Blog

Is the Firewall Becoming Irrelevant? Here’s How to Move Forward

Posted by Nik • Aug. 27, 2015 • 0 Comments

Firewalls were created to protect and secure company data. Unfortunately, firewalls protect company data well only when it is kept within the confines of company networks. Today’s business data is rarely confined to the perimeters of a corporate network but is shared and transmitted widely through the cloud, presenting the firewall with some big security issues.

 

Keep Up With the Cloud

The massive popularity of cloud computing is one of the biggest issues for the firewall. The use of cloud-sharing applications and syncing devices leads to company data being scattered in multiple places. It is difficult to ensure that added security measures are put in place, and the network firewall goes unused because it is impossible to track its efficacy. The use of the cloud is not likely to diminish because employees are increasingly doing their jobs quickly and conveniently through sharing programs like Dropbox and Google Drive.

 

Even Advanced Firewall Systems Are Not Advanced Enough

The newest firewalls might be helpful in preventing certain devices from accessing certain applications in the cloud and keeping well-known bugs at bay. This is a good start, but most employees can still access these applications by using their own devices. This exposes the apps to security breaches even when an advanced firewall is in place. It is important to find a security solution that works with the cloud, not against it or in spite of it.

 

Keep It as Simple as Possible

If a security solution is too clunky or inhibits the productivity and accessibility of the cloud — the reasons why we all love it — people will find a way around it. Frequent changing of passwords and other security measures are important, but you should not encumber an efficient system with a security measure that decreases productivity. Instead, enable application use that protects sensitive data while keeping processes simple and effective.

 

Control the Flow of Data

Firewalls tend to interrupt the flow of data rather than smooth it out. Having a security measure that encrypts from start to finish on all devices helps to prevent gaps in compliance that can be an issue with remote work in the cloud. You should be able to block access to certain data when you need to and prevent access to encrypted files when necessary in order to maintain a high level of security.

 

Companies that are still using the firewall as one of the primary lines of defense are experiencing more security threats than those that have adopted other layered information security measures. Contact us for security consulting in the formal software selection process to ensure that your company maintains a high degree of protection against security threats.

CFOs Now View Cybersecurity as a Top Threat

Posted by Gaye Connell • Aug. 20, 2015 • 0 Comments

According to a new report by Deloitte, CFOs regard cyberattacks as one of the most worrying disasters that threaten to affect an enterprise’s financial well-being. In response to the Deloitte survey, 97 percent of CFOs of large firms in North America said that cyberattacks are the biggest threat they face.

 

The Significance of Cybersecurity

In light of the concern over cyberattacks, CFOs need to take a proactive approach to IT security measures. This must involve the establishment of a formal task force to identify weak points in the organization’s security systems and perform routine vulnerability assessments. It’s also important to have a third-party organization perform penetration tests to find out whether the security systems are vulnerable to outside hackers. Without this kind of testing, CFOs may remain blissfully unaware of weaknesses in their organization’s security, which could remain undetected up until they are exploited with devastating consequences. 

The Holistic Approach to Cybersecurity

Rather than fixating on individual cyber risks, CFOs need to recognize that their organizations actually face an entire “risk universe” of cyberthreats. Unfortunately, few CFOs currently demonstrate this level of understanding. According to the Deloitte report, 46 percent of executives think that a lack of understanding of risks and their potential impacts is the biggest obstacle to the development of an enterprise-wide cybersecurity strategy.

 

Weighing the Costs and Benefits of Cybersecurity Defense

Cybersecurity can be a major cost for a business but it also brings important financial benefits. Expanding your organization's IT budget doesn’t generate extra revenue, but it could save future costs as long as the money is spent wisely. Two security protocols that are almost certainly worth the investment are identity access management and authentication security.

 

Identity Access Management

Identity access management is an essential security technology for large and small businesses. It allows employees to securely access their data and devices by logging into a single centralized platform. Unfortunately, this kind of technology is only as secure as the password used to log in. The best identity access management systems require employees to use strong passwords, which include a mixture of letters, numbers and symbols. Some solutions even have secure systems for remembering the passwords on behalf of their users, which makes them easy to use.

 

Authentication Security

CFOs who recognize the need to go beyond using simple passwords to protect their organization’s data may consider using multi-factor authentication security technology. This uses not only a password, but also a second means of authentication to verify the identity of a user.

 

Help with Cybersecurity for CFOs

Need advice regarding cybersecurity for your organization? Get in touch with Garland Heart today to find out what kind of help is available to you.

A Closer Look: How Secure Are Account Recovery Security Questions?

Posted by Nik • Aug. 14, 2015 • 0 Comments

While businesses attempt to protect private and sensitive information from cyber attack in many ways, one of the most common methods is passwords. Passwords are considered a good strategy for protecting information on devices and Internet-based accounts because they require specific knowledge to gain access. 

The drawback to using passwords for identity access management, however, is that they are often forgotten. Companies commonly deal with password recovery by using recovery questions that, when answered correctly, allow a user to obtain or change a forgotten password. But are account recovery questions secure?

While it might appear that security questions are a smart way to keep information safe, a recent Google report shows that most answers to access questions are very easy to guess, making them a vulnerability when protecting identity and information. Not only are they ineffective in adding a second layer of protection, they are not even an effective recovery strategy for people who forget their passwords.

 Secret-questions-graphic

What Makes Security Questions Unsafe?

One of the main reasons security questions are not particularly safe is that the answers are remarkably easy to guess. According to Google's report, someone attempting to break into a password-protected account would have a 20 percent chance of correctly guessing that the average English-speaking user's favorite food is pizza and a 40 percent chance of guessing the birth city of a Korean user.

 

What If Users Choose Trickier Answers?

Many users believe that if they lie about their recovery answers — and about 37 percent of people admitted lying — the answers will be harder to guess. Unfortunately, just the opposite happens. When people lie to make answers harder, they do so in a very predictable way. Research shows that account recovery answers tend to either be very secure or very easy to remember — and rarely both — making them an inconvenient and clunky authentication method.

 

Does Adding Multiple Questions Help?

Some companies use a multi-question recovery process to further protect identity access. In reality, this strategy is quite helpful when it comes to protecting accounts. Again according to Google, while an attacker's chance of correctly guessing an answer to one question is 14.6 percent, the rate drops to about 1 percent when a second question must be answered. One drawback is that when there are two account recovery questions, users also have a harder time remembering both of their answers; the likelihood that they remember drops from 75 percent to 59 percent.

Passwords, if used thoughtfully, can be safe, but the smartest and most secure approach is using one-time codes to protect information and identity access from any of the growing number of cybersecurity risks. By sending codes via text message or email that can only be used once for a login, companies can ensure only legitimate users are logging into accounts and systems, and that no information ends up in the wrong hands.
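The single-use property described above, as an added example that is not from the original post: a minimal in-memory store that issues a six-digit code, accepts it exactly once, and rejects it after expiry or too many wrong guesses. The class name, the five-minute lifetime and the five-attempt limit are assumptions chosen for illustration; delivery by text message or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative policy values (assumptions, not taken from the article).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


class OneTimeCodeStore:
    """Hypothetical in-memory store for single-use login codes."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # user -> {"salt", "digest", "expires", "attempts"}

    @staticmethod
    def _digest(salt, code):
        # Keep only a keyed hash so the plaintext code is never held in storage.
        return hmac.new(salt, code.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for `user`, replacing any earlier one."""
        # secrets (not random) gives a cryptographically strong value.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # the caller sends this by text message or email

    def verify(self, user, submitted):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        entry = self._pending.get(user)
        if entry is None:
            return "no_code"
        if self._clock() >= entry["expires"]:
            del self._pending[user]
            return "expired"
        entry["attempts"] += 1
        candidate = self._digest(entry["salt"], submitted)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, entry["digest"]):
            del self._pending[user]   # single use: a replayed code finds nothing
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]   # stop guessing against this code
            return "locked"
        return "wrong"


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice@example.com")          # constructed sample user
    print(store.verify("alice@example.com", code))   # first use
    print(store.verify("alice@example.com", code))   # replay of the same code
```

The attempt limit matters as much as the single-use rule: without it, a six-digit code can simply be guessed within its lifetime.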

Do you want more information about how to keep your company's information safe? Get in touch with us at Garland Heart, where we offer a wide range of clients and organizations IT security solutions to ensure their information remains confidential and protected.

 

 

Image courtesy of Google.

5 Critical Standards for Secure Data Encryption

Posted by Gaye Connell • Aug. 6, 2015 • 0 Comments

Data encryption is a crucial part of any organization’s security policy. In addition to putting the right technology in place, adhering to data encryption standards also means educating employees about the importance of data security. Use the following five critical standards for secure data encryption to keep your organization’s data safe at all times.

 

1. Stay Consistent with Corporate Security

Company guidelines regarding security are there for a reason. There are many situations in which encryption makes sense, such as the storage and transmission of sensitive information. Review your organization’s current security policy to find out what sensitive information exists, and then use the location and nature of that sensitive data to create a solid foundation for your encryption strategy. Throughout the design phase, keep in mind all compliance regulations in your industry, and don't forget about your client’s industry as well. This might be the most important (and overlooked) concept as it could lead to controls, gaps, and/or client-specific policies you have not put in place. If you provide services for clients in different regions, remember that compliance regulations can vary among countries and states.

 

2. Keep Humans in Mind

Remember that humans have to interact with your security systems, so avoid making your program so invasive that it interferes with how users interact with the network. If you have a Bring Your Own Device (BYOD) policy in your organization, highly invasive security policies could encourage users to bypass the corporate network entirely, which is bad news for the safety of your data. Many security breaches result from employees not abiding by company policy, so try to make your security systems as unintrusive and easy to use as possible. It also could be beneficial to remind employees why a control is needed in the first place through training or education. It might help relieve a little of the frustration.

 

3. Decide What Really Needs to Be Encrypted

How much of your internal data is truly sensitive? Encrypting everything on the network can impact productivity, reduce the functionality of internal systems and interfere in the coordination of tasks. It can even lead to a lax attitude toward security if employees start to see company policy as overly strict.

 

4. Address the Cloud

The amount of data stored in the cloud has increased tremendously over the last few years, posing challenges to organizations that are concerned about data encryption. When designing security policies for the cloud, remember that end users have certain expectations about the accessibility of cloud data. With this in mind, you should encrypt only the data in the cloud that really needs to be secure, as encryption of all cloud data would be time-consuming and result in a clunky user experience. You should also ensure the cloud service you are using has the appropriate controls and security best practices in place if you are going to utilize it for sensitive data. 

 

 

5. Adopt a Holistic Approach

Data encryption is not the only aspect of a solid security program. True security involves bringing users on board as assistants to the security program rather than regarding them as the enemy. As you design and develop your security policies, maintain an open dialogue with users regarding their needs.

Need help designing a security policy that balances the needs of users with secure data encryption? Get in touch with Garland Heart today. We can help you to develop a security policy that works for your organization.

Topics: cybersecurity, Security, Corporate

New Website Domain Name Could Improve Network Security Systems for Banks

Posted by Gaye Connell • Jul. 30, 2015 • 0 Comments

Pressures upon financial services organizations are rising today more than ever. Customer loyalty is more important to banks now than in the past, but with growing concerns over information security measures, it’s getting harder and harder to keep customers happy. Many banks are placing a lot of emphasis on modernizing their systems by updating how they utilize technology in big ways. One popular method involves changing their website domain name in order to make their sites more secure.

 

Extra Security Through Domain Name Switch

The risks of downtime and malicious attacks are typically much higher in the financial services industry than in others, and so banks must be constantly vigilant for any new, existing, or upcoming security threats. The new .BANK top-level domain was introduced to help fight online scams and hacking. It’s available only to the banking community, and allows banks to change their domain name from CommunityBank.com to CommunityBank.bank.

Half of all Internet users receive one phishing email every day, and their bank account information is generally at the heart of these online scams. We need a solution for this problem, and using a .BANK domain is an important way to deliver a more secure internet experience. With so many domain endings available around the world, a .BANK domain can make it much easier for a customer to trust his or her banking information to be safe online.

 

Barclays Bank Domain Change

Barclays Bank is one of the largest banks to have recently made the shift from Barclays.com and Barclaycard.com to .barclays and .barclaycard. The bank will be able to set up websites using these addresses, thereby making it clear to the user that he or she is engaging with a genuine Barclays site, and not a scamming or a phishing site.

 

Protecting Your Customers

It’s crucial to do as much as you can to make sure you protect your customers’ finances and their personal information in order to keep them safe, loyal and happy. This can certainly begin with considering a domain name change – which might be a new standard in the banking industry within the next year. But banks also have to be sure they are fulfilling enhanced security requirements, such as enabling DNSSEC on the new websites, publishing valid email authentication records, deploying enhanced encryption standards and more. Embracing these new improvements in network security is sure to help improve the customer experience and make a website more trusted, protected and secure. 

Contact Garland Heart to discuss our range of proactive compliance and security services that can help make your organization more compliant and secure. With some of our innovative solutions, you can rest assured that you or your customers won't fall prey to online scammers.

Topics: Banks, Info Security, Finance

Apple Improves Device Security iOS 9

Posted by Gaye Connell • Jul. 23, 2015 • 0 Comments

One of the best ways to ensure the security of your information is keeping your software up to date. Hackers are continuously looking for opportunities to get your data, so trying to outwit hackers requires continual alertness. Keeping systems current helps, because vendors issue patches to fix the latest known bugs.

Apple's new iOS 9 goes beyond patching known vulnerabilities. The new iOS adds features that provide important security enhancements for users who spend hours working online from their iPhones with iCloud and email.

 

Stronger Passwords

Although some devices are protected by fingerprints, most iOS devices are still unlocked by passcodes. A passcode of four digits yields 10,000 possible combinations. According to Intego, a Mac security firm, a brute force attack (one that simply tries each possible combination) can break four-digit passcodes within 17 hours.

With iOS 9, passcodes can now be six digits long. This means there are one million possible combinations instead of 10,000. While brute force attacks are still possible, the time to crack a password is proportionally increased as well.

 

Protect Cloud Access from Unknown Devices

Another computer-network security improvement in iOS 9 will protect your iCloud account from logins from an unknown device. The "new" enhancement, two-factor authentication, has been around for a while, but we are glad to see it adopted here. Now you can require a second means of proving identity in addition to just relying on your password.

In iOS 9, when someone tries to log into an Apple account from a device that's not associated with it, a verification code will be sent to a phone or device previously registered to that account. This lets the account owner confirm that the new device should be allowed to access the account. 

This function also provides an early warning system if someone is trying to break into your account. In that case, the verified owner who receives the confirmation code can block access from the unknown device.

 

Configure Devices for Security

All too often, we as humans are the weak link in online security. Users fall for phishing emails, lose their phones and fail to change default settings to enable stronger security. To make sure your iOS devices are as private as possible, make sure you review these settings on every device: 

  • Set passcodes to six digits.
  • Check each application's privacy settings to make sure you're not uploading data unnecessarily.
  • Set up Find My iPhone to help you recover a lost device.
  • Always require a password for app purchases.
  • Turn off location tracking for apps that don't need it.
  • Set a shorter expiration date on voice and video messages.
  • Strengthen your default Wi-Fi hotspot password.
  • Turn on biometric security to require a fingerprint to unlock your device.
  • Disable message preview on your lock screen.
  • Shorten the auto-lock time.

  

Get Help Keeping Up with Security

Companies need to stay focused on cybersecurity, but technology changes fast. To keep current with the changes that affect your online security, contact Garland Heart. Our experts can identify the best information security tools and software risk management practices for keeping you safe.

Topics: Security, Corporate

How to Build a Stronger Compliance Management Program in Your Bank

Posted by Nik • Jul. 16, 2015 • 0 Comments

While a successful and robust compliance management program in banks has a few basic components, there are no “one size fits all” rules. However, here are the vital elements that make up the backbone of an effective compliance management program.

  1. Internal Control – Such control is two-pronged. It evaluates whether compliance management solutions accomplish the expected goal and checks whether the procedures are being regularly enforced.
  2. Training – Learning keeps employees up-to-date on consumer protection rules and regulations, and your bank’s products and services. Regulatory compliance should become a habit, not something implemented just before an audit.
  3. Policies and Procedures – Sometimes, your bank may be required to follow multiple compliance standards – some of which may oppose each other. In such instances, it is important to have set guidelines as to which standard to follow and who makes the final call.
  4. Information System – An enterprise-wide, centralized, and standardized solution can help key players in your bank better manage and track the relevant data regarding compliance: internal audit results, steps taken to tackle policy and compliance issues, etc.

The level of importance of each of these elements may differ, depending on your bank's specific requirements. It can also vary based on particular requisites during a specific time frame and the risk level. For instance, training will become the number one priority if your bank has a continuous string of new products and services to offer.

 

Tailor the Compliance Management Program to Your Bank

Evaluate your current compliance management program. See how your bank copes with the latest trends in the market place. Integrate new legislation into your bank’s regulatory compliance policy. Assess the risks in your bank’s main activities.

Compliance should be part of your bank’s strategic plan – work it into all your business decisions. You should appoint a compliance officer with the authority and qualifications to make decisions, with the understanding that accountability for such decisions is a major part of the job description. If the experience is not there, then ensure the compliance officer has additional support and/or gets the training needed to ensure the bank isn't left exposed.

Make a compliance risk management program a part of your bank’s daily operations. Keep it strong but flexible enough to accommodate changes. It is important to understand that there are instances when compliance standards may have to be overlooked, but in such cases, that decision should be made only after a thorough risk assessment study has been done.

 

Test and Review

It is difficult to stay focused on compliance every single day; the trouble is, this can soon become an unhealthy habit. Regular quality control checks and internal audits will help curb such an attitude. Conduct a critical study of the findings of internal audits. Ask your auditor and your compliance officer if they can identify the causes behind their findings. Their insights can be very helpful in both pinpointing the root cause and troubleshooting as you move forward in creating a culture of compliance. Armed with this information, take immediate steps to address the issue. If you need help finding the right compliance support for your bank, Garland Heart can help.

Topics: Compliance, Banks, Finance

Wearables in Health Care: How to Ensure Cloud Information Security

Posted by Gaye Connell • Jul. 9, 2015 • 0 Comments

As you must with any new technology, your health-care practice needs to consider information security issues when moving to wearable health-care monitors.

Using cloud computing, these devices connect patients with your practice, which comes with network and information security risks that must be addressed. Risk management can help you take advantage of the benefits wearable health monitors offer, while protecting your practice and patient data.

 

Ubiquitous Health-Care Wearable Devices

Wearable devices that monitor health care are popping up everywhere. Great for managing treatment, these devices can monitor things like blood pressure, heart rate, exercise and much more. Benefits of using these devices include reducing costs in monitoring health and improving diagnoses. Some of this wearable health-care technology is even built right into the new Apple iOS software and smartwatch.

 

Cloud Integration Convenience Versus Security

While it is important for health-care professionals to have access to the information collected by wearable devices, it's equally important to keep this data secure. Patient health-care data is some of the most private information you hold.

The issues of highest concern include:

  • Violations of privacy – When patient data is mishandled, it can cause information-security violations. This can result in civil and criminal penalties resulting from failure to comply with HIPAA and other regulations.
  • Disruptions in syncing to the cloud – Since these wearable devices are transmitting important medical data to health-care providers, any problems syncing to the cloud can become very dangerous. If your phone does not sync your photos to the cloud, you can just wait until tomorrow. However, if your health monitor doesn't send its data to your doctor, it can be a matter of life and death.
  • Valuable medical information can be sold for insurance fraud – Another growing problem is the misuse of medical data for insurance fraud. For this purpose, criminals break into medical offices and hack databases to steal medical information. With the growing use of wearable health-care monitors, there is the possibility of devices intercepting transmissions to acquire medical data.

 

Maintaining Security while Retaining Advantages

There are a few things we can do to ensure security while taking full advantage of the benefits offered by health-care wearables. First, be sure to purchase wearable health monitors that are designed for security. Second, share best practices of software risk management among other health-care professionals. Third, collaborate with designers and manufacturers of wearables and health-care software to improve security of patient data. It's important to be able to openly discuss any security issues as well as the transmission of health data. Finally, ensure that you have appropriate physical and data security controls in place that align with current best practices. This will help your office stay ahead of data breaches and keep patient information as safe as possible.

Wearable health-care devices offer a number of benefits that can greatly improve patient care. It's essential to consider information security when bringing wearable health devices into your practice, and Garland Heart can help.

Topics: Info Security, Healthcare

3 Key Compliance Management Trends for Community Banks

Posted by Nik • Jun. 26, 2015 • 0 Comments

Community banks can improve their compliance management processes in three simple ways. Begin by reviewing and strengthening existing corporate compliance program policies. Then move on to building a culture of compliance within your organization. These tasks will require some effort from managers and board members, but don't cost very much money. Compliance management tools are the one component that can require an outlay of funds, but the cost is minimal when compared with alternatives that are prone to errors and difficulties.

1. Creation or strengthening of a corporate compliance program

It is very important for banks to have consistent enterprise-wide compliance processes in all areas of the company. To ensure your bank has a good corporate compliance program, go through each area of your regulatory compliance structure. This includes procedures, policies, reporting, monitoring, and assessment. Checking that each of these areas has consistent processes in place can not only help your bank avoid enforcement actions, it can also correct weaknesses and reduce risk before it becomes an enforcement issue.

While enterprise-wide compliance software can be very helpful, it's important to begin by identifying potential problems in order to determine the best solution for your company or enterprise as a whole. You will need to consider time, experience, perspective, and budget constraints, as well as adequate staffing and current job expectations. Your people are key.

It's very common for enterprises using compliance software to bring in external experts to manage the system or provide additional information. Typically, a person inside your company will not have the time, resources, and information that an external consultant can bring to the program.

 

2. Fostering a "culture" of compliance

It's important to get away from the “project” mentality that most banks and other companies bring to corporate compliance programs. Instead, a "culture" of compliance helps to move away from the one-off mentality that goes with projects and toward an ongoing process view of compliance. 

The landscape is shifting toward a focus on higher security and compliance regulations. This makes it clear that banks must be prepared to provide tight compliance at any time. Rather than implementing compliance tasks in an inconsistent and reactive manner, there needs to be a shift toward uniform processes and more well-rounded policies.

The board of directors at your bank must have compliance management at the forefront of their policies in order to signal its importance to employees. Additionally, you must reward employees for staying on top of compliance goals. The whole organization needs to continually look for areas to improve.

 

3. Simple compliance management solutions

It might become harder for banks to manage regulatory compliance manually with the changing regulatory landscape. Having lots of paper and humans involved in the process leaves the possibility for many errors and difficulties. Moving toward an outsourced compliance management process can alleviate these problems.

With a compliance management regulatory expert (offered by Garland Heart) or an outside security consultant, employees won't have to learn multiple programs. This will benefit your bank in terms of saved training costs and reduced risks associated with errors.

It is very important to keep the process simple. An automated system can sometimes make it even more complicated when multiple programs are used and required to interface with each other. If you need any help selecting the right compliance management support for your bank, Garland Heart can help.

Topics: Compliance, Banks, Finance

Change Could Be Coming in the Legal Landscape for Cybersecurity Risk

Posted by Gaye Connell • Jun. 18, 2015 • 0 Comments

Bills being passed by the House of Representatives, recent data breaches at major companies, and cybersecurity becoming a main focus of the SEC all suggest that the federal government may be prepared to change the legal landscape for cybersecurity risk. Even the President's 2015 State of the Union address featured cybersecurity proposals that signal how big a focus this is becoming for the executive branch.

 

The SEC may increase cybersecurity regulations soon

The federal government is poised to expand its regulations for companies with regard to cybersecurity risk. This is no surprise after the huge cyber attacks of 2014. Just look at the recent data breaches at Target, Sony, and Home Depot. The signs that suggest this change is coming include:

  • Recent bills passed by The House of Representatives
  • The way these bills will impact companies
  • An increased focus on cybersecurity by the SEC

 

Bills passed by The House of Representatives

Just this past April, two new bills were passed by the House which will further encourage companies to share cybersecurity-related information with the government. One of the benefits these bills promise for companies that open up their cybersecurity logs is protection against liability – provided the company continually checks its network for cybersecurity threats. Both of these bills are headed for the Senate, and they have a very good chance of passing there as well. These bills will set up a framework for companies to communicate information about security measures taken against cyber attacks with government agencies and other corporations.

 

How do these bills affect my company?

By allowing companies to share information directly with civilian federal agencies or the Department of Homeland Security, many more businesses will be involved in cybersecurity risk and information security. These bills are very likely to pass in the Senate. Legislators are feeling pressure to take action after the recent cyber attacks and these bills offer a way to address those concerns. If you aren't already involved with cybersecurity risk and information security in your company, get ready. As these changes go into effect, your company will need legal guidance with regard to which documents can be shared, how, and with whom. Opening up this information can be very helpful when addressing cybersecurity concerns, but there are always legal concerns when this much information is shared with people outside your company.

 

More of a focus on cybersecurity from the SEC

In March 2014, the SEC had a round table discussion to help them gather information and consider the next steps to address cyber threats. This past January, reports suggested that the SEC is now considering additional regulations which will require public companies to disclose information about cybersecurity threats and vulnerabilities.

 

As you can see, from The House of Representatives to The Senate and even the Securities and Exchange Commission – the federal government is getting ready for some major legislative changes with regard to cybersecurity. You can contact us at any time to discuss the changing legal landscape for cybersecurity risk.

Topics: cybersecurity, Corporate
