Posts

Financial Services IT Security For Business Growth

Too often we hear from new clients in the financial services sector they’ve suffered panic and disorganization in their security protection. In this post we’re going to outline outdated approaches as well our recommendations to thwart invasion.

Cyber threats are proliferating faster than most lending institutions can fully understand. It’s often best to approach delving into your security measures with a proven tactical plan. One that not only manages your risk but also pinpoints the best protocol to detect and recover.

Don’t forget your biggest security risk can also emerge as your competitive market advantage in regard to growing new business. But only if you develop a unified security proposition instilling trust and protection to consumers. Something many financial services companies struggle with is how to evolve their protection toward new trends in advanced security. One in particular we strongly suggest is developed by changing how your organization manages your threats in stages.

We refer to them as anticipate, protect, pinpoint, respond and recover. These stages are vital to developing a systematic plan to safeguard your customer data. Remember, cyber attacks are your responsibility and therefore can cause liability risk for your institution.

Anticipate

Although it’s a sizable dose of reality to anticipate all threats, one thing is for certain. The chances of your company being attacked are high no matter what level of security you currently have in place. Ideally, we recommend developing a full-scale anticipation plan whereby you monitor irregularities in user access to your networks.

The problem we see all too often with financial services institutions is they embrace a generalized security plan. Usually ones that are developed by unqualified IT security consultants who do not have the necessary background in financial security.

We recommend investing in cyber ‘fusion centers’ which provide a more robust security protocol based on the team concept. Instead of handing the keys to your security to a few IT technicians, the fusion center approach delivers real-time intelligence monitoring of your networks.

Active cyber threats exist from third-party vendors and in some cases, consultants with credentials to your network exposing your customer data to unsuspecting threats. We’ve seen some cases where third-party access was not monitored at all by systems managers. This type of risk is exponential and often goes undetected for years exposing your networks to invasion.

Protect

For decades financial security was based on building generalized gateways to protect your entire network. However, this style of protection is too limited in the new age of wireless banking. But why?

Defending your raw data as well as sensitive customer information now is best approached by integrating a ‘defense in depth’ risk approach. Specifically targeting high-risk/value data and developing a security plan which provides layers of both encryption and detection.

Pinpoint

With the development of smartphone easy-pay apps, your security is tested on a daily basis. Although electronic wireless payment products are ideal for marketing purposes, they come with additional threats.

A smart approach is to pinpoint both your wireless and wired gateways and create a risk plan which pinpoints sensitive data exposure. Often financial institutions employing full-time security analysts. However, what we’ve found is that they rely on outdated encryption protocols exposing your networks to threat.

Respond and Recover

Traditionally, financial companies have relied on local resources and employees to manage their IT security. Bad idea. At least in terms of analyzing threats to your networks which are exposing you to risk.

New trends in cyber-security are moving toward big data management. We advise our clients to invest in dynamic real-time monitoring, analytics and threat response for ideal detection, response and recovery.

Remember, your network and data is your largest asset waiting for intrusion.

 

 

 

 

IT Planning For Law Firms – why, and how

Apparently there is a growing threat of cyber attack of law firms. What’s surprising is the number of law firm intrusions which often go unreported.

In fact, since March of 2014, financial institutions and law firms have begun talks to establish a collective effort to share hacker threats. The Financial Services Information Sharing and Analysis Center (F.S.-I.S.A.C) is in development to thwart hackers through a threat management advisory council.

Having worked with many law firms over the years, we’ve seen some that suffered from data overload both in security as well as internal processing of client records. In these scenarios, these firms are decades behind their competition in managing their networks and data.

Growing your legal firm is a work in progress. Prospective clients contact you in various forms including email and by phone. However, we speak with many office managers who struggle with piecing together more robust systems to not only manage their network but also keeping records on pending client cases.

Successful law firms receive hundreds inquiries everyday. Perhaps you’re wondering what techniques they use to handle these amount of data. For starters, they don’t rely on closed data systems such as Microsoft Office and the like which are highly unsecured. Instead, thriving law firms have invested in developing a robust IT plans and security gateways to support their busy offices as well as protect sensitive client information.

Big data is a trend that you’ve probably read about in the news in the last few months. But how does big data management add value to your business?

Often we speak with law firm owners who tell us there’s very few hours left in their workday to worry about IT and security issues. However, the firms we consult with on a long-term basis see the time-savings by implementing a scaled approach to managing their networks.

Remember, scale is critical to your business. An IT network designed without plans to grow avoiding expensive upgrades offers the worst return-on-investment. But not only in costs. Actually, lost manpower time impacts whether your office staff can help your firm grow.

An IT network designed without plans to grow avoiding expensive upgrades offers the worst return-on-investment

One of the areas we see needing the most improvement in law firm IT is database management. Too many firms rely on task-oriented processing of traditional paper-based client records. The smarter approach is to convert your contact management software to a secure web-based product which allows your employees to pinpoint critical client information in seconds as well as providing better security measures.

A new trend we’ve witnessed by firms is their lack of security management of client records. Specifically by storing records on thumb drives, emailing private data across unsecure networks and even storing information on laptops and iPads. The problem with this type of data management is it’s highly unsecure if accessed across wireless networks.

Law firm IT support and security is critical to controlling your risk. With cyber threats growing more robust in recent months, it’s no longer a question of if you’re firm will be attacked, but when. The question on your mind if you’re reading this far is what types of security will protect your organization?

We recommend analyzing access gateways to your networks. Typically in hacker testing scenarios. Often these types of tests can pinpoint parts of your network which can be infiltrated with minimal effort. The most obvious invasions we see are poorly encrypted networks as well as outdated firewalls. However, these are only a few of the many ways hackers are invading law firm data.

Despite many major retailers experiencing cyber attack, law firm threats go unreported due to these organizations being privately held. But the risk and liability of breach is exponential based on the proliferation of cyber threats.

5 Tips To Better IT Security for SMB

If you haven’t followed the technology news lately, chances are good you missed the recent security breach news of Target and Blue Cross: Customers won a $10 million settlement against Target relating to the retailer’s Dec. 2013 data breach; in the meantime, nearly eleven million customers suffered exposure of their personal data with Premera Blue Cross.

Whether you’re a small firm or big blue chip company, data security threats have been on the rise. But why? Actually, the problem is often related to people rather than anti-virus software and gateways. Granted, new protocols to keep your network locked down are offered by some of the major security firms throughout the U.S. However, if your technicians are not updating your software, you may suffer invasion.

Plan Scheduled Updates

One of the most critical components of protecting your network can be done by simply scheduling your software updates at least twice per month or more. Again, it’s the people factor that causes companies to operate everyday while also exposing their systems to hackers. Your IT technicians should set a day at least twice per month to evaluate your current software and inquire about updates.

Amazingly, more and more companies are getting attacked through gateway breaches which should have thwarted malicious threats.

Code Script Trojans

Too often your network, website and private data was developed by outdated coding languages. Information leaks often occur in the following scenarios:

• Multiple cross-site scripting is an area where hackers look to invade. For example, the .Net coding language is prone to vulnerabilities.
• Another area to consider is if you run outdated versions of ColdFusion. Once considered the premier database management software, ColdFusion has since suffered SQL invasions as more companies invest in big data systems.

Unauthorized VPN Access

Another part of your network to review is your VPN permissions. Face it. Every company has vendors and customers who sometimes have administrative credentials to access parts of their networks. The problem for some are these types of exposures can become a threat.

Many companies leave the task of updating their access credentials to lower-level IT techs. Bad idea. Remember, your network is only protected if your doing regularly scheduled audits of your authorized users.

Management of Users

Do you know how many users can access your data? Chances are likely you don’t. The problem many companies face is the challenge of monitoring network access by un-authorized users. Remember, people are always going to attempt to infiltrate your data. How you monitor and react to intrusions is your best defense. We recommend you develop a master list of authorized users (employees, vendors and customers) and the permissions of their credentials.

It’s not enough to wonder who’s accessing what parts of your systems. Instead, smart IT security managers employ vigilant evaluations of all users.

Poor Password Strength

If there’s one area you need to assess, it’s your user passwords. Too many are often chosen for memorability rather than security strength. Although it’s simple to remember ‘1234’ or variations of memorable characters, your users need to embrace alpha-numeric complexities.

Your best defense is to meet with your network security administrators to develop a core set of robust password parameters every user should adhere to using. For example, a highly-complex password like ‘C^d!4dj~vyQa’ is far stronger despite the effort it takes to input.

If your company uses roaming profiles for your employees to use multiple work stations, we advise you to consider mandatory password updates at least once per month to protect your networks.

Looking

BYOD – An Essential Guide For SMB’s Executive Team

In today’s shifting world of technology and devices, SMB companies are supporting more mobile devices as a key initiative and according to Gartner, BYOD adoption will reach 90% this year. BYOD keeps many CEO’s up at night, but this is easier than you would think. CEO’s are faced with concerns of improper use of BYOD at the office and the impact these issues can cause their businesses. Developing an all-inclusive BYOD policy and technical guidelines for your employees will allow you to be secure. BYOD has many benefits and is worth considering if done properly. It’s a situation in which thinking about the sources from where data threats come from.

Create a BYOD Policy

There are various resources and information accessible such a guidance or templates on how to set up BYOD policies. Every company is different, so use resources as a starting point when creating your company BYOD policy.

Example BYOD Policy for SMB

  • Anti-virus and security application requirements.
  • Approved list of applications
  • Set up devices with locked screens
  • Approved access to data (files, intranet, calendar, email and apps)
  • Permissible access (VPN, LAN, Public Networks)
  • Approved devices (laptops, smart phones, tablets)
  • Password policies (8 character minimum, mix of numeric and alpha)
  • Stolen devices (Wiped remotely)
  • Secure data (Backup data created and saved locally on users personal machines)

When your employees are able to use personal devices for work related activity and systems, traditional network firewalls are no longer effective. You should consider Cloud technology services to protect your network in a BYOD environment by using measures like data loss prevention (DLP) or secure web gateways (SWG). DLP allows data to be transferred out of your network securely and SWG can stop threats like malware before it reaches an employee’s device or your network.

Cloud backup systems are very user-friendly and many SMB’s embrace them as a complete solution. One employee’s failure to follow best practices and procedures could create cracks or system weaknesses. Rest easy by having employees back up instead of saving data to an in-house system.  Once your system is in place, have a schedule to regularly test it to be sure that you’re capturing the data you’ve targeted. With research and planning a BYOD policy, you will gain the self-assurance you need to avoid losing sleep over the decision whether or not to embrace BYOD.

3

 

Back up and Disaster Recovery – Five Common Mistakes

Businesses are aware of the impact that a well-crafted backup and disaster recovery plan has on their organization. These plans are critical to avoid exorbitant downtime costs and to keep businesses running smoothly.

As your business grows and with regulations changing rapidly, your disaster recovery and backup plan needs to change. While no DR plan is 100% fail-safe, with careful planning you can develop one to fit your needs. The following are five common mistakes concerning back up and disaster recovery.

  1. A Plan

In most cases, the IT department creates the DR plan; however, recovery is a companywide responsibility. Best practice is to work with an outside recovery partner for plan revisions. An effective DR plan includes business leaders, frontline users, legal, and those who order data and mission-critical applications.

  1. People

While back up disaster and recovery contains IT equipment and data, it should also include communications, facilities and people. Employees should be trained on best practices to follow within your companies DR plan to ensure your business is up and running in no time.

  1. Testing / forget to test plan regular basis

A common mistake is controlling every phase a test is performed to a set of systems. A best practice is to let management know that a test is taking place. The goal is to mimic as close to failure as possible to assure the plan is sound as if a true disaster occurred.

  1. Local back up only

In this situation businesses are comforted that their back up is local. Local backup does solve the most common of data loss, accidentally deleting a folder or file – but is susceptible to natural disasters, fire and floods.

  1. No contingency plan

It is a good practice to have multiple plans in case what can go wrong. To assume everything will go as you planned for backup and DR, is a big mistake. Be sure to document a process that includes what should be done if the person responsible is unavailable. Share your plan with your IT provider as well as getting an outside opinion.

It is likely that any change to your business or IT systems will directly impact your back up and disaster recovery plan. Test your plan on a regular basis and review the results from the test. Be sure to update your DR plan based on the results of your test.

ERRegistration

5 Predictions in 2015 of Cloud IT And Why You Need to Know

Without a doubt, 2014 was a great year for cloud. I’d like to provide five predictions for the upcoming year and why you need to know. If you’re considering moving to the cloud, it’s a good time to be a customer with new services from AWS, Google and Microsoft.

  1. More demand in the market for cloud services.

Per a recent Gartner forecast, the Software as a Service (SaaS) market will grow at a yearly growth rate of 20.2%! With this type of estimated growth, it is easy to see why so many SMB’s are ready to move to the cloud.

  1. Data security overtakes device security.

BYOD is now a part of everyday work culture. Employers and employees want to work unrestricted and devices are being replaced quickly while the value of corporate data spreads longer and connected devices reduce the necessity for device-local data storage. Companies will turn their focus from securing endpoint devices to securing data on its way to and from the cloud and being stored in the cloud in order to guarantee a smooth user experience.

  1. Security, security and security…

Many web articles discuss concerns over the security of data in the cloud as a major factor of cloud adoption. Over time, most companies recognize it is near impossible to have foolproof on-premise (company owned servers or data centers) and that no cloud is. Once accurate expectations are made, companies need to focus on evaluating and mitigating risks intelligently.

  1. Increased hybrid cloud implementation.

As more companies adopt cloud, hybrid cloud implementation will be the norm. Why? As C level executives develop cloud strategies, organizations benefit from the convenience of the cloud business model and attain the performance of on-premises solutions. Due to the complexity of today’s environments, it would prove to be extremely difficult to move everything across-the-board to the cloud.

  1. Cost effective clouds.

The return on investment for computing projects ranges significantly.  After deployment, cloud value is easy to define. In other cases, cloud needs to be considered a long-term investment and aging hardware and servers can be factored as part of the value cloud computing will truly bring to your business.

3

7 Reasons why Financial Services Companies Need to Archive Email with A Hosted Service

Do you know the one word that will cause your financial services company a catastrophic disaster? “Just.” Often it’s used by IT managers suggesting, “Why don’t we just host our email on our own servers?”

It’s cost effective and makes sense right? Wrong.

Every CFO knows email communication is vital to their organization. Last month Home Depot suffered one of the largest email data breeches ever when 53 million email addresses were stolen from their systems.

Read the Wall Street Journal story. Hackers posing as HD vendors were able to bypass their onsite email servers accessing the database.

Security

Ask any financial services company about checks and balances. They’ll tell you it’s accounting 101 to separate your accounts receivables from your payables departments.

The same protection is a must for your archived email. Too many companies make the mistake of ignoring security safeguards protecting their email on a third party hosting provider.

The first benefit is obvious. Security. Imagine your in-house servers are hacked. While your IT team troubleshoots the gateway breech, your email is protected offsite. Hosting your email with an expert host provider ensures your data is safeguarded 24/7.

Litigation Protection

Financial services companies need to protect themselves from liability. Therefore, archiving all email offsite safeguards their communications for search and indexing. Don’t forget you’ll also be able to easily pull reports of user messages, attachments and timelines.

Regulatory Compliance

Financial compliance regulations require that all email communications must be safely stored in original form. Hosting your email locally puts your organization at risk if your servers suffer threat.

Disaster Recovery

We’ve all seen news reports of natural disasters. It’s no longer whether your community will suffer a tropical storm or power outage, it’s when.

Archived email hosting by an offsite third party provider gives you the ability to safeguard your email and maintain banking operations.

You’ll provide services to your customers virtually while your local branches await emergency services to deem your hometown safe and ready to open your doors for business again.

Auditability

Accessing your archived email communications for audits is a breeze when you use an email host. Due to litigation and compliance regulations, your organization must safeguard all email communications for up to seven years.

Storage Management

As your company grows, your email quotas will require more storage. We often see an increase of our client email data storage increase by as much as 25% per year. Plan on allocating at least 150-200 MB per user.

By archiving your email with an outsourced provider, you no longer need to invest capital in onsite servers.

Cost

Your onsite servers are best used for your users, core business products and services. The concept allocates your capital on profit generating revenues rather than expenses.

It’s far less expensive to archive your email communications with an offsite host taking advantage of their server space. It’s economical and as your storage quota grows, you’ll save thousands of dollars letting your provider invest in resources to service your needs.

 

What Can You Learn from JP Morgan’s Data Breach

On the heels of the Home Depot data breach comes another case of customer data being compromised, this time from the largest bank in the United States. JPMorgan Chase reported that information from more than 76 million households and 7 million small businesses may have been compromised when hackers gained access to its systems on an administrative level.

Account holder names, addresses, phone numbers, and email addresses are thought to have been revealed, as well as internal notes about those account holders. JPMorgan Chase asserts that there is no evidence that information like account numbers, passwords, birth-dates, or social security numbers was leaked in the breach.

What This Means for Business

As TechTarget pointed out, in both the Target and JPMorgan Chase data breach, no full-time Chief Information Security Officer (CISO) was overseeing operations. In the wake of these breaches, businesses are beginning to realize the important role risk management and security play in business today. In the coming years, businesses will likely see the CISO role become a very important specialty in the field of technology, attracting higher salaries and the best talent in the field. For small businesses, these duties will be entrusted to the provider, who will staff the best and brightest to oversee cloud servers for a large number of clients.

How to Protect Yourself

Without information like social security numbers and birth-dates the collected information isn’t enough in itself to risk identity theft, experts say. However, a JPMorgan spokesperson points out that consumers should always keep an eye on their accounts. The biggest problems may come from the email addresses that were compromised in the breach, with this information potentially being used to launch phishing attempts. Through these attempts, information such as social security numbers and account passwords could be obtained. Small businesses should remind users to never click on links or download attachments from unknown parties. When they receive an email about an existing account instead of clicking on the link on that email, users should always go to the site on their own and update any information there.

Safeguarding your business’s applications and systems is your business’s top priority, since securing your own customer data is an important part of your long-term success. By ensuring that your employees keep their own passwords as secure as possible by avoiding phishing attempts, you’ll be taking a vital first step. When working with a cloud provider, be sure to ask questions about the role they take in preventing hacking attempts and keeping your data safe.

Major Software Bug Could Affect Your Business

Shellshock

A vulnerability discovered in some Linux and Apple operating systems could put your business’s computers at risk. The bug was found in a software component called Bash, which is part of many instances of these operating systems. Once exploited, this vulnerability could be used by hackers to gain access to your individual systems.

About Shellshock

Going by the name Shellshock, the bug is found in Bash, a shell command line tool in Unix-based systems. Hackers have been able to remotely control users’ systems, with reports stating that exploits are currently under development to take advantage of the open access to so many systems. These exploits will allow hackers to gain user passwords and install DDoS bots.

While Windows-based PCs aren’t among the list of affected devices, businesses should be concerned about their servers, since many servers use Apache. Apache contains the Bash component. In total, experts estimate 500 million machines could be vulnerable to Shellshock.

What Can You Do?

If your machines are behind a firewall, you already have a major protection in place. Apple has assured its users that the vast majority are safe from the vulnerability, since OS X systems are safeguarded by default. Those users who have configured advanced UNIX servers may be vulnerable, however. Apple is working on a patch to safeguard those systems.

Experts are concerned that as users rush to patch affected systems, hackers will make the most of the short window of opportunity to wreak havoc on systems. The most vulnerable systems are likely those servers and applications that are running Bash without administrators being aware of it. For that reason, server administrators must take the extra effort to protect their servers.

Vendor Patches

The first thing a business can do is check with its vendors to see if a patch is available for their products. In the instances where data is stored with a third-party cloud service, businesses should be proactive in ensuring their data and devices are safe from attack. If you’d like to check to see if your computer is running Bash, this article should help.

As more information becomes available about Shellshock, businesses will be equipped to deal with the issues. For small businesses, turning server operations over to a highly-experienced cloud services provider can be a great way to ensure your systems are safe whenever vulnerabilities like Shellshock emerge. Because applications are often built by vendors, however, many businesses are often left uncertain about what technology their systems is actually running when news about vulnerabilities like this one emerges.

Don’t Get Caught in the Malnet!

The prefix mal comes from the Latin for bad.  Anything with mal in it is bad news, malcontents, malnutrition, Mal Reynolds.  Now there are malnets.  Malnets are complex systems of servers and domains that are continuously on the attack.

It is estimated that this year, the majority of all spam will come from these malnet systems.  For example, Rubol a known malnet was found to have 476 unique domain names.  That’s a lot of vectors of attack.  A malnet was found to be the culprit in the MySQL.com attack.

So what do you do?  How can you protect your businesses infrastructure against such an organized malware ecosystem?

Most malnets are actually nets, malicious traps.  Don’t fall into the trap.  Rubol’s 476 domain names were fronts, mainly offering deals or quick cash.  You might be thinking only a fool would fall for a something that’s too good to be true.  However, some of these sites disguise themselves as legitimate businesses offering good deals.

The next step is to really isolate your sensitive data from the Internet as much as possible.  The easiest way to do that is move customer data onto a removable storage device.

Keeping your security software up-to-date is also a boon to the safety of your data.  And last of all, when in doubt, don’t click on it.