Garland Heart obtains the Best Christian Workplace Institute award for the 3rd year in a row!

Posted by Brad Garland • Nov. 13, 2015 • 0 Comments

The importance of our culture and how we work is something that means a great deal to me. As a company, we choose to spend time debating and cultivating our workplace as we grow. We know there will be changes along the way, people that come and go, and different business problems we get to face every year. This is why we began using, three years ago, the Best Christian Workplace Institute’s survey of all our staff to have a measurement of where we are each year. We had all our employees take the survey again this year and are delighted to hear that we obtained the 2016 Best Christian Workplace Institute Award for great places to work. We are proud of this honor and look for ways to get better each time around. No culture is perfect (and ours is certainly not), but leveraging a tool like the BCWI to measure our success has been extremely helpful in creating an open, performance-driven, and dare I say, fun place to work.

"Garland Heart has developed a remarkably flourishing employee culture placing them in the top 10% of product and service organizations in our survey database. Staff communicate how much the leadership cares about its staff and clients. Their employees indicated they feel highly involved in decisions that impact their work. They are a great example of an organization that lives its values.” - Al Lopus, President of BCWI

Why is the 80/20 Rule Important in Cyber Security Practices?

Posted by Nik • Oct. 29, 2015 • 0 Comments

Cyber security may be a newer, more complex field, but it actually shares many common rules with other industries. One of these is the "Pareto principle," which dictates that 80% of the effects come from a mere 20% of causes. In other words, the distribution of cause and effect can be (and usually is) uneven, and learning your way around this can be vital for any business.


The Pareto Principle and Cyber Security

You may be wondering how this relates to cyber security, or cyber security consulting. The answer is simple: not all threats in cyber security create the same amount of risk. Learning from the Pareto principle means understanding that your resources should be focused on fighting the attacks that can do the most damage before worrying about minor bugs and inconveniences. 

Many cyber security consulting firms attempt to cover all possible bases by using a one-size-fits-all approach. This can be very harmful, as it ends up treating low-level risks with the equivalent amount of attention as high-level ones, which can result in the more immediate issues not being dealt with properly due to misappropriated resources.


Assessing Incident Response Processes

In order to prevent these issues, you should start by analyzing your incident response processes. Try using the following steps: 

  1. Start by looking at the discovery, analysis, mitigation and closure phases of your incident response process. You'll want to know how many resources are being used by each step. Once you've learned that, move on.
  2. Next, you should work on shortening your discovery phase, and if using outsourced services, ensure you are working with qualified and experienced cyber security consulting firms that understand your environment and are going to implement processes that fit and will scale with your environment. Make sure that you have the right people with the right skill sets working on the right tasks, and ensure that you have ready the necessary resources for this collaboration.
  3. Improve the analysis and mitigation phases. By collaborating and sharing threat information and response tactics, you should be able to make these processes more efficient for regular usage.

Tip: don't forget to include your external security firm as they can help lend valuable experience and perspective. 

  4. Once you've reached the closure phase, you have to learn to open up. Most companies prefer to sweep their bad days under the rug - what you should do instead is find ways to appropriately share those details, which will help others learn from your experience. This can be done anonymously or through a credible resource established to facilitate collaboration. Doing this can help you be more proactive moving forward.

Tip: If possible, try to integrate these instances into your company-focused training - when done properly it can help strengthen the team. Just remember to not embarrass a team member or department in the process.  


Keeping Watch Over Infrastructure

Finally, you need to think deeply about your company's infrastructure. Try to avoid expensive and overly complex IT "solutions" adopted just for the sake of technology. You need to ensure the solution addresses the risk and, more importantly, that your staff and business have the expertise and time to support said solution. Instead, shift your effort/risk ratio to be properly aligned with the Pareto principle. These steps, combined with smart investments in system upgrades, hardware tracking, and maintenance, should provide you with what you need to maintain an enterprise-wide Information Technology & Compliance Program - helping to mitigate the impact of potential breaches or failures.

That aside, don't hesitate to ask us for help. If you want to ensure the safety of your IT systems with an experienced cyber security consulting company, look no further than Garland Heart.



Topics: IT, cybersecurity, Security

Follow the Data - Debunking the Security Myths

Posted by Wade Clem • Oct. 28, 2015 • 0 Comments

For those wanting to gain more insight into probability studies, or forward-looking research into what the hacking community is going after, this is a great article to read.
As discussed, mobile device security is a huge plus in thwarting 41% of overall breaches, while malware and hacking breaches actually only make up 25%. Several myths discussed are based on what is of actual value, what data is in surplus and what is in high demand.
Some interesting graphs are also shown that re-emphasize the need to protect credentials and underscore how important protecting network and domain administrator credentials truly is.
It all truly leads back to three important questions.
1. Where is my critical data and who has access to it?
2. Is this data or system at risk or possibly vulnerable?
3. How much will it cost to safeguard this data or system? 

Topics: Security

A Helpful Guide to SOX Compliance for Financial Institutions

Posted by Nik • Oct. 26, 2015 • 0 Comments

The Sarbanes-Oxley (“SOX”) Act of 2002 is a crucial piece of legislation aimed at protecting the confidentiality, integrity, and availability of information that impacts a corporation's stakeholders.

Ensuring ongoing SOX compliance is a fundamental risk management task for any publicly-traded, or even privately-held, company in the United States. Transgressions of the SOX Act can involve hefty penalties at both a company and an individual level (for directors and board members). 

SOX requires organizations to establish security controls that prevent leaks of confidential data, and audit trails that are capable of detecting any form of data tampering. In this way, the Act helps organizations to reduce or eliminate fraud, build public trust, and protect data that is sensitive to stakeholders. 

At Garland Heart we advise that organizations establish IT security policies that will ensure regulatory compliance with SOX, as well as other related legislation. In a nutshell, organizations must implement an effective strategy for fraud prevention, detection and response - identifying vulnerabilities, establishing controls, selecting information security solutions, and ensuring accurate reporting.

For financial services companies, which deal with very sensitive customer and financial data, there are a number of important considerations relating to SOX compliance.


Overall architecture of your organization

By using an established framework for describing and architecting your organization, it becomes easier to control all the “moving parts” within the enterprise, and to ensure IT regulatory compliance. The Open Group Architecture Framework (TOGAF) is such a framework - giving the organization a guide to designing, planning, implementing, and governing an enterprise information technology architecture.


Securing and backing up your data

Implement a tiered data protection approach to preventing unauthorized access (as well as preventing accidental or intentional destruction, infection or corruption). Multiple layers of defense means that sectors of one’s data warehouses and cloud environments can be isolated - minimizing the impact of any breach.


Ensuring the confidentiality of your data

Using multi-factor, strong authentication methods - such as one-time passwords sent via text message - helps to protect access to data. This is combined with permissions-based access so that only the people who need to see and edit content are able to do so.


Detecting and reporting on breaches or vulnerabilities

SOX mandates that any vulnerabilities and breaches are reported in a timely manner to independent auditors. To facilitate this process and to ensure regulatory compliance, one’s security approach needs to incorporate automated and accurate reporting capabilities along with the details of remedial actions that have been taken to patch the problem.

As the pace of digitization accelerates, the nature of cyber-attacks is becoming increasingly sophisticated. Ensuring IT regulatory compliance in this ever-shifting landscape is no easy task.

With the right security consulting partners and information security solutions, organizations can keep one step ahead of the threats while ensuring SOX compliance and sound business governance. Do you know how airtight your current security structure is in your financial institution? Check out our free assessment tool here. If you have any questions or concerns, feel free to contact us for more help.


Topics: Virtual Compliance, Compliance, Banks, Online Banking

5 Identity and Access Metrics for Effective Risk Management

Posted by Gaye Connell • Oct. 22, 2015 • 0 Comments

Your network security and risk management strategies have to account for a complex and constantly changing IT environment. Understanding the key identity and access metrics helps you incorporate effective identity access management throughout your organization. These metrics provide valuable insight into the devices connecting to the network, the number of inactive user accounts, which users have high-level privileges, the frequency of password changes, and whether there are issues with account access.


1. Number of Devices Actually Connected to the Network

It's common for many workplaces to have bring your own device (BYOD) policies, or to have employees who choose to use personal devices with or without a BYOD policy. You need to know how many devices are actually connected to the network, as opposed to the company-approved number of devices. These figures don't always match up, and effective identity access management requires working from a complete set of network information. If you're trying to avoid a BYOD network due to the potential risk, this also reveals whether you need to put measures in place to cut down on unauthorized device access.


2. Administrator Privilege Metrics

Do too many people have access to account privileges they don't really need? Sometimes risk comes from users who have too many privileges, especially if these privileges aren't being tracked. This type of risk can also extend to vendor risk management, if third-party vendors need access to specific network privileges, so take this into account during risk assessment. Track privileged accounts and the number of active accounts to mitigate the potential for insider threats. Pay attention to whether these accounts use the privileges given, as you may be better off with more user account levels with fewer permissions.


3. Frequency of Password Changes

Frequent password changes help you minimize potential account compromises occurring from data breaches. Track how often password changes occur within your organization, and consider implementing policies that increase the frequency of these changes. This type of policy meshes well with password-creation guidelines or requirements, such as a specific number of special characters in the passwords.


4. Number of Abandoned Accounts

Accounts associated with employees no longer with the organization, as well as temporary access accounts created for vendors and other third-parties, are vectors for potential unauthorized access. Track how many abandoned accounts exist on the network, and keep this number at a minimum.


5. Number of Invalid Login Attempts and Account Lockouts

Watch for invalid login attempts and account lockout numbers. This metric indicates one of two possibilities: either users need better training on account access and password management, or a possible hack attack is occurring.
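The five metrics above can be pulled from an asset register, a directory export and an authentication log. The script below is an added example, not code from the post or from Garland Heart; the device lists, account records and log lines are constructed, and the log format, the 90-day thresholds and the five-failure lockout rule are assumptions to adjust for your own environment.

```python
"""Compute the five identity-and-access metrics from the post over constructed sample data."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Reference time for the constructed data set (assumption).
NOW = datetime(2015, 10, 22, 9, 0, 0)

# Metric 1: what the asset register approves vs. what NAC/DHCP logs actually saw (constructed).
APPROVED_DEVICES = {"wks-001", "wks-002", "wks-003"}
OBSERVED_DEVICES = {"wks-001", "wks-002", "wks-003", "personal-phone-1", "personal-tablet-2"}

# Metrics 2-4: account inventory (constructed). 'employed' is what HR says,
# 'enabled' is what the directory says; the two drift apart in practice.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "employed": True,
     "last_login": NOW - timedelta(days=1), "pw_changed": NOW - timedelta(days=20)},
    {"user": "bob", "enabled": True, "admin": True, "employed": True,
     "last_login": NOW - timedelta(days=200), "pw_changed": NOW - timedelta(days=400)},
    {"user": "carol", "enabled": True, "admin": False, "employed": False,
     "last_login": NOW - timedelta(days=45), "pw_changed": NOW - timedelta(days=60)},
    {"user": "vendor-temp", "enabled": True, "admin": False, "employed": True,
     "last_login": NOW - timedelta(days=120), "pw_changed": NOW - timedelta(days=120)},
    {"user": "dave", "enabled": False, "admin": True, "employed": False,
     "last_login": NOW - timedelta(days=300), "pw_changed": NOW - timedelta(days=300)},
]

# Metric 5: authentication events (constructed; the line format is an assumption).
AUTH_LOG = """\
2015-10-22T08:00:01 user=alice result=success
2015-10-22T08:00:05 user=bob result=failure
2015-10-22T08:00:09 user=bob result=failure
2015-10-22T08:00:12 user=bob result=failure
2015-10-22T08:00:15 user=bob result=failure
2015-10-22T08:00:18 user=bob result=failure
2015-10-22T08:00:21 user=bob result=lockout
2015-10-22T08:05:00 user=carol result=failure
2015-10-22T08:05:30 user=carol result=success
"""

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def unapproved_devices(observed=OBSERVED_DEVICES, approved=APPROVED_DEVICES):
    """Metric 1: devices seen on the wire that are not in the approved inventory."""
    return sorted(observed - approved)


def privileged_accounts(accounts=ACCOUNTS):
    """Metric 2: enabled accounts holding administrator rights."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["admin"])


def stale_passwords(accounts=ACCOUNTS, max_age_days=90, now=NOW):
    """Metric 3: enabled accounts whose password is older than the policy allows."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(a["user"] for a in accounts if a["enabled"] and a["pw_changed"] < cutoff)


def abandoned_accounts(accounts=ACCOUNTS, inactive_days=90, now=NOW):
    """Metric 4: enabled accounts for departed people, or unused longer than inactive_days."""
    cutoff = now - timedelta(days=inactive_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (not a["employed"] or a["last_login"] < cutoff))


def failed_logins(log=AUTH_LOG):
    """Metric 5a: failed authentication attempts per user."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("result") == "failure":
            counts[m.group("user")] += 1
    return dict(counts)


def locked_out(log=AUTH_LOG, threshold=5):
    """Metric 5b: users with an explicit lockout event or >= threshold failures."""
    explicit = {m.group("user") for m in map(LOG_RE.search, log.splitlines())
                if m and m.group("result") == "lockout"}
    by_count = {u for u, n in failed_logins(log).items() if n >= threshold}
    return sorted(explicit | by_count)


def iam_metrics():
    """Bundle all five metrics into one report dict for a dashboard or ticket."""
    return {
        "unapproved_devices": unapproved_devices(),
        "privileged_accounts": privileged_accounts(),
        "stale_passwords": stale_passwords(),
        "abandoned_accounts": abandoned_accounts(),
        "failed_logins": failed_logins(),
        "locked_out": locked_out(),
    }


if __name__ == "__main__":
    for name, value in iam_metrics().items():
        print(f"{name}: {value}")
```

Each function works from the exported data rather than from the live directory, so the same report can be re-run against last quarter's exports to see whether the numbers are trending the right way.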


Need professional risk management consulting to track network identity and access metrics? Contact Garland Heart to get the help you need to improve your risk management.

Topics: IT, Security, Corporate

6 Best Practices for Maintaining Data Security in Your Firm

Posted by Nik • Oct. 17, 2015 • 0 Comments

Defending your data from threats is a number one concern. Technology is fluid, but planning properly will help your company get the best protection for the present and for future growth. These six best practices will help you maintain data security in your business.


1. Plan-Do-Check-Act (PDCA)

Plan-do-check-act (PDCA) is the foundation of best practices in data security. First published in 2005 as a set of controls known as ISO 27001, network assessment and security has traditionally followed the protocols of PDCA as the go-to system for managing data safety. You can begin to incorporate PDCA into your firm’s IT policies by following this four-stage process:

  • Plan: Identify and establish procedures to minimize risks to data.
  • Do: Integrate and implement the established procedures.
  • Check: Monitor the controls set in place for compliance with the procedures.
  • Act: Utilize preventive and corrective procedures to continually improve the system.


2. Hiring

Hiring employees and contracted workers can be tricky. You want the best people as a part of your organization, but the majority of security breaches occur through employees rather than an online attack. Because employees are your greatest ally and greatest risk, minimize risks to data by putting policies in place to properly guide potential employees and contractors.

Tip: Ensure that you establish regular training and education for your employees so they can better understand why the procedures are there and the risks you are working to mitigate.


3. Access Control

As mobility increases, the risk of a data breach increases. More than just usernames and passwords, your company needs a well-organized plan for determining who has access to which information. Whether your firm uses the cloud, a Virtual Private Network (VPN) or a combination of the two, identifying the accessible and restricted data and who can access it is key to securing all data on the go.


4. Auditing

Established and regular auditing practices should allow team members to have a process to follow when inconsistencies arise, when a breach occurs, and when problems are identified. Internal staff can be used based on the size and structure of your environment, but a focus on some independence should be established. If that cannot be guaranteed, the skill set is not available, or when regulatory requirements dictate, hiring a trusted third party as an information security consultant or firm can also help ensure appropriate practices are established.


5. Scalability

When considering new software or equipment, scalability helps account for expansion of security protocols. Each new program, computer and piece of digital equipment should be able to accommodate the fluidity of the technological environment.

Tip: Ensure that your network is tested through a vulnerability assessment or penetration test after these changes occur. 


6. Physical Security

Sometimes it’s not the passwords that get hacked, but the lock on the door. In this increasingly digital and cloud-based world, don't forget to protect or limit access to sensitive paper documents, workstations, screens, and other sources of critical information in high traffic public areas. Restricting access to areas with servers and sensitive data in addition to protection from the elements and emergencies such as fires and floods needs to be a part of any business continuity plan.

For more information on ways to secure your firm’s data, contact Garland Heart at any time.


Topics: Info Security, IT, cybersecurity, Security, Corporate

3 Common Cybersecurity Structures in the Legal Industry: Which One Are You?

Posted by Brad Garland • Oct. 13, 2015 • 0 Comments

You’ve all seen the headlines - big company data breaches, foreign hackers, databases stolen. You can’t make it a day anymore without the next information security headline.
It can be scary to some, difficult to understand for many, and it’s the fastest moving target in the business world today. So, what should a firm like yours do about it considering your size, staffing levels, and overall investment?
First off, you’re not alone in not knowing the answer. So we thought it would be useful to share our experience of what we hear from firms and the mindsets of some of the firms we talk to today:

1. The “Reactives"

These firms are usually small to midsize firms that think they are too small to need to worry about this stuff right now. They aren’t really getting client audits right now so they “invest” in their security awareness and cybersecurity strategy only when they need to. They might say, "Partners haven’t been pressuring me (or don’t care enough) about it so I should be able to use that money elsewhere. Right?!"
It’s been our experience that if the bad guys are anything, they are opportunistic. Why spend time trying to break into a harder network or firm when the small firm has just as valuable assets and their security is more lax? The mindset of the smaller firms, since they only have 1 or 2 technical staff, is to have hardware/software solutions fix the problem. We couldn’t disagree more! In any study you come across, the biggest risk to an organization's security isn’t their technology, it’s their people. That’s why a small firm should focus on bringing up the intelligence of the firm around cybersecurity and compliance practices versus thinking they can band-aid the problem with more technology. Change is much easier to do with smaller firms versus larger, more spread-out firms.

2. The "Middle of the Roaders"

These firms aren’t necessarily larger but certainly have more awareness around security practices. With that said, it doesn’t necessarily mean they are implementing them though. These are the firms that have limped along by fighting cybersecurity fires as they come along. We spoke to a firm recently that spent 60 hours completing a client audit for a big customer. The issue with this profile is they have the knowledge but haven’t developed the overall program and processes they need to begin managing cybersecurity instead of it managing them. They need more strategic thinking and consistent communication around this topic to begin to move the needle.

3. The “Proactives"

All of these firms that fit this profile have generally been in one or both of the profiles above, but someone in the organization finally had the epiphany to say enough is enough. They spent too much time fighting fires, getting client requests they weren’t ready to handle, and required a more overarching plan of training, testing, and ongoing development to really build an effective information security program and, more importantly, culture. They utilize hardware/software tools to help mitigate risk, but it's only a part of their security investment. They also have buy-in and awareness from the partners of the importance of the issue and how it makes the whole firm more marketable if everyone handles cybersecurity in the same way. Lastly, they have a scalable, flexible strategy that utilizes resources (both internally and externally) to keep abreast of the ever-changing cybersecurity landscape.
The fact of the matter is not if but when our firms get breached. The question is what is the right strategy for your firm to be ready to respond in a timely, confident, and intelligent way when it happens?
This post was originally published for one of our partners in the legal security industry, Traveling Coaches.

Topics: cybersecurity, Legal

Are Smartwatches the Next Target for CyberAttacks?

Posted by Nik • Sep. 29, 2015 • 0 Comments

The future of cyber security is almost never clear. New devices are popping up all the time, and making informed decisions on device security can be tricky. However, where smartwatches are concerned, the decision might not be so difficult for you and your business.


Studied Vulnerabilities of the Wearable Device

A recent study on smartwatches by HP Fortify revealed that smartwatches, another device in the burgeoning Internet of Things, are actually a wide open book in terms of safety, security and confidentiality. Among 10 tested smartwatches, 100 percent had at least one major vulnerability, and there were outstanding categorical vulnerabilities across all 10. One category even reached 70 percent, meaning that 7 of the 10 tested watches possessed that security hole.


Business Problems With Vulnerable Wearables

With the advent of the Bring Your Own Device (BYOD) policy in the business world, user-end device security has become a more focused area of concern. Small business cyber security experts in and out of companies spend a lot of time refining policies and procedures where personal devices are concerned. It's much more difficult to monitor personal activities related to business as opposed to straightforward business activities. This is especially true for cybersecurity in the health care sector, since many wearables monitor personal health information, and keeping this information safe and secure is important.

The vulnerabilities found in smartwatches present a problem because these are wearable devices, which are small and easy to miss. If employees fail to report their personal devices to the proper parties, and are using these devices to access business resources and perform business duties, they could be jeopardizing everyone if their device is not accounted for and secure. You and your employees are encouraged to take initiative where brand new mobile devices are concerned, and constantly be on top of the subject by refining and polishing your cybersecurity policies.


Employee Actions Against Businesses Through Wearables

Corporate espionage could easily leave the realm of fantasy and become a real issue for many businesses with the rise of wearable personal devices. Because these new machines can receive photo and video data, it would be no big challenge to brush your sleeve and poke a button to record sensitive, confidential information for malicious purposes. Taking strides to improve information security policies is an important aspect of your business, and keeping tight lines of communication and collaboration with your techs is a necessity to ensure your business's future.

While involving personal devices is definitely a marked step toward better productivity, the movement needs to be carefully monitored. Confer with your inner circle regularly, and discuss the information security policies that are in place at this time, as well as what needs to be implemented sooner rather than later. If you're in need of assistance with your information security policies, contact Garland Heart to set up a consulting session as soon as possible.


Topics: Info Security, IT, cybersecurity, Security

What The Next Security Breach Means For Your Community Bank

Posted by Gaye Connell • Sep. 22, 2015 • 0 Comments

Recently, security breaches of major websites, companies and banks seem to be appearing in the headlines more and more frequently, and with increasingly more critical effects. If you're wondering how these events will affect you, you're not alone: in a recent survey, 97 percent of CFOs believe that cyberattacks are their biggest threat. Fortunately, the situation is not as frightening as it might first appear. Still, you need to do your utmost to ensure your financial network security. Keep reading to learn some essential steps that will help keep your banking institution and its data safe.


Know Your Company

If hackers gain access to the sensitive financial information of your company or customers, they could use it for any number of nefarious purposes. To thwart this, keep a close eye on your security and financial statement reports, watching for any seemingly irregular activity. The better your bank is about analyzing and reporting key metrics, the more in-tune your company will be about anything that seems off. 


Don't Get Hooked by Phishing

Phishing, the act of electronically masquerading as a trustworthy organization or person to obtain sensitive information, has been a successful tactic for many hackers in the past, and will undoubtedly continue to be so for the foreseeable future. Sophisticated attackers can even customize their messages using information from their targets' presence online and in social media, perhaps pretending to be a person known and trusted by the recipient. If you get a suspicious email, be wary of any links it contains. The phishers may have constructed a fake website that looks like the real thing to trick you into entering your username, password or other information. 


Keep Track of the Security Landscape

The art of hacking is constantly evolving, as security flaws are discovered and patched and as breach tactics are invented and grow more sophisticated. If you're hoping to outsmart a hacker, you need to understand the risks you and your bank face and how you can best protect yourself against them. Sometimes the simplest attacks can have the most drastic effects on your financial network security. In addition, don't underestimate the power of social engineering, which can be just as devastating for your business as a cyberattack. 

Don’t lose sight of the fundamentals of security for your bank by getting caught up in the latest cybersecurity fads. Also, you should always implement layered controls in your security system to reduce the risk of having a single point of failure, which can lead to a catastrophic event.

If you're still hesitant about what are the right steps to take for your organization, you may wish to speak with a risk management consulting firm. Get in touch with Garland Heart today to learn about how we can help you and your bank.

Topics: Banks, Risk Assessment, Info Security, IT, Security

3 New Tips to Boost Email Security

Posted by Nik • Sep. 15, 2015 • 0 Comments

Email may be a convenient way to communicate with coworkers and clients, but it isn’t inherently secure. As such, there are security holes in email that you should be aware of and address when applicable to data security. Here are a few advanced email hacks that can help reduce the risk and help keep your information safer in or out of the workplace. Use these three tips to boost your email network security.


  1. Use DNS Authentication

DNS stands for Domain Name System, which is a naming system for computers that are connected to the Internet. The National Institute of Standards and Technology (NIST) recently released a draft of DANE, a DNS-based Authentication of Named Entities for email systems. DANE will enhance cyber security by encrypting email messages between mail servers. DANE will digitally encrypt outgoing messages and verify certificates to ensure incoming emails are genuine. DANE is available for Internet Explorer, Firefox, Chrome, Safari and Opera via a browser add-on.
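The certificate-verification step that DANE adds works by publishing a TLSA record in DNS (for an SMTP server on port 25 the record name is `_25._tcp.<mail host>`) and comparing it against the certificate the server presents during TLS. The code below is an added example of that matching logic as defined in RFC 6698, not code from the post, from NIST or from any mail software; the certificate and public-key bytes are constructed placeholders, and in real use the TLSA records must come from a DNSSEC-validated lookup and the chain-building for trust-anchor usages is left to the TLS library.

```python
"""TLSA record construction and matching (RFC 6698) over constructed certificate bytes."""
import hashlib
import hmac

# Constructed placeholders standing in for DER-encoded certificates and their
# SubjectPublicKeyInfo fields (assumption: real code extracts these from the TLS handshake).
EE_CERT = {"cert": b"CONSTRUCTED-END-ENTITY-CERT-DER", "spki": b"CONSTRUCTED-END-ENTITY-SPKI-DER"}
CA_CERT = {"cert": b"CONSTRUCTED-ISSUING-CA-CERT-DER", "spki": b"CONSTRUCTED-ISSUING-CA-SPKI-DER"}
ROGUE_CERT = {"cert": b"CONSTRUCTED-ROGUE-CERT-DER", "spki": b"CONSTRUCTED-ROGUE-SPKI-DER"}

# TLSA certificate usages: 0/1 still require a normal PKIX chain validation,
# 2/3 rely on DNSSEC-protected DNS alone.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


def _select(selector, cert):
    """Selector 0 = whole certificate, 1 = SubjectPublicKeyInfo only."""
    if selector == 0:
        return cert["cert"]
    if selector == 1:
        return cert["spki"]
    raise ValueError(f"unusable selector {selector}")


def _digest(mtype, data):
    """Matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unusable matching type {mtype}")


def tlsa_rdata(usage, selector, mtype, cert):
    """Build the RDATA string a zone operator publishes for the given certificate."""
    return f"{usage} {selector} {mtype} {_digest(mtype, _select(selector, cert)).hex()}"


def tlsa_matches(rdata, cert):
    """True if this single TLSA record matches the given certificate.

    Records with unknown parameters are unusable and therefore never match.
    """
    usage_s, sel_s, mt_s, hexdata = rdata.split(None, 3)
    usage, selector, mtype = int(usage_s), int(sel_s), int(mt_s)
    if usage not in (PKIX_TA, PKIX_EE, DANE_TA, DANE_EE):
        return False
    try:
        expected = _digest(mtype, _select(selector, cert))
        published = bytes.fromhex("".join(hexdata.split()))
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how far the match got.
    return hmac.compare_digest(expected, published)


def dane_check(records, chain):
    """Evaluate a TLSA RRset against a presented chain (chain[0] is the end-entity cert).

    Returns None when no record matches, otherwise which record matched and whether
    the client must additionally perform PKIX validation (usages 0 and 1).
    """
    for rdata in records:
        usage = int(rdata.split(None, 1)[0])
        if usage in (PKIX_EE, DANE_EE):
            candidates = chain[:1]          # end-entity usages match only the leaf
        elif usage in (PKIX_TA, DANE_TA):
            candidates = chain[1:]          # trust-anchor usages match a CA in the chain
        else:
            continue                        # unusable usage value: ignore the record
        if any(tlsa_matches(rdata, c) for c in candidates):
            return {"matched": rdata, "pkix_required": usage in (PKIX_TA, PKIX_EE)}
    return None


if __name__ == "__main__":
    published = [tlsa_rdata(DANE_EE, 1, 1, EE_CERT)]
    print("genuine server:", dane_check(published, [EE_CERT, CA_CERT]))
    print("rogue server:  ", dane_check(published, [ROGUE_CERT, CA_CERT]))
```

The common deployment for mail is usage 3 with selector 1 and matching type 1 (a SHA-256 pin of the server's public key), because it survives certificate renewal as long as the key pair is kept and needs no public CA; a rogue server with a different key produces no match even if it holds a validly signed certificate for the same name.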


  2. Identify Graymail and Get Rid of It Safely

Graymail isn’t quite the same as spam; it’s email that you have, at one time, opted into receiving. However, that doesn't always mean it is email you want to receive. While you can unsubscribe from the mailing list, that doesn’t necessarily solve the problem as your email address might be stored and sold for phishing attempts. You can use a new tool, Cisco Email Security Appliance, to identify graymail and safely unsubscribe from it.


  3. Use Self-Destructing Email with a Chrome Plugin

Google recently released a new Chrome plugin for Gmail that lets an email sender set a time limit on the existence of an email. After that time has passed, the email can no longer be read. The plugin works by using encryption, which the recipient of the email needs a key to decrypt. Once the plugin removes the key, the email can no longer be read by the recipient. This can be a useful way to control emails that contain sensitive information. However, it's important to remember that your recipient can still copy information from the email and store a copy of it. As such, while self-destructing email can be a useful part of an information security policy, you still need to think about the information you choose to share over email.


Protecting Your Email Security

Garland Heart can help you identify if your email communication is in line with industry best practices. Get in touch with us today to find out how we can help strengthen your information security program.

Phone us on (972) 429-8200, email us at, or use the contact form on our website to let us know how we can help you.

Topics: Risk Assessment, IT, cybersecurity, Security
