s decision is the third time Ireland has fined Meta and its subsidiaries, including WhatsApp and Instagram, in a privacy case over the past 15 months, bringing the combined financial penalties to the equivalent of more than $900 million. The other cases relate to Instagram’s handling of children’s data and WhatsApp’s transparency about how it handles user information. Meta is appealing those decisions.

A Meta spokesman said the company will review Monday’s decision and hasn’t yet decided whether it intends to appeal. “Unauthorized data scraping is unacceptable and against our rules,” he said.

Monday’s fine stems from disclosures in the spring of 2021 that a hacker had published personal phone numbers and other profile information of more than 530 million Facebook users. In response, Meta said the information stemmed from mass “scraping” of public profiles that it said it had discovered and halted in 2019. 

The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users. On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.

In its action Monday, Ireland’s Data Protection Commission—which leads enforcement of the EU’s privacy law for Meta because the company has its regional headquarters in Dublin—said the company hadn’t taken sufficient technical and organizational steps to prevent such a leak. In addition to the fine, the regulator ordered Meta to change its systems to make such a leak less likely. For instance, default settings should be changed so a user’s personal information can’t potentially be shared with an unlimited number of people, the regulator said.

Meta says it has since made multiple changes to better safeguard users’ data.

The EU is tightening regulation of big tech companies. The bloc has passed, and is starting to apply, two new laws to big tech companies—one aimed at limiting potentially anticompetitive conduct, and another that requires them to show they have robust content-moderation systems.

Tech companies are currently in talks with the European Commission, the EU’s executive arm, to determine which provisions of each new law will apply to the specific services they operate, the companies and EU officials say. Elements of the new laws are due to start being enforced in the middle of next year.

The bloc’s privacy law, the General Data Protection Regulation, or GDPR, has been enforced for nearly five years but is only now generating a series of decisions with big fines or significant business implications.

Ireland’s privacy regulator says it has several dozen more ongoing cases involving multiple big tech companies. They include one looking at whether Meta can force users to accept ads targeting them based on their behavior as a condition of using the service, and another about whether some of the standard plumbing of digital-ad auctions complies with EU law.


SOCLY.io for Singapore – Presenting at Cyber Security World, Asia, Marina Bay Sands this October 12-13.

Cyber Security World Singapore, Asia’s most exciting cybersecurity event, returns for its 8th edition on 12th–13th October 2022 at Marina Bay Sands, Singapore.

The award-winning event connects cybersecurity professionals and business leaders with experts, solutions, and services to help accelerate digital transformation plans.

SOCLY.io is excited to announce “SOCLY.io for Singapore” at the event. We shall be presenting at stall E-4 for 2 days. Our Captain Manoj Kumar Shastrula is also a distinguished speaker at the event on “Business Value of Security without Attestations is ZERO”.

The CyberSec event is a great place to look at 500+ innovative solutions, and we, with one of the most unique solutions at the event, are sure to be a show-stopper. Come and learn about Security and Data Compliance and how we can help you. Tech Week in Singapore is live, with one of the biggest events happening at Marina Bay Sands this October 12-13. It’s a culmination of 7 events, namely “write the list”. Looking forward to seeing you there.



SOCLY.io is named “Tech Startup of the Year-Security” by the prestigious The Entrepreneur.

SOCLY.io has been named “Tech Startup of the Year-Security” at the prestigious Entrepreneur Awards 2022, held at the JW Marriott, Aerocity, Delhi.

For a 14-month-old startup, this is a big feather to have in its cap so early in its journey.

This award is a testament to our underlying passion to disrupt the entire compliance industry and build a brand that stands on real-time accuracy, as we aspire to become mavericks of automated Security Compliance in the years to come.

Shout out to the entire team of SOCLY.io for their relentless passion. This is for everyone who played a part in our journey.


Entrepreneur Annual Conclave 2022

Entrepreneur Annual Conclave 2022 is the flagship annual event of Entrepreneur Media which will be held on 20th-21st September. It is the final destination for entrepreneurs, investors, disruptors and innovators where they discuss, debate and dissect what the future holds in a vibrant atmosphere. In its Ninth Edition, Entrepreneur Media brings together the Movers and Shakers of India and Asia Pacific.

Entrepreneur India is a monthly business magazine targeted at Indian business owners and entrepreneurial enthusiasts. It is published by Entrepreneur India Media Pvt. Ltd., a joint venture between Entrepreneur Media, USA’s business magazine for entrepreneurs, and Franchise India, an Indian company providing integrated franchise solutions since 1999 in various Asian countries. Entrepreneur India Media publishes the Entrepreneur magazine in India, as well as hosting the Entrepreneur website in the country.

The magazine was relaunched in India in July 2015 by Entrepreneur India Media for Indian readers interested in business and entrepreneurial stories and information.

Below are the major publications of Entrepreneur India Magazine

Catch up with the team of SOCLY.io at stall No. E6.

Route Map –


Beneath the surface of a cyberattack: Collision avoidance

The business application of cyber risk quantification

Figure 1. Fourteen cyber breach impact factors

Above the surface (better-known cyber incident costs):
  • Technical investigation
  • Citizen or customer breach notification
  • Post-breach citizen or customer protection
  • Regulatory compliance
  • Public relations
  • Attorney fees and litigation
  • Cybersecurity improvements

Beneath the surface:
  • Insurance premium increases
  • Increased cost to raise debt
  • Impact of operational disruption or destruction
  • Lost value of customer relationships
  • Value of lost contract revenue
  • Devaluation of trade name
  • Loss of intellectual property
  • National security / impact to the economy [1]


Instagram fined €405m over children’s data privacy

The long-running complaint concerned children’s data – particularly their phone numbers and email addresses.

Some reportedly upgraded to business accounts to access analytics tools such as profile visits, without realising this made more of their data public.

Instagram’s owner, Meta, said it planned to appeal against the decision. It is the third fine handed to the company by the regulator.

“We adopted our final decision last Friday and it does contain a fine of €405m [£349m],” Ireland’s Data Protection Commissioner (DPC) said.

‘Engaged fully’

A Meta official told BBC News: “This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private.


“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post and adults can’t message teens who don’t follow them.

“While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.

“We’re continuing to carefully review the rest of the decision.”

‘Major breach’

The DPC regulates large technology companies with European headquarters in the Republic of Ireland.

It has never given such a large fine for a breach of the European Union’s General Data Protection Regulation.

But last year, it fined WhatsApp €225m, while Luxembourg’s data authority fined Amazon a record €746m.


National Society for the Prevention of Cruelty to Children (NSPCC) child-safety-online policy head Andy Burrows said of Instagram’s fine: “This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram.

“The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online.

“It’s now over to the new prime minister to keep the promise to give children the strongest possible protections by delivering the Online Safety Bill in full and without delay.”


Incident Report: Employee and Customer Account Compromise

Twilio believes that the security of our customers’ data is of paramount importance, and when an incident occurs that might threaten that security, we communicate what happened in a transparent manner. To that end, we are providing an overview of this incident impacting customer information and our response.

What happened?

On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data. We continue to notify and are working directly with customers who were affected by this incident. We are still early in our investigation, which is ongoing.

More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including “Twilio,” “Okta,” and “SSO” to try to trick users into clicking a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.

Sample SMS phishing messages: [two screenshots, not reproduced in this text version]

We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs. Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.

Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions. We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts. Socially engineered attacks are — by their very nature — complex, advanced, and built to challenge even the most advanced defenses.
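The report above describes the lure (an expired password or a changed schedule) and the link pattern (a hostname carrying “Twilio”, “Okta” or “SSO” that is not the real sign-in domain). The following triage script is an added example, not Twilio’s code: it runs that description as detection logic over constructed sample messages. The trusted-domain list, the `.example` hostnames and the sample texts are assumptions made up for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only domains employees should sign in to.
TRUSTED_DOMAINS = {"twilio.com", "okta.com"}
# Brand/SSO words the report says appeared in the phishing hostnames.
BRAND_KEYWORDS = ("twilio", "okta", "sso")
# Pretexts matching the text bodies described in the report.
LURE_PATTERNS = (
    re.compile(r"password\w*\s+(?:has|have)?\s*expired", re.I),
    re.compile(r"schedule\s+(?:has\s+)?changed", re.I),
)
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)


def registrable_domain(host):
    """Last two DNS labels ('www.twilio.com' -> 'twilio.com').
    Good enough for .com/.io/.net; a public-suffix list is needed for co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_hosts(text):
    """Hostnames of every URL in an SMS body, trailing punctuation removed."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url          # bare 'www.' links
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def classify_sms(text):
    """Return (verdict, reasons). 'phishing' when a lookalike host is present,
    'suspicious' when only a credential pretext is present, else 'benign'."""
    reasons = []
    lure = any(p.search(text) for p in LURE_PATTERNS)
    if lure:
        reasons.append("pretext: password expiry / schedule change")
    lookalike = False
    for host in extract_hosts(text):
        if registrable_domain(host) in TRUSTED_DOMAINS:
            continue                       # real sign-in domain, allowed
        hits = [k for k in BRAND_KEYWORDS if k in host.lower()]
        if hits:
            lookalike = True
            reasons.append(f"lookalike host {host} contains {'/'.join(hits)}")
        elif lure:
            reasons.append(f"untrusted host {host} with credential pretext")
    if lookalike:
        return "phishing", reasons
    if lure:
        return "suspicious", reasons
    return "benign", reasons


# Constructed sample messages (not the real ones from the incident).
SAMPLES = [
    "IT: your Twilio password has expired. Log in at https://twilio-sso.example/login to keep access.",
    "Your schedule has changed, review it at http://okta-twilio.example/schedule",
    "Reminder: sign in at https://www.twilio.com/login to review the new policy.",
    "Lunch at noon? https://example.org/menu",
    "Your passwords have expired. Reply to reset.",
]


def triage(messages):
    return [classify_sms(m) for m in messages]


if __name__ == "__main__":
    for text, (verdict, reasons) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:10} {text}")
        for r in reasons:
            print(f"           - {r}")
```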

What have we done?

Once Twilio confirmed the incident, our security team revoked access to the compromised employee accounts to mitigate the attack. A leading forensics firm was engaged to aid our ongoing investigation.

We have reemphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.

As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details. If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack.

Trust is paramount at Twilio, and, we know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened. While we maintain a well-staffed security team using modern and sophisticated threat detection and deterrence measures, it pains us to have to write this note. We will of course perform an extensive post-mortem on this incident and begin instituting betterments to address the root causes of the compromise immediately. We thank you for your business, and are here to help impacted customers in every way possible.

Next steps

The Twilio Security Incident Response Team will post additional updates here if there are any changes. Also note that Twilio will never ask for your password or ask you to provide two-factor authentication information anywhere other than through the twilio.com portal.


Status Update – August 10, 2022

As a follow-up to our communication regarding the ongoing social-engineering phishing scam that has targeted numerous companies recently, Twilio is continuing its investigation. Security and trust are our top priority as we gather more information. At this time, we can share the following updates:

  • We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them
  • There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization

Our information security team has been working diligently to share details about the attack with impacted customers. If a customer has not been contacted by Twilio, then it means that there is no evidence that their account was impacted by this attack. Our investigation is still ongoing, and if we identify any additional customers that were impacted, our information security team will reach out to them directly. Due to the ongoing and sensitive nature of the investigation, we are not providing further details publicly.

The malicious actors continue to launch social-engineering attacks. However, we have instituted a number of additional measures internally to protect against these attacks, including hardening our security controls at multiple layers.

We are very disappointed and frustrated about this incident. Trust is paramount at Twilio, and we recognize that the security of our systems and network is an important part of earning and keeping our customers’ trust. We are committed to learning from this incident and continuing to improve our processes.

We will maintain continuous communication with impacted customers as we move forward with our investigation.


Status Update – August 24, 2022

As we are continuing our investigation and gathering more information, we can share the following update:

After having instituted a number of targeted security enhancements internally, we have not observed any additional instances of unauthorized access to accounts since our last update.

To date, our investigation has identified 163 Twilio customers – out of a total customer base of over 270,000 – whose data was accessed without authorization for a limited period of time, and we have notified all of them.

In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users – out of a total of approximately 75 million users – and registered additional devices to their accounts. We have since identified and removed unauthorized devices from these Authy accounts. Twilio purchased Authy in 2015 and various elements of Twilio’s platform support the functionality of Authy.

We have contacted the 93 Authy users and provided them with additional guidance to protect their account, based on industry-accepted practices:

  • Review any linked account(s) for suspicious activity and work with their account provider(s) if they have any concerns.
  • Review all devices tied to their Authy account and remove any additional devices they don’t recognize.
  • To prevent the addition of unauthorized devices, we recommend that users add a backup device and disable “Allow Multi-device” in the Authy application. Users can re-enable “Allow Multi-device” to add new devices at any time. Specific steps can be found here.

Trust is paramount at Twilio, and we recognize that the security of our systems and network is an important part of earning and keeping our customers’ trust. As we continue our investigation, we are communicating with impacted customers to share information and assist in their own investigations. We will update this blog with more information as it becomes available.

Privacy Policy

Last updated: 8 November 2022

This privacy policy (“Policy”) explains how Socly Solutions Private Limited or any of its affiliates or subsidiaries (hereby collectively referred to as “SOCLY.io”, “We”, “Us”, “Our”) Processes Personal Data collected from You. This Privacy Policy applies to all the clients and employees of the organization.

Personal data collected by us

You directly provide Us with most of the data We collect. We collect Personal Data from You directly when You subscribe to any of Our Service(s) by agreeing to the Terms of Service; We then collect sign-up and account information including Your name, phone number and e-mail address. We may also receive Your Personal Data indirectly, as follows: from third-party sources like marketing lists, databases and social media, but only where We have checked that these third parties either have Your consent or are otherwise legally permitted or required to disclose Your Personal Data to Us.

Purposes for which personal data will be processed

We Process Your Personal Data to:
  1. Facilitate Your access to the Website(s) and Service(s);
  2. Provide customer service and support;
  3. Send You communication on Your use of the Service(s), updates on Our Terms of Service or other policies;
  4. Send You communication on new features in the Service(s) or new service offerings;

Sharing of personal data

We do not share personal information.

Retention of personal data

We retain personal information for as long as your company is subscribed to our services.

Security of personal data

We use appropriate technical and organizational measures to protect the Personal Data that We collect and Process. The measures We use are designed to provide a level of security appropriate to the risk of Processing Your Personal Data. If You have questions about the security of Your Personal Data, please contact Us immediately as described in this Policy.

Your rights

You are entitled to the following rights:
  1. You can request that We access, correct or update Your Personal Data.
  2. You can object to the Processing of Your Personal Data and ask Us to restrict or stop processing of Your Personal Data, but that can only be done if you stop using our compliance portal.

Contact Information

You may contact us if You have any inquiries or feedback on Our personal data protection policies and procedures, or if You wish to make any request, in the following manner:

Kind Attention: Privacy Team
Email Address: hello@socly.io
Alternatively, You can use the Contact Us section in our portal.