Category Archives: Security

Immediate Vault Immediate Access

Only 18% of IT Pros Confident in Current Password Risk Management

Posted on by

Many are having trouble maintaining the security of their employees’ log-in information, resulting in serious risks to their networks and private information. According to a recent LastPass and VansonBourne survey of 750 IT and security professionals in the United States, United Kingdom, France, Germany, Australia and Singapore, only 18% feel their company’s current access security is “fully secure and does not require improvement.” Risk management professionals have a significant role to play in determining how their organizations handle these risks and protect their data.

Some of the biggest ways that employees’ poor password management creates potential security threats to organizations’ data, according to the security professionals surveyed, are password reuse (according to 67%), weak passwords (65%), and not changing default passwords (36%), according to the security professionals surveyed. Nearly all respondents (95%) said that the risks that come along with using passwords create threats to the organization.

Given the importance of strong login information, companies often attempt to implement password rules to reduce security risks, such as requiring employees to choose complex passwords and change them frequently. However, these issues can lead to frustrations for both IT staff and employees. According to the LastPass/VansonBourne survey, the top frustrations for IT are employees reusing passwords for multiple applications, forgetting their passwords, and the time it takes to manage the company’s passwords. Employees are frustrated by having to regularly change their passwords, remember multiple passwords, and type long and complicated passwords.

The rapid increase in the number of employees working from home due to the COVID-19 pandemic has also exacerbated the risks, given a corresponding surge in cyberattacks on remote workers since March. Many employees are now working on home networks that may not have the protections that office networks offer, their passwords may not follow the stringent guidelines their companies would normally require, and they may store their passwords in less secure ways. In fact, Entrust Datacard released a survey showing that 42% of employees working from home kept passwords by physically writing them down, while 34% saved them in their phones and 27% kept them on their computers. The survey also found that almost 20% of employees reused passwords across multiple systems, which could make it easier for malicious actors to compromise those systems.

Maintaining Secure Logins

There are ways for risk professionals to help protect their companies’ systems and data. Experts recommend mandatory cybersecurity training for all employees, including instructions on how to choose adequate passwords, how often to change them and how to avoid cyber threats like phishing and malware.

There are also technological ways that risk managers can help secure their organizations’ passwords. As a first step, the National Institute for Standards and Technology (NIST) recommends that organizations ensure that employees’ passwords do not match those exposed in previous data breaches.

buy cipro online healthdirectionsinc.com/flash/swf/cipro.html no prescription pharmacy

There are publicly available services online that allow users to check whether email addresses and passwords have been compromised in breaches.

Additionally, the NIST recommends that employers restrict passwords to those that are not dictionary words, are not made up of repeated or sequential characters (such as 11111 or 12345 or qwerty), and do not contain specifics like the company’s name or the user’s name. NIST also suggests using multi-factor authentication (MFA), which would require employees to provide their login and password as well as a second piece of information, biometric data, or a physical device like a security key to verify their identity and log in.

With so many passwords to remember, a password manager—a program that stores and creates multiple complex passwords—may also be a good choice for organizations to protect their systems.

buy hydroxychloroquine online healthdirectionsinc.com/flash/swf/hydroxychloroquine.html no prescription pharmacy

Like all security precautions, password managers are not perfect. While still recommending their use, the Electronic Frontier Foundation warns that “using a password manager creates a single point of failure,” “password managers are an obvious target for adversaries” and “research suggests that many password managers have vulnerabilities.
buy tretiva online healthdirectionsinc.com/flash/swf/tretiva.html no prescription pharmacy

While a password manager or single sign-on technology can have benefits like faster authentication and letting employees remember fewer passwords, they also have downsides. The IT professionals surveyed by LastPass cited “the initial financial investment required to migrate to such solution,” “the regulations around the storage of the data required,” and “the initial time required to migrate to new types of methods” as the biggest challenges about using this technology. Additionally, 74% surveyed said that they thought employees at their companies would likely prefer to continue using passwords over passwordless methods because it was more familiar.

Reducing Risk Exposure Through Sanctions Screening

Posted on by

International sanctions have increased in recent years and discrepancies still exist between how financial institutions and non-banking financial institutions in different countries and regions handle them. This has led to ongoing international tensions where politicians use asset-freezing, confiscation and other sanctions as tools to forward personal agendas, producing an increased stream of sanctions. It also leads to headaches for the compliance industry as it attempts to assess their level of risk.

For example, there is a great sanction application difference between the United States and the European Union/United Kingdom as a result of the United States leaving the Joint Comprehensive Plan of Action (JPCOA) agreement and re-implementing sanctions against Iran progressively in 2018. In a post-Brexit world, it is likely that a divergence between European Union and United Kingdom sanctions will occur over time.

Increasing challenges add to complexity for compliance professionals conducting sanctions and transactions screenings in accordance with regulations and institutions’ policies. The rapid transition to an increasingly digital world amidst COVID-19 begs the question: Do financial institutions truly understand the identities moving within their digital networks?

The Wolfsberg Group recently published detailed guidance for financial institutions regarding sanctions screening. The guidance highlights the importance of account and transaction screenings, but does not propose fundamental changes to the processes that financial institutions should follow already. Compliance officers need to rely on robust sanctions screening systems, high data quality and up-to-date policies to drive a successful long-term sanctions screening program.

Compliance departments should continue to conduct basic functions such as documented controls and procedures. They should also require a clear understanding of sanctions risk and how essential it is to take a risk-based approach to customer onboarding. Further, the compliance team should consider improving the following:

  1. Sanctions List Management: List data can be incomplete and decay over time. Active list management is essential for compliance personnel to ensure complete, accurate and up-to-date data.
  2. Screening Technology: Screening engines vary in capability. Platforms should meet business needs on a basic level and be able to:
    • Manage requisite screening record volumes
    • Configure to reflect the differing risk profile lists
    • Efficiently remediate alerts through fully functioning workflow tools
    • Ingest a variety of external lists
    • Integrate APIs into enterprise systems
  3. Sanctions Data: Not all externally provided sanctions lists are created equal. Financial institutions should conduct thorough due diligence and compare data from different sources. Some issues to consider:
    • How the data is synthesized from original issuing bodies
    • The quality controls within the research process
    • The extent that the provider enriches the data to maximize secondary identifiers of sanctioned individuals
    • How complete the data set is, given the many official bodies globally and whether the system is configurable to select those relevant to the institution in question
    • Whether the data provided facilitates consolidation of entities appearing on multiple sanctions lists to lower duplicate alerts and minimize analysts’ efforts

Sanctions screening is a vital but complex process and a continuously trained compliance staff helps ensure that the financial institution is consistently screening against the most relevant and up-to-date sanctions lists. Sanctions authorities require increasingly strict compliance and this involves employing intelligent augmentation through a combination of human efforts and new technologies such as big data, data analytics, machine learning and artificial intelligence.

Organizations can best reduce risk exposure by using all the compliance tools in a responsible and efficient way. Only then can a financial institution be sure that it is navigating the increasingly complex and rigorously enforced regulatory landscape.

3 Tips for CCPA Enforcement During COVID-19

Posted on by

As we move into the second half of 2020 and the California Consumer Privacy Act (CCPA) is officially enforced, we are also in the midst of a global crisis that was not properly on the radar when the regulation was enacted in January. Organizations are now being tasked with CCPA compliance in an unexpected remote work environment, with more personal data available online than ever before. And some organizations have the added privacy challenge of contact tracing practices or applications being used internally to monitor employee health.

Even in the remote work environment, relevant companies must ensure that they are informing customers and staff about what data they are collecting, options for which personal details are being gathered, the right to say no and opt out of data collection, the right to request deletion of their information, and equal pricing despite their privacy selections.

Many businesses are still struggling to implement these guidelines and are attempting to avoid significant penalties, all while meeting uptime demands. Below are some tips from security and technology industry experts for the best ways to implement CCPA compliance:

Rely on Data Privacy Regulation Experts 

There is increasing uncertainty around many businesses’ futures, and therefore, it is critical to turn to data privacy regulation experts for advice, guidance and technological support. 

“With exponential amounts of enterprise data only increasing, ensuring data privacy involves layered, complex challenges for any business. From a cloud hosting perspective, meeting evolving compliance and privacy regulations, such as the CCPA law which is just beginning to be enforced, is one of those layers. One of the most important steps organizations can take to guarantee they are on the right path towards compliance is to rely on hosting providers that have teams experienced with privacy law regulations,” said Lex Boost, CEO of Leaseweb USA.  

While it may be tempting to rely on internal teams during the economic downturn, employee burnout in already resource-strapped IT and security teams could cost the companies more in talent loss and potential breaches/fines. Thus, companies should evaluate external providers.

Boost also said, “These providers can guide the process needed to guarantee data is managed within current and upcoming privacy regulations, allowing organizations to focus on maximizing data usage and the experience for their customers.”

Have the Right Cybersecurity Measures in Place 

Proper cybersecurity measures are often major components for achieving compliance with a variety of regulations, but especially the CCPA, which is focused on protecting sensitive data and users’ privacy rights. With major hacks making recent headlines at companies like Twitter, and ransomware attacks that threaten to exfiltrate and leak private data on the rise, companies should be on high alert.

“Nobody is safe from an attack leaking personal information, and it’s absolutely essential that correct cyber measures are in place to secure privileged accounts, in particular, as thoroughly as possible. With more information online and spread out than ever before, hackers not only have the ability to scam people, but also undoubtedly have access to private messages, security information, and other personal data,” said Torsten George, cybersecurity evangelist at Centrify.  

On top of increasing breach risks, many companies’ distributed workforces are making security preparedness even more complex. But there are solutions, according to George: “To protect organizations during this transitional remote working phase and the implementation of CCPA, it’s imperative to provide your IT administration teams, outsourced IT, and third-party vendors with secure, granular access to critical infrastructure resources regardless of location and without the hassles of a virtual private network (VPN). Privileged access management solutions can both maintain compliance and enable secure remote access to on-premises and cloud-based infrastructures, securing all administrative access with risk-aware, multi-factor authentication (MFA), and maintaining the level of compliance CCPA requires.”

Look Toward the Future 

The CCPA currently protects Californian’s privacy rights, but many legal and security experts think this could inspire a similar regulation at the federal level if it is successful.

“The CCPA is the first law of its kind in the United States, and it could set a precedent for other states. And because it applies to most companies who do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California, but the entire country. The passage of a cohesive U.S. federal privacy law, one that will preempt state laws, is gaining momentum. It has strong bipartisan congressional support, and several large companies from a variety of industry sectors have come out in favor of it, some even releasing their own proposals. There are draft bills in circulation,” said Wendy Foote, senior contracts manager at WhiteHat Security.

Foote also advised, “With a new class of representatives sworn into Congress in 2019 and the CCPA effectively putting a deadline on the debate and officially being enforced in July, there may finally be a national resolution to the U.S. consumer data privacy problem. However, the likelihood of it passing in the very near future is slim. A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law.”

It will take several months of negotiation for lawmakers to agree upon how the federal law would be implemented. While companies wait for the passage of a national privacy law and for it to take effect, they must continue to monitor developments in both state and federal privacy law and adapt as necessary.

Consumer privacy will continue to evolve, particularly in the time of COVID-19. Because of this, newer laws and regulations, like the European Union’s GDPR and the CCPA, must be flexible and evolve over time too.

Spending Risks Shift as the Pandemic Continues

Posted on by

When Twitter offered permanent work-from-home status to all of its 4,600 employees in response to the COVID-19 pandemic, it did so with a $1,000 stipend per employee to furnish and set up functional home office spaces.

For many organizations, such a sweeping move would carry higher risk as more employees, especially those not trained in company spending policy, would be expensing items. During COVID-19, enterprises of all sizes contend with the changing financial implications of adjusting business practices.

Data scientists at Oversight—a global leader in spending management technology—saw out-of-pocket spending increase 17% from April to May and expected this number to rise further in June as more employees without a corporate card make COVID-related expenses. These findings are published in the company’s Spend Insights Report, which analyzed information derived from customer interviews, market observations and Oversight data.  

Several Oversight clients reported finding big-screen TVs and soundbars on expense reports for work-from-home setups. Any of these could ultimately be for personal use or resold for personal gain. One client found that one of its employees spent $7,000 in corporate funds to set up a new home office space.

The months since COVID-19 forced employers everywhere to pivot their office strategies and open expensing capabilities to a broader subset of the employee base. As a result, the fundamental assumptions about spending and risk management in finance operations no longer apply.

New patterns of risk are emerging from these new transactions. However, finance operations teams that take the time to analyze these patterns can develop best practices.

Five key lessons enterprises should understand about spending risk in the 2020 business environment are:

1. Good and Bad Spending Have Reversed Roles

When the rapid shutdown of normal business operations forced the global workforce to shelter in place, travel discontinued abruptly. Airline and transportation activity plummeted in both March and April, as did hotel spending. But purchasing activity was higher than expected in the high-risk categories of mail/phone orders and miscellaneous stores (including merchants such as Amazon, Best Buy and Apple), while out-of-pocket expenditures in the name of business continuity increased dramatically. The result was a business scenario in which much of the historically “good” spending, like travel expenses, was suddenly deemed wasteful to the organization. In contrast, much of the traditionally categorized “bad spending” was now necessary.

2. The Pattern of Risk is Shifting, As is Mitigation Collaboration

Because the risk looks significantly different than it did before the pandemic, finance operations teams are applying more scrutiny to employee spending, and collaborating more. Operations teams are engaging more than ever with counterparts in forecasting, tax and audit to navigate the nuances of risk during the crisis, creating a new best practice that makes identifying and mitigating spending risk easier.

3. Rising Miscellaneous and Out-of-Pocket Costs Cause Payment Platform Risk

Third-party payments increased 40% year-over-year in April according to the Spend Insights Report, as the pandemic drove a significant increase in online shopping activity. That shift to online—as reflected in rising miscellaneous and out-of-pocket spending—was often processed using third-party payment platforms like PayPal and Stripe. When employees spend using these platforms, organizations are exposed to greater risk due to limited visibility into transaction and vendor data.

4. New People Spending is New Risk

Regardless of COVID-19’s impact on an organization, one good rule is that risk is a function of people. According to Oversight data, 70% of employees are good stewards of corporate funds. An additional 25% may make errors or act out-of-policy in certain circumstances, but these individuals are not intentionally involved in waste or fraud. The remaining 5% of employees could use opportunities like COVID-19 to spend maliciously or otherwise act outside of corporate compliance guidelines. Every organization’s goal should be to engender visibility into the 5% of bad actors, while simultaneously seeking to better inform the remaining 25% about the steps they can take to adhere to policy. 

5. Align your Teams and Tools to Ensure Visibility into Spending

By quickly understanding as an organization what employees are spending on today, and at what frequency, leaders will be better suited to manage and mitigate risk. While the profile may be different than before the pandemic, the same tools that guided visibility into spending and risk are available to help organizations understand and analyze spend in the new business climate.

The situation at most organizations is fluid. The essential take-away is to develop a framework and process for near-real-time awareness of employee spending and the associated risks. By recalibrating your sense of the necessary expenditures now, organizations can ultimately ensure continuous control over risks as they emerge.