
Security in the Financial Services Industry

Posted by Stephen Gilmour

Oct 12, 2016 10:15:00 AM

Have you heard of Sutton’s Law?

It’s the principle of focusing on the obvious answer to a problem. You might recognize it better from its source, the convicted bank robber Willie Sutton, who is alleged to have answered, “Because that’s where the money is,” when asked why he robbed banks. In his autobiography, Sutton says that while he probably would have said it if asked, he actually robbed banks because he enjoyed it, loved it even. Well, that’s where the money still is – in financial institutions – and it stands to reason that the attackers targeting them enjoy what they do and find it profitable. The methods used by the attackers may have moved on, with cybercrimes rising at an alarming rate, but the end result is the same: financial loss. So what is security in the financial services industry? More to the point, how do you know if you’re being effective with your approach to security?


Topics: Information Security, Cybersecurity

Identifying Gaps in your Cyber Resilience Strategy

Posted by Jackie Marshall

Oct 5, 2016 10:30:00 AM

According to the 11th Annual Global Information Security Survey conducted by PwC and CSO, 84% of CEOs, 82% of CIOs and 78% of CISOs are confident in their organization’s formal cybersecurity program. However, the number of organizations reporting losses of more than $10 million per incident is up 75% since 2012. Why do these C-level members believe their cybersecurity programs are doing more than an adequate job? Perhaps it’s because their organizations are most likely spending more of their annual budget on cybersecurity defenses and applying more internal resources to manage cybersecurity controls.


Topics: Information Security, Cybersecurity

Improving Your Institution’s Readiness and Your Next IT Exam Results with One Simple Strategy

Posted by Eric Flick

Sep 28, 2016 10:15:00 AM

Sounds too good to be true, doesn’t it? I promise, this isn’t one of those teaser or click-bait headlines just to draw you to something not really related to the topic. And those who know me know that I deplore that strategy. In the case of this article, the title seemed very appropriate, both from a descriptive standpoint and in an effort to entice both IT managers and executives to check out this simple strategy.

Ladies and gentlemen, I give you two words that could change your life: progressive testing. That is not intended to sound over dramatic, but for many of us, it is a dramatic shift in the way we approach our annual business continuity and disaster recovery testing.


Topics: Cybersecurity, Business Continuity

Am I Really Expected to Remember My Password - N@mE61520?

Posted by Hayley Turpen

Jun 8, 2016 10:00:00 AM

It has been reported that the average internet user has approximately 20 passwords. I must not be average, because when I sat down to try to count mine I came up with 75... and I probably forgot a few! That is a lot of passwords to remember. I can’t even fathom a guess as to what the password was for half of these sites. So when I try to log in, I will cycle through the passwords that I “think” I used. If none of them work, then I will click the link stating I forgot my password.


Topics: Information Security, Cybersecurity

Get a Head Start with Education on Pending Social Media Guidance

Posted by Karen Crumbley

Aug 28, 2015 4:26:54 PM

“Hey, look here…” as Uncle Si from the Duck Dynasty TV show would say, “I live by my own rules (reviewed, revised and approved by my wife)…but still my own.”

Si’s quote reminds me of Social Media: Consumer Compliance Risk Management Guidance: Proposed Interagency Guidance, an OCC bulletin released in January of 2013 that outlines proposed guidelines for Financial Institutions (FIs) communicating via social media channels. Similar to Si’s comment, FI personnel will soon be required to follow social media communication standards that are reviewed, revised and approved by FI management. The OCC bulletin [Docket No. FFIEC-2013-0001] provides straightforward insight for managing risks related to social media. However, even with the detail provided, there is still much to learn about this guidance. For example:


Topics: Risk Mitigation, Cybersecurity

April 2014: A Busy Month for Fraud Alerts!

Posted by Jennifer Roland-Vlach

Aug 13, 2015 9:10:46 AM


Here we are at the end of April and my Inbox has had quite a few email alerts from various regulatory entities. These alerts have covered an array of topics with the most prevalent being an apparent current uptick in cyber-related risk. So, in case you may have missed one of these, among the multitude of emails you probably receive each day, I thought I would use this opportunity to provide a brief overview of this recent flurry of activity plus suggested steps to address outlined objectives.


Topics: Information Security, Cybersecurity

Social Engineering, Phishing, Vishing: 3 Common Elements & How to Combat Them

Posted by Tammy Bangs

Aug 11, 2015 12:59:49 PM

Phishing and social engineering accounted for 15 percent of cyber-crime costs incurred by U.S. companies in 2014, according to Statista.com. Furthermore, 44% of U.S. companies responding to a recent survey stated that they were targets of social engineering or phishing schemes (Statista).

Social engineering, phishing and vishing are everywhere you look these days. Fake IRS telephone scammers, recent large financial institution (FI) breaches via email scams, penetration testing failures, executive level breaches, you name it – it has happened.

Have you been lucky enough to receive a telephone call from the ‘Department of the IRS’ this year? No? I actually received two. Being the risk mitigation geek that I am, I couldn’t resist baiting the fraudster just a bit, asking as many questions as I could muster, keeping him on the line with me for as long as possible. It was a fascinating glimpse into the not-so-sexy world of the vishing scheme. They were probably armed with little more than a search engine and a telephone. They didn’t even know enough about the Internal Revenue Service to use proper nomenclature.


Topics: Risk Mitigation, Cybersecurity

Incident Response Plans & Vendor Mgmt: Lost in the Cybersecurity Mix

Posted by Jennifer Roland-Vlach

Aug 11, 2015 12:45:20 PM

If you find yourself in need of a stark reminder on how quickly time passes by, consider this: May marks one year since the FFIEC officially announced their focus on cybersecurity for financial institutions. Even though official guidance is still pending, the FFIEC has been using the past year to continue underscoring the importance of cybersecurity. In addition to periodic updates being provided by the FFIEC, there have been a multitude of articles on the topic of cybersecurity. While there has been an emphasis on areas such as C-Suite training and information sharing, I have noticed two items in particular that seem to be getting lost in the mix of cybersecurity discussions. Those items are Incident Response Plans (including testing plans) and critical vendor management. Let’s look at Incident Response Plans first.


Topics: Cybersecurity

The Four C’s - Cybersecurity, C-Suite, Clarity, and Collaboration

Posted by Karen Crumbley

Aug 11, 2015 9:46:57 AM

CYBERSECURITY:

During the final quarter of 2014, the “FFIEC Cybersecurity Assessment General Observations” and the “Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement” documents were released. This documentation included findings from the Cybersecurity Examination Work Program – a survey of more than 500 community financial institutions (FIs) that the FFIEC evaluated for preparedness to mitigate cybersecurity risks. As a result, other FIs are able to benefit from valuable insight in terms of forthcoming expectations regarding cybersecurity guidance.


Topics: Cybersecurity

Humans Can’t Do Passwords: 3 Tips to Help FIs and Homo Sapiens

Posted by Lee Wetherington

Aug 11, 2015 9:41:19 AM


Topics: Risk Mitigation, Cybersecurity
