Are Smartwatches the Next Target for CyberAttacks?

Posted by Nik • Sep. 29, 2015 • 0 Comments

The future of cyber security is almost never clear. New devices are popping up all the time, and making informed decisions on device security can be tricky. However, where smartwatches are concerned, the decision might not be so difficult for you and your business.


Studied Vulnerabilities of the Wearable Device

A recent study on smartwatches by HP Fortify revealed that smartwatches, another device in the burgeoning Internet of Things, are actually a wide open book in terms of safety, security and confidentiality. Among 10 tested smartwatches, 100 percent had at least one major vulnerability, and there were outstanding categorical vulnerabilities across all 10. One category even reached 70 percent, meaning that 7 of the 10 tested watches possessed that security hole.


Business Problems With Vulnerable Wearables

With the advent of the Bring Your Own Device (BYOD) policy in the business world, user-end device security has become a more focused area of concern. Small business cyber security experts in and out of companies spend a lot of time refining policies and procedures where personal devices are concerned. It's much more difficult to monitor personal activities related to business as opposed to straightforward business activities. This is especially true for cybersecurity in the health care sector, since many wearables monitor personal health information, and keeping this information safe and secure is important.

The vulnerabilities found in smartwatches present a problem because these are wearable devices, which are small and easy to miss. If employees fail to report their personal devices to the proper parties, and are using these devices to access business resources and perform business duties, they could be jeopardizing everyone if their device is not accounted for and secure. You and your employees are encouraged to take initiative where brand new mobile devices are concerned, and constantly be on top of the subject by refining and polishing your cybersecurity policies.


Employee Actions Against Businesses Through Wearables

Corporate espionage could easily leave the realm of fantasy and become a real issue for many businesses with the rise of wearable personal devices. Because these new machines can receive photo and video data, it would be no big challenge to brush your sleeve and poke a button to record sensitive, confidential information for malicious purposes. Taking strides to improve information security policies is an important aspect of your business, and keeping tight lines of communication and collaboration with your techs is a necessity to ensure your business's future.

While involving personal devices is definitely a marked step toward better productivity, the movement needs to be carefully monitored. Confer with your inner circle regularly, and discuss the information security policies that are in place at this time, as well as what needs to be implemented sooner rather than later. If you're in need of assistance with your information security policies, contact Garland Heart to set up a consulting session as soon as possible.


Topics: Info Security, IT, cybersecurity, Security

What The Next Security Breach Means For Your Community Bank

Posted by Gaye Connell • Sep. 22, 2015 • 0 Comments

Recently, security breaches of major websites, companies and banks seem to be appearing in the headlines more and more frequently, and with increasingly more critical effects. If you're wondering how these events will affect you, you're not alone: in a recent survey, 97 percent of CFOs believe that cyberattacks are their biggest threat. Fortunately, the situation is not as frightening as it might first appear. Still, you need to do your utmost to ensure your financial network security. Keep reading to learn some essential steps that will help keep your banking institution and its data safe.


Know Your Company

If hackers gain access to the sensitive financial information of your company or customers, they could use it for any number of nefarious purposes. To thwart this, keep a close eye on your security and financial statement reports, watching for any seemingly irregular activity. The better your bank is about analyzing and reporting key metrics, the more in-tune your company will be about anything that seems off. 


Don't Get Hooked by Phishing

Phishing, the act of electronically masquerading as a trustworthy organization or person to obtain sensitive information, has been a successful tactic for many hackers in the past, and will undoubtedly continue to be so for the foreseeable future. Sophisticated attackers can even customize their messages using information from their targets' presence online and in social media, perhaps pretending to be a person known and trusted by the recipient. If you get a suspicious email, be wary of any links it contains. The phishers may have constructed a fake website that looks like the real thing to trick you into entering your username, password or other information. 


Keep Track of the Security Landscape

The art of hacking is constantly evolving, as security flaws are discovered and patched and as breach tactics are invented and grow more sophisticated. If you're hoping to outsmart a hacker, you need to understand the risks you and your bank face and how you can best protect yourself against them. Sometimes the simplest attacks can have the most drastic effects on your financial network security. In addition, don't underestimate the power of social engineering, which can be just as devastating for your business as a cyberattack. 

Don’t lose sight of the fundamentals of security for your bank by getting caught up in the latest cybersecurity fads. Also, you should always implement layered controls in your security system to reduce the risk of having a single point of failure, which can lead to a catastrophic event.

If you're still unsure about the right steps to take for your organization, you may wish to speak with a risk management consulting firm. Get in touch with Garland Heart today to learn about how we can help you and your bank.

Topics: Banks, Risk Assessment, Info Security, IT, Security

3 New Tips to Boost Email Security

Posted by Nik • Sep. 15, 2015 • 0 Comments

Email may be a convenient way to communicate with coworkers and clients, but it isn’t inherently secure. As such, there are security holes in email that you should be aware of and address when applicable to data security. Here are a few advanced email hacks that can help reduce the risk and help keep your information safer in or out of the workplace. Use these three tips to boost your email network security


  1. Use DNS Authentication

DNS stands for Domain Name System, which is a naming system for computers that are connected to the Internet. The National Institute of Standards and Technology (NIST) recently released a draft of DANE, a DNS-based Authentication of Named Entities for email systems. DANE will enhance cyber security by encrypting email messages between mail servers. DANE will digitally encrypt outgoing messages and verify certificates to ensure incoming emails are genuine. DANE is available for Internet Explorer, Firefox, Chrome, Safari and Opera via a browser add-on.


  2. Identify Graymail and Get Rid of It Safely

Graymail isn’t quite the same as spam; it’s email that you have, at one time, opted into receiving. However, that doesn't always mean it is email you want to receive. While you can unsubscribe from the mailing list, that doesn’t necessarily solve the problem as your email address might be stored and sold for phishing attempts. You can use a new tool, Cisco Email Security Appliance, to identify graymail and safely unsubscribe from it.


  3. Use Self-Destructing Email with a Chrome Plugin

Google recently released a new Chrome plugin for Gmail that lets an email sender set a time limit on the existence of an email. After that time has passed, the email can no longer be read. The plugin works by using encryption, which the recipient of the email needs a key to decrypt. Once the plugin removes the key, the email can no longer be read by the recipient. This can be a useful way to control emails that contain sensitive information. However, it's important to remember that your recipient can still copy information from the email and store a copy of it. As such, while self-destructing email can be a useful part of an information security policy, you still need to think about the information you choose to share over email.


Protecting Your Email Security

Garland Heart can help you identify if your email communication is in line with industry best practices. Get in touch with us today to find out how we can help strengthen your information security program.

Phone us on (972) 429-8200, email us at, or use the contact form on our website to let us know how we can help you.

Topics: Risk Assessment, IT, cybersecurity, Security

Why Two-Factor Authentication is Important for Your Firm

Posted by Gaye Connell • Sep. 8, 2015 • 0 Comments

Passwords were never enough for strong security, even in a non-digital era. Ali Baba overheard "Open sesame!" and was able to steal a cave's worth of treasure. The Heartbleed bug announced last year put even encrypted passwords at risk. This year, Anthem reported a security breach caused by stolen passwords. Protecting your intellectual property and your customers' personal information has never been more challenging or more important than in today's information security environment, where risks abound and companies must maintain constant vigilance.


Two-Factor Authentication

Two-factor authentication is a critical security enhancement that most companies should be investigating if they have not already implemented it. Because passwords alone don’t prove the user should have access to the system, this method adds a second means of authentication to the login process.

Two-factor authentication requires the user to both know something (the password), and to either have something (like a one-time key or token sent to a specific device) or to be someone (through matching fingerprints). Vulnerabilities like Heartbleed or theft of credentials through phishing only get a hacker the password; they don't have the second element of the two-factor login process, and so can't gain access.


Ask Questions Before Implementing Two-Factor Authentication

There's no question two-factor authentication will add another layer of security to company networks. Before implementing it, however, companies need to ask the right questions to make sure they get the benefits without spending more than necessary.

Ask yourself which systems really need two-factor authentication. Not all systems are equally vulnerable to hacking attempts, and not all systems contain equally sensitive information. The risk of unauthorized access to some applications and databases may be too low to merit a high level of security.

It's also important to think through the ways two-factor authentication can be implemented. First, realize that the security questions commonly used to retrieve lost passwords do not provide two-factor authentication. They are still just something the user knows, and at best are a second password.

Generating a unique token is often done by sending a one-time code to the user's cellphone. Tokens can also be generated through smartcard devices, though users often find it inconvenient to have to carry an additional device. It's also possible to block unauthorized computers, as well as unauthorized users, through use of digital certificates.


Make a Plan

The costs of a security breach can be significant, as the breach at Anthem may cost the company $100 million or more. Keeping malicious entities out requires more than just a firewall, and with today's technology, that means layered controls such as two-factor authentication.

Discuss your cyber security strategy with your information security team or a third-party security and compliance firm. Garland Heart offers a comprehensive security review that can help you determine the best way to use two-factor authentication and other modern cyber security tools to safeguard your systems.


Topics: Info Security, cybersecurity, Security

Is the Firewall Becoming Irrelevant? Here’s How to Move Forward

Posted by Nik • Aug. 27, 2015 • 0 Comments

Firewalls were created to protect and secure company data. Unfortunately, firewalls protect company data well only when it is kept within the confines of company networks. Today’s business data is rarely confined to the perimeters of a corporate network but is shared and transmitted widely through the cloud, presenting the firewall with some big security


Keep Up With the Cloud

The massive popularity of cloud computing is one of the biggest issues for the firewall. The use of cloud-sharing applications and syncing devices leads to company data being scattered in multiple places. It is difficult to ensure that added security measures are put in place, and the network firewall goes unused because it is impossible to track its efficacy. The use of the cloud is not likely to diminish because employees are increasingly doing their jobs quickly and conveniently through sharing programs like Dropbox and Google Drive.


Even Advanced Firewall Systems Are Not Advanced Enough

The newest firewalls might be helpful in preventing certain devices from accessing certain applications in the cloud and keeping well-known bugs at bay. This is a good start, but most employees can still access these applications by using their own devices. This exposes the apps to security breaches even when an advanced firewall is in place. It is important to find a security solution that works with the cloud, not against it or in spite of it.


Keep It as Simple as Possible

If a security solution is too clunky or inhibits the productivity and accessibility of the cloud — the reasons why we all love it — people will find a way around it. Frequent changing of passwords and other security measures are important, but you should not encumber an efficient system with a security measure that decreases productivity. Instead, enable application use that protects sensitive data while keeping processes simple and effective.


Control the Flow of Data

Firewalls tend to interrupt the flow of data rather than smooth it out. Having a security measure that encrypts from start to finish on all devices helps to prevent gaps in compliance that can be an issue with remote work in the cloud. You should be able to block access to certain data when you need to and prevent access to encrypted files when necessary in order to maintain a high level of security.


Companies that are still using the firewall as one of the primary lines of defense are experiencing security threats more than those that have adopted other layered information security measures. Contact us for security consulting in the formal software selection process to ensure that your company maintains a high degree of protection against security threats.

Topics: Info Security, Corporate

CFOs Now View Cybersecurity as a Top Threat

Posted by Gaye Connell • Aug. 20, 2015 • 0 Comments

According to a new report by Deloitte, CFOs regard cyberattacks as one of the most worrying disasters that threaten to affect an enterprise’s financial well-being. In response to the Deloitte survey, 97 percent of CFOs of large firms in North America said that cyberattacks are the biggest threat they face.



The Significance of Cybersecurity

In light of the concern over cyberattacks, CFOs need to take a proactive approach to IT security measures. This must involve the establishment of a formal task force to identify weak points in the organization’s security systems and perform routine vulnerability assessments. It’s also important to have a third-party organization perform penetration tests to find out whether the security systems are vulnerable to outside hackers. Without this kind of testing, CFOs may remain blissfully unaware of weaknesses in their organization’s security, which could remain undetected up until they are exploited with devastating consequences. 

The Holistic Approach to Cybersecurity

Rather than fixating on individual cyber risks, CFOs need to recognize that their organizations actually face an entire “risk universe” of cyberthreats. Unfortunately, few CFOs currently demonstrate this level of understanding. According to the Deloitte report, 46 percent of executives think that a lack of understanding of risks and their potential impacts is the biggest obstacle to the development of an enterprise-wide cybersecurity strategy.


Weighing the Costs and Benefits of Cybersecurity Defense

Cybersecurity can be a major cost for a business but it also brings important financial benefits. Expanding your organization's IT budget doesn’t generate extra revenue, but it could save future costs as long as the money is spent wisely. Two security protocols that are almost certainly worth the investment are identity access management and authentication security.


Identity Access Management

Identity access management is an essential security technology for large and small businesses. It allows employees to securely access their data and devices by logging into a single centralized platform. Unfortunately, this kind of technology is only as secure as the password used to log in. The best identity access management systems require employees to use strong passwords, which include a mixture of letters, numbers and symbols. Some solutions even have secure systems for remembering the passwords on behalf of their users, which makes them easy to use.


Authentication Security

CFOs who recognize the need to go beyond using simple passwords to protect their organization’s data may consider using multi-factor authentication security technology. This uses not only a password, but also a second means of authentication to verify the identity of a user.


Help with Cybersecurity for CFOs

Need advice regarding cybersecurity for your organization? Get in touch with Garland Heart today to find out what kind of help is available to you.

Topics: Compliance, cybersecurity, Finance, Corporate

A Closer Look: How Secure Are Account Recovery Security Questions?

Posted by Nik • Aug. 14, 2015 • 0 Comments

While businesses attempt to protect private and sensitive information from cyber attack in many ways, one of the most common methods is passwords. Passwords are considered a good strategy for protecting information on devices and Internet-based accounts because they require specific knowledge to gain access. 

The drawback to using passwords for identity access management, however, is that they are often forgotten. Companies commonly deal with password recovery by using recovery questions that, when answered correctly, allow a user to obtain or change a forgotten password. But are account recovery questions secure?

While it might appear that security questions are a smart way to keep information safe, a recent Google report shows that most answers to access questions are very easy to guess, making them a vulnerability when protecting identity and information. Not only are they ineffective in adding a second layer of protection, they are not even an effective recovery strategy for people who forget their passwords.


What Makes Security Questions Unsafe?

One of the main reasons security questions are not particularly safe is that the answers are remarkably easy to guess. According to Google's report, someone attempting to break into a password-protected account would have a 20 percent chance of correctly guessing that the average English-speaking user's favorite food is pizza and a 40 percent chance of guessing the birth city of a Korean user.


What If Users Choose Trickier Answers?

Many users believe that if they lie about their recovery answers — and about 37 percent of people admitted lying — the answers will be harder to guess. Unfortunately, just the opposite happens. When people lie to make answers harder, they do so in a very predictable way. Research shows that account recovery answers tend to either be very secure or very easy to remember — and rarely both — making them an inconvenient and clunky authentication method.


Does Adding Multiple Questions Help?

Some companies use a multi-question recovery process to further protect identity access. In reality, this strategy is quite helpful when it comes to protecting accounts. Again according to Google, while an attacker's chance of correctly guessing an answer to one question is 14.6 percent, the rate drops to about 1 percent when a second question must be answered. One drawback is that when there are two account recovery questions, users also have a harder time remembering both of their answers; the likelihood that they remember drops from 75 percent to 59 percent.

Passwords, if used thoughtfully, can be safe, but the smartest and most secure approach is using one-time codes to protect information and identity access from any of the growing number of cybersecurity risks. By sending codes via text message or email that can only be used once for a login, companies can ensure only legitimate users are logging into accounts and systems, and that no information ends up in the wrong hands.
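The single-use login codes described above, and the one-time tokens sent to a user's phone in the two-factor post on this page, can be sketched as follows. This is an added example, not code from the original posts or from any vendor; the class name, the six-digit length, the five-minute lifetime and the five-attempt limit are all assumptions, and delivery by text message or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: six-digit numeric codes
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed before the code is revoked


class OneTimeCodeStore:
    """In-memory store of pending login codes (hypothetical name, illustration only)."""

    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)   # server-side key, never stored with the codes
        self._pending = {}                    # user -> digest, expiry time, failed attempts

    def _digest(self, user, code):
        # Keyed digest bound to the user: the store never holds the code itself.
        msg = f"{user}\x00{code}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for `user`, replacing any code still pending."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "digest": self._digest(user, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # the caller sends this out of band (text message or email)

    def verify(self, user, submitted):
        """Return True once for the correct, unexpired code; False in every other case."""
        entry = self._pending.get(user)
        if entry is None or not isinstance(submitted, str):
            return False
        if self._clock() >= entry["expires"]:
            del self._pending[user]           # expired codes are discarded
            return False
        # Constant-time comparison avoids leaking how much of a guess matched.
        if hmac.compare_digest(self._digest(user, submitted), entry["digest"]):
            del self._pending[user]           # single use: a replay finds nothing
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: the user must request a new code
        return False


def demo():
    """Walk through the four cases with a constructed clock and a constructed user."""
    now = [1_000.0]
    store = OneTimeCodeStore(clock=lambda: now[0])
    results = {}

    code = store.issue("alice")
    results["first_use"] = store.verify("alice", code)
    results["replay"] = store.verify("alice", code)

    code = store.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify("alice", code)

    code = store.issue("alice")
    wrong = ("1" if code[0] == "0" else "0") + code[1:]
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", wrong)
    results["locked_out"] = store.verify("alice", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The attempt limit matters as much as the expiry: a six-digit code has only one million possible values, so unlimited guesses inside the validity window would undo the benefit.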

Do you want more information about how to keep your company's information safe? Get in touch with us at Garland Heart, where we offer a wide range of clients and organizations IT security solutions to ensure their information remains confidential and protected.



Image courtesy of Google.

Topics: Info Security, cybersecurity, Security, Corporate

5 Critical Standards for Secure Data Encryption

Posted by Gaye Connell • Aug. 6, 2015 • 0 Comments

Data encryption is a crucial part of any organization’s security policy. In addition to putting the right technology in place, adhering to data encryption standards also means educating employees about the importance of data security. Use the following five critical standards for secure data encryption to keep your organization’s data safe at all


1. Stay Consistent with Corporate Security

Company guidelines regarding security are there for a reason. There are many situations in which encryption makes sense, such as the storage and transmission of sensitive information. Review your organization’s current security policy to find out what sensitive information exists, and then use the location and nature of that sensitive data to create a solid foundation for your encryption strategy. Throughout the design phase, keep in mind all compliance regulations in your industry, and don't forget about your client’s industry as well. This might be the most important (and overlooked) concept as it could lead to controls, gaps, and/or client-specific policies you have not put in place. If you provide services for clients in different regions, remember that compliance regulations can vary among countries and states.


2. Keep Humans in Mind

Remember that humans have to interact with your security systems, so avoid making your program so invasive that it interferes with how users interact with the network. If you have a Bring Your Own Device (BYOD) policy in your organization, highly invasive security policies could encourage users to bypass the corporate network entirely, which is bad news for the safety of your data. Many security breaches result from employees not abiding by company policy, so try to make your security systems as unintrusive and easy to use as possible. It also could be beneficial to remind employees why a control is needed in the first place through training or education. It might help relieve a little of the frustration.


3. Decide What Really Needs to Be Encrypted

How much of your internal data is truly sensitive? Encrypting everything on the network can impact productivity, reduce the functionality of internal systems and interfere in the coordination of tasks. It can even lead to a lax attitude toward security if employees start to see company policy as overly strict.


4. Address the Cloud

The amount of data stored in the cloud has increased tremendously over the last few years, posing challenges to organizations that are concerned about data encryption. When designing security policies for the cloud, remember that end users have certain expectations about the accessibility of cloud data. With this in mind, you should encrypt only the data in the cloud that really needs to be secure, as encryption of all cloud data would be time-consuming and result in a clunky user experience. You should also ensure the cloud service you are using has the appropriate controls and security best practices in place if you are going to utilize it for sensitive data. 



5. Adopt a Holistic Approach

Data encryption is not the only aspect of a solid security program. True security involves bringing users on board as assistants to the security program rather than regarding them as the enemy. As you design and develop your security policies, maintain an open dialogue with users regarding their needs.

Need help designing a security policy that balances the needs of users with secure data encryption? Get in touch with Garland Heart today. We can help you to develop a security policy that works for your organization.

Topics: cybersecurity, Security, Corporate

New Website Domain Name Could Improve Network Security Systems for Banks

Posted by Gaye Connell • Jul. 30, 2015 • 0 Comments

Pressures upon financial services organizations are rising today more than ever. Customer loyalty is more important to banks now than in the past, but with growing concerns over information security measures, it’s getting harder and harder to keep customers happy. Many banks are placing a lot of emphasis on modernizing their systems by updating how they utilize technology in big ways. One popular method involves changing their website domain name in order to make their sites more


Extra Security Through Domain Name Switch

The risks of downtime and malicious attacks are typically much higher in the financial services industry than in others, and so banks must be constantly vigilant for any new, existing, or upcoming security threats. The .BANK is a new top-level domain that was introduced to help fight online scams and hacking. It’s available only to the banking community, and allows banks to change their domain name from to

Half of all Internet users receive one phishing email every day, and their bank account information is generally at the heart of these online scams. We need a solution for this problem, and using a .BANK domain is an important way to deliver a more secure internet experience. With so many domain endings available around the world, a .BANK domain can make it much easier for a customer to trust his or her banking information to be safe online.


Barclays Bank Domain Change

Barclays Bank is one of the largest banks to have recently made the shift from and to .barclays and .barclaycard. The bank will be able to set up websites using these addresses, thereby making it clear to the user that he or she is engaging with a genuine Barclays site, and not a scamming or a phishing site.


Protecting Your Customers

It’s crucial to do as much as you can to make sure you protect your customers’ finances and their personal information in order to keep them safe, loyal and happy. This can certainly begin with considering a domain name change – which might be a new standard in the banking industry within the next year. But banks also have to be sure they are fulfilling enhanced security requirements, such as enabling DNSSEC on the new websites, publishing valid email authentication records, deploying enhanced encryption standards and more. Embracing these new improvements in network security is sure to help improve the customer experience and make a website more trusted, protected and secure. 

Contact Garland Heart to discuss our range of proactive compliance and security services that can help make your organization more compliant and secure. With some of our innovative solutions, you can rest assured that you or your customers won't fall prey to online scammers.

Topics: Banks, Info Security, Finance

Apple Improves Device Security iOS 9

Posted by Gaye Connell • Jul. 23, 2015 • 0 Comments

One of the best ways to ensure the security of your information is keeping your software up to date. Hackers are continuously looking for opportunities to get your data, so trying to outwit hackers requires continual alertness. Keeping systems current helps, because vendors issue patches to fix the latest known

Apple's new iOS 9 goes beyond patching known vulnerabilities. The new iOS adds features that provide important security enhancements for users who spend hours working online from their iPhones with iCloud and email.


Stronger Passwords

Although some devices are protected by fingerprints, most iOS devices are still unlocked by passcodes. A passcode of four digits yields 10,000 possible combinations. According to Intego, a Mac security firm, a brute force attack (one that simply tries each possible combination) can break four-digit passcodes within 17 hours.

With iOS 9, passcodes can now be six digits long. This means there are one million possible combinations instead of 10,000. While brute force attacks are still possible, the time to crack a password is proportionally increased as well.


Protect Cloud Access from Unknown Devices

Another computer-network security improvement in iOS 9 will protect your iCloud account from logins from an unknown device. The "new" enhancement, two-factor authentication, has been around for a while, but we are glad to see it adopted here. Now you can require a second means of proving identity in addition to just relying on your password.

In iOS 9, when someone tries to log into an Apple account from a device that's not associated with it, a verification code will be sent to a phone or device previously registered to that account. This lets the account owner confirm that the new device should be allowed to access the account. 

This function also provides an early warning system if someone is trying to break into your account. In that case, the verified owner who receives the confirmation code can block access from the unknown device.


Configure Devices for Security

All too often, we as humans are the weak link in online security. Users fall for phishing emails, lose their phones and fail to change default settings to enable stronger security. To make sure your iOS devices are as private as possible, make sure you review these settings on every device: 

  • Set passcodes to six digits.
  • Check each application's privacy settings to make sure you're not uploading data unnecessarily.
  • Set up Find My iPhone to help you recover a lost device.
  • Always require a password for app purchases.
  • Turn off location tracking for apps that don't need it.
  • Set a shorter expiration date on voice and video messages.
  • Strengthen your default Wi-Fi hotspot password.
  • Turn on biometric security to require a fingerprint to unlock your device.
  • Disable message preview on your lock screen.
  • Shorten the auto-lock time.


Get Help Keeping Up with Security

Companies need to stay focused on cybersecurity, but technology changes fast. To keep current with the changes that affect your online security, contact Garland Heart. Our experts can identify the best information security tools and software risk management practices for keeping you safe.

Topics: Security, Corporate
