Risk Reduction: #1 Concern of Bank Boards

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
  • 63 percent said that a separate risk committee on the board oversaw risks.
  • 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren’t doing this.
  • 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to supply limits to the board and management.
  • The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren’t getting fully used.
  • And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
  • 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

How to Safely and Securely Recycle Devices

Don’t just throw out your old devices; take measures to protect your personal information.

Back Up

Before getting rid of your device, back up everything on it—everything. Use an automated PC service and/or a flash drive. For iOS and Android, activate Apple’s iCloud or the Google Auto Backup service.

Wipe

Wiping refers to removing all your data. Simply hitting “delete” or reformatting the hard drive won’t do. I purchased 30 used computers off Craigslist, scoured their hard drives with a forensics expert, and discovered that half of the devices—that had been reformatted—still had personal information.

To wipe Windows PCs, you can use Active KillDisk. For Macs, use the OS X Disk Utility or WipeDrive. A factory reset should be enough to secure most recent smartphones, provided that you remove any SIM cards that could contain personal info. To be super safe, use Blancco Mobile to wipe the iOS or Android device.

Destroy

If you can’t wipe the device, destroy it if you don’t plan on donating or reselling. For example, I recently recycled a laptop that was missing its power supply, so there was no way to turn it on and wipe the disk. Instead I removed the hard drive with a screwdriver, and then took a sledgehammer to it. (Aside from protecting my personal data, it was also a lot of fun.)

Recycle

Ask the recycling company just who does the downstream recycling so that your e-waste doesn’t find its way into a foreign landfill. Make sure the company is part of R2 (Responsible Recycling) or e-Stewards certification programs.

Keep Records

Make sure you document donations with a receipt so that the IRS can give you a little return.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Be your Family’s Chief Security Officer

Schlage is all about safety and security. But you need not be in the profession of security analyst to be vigilant about your home and family’s security. And when it comes to security, this doesn’t just mean protection from home invasions and burglaries, but anything and everything, such as online security and guarding against viruses, hackers and other fraudulent invasive cyber crimes that can really mess things up for you or a family member.

Be your family and home’s Chief Security Officer, even if your job outside the home is unrelated to security measures. Make sure everything is safe and sound inside your home. This includes child-proofing the house; senior-proofing if there are elderly occupants; and just in general, making the environment safe—e.g., cleaning up spills on the floor to prevent a disastrous fall.

I won’t lie: This kind of vigilance requires a lot of thought to get it rolling. It’s not second nature to many people, but they can work on that element and improve over time so that it’s automatic to put the alarm system on when going to bed.

You must be fierce so that fires don’t start in your home, and so that you don’t end up in the news as a victim of a crime.

Sometimes, a person’s greatest enemy is themselves. So you have all the windows penetration-proofed, triple bolts on all the doors, maybe a protection dog and an extensive video surveillance system…but for one second you get lazy and don’t lock your doors, and after you leave, taking the dog with you, some bad guy chooses your home simply because he saw you leave. Locking your doors, that little extra effort, might have saved all kinds of heartache.

So it takes a little extra time to create a safety system, and then stick with it, to prevent bad things from happening. If you can’t make time for safety and security, you’ll have to make time for catastrophe. When you make security a habit, it really doesn’t require that much effort after a while. Lead your family and home as its Chief Security Officer.

Robert Siciliano, home security expert to Schlage, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247.

Top Security Techniques That Work For The Masters

Banks know security just about better than anyone. Find out what they can teach you about safeguarding your small business.

Security is a journey, not a destination. This is a security industry axiom that means we can strive for security, and by making this effort, we can put ourselves on a path to security. But while we may achieve a relative degree of security, our businesses will never be 100 percent secure—the destination we all strive for. Even Fort Knox, the White House and the New York Stock Exchange are vulnerable.

But that doesn’t mean we shouldn’t strive to reach our destination. In order to protect our businesses, we can apply strategies that significantly reduce our risk level. One of the best security techniques is layering. Layers of security make a criminal’s job more difficult, as they are forced to address all the vulnerabilities in our business.

Helen Keller once said, “Security is an illusion; life is either a daring adventure or nothing at all.” Her quote has significance, although it’s not entirely accurate. That’s because security is part illusion and part theater. The illusion, like a magic act, seems believable in many cases.

Security theater, on the other hand, refers to security intended to provide a sense of security while not entirely improving it. The theater gives the illusion of impact. Both play a role in deterring criminals, but neither can provide 100 percent security, as complete security is unattainable. Hence, security is a journey, not a destination.

Banks know security, both the illusion and the theater. They have to, because robbers target these buildings daily. Because banks want to promote a friendly and inviting environment, consumers are mostly oblivious to the various layers of security that financial institutions utilize to protect their bank accounts. And that’s not a bad model to follow.

What Banks Know About Security

Banks have multiple layers of security. The perimeter of most banks is often designed to include large windows, so passersby and law enforcement can easily see any problems occurring inside. The bank’s doors also have locks. There is, of course, an alarm system, which includes panic buttons, glass-break detectors and motion sensors. These are all layers, as are the security cameras, bulletproof glass and armed guards. Ideally, the tellers and members of management should have robbery-response training. Many banks also use dye packs or GPS devices to track stolen cash.

All banks have safes, because banks know that a well-constructed safe is the ultimate layer of security. A safe not only makes it extremely difficult for a bank robber to steal the bank’s money, but it also protects the cash in the event of a fire.

And then there are the multiple layers of computer security. The basics include antivirus, antispyware, antiphishing and firewalls. However, there are numerous additional layers of protection that monitor who is accessing data and why, and numerous detectors that look for red flags which indicate possible identity theft.

Banks also recognize that a simple username/password is insufficient, so they require their clients to adopt multifactor authentication. Multifactor authentication is generally something the user knows, such as a password or answers to knowledge-based questions, plus something the user has, such as a smart card, token or additional SMS password, and/or something the user is, such as identification through a biometric fingerprint, facial recognition, hand geometry or iris scan. In its simplest forms, multifactor authentication occurs when a website asks for a four-digit security code from a credit card or installs a cookie on your machine, or when a bank requires a client to add a second password to his or her account. Some institutions also offer or require a key fob that provides a changeable second password (a one-time password) to access accounts, or it might require a reply to a text message in order to approve a transaction.

Every layer of protection the bank adds is designed to make it harder for a criminal to get paid.

Consider a layered approach for your small-business security plan. Think about the current layers of business protection you have in place, and then consider how many more layers you might want to install to ensure a seamless customer experience and a security-minded culture.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

11 Tips to Hotel Safety and Security

Can you name 11 tips for hotel safety and security? How about just five?

Have you ever walked down the hallway of a hotel and passed by rooms with doors left wide-open by cleaning staff? Ever thought of how easy it would be to enter and pretend the room is yours? Imagine what you could steal.

This is why a hotel that takes security seriously will be very strict about who is issued an electronic key to rooms, and will issue regulations regarding housekeeping tasks. In more remote hotels or those in less developed countries, the hotel staff itself may be the thieves.

Nevertheless, whether you’re in the ritziest hotel or the shoddiest dump, Schlage locks wants you to know there’s a baseline of precautions you should take.

#1. Never leave valuables in your room unless you’re present. If you must, use the hotel safe and be sure to get a receipt.

#2. When in the room, keep the door locked, including the chain feature.

#3. Always use the peephole before opening the door.

#4. If you anticipate the door won’t have a lock (such as in a foreign country), bring along a traveler’s door lock, a motion detector that you hang on the knob that sounds when the door opens, and/or a doorstop alarm—it wedges against the door’s base.

#5. Don’t open the door to strangers.

#6. If the “stranger” claims to be a hotel service person, call the front desk for verification first.

#7. Consider having all food deliveries made to the lobby. This isn’t convenient, but it’s safer. You never know if the delivery person is actually a predator looking for a target. Men should also practice this procedure; men can be targeted for violent crimes too. The delivery person may also case you as a potential target later on.

#8. Be mindful of what you leave outside your door. E.g., what appears to be leftovers from one person’s meal indicates you’re alone.

#9. Before going to bed, double check all possible entry points.

#10. Make people think you’re there when you’re not: Place the “do not disturb” sign on the door—after you put the TV on loud. But first make sure this won’t coincide with maid service.

#11. If your hotel wants you to turn your key in when you go out, keep the key so that nobody knows you’re out.

Robert Siciliano, home security expert to Schlage, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247.

Windows XP Not Dead Yet—but Users Beware

Would you reasonably expect success when attempting to drive cross country in a 1975 Pinto with bald tires, no brakes, dried cracked belts and with already 250k on the motor? You might if you didn’t stop and think about things.

The same is true of an individual or a business who’s still using a Windows XP operating system on devices that have even 1 megabyte of sensitive data. You cannot reasonably expect security with one of the most hacked operating systems in existence.

But I digress. Fret not, there’s temporary hope yet for Windows XP procrastinators: Microsoft is extending support into 2015. It was previously believed that April 8, 2014 was the end of the world for support towards MS Security Essentials, System Center Endpoint Protection, Forefront Endpoint Protection and Forefront Client Security.

This meant that on that date, new malware signatures plus engine updates to XP users would cease, even though updates for the same software that was running on Windows Vista would continue to be provided.

However, a recent blog post by Microsoft’s Malware Protection Center notes that XP users will continue receiving support—but it won’t last long: July 14, 2015 will be here before business owners know it.

With hackers swarming in like killer bees, knowing that XP’s support’s days are limited, XP users must stay in heavyweight mode for any attacks. Thieves can even use new security updates for Windows Vista (and later) as a guide to hacking into systems running on XP.

Anti-malware solutions aren’t very effective on operating systems that lack support, and hackers know this. But more alarming is that fewer users, including business owners, are ready to accept this or even have a clue about it.

After all, it’s estimated that almost 30 percent of all the personal computers across the world are using Windows XP. Business owners and other decision makers of organizations need to overestimate just how risky it is to cling onto an old favorite rather than promptly switch to a new system that has stronger support.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Tightening up Security is Everyone’s Responsibility

Most information technology (IT) experts are very much unnerved by cyber criminals, says the biggest study involving surveys of IT professionals in mid-sized businesses.

  • 87% send data to cloud accounts or personal e-mail.
  • 58% have sent data to the wrong individual.
  • Over 50% have confessed to taking company data with them upon leaving a post.
  • 60% rated their company a “C” or worse for preparation to fight a cyber threat.

Here is an executive summary and a full report of the survey’s results.

A second study also revealed high anxiety among mid-size business IT professionals.

  • Over 50% of those surveyed expressed serious concern over employees bringing malware into an organization: 56% for personal webmail and 58% for web browsing.
  • 74% noted that their organization’s networks had been infiltrated by malware that was brought in by web surfing; and 64 percent via e-mail—all in the past 12 months.

The above study is supported by this study.

  • 60% of respondents believed that the greatest risk was employee carelessness.
  • 44% cited low priority given to security issues in the form of junior IT managers being given responsibility for security decisions.

The first (biggest) study above showed that about 50% of C-level management actually admitted that it was their responsibility to take the helm of improving security.

And about half of lower level employees believed that IT security staff should take the responsibility—and that they themselves, along with higher management, should be exempt.

The survey size in these studies was rather small. How a question is worded can also influence the appearance of findings. Nevertheless, a common thread seems to have surfaced: universal concern, and universal passing the buck. It’s kind of like littering the workplace but then thinking, “Oh, no problem, the custodian will mop it up.”

  • People are failing to appreciate the risk of leaving personal data on work systems.
  • They aren’t getting the memo that bringing sensitive data home to personal devices is risky.
  • Web browsing, social sharing and e-mail activities aren’t being done judiciously enough—giving rise to phishing-based invasions.

IT professionals are only as good as their weakest link: the rest of the employees who refuse to play a role in company security will bring down the ship.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Cloud Computing 101

A public cloud service can bring on five risks to a business. Here they are, and their solutions.

The three A’s: authentication, authorization, access control. Here are some questions to ponder about a cloud service:

  • How often does it clean up dormant accounts?
  • What kind of authentication is necessary for a privileged user?
  • Who can access or even see your data?
  • Where is it physically stored?
  • Does your organization share a common namespace with the service (something that greatly increases risks)?
  • Are private keys shared among tenants if data encryption is used?
  • Ask your cloud vendor these questions. Get answers.

Multiple tenants

There’s always that concern of data inadvertently slipping out to tenants who share the cloud service with you. One little error can expose your data and set you up even for identity theft. Breaches that can occur include: accessing data from other tenants from supposedly new storage space; and peering into other tenants’ IP address and memory space.

Virtual exploits

There are four chief kinds of virtual exploit risks: 1) server host only, 2) host to guest, 3) guest to host, and 4) guest to guest. Many cloud customers are in the dark about virtual exploits and are clueless about the vendor’s virtualization tools. Ask the vendor:

  • What virtualization products do you have running?
  • What’s the version currently?
  • Who is patching the virtualization host?
  • How often?
  • Who’s able to log into any virtualization host and guest?

Ownership

Here’s a surprise: Quite a few cloud vendors state in their contracts that the customer’s data belongs to the vendor, not the customer. Vendors like ownership because they get to have more legal protection should a mishap occur. They can also do other things with the data that can bring more profit.

  • Find out if the contract contains language referring to vendor ownership of data.
  • Learn what the cloud provider can do with it if indeed, they get ownership.

Fallibility

Even the biggest and best cloud services can become dismantled due to service interruptions, attacks or some miscellaneous issue with the vendor.

Funny, because a cloud provider typically insists it has superior, super-protected data backups in place. Be aware that even when a provider claims a guarantee for data backup, data can indeed get lost, even permanently.

  • Back up your data!
  • Require some language in the contract that entitles you to damages should your data become permanently lost.

Cloud services haven’t been around long enough for analysts to have come up with a predictable, clear model of all the possible risks, how likely they are, likeliness of security failures and how much, if at all, risks will negatively impact customers. And that’s just in general. Figuring this out for a particular vendor is even more vexing.

  • There are many unknowns, but at least you can work on minimizing them.
  • Obtain a copy of the vendor’s last relevant, successful audit report.
  • Seek out information from the vendor about prior incidents of tenant data problems.
  • Ask the vendor about its policy of reporting data compromises to customers.
  • Grind out just what the provider’s responsibility really is.

Robert Siciliano is an Identity Theft Expert and is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

You’re Not a Cop or Firefighter…but You Still May Be in a High-risk Profession

One of my audiences is real estate agents. I present programs on personal security and how they can avoid and remove themselves from dangerous situations. You see, as crazy as it seems, real estate agents are targeted by criminals every day. Rape, robbery and murder are some of the issues they face.

Lehighvalleylive reports that a man approached a model home asking if he could see it. The agent, a woman, quickly felt odd in this man’s company and told him to go inside by himself. The man returned 45 minutes later and said the home had a water leak and insisted the agent come with him to look at it, but she chose not to. When the agent’s male coworker entered the room where they were talking, the man abruptly left. When the saleswoman went into the home, she could not find a leak—but she did notice the bedroom’s curtains had been shut and the lights turned off.

The police were called. They researched the man’s truck registration, found the truck and, they report, uncovered a knapsack containing matches, duct tape, two handguns, ammunition, rope, a ski mask, metal chains and padlocks, among other items.

Scary.

It’s not just real estate agents: cab drivers, late-night store clerks and other professionals are considered at risk, too. Dealing with the public can lead to troublesome behaviors by select weirdos.

If you are in a high-risk profession, you need to think about security both on and off the job.

On the job, always be suspicious of everyone you encounter. Trust your gut, ask inquisitive questions and seek out their motivations. If something seems wrong, it is wrong. Due to the nature of your job, there will be situations unique to you. Investigate what the proper safety/security procedures are, and exercise them daily. Always stay on your toes and never let your guard down.

Off the job, your home is your haven and should be treated as such. Invest in a home security system and sleep peacefully after a crazy day dealing with the public.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

10 Holiday Security Tips

Christmas trees, mistletoe, candy canes, turkey and stuffing bring out scammers, phishers, burglars and identity thieves. I’m not purposefully trying to be a Grinch here, but I’m just reminding you that good times, unfortunately, bring out the worst in bad people. This time of the year is prime season for criminals to seek out victims and separate them from their money and stuff.

Stay merry. Here’s how:

  1. Lock up. No matter how long you are gone, lock your home’s doors and use quality locks from Schlage.
  2. Don’t forget car locks. Don’t leave your keys in the ignition; lock your car doors, even when you are at the gas station and filling up.
  3. Be aware. When in parking lots or garages, at malls or festivals, watch your back, be aware of your surroundings and look for red flags.
  4. Free up your hands. Don’t weigh yourself down with lots of bags and packages. Use a carriage.
  5. Get delivery notices. Package theft is big. Most shippers offer email notifications for tracking packages, so you have the tools with which to become acutely aware of when your stuff is supposed to arrive and be there to accept it.
  6. Set up security cameras. Inside and outside your home, you should have cameras to allow you to peek in on all home activity. They also act as a deterrent to burglars and thieves.
  7. Put your jewels away. When home or away, and even when you are entertaining, lock up your stuff in a bolted safe.
  8. Update your browser. Viruses often end up on a PC because the browser is out of date.
  9. Update your operating system. It’s not enough to have antivirus; you must also update the critical security patches in your computer’s operating system.
  10. Check your statements. Every week around the holidays, pay close(r) attention to your credit card statements and reconcile your charges.

Robert Siciliano, home security expert to Schlage, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures. For Robert’s FREE eBook text- SECURE Your@emailaddress -to 411247.