Tag Archives: byod

Immediate Vault Immediate Access

Six Considerations Impacting Strategic Regulatory Change Management

Posted on by

Regulatory change management (RCM) is one of the most important risk and compliance related domains in 2021, thanks to two key drivers. First, the shift from Republican deregulation to Democratic control and an expected uptick in regulatory requirements. Second, similar to the 2008 crash, the pandemic-induced economy and focus on Paycheck Protection Program (PPP) loans caused many banks to relax their regulatory exams and requirements, while regulators gave companies extra runway for transitioning processes and policies for remote/work-from-home models.

Sometimes regulatory changes are significant enough to change business strategy. In 2021, chief risk officers must be prepared to quickly adapt and react to a historically volatile risk management environment.

buy advair online dentalhacks.com/wp-content/uploads/2023/10/jpg/advair.html no prescription pharmacy

When thinking about an updated, strategic regulatory change management program, here are six considerations for chief risk officers:

1. Lax compliance during the pandemic in 2020 may have introduced hidden risk for activities that normally would have had deeper oversight. 
Sometimes rule changes can also introduce new risks or eliminate a previous risk that needed to be managed, such as potential new default rates around extensions, forfeiture and other things. For example, historically low interest rates present a vexing risk for banks dealing with less profit but just as many loans to process.

buy xenical online dentalhacks.com/wp-content/uploads/2023/10/jpg/xenical.html no prescription pharmacy

What kind of new risk may be found within those loans?

2. When communicating change across the enterprise, establish responsibility to manage it.
Once you understand which regulations have changed, prioritize those that present the most risk, identify what department’s products and processes are impacted, and determine who is responsible for managing those policies. Having a secure central repository for communicating, storing and managing compliance documentation, versus relying on employees storing information on devices outside corporate servers, is ideal.
buy proscar online dentalhacks.com/wp-content/uploads/2023/10/jpg/proscar.html no prescription pharmacy

 

3. If conducting quarterly testing of compliance requirements, it may be challenging to identify key areas in advance that could slip, such as controls around IT/cybersecurity.
When the risk portfolio changes, the controls to manage those risks must be updated accordingly. Firms that may now be less dependent on management oversight and more dependent on confirmations that processes are being followed should put automated controls in place to verify those activities.

4. Companies should shift to best practice or common checklists that can be standardized and shared across the enterprise. 
Assessment checklists are a great way to ensure that all requirements are being met for a wide variety of business processes. Once checklists have been updated, cloud-based software systems can track who has access and can also notify when changes happen. 

5. Historically done manually in-house by visible teams, monitoring and testing for compliance purposes will be conducted remotely. 
The visibility of those tests presents significant challenges, and it is critical to determine how errors and issues will progress and be communicated to the remote testing teams, management, and the organization at large. 

6. Verifying and certifying online training for remote employees can be daunting. 
Creating courses formalized for online training represents a major compliance and process change, particularly for companies in industries with limited work-from-home models, such as financial services. Training materials will need to be updated for new employees, while previously trained employees will need to be retrained. 

67% of Hotel Websites Expose Guest Data, Study Finds

Posted on by

According to new research from cybersecurity company Symantec, 67% of hotel websites are leaking customer reservation details and other personal information. Candid Wueest, the company’s principal threat researcher, tested more than 1,500 hotels in 54 countries, including low-cost to high-cost hotels, as well as both chain and independent hotels.

buy tobradex online desiredsmiles.com/wp-content/uploads/2023/10/tobradex.html no prescription pharmacy

symantec hotel data exposureWhen a customer uses a hotel’s website to book a room, the site usually creates and sends them a link so that the customer can directly access  and manage their reservation.

buy desyrel online desiredsmiles.com/wp-content/uploads/2023/10/desyrel.html no prescription pharmacy

According to Symantec, part of the problem is that third-party advertisers on hotels’ booking websites and web analytics companies (which track web traffic) can access customers’ bookings because they also get those links. This means that advertisers and analytic companies – including any potential malicious actors among their employees – could access and steal the information that the customer entered when booking a room, and even change or cancel the reservation.

Symantec also found that more than a quarter of the hotel websites examined do not send secure, encrypted links in their confirmation emails. Encrypted links prevent anyone trying to hijack a customer’s data from being able to see that data. If a customer received a confirmation email while using an unprotected WiFi (a public network in a café or an airport, for example), a cybercriminal could intercept that customer’s emails and use the unencrypted hotel booking link to access the customer’s booking. Some of these automatically generated links also contain details like customers’ email addresses in the web address, which makes accessing their information even easier for cybercriminals.

Additionally, many hotel websites are vulnerable to a type of cyberattack called “brute forcing,” where an attacker can use the customer’s email address and guess their booking number to gain access to the reservation and personal information. In some cases, Symantec found that hotel websites did not even require an email address to access customers’ reservation information via brute forcing. Though this method would not be useful to gain access to large amounts of customer data, attackers could use it to target individuals, like a specific CEO or conference attendee.

Wueest noted that hotels have thus far been slow to respond to these data exposure risks, and some have not responded at all. When he alerted the hotels’ data privacy officers to the problems in their sites, 75% responded, and those who did took an average of 10 days. Hotels and their information security staff should promptly assess their booking processes to ensure they are minimizing the risk of potential data leaks and breaches.

buy elavil online desiredsmiles.com/wp-content/uploads/2023/10/elavil.html no prescription pharmacy

By leaving these gaps in their websites’ security, they are endangering their customers and opening themselves up to risk, including potential liabilities and reputational damage.

Symantec recommends that hotels use encrypted links, and ensure that the automatic links generated do not include information like customers’ email addresses. It also recommends that customers use Virtual Private Networks (VPNs, services that protects users’ internet traffic) when booking or accessing their reservations using public WiFi to prevent any cyberattacker from intercepting any information that would provide a way in.

The report should also serve as a reminder that corporate employees’ personal devices and personal information are popular targets for cybercriminals and can be especially vulnerable to risks while traveling. Any time an employee exposes their devices to unprotected networks or, in this case, insufficiently protected websites, it leaves both the employee and their employer at risk. Even if an employee is using their own device to conduct business, it still endangers their employer because it may expose valuable business information. Cybercriminals have particularly used the hospitality industry as a hunting ground for such attacks, for example, targeting individuals using hotel WiFi, tricking them into downloading malicious software and stealing their information or spying on their internet activity.

BYOD: Three Lessons for Mitigating Network Security Risks in 2015

Posted on by

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.

 

33% of Employees Fail to Meet Minimum Security Standards for BYOD

Posted on by

Bring Your Own Devices

By 2017, half of employers will require employees to provide their own mobile devices for work use, Gartner reports. There are many benefits to BYOD policies, from greater productivity on devices users are more comfortable with to lower corporate costs when businesses do not have to purchase mobile equipment or service plans. But securing these devices poses tremendous risk that may not be worth the reward.

According to data security firm Bitdefender, 33% of U.S. employees who use their own devices for work do not meet minimum security standards for protecting company data. In fact, 40% do not even activate the most basic layer of protection: activating lock-screen features. Further, while the majority of workers could access their employer’s secure network connection, only half do so.

Bitdefender reports that there are 5 core security functionalities a strong BYOD policy should check:

  • Data encryption, for data residing on the employee’s device and for data transiting different channels.
  • Application access control, using port knocking, whitelists and intrusion prevention systems, for enterprise apps communicating with company servers.
  • Mobile malware detection and removal, to ensure clean devices enter the company and to keep them malware-free throughout their use.

  • Real-time app and website scanning, to make sure the device does not get infected by malicious apps or websites when the employee wants to download/access them.

  • App permission management, to allow employees to see exactly what types of information does an application require permission to access and share with the application vendor.

Check out more of the study’s findings below:

Bitdefender BYOD infographic