Category: Security

05 Apr 2017
5 Steps to Building a Strong Security Culture

Financial institutions face increasing pressure to provide enhanced consumer protection against phishing, sophisticated malware and fraudulent activities. Smaller organizations are the prime targets for calculated, malicious attacks, due to the sensitive financial data banks are responsible for.

Investing in technology resources is necessary to protect community banks from security breaches and attacks, but it is equally important to instill a strong security culture within the bank to help all departments and personnel adequately combat these threats. IT security is integral to running a successful institution, and banks should begin to educate and train their employees on the proper way to tackle security-related issues and safeguard customer information.


08 Feb 2017
3 Top Challenges Community Banks Will Face in 2017

To get a better understanding of financial institutions’ current IT situation, we surveyed approximately 100 bankers to identify their top IT priorities, IT challenges, security concerns and compliance issues, as well as what technologies and investments they plan to leverage in the coming year. We recently published the findings in our white paper, “2017 Community Bank Information Technology Outlook,” to provide community banks with valuable peer data that can provide guidance for key IT, compliance and security decisions in 2017 and beyond. Here are some highlighted trends from the results:


  1. Increasing Technology

     In today’s banking environment, community banks recognize and embrace the use of technology and remain committed to investing in new technologies and services moving forward. In fact, nearly 77% of respondents claim they are spending more on technology today than they have in the past. However, the challenge often lies in trying to keep pace with the rapid rate of change that is influencing their business. Community banks are continuing to explore ways to enhance and augment their IT departments, as many institutions struggle to maintain adequate personnel needed to manage the complex activities required of the IT department. To counter this, 71% of respondents have turned to outsourcing their network management and 63% have outsourced their IT support.

  2. Cybersecurity is the Greatest Security Challenge for 2017

     According to the survey, 94% of respondents foresee cybersecurity as their greatest security challenge in the coming year. No doubt this is in response to a seemingly constant stream of news about security breaches and the possible enforcement of the Cybersecurity Assessment Tool (CAT). Community banks must have procedures in place to secure customer and confidential data and recover critical business processes regardless of the source or nature of the threat. Having a thorough understanding of the CAT and how to properly complete it will help banks to improve their cybersecurity processes and better meet examiner expectations.

  3. Compliance Concerns

     Compliance issues are top-of-mind as many community banks are challenged to keep up with constantly changing regulatory requirements. This is reflected in the approximately 40% of respondents that have chosen to outsource their compliance needs. This number is on the rise and is likely to continue to increase as respondents indicate that regulators have been more aggressive as of late and examiners’ expectations and demands continue to increase. Approximately 59% of participants say they now spend more on their IT compliance needs as a result.

Other areas including vendor management, business continuity planning, information security, cloud, and email continue to provide financial institutions with room for improvement. To achieve this, community banks are increasingly turning to their peer groups when seeking recommendations to help guide their decisions regarding new technology and services. The majority, approximately 90% of the survey respondents, consistently leverage their peer network when researching a new solution or vendor.

To gain more insights into the key challenges, goals and opportunities facing community banks today, please download the full report here.

30 Nov 2016
Why Board Involvement Should Be a Key Part of Your Bank’s Information Security Program

The Board of Directors plays a critical role in overseeing all affairs of the bank. While the board typically delegates the day-to-day operational responsibilities of conducting the bank’s business to its officers and employees, it cannot delegate its responsibility for the consequences of unsound or imprudent policies and practices, whether they involve lending, investing, cybersecurity and IT practices, or any other banking activity.

Board engagement has become more important than ever. Both the FFIEC Management Handbook updated in 2015, and the Information Security Handbook just updated in September focus specifically on the responsibility and accountability of the Board as it relates to information technology oversight. Boards that do not adhere to these new standards run the risk of penalties, lowered CAMELS Scores and audit rankings, and in extreme circumstances, individual director financial accountability. From January 1, 2009, through October 20, 2016, the FDIC has authorized suits in connection with 151 failed institutions against 1,213 individuals for Director and Officer liability.

Understanding the Regulatory Responsibilities of Officers and Directors

The FDIC states that they will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation. The key to proper deliberation is that Board members be fully informed, and that requires accurate, timely and relevant information. Not just data, but actionable information, and this is where the ISO plays a critical role.

The Role of the Information Security Officer

A bank cannot just add the title ISO to an IT administrator or employee. The ISO must be a separate role. In fact, the guidance clearly states that it cannot be a production resource assigned to the IT department. Banks that do not have a separation of roles will be cited with what is known as a “Concentration of Duties” finding, which must be resolved in a specified timeframe to avoid a downgraded score or additional penalties.

The ISO is responsible for overseeing the IT budget, performance management, professional development and training, participating in planning activities and ensuring the bank is in compliance with and adhering to government regulations. To preserve independence, the ISO should report to the Board and not to IT operations management. While this separation of duties can pose a challenge for smaller community banks that have limited staff and resources, banks need to keep in mind that while cost and benefit decisions must always be considered, this is not the place for cost reductions. The overall IT and compliance issues and decisions of a bank are of the utmost importance.

According to the guidance, the Information Security Officer (ISO) is required to provide an information security update to the Board at least annually. Presenting information in a manner the Board will truly understand is the key to successful Board engagement. The ISO must present information in a manner whereby the Board is able to consume, digest, and take action on it. A simple summary report of what the bank did this year is not sufficient to engage the Board or give them the kind of information they need to make the right decisions for the institution. The pace of change in technology requires a more frequent reporting schedule.

“Credible Challenge”

The Board is expected to provide a “credible challenge” to management in the oversight of IT initiatives. Too often, when management brings something to the Board, they approve it without discussion. However, examiners are now expecting the Board to ask probing questions, understanding not only what they are approving, but also why, making sure it is the right strategic decision for the bank, and comprehending the consequences and risks of not taking action. Responses to questions such as: “Why are we doing this?,” “What are we doing?,” “What’s the significance of this?,” “What’s the risk?,” “What if we do it the wrong way?,” “What if we don’t do it”, and “What if it fails?,” should all be asked, answered, and documented.

The ISO needs to ensure that the Board truly understands the “why” behind the bank’s actions. The Board of Directors must get information they can digest and make sense of, and it is the responsibility of the ISO to provide such information. If the Board shows a lack of understanding, the consequences could range from a Matter Requiring Board Attention (MRBA) finding in an examination report, to an informal enforcement action (such as a Board resolution or Memorandum of Understanding), to a formal action, up to and including a Cease and Desist order and civil money penalties. In 2015, 36 percent of examinations of satisfactorily rated (CAMELS 1 or 2) institutions resulted in MRBAs.

Increasingly, community banks are being stretched to gather more and more information and develop detailed reports and summaries in order to remain compliant. Working with an outsourced service provider, such as Safe Systems, can help streamline this process. With the reports and comprehensive information Safe Systems provides banks, the ISO is able to more efficiently communicate with the Board, helping them to make the right decision for the bank. For more than 20 years, Safe Systems has successfully helped financial institutions improve their CAMELS Score, avoid (and remedy) enforcement orders, and fill in cybersecurity gaps to ensure IT audits and exams go smoothly and all regulators’ expectations are met.


14 Nov 2016

What Community Banks Should Budget for in 2017

Many financial institutions are entering their 2017 budget season. Creating a budget is essential in helping you execute your strategy and plan for the future. However, any shortcomings, such as the inability to respond to changes in regulation or items you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, Security and Compliance budget items that are often overlooked. Since we work with more than 300 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints, and offer some points for consideration in your budgeting for 2017.

In 2016, regulatory agencies have seemed to be more aggressive. We are consistently hearing from institutions that traditionally pass exams with ease that they have now been cited for new issues or have been asked to go above and beyond their normal remediation steps. We are now seeing that it is not uncommon for institutions to be cited for their handling of Cybersecurity Assessments, Business Continuity Planning and/or Vendor Management. 2016 was also the year of malware, and examiners are now focusing more attention on it as a pervasive problem in the industry. In addition, multiple institutions have been encouraged, if not “required,” to have a forensic analysis performed if the institution did not do a thorough job of performing their incident response procedures during a malware outbreak.

Often, once regulators cite an institution for one item, they dig deeper into other processes as well. Rarely have we seen an institution written up for one issue. The shift to a more proactive approach, including better preparation for and addressing of concerns or potential regulatory issues prior to an exam, is a much more efficient course of action and one that more financial institutions are adopting.


With these ideas in mind, here are some areas financial institutions should consider when budgeting for 2017:

  • Malware/Ransomware Layers:  $1,500 – $5,000

    While the price will depend on the layers you choose and how many you choose to add, you should really consider taking a more aggressive step in your fight against malware. If 2016 taught us anything, it is that malware, and specifically Ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past. Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers. It’s now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

    Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

  • Cybersecurity Policy and Incident Response Testing:  $4,000 – $7,500

    Cybersecurity has come under increased regulatory focus, and with the latest Cybersecurity Assessment Tool being released this year, it promises to be a hot topic for the foreseeable future. You need to make sure you keep your security, business continuity and vendor management policies and procedures up to date.

  • Business Continuity Planning and Testing:  $3,000 – $8,000

    You must ensure that your business continuity policies, procedures and practices are in compliance with constantly changing regulations. A business continuity plan (BCP) should be a living, functional document that keeps pace with any changes in your infrastructure, strategy, technology and human resources. Be sure to budget for the following:

    • BCP updated to meet current regulations
    • Annual plan testing to validate
    • Training for gaps found during test or updates to the plan
  • Robust Vendor Management Solution:  $2,500 – $5,000

    With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this.

  • New and Replacement Technology:  $500 – $10,000

    Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

    • Windows® Server 2003
    • VMWare ESX nodes 5.1 or lower (end of support August 24, 2016)
    • SQL 2005 or earlier instances (end of support April 12, 2016)
    • Domain replication from FRS to DFSR
    • Extending warranties on hardware more than 3 years old
    • VEEAM Backup & Recovery version to 8 or higher
  • Training:  $500 – $1,500

    Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. Make sure your employees and customers have access to the appropriate training commensurate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

  • Vendor and User Conferences:  $1,000 – $1,800

    It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.


05 Oct 2016

Building Success in the Banking World – Safe Systems’ 2016 NetConnect Conference Recap

Safe Systems hosted its 2016 NetConnect Customer Success Summit on September 13th in Athens, Georgia. The theme of the three-day conference was focused on customer success. Safe Systems brought together 73 financial institutions from around the country to hear inspiring keynote speakers, attend informative educational sessions, and obtain key banking industry insights designed to help them build the best financial institutions for their communities.

A key goal of this year’s conference was to provide our banking clients with the necessary tools and guidance to build successful institutions and meet stringent regulatory demands. Safe Systems presented a short tongue-in-cheek skit that began with an FDIC examiner knocking on the front door of a bank, ready to do a full analysis. The bank felt confident that it would meet the examiner’s expectations, but ended up with less than satisfactory results. The examiner emphasized the need for the senior management and board’s involvement in all areas of exam preparation to ensure success, including cybersecurity, vendor management, business continuity planning and more. This example became an important topic of conversation and a key point that Safe Systems highlighted throughout the day.

Sticking with the theme of success, Safe Systems’ President, Darren Bridges, provided opening remarks encouraging banks to not only know what they do and how they do it, but to also have a strong understanding of why. This is an important part of creating a successful institution because the “why” is what makes a bank stand out from competitors and connect with the critical needs of its customers. During the keynote session, Dr. Randy Ross gave an energetic and memorable speech on designing a remarkable culture within financial institutions. He emphasized that culture is the single most important differentiator for community banks and sets the tone for how customers interact with the institution.

Safe Systems’ vice president of Compliance, Tom Hinkel, rounded out the day’s activities with an engaging presentation, where he highlighted some of the compliance challenges banks are facing today and provided helpful advice on how they can successfully manage this complex function.

Customer feedback sessions during the conference provided insights into current IT, security and compliance issues and trends bankers are most interested in and helped to identify areas where they will need the most support. Community bankers today wear many hats, and it can be daunting to keep up with all of the changes occurring in the world of IT. One big concern for bankers at the conference was being able to manage networks effectively and ensure that all activities are running smoothly for their institutions. Other major topics included understanding cybersecurity, managing new regulations, providing proper IT training for employees, and communicating effectively on IT issues with the board and senior management at the bank.


Safe Systems also worked to create an atmosphere where customers could exchange ideas and learn more about the latest technologies and services in the financial services industry. The conference featured many trusted partners and vendors, who either sponsored the summit, exhibited during the trade show, or both. These companies included:

  • Thigpen, Jones, and Seaton
  • Banc Intranets, LLC
  • Consolidated Banking Services, Inc.
  • Rebycsecurity
  • iTransit Solutions
  • Porter Keadle Moore, LLC
  • Bitdefender
  • Jack Henry & Associates
  • CashTrans
  • ATM Response
  • Kaseya
  • Intronis

Overall, last month’s NetConnect Conference was an engaging and educational experience where bankers received invaluable knowledge and advice regarding technology, compliance, and security. Safe Systems continues to enhance its products and services to help community banks strengthen their businesses and build success! We look forward to the next event to grow and create new opportunities for our clients.

07 Sep 2016

TeamViewer Hacks Remind Banks to be Vigilant – Best Practices for Banks Using Remote Access Solutions

Like many organizations today, many community banks use remote login technology, a service or software that allows individuals to log into their computers from remote locations. With such remote access solutions, bank employees have the ability to access a computer or a network from a different branch, while traveling, or when telecommuting from home. Remote control tools also allow external IT service providers and vendors to provide support and service to their applications quickly without the hassles of a site visit. While remote access software is most definitely convenient, it also introduces security issues that need to be top of mind for banks.

This has become even more apparent in light of a recent security event with TeamViewer, the maker of a cloud-based remote control solution. TeamViewer experienced a significant data breach where malicious actors were able to take control of users’ computers through their TeamViewer accounts, and, in some cases, steal personal details such as bank and PayPal account information.

The cause behind this breach remains unclear. TeamViewer is claiming it was compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services. These third-party breaches were linked to TeamViewer accounts through the “carelessness” of TeamViewer users who, the company claims, used the same IDs and passwords across multiple sites and services; thus, when these recycled credentials were exposed elsewhere, the bad guys simply had to copy/paste stolen username and password information until they found valid credentials. In addition, TeamViewer also claims that many of its users did not take the time to set up and activate dual factor authentication features. Dual factor authentication strengthens credentials by requiring a token in addition to username and passcode information.


FFIEC Guidance Around Remote Access Solutions

While remote access solutions are becoming more popular, the FFIEC has clear guidance around remote access to systems. Primarily, the guidance states that financial institutions should disallow remote access by policy and practice unless there is a compelling business justification for its use. A “compelling business justification” is a tough standard, but most banks do use some form of remote control. For instance, many banks work with vendors that require remote access in order to access their services and provide support. If your institution deems remote access a necessity, then here are a few best practices a bank can implement to ensure their system is secure and compliant with FFIEC guidance:

Best Practices for Banks Using Remote Access Solutions

  • Maintain a detailed log of who is accessing the system, when the system is being accessed, and from where.
  • Audit applications on workstations to check for anything that might not look normal.
  • Do not use a free remote access platform.
  • Remote access solutions should be initiated by the bank directly, and not a third party.
  • Ensure there are triggers to deny access and control of the solution.
  • Passwords for remote access accounts should change every sixty days, or less. For more information on password safety, review our blog, Creating Strong Passwords to Protect Your Community Bank.
  • Review remote control logs regularly and look for login activity originating from unknown accounts or occurring during off-hours. These reviews can be done monthly or quarterly, depending upon the amount of use.
  • Have vendors use applications that remove themselves upon completion of the session.
  • Ensure remote users are fully disconnecting when their task is complete.
  • In firewalls, only whitelist specific IP addresses from which support is going to come.
  • Utilize dual factor authentication whenever possible.
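As an added example (not from the original post and not Safe Systems’ own tooling), the script below applies three of the checklist items above to a constructed set of remote-access session log lines: it flags logins from accounts that are not on the approved list, logins from source addresses outside the firewall allow list, and logins that occur off-hours or at the weekend, and it includes a simple sixty-day password-age check. The log format, account names, networks, business hours and the password-change date are all assumptions made for the example.

```python
"""Periodic review of remote-access session logs.

Checks the items the checklist above calls for: unknown accounts, sources that
are not on the firewall allow list, off-hours logins, and stale passwords.
Every value below (log format, accounts, networks, hours) is constructed for
illustration and is not taken from any real system.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical set of accounts approved for remote access (constructed).
APPROVED_ACCOUNTS = {"jsmith", "vendor-core-support", "it-admin"}

# Hypothetical allow list of vendor and branch networks (constructed). A
# session from anywhere else means either a firewall gap or an unexpected path.
ALLOWED_SOURCES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Assumed business hours; anything outside them, or on Sat/Sun, is "off-hours".
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Rotation interval from the checklist: sixty days or less.
MAX_PASSWORD_AGE_DAYS = 60


@dataclass
class Session:
    when: datetime
    account: str
    source: str
    event: str  # LOGIN or LOGOUT in the constructed format


def parse_line(line: str) -> Session:
    """Parse one 'timestamp|account|source_ip|event' line (constructed format)."""
    ts, account, source, event = line.strip().split("|")
    return Session(datetime.fromisoformat(ts), account, source, event)


def is_off_hours(when: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() <= BUSINESS_END)


def review(lines):
    """Return a list of (reason, session) findings for LOGIN events only."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        s = parse_line(line)
        if s.event != "LOGIN":
            continue
        if s.account not in APPROVED_ACCOUNTS:
            findings.append(("unknown account", s))
        if not any(ip_address(s.source) in net for net in ALLOWED_SOURCES):
            findings.append(("source not on allow list", s))
        if is_off_hours(s.when):
            findings.append(("off-hours login", s))
    return findings


def summarize(findings):
    """Count findings per reason so a monthly/quarterly reviewer sees totals first."""
    counts = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def password_rotation_overdue(last_changed: date, today: date) -> bool:
    """True when a remote-access password is older than the sixty-day limit."""
    return (today - last_changed).days > MAX_PASSWORD_AGE_DAYS


# Constructed sample log: two normal vendor/staff sessions, one admin login
# at 02:41 from an address outside the allow list, and a Saturday login from
# an account that was never approved.
SAMPLE_LOG = """\
2016-09-06T09:15:00|jsmith|203.0.113.10|LOGIN
2016-09-06T09:47:00|jsmith|203.0.113.10|LOGOUT
2016-09-06T14:02:00|vendor-core-support|198.51.100.7|LOGIN
2016-09-06T14:30:00|vendor-core-support|198.51.100.7|LOGOUT
2016-09-07T02:41:00|it-admin|192.0.2.55|LOGIN
2016-09-10T11:05:00|tempuser|203.0.113.22|LOGIN
"""

if __name__ == "__main__":
    results = review(SAMPLE_LOG.splitlines())
    for reason, s in results:
        print(f"{s.when:%Y-%m-%d %H:%M}  {s.account:<20} {s.source:<15} {reason}")
    print(summarize(results))
    # Assumed last password change for the vendor account (constructed date).
    print("rotation overdue:", password_rotation_overdue(date(2016, 6, 1), date(2016, 9, 7)))
```

In a real deployment the allow list would be generated from the firewall rules and the approved-account list from the access-request records, so the review compares what the logs show against what the bank actually authorised rather than against values typed into a script.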

What Banks Should Look for in a Remote Access Solution

While there are many remote access solutions on the market today, banks should look for solutions that have proven security measures in place. First and foremost, the solution should provide strong session encryption. In order to provide a paper trail, the solution should offer detailed logging of session details. The remote control you choose should also have a handful of additional authentication requirements, including the option to implement dual factor authentication, granular permissions that require the bank to provide specific approval for each individual support representative, and the requirement that all users have a registered account in order to access the network.

While none of our clients using TeamViewer have been hacked, the fallout has served as a reminder that banks must remain vigilant when it comes to the security of all remote access solutions they use. Enforcing security policies and access controls for employees, external IT service providers, and vendors is challenging, but when individuals have privileged access to your bank’s networks and systems, you need to ensure those accounts are managed in a secure, auditable and compliant way.

03 Aug 2016

Advice on Adding New Applications to Jack Henry Core Banking Systems

Let’s face it, keeping up with evolving banking applications, meeting customer and regulatory demands and managing and securing a network can be a huge challenge for any financial institution, especially community banks. Today, in an effort to bring customers the best features and options banking technology can provide, banks are adding applications to their networks that must integrate seamlessly with their core banking system. Each core has its own complex product matrix comprised of layer upon layer of acquired companies and products. Because of this, each core has its own specific application set and standard practices, most of which have been developed in separate silos from each other.

As a result, we typically see the core-provided solutions built in a modular fashion requiring little to no analysis of the existing environment. This can result in a disjointed network comprised of extraneous hardware and licensing that are difficult to manage and do not fit into the bank’s future strategic plans. Working with an independent IT provider who understands core providers can be a huge benefit when it comes to incorporating new core systems into the existing network and wider vision for the network’s growth.

As a Jack Henry customer you may have first-hand experience overcoming some of these same hurdles. With over 100 Jack Henry clients, Safe Systems has implemented many of the JHA and various Profitstar applications in many different environments. Here are some suggestions to help you identify and avoid common implementation challenges in the future:

Adapt Your Network Configuration to Support New Applications

When you are adding an application to your network, the core will often require that the application be housed on its own designated server. They will often quote you physical hardware for the application to reside on, as this fits their modular, one-size-fits-all mentality. Depending on your network infrastructure, new designated servers and/or suggested physical hardware may not be necessary to support the new application. Be sure to review your bank’s specific network configuration before licensing/acquiring any new hardware. This review can be a challenging endeavor unless you have a team familiar with both the product requirements and the existing network configuration.

Once you determine the optimal setup and find that new servers are required, there are many tasks that must be performed to ensure they are being managed properly. These servers must be set up on the network and added into the bank’s inventory of technology assets. They must also be enrolled in a credible patch management program and accounted for in the network disaster recovery plan and backup process. Working with an experienced bank IT network provider that has a holistic view of your entire network will help ensure you are not purchasing and running unnecessary hardware and that you avoid creating network management issues.

Ensure Compliance and Security Day One

What happens after new products and services are implemented in the bank? All new applications must be secure and in compliance with FFIEC regulations (How will this impact business continuity planning? How does it factor into the incident response program?). The right outsourced IT provider should have teams that work extensively with the core provider and the bank to ensure the new product is fully and correctly implemented at the bank and meets all operations, compliance and security objectives.

Ensure Patch Management Out of the Box

Patch management is more important than ever! The lack of an effective patch management process has contributed significantly to the increase in the number of security incidents in financial institutions. An effective patch management program should include policies and procedures to identify, prioritize, test and apply patches in a timely manner. The longer that a system remains unpatched the more vulnerable the institution becomes. If you choose to work with an outsourced service provider, be sure they can offer your institution a comprehensive patching program that delivers quick, accurate, and secure patch updates to all applications. This process will help mitigate the multiple risks associated with running unpatched programs and automate the time-consuming process of testing and deploying new patches.

Free White Paper

Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.

7 Reasons Why Small Community Banks Should Outsource IT Network Management

Get The Right Help

Working with an experienced outsourced IT provider such as Safe Systems helps ensure your integration with Jack Henry core systems will be smooth and efficient. Safe Systems is a banking-specific technology specialist with more than 20 years in the industry and relationships with more than 600 financial institutions. We have a unique understanding of critical components such as Jack Henry core processing, third-party banking applications, financial industry best practices, information security, business continuity and FFIEC guidance.

We have been working with and supporting more than 100 Jack Henry core banking clients for more than 20 years. This experience has provided us with a thorough understanding of Jack Henry’s core banking solution, best practices for working with the solution and how to efficiently add applications in a secure environment. Our holistic approach to financial services ensures our financial institutions are running an efficient and secure network.

Talk with an Expert

22 Oct 2015

Eight Keys to Creating and Managing Your Passwords

In recent years, hackers have developed sophisticated methods using malware such as bots, worms and viruses to infiltrate systems and capture your critical data without you knowing until it is too late. IT staffers at community banks and credit unions around the country defend against these attacks with antivirus software and firewalls.

Despite these efforts, it is likely that the most vulnerable point in the line of defense is you, or more specifically, your passwords. The whole point of passwords is to defend against threats to your valuable and sometimes personal data. Therefore, cyber thieves often attempt to gain entrance into banks and credit unions through targeted attacks on bank employees. That is why it has become so important to understand the keys to creating, managing and securing all of your passwords.

Top 8 Keys to Password Creation and Management

  1. Make passwords impersonal.
    Avoid using names and dates such as birthdays, wedding anniversaries, spouse names, kids’ names, grandkids’ names, pet names, etc. These are some of the most popular and overused passwords today, making them easy for attackers to guess. If you are using personal names and dates as your passwords, you are not giving yourself a high level of security.
  2. Mix letters, numbers, case and symbols in your passwords.
    Try multiple words strung together and separated by symbols, such as “Run?Jump?Laugh?Fun?”, or substitute numbers and symbols for specific letters, such as “$+@p135&0ff1c3M@x” instead of “Staples&OfficeMax.” Mixing lower-case and upper-case letters adds another layer of complexity and increases security as well.
  3. The longer the password, the better.
    Passwords should contain as many characters as possible. Length is a major key to a password’s security. When allowed, a password should be a minimum of 12 characters. With each additional character, the number of possible passwords an attacker must try grows multiplicatively, so the likelihood of the password being compromised decreases more with every character added.
  4. Use a formula to create your passwords.
    Be sure the formula isn’t easily identifiable. For example, “MarkJaneLucyBob” has a lot of characters, but anyone who sees it knows you are most likely using your family’s names as your password. “Ma*Ja*Lu*Bo!” is much more secure and not too difficult to remember.
  5. Never reuse your passwords.
    Although it is tempting to use the same password for multiple programs or sites, it is not a good idea. If your password is compromised in one place, you are immediately vulnerable in multiple places. Whenever possible, randomly generate a unique password for each program or site you use.
  6. Change your passwords on a regular basis.
    This key becomes more important if you are not following the previous keys regarding personalization and complexity. A complicated, lengthy, randomly generated password that is not reused on other sites might be acceptable to use for an extended period of time. Conversely, a short, simple password that includes personal names and dates and is reused on multiple sites should be changed much more regularly.
  7. Use a password management program.
    While these tools have their own security issues, since they hold the key to all your passwords, they are really the only practical way to manage all of your user names and passwords. A heavy internet and social media user can easily have 50 passwords or more, while even a novice user most likely has as many as 15. These cannot be maintained long term without help. Smartphone apps offer various password management options, and the app store will provide ratings and reviews from other users. Respected industry resources such as CNET or PC Magazine will also provide trustworthy lists of options.
  8. Test the strength of your passwords.
    There are some excellent free tools available for you to test the strength and vulnerability of the passwords you create. One option that provides you with a score is The Password Meter. It gives users a percentage score and complexity rating. Another one, called “How Secure is my Password?”, tells you how long it would take for your password to be cracked.
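A small policy checker that turns keys 1, 2, 3, 5 and 8 above into code and runs the article’s own sample passwords through it. This is an added example, not a Safe Systems tool; the personal-term list, the salt and the reuse history are constructed for illustration.

```python
"""Password policy checker modelled on the eight keys above (added example)."""
import hashlib
import re

MIN_LENGTH = 12  # key 3: a minimum of 12 characters when allowed

# Key 1: names and dates this user is known to favour (constructed sample).
PERSONAL_TERMS = {"mark", "jane", "lucy", "bob", "fido", "1985"}

# Key 5: salted SHA-256 digests of passwords already used (constructed history).
REUSE_SALT = b"example-salt"
PREVIOUS_HASHES = {hashlib.sha256(REUSE_SALT + b"Staples&OfficeMax").hexdigest()}

# Key 2: the character classes a password can draw from and their sizes.
CLASSES = {r"[a-z]": 26, r"[A-Z]": 26, r"[0-9]": 10, r"[^a-zA-Z0-9]": 33}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search at every position."""
    return sum(size for pattern, size in CLASSES.items() if re.search(pattern, pw))


def guess_space(pw: str) -> int:
    """Key 8: candidates a blind brute force must try, charset ** length."""
    return charset_size(pw) ** len(pw)


def check_password(pw: str) -> list:
    """Return the keys the password violates; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if any(term in lowered for term in PERSONAL_TERMS):
        problems.append("key 1: contains a personal name or date")
    if sum(1 for pattern in CLASSES if re.search(pattern, pw)) < 3:
        problems.append("key 2: use at least three of lower, upper, digits, symbols")
    if len(pw) < MIN_LENGTH:
        problems.append(f"key 3: shorter than {MIN_LENGTH} characters")
    if hashlib.sha256(REUSE_SALT + pw.encode()).hexdigest() in PREVIOUS_HASHES:
        problems.append("key 5: this password has been used before")
    return problems


if __name__ == "__main__":
    for sample in ("MarkJaneLucyBob", "Ma*Ja*Lu*Bo!", "Staples&OfficeMax"):
        print(sample, guess_space(sample), check_password(sample))
```

The family-name password fails keys 1 and 2, the formula version passes, and the reused one is caught by the salted-hash history even though it is otherwise complex.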

With the amount of valuable, personal data in need of protection it is important to create and maintain secure passwords as part of your overall data security strategy. As part of our Security service offerings, Safe Systems provides system hardening, system monitoring and validation. We also offer DNS Protect, which defends against internet-based threats on all servers, workstations and laptops on your network.


26 Feb 2015

Minding the Encryption Gap

Email technology presents a host of security concerns for financial institutions, many of which can be mitigated by implementing the proper controls. Virus and malware infection risks, for example, can be mitigated with email antivirus and spam filtering software to sniff out malicious attachments or phishing attempts. Legal or reputation risks related to employee misuse can be addressed by training users on acceptable email usage and appending email messages with a disclaimer message. However, one powerful security control designed to protect messages in transit has yet to become standard fare – email encryption.

The protocols that make modern email flow have remained largely unchanged since the early days of the Internet when the security of transmitted data was not a pressing concern. When you email a sensitive attachment to a coworker on the same mail server, there is likely little cause for worry; however, email messages to and from external parties must leave the protected space of your local network. By default, these email messages are transmitted in clear text, and are susceptible to interception, eavesdropping, or tampering while in transit. While the exposure of sensitive information is never good for any business, financial institutions face an added regulatory compliance risk if an intercepted message contains non-public customer information. While end-user training can limit the amount of sensitive data sent via email, it is not a guaranteed method of preventing the unintended disclosure of sensitive information. Bank security personnel should look toward a technology solution to fill this gap, and this is where email encryption comes into play.


Email encryption is almost synonymous with the Transport Layer Security (TLS) protocol. TLS was created to work alongside existing email protocols to protect messages as they traverse the wilds of the Internet. When using TLS encryption, the sender’s email server encrypts the many individual data packets that make up an email message before transmitting them. Once the batch of packets reaches the relative safety of the recipient’s network, the receiving email server decrypts them using the session’s decryption key before piecing the message back together. While these encrypted packets can still be intercepted on the journey from sender to recipient, they are jumbled and useless to a malicious third party without the proper decryption key.

In order for these secure communication sessions to work as intended, both the sending and receiving email servers must support and be configured to use TLS. So, even if you properly set up your system for TLS, there is no guarantee that your recipient’s email system can support secure communications. This potential mismatch in mail server capabilities is handled differently by different encryption solutions. Perhaps the least sophisticated way to jump this hurdle is to configure email servers and systems to use opportunistic TLS. Email systems using this method will always attempt to establish a secure channel for email communications; however, if the receiving mail system does not support TLS, the sending system will fall back to traditional insecure delivery.

While opportunistic TLS is better than no encryption at all, it does not provide the guaranteed security necessary for financial institutions. More robust encryption solutions close this opportunistic TLS security hole by delivering messages that cannot be sent over a secure channel to a secure portal site rather than to the recipient’s email system. Instead, the recipient receives an informational email notifying them that a message is waiting to be picked up. While it is a small hassle for the recipient to log into the SSL-secured website to collect the message, this approach maintains a consistent level of security.

Enabling TLS is a conscious decision, but it is not always an option. Many widely-used applications and devices have a built-in SMTP server, and can be configured to send email directly; unfortunately, many of these systems lack the sophistication to use TLS. Some common examples of such under-the-radar SMTP servers are SAN appliances that send performance and alerting information, backup software that sends backup status alerts, and standalone multifunction printing devices configured to email scanned documents. Multifunction printers in particular can be problematic. Loan packets or new account documents are goldmines of customer NPI, and if these are being sent across the Internet unencrypted, then they are at risk. For networks with an internal email solution, all email messages should be configured to flow through the internal mail server(s) to prevent any unintended email exposure. If a financial institution opts for a hosted or cloud-based email solution, they may face a trickier encryption gap.


Since you cannot simply stop scanning from your multifunction printer (MFP) altogether just because you use a hosted email solution, management and IT staff should make efforts to mitigate the risk of unintended exposure. Luckily, there are a few options to consider. First, older network scanning devices could be replaced with more modern equipment that supports TLS, but this is not a viable option for many institutions. If the device cannot be replaced, investigate whether it can be configured to scan to a network folder location in lieu of scan-to-email. Finally, if all else fails, consider adding a secure relay to your network. A secure relay is a TLS-capable hardware or software solution placed on the network that receives, encrypts, and forwards messages to the remote mail system. All devices, appliances, or software that send messages but are not TLS-capable must then be pointed toward the secure relay. Once properly configured, a secure relay may be the last piece necessary to finally plug the encryption gap.
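The delivery decision that separates opportunistic TLS from the portal-based solutions described earlier, and the secure relay that applies it on behalf of non-TLS devices, written out as an added example (not Safe Systems code). The EHLO replies, hostnames and recipients are constructed samples; a real relay would read the reply from a live SMTP connection.

```python
"""Outbound delivery policy for mail leaving the bank, as described above (added example)."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    OPPORTUNISTIC = "opportunistic"  # try TLS, fall back to clear text
    ENFORCED = "enforced"            # never fall back; divert to a secure portal


@dataclass(frozen=True)
class Decision:
    action: str  # "deliver_tls", "deliver_cleartext" or "divert_to_portal"
    recipient: str


def advertises_starttls(ehlo_reply: str) -> bool:
    """Parse a multi-line 250 reply to EHLO and look for the STARTTLS extension.
    Continuation lines read '250-KEYWORD'; the final line reads '250 KEYWORD'."""
    for line in ehlo_reply.splitlines():
        if not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def decide(mode: Mode, recipient: str, ehlo_reply: str) -> Decision:
    """Apply the sending policy to one message bound for one receiving server."""
    if advertises_starttls(ehlo_reply):
        return Decision("deliver_tls", recipient)
    if mode is Mode.OPPORTUNISTIC:
        return Decision("deliver_cleartext", recipient)  # the gap the article warns about
    return Decision("divert_to_portal", recipient)  # recipient gets a pickup notice instead


def relay(messages, mode=Mode.ENFORCED):
    """A secure relay: every non-TLS device (MFP, SAN, backup job) hands mail to it,
    and it applies one policy for all of them. messages: (recipient, EHLO reply) pairs."""
    return [decide(mode, rcpt, ehlo) for rcpt, ehlo in messages]


# Constructed EHLO replies from a TLS-capable and a legacy receiving server.
EHLO_WITH_TLS = "250-mail.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-legacy.example.org\r\n250-SIZE 10240000\r\n250 8BITMIME"
```

Run with `Mode.OPPORTUNISTIC` the legacy server receives the message in clear text; with `Mode.ENFORCED` the same message is diverted to the portal and nothing leaves the network unencrypted.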

It is important to note that auditors and examiners do not currently require email encryption; however, encryption is considered a security best practice for any network that needs to keep the contents of their email messages secure. Depending upon your policies, network, and email solution, setting up encryption may be as easy as enabling TLS on the Exchange server, or as complex as implementing a secure relay. To ensure consistent security, the financial institution should consider how their system will handle receiving email servers that are incapable of TLS. Regardless of your solution, you cannot achieve consistent and comprehensive email security without a full understanding of how email flows through your network. Financial institution IT staff should scour the network and compile a list of all devices and systems dispensing email to ensure that your email practices match your policies.

21 Oct 2013

The Dangers of Recycling Passwords

Charles Copland, Quality Assurance Analyst | Safe Systems

Reduce, reuse, recycle. This positive mantra has made recycling a common practice for individuals and businesses across the country. And while this practice helps reduce the amount of physical waste in landfills, when the concept bleeds into other areas of daily life it can unfortunately have disastrous consequences. Specifically, it’s time to stop reducing, reusing or recycling passwords.

Between work-related system credentials, social-media sites, personal email, and every other website that requires a login, estimates suggest the average person has 20-plus website or service accounts. Remembering all the passwords that secure your daily activities can become a tall order. Thus, people tend to gravitate to a limited set of passwords that are easy to remember. It’s all too simple to reenlist that familiar password when creating an account for the hottest new website. But it’s troubling when a financial institution employee is prompted to change their password and follows this same pattern.

As long as a password is complex and the systems or websites claim to be secure, then what’s the worry? Even “brand name” websites can be surprisingly susceptible to data breaches. These breaches can expose sensitive user information, which in turn may have been reused elsewhere, including at work. This assertion is not a hypothetical scare tactic, but a reality of the digital age.

For examples, you need look back only to July, when (more…)