Where a Breach Happens: Threats to Financial Institutions

Securing Financial Institutions

Every business has assets it can’t bear to lose, and for financial institutions, those assets include money, financial information about consumers, and consumers’ personal data. Financial institutions need personal data in order to verify financial information, and protecting all of that data is a responsibility. In this white paper, we’ll discuss four major areas of concern that financial institutions must take into consideration when securing their sensitive assets: ATMs, mobile and web applications, employees, and buildings.

Threats to the Outside of Financial Institutions

ATMs, mobile applications, and web applications all pose major threats to financial institutions. ATMs are vulnerable by nature: they are physical, they are left unattended more often than not, they hold what a hacker wants, and they’re connected to a network. Older or stand-alone machines are typically easier targets, as there are fewer eyes on them and their security measures may not be up to date. Banks and ATM providers have come up with physical ways to protect against and detect card skimming, but there are still ample ways for an ATM to be attacked. In fact, we see hackers turning to malware for a more damaging attack vector.

Likewise, today’s technology allows for convenience when banking, trading, insuring, or seeking advice on wealth management. Consumers can typically access their financial information at any time through mobile and web applications. When using a mobile app, the device’s attack surface is huge: the browser, the system, the phone itself, and the apps could all be targeted. When using a mobile or wireless app, the network is susceptible to weak encryption, Man-in-the-Middle attacks, packet sniffing, and more.

No matter how secure you believe your mobile or web app is, it needs to follow the guidance of frameworks and regulations like ISO 27000, FFIEC, SEC, NIST, and NY CRR 500. Implementing these industry-accepted best practices will help financial institutions secure mobile and web apps across devices, networks, data, applications, and user access.

Want the full guide to threats to financial institutions?


Where a Breach Happens: Threats to the Hospitality Industry

Securing the Hospitality Industry

The success of a hotel, resort, or casino depends on guests feeling safe. That’s why, in the hospitality industry, cybersecurity and physical security go hand in hand. Any insecure access point, such as security systems, power supply, security cameras, or HVAC systems, is fair game to a hacker.

A cybersecurity attack on your security systems can be a major downfall for your business. If a hacker has control of your automatic doors, is there a business continuity plan that establishes how guests and staff can get in and out of the property? How secure are your keycards and door locks? What is the protocol if your security cameras go dark? In this white paper, we’ll discuss three major areas of concern that those in the hospitality industry must take into consideration when securing their sensitive assets: the front desk, amenities, and rooms and suites.

The Front Desk: A Gateway for Breaches

The gateway to any hotel or resort is the front desk. There is always an employee ready to help guests with whatever they need. The front desk poses several major risk areas, including the computer system, the phone, the card readers, and the employees themselves. For example, think about the impact an attack on a hotel’s point-of-sale (POS) system would cause. Attacks on POS systems are among the most common in the hospitality industry, accounting for 90% of all breaches. Why? In a single hotel, there are multiple POS terminals and no established best practices for protecting them. A resort, for example, not only has several front desks, but is also home to restaurants, gift shops, spas, bars, etc. Each of these amenities will have multiple POS terminals, giving hackers ample opportunity to infect the POS system with malware. Once they’re into that system, they can skim the data processed through that terminal or even gain access to a much larger database. But attacks on POS systems aren’t the only point of entry malicious individuals use to gain access to sensitive information. Are you ready to learn how you can secure your business?

Get the full guide to threats in the hospitality industry.

6 Information Security Basics Your Organization Needs to Implement

What Should be Included in an Information Security Program?

Ensuring that sensitive information remains secure, available, and confidential is the most important goal when setting up an information security program, but knowing what you need to include to make that happen can be challenging. In today’s threat landscape, organizations must make it a priority to identify and mitigate any potential vulnerability in their information security system, and that process begins when organizations first set up their information security program. In this guide, you’ll learn about six information security basics that your organization should implement to keep its sensitive assets secure.

The Basic Components of an Information Security Program

  1. Firewalls: Any device connected to the Internet is susceptible to falling victim to a cyberattack, which is why firewalls are deployed to filter out unwanted network traffic.
  2. Network Access Controls: Network access controls are used by organizations to mitigate the risks of unauthorized users gaining access to their information systems.
  3. Acceptable Uses for Technology: While the advancement of technology has allowed for the growth of many industries, maintaining old technology and introducing new technology into an organization’s environment can create new security vulnerabilities. This is why organizations must establish acceptable uses for technology.
  4. Password Best Practices: Although all passwords are capable of being compromised, there are a few tried and true password best practices that organizations should follow to ensure that their personnel and networks remain secure against the advancing threat landscape.
  5. Multi-Factor Authentication: Enabling two-factor authentication (2FA) or multi-factor authentication (MFA) is a proactive way for organizations to add an additional layer of security to their systems.
  6. Antivirus Software: Antivirus software is a program that is designed to prevent, detect, and remove software viruses.

Want the full guide on information security basics?

Privacy Policies Built for CCPA Compliance

Updating Your Privacy Policy for CCPA Compliance

If 2018 was the year spent anticipating the GDPR enforcement deadline, 2019 will be the year US states begin enforcing their own data privacy laws. While the California Consumer Protection Act (CCPA) isn’t the first US data privacy law to go into effect, it has certainly gained more attention than others. This could be largely because of its similarities to GDPR, but it could also be because it’s the strictest US data privacy law of our time. And though the CCPA doesn’t go into effect until January 1, 2020, provisions within the law require that businesses provide data collected from up to 12 months prior to the enforcement date, which means that organizations must begin their CCPA compliance efforts now. If you’re a US-based company or have clients located in California, you’ll need to update your privacy policy to ensure compliance with CCPA. Check out these 10 ways that you can accomplish this.

What Should a CCPA-Compliant Privacy Policy Include?

Many of the best practices that organizations are using to comply with GDPR will be effective when beginning to comply with CCPA, but there are some slight differences when meeting the CCPA’s privacy policy requirements. Section 1798.130(b) of the CCPA states the information that must be provided when personal data is collected from California data subjects, which includes, but is not limited to:

  • A description of consumers’ rights under CCPA
  • A description of the purposes of processing personal information
  • A description of the categories of personal information to be collected
  • A definition of the process for requesting the personal information collected about individuals
  • A description of the right to deletion
  • A description of the right to disclosure

Want the full checklist?

What Type of Compliance is Right for You? 10 Common Information Security Frameworks

Deciding to undergo an information security audit can be daunting for the sole reason that there are so many frameworks and regulations to learn about. SOC 1, SOC 2, SOC for Cybersecurity, PCI DSS, HIPAA/HITECH, HITRUST CSF, ISO 27001, GDPR, FISMA, and FERPA – what do they all mean? Which framework or regulation does your organization need to comply with? Which one best suits your organization’s needs? In this guide, you’ll learn about the 10 most common information security frameworks, who they apply to, and how they can benefit your organization.

Commonly Used Frameworks

Of the 10 commonly used information security frameworks included in this guide, the top three frameworks are SOC 1, SOC 2, and PCI DSS. So, what are they?

SOC 1: A SOC 1 audit is an audit that is performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SOC 1 reports are designed to report on the controls at a service organization that could impact their clients’ financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of internal controls over financial reporting.

SOC 2: As a service provider, how do you validate the security of your services? A SOC 2 audit evaluates internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. These five established categories, known as the Trust Services Criteria, address questions like: How are your policies and procedures relative to the standard documented? How do you communicate them to all interested parties? How do you monitor that those controls are being performed effectively?

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a robust information security standard that encourages and enhances cardholder data security by providing industry-recognized data security measures. In other words, a PCI audit is an information security audit focused on the protection of credit card data. All PCI audits must be performed by a PCI Qualified Security Assessor (QSA) and are designed to test whether an organization is compliant with the 12 technical and operational requirements established to protect cardholder data.

Want to Learn About 7 More Frameworks?