March - 2025

iO™ News & Updates
Big things are happening at Input Output! We’ve removed the paywall on our compliance section—because security knowledge should be free for all (but subscribers still get exclusive perks). Need compliance guidance? Our new Virtual CISO Business Hours will give you direct access to experts twice a week. And because hackers never rest, we’re rolling out new cybersecurity solutions, including security awareness training, privacy management, and enhanced password protection with Keeper Security. Stay tuned—there’s more to come! 🚀
Cybersecurity & Compliance News
With FinCEN’s BOI reporting deadline reinstated for March 21, 2025, businesses must act now to ensure compliance. Meanwhile, Microsoft, Apple, and Xerox have released critical security updates to address actively exploited vulnerabilities, and AWS environments face new risks from the "whoAMI" attack. Cybercriminals are also targeting Google Calendar, macOS users, and Mitel SIP devices with evolving malware and phishing scams. Stay informed, update your systems, and secure your data.
ISP Management & Updates
As the quarter wraps up, ensure your Information Security Program (ISP) meets all FTC Safeguards Rule requirements. Designate a Qualified Individual, conduct risk assessments, and implement a Written Information Security Program (WISP) with access controls, encryption, and incident response plans. Stay proactive—update policies, train employees, and audit security controls to avoid fines and compliance setbacks.

No More Paywalls—Compliance for Everyone!
Great news! We’ve removed the subscription requirement to access our compliance section. That’s right—compliance knowledge is now free for all because everyone deserves to stay informed without jumping through hoops (or paywalls).
But don’t worry, subscribers—you’re still VIPs. In fact, we’re enhancing our compliance offerings just for you, so you’ll be getting even more exclusive resources, tools, and expert insights. It’s like an all-you-can-eat compliance buffet—except with fewer carbs and more security.
Introducing Virtual CISO Business Hours—Your Compliance Lifeline
Have compliance questions? Need guidance on your security program? Want someone to tell you that you’re probably not getting hacked right now? We’ve got you covered. We’re launching Virtual CISO Business Hours—twice a week, our security experts will be available for live sessions where you can review your compliance program, ask questions, and get real-time advice.
This will be included free with our Written Information Security Program (WISP) or available as a standalone subscription. Think of it as office hours, but instead of a professor lecturing about ancient history, you get real-world security insights that can save your business.
New Cybersecurity Solutions—Because Hackers Never Take a Day Off
We’re leveling up our security solutions to keep you ahead of the threats. Coming soon:
✅ Security Awareness Training – Teach your team to spot phishing, smishing, and other shady tactics before they click on that "urgent" email from a Nigerian prince.
✅ Privacy & Cookie Management – Ensure your website stays compliant with data protection laws without drowning in legal jargon.
✅ Enhanced Password Management – Strengthening our partnership with Keeper Security so you can finally stop using "Password123."
Cybercriminals are getting smarter, but so are we. Stay tuned—big things are coming!

iO™ Podcast: Cash in the Cyber Sheets
Cash in the Cyber Sheets is your go-to podcast for transforming cybersecurity, compliance, and risk management into powerful tools that drive business success. Hosted by James Bowers II, CEO and Chief Security and Compliance Architect at Input Output, each episode delves into the latest trends, strategies, and best practices in the world of cybersecurity. Whether you're a business owner, IT professional, or industry expert, this podcast offers insightful discussions, expert interviews, and actionable advice on how to leverage security and compliance to boost productivity and profitability. Tune in to discover how to turn what many see as obstacles into opportunities for growth and efficiency in your business.
Watch 'Cash in the Cyber Sheets' on YouTube:

Cybersecurity & Compliance - News, Trends, & Updates
Stay ahead of the curve with the latest news, trends, and updates in cybersecurity and compliance. This section provides essential insights into emerging threats, regulatory changes, and best practices, helping you navigate the ever-evolving landscape of security and compliance with confidence.

BIG BYTES - Quick Hit Hot Topics
- FinCEN BOI is REQUIRED AGAIN - New Deadline: March 21st, 2025.
- Almost 60% of organizations state that geopolitical issues affect their risk management and cybersecurity strategy.
- 54% of large organizations say supply chain issues introduce the biggest challenges to their cybersecurity efforts.
- Only 37% of organizations perform security assessments of AI tools before they are used (while 66% see AI as the biggest game changer).
FinCEN BOI Reporting Required Again - New Deadline is March 21st, 2025
BOI reporting is back. After a series of legal battles, FinCEN has reinstated the Beneficial Ownership Information (BOI) reporting requirements, with a new deadline of March 21, 2025. Businesses must determine if they qualify, gather required ownership details, and submit reports electronically. FinCEN may ease compliance burdens for small businesses, but proactive filing remains essential to avoid fines and penalties. Stay ahead of regulatory changes.
Read More - Available 03/06/2025
Microsoft's Latest Security Update Targets Actively Exploited Vulnerabilities
Microsoft’s February 2025 Patch Tuesday addresses 56 security vulnerabilities, including two actively exploited zero-day flaws. One, CVE-2025-21418, allows privilege escalation via a buffer overflow in WinSock, while CVE-2025-21391 enables attackers to delete files on targeted systems. Other critical fixes include an NTLMv2 hash-stealing flaw and a remote code execution risk in HPC Pack for Linux. Given the active exploitation of some vulnerabilities, prompt patching is essential to safeguard systems against cyber threats.
Recognizing and Avoiding Google Calendar Cyber Threats
Cybercriminals are exploiting Google Calendar to distribute phishing scams and malware through fraudulent invites and malicious links. Attackers use spoofed events, phishing links in descriptions, and malicious .ics files to trick users into revealing sensitive information. To stay protected, adjust your calendar settings, disable automatic event additions, and scrutinize suspicious links. Proactive security measures can help safeguard your digital workspace from these evolving threats.
Credential Exposure Risk in Xerox VersaLink C7025 Printers
Critical vulnerabilities in Xerox VersaLink C7025 MFPs (CVE-2024-12510 & CVE-2024-12511) could expose Windows Active Directory credentials through LDAP and SMB/FTP pass-back attacks. Exploiting these flaws, attackers could intercept authentication data, enabling credential theft and lateral movement within a network. Xerox has released firmware updates to mitigate these risks. Organizations should update firmware, secure configurations, and monitor network activity to stay protected.
New XCSSET Variant Targets macOS Users
A new variant of XCSSET malware is targeting macOS users and Xcode developers, using advanced evasion tactics and persistence mechanisms to steal sensitive data. This malware spreads via infected Xcode projects, compromising the software supply chain and injecting malicious code into applications. Developers and users should inspect projects, update macOS regularly, and use security solutions to mitigate risks. Staying vigilant is key to preventing compromise.
Mitigating the whoAMI Attack in AWS Environments
A newly identified "whoAMI" attack exploits misconfigured AWS IAM roles, allowing attackers to escalate privileges and execute remote code within AWS environments. This vulnerability highlights the risks of overly permissive IAM policies, which could compromise cloud security. Organizations should follow least privilege principles, monitor IAM activity, enforce MFA, and conduct regular audits to mitigate threats. Proactive security measures are essential to safeguard AWS accounts.
Newly Disclosed Exploits Target Apple iOS and Mitel SIP Devices
CISA has added critical Apple iOS, iPadOS, and Mitel SIP phone vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. CVE-2025-24200 allows attackers to bypass USB Restricted Mode on iPhones and iPads, while CVE-2024-41710 lets hackers exploit Mitel SIP phones for botnet attacks. Organizations and individuals should update to iOS 18.3.1 and install Mitel’s latest firmware to mitigate risks.

ISP Management - Information Security Program Updates & Requirements
Navigate the complexities of regulatory compliance and Information Security Program (ISP) requirements with confidence. This section covers essential topics to keep your ISP on track, reviews the latest tools and support resources, and offers insights for those utilizing iO™ WISP or other solutions to ensure your security framework remains robust and compliant.

IT'S TIME FOR - ISP Requirements
- Information Security Policies & Procedures Review
  - Input Output WISP - Written Information Security Program
- Supplier Management - Assessments & Review
  - Input Output ASL - Approved Supplier List (SVM-FM-002), and
  - Input Output Supplier Assessment Form (SVM-FM-001)
- Internal Audit - ISP Control Audit (Review all implemented ISP controls)
  - Input Output Audit Template (ALM-FM-001)
- Internal Audit - Technical Control Audit (Review all implemented technical controls)
  - Input Output Audit Template (ALM-FM-001)
!!! This quarter is coming to an end. Be sure to complete all the requirements above so your compliance program does not fall behind.
Designate a "Qualified Individual" for Your ISP
The FTC Safeguards Rule requires financial institutions to designate a Qualified Individual to oversee their Information Security Program (ISP). This individual ensures compliance, manages security risks, and protects sensitive customer data. Organizations can appoint an internal expert or use a vetted third-party provider, but senior management remains accountable. Learn how to select the right person and meet compliance requirements.
Ensure Your WISP Has What it Needs to be Compliant
CPA firms must implement a Written Information Security Program (WISP) to comply with the FTC Safeguards Rule and protect client data. A WISP includes access controls, encryption, incident response plans, and risk assessments to safeguard sensitive financial information. Firms should regularly update security policies, train employees, and conduct audits to stay compliant and mitigate cyber threats. Learn how to build an effective WISP for compliance.
Ensure Your Organization Meets the Requirements of the FTC Safeguards Rule
The FTC Safeguards Rule requires financial institutions to implement robust security programs to protect customer data. Key mandates include appointing a Qualified Individual, conducting risk assessments, enforcing security controls, and managing service providers. Non-compliance can lead to fines, lawsuits, and reputational damage. Organizations must treat compliance as an ongoing process to enhance security and build customer trust.