Blog

Why Aren’t Corporations Focusing More on Cybersecurity?

Posted by Gaye Connell • May. 20, 2015 • 0 Comments

With all of the recent news around cybersecurity vulnerabilities at large corporations, it's surprising that companies aren't putting more focus on preventing these incidents. Recently, many corporations -- including Target, Home Depot and Sony -- have suffered significant data breaches. Experts say that the frequency of these attacks is likely to increase because the technology to prevent a breach costs more than the breach itself. This may be true in monetary terms, but the damage to customer relations could be immeasurable.

Your digital information is clearly and inherently vulnerable to hackers. Improving security practices and plugging holes in security systems seems like the obvious solution; preventing identity theft and financial loss should be easier than trying to fix the damage after the fact.

However, your organization's perimeter has too many access points. This exposure occurs because not every access point can be easily identified, which makes it difficult for you to monitor all of them.

So why aren't companies doing more to protect themselves?

 

Why Security Isn't Airtight

Corporations suffer great losses in the case of a breach, but these losses are often minuscule compared to their overall revenue. It's easier for companies to write off the losses than it is to spend significant resources establishing complex defense systems. 

According to Target’s 2014 financial release, when the company lost 40 million debit and credit card numbers plus an additional 70 million customer records, the cost incurred was $105 million after insurance coverage and tax deductions. Although this certainly seems like a substantial sum, it only represented 0.1% of the company's 2014 revenue. Similarly, the 2014 Home Depot cybersecurity breach only cost the company 0.01% of their annual revenue.

 

What About Other Costs?

Breaches in cybersecurity also have more intangible implications. In particular, the opinions and buying decisions of these companies' customers seem likely to be affected by the news of the vulnerability and any inconveniences experienced by the customer -- for example, having to replace credit cards or having to sign up for identity theft monitoring. 

However, the impact of these costs on large companies is difficult to ascertain. Ultimately, if the number of cyber attacks continues to increase, consumers may start to expect that all corporations are inherently vulnerable. If that's the case, then the strength of a large company's cybersecurity defenses may not have a noticeable effect on buying decisions.

Smaller companies, on the other hand, need to be more wary and implement excellent measures to mitigate cybersecurity risk. If a company's revenue stream is limited, its ability to absorb the financial impact of these sorts of vulnerabilities is considerably restricted. Moreover, a smaller company may suffer more if a certain percentage of its customer base stops using its services or products -- especially if those customers happen to be from the highest-spending tier. The bright side of smaller companies like community banks, however, is that cybersecurity is typically stronger, as they aren’t on the front pages of newspapers and they are more in tune with their data points, exposures and environment. In many cases, smaller companies have actually implemented more best practices than other industries because of the inherent regulatory process.

 

The best way to protect your company is to do a thorough audit of your network and restrict perimeter connections as much as possible. Although this can be a time-consuming process, the benefits to your business are immeasurable. If you're not sure where to start, getting advice from an experienced IT security consulting professional may be a great first step.

What are your thoughts on the recent wave of cybersecurity breaches and their impact on companies? Share your perspective in the comments below. Also, feel free to download our free eBook for more information on reducing cybersecurity risk in your institution.

How to Outsmart a Hacker

Posted by Gaye Connell • May. 12, 2015 • 0 Comments

Every time new IT security solutions are devised, hackers find new ways to break into systems. Traditional cryptographic and protocol approaches to security are no longer providing companies with sufficient protection. This is evident in the frequency of recent data breaches. It is also clear that consumers are routinely given a lot of outdated and inadequate advice. 

Although it's true that long and unique passwords can provide a certain amount of protection, as can updating your local software and installing secure firewalls and antivirus programs, there is still much more you can do to fend off hackers.

 

Always Assume You Are Vulnerable

Assuming you are vulnerable to hackers keeps you on your toes. Companies can’t realistically prevent every employee from clicking on email attachments or opening legitimate-looking files sent with the intention of phishing. Without this type of control, companies have to assume a certain amount of vulnerability. This doesn't mean your system can or will be hacked, but you should take an active role in keeping your data as safe as possible.

 

Don't Focus on Secrecy

Don’t put all of your focus on keeping your data secret. Even tightly guarded secrets are hard to keep. It is much safer to make the stolen information useless to the hacker. By using codes or double encryptions, it's harder to abuse the information collected. When you focus more on making the information difficult to misuse instead of keeping it secret, it won't matter who has access to your data.

Keep in mind that at some point the human element could take over. This could be an innocent mistake or a misunderstanding, but it could happen. Be prepared for this situation by continually training and educating your staff on company IT policies and security protocol. Every person in your organization needs to play their part in ensuring the security of company data.

 

Use Advanced Security Methods

Advanced security methods can be surprisingly simple to implement, but if you have any trouble putting these methods in place, get help. The team of experts at information security companies can train you and your employees to implement advanced security methods, or install them for you.

Although all of your confidential data is important, the most sensitive information and programs should always use dual-factor authentication methods. Also, look at how software accounts and employee accounts are linked. Consider having a penetration test or a vulnerability assessment to ensure some savvy hacker isn't able to use unidentified vulnerabilities within your external and/or internal network as a back door exploit to your data.

 

Most importantly, train employees, clients, and customers in understanding what sensitive or important information is. That way they have a better understanding of what not to disclose. Please feel free to contact us for more information about how to outsmart a hacker and stay secure! Also, check out our free webinar on how to protect your company against social engineering!

3 Innovative Security Strategy Tips for Healthcare Organizations

Posted by Gaye Connell • May. 5, 2015 • 0 Comments

As you can see from recent security breaches, any organization can fall victim to a hacker. Keeping sensitive information safe takes careful planning and constant updating. You need to assess your organization's risk level and use the latest encryption technology to store data and transfer data among various facilities. Healthcare organizations are as vulnerable to hackers as any other company. IT security solutions can minimize these risks and keep your sensitive data safe from potential hackers.

1. Be Prepared for Upcoming Audits

Recent updates to HIPAA Rules, which are designed to protect the privacy of individuals, include a mandatory audit. Familiarize yourself with what an audit entails so that you can present the information required. Generally, these audits will include the records of everyone involved with your organization such as medical billing companies, software vendors, and other business associates. Make sure your records are accurate and up-to-date.

Ensure you are properly prepared for a compliance audit at all times by establishing and assessing the policies and procedures required. This includes having a well thought out incident response plan. Healthcare organizations need a comprehensive incident response plan in place to avoid accidents like misplaced private data, which could lead to security breaches. 

 

2. Assess Your Security Risk

Assess your security risk by analyzing what has been done within your healthcare organization so far. Determine how and where data has been stored, shared, and transferred. Also, find out how the system is set up. Once you understand the system and how it works, you will be able to identify existing and potential holes in security, and fix them before they become a problem. 

If this sounds too overwhelming, contact Garland Heart for advice and assistance with strategic security consulting. An experienced IT consultant can help assess potential risks and find simple solutions to plug any holes.

 

3. Utilize Security Services and Technology Used for Encryption

Private healthcare information might be shared with medical researchers, pharmacies, and other healthcare organizations. By sharing information, patients can have prescriptions filled or renewed at different pharmacies, researchers can monitor the effectiveness of treatments, and other healthcare organizations can access a patient's records to check for allergies or underlying medical conditions. Although the practice of sharing information is beneficial to the patient, it should be limited to as few outside parties as possible.

With the implementation of each new healthcare technology, it’s important for you to reassess security policies. This includes how information is encrypted, where it is stored, and how it is transferred to outside parties. Optimize your security services to identify risks and protect electronic health information.

Feel free to contact us for more information, advice, or cybersecurity solutions! To learn more about different types of information security, check out our free webinar on social engineering.

Maintaining Security in the Era of Digital Currency

Posted by Gaye Connell • Apr. 28, 2015 • 0 Comments

Digital currency services allow for low-cost and efficient money transfers through highly secure channels. This technology helps transform the way people make online purchases, share money, and conduct e-commerce. Although you take advantage of numerous benefits, it is still important to protect yourself and your business. The following article will inform you of digital currency service developments and how to utilize this technology in the safest manner possible.

Digital Currency Platforms Gaining in Popularity

Services like Venmo, Paypal, and Facebook have expanded the popularity of digital currency transfers and led to their widespread use. This technology offers you the following:

  • No merchant fees, helping to increase a company’s bottom line
  • No intermediaries, which means there are fewer chances for fraud
  • No disclosure of personal financial data at time of purchase, making it safer for you to use

It is important, however, to know the difference between the currency transferred via those popularized services and the currency of Bitcoin. Bitcoin is a digital crypto-currency whose value is determined by how much people are willing to use it, similar to many currencies in the real world. But unlike currencies exchanged using Paypal and Venmo, it is unregulated by a central bank.

 

Understanding the Benefits Versus the Risks

Digital currency transfers have evolved into a highly secure method for your online business transactions. At the March 2015 Florida International Bankers Association’s Anti-Money Laundering Compliance Conference, Gene Truono, chief compliance officer at PayPal, noted that digital currency is similar to paying with cash. He discussed that while there are risks to you with this transaction form, these risks are comparable to the ones associated with any currency.

Furthermore, digital money transfers allow for anonymity, timeliness, and extremely low currency costs, making digital money transfers an attractive option for your cross-border commerce.

However, risks are inevitable, particularly in the online black marketplace. While most digital currency security breaches deal with Bitcoin, such as the recent $20 million heist involved with drug marketplace Evolution Market’s exit from the darknet, conscious consideration of risk is necessary with any digital currency transfer.

At TechMecca, an annual financial institution technology conference and expo in Dallas, several keynote speakers explained risks involved with digital currency and the potential downfalls of digital exchange tools. Despite the benefits, these services can take away revenue from traditional banks and move them further away from their customers.

 

Be Smart and Stay Secure

The first step to ensuring your security is to keep your money offline. This step basically means turning off your device when not in use and storing your digital currency apps in a password-protected hard drive. This is the equivalent of not leaving your money hanging out of your wallet or purse, and it helps add a layer of security.

When using digital money transfer services, keep your login credentials and passwords secure and complex. Select difficult-to-guess passwords, and try to make each password unique for each service you use.

Furthermore, it is important to ensure that news reports and skeptics don’t deter you from experiencing the benefits of digital currency. These services are well-established, and they continue to provide convenient and low-cost transaction methods for millions of people and businesses worldwide. Keep your wits about you, and treat digital currency the same way you treat any other currency. This focus will ensure you continue to have a positive experience with digital currency transactions.

Digital currency technology is expected to advance further, opening up opportunities to make purchases from mobile phones, personal computers, and even tech wearable devices like smart watches. Businesses and individuals, embracing this technology as it develops, will be poised to gain from these advances in the future.

If you have any questions or would like to know more about secure digital currency, please feel free to contact us -- we would love to chat with you. 

Good reminder for Vendor Risk Management

Posted by Wade Clem • Apr. 23, 2015 • 0 Comments

Although this article in Consumer Compliance Outlook is a little dated, it comes as a good reminder regarding your vendor risk management. Over the last couple of years we have noticed a continued effort by examiners to increase their own due diligence towards financial institutions' understanding and management of their vendor programs. A direct quote that stands out to me is:

"...bank management should always conduct due diligence with every vendor prior to entering into a third-party relationship, develop a risk assessment of the proposed vendor processes, and understand the vendor activities. Bank management must fully consider the compliance implications associated with these new products and services." 
 
While in some enforcement cases fines and MRAs are associated with penalties, others have recently been given cease and desist orders in light of a lacking Risk Management Program and must provide quarterly updates to the FDIC and the OCC respectively.

Topics: Vendor Management

What You Need to Know About OpenSSL’s Security Updates

Posted by Gaye Connell • Apr. 21, 2015 • 0 Comments

The latest round of security fixes to OpenSSL’s software was released on March 19th, and addresses a variety of issues. Here’s what you need to know about the updates:

What’s Included in the Updates?

The fixes are spread across 12 security patches and address several security flaws that the OpenSSL Foundation — the software's non-profit developers — rates as “high severity.” Only one of those flaws is a recent discovery, with the rest having been at least partially addressed in previous updates.

The software’s development team has also continued to ensure that previous fixes in place for the Heartbleed bug and more recent FREAK flaw remain effective, though most of the actual software updates have been in place for several months already.

Who Do These Updates Affect?

The OpenSSL software has a remarkably high use-rate across the world, due chiefly to its ease of implementation and open-source nature. If you spend any time on the internet, as both a consumer and a business, you’re undoubtedly in frequent contact with OpenSSL, even if you don’t use it for your own website.

Additional high profile users of the software include Facebook, Google, Yahoo, and a significant portion of state and federal government departments.

Why Does It Matter?

In April of 2014, the computer security industry was rocked by the discovery of the Heartbleed bug, a major vulnerability in OpenSSL that could have allowed attackers to break encryption protocols and gain access to secured systems.

After discovery of the Heartbleed bug in OpenSSL’s architecture, experts were shocked at the severity of the flaw, and asked why it had taken so long to detect the problem. In reply, OpenSSL Foundation founder Steve Marquess posted a blog explaining that the team responsible for the software is small, and operating on an even smaller budget. At the time, only four employees were responsible for the entire codebase. As Marquess pointed out, “…the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.”

In response to his call for funding, the Foundation has received increased financial support from within the tech industry, allowing it to more aggressively track down security concerns. It has vowed to put the funding to good use, and seeks to repair any damage to its reputation caused by the events of the last year. This includes the more recently discovered FREAK flaw, which could have allowed encrypted data to be eavesdropped on.

Looking to the Future

Industry experts have largely approved of OpenSSL’s recent efforts, so it appears that the increased funding has improved the situation. You can expect a continued uptick in security updates from the Foundation, so it’s important to develop a good routine for applying those patches to your systems, if you haven’t already. A great way to validate your current security on OpenSSL is a penetration test, which is engineered to analyze your online presence through a thorough review and documentation of all of your institution’s information on the Internet. It characterizes your network and firewall, and identifies potential online security weaknesses. Contact Garland Heart today for more information on a penetration test to ensure the highest level of security possible!

Why Your Small Business Needs Identity Access Management

Posted by Gaye Connell • Apr. 17, 2015 • 0 Comments

Identity Access Management is a transformative security technology with a centralized system to keep employees and devices on your network private and secure while also ensuring that passwords are optimized for efficiency. That’s why Identity Access Management is becoming prevalent in small businesses as a low-cost, long-term solution to many major security issues present in today’s web environment. If you’re a small business owner, it’s time you became familiar with the benefits of this technology to decide if it’s right for your own company.

Small Business Security Challenges

Small businesses are often growing and regularly adding applications, data storage and new devices. Unfortunately, each new device or application added can raise the risk of data leaks or security breaches. Devices and passwords can be stolen or compromised, leading to further security breaches throughout a network. This is especially the case with Bring Your Own Device (BYOD) workplaces, which often have disparate devices across multiple platforms. Incorporating these devices into a secure format appropriate for the workplace can be daunting without a strong security system in place.

To limit your exposure, Identity Access Management from a third party can help you keep all your data together in one place and ensure that your employees access data and devices from one centralized platform. This makes it easier to set up new accounts or audit employees and their devices. It also allows for administrators to instantly add or remove privileges for employees based on their status within a company.

Secure Data when Employees Leave

Identity Access Management is not only about offering security. It also provides an increased level of convenience, allowing your business to seamlessly integrate new devices, applications and even new employees without having disparate account information and numerous passwords written on sticky notes across your office. A cloud-based SSO system ensures that each person only has one password to remember. This single password is then applied to numerous devices, applications and web-based services.

It’s a straightforward process to remove a user from your system when he or she leaves the company. Essentially, an Identity Access Management system provides an easy-to-use interface that helps monitor employee account information from the beginning to the end of their involvement in the company.

Effective Deterrence Against Simple Passwords

Unfortunately, when it comes to security, people all too often default to using passwords that are easy to remember. Identity access management helps resolve this problem by requiring employees to have more complex passwords and pass phrases, and the best part is they don’t even have to remember every single one. Identity Access Management helps facilitate and automate electronic identities throughout a network, and it increases compliance with existing security policies.

 

Ultimately, Identity Access Management can help small businesses keep track of their employees, help their security needs scale with their business, and allow them to streamline passwords and login credentials as a company grows. For more information on implementing Identity Access Management, contact us today! We would be happy to answer any questions you may have.

How to Protect Against Employee Data Exposure in Your Legal Firm

Posted by Gaye Connell • Apr. 7, 2015 • 0 Comments

Employee data exposure in the legal industry can leave employees vulnerable, lead to identity theft, and jeopardize the integrity of a legal office. That’s why it’s important for you to take the necessary steps to protect against data exposure as well as understand the techniques hackers use in order to implement successful countermeasures. This article will explore what you need to know about employee data theft and the best defenses to implement in your own law office.

 

The Danger of Social Engineering

Often, the most common reason employee data is exposed in the legal industry is user error. Hackers know how to exploit this, and often employ social engineering techniques to obtain employee data.

One of the most highly effective social engineering methods is known as pretexting, which involves a hacker using deception or lies to appear as someone who should have legitimate access to confidential information. In some cases, this might mean they impersonate a law office staff member or a legal authority that should have access to the information.

Another method is baiting, which involves leaving a flash drive or other repository of information infected with viruses or malware in a public area where an employee might try to access its contents on their own work computer, such as a nearby coffee shop or in a break room. The virus or malware enters the computer and starts stealing data or infecting a system.

Although rudimentary, shoulder surfing also happens to be highly effective. Hackers can use crowded areas like an airport or coffee shop to steal information from a target. The data thief will literally look over someone’s shoulder to view confidential information or even steal passwords. It’s also possible that they might take the outright step of stealing a flash drive or personal computer.

 

Ensure Security in BYOD

Bring Your Own Device, known as BYOD, is common in many law offices. However, it’s important to ask yourself whether your own legal office has a BYOD policy and, if so, what guidelines are involved. That means ensuring you have security measures in place that are up-to-date and sufficient to protect against potential threats.

Since employees may be leaving your premises with sensitive data, outline which data is acceptable to have on a personal device and which data isn’t. Also be sure to have an IT team or computer specialist examine the basic safeguards on your employees’ personal devices, such as password strength and anti-theft measures.

It’s also important to have a remote wipe option that allows you to erase data from a computer even if you don’t have it physically present. This means a computer or device has all data related to a legal office erased once it’s reported lost or stolen, or once an employee stops working at a legal office. This won’t only protect employees, but also other sensitive data you might have due to legal work saved in your legal office or elsewhere. Just ensure that your employees explicitly agree to this remote wiping in your Acceptable Use or BYOD policy.

 

Building a Solid Defense

One of the most important steps you can take to protect your legal office is to increase employee awareness. Ensure employees are trained regarding social engineering techniques with a training course or at the very least an office-wide e-mail. Encourage employees to question a source and ask specifically why the person they’re speaking with needs the information they’re requesting. Also let employees know that they shouldn’t be afraid to double-check someone’s credentials or ask politely to prove someone is who they say they are.

It’s also important for your legal office to consider implementing a cloud policy. That means restricting the amount of sensitive data that can identify employees stored in a cloud, which is often vulnerable to hacking. It also means installing strong password protections to cloud platforms and limiting access to cloud storage to only those who need it.

Finally, it’s important to have an incident-response plan in the case of a data breach. That means installing a system for informing employees when a data breach occurs, providing them useful information if their personal information was stolen, and measures you can take to protect employees further, such as quick reporting to the authorities.

Ultimately, strategies such as educating employees, upholding a strict BYOD policy, and using cloud data storage the smart way can go a long way to keep your employees' data safe. If you'd like more information on protecting against data exposure, please feel free to contact us!

3 Common Misconceptions About Information Security Compliance

Posted by Gaye Connell • Mar. 26, 2015 • 0 Comments

Your business generates massive volumes of data that demand smart and secure management. However, confusion and misconceptions run rampant when it comes to information security and compliance with big data. Looking beyond the three most common misconceptions about information security compliance can help you ensure that your data and systems are secure.

Misconception #1: It’s All About Data

While data is definitely an important part of compliance management, it's the entire approach to safeguarding information that actually demands more attention. A business should be equally concerned about the type and health of the systems where the data resides and where it's likely to be used, secured and authorized network access, and suitable encryption protocols for sensitive information, among other things.

Misconception #2: It’s All about Confidentiality

Confidentiality is just one of the three key factors required for sufficient security, but it’s the most obvious. Information security solutions in an organization are based on three crucial elements known as the CIA, or AIC, triad, namely:

1. Confidentiality

2. Integrity

3. Availability

Confidentiality means the data is protected from unauthorized access. Integrity implies the data is reliable and correct. Availability guarantees authorized and secure access to information.

All of these factors are a part of a holistic approach to IT regulatory compliance management for big data. It's crucial to efficiently identify and segregate sensitive data, apply necessary security protocols to store and access data safely, and restrict access accordingly to ensure confidentiality.

Misconception #3: It Has to Be Perfect

Security measures adopted to protect data are hardly perfect, given the fact that most traditional defense mechanisms are bound to be compromised by innovative extraction-mining techniques and ever-evolving attack strategies. Many people believe any breach means liability issues for the business, but this isn't true.

The best course of action is to keep your security measures appropriate and robust enough to safeguard valuable information. It's important to proactively assess potential threats and data protection requirements and adopt suitable strategies to secure information, rather than opt for damage control once a breach has occurred. When you do that, compliance liability issues are unlikely to surface.

Having a comprehensive threat prevention and mitigation plan in place not only prevents breaches or attacks, but also helps identify and limit the damage and speed the recovery.

 

Information security compliance management is a matter of prime concern, but it may not be as daunting or complex as it seems. Liability usually only happens when the business hasn’t even tried to address data security. It can be avoided by adopting proactive security measures to comprehensively address the specific requirements of the business space. It is, however, an ongoing process that demands regular updates. Check out our free webinar for more information on maintaining sufficient security measures. 

The FREAK Vulnerability

Posted by Wade Clem • Mar. 19, 2015 • 0 Comments

It's recently come to our attention that another new SSL/TLS vulnerability has been uncovered named FREAK.

http://thehackernews.com/2015/03/freak-openssl-vulnerability.html

For over a decade, the vulnerability has left millions of users of Apple and Android devices vulnerable to man-in-the-middle attacks on encrypted traffic when they visited supposedly 'secured' websites. The article states that "A scan of more than 14 million websites that support the SSL/TLS protocols found that more than 36% of them were vulnerable to the decryption attacks that support RSA export cipher suites."

There is currently an Online SSL FREAK Testing Tool to check whether a website is vulnerable or not. Google and Apple have already reported a fix for the vulnerability, and are requesting that all websites disable support for export certificates.

Topics: cybersecurity
