Category: Technology

30 Nov 2022
Microsoft Azure Maintenance Basics

Microsoft Azure Maintenance Basics

Microsoft Azure Maintenance Basics

Financial institutions need to stay on top of Microsoft Azure maintenance to efficiently use Microsoft cloud services and have effective controls across identity and access. Azure maintenance is also a matter of regulatory compliance.

Microsoft Azure maintenance encompasses Azure Active Directory, M365 (formerly called Office 365), Microsoft Exchange Online, and other associated Azure cloud services. Many institutions may not realize they are leveraging cloud solutions because it’s not always obvious where different technology services originate. Regardless of how an institution obtains Microsoft Exchange or M365, it creates a Microsoft tenant with Azure AD. Institutions are ultimately responsible for these tenants and this includes properly securing and maintaining them.

The Federal Financial Institutions Examination Council (FFIEC) expects institutions to engage in effective risk management for the “safe and sound” use of cloud computing services. The council indicated as much in its statement on “Security in a Cloud Computing Environment,” saying: “System vulnerabilities can arise due to the failure to properly configure security tools within cloud computing systems. Financial institutions can use their own tools, leverage those provided by cloud service providers, or use tools from industry organizations to securely configure systems, provision access, and log and monitor the financial institution’s systems and information assets residing in the cloud computing environment.”

In addition, financial institutions are obligated to oversee third-party service providers and make sure that they use proper security controls. “Management should be responsible for ensuring that such third parties use suitable information security controls when providing services to the institution,” the FFIEC IT Handbook’s Information Security booklet stated. “Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks.”

Azure Active Directory

Azure Active Directory (Azure AD, AAD) is the primary identity platform across all Azure services. There are some standard maintenance objectives that financial institutions should meet with Azure AD.

Some of the key types of identities to review within Azure AD are users, devices, and enterprise applications. User maintenance is an area many people are familiar with, and it involves ensuring the list of users matches expectations. IT administrators should be on the lookout for new accounts; they should look for users who should not be there and delete or disable them if appropriate. For example, users may need to be purged from the list after they complete off-boarding procedures.

With device maintenance, it is important to be aware of all the devices that the organization has placed into Azure AD. IT administrators should ensure that, at least for Windows OS devices, they follow the established naming convention. They should delete “stale” or inactive devices and ensure that all devices—whether desktop or mobile—adhere to established compliance policies.

The maintenance for enterprise applications—objects with some form of connectivity with your Azure tenant—involves making sure various service apps meet expectations for functionality. Administrators should review the apps’ properties to ensure the best controls are being applied. For instance, this could include addressing apps that have an expired certificate.

Other important maintenance areas within Azure AD include reviewing privilege role assignments to ensure their validity, scrutinizing delegated administration partners to confirm their level of access, and “right-sizing” the number and types of licenses to avoid being over or under-provisioned.

M365 and Exchange Administration

SharePoint Online, Exchange Online, and OneDrive are core components of M365 and as such, they require strategic maintenance. Here are some important areas IT admins should address to maintain these services:

  • Usage reporting— Monitor usage reports to ensure they match the institution’s expectations. Anomalies in consumption and storage could indicate a possible security or compliance concern.
  • Cleaning up files— Delete old, unused files from OneDrive or SharePoint. Administrators can solicit help from users by notifying those who are approaching their limits.
  • File retention policy— Automatically delete files based on a set schedule or duration, such as anything older than seven years.
  • Exchange Online mailbox usage— Notice mailbox statistics before users reach their limit to avoid service disruptions—and complaints.
  • Distribution list review— Make sure distribution lists contain the appropriate members for the most effective targeting.
  • Exchange Online mobile devices— Keep track of the details about users’ mobile devices to gain additional insights for achieving maintenance objectives and compliance.

For more information, listen to our “Azure Maintenance —The Basics Every IT Administrator Should Know” webinar.

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

  • Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims to click on a bad link or download a malicious attachment. The signs can be subtle, but once suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Security Awareness Training: Safe Systems has partnered with KnowBe4, a market leader who is in the business of training employees to make smarter security
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

20 Oct 2022
Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Our first Customer Success Summer Series offered live webinars with special guest speakers who shared their industry knowledge to help our customers and other financial institutions enhance internal processes and key areas of their banking operations.

The Evolution of Phone Systems

Today businesses are facing the acceleration of remote working—Voice over internet protocol (VoIP), Virtual Private Networks (VPN), virtual meetings, and dynamic routing of phone systems based on the user’s location—all have become must-have requirements. Legacy telephone services are becoming more obsolete as some telecoms decommission analog technologies in favor of fiber pots and other alternatives. The old telephone system is evolving into a more modern option: unified communications as a service (UCaaS), which merges communication channels into a single cloud-based system. UCaaS offers all the necessary infrastructure, applications, and resources businesses need in an easily scalable solution. Unified communications tools can include chat, VoIP, text messaging, and online video conferencing.

UCaaS gives institutions the benefit of advanced functionality which allows employees to work remotely more efficiently, including things like the ability to check other users’ availability, reach people whether they are in the office or out in the field, and access the platform from anywhere. Another evolving facet in telecommunications is call center as a service (CCaaS), which also streamlines omnichannel communication and allows remote employees to work together as a call center team.

Given its flexibility and efficiency, it is easy to see why UCaaS is moving to the forefront of communications. There is a wide range of unified communications features, equipment, and prices and it is important for your institution to clearly define its unique needs to find a solution that will satisfy its requirements. It is also important to continue to evaluate your equipment and services every few years as technology and pricing continue to change.

Watch the recording of this webinar to gain a better understanding of UCaaS and other options so you can make the right choice for your institution.

2 Guys and a Microphone

Matt and Tom have both spent most of their careers focused on risk and regulatory compliance for financial institutions. We recorded their recent conversation which spans many topics including increased scrutiny on vendor management, continued focus on ransomware, and more.

Recent audit and exam trends continue to have a strong focus on third parties and proper vendor management. Examiners are considering the preponderance of fintechs, how much the average financial institution is outsourcing, and the inherent risk that originates from third-party vendors. Interestingly, their increased scrutiny may extend to any significant sub-service vendors that institutions may have. In addition, we are seeing questions arise about vendor management in the context of insurance. Cyber liability insurance applications are requesting more details about the management of vendors and other third parties.

There have also been some interesting audit and exam findings. For instance, one institution was encouraged to complete a post-pandemic/walk-through test or “dry run” of their pandemic procedures. This is curious considering all institutions have been in a “live exercise” for the past few years with the pandemic. Regardless, there is a good chance that the pandemic verbiage in your disaster recovery plan needs to be updated based on what has or has not been done in response to the current pandemic. And it is important to consider that an annual pandemic test will be a part of examiner expectations going forward along with the traditional business continuity, natural disaster, and cyber incident tests.

On the regulatory front, the new Computer-Incident Notification Rule went into effect on April 1, 2022, which is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The rule has two components:

  • The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
  • The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

In March, we hosted an in-depth webinar on understanding the requirements, recognizing gray areas, and preparing for unknowns. To help intuitions meet these requirements, we also created a detailed flowchart to understand when an event is severe enough to activate your Incident Response Team (IRT) and when regulators and customers should be notified.

Another regulatory trend to keep your eyes on is the increasing focus on ransomware industry-wide is prompting some state banking organizations to require institutions to use the Ransomware Self-Assessment Tool (R-SAT). The 16-question R-SAT is designed to help institutions evaluate their general cybersecurity preparedness and reduce ransomware risks. The R-SAT supplements the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC). It will be interesting to see if more states begin requiring this additional diagnostic tool.

Watch the recording to hear more insights about INTrex, SOC Reports, and SSAE 21.

08 Sep 2022
What to Budget for in 2023

What to Budget for in 2023

What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

  • Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
  • Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

23 Jun 2022
Tips for the Latest Microsoft Windows 10 Feature Update

Tips for the Latest Microsoft Windows 10 Feature Update

Tips for the Latest Microsoft Windows 10 Feature Update

Microsoft recently released the latest feature update for Windows 10, and financial institutions should upgrade the operating system as soon as possible. Installing the new update—Windows 10, version 21H2—sooner than later will give institutions access to important benefits, with a key advantage being enhanced security. The update will enable them to keep receiving security patches against malware and other vulnerabilities, so they can continue operating with the same level of safety and convenience. In addition, upgrading now will enable institutions to extract more longevity and functionality from the system, which will save them money in the long run. Implementing the current update will also keep them ahead of the curve and better prepared to meet the Windows 10 end-of-life date: Oct. 14, 2025.

Safe Systems Makes the Process Easy

Safe Systems can complete the upgrade for their network management, NetComply® One, customers using a proprietary solution designed by in-house technology experts. This advanced, automated method lessens the time and effort involved with installing version 21H2. We typically make one download per location instead of going from machine to machine—which can each take several hours to update. We can also employ file sourcing to reduce the amount of bandwidth consumed during the update. These streamlined tactics significantly minimize downtime, which can have a major impact on daily operations, personnel productivity, and other network utilization issues. If a machine has a problem with our automated process, customers will receive an email from Safe Systems notifying them that several failed attempts have occurred. At that point, they can decide whether to upgrade the machine themselves or submit a ticket requesting us to remediate the issue.

In addition, customers can run reports to gain insights, enhance decision-making, and optimize the upgrade process. For instance, they can:

  • identify which version of Windows 10 is currently running on their machines;
  • review results from the previous upgrade;
  • determine time of the next attempted upgrade;
  • detect which machines are excluded from upgrades; and
  • confirm that machines scheduled for the update are turned on and online.

By leveraging our network management solution and custom technology for feature upgrades, guesswork and human intervention are removed from the update process. This not only leaves financial institutions with more time to focus on other important issues, but it results in a more successful upgrade project. So, our customers get the best of two worlds: an efficient, computerized upgrade and support from technology experts.

A Specialized Network Management Solution

Completing Windows 10 21H2 updates for our customers means they will have one less thing to worry about. This supports our ultimate objective—to give financial institutions of all sizes a cost-effective way to leverage the best technology, compliance, and security solutions to serve the financial needs of their community. Our network monitoring and management platform, NetComply One, is designed exclusively for community banks and credit unions and provides them with a unique blend of services: automated ticketing, patch management, qualified alerting, custom reports, and quarterly advisement—all from an industry leader with more than 25 years of banking and IT experience.

So why run the security risk of not installing the new Windows update now when we’re making the process easy? Contact us today for questions about the upgrade or more information about NetComply One.

22 Apr 2022
More Microsoft Azure and 365 Security Basics

More Microsoft Azure and 365 Security Basics

More Microsoft Azure and 365 Security Basics

Banks and credit unions today face an ever-increasing number of cloud security hazards. Here’s the good news: Financial institutions that use Microsoft Active Directory (Azure AD) and Microsoft 365 can lower their risk by modifying their security settings for these services. Not only can this help the financial institution minimize threats, but it can allow them to customize the features of Azure AD and Microsoft 365 (previously called Office 365) to their specific preferences and requirements.

Organizations are responsible for managing Azure AD and its security settings because when they purchased M365 licenses, they established a Microsoft tenant with Azure AD. From a compliance perspective, adjusting Azure AD’s settings is crucial since Microsoft automatically enables certain features that may violate or conflict with compliance policies for organizations in regulated industries.

Optimizing /M365 and Exchange Online Settings

Depending on your institution’s licenses, there is a wide range of security and compliance settings you can customize in Azure AD, M365, and Exchange Online such as:

  • OneDrive and SharePoint Sharing: Review the default level of sharing to control the flow of data based on what is appropriate for your institution.
  • Teams and External Collaboration: Review the platform’s default security and compliance settings, and if they are not sufficient, you can block all external domains to keep users from communicating externally.
  • Exchange Online: Control access, how emails are transmitted, the types of messages users can send to recipients in external domains, and the devices or apps that can connect.
  • Protection Center: Use the Basic Mobility and Security feature to manage and secure the mobile devices that are connected to your Microsoft 365 organization.
  • Security Center: Optimize email management by employing anti-spam policies for inbound emails, blocking automatic forwarding of outbound emails, using phishing simulations, quarantining potentially harmful messages, and blocking messages from fake senders.
  • Compliance Center: Implement a retention policy to manage the data by proactively choosing how to retain or delete content.
  • M365 Admin Center: Use modern authentication‎ in ‎Exchange Online‎ to enhance your institution’s security with features like conditional access and multifactor authentication. (Microsoft‎ strongly recommends turning off basic authentication for your organization.)

More Ways to Boost Security

You can further enhance cloud security by modifying the settings related to Azure AD Premium P1, Intune, and Azure Information Protection (AIP) licenses. With Azure AD Premium P1, for instance, you can include your institution’s logo, color scheme, and other branding elements on your Azure AD sign-in pages. You can also employ the hybrid Azure AD joined devices, conditional access policies, and password protection features. Microsoft Intune integration lets you configure policies to control how your institution’s devices and applications are used, including smartphones, tablets, and laptops. And AIP allows you to use deep content analysis to minimize data loss and enhance the labeling capabilities of Microsoft 365 to protect documents and emails.

M365 Security Basics Can Help

There are countless security settings that can be adjusted in Azure AD and /M365, and Microsoft is always introducing new features. This can make it difficult for institutions to ensure they have the most appropriate security, identity, and compliance settings—but our CloudInsight™ M365 Security Basics solution can make the process easier. M365 Security Basics is a collection of services designed to give community banks and credit unions a cost-effective way to manage their M365 settings. It offers reporting, the delivery of Microsoft data in a user-friendly format; alerting, notifications of the most common indicators of compromise; and quarterly reviews, expert analysis of M365 Security Basics reports, and explanations of the risk visible on the report and ways those risks may be mitigated.

To learn more about how to customize your institution’s Azure AD and M365 settings to bolster cloud security, access our “Microsoft Azure and M365 Security Basics” white paper.

09 Mar 2022
Microsoft Azure and 365 Security Basics Continued

Microsoft Azure and 365 Security Basics Continued

Microsoft Azure and 365 Security Basics Continued

When your institution acquired Microsoft 365 (also known as M365 and formerly called Office 365), it automatically created a Microsoft tenant with Azure AD. Since that tenant belongs to your organization, you are responsible for managing Azure AD and its security settings. Microsoft Azure services enable various default features that could be incompatible with the security, identity, and compliance requirements of your institution. it’s essential to customize the settings in Azure AD, M365, and Exchange Online (or Azure AD Premium P1, Intune, and Azure Information Protection) to fit your organization’s needs.

Customizing Azure AD Defaults

  • Security Defaults — Turn on security defaults to make it easier for your institution to thwart cyberattacks by using preconfigured security settings. (If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.)
  • Password Policy — Configure the password policy applied to every user account that is created and managed directly in Azure AD. (Institutions with on-premises AD password policies governing password expirations should expect to manually synchronize their Azure AD password policy and their on-premises AD password policy.)
  • Azure AD Device Registration — Prevent users from joining devices on their own and require multi-factor authentication (MFA) to register or join devices with Azure AD.
  • Enterprise and Registered Apps — Keep non-administrator users from arbitrarily adding enterprise or registered applications, which can significantly increase risk. Afterwards, make sure to review every enterprise and registered application.
  • External Collaboration — Restrict regular users from inviting guests for collaboration and keep guest users from signing into your apps and services with their own work, school, or social identities.
  • Hybrid Identity with Password Hash Synchronization — Employ a hybrid identity architecture to synchronize users from on-premises Active Directory to Azure AD to minimize the number of identities users have across various platforms.
  • Azure AD Administration Portal — Limit regular users’ ability to read data in the Azure AD Administration Portal.
  • Administrator Review — Grant administrators only the specific permission they need to do their job and limit the number of static Global Administrator role assignments to fewer than five people.
  • Partners – When working with Microsoft-certified solution providers (partners) to purchase and manage solutions for your institution, they could be granted Global/Helpdesk admin roles giving them delegated administrative capabilities to your Azure instance. Make sure to review all partners and their delegated rights regularly.

Altering M365 and Exchange Online Settings

In M365, you can customize a variety of settings. In OneDrive, SharePoint Online, and Teams, look at configuring external collaboration capabilities of users. For Exchange Online, there are many settings to review but one to start with is the current forwarding capabilities and settings for users both globally and per-user. Modifying or reviewing these settings is highly advisable since they are inherently designed to facilitate interaction and external collaboration. In addition, you can use the Protection Center to secure mobile devices that are connected to your Microsoft 365 organization; the Security Center to refine email management; the Compliance Center to implement an effective data retention policy; and the M365 Admin Center to enhance security with modern authentication, which encompasses MFA. (According to Microsoft, 99.9 percent of account compromises can be blocked with MFA.)

And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

M365 Security Basics Solution

Once your institution has sufficient settings in place to support your policies, it is essential to monitor for exceptions with reporting and alerting features such as those provided with Safe Systems CloudInsight™ M365 Security Basics solution. Financial institutions that partner with Safe Systems can gain critical visibility into their security settings helping them successfully navigate the complexities of optimizing M365’s features..

For more information about how your institution can optimize Azure AD and O365/M365 settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

01 Mar 2022
Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

It can be challenging for financial institutions to manage security, identity, and compliance within Microsoft Azure Active Directory (Azure AD) and Microsoft 365 (also known as M365 and formerly branded as O365). Understanding the services and settings of the Azure AD and M365 ecosystem can make the process easier for IT administrators.

Some of the basic security settings that apply to most organizations fall under the free license level for Azure AD. These are also some of the low-hanging fruit that institutions can easily implement to make a dramatic difference in their security.

Security Defaults

One of the settings that can have the biggest impact is security defaults, which can be enabled to enforce a set of non-configurable conditional access policies. The policy set in Azure includes the ability to require multifactor authentication (MFA) and MFA registration for all users. It also offers the capability to block legacy authentication, which should be a high-priority goal for any organization.

Hackers can exploit basic authentication to effectively bypass MFA, which is a fundamental security service we recommend that every institution implement. If your institution has gone through the effort of enforcing MFA for users—but you’re not blocking basic authentication explicitly—there’s a major security gap. That gap should be addressed immediately, especially given Microsoft’s plans to decommission basic authentication protocols in Exchange Online in October 2022.

Identity Considerations

It’s also crucial to review the identity architecture for your financial institution. Any user, device, or app connecting to Azure should have an identity, whether it’s a guest user, mobile device, Mac OS device, or a Windows computer, so it can be assigned data access rights or even take on administrative capabilities. Every identity outside of Active Directory—which is the primary identity for users in many institutions—is another attack vector in a different system. An effective way to manage different identities is to consolidate them by sourcing them at the AD level and then synchronizing users and their password hashes to Azure AD. You should also review the level of access for all administrators as well as partners as they represent a huge risk downstream. Reviewing the level of access for partners goes beyond security; it’s also a matter of regulatory compliance.

Additional Considerations

Depending on your institution’s license level, there are additional Azure and M365 settings you can adjust in the areas of protection, compliance, and administration. For example, global auditing is an essential setting that should be enabled to augment security and facilitate troubleshooting after attacks. You should also block settings allowing for open collaboration and outbound email forwarding to avoid data loss and minimize cyberattacks.

If your institution is at the M365 level, it also needs the mobile device management (MDM) platform that offers sufficient protection. Exchange Online has built-in MDM capabilities but these capabilities do not extend to all M365/O365 apps.

Conditional access policies govern sign-ins and attempts. They can enable the enforcement of MFA and are the highest control layer for determining who has access to the data within Azure’s security ecosystem.

Since data lives outside of Exchange Online in the M365 world, if your institution has specific compliance requirements for retention, your retention policies will generally need to extend to all data.

M365 Security Basics

Adjusting all the security settings of Azure AD and M365 can be a daunting task, especially since Microsoft is constantly updating the features of its technology services. Our CloudInsight™ M365 Security Basics solution provides insights into security settings for Azure AD and M365 tenants. It helps IT administrators navigate the complexities of customizing their institution’s security settings through three services: reporting, alerting, and quarterly reviews.

The reporting service provides ongoing Microsoft data and packages it into a readable format that shows security settings at a glance, allowing institutions to easily see irregularities, such as when users sign in from Outside of the USA. Alerting sends a notification when an activity indicates that a potential compromise has occurred. With the quarterly reviews, trained experts analyze the settings, reports, and alerts and review them with administrators so they can speak with confidence to their board, steering committees, and auditors about their institution’s technology services and cloud security.

If you need help understanding how M365 Security Basics can support your financial institution’s risk mitigation or strategic planning efforts, contact us. You can learn more about this topic with our “How to Manage Security Identity and Compliance within the Microsoft Azure and M365 Ecosystem” webinar.

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

30 Dec 2021
Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective ( RTO ), recovery point objective ( RPO ), replication , and recurring testing .

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management . It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program . Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.

Subscribe to our blog

 

16 Nov 2021
Using the Free Features of Microsoft Azure AD and O365/M365 to Enhance Cloud Security

Using the Free Features of Microsoft Azure AD and O365/M365 to Enhance Cloud Security

Using the Free Features of Microsoft Azure AD and O365/M365 to Enhance Cloud Security

Microsoft Azure Active Directory (Azure AD) and Office 365/M365 have a variety of free security settings that financial institutions can customize to their needs. These settings are important because they can enhance an institution’s cloud environment and operational security—and they’re available to everyone with Azure AD or O365/M365. Remember, even if the license was acquired through a third party, your institution is still responsible for managing all the security features of these cloud-based solutions.

Be aware that while adjustments made to the defaults can strengthen your cloud security, they will also impact the way people use the products. For instance, multifactor authentication (MFA) is a great first step at improving the security of your cloud environment but does impact how your users will log in.

Here are some other important free security settings you can optimize in Azure AD and/or O365/M365 to enhance security:

  • Global Auditing — The global auditing feature logs events that happen across Azure AD and O365/M365. It is advisable to enable Global Auditing. The information gained with this feature can help troubleshoot problems and investigate issues. Once Global Auditing has been enabled, it can take about 24 hours for the new setting to take effect.
  • Alert policies — Alert policies are designed to help you monitor threats against your existing resources. There are default built-in policies, and you can also create additional custom policies for free on your own. Keep in mind, you need to set the target recipient(s) for these policies.
  • Sharing in Microsoft OneDrive and SharePoint — Since these products were created to foster collaboration, their default setting is normally set to enable external data sharing. This allows users to create anonymous access links that make it possible for anyone in any organization with OneDrive and SharePoint to sign in and view their information. It is recommended that you review the level of sharing to control the flow of data based on what is appropriate for your organization.
  • External access in Microsoft Teams — Teams is set up by default to make it easy for individuals to connect with users located anywhere in the world, even in other organizations. You should review the platform’s security and compliance settings to ensure it fits your organization’s standards. You can block all external domains to restrict users’ ability to communicate externally.
  • Enterprise applications — Enterprise apps can represent a huge risk if users have the freedom to add them on their own. You can change the security setting to prevent anyone from randomly adding apps without the administrator’s approval. When this feature is activated, Microsoft will block users’ attempts to add apps and notify the administrator, who can approve or deny their requests.
  • Application registrations — Similarly, institutions can alter their security features to block users from registering any applications. There’s rarely a reason to allow users without administrative rights to create app registrations, so reviewing and/or adjusting this setting is essential.

Making these adjustments will help you to maintain control over users’ activities and tighten security. To learn more about M365 security topics, listen to our recent webinar, Ask the Experts: O-M365 Security Basics for IT Administrators.

Safe Systems’ M365 Security Basics solution provides visibility into these and other security settings and allows banks and credit unions to regularly monitor and review their configurations making it easier for them to manage their Azure AD and O365/M365 accounts.

26 Oct 2021
Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Our CloudInsight™ M365 Security Basics solution is helping community financial institutions increase their security posture. Take Glennville Bank, for example. The Georgia community bank, which has $312 million in assets, seven locations, and 66 employees, jumped at the chance to capitalize on the service to identify and secure threats to its Microsoft 365 settings. M365 Security Basics provided the bank with greater visibility into cloud security settings for Azure Active Directory (Azure AD) and M365 tenants through reports and alerts.

Like most financial institutions, Glennville Bank leverages technology to better serve its customers and maintain its operations. Also, like other institutions, the bank has a variety of Microsoft licenses, and managing the security settings for these products became difficult and time-consuming, particularly for Glennville Bank’s network administrator, Zach Horn, who describes his proficiency with Microsoft as “fairly limited.”

“Given the complexity of our cloud tenant settings, I’m not comfortable enough with Microsoft or their updates to manage every setting correctly,” Horn explained. “With all the potential security risks out there, I knew I needed reports that could help me identify risky security settings, monitor identity controls, and ensure our configuration matches our information security policy.”

With M365 Security Basics, Glennville Bank was able to set data trends and identify several settings that needed addressing, such as creating a baseline for failed logins. The bank also discovered that its user access details were often inconsistent, and through the M365 Security Basics service they received easy-to-follow instructions for correcting the problem. “Safe Systems did a great job fine-tuning the product to the demographic we needed,” Horn said. “Their knowledge has been helpful in pointing me in the right direction in knowing which Microsoft licenses I need to go to in the future.”

Product Highlights

M365 Security Basics is the first offering in Safe Systems’ CloudInsight™ family of products. It’s specifically designed for community banks and credit unions that have Microsoft 365 products (Exchange Online, SharePoint, or OneDrive), use Azure AD, and store non-public information in the cloud. M365 Security Basics’ reporting, alerts, and quarterly reviews are customized to help financial institutions improve their cloud security awareness by identifying potential risks and common signs of compromise. The product is developed by engineers who hold dozens of certifications, including the Microsoft 365 Certified: Security Administrator Associate certification. M365 Security Basics makes it easier for institutions to monitor their configurations for current and new features that are automatically enabled by major cloud providers like Microsoft Azure.

The powerful reporting from M365 Security Basics enables financial institutions to review vital Microsoft cloud tenant settings. This allows them to recognize unsafe security settings, examine identity controls, make sure their configuration is consistent with their information security policy, and demonstrate this to examiners and stakeholders. Reports are available as “Summary” versions (with brief information, such as the Tenant Summary and User Summary) and “Details” versions with more in-depth data. (Glennville Bank uses the Tenant Summary to highlight important issues during IT steering committee meetings.)

M365 Security Basics also offers alerts and quarterly reviews as add-on services. Alerts provide notifications about the most common indicators of compromise (like unauthorized access) and are grouped under Azure AD Roles, Azure AD Sign Ins, OneDrive, SharePoint, and Exchange Online. The quarterly reviews give institutions a periodic, objective analysis of their recent M365 Security Basics reporting, so they can gain a better understanding of their Microsoft 365 tenant security.

CloudInsight™ M365 Security Basics not only helps financial institutions like Glennville Bank secure their information but also makes it easier to compile data required for examiners. Read the complete Glennville case study to see how your organization can benefit from M365 Security Basics.

11 Oct 2021
What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

  • Employee training to ensure adequate, effective, and safe practices
  • Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
  • Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

29 Sep 2021
Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

It’s important for financial institutions to understand Microsoft Office 365 (O365) and M365 settings, so they can optimize the security controls and quickly detect potential areas of compromise. The educational journey begins with acknowledging the role of Azure Active Directory (Azure AD), Microsoft’s cloud-based user authentication platform.

When your institution purchased O365 (recently rebranded as M365), it established a Microsoft tenant with Azure AD. Since that tenant belongs to you and your institution—not the licensing reseller—it is your responsibility to understand Azure AD and its controls. This is where you can customize the settings to create more sophisticated and appropriate security policies for your institution.



Monitoring for Exceptions to Security Controls

Once your institution has good policies in place, it’s essential to monitor for exceptions. There are so many security controls to check; it can be difficult to know if there is a policy exception or even an active compromise. As an added challenge, some controls can have a major impact on the user experience, and these controls cannot be created arbitrarily by a third party simply based on what is presumed to be best practice.

Therefore, you must build policies around what users are allowed to do, what your institution’s risk assessment defines, and what users will tolerate. Making appropriate policy-related adjustments to O365/M365 requires knowing how to connect with and analyze specific Microsoft data to modify the related security controls. Microsoft has created a plethora of controls, which can be difficult for many customers to navigate. That’s where it can be beneficial to partner with a value-added reseller like Safe Systems.

M365 Security Basics

Safe Systems consults with clients to help them best use O365/M365 controls and uncover their cloud security “blind spots.” M365 Security Basics is the first CloudInsight™ offering that provides visibility into security settings for Azure Active Directory and O365/M365 tenants.

M365 Security Basics consists of three main parts—reporting, alerting, and quarterly reviews— that your institution can choose from based on its needs. The reporting feature pulls Microsoft data that may not be easily accessible and compiles it into a user-friendly format. The reports show the fundamental settings at a glance, so institutions can track configuration changes over time. There are summary reports that IT administrators can use to quickly identify anomalies in their organization as well as detailed reports that include the specifics of a given anomaly.



While reporting generates important ongoing details, it can produce a substantial amount of information for you to review. Alerts can notify you as soon as possible about the most common setting changes or activity that can represent an indicator of compromise, so you can investigate and respond.

With the quarterly review component, Safe Systems will help you walk through the content of all your reports and discuss your overall strategy for adjusting the configurations. Having all this data at your fingertips makes it easier to make assessments to determine which settings are right for your organization. Two key settings to enable are multi-factor authentication—which should be universal for every user because it adds a critical layer of protection to the user sign-in process—and auditing which is crucial for investigating changes.



Educate. Expose. Empower.

The goal of M365 Security Basics is to educate financial institutions about the unfamiliar concepts related to O365/M365, expose the reality of what they are already living today, and empower them to take action where changes are needed.

For more information about how to understand O365/M365 settings to ensure your security controls are effective, listen to our webinar on “Cloud O365-M365 Security – Do You Know if You Are Currently Compromised?”

21 Sep 2021
Multi-Factor Authentication Offers Secure, Reliable Access Control

Multi-Factor Authentication Offers Secure, Reliable Access Control

Multi-Factor Authentication Offers Secure, Reliable Access Control

In our increasingly digital world, financial institutions must go beyond requiring only usernames and passwords for the sign-in process. They need to employ a combination of factors to validate the individuals using their resources, whether they’re customers accessing electronic products and services or employees accessing systems, applications, and data. Institutions can choose various levels of authentication to verify people’s identity before giving them access to sensitive information, accounts, and other assets. However, multi-factor authentication (MFA) offers a secure and reliable approach for reducing the potential for unauthorized access.

One of the key values of MFA lies in its use of multiple factors for the validation process. MFA adds a layer of protection by requiring users to present a variety of elements to prove who they are. With this method, users must supply valid identification data such as a username followed by at least two types of credentials, such as:

  • Something the person knows: This represents “secret” information that is known or shared by both the user and the authenticating entity. Passwords and personal identification numbers (PINs) are the most commonly used shared secrets, but newer methods of identification are gaining popularity. Users may be required to answer questions that only they should know, like the amount of their monthly mortgage payment. Another example is they might have to identify their pre-selected image (chosen when they opened their account) from a group of pictures.
  • Something the person has: This is often a security token or a physical device, such as an I.D. card or smartphone, that people must have in their possession. Password-generating tokens can significantly enhance security because they display a random, one-time password or passcode that the recipient must promptly provide to complete the authentication process. Having unpredictable, one-time passwords makes it more challenging for hackers to use keyboard logging to steal credentials.
  • Something the person is: This more complex approach to authentication uses a physical characteristic (biometrics) such as face, fingerprint, or voice recognition to verify people’s identity.

Since MFA incorporates factors based on knowledge, possession, and/or biometrics, it makes it more difficult for cybercriminals to compromise people’s identity. Thus, MFA is an ideal verification method to use when more sensitive or critical assets are at stake. MFA is so reliable that the Federal Financial Institution Examination Council (FFIEC) recommends applying it in more high-risk situations. “Management should use multi-factor authentication over encrypted network connections for administrators accessing and managing network devices,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet.

MFA gives financial institutions a valuable security control for their internal and cloud resources. Take our quiz to see how much you know about multi-factor authentication.

14 Sep 2021
How Financial Institutions Can Better Manage Their Azure Active Directory Responsibilities

How Financial Institutions Can Better Manage Their Azure Active Directory Responsibilities

How Financial Institutions Can Better Manage Their Azure Active Directory Responsibilities

If your institution is using Microsoft 365 (formerly Office 365), you also have—and are responsible for—Azure Active Directory (Azure AD), Microsoft’s cloud-based identity and access management service. Microsoft Online business services like M365/O365, require Azure AD for sign-in and to help with identity protection. If you subscribe to Microsoft Online business services, you automatically get Azure AD with access to all the free features.

With an Azure AD tenant, you’re responsible for overseeing Azure AD’s security features, which can be customized to your business requirements. For instance, you can use Azure AD to require multi-factor authentication for users who are accessing important organizational resources. You can also employ Azure AD utilities to automate user provisioning between your existing Windows Server AD and cloud apps, including M365.

The Good News: You’ve Already Vetted Azure AD

If you’re daunted by the idea of overseeing Azure AD, don’t be. You’ve likely already vetted Azure AD for compliance because you’re using M365/O365. So, if you properly completed the vendor management process, Azure is already covered. In addition, Microsoft has taken steps to secure the environment that houses data in the Azure AD platform.

However, customers have the ability to choose settings that can make Azure AD more secure. Since M365/O365 is designed to be a collaborative environment, their out-of-the-box security settings are calibrated for sharing, requiring some modifications to enhance the security features. For example, you can use the Azure AD management interface to adjust the sharing dial to keep users from disclosing non-public or sensitive information.

Oversight Responsibilities

If you obtain an Azure AD license through a third party, you’re still responsible for managing, controlling, and monitoring access within your organization. This includes access to resources in Azure AD and other Microsoft Online services like Microsoft 365/Office 365. More importantly, your institution (not your vendor) is responsible for managing all the security features of Azure AD.

With an Azure AD tenant, you should:

  • Manage your cloud and on-premises apps
  • Manage your guest users and external partners, while maintaining control over your own corporate data
  • Customize and control how users sign up, sign in, and manage their profiles when using your apps
  • Manage how your cloud or on-premises devices access your corporate data
  • Manage your organization’s identity through employee, business partner, vendor, service, and app access controls
  • Detect potential vulnerabilities affecting your organization’s identities, configure policies to respond to suspicious actions, and then take appropriate action to resolve them
  • Gain insights into the security and usage patterns in your environment through reports and monitoring

Safe Systems can help financial institutions optimize key features in Azure AD and M365/O365 to meet or exceed their security objectives. Our M365 Security Basics solution can provide expertise and visibility into security settings through reporting, alerting, and quarterly reviews.

08 Sep 2021
Key Terms FIs Need to Know for Microsoft 365 (Office 365) and Azure Active Directory

Key Terms FIs Need to Know for Microsoft 365 (Office 365) and Azure Active Directory

Key Terms FIs Need to Know for Microsoft 365 (Office 365) and Azure Active Directory

Many financial institutions rely on Microsoft 365 (formerly Office 365) and Azure Active Directory (Azure AD) to access resources that can enhance their employee productivity and business operations. Here are some basic, but important, terms to keep in mind for these products:

  • Microsoft 365 (M365) versus Microsoft Office (O365)

Microsoft announced early last year that it was rebranding most of its O365 products to M365.

“We are changing the names of our Office 365 SMB SKUs on April 21, 2020. Yes, that’s right, the Office 365 name is hanging up its jersey and making way for Microsoft 365.”

Because Office 365 was so widely used, it has taken a while for this name change to catch on. Adding to the confusion, Microsoft already had M365 products prior to the name change. In most cases today, M365 and O365 are terms that are used interchangeably.

  • Azure AD

Microsoft Azure AD is a cloud-based identity and access management service that enables users to sign in and access various resources. You may be familiar with Active Directory as your on-premises identity management platform. What you may not realize is this: When you purchased M365, you received Azure AD along with it. Azure AD allows your employees to sign into resources like M365, the Azure portal, and other SaaS applications. They can also use Azure AD to sign into some of your institution’s other resources, such as apps on the corporate network and intranet.

  • Azure AD Sign in

Since all O365/M365 services are funneled through Azure AD, whenever employees try to access these resources, they must first sign in to Azure AD. Essentially, Azure AD facilitates sign-in attempts by authenticating users’ identities. Because Azure AD works behind the scenes, employees may not realize they’re not directly signing into O365/M365.

  • Basic versus Modern Authentication

Customers of O365/M365 and Azure AD can choose basic or modern authentication to access their services. Basic authentication requires simple credentials like a username and password while modern authentication goes a step further with multi-factor authentication. This advanced login protocol requires a username, password, and another identity verification such as scanning a fingerprint, entering a code received by phone, or using the Microsoft Authenticator app. This adds another layer of protection to the sign-in process before users can access their O365/M365 and Azure AD accounts.

Safe Systems can make it easier for financial institutions to strengthen their security posture when using cloud-based solutions like M365 and Azure AD. M365 Security Basics provides visibility into security settings for these products through in-depth reporting, alerting, and quarterly reviews.

18 Jun 2021
5 Areas to Outsource so Your IT Administrator Can Go on Vacation

5 Areas to Outsource So Your IT Administrator Can Go on Vacation

5 Areas to Outsource so Your IT Administrator Can Go on Vacation

It’s summertime. And COVID restrictions are finally being lifted. Maybe now your IT administrator can go on vacation—if there’s someone available to fill in.

Third-party IT and security service providers can make it easier for smaller banks and credit unions to manage when staff takes time off. Here are five areas where financial institutions can outsource to maintain adequate IT resources—and peace of mind—while the IT administrator is out of the office enjoying some downtime:

1. Network monitoring for diagnostic or security issues — Monitoring is critical for detecting, diagnosing, and resolving network performance issues. A network monitoring solution can gather real-time information to ensure the system is being effectively managed, controlled, and secured. With proactive monitoring, IT staff can find and fix network issues more quickly and easily. This can help them keep the network operating smoothly, stay ahead of outages, and avoid expensive downtime. It can also help the IT department maintain critical business services and reduce potential security risks for the institution. Outsourcing network monitoring can lighten the workload for time-strapped staff who are probably juggling more tasks while the IT administrator is away.

2. Managed replication and real-time backup to the cloud — Replication tools can automate the process of copying data across multiple sources, relieving the IT department from the burden of monitoring backups on a daily basis. The data gets stored in multiple locations, increasing its redundancy and resiliency. Using cloud-based managed data replication and backup solutions can make it easier for institutions to have the data they need to maintain normal business functions. It also provides another major benefit: No matter where the network admin is, it will be easy to restore data if a hardware failure, power outage, cyberattack, or some other disaster impacts the system.

View the PDF5 Things to Outsource So Your IT Administrator Can Go on Vacation Get a Copy

3. Regulatory and IT reporting — The need for data to confirm controls are in place does not go away when someone leaves or goes on vacation. It is important for management to have access to timely reporting about IT issues to enhance security and meet regulatory compliance. Having a system in place that generates reports in a single location, rather than manually created reports or reports pulled from disparate systems helps ensure data on security controls can be reviewed by anyone anytime. Partnering with a third-party provider that can aggregate reporting and control data can make it easier for institutions to meet these requirements.

4. IT support experts — Financial institutions must have the appropriate IT expertise to stay on top of complex security issues. Outside vendors can provide access to IT specialists who can augment the efforts of their IT team. The added support not only can be a godsend while the system administrator is on vacation, but it can also meet an ongoing need. An institution can use outside experts to provide technical knowledge and resources that may be lacking in the IT department.

5. Cloud-based infrastructure — Virtual servers, storage, software, and other cloud-based solutions offer access to resources on demand. And since cloud infrastructure is flexible and scalable, it is the ideal way to modernize a computer system and build redundancy. Using cloud-based infrastructure allows financial institutions to have duplicate copies of their data and core systems available whenever they’re needed. So, if an IT issue comes up, a third-party service provider can troubleshoot the problem remotely while the IT administrator is on leave.

Safe Systems offers a range of IT and security solutions to help institutions keep their operation and network running efficiently. Learn more about how our compliant solutions can provide professional support whenever your IT administrator takes a much-needed break.

10 Jun 2021
Resource Center

Technology, Compliance, and Security Best Practices – All in One Place

Resource Center

A few years have passed since we launched the Safe Systems online Resource Center, which provides community banks and credit unions access to a centralized knowledge base of materials that help you learn more about technology, compliance, and security best practices.

With a wide variety of content, ranging from videos to white papers to case studies, the Resource Center allows you to stay current with the latest trends and insights in the industry. For example, visit the Resource Center to view our latest webinar, infographic, or a short and timely blog. Come back often, as we add new content every week!

Just in case you missed our Resource Center reveal, or you would like a few more details on what it has to offer, please view the original blog post here.

03 Jun 2021
What CEOs Should Know about Disaster Recovery

What CEOs Should Know about Disaster Recovery

What CEOs Should Know about Disaster Recovery

Disaster recovery—the process of restoring IT infrastructure, data and systems in the aftermath of a major negative event—is a specialized area of technology that’s not always top of mind for executives. CEOs must ensure their organization is equipped to quickly resume mission-critical functions following a calamity.

Here are some key considerations that bank CEOs should keep in mind to make sure their financial institution has a feasible approach to disaster recovery.

Expect the Unexpected

A disaster can happen anytime—and in any form. While people typically think of disasters as being natural occurrences, manmade catastrophes such as power outages, equipment failures, cyber attacks, and network downtime due to human error are equally common causes of disruption. Regardless of the source, the need for DR is truly a matter of when—not if. So, CEOs should get comfortable with the uncomfortable idea that some type of disaster will eventually impact their institution.

Be Proactive

DR planning is the key to both preventing disasters, and when they do eventually occur, successfully recovering from a natural or manmade calamity. Not having a sufficient plan in place can hit an institution where it hurts most: a loss of data, business functions, clients and reputation—not to mention time and money. Therefore, bank CEOs must ensure their management team is taking proactive steps to adopt effective DR strategies. This includes implementing—and testing—a plan for getting operations back to normal with minimum interruption.

Besides the practical need for DR planning, the Federal Financial Institutions Examination Council (FFIEC) advocates taking a preemptive approach to this often overlooked area of technology. The FFIEC IT Handbook’s Business Continuity Management booklet advises: “Management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the BIA. In addition, management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software.”

The business impact analysis (BIA) is one tool that bank management can use to ensure their financial institution is adequately preparing for DR. This important mechanism predetermines and prioritizes the potential impact disruptive events will have on business functions. Essentially, the BIA can show gaps in critical processes that would impede disaster recovery and, in turn, the institution’s business continuity.

Consider Outsourcing DR

The intricacies of disaster recovery planning can be daunting, which is why many organizations fail to create a viable DR plan. More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyber attacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient and cost-effective. Outsourcing DR can be especially advantageous to smaller banks that may lack this type of specialized knowledge in house. It can also benefit larger institutions that want the comfort of having third-party services available to support their resident DR specialists.

CEOs have a lot on their plates but paying attention to these important DR issues can help ensure both operational resilience during a disaster as well as regulatory compliance. To learn more about how Safe Systems helps financial institutions and their CEOs develop well designed, compliant DR plans, explore our Managed Site Recovery solution.

06 May 2021
After the Disaster: Real Community Banking Recovery Stories

After the Disaster: Real Community Banking Recovery Stories

After the Disaster: Real Community Banking Recovery Stories

Even the best-laid plans can go awry—especially after a disaster. Our real-life stories from actual community financial institutions underscore the importance of having an effective disaster recovery (DR) process in place.

It’s obvious that a disaster can strike anywhere and anytime. What’s less obvious is that a natural disaster doesn’t have to happen for a financial institution to implement its DR plan. For instance, a server room and all the equipment inside could become damaged by a fire or flood. A power outage or loss of a communications line could take out an institution’s phones, email, and internet. This could be devastating because communication is such an integral function of a financial institution.

Not knowing how long a power outage will last can further complicate the issue. If the outage stretches over a few hours or days, the institution should be thinking about implementing its DR process. But making that call can be difficult. That’s where having an outside team of DR experts available can be helpful. For example, we can help institutions quickly leverage Microsoft Azure for cloud site recovery. We can also assist with ongoing monitoring, maintenance, and testing to ensure the viability of their DR plan.

Real DR Stories from Community Banks

For example, a tornado struck one of our community bank clients and severely damaged its main office. The branch was rendered completely inoperable, unable to serve customers or employees. Fortunately, the critical servers that were housed in the building were not destroyed, and we were able to relocate them to a different branch location. The bank operated the servers from that site for a year while the main office was being rebuilt. Ultimately, we returned the servers to their original location and made the necessary reconfigurations to get everything functioning again. Moving the severs to a different place allowed the bank to avoid failback, which can be the most complicated aspect of the disaster recovery process.

Another DR scenario involves a financial institution on the South Carolina coast, where hurricanes frequently make landfall. In this case, a hurricane demolished the main office and completely flooded the location. As a result, the institution lost its servers, internet connection, and ability to communicate. The bank’s DR strategy relied on using 4G to restore internet connectivity, but the cell towers were down. Thankfully, the network had an old telecommunication circuit that we were able to get turned on and operational. So, after we dealt with the communication curveball, we were able to get the network—and bank—up and running again.

Community Bank in Alaska Shares Insights

It’s often the physical environment that determines the disasters that an institution may encounter. Potential hazards for Fairbanks, Alaska-based Denali State Bank include flooding from nearby rivers, jolting earthquakes, and volcanic eruptions on the Aleutian Chain. Therefore, Denali State Bank—which has $380 million in assets and 150 endpoints across five branches—focuses on ensuring that it has critical IT staff and services available during a disaster.

As part of its DR solution, the bank maintains a designated alternate site—one of its branches—that sits on a separate portion of the power grid. Denali also uses cloud-based Microsoft Azure, which makes it easy to run and test critical functions. During testing, the bank can shut down all connections to its main office (including large SQL servers), quickly spin up everything virtually through Azure, and establish connectivity through a Safe Systems co-location facility. This helps to ensure that vital functions will work properly to support the institution after a disaster.

Get more community banking DR insights. Listen to our webinar on “After a Disaster: Real Community Banking Recovery Stories” to make sure your institution is better prepared for an unexpected negative event.

29 Apr 2021
The 4 “Rs” of Disaster Recovery

The 4 “Rs” of Disaster Recovery

The 4 “Rs” of Disaster Recovery

Organizations can be impacted by a natural or manmade disaster at any time. Having an effective approach to disaster recovery (DR) can help banks and credit unions meet their regulatory obligations, better protect themselves from the impact of a significant negative event and enhance their ability to bounce back and continue operating in the aftermath of a disaster.

There are four “R’s” when it comes to disaster recovery that every financial institution should focus on: Recovery Time Objective (RTO); Recovery Point Objective (RPO); Replication; and Recurring Testing. Here’s why each of them is integral to DR:

RTO

RTO, the longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens, is a crucial facet of DR. Established RTOs essentially represent trade-offs, with shorter RTOs requiring more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. Ideally, financial institutions will have RTOs predetermined before a disaster strikes, and the RTOs will be included in the institution’s Business Impact Analysis (BIA) as part of the business continuity planning process. Following a disaster, the recovery process will depend on the type of institution, technology solutions, and business functions as well as the amount of data involved. Institutions with an outside vendor guiding their disaster relief efforts typically have a more streamlined and less stressful recovery process.

RPO

The RPO represents the amount of time between a disaster occurring and a financial institution’s most recent backup. If too long, and too much data is allowed to be lost, it could result in substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. The Information Security Officer (ISO) and management must define exactly how long they are willing to go without having a copy of their data available. As banks and credit unions become more dependent on technology, however, their tolerance for not having critical functions available shrinks. Increasingly, financial institutions are turning to outside vendors to bolster their recovery solutions, but they must ensure that those third-party providers are adequately equipped to satisfy their RPO requirements.

Replication

Effective DR replication is essential because it allows an exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. DR requires the duplication of data and computer processing to take place in a location not impacted by the disaster. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster. Options for recovery can take various forms: fully redundant systems at alternate sites; cloud-based recovery solutions (either internally developed or outsourced); another data center; or a third-party service provider; according to the Federal Financial Institution Examination Council (FFIEC).

Recurring Testing

Recurring testing allows banks and credit unions to pinpoint key aspects of their DR strategy and adjust as needed to accomplish their objectives. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback. The institution should employ a variety of tests and exercises to verify its ability to quickly resume vital business operations in a disaster situation. Regular testing can reveal possible problems in the institution’s DR plan so that it can immediately address these issues. The aim is not necessarily to pass each test or exercise, but rather to find and fix flaws before a disaster occurs.

Read more about how your bank or credit union can be better positioned to recover from a disaster. Download our “4 Rs of Disaster Recovery” white paper.

15 Apr 2021
Latest Microsoft Updates Show Importance of Patch Testing

Latest Microsoft Updates Show Importance of Patch Testing

Latest Microsoft Updates Show Importance of Patch Testing

In early March 2021, Microsoft published some cumulative updates for different versions of Windows 10, including KB5000802. Unfortunately, the new updates and patches caused a variety of problems, including workstation crashes when printing, problems opening emails in Outlook, and some vendor products, such as Fiserv’s Navigator, not displaying correctly.

As a result, many people could not use printers from several popular brands such as Kyocera and Ricoh, and the new patches caused some users to experience the dreaded “Blue Screen of Death” (BSoD) when they clicked on the “print” option in some apps. Ultimately, Microsoft addressed the issue and rolled out a fix for the printer problems.

Importance of Patch Testing

The problems associated with Windows 10 KB5000802 serve as effective real-world reminders of the importance of patch testing as these issues could have been avoided by implementing proper testing procedures. Vendors are constantly releasing patches to correct software problems, improve performance and enhance security. But as the recent Microsoft incident clearly shows, patches can sometimes trigger new problems while trying to address existing ones.

All of this demonstrates why it is so important for banks and credit unions to test patches before installing them. Ideally, financial institutions should create a test group of the different kinds of machines and applications used in their environment and then apply any newly released patches to the elements in the group. Besides being a pragmatic approach, utilizing a test group also adheres to guidelines of the Federal Financial Institutions Examination Council (FFIEC), and it helps effectively protect institutions from downtime, security breaches, and IT issues.

Value of a Third-Party with Financial Industry Expertise Managing Patches

The problems surrounding the latest Microsoft patch also illustrate the value that a qualified third-party IT expert like Safe Systems can bring to community banks and credit unions. Through our meticulous testing process, which includes more than 2,000 machines running a wide variety of banking and lending applications, Safe Systems was able to identify both general PC issues and banking application issues related to the patch. This regimented testing process, which follows FFIEC guidance, enabled Safe Systems to minimize the impact on more than 25,000 financial institution devices. As a result, clients were able to avoid major hassles and headaches with a vast majority of their devices.

Safe Systems issued an official notification about the situation, spelling out the specific problem, impact, resolution, and action required for customers and eliminated the patch from the environments of clients that were having trouble. Customers using NetComply One to manage patches didn’t need to take any additional action—unless they still had problems after the patch was removed. For clients with lingering complications, Safe Systems’ fully staffed Network Operation Center (NOC) was available to resolve their issues quickly.

Safe Systems’ proactive actions to neutralize possible issues relating to the patch is a prime example of the benefit of our NetComply One solution. Part “product” and part “service,” NetComply One is a comprehensive patch management solution that offers quarterly advisement from Safe Systems experts. It provides valuable reporting and insight into potential issues to help community banks and credit unions pass audits and exams. To learn more about how NetComply One can help your financial institution, click here.

18 Feb 2021
Is Your FI Ready to Move to the Cloud? | Webinar Recap

Webinar Recap: Is Your FI Ready to Move to the Cloud?

Is Your FI Ready to Move to the Cloud? | Webinar Recap

With organizations in virtually every industry employing cloud computing to enhance their infrastructure, cloud adoption is becoming mainstream. But is your bank or credit union ready to make the move to the Cloud?

Before you attempt to answer this question, start with why you should be considering the Cloud. There are significant benefits to using cloud-based solutions: guaranteed uptime; rapid scalability for expanding or reducing resources; flexibility for reprovisioning; and improved redundancy. Another important—but often undervalued—reason for moving to the Cloud is ease of use. The Cloud simply makes it easier for IT administrators to do their jobs and easier for financial institutions to manage infrastructure costs. Instead of buying, owning, and maintaining physical data centers and servers, institutions can procure IT resources over the Internet on an “as-needed” basis with true “pay-as-you-go” pricing. This kind of arrangement can be especially appealing to a de novo, a growing bank, or any institution wanting a more efficient, cost-effective way to manage IT-related expenses.

In addition, cloud systems offer the key advantage that they’re built from the ground up to cater to remote users. Bank and credit union employees can access the same tools, applications, and resources using the Internet whether they’re working on-site, from home, or in another location, making the Cloud the ideal tool for both remote work and collaboration.

Determining When to Make the Move

So how do you know if your financial institution is ready to move to the Cloud? The main indicator is whether management is supportive of the idea or feels implementation would be too burdensome. If your institution can’t manage the research, preparation, and challenges involved with cloud migration, it may not be the best time to make the transition.

One obvious sign that you are ready for the Cloud is if your organization is steadily growing and needing to augment resources. Perhaps you’re looking at expanding to new servers or rethinking your current architecture. Maybe it’s a situation where you’re tired of being stuck in a cycle of dealing with replacement projects for new servers. If you’re looking at replacing multiple servers that are running out of warranty, it could be the opportune time to move some of that workload up to the Cloud.

Transitioning Slowly

Moving to the Cloud can be a complex undertaking, but the good news is that your institution doesn’t have to make the leap all at once. In general, it’s best to be slow and methodical. This strategy can involve transferring one aspect at a time over several years. We are seeing a number of institutions start with moving their disaster recovery solution to the Cloud or using a “brick-by-brick” approach by migrating one or two servers at a time.

Don’t forget, the Cloud isn’t just a new tool, it’s a whole new world. Once your institution makes the jump to the Cloud, you need to monitor and manage the systems in the Cloud going forward. As with everything in IT, some adjustments may be needed over time. If you engage with a trusted partner for cloud services, they may be able to assist with your ongoing monitoring and management of your resources in the Cloud.

For more insights about cloud migration, watch our webinar on “Are You Ready to Move to the Cloud.”

28 Jan 2021
Why De Novo Banks Should Choose the Cloud

Why De Novo Banks Should Choose the Cloud

De novo banks have enough to be concerned about as they struggle to get established: raising capital, selecting a core system and products, getting enough personnel in place—and keeping everything afloat until they begin to thrive. Opting for the Cloud is one of the most prudent decisions a de novo bank can make.

Ease and Speed

A key benefit of employing the Cloud is the ease and speed of implementation, which is especially advantageous for a de novo with a tight timeline to get up and running. The Cloud also affords a de novo the ability to choose technology solutions based on its unique specifications. Rather than trying to estimate and make provisions for future growth, the bank can select cloud services according to its current requirements and as the de novo grows or reduces its operation over years, it can make the necessary adjustments to fit. In a real-world scenario, if a bank needs the capacity to process more loans, a cloud provider can instantly ramp up to meet that demand.

Cloud services also provide de novos with the cost-saving flexibility to forgo extensive infrastructure investments upfront and help avoid the expense of maintaining and replacing outdated hardware over time. Working with a major cloud provider means de novos will always be using the latest and best technology. This supports more predictable technology costs, especially when working in tandem with a managed cloud provider that can minimize the need for retaining a larger IT staff.

Disaster Recovery

Financial institutions—no matter how new they are—must have a strategy in place for restoring their IT infrastructure, data, and systems following adverse events, such as natural disasters, infrastructure failures, technology failures, the unavailability of staff, or cyber attacks, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

When a de novo chooses the Cloud to support its banking system, it simplifies many of the typical aspects of disaster recovery (DR). Cloud-based DR allows institutions to replicate the data in their main offices and transmit it to a safe location that staff can access during a catastrophic event. Having continuous replication means there’s minimal lag time when switching from live to DR mode. Plus, the Cloud makes it easier for IT staff to go live, run tests, and complete tests more thoroughly. Ultimately, cloud services can help de novos go beyond merely addressing disaster recovery, to instituting steps for disaster avoidance.

Here are some other compelling reasons for de novos to embrace the Cloud:

  • Security: A de novo bank has access to more security resources with the Cloud, making it easier to incorporate the best practices that regulators expect. Major cloud providers like Microsoft, Google, and Amazon maintain an army of security experts; they simply can offer more robust security than small de novos can build on their own.
  • Compliance: Leading cloud vendors are well versed in regulatory compliance issues, and de novos that use managed cloud providers receive a comprehensive solution that can further enhance compliance and vendor management.
  • Flexibility: With cloud services, de novos not only gain the advantage of being able to manage their IT infrastructure from anywhere, but they also gain the capability to easily turn on/off cloud services allowing them to quickly explore new ideas or diagnose problems within their environment.

The simple truth is that a de novo bank could never build an IT infrastructure on par with what it can accomplish through the Cloud. And working with a managed cloud service provider like Safe Systems can make using the Cloud even easier, leaving bankers free to focus on banking.

23 Dec 2020
Banking Bits and Bytes

What You Need to Know About Securing Exchange Online: Connecting to Exchange Online

What You Need to Know About Securing Azure AD

Technical Level: Beginner/Intermediate
Note: Previously, we discussed PowerShell basics. Later in this series, we’ll discuss security concerns.
TL;DR: In order to properly secure Exchange Online, you need to know how to traverse and manipulate settings with PowerShell. In this guide we cover the installation of the EXOv2 module, using the module to connect to an Exchange Online instance, and running some basic commands.

Exchange Online Security with PowerShell

In this post we are going to pick up where we left off last time. Now that we have the basics of PowerShell under our belt, we can go ahead and install the newer ExO V2 Module and then use that module to connect to an Exchange Online instance. Finally, we will go over a few simple commands just to verify the connection has been established.

Exchange Online V2 Module Installation

If you follow the link above for the EXOv2 Module you will find the installation instructions point you to the PS Gallery page for the module.

Securing Exchange - Code Example

The PS Gallery has a few ways to install the module.

Securing Exchange - Code Example

If your package manager is already set, you can enter the following statement to begin the installation of the module:


Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3

Note: In this case, -RequiredVersion is a switch parameter (I just call them switches) to indicate the version you are looking to download. You don’t have to specify the version when you run the command.

If you run the command you should see that PowerShell prompts you to confirm the installation. I would show you that with a screen grab, but I was met with an error:

Securing Exchange - Code Example

I decided to include this error because you will inevitably run into errors when trying to run command logic. Being able to troubleshoot based on the error description is pretty much a necessity with PowerShell and thankfully the error messages are mostly useful. In this case, even though I had uninstalled the Exchange Online V2 Module previously, there are some remnants of the module still in place on my system. PowerShell won’t let me override existing commands with commands from a new module, unless I give explicit permission with a switch. In this case, I ran the following command to get the module installed:


Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3 -AllowClobber

Securing Exchange - Code Example

This time there was no error and I was just brought to the next line. I am kind of a cautious guy, so this lack of feedback is disconcerting. How can we tell if the module was really installed? A valid question to which there is a valid response: the Get-InstalledModule command. You can use the following command to verify the installation:


Get-InstalledModule ExchangeOnlineManagement

Securing Exchange - Code Example

Tips and Tricks

Once you get into using various modules it can be difficult to keep track of all the different module names. Thankfully, the Get-InstalledModule command is pretty versatile. If you know at least part of the module name you can surround it with wildcards (the * symbol) to have PowerShell find any module that contains the text between the wildcards. For example, running the command below will also show us that the Exchange Online Management module is installed:


Get-InstalledModule *Exchange*

Securing Exchange - Code Example

Exchange Online v2 Module – Connecting to Exchange Online

Now that the module has been installed, we can use it to connect to an Exchange Online instance. There are a few different types of connectivity options depending on the type of workflow you are using to connect to Exchange Online. For these examples, the assumption is that you are an administrator for a single instance of Exchange Online. Without delegated rights or service principals to worry about, connecting is straight forward. Use the following code and an account with enough access to connect to Exchange Online:


Connect-ExchangeOnline

Securing Exchange - Code Example

Since the new ExO V2 module supports modern authentication, if your account has MFA enabled, you will be asked to sign in with modern authentication:

Securing Exchange - Code Example

Securing Exchange - Code Example

Securing Exchange - Code Example

After you successfully authenticate, you will be brought back to a new line:

Securing Exchange - Code Example

Once again this is one of those things you are just going to have to take on good faith that the authentication was successful. If it wasn’t, you will be prompted with an error.

Get Over Here!

In general, there are three basic command archetypes within Exchange Online: Get, Set, and New. Get commands are basically read operations. They get values/properties and are really pretty harmless to run so this is where we will start.

Note: Set commands are all about modifying existing values/properties and New commands are about creating new values/properties. Both have some inherent risk so we will cover them in a future post.

Let’s use our new connection to grab the mailbox objects for all our users. Use the following code to utilize the new v2 cmdlets to gather all mailboxes:


Get-EXOMailbox

Securing Exchange - Code Example

Side bar: I am really impressed with the new cmdlets! They are just so much faster than the old ones and since there is full backward compatibility you don’t have to take my word for it, you can run the old one and the new and see the time difference yourself!

Ready For A PowerShell Picnic?

My number one recommendation for new NOC analysts and administrators unfamiliar with PowerShell is always to fool around with it and the more you work with it, the less intimidating it will be. With that in mind, it is time to reach back to our previous picnic themed post and pull the concepts from that picnic basket and start eating a PowerShell sandwich made from mailbox statistics.

The command to get mailbox statistics using v2 cmdlets is:


Get-EXOMailboxStatistics

Securing Exchange - Code Example

Yea I kind of set you up for failure on that one but I had a good reason I promise! The command failed but the reason why it failed is important and so is the resolution. Both can be found in the red text of the error but to make it a bit easier to read and understand, I have included the important bits parsed here.

The reason for the failure is “Identity is a mandatory value to provide for running Get-ExoMailboxStatistics.” What this means is we tried to run the command, but it has a mandatory switch that must be provided for the command to run properly.

Note: You can find out which switches are required by looking at the documentation for the command either online — honestly, using your favorite search engine and searching for the command to get to the Microsoft documentation page for the command is your best bet for this option — or straight from within PowerShell with the get-help command.


Get-Help Get-EXOMailboxStatistics -Full

The suggested resolution is:

You can specify identity by using either of the following

  1. Any one of the three available parameters: Identity, ExchangeGuid, UserPrincipalName.
  2. ExchangeGuid and DatabaseGuid.

What this means practically speaking is that the command was not intended to be run to gather statistics for all mailboxes in the organization at once. It requires a specific mailbox and then it will gather the statistics for just that one mailbox. That is the intent of the command but I really would not want to type that command a hundred times just to be able to view the statistics for all my users.

The acceptable identity parameters are Identity, ExternalDirectoryObjectId, or UserPrincipalName. All three are properties that are provided in the default set of properties for a mailbox object. In other words, when we run the command to get mailboxes, the objects that are returned have the information we need to be able to run the mailbox statistics command.
You can see this in action with the following code logic:


Get-EXOMailbox | Get-EXOMailboxStatistics

Securing Exchange - Code Example

Bring Home the Leftovers

Ok, seriously I am kind of running out of picnic metaphors so I may have to switch it up in the next post. Lets wrap up this PowerShell picnic by exporting the data for easier consumption. For me, there are two trains of thought here depending on what I plan to do with the data. If the plan is just to view the data, then pipe the results to an export-csv command and you are set.


Get-EXOMailbox | Get-EXOMailboxStatistics | Export-Csv -NoTypeInformation -Path “c:\temp\EXOMailboxStats.csv”

Securing Exchange - Code Example

If you plan to use that data for more PS commands (in the same session), then store it in an object first and then export the data. This way you won’t have to spend time gathering it again.


$exoMailboxStats = Get-EXOMailbox | Get-EXOMailboxStatistics
$exoMailboxStats | Export-Csv -NoTypeInformation -Path "c:\temp\EXOMailboxStats.csv"

Securing Exchange - Code Example

Conclusion

That about sums it up (pun totally intended). In this post we went over installing the new ExO V2 module, using the module to connect to Exchange Online, and then using our new connection with some small scripting logic to gather mailbox statistics.

Get commands really are important because they are what will show you all your current Exchange Online properties. There are so many properties though, so which ones are important to look at??? Join us next time around as we solidify our grasp of the get commands and start to look at security related properties that could help show you if your users have been compromised!

05 Nov 2020
How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

Banks and credit unions of all sizes experience some level of turnover or unexpected absence that can affect internal positions. When the IT administrator role is impacted, it can cause the most disruption, especially for smaller community institutions, as many have limited resources and may rely on only one employee in the role. When an IT administrator leaves, he or she takes with them the institutional knowledge and expertise gained through working with the FI’s unique IT infrastructure and network management processes. To lessen the impact, it’s up to the institution to effectively build continuity into its IT strategy and pay attention to the strategic decisions being made by the IT team.

In a recent Safe Systems webinar, we discussed the importance of continuity in IT and ensuring effective management of the network through transition periods. In this blog post, we highlight three key areas of focus to achieve continuity and keep the institution operating efficiently.

1. Strategic Decisions

We have seen financial institutions fall victim to the “power of one”, where the IT admin has all the knowledge and authority to make IT strategic decisions alone. Then when they leave, the rest of the institution doesn’t have a clear view of what’s been done to the network and how to properly maintain it.

Some IT admins prefer to try new technologies and add more automation to the institution’s processes. While others might stick to their comfort zone and not push for new IT tools. While it’s important to provide an appropriate level of autonomy to the IT admin, it is critical to also have a system of checks and balances in place and to examine the benefits and consequences of these decisions closely to ensure the institution has the right tools to succeed .

2. Strategic Management

For IT personnel to be successful, it is important to outline what your institution wants the IT admin to accomplish and let them know what success will look like when they achieve these goals. Some key questions to consider include: What are the desired outcomes you’re expecting from IT? Is the goal to spend their time and budget on efficiency projects, redundancy projects, or security projects? In other words, what is your tolerance for downtime, security risks, or ineffective and slower processes? How will these goals be measured?

Once these expectations are established, the IT admin should be given the freedom to do what they need to do to achieve the institution’s goals but there should also be a clear chain of command to provide oversight and to evaluate their work.

You do not want to let an employee’s expertise (or lack thereof) impact your technology or for the institution’s security to be affected negatively. Define clear objectives for your IT personnel, whether that’s uptime, recovery time objectives (RTOs), redundancy, budgeting, or specific controls you’d like to have in place to ensure the institution is operating securely.

3. Strategic Plan

Make sure the expectations and objectives you set for IT personnel align with your strategic plan. According to the Federal Financial Institution Examination Council (FFIEC), “strategic IT planning should address long-term goals and the allocation of IT resources to achieve them. Strategic IT planning focuses on a three- to five-year horizon and helps ensure that the institution’s technology plans are consistent and aligned with the institution’s business plan. Effective strategic IT planning can ensure the delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace. The IT strategic plan should address the budget, periodic board reporting, and the status of risk management controls.”

When discussing the strategic plan with management, it’s important to identify the key areas of improvement and provide information on price, level of risk, and what exactly the institution is trying to accomplish. Sometimes having an outside perspective can help push key initiatives along and get them into the budget for the year ahead.

To learn more, download the recording of our webinar, “Understanding The Lifecycle of the IT Administrator: Ensure Effective Management of Your Network.”

22 Oct 2020
Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Java is a programming language and computing platform first released by Sun Microsystems in 1995. On April 16, 2019, Oracle (who owns Java and its development) changed its client-based Java model from free to fee-based. This created a huge issue in the marketplace because so many businesses, consumers, applications used Java and based their code off of Java. So now, to get Oracle’s version of Java requires a fee per device. Many companies are facing an update and licensing management issue as they are forced to track who in their organization has Java; who needs it; and whether there are enough licenses. At this point, they must update only the computers who have purchased licenses.

It seemed like overnight, supporting and updating Java went from “not a big deal” to a headache for a lot of IT people. Luckily several companies saw the issue and began creating their own Java client based on the open source code that was released for Java. Several major players like IBM, Amazon, and even Oracle started creating their own versions of Java. Safe Systems researched which of these versions would be supported by the core providers and software vendors in the financial industry, and Amazon Corretto emerged as a top choice because it is free to use and is backed by a reputable company.

What’s Next?

At the end of December 2020, Safe Systems has decided to no longer support the fee-based version Oracle offers of Java as we now have no way to confirm if a license has been purchased or not. Instead, we have worked with financial institutions and have adopted Amazon Corretto as a supportable alternative to the Oracle fee-based version. Safe Systems will support, update, and report on Amazon Corretto as part of our third-party patching program with NetComply™.

Safe Systems did not make this decision lightly. We worked with multiple institutions using various banking applications to ensure that this could be a widely accepted switch in the industry. We spent hundreds of man hours testing and implementing the appropriate changes to ensure this is a smooth transition. We are happy to say that we can successfully support Amazon Corretto as a key application that in turn supports your critical banking applications.

NetComply is built around monitoring, alerting, automation, and supporting your machines, but it is also about keeping key applications fully patched so that your network is as secure as possible. We encourage each of you to confirm all of your applications work with Amazon Corretto before switching. If they do, there is nothing left to do but sit back and let NetComply take it from there.

01 Oct 2020
After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

In 2020 we’ve learned a lot about ourselves, and whether the general population realizes it or not, they have learned a lot about something often relegated just to banking: Risk Tolerance. And with that in mind, here are seven key items that your institution should consider while budgeting for 2021:

1. Laptops

Supply is down, demand is up, so from a pricing standpoint, you are unlikely to find great deals on laptops, but their portability has been a key component to companies and employees being successful during the pandemic. Remote work is a great option for employees who do not need face-to-face interactions with customers or members, but not every department can work successfully outside of the main office or branch.

When planning for next year, each position in the institution needs to be evaluated, if it hasn’t already, to determine the ability and effectiveness of remote working. When possible, consider having remote employees use a company laptop going forward. In a recent Safe Systems survey of community financial institutions, 1/3 of respondents have already decided that they will be purchasing more laptops this year.

2. Hardware Management Software

How many of the controls you use to secure your institution’s devices require the device to physically be in the office? As the work environment changes and more people make the shift to working from home offices, your current controls need to be evaluated to ensure they work just as effectively outside of the branch. For years, the push for “agentless” controls has been popular, but many of these controls assumed the office was a well-defined building where all devices used the financial institution’s network. As the home office becomes the new standard for many banks and credit unions, the need for agent-based controls is greater than ever. Controls/security measures are no longer effective if they require the device to be on premise.

3. Business Continuity Plan (BCP) Update

Having an updated pandemic plan as part of your BCP is still likely a need for many institutions. Because it has been more than a century since a full-scale pandemic hit the U.S., many of the assumptions and concepts that pandemic plans were based on have proven to be incorrect. For instance, many plans outlined operational changes based on only 50% staff for just a week or two. Much of the concern before 2020 was making sure staff members were properly cross trained in the event key individuals were unavailable for days or perhaps a few weeks. While this is still very important, it represents only a tiny portion of truly being ready for a pandemic.

Pandemic plans often did not address managing operations for a long duration or important measures like social distancing, security measures, consumer access, etc. Financial institutions must take a hard look at key lessons learned so far during the COVID-19 pandemic and update their plans accordingly.

4. Moving to the Cloud

Recognizing that having employees working outside of the office is a real possibility moving forward, investing in new servers and putting them in offices is becoming an antiquated idea. The cloud provides a level of redundancy, scalability, and accessibility that cannot be matched by buying a single server. It also means no one has to be in the office to manage the infrastructure. As servers need to be replaced, banks and credit unions should seriously consider the process of moving to the cloud.

5. Client Experience

One question every institution should be asking itself is: “how can we better enhance the customer experience?” While IT is usually seen as a cost center, the events of the past year may have opened a door for IT to step up and offer solutions that directly affect the customer experience. The pandemic has forced many people, some maybe for the first time, to adopt digital banking solutions. If IT can offer specific tools and/or insight into how to improve the customer experience, this may be the opening that IT has hoped for to secure a “seat at the table” among their institution’s leadership.

6. Cybersecurity

Garmin, the GPS and active wear company, reportedly paid $10 million in 2020 to counter a ransomware attack. Their customers were without the services for over a week while Garmin’s data was held hostage. All of the information about their case is not available yet, but the sad reality is that they likely could have prevented the entire situation with just a few technology solutions and security settings being implemented correctly. The threat to your data is as real today as it ever has been. Be sure to have a conversation with a security company you trust to ensure that even if you are the target of a ransomware attack, it won’t be able to hurt your business long-term. Invest in cybersecurity now, so that your institution won’t end up paying much more later.

Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report, and cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights.

Unfortunately spend and layers of protection most likely need to increase annually to address this issue.

  • Employee training – to ensure adequate and effective
  • Perimeter protection – to ensure the appropriate layers are enabled and all traffic is being handled correctly including encrypted traffic
  • Advance threat protection and logging – to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy – to ensure ransomware can’t wipe out your data

Per Computer Services, Inc (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

7. ISO

With the increase in responsibilities of the Information Security Officer and the focus on separation/segregation of duties, there has been an uptick in the number of institutions looking for virtual ISO (VISO)-type solutions. These solutions can help by taking some level of burden off of internal resources, provide staff with templates or toolsets when needed, and oversight to ensure nothing is falling through the cracks.

For 2021, there are a lot of things to consider. One focus should be to look at the changes your institution had to make because of the pandemic and what changes you should consider making in the future to improve cybersecurity, information security, and as always, your customers’ and members’ experience.

20 Aug 2020
Banking Bits and Bytes

What You Need to Know About Securing Exchange Online: PowerShell Basics

What You Need to Know About Securing Azure AD

Technical Level: Beginner/Intermediate
Note: If you would like to skip ahead, the next post in this series covers how to connect to Exchange Online.
TL;DR: Microsoft recently released the GA version of their Exchange Online V2 module for PowerShell. In order to configure some of the more advanced settings for Exchange Online, familiarity with PowerShell is going to be required. Knowing how to store variables, run commands, and connect to Exchange Online will be the bare minimum to get started.

Exchange Online Security

Exchange online security is another one of those huge areas that can be difficult to cover in just one sitting. Topics here can range from making sure offboarded employees cannot sign in, to disabling protocols per user, or preventing client access for the entire organization based on protocol, user, or public IP, and that is just the start of it. Our future posts will go into some of the more intricate details of securing Exchange Online but before we can do that, we need to make sure everyone is familiar with PowerShell (PS) at a base level.

The reason for this is three-fold. First, some information can only be gathered via PS. Second, some settings can only be configured via PS. Third, when you need to affect users at a large scale, you will need PS for some settings (unless you like clicking through the Exchange Admin Center a million times).

Practical PowerShell Basics

Disclaimer: We aren’t going to go over the finer details of the “internal machinations” of PS. Our goal here is practical use of PS for administration of Exchange Online. The terminology, definitions, and examples are all geared toward this purpose with an intended audience being those beginning to use PS.

Let’s go ahead and set the stage by opening PS and checking to see what our version is. You can do this by running the following command:


$PSVersionTable

When you run the command, you will see your PS version information displayed on the screen:

Securing Exchange - Code Example

These results introduce us to a couple of core concepts: variables, shortcuts (aka Aliases), and command logic.

Variables

Variables are just another name for a container in PS. Think of a basket. You can place any number of objects, like say bread, cheese, and wine, into a basket and go have a picnic. You won’t have a picnic if you are working in PS but it can be just as fun!

With the example above, $PSVersionTable is our basket and it holds one object, a Hashtable. That Hashtable has Key/Value pairs that equate to what was displayed on screen. Just like a basket can hold multiple items, so too can a variable hold multiple objects. Let’s go ahead and try it out.

Note: The $ is what designates the start of a variable name and what ends that designation is a space. In the example above, we end the designation with a carriage return.
Run the following command:

$Basket = “Bread”, ”Cheese”, ”Wine”
$Basket

Your results should look like this:

Securing Exchange - Code Example

What we have done here is create a variable named Basket and assigned it a set of string objects where a string is a set of characters. In other words, we stored those objects in the Basket container. The next command should look familiar. By typing the variable name with a $ in front of it, we tell PS to show us what the contents of the container are.

Note: Variable assignments will get much more complex from here on out and so will our use cases for variables. However, understanding how they fundamentally function is the first piece of this puzzle.

With both commands completed, we are ready to venture into some of the shortcuts available within PS and wouldn’t you know it, there is already some mastery of this topic, so congratulations!

Shortcuts (Aliases)

To introduce shortcuts properly, realize that all the commands we have run so far have been cut short from their original iterations. For example, if we wanted to do the same exact variable assignment for a variable named Basket2 and then show what the values of that variable are, this is what the long-form approach would look like:


New-Variable -Name "Basket2" -Value "Bread", "Cheese", "Wine"
Get-Variable -Name “Basket2”

Your results will look like this:

Securing Exchange - Code Example

Notice that the results from the Get-Variable command do not match what we get if we were just to show the variable by running $Basket2. This is because what is returned by the Get-Variable command is the variable, not the contents of that container. In other words, it is like picking up the entire basket, filled with items. While you can “see” inside the basket (the value column pictured above), to actually access the items inside you need to “open” the basket.

We will open the basket with the use of another core shortcut concept called piping. When we pipe in PS, we take all the results of a command and feed them into another command. For example, let’s run the following code to get the values of the Basket2 variable from the Get-Variable command:

Note: The | character is called a pipe. You can type a pipe by holding down Shift and pushing the Backslash button (usually found above the enter/carriage return key on a QWERTY keyboard).

Get-Variable -Name “Basket2” | Select-Object -ExpandProperty Value

The results of the command will now show the contents of Basket2:

Securing Exchange - Code Example

This brings us to the last topic for this post, command logic.

Command Logic

Command or script logic is the flow of the PS commands throughout a PS session. At a high level, command logic is read from top to bottom and left to right. More intricate scripts can get more ambiguous as preset groupings of commands, called functions, allow script logic to be reused throughout a script. For now, we can focus on how command logic can be used to pair multiple commands together to achieve desired results.

We mentioned earlier that the pipe command is a shortcut. So how else can we show the results of our Get-Variable command (“open” the basket) without the pipe? We could run the following commands:


foreach($picnicItem in $(Get-Variable -Name "Basket2").Value) { Write-Host $picnicItem}

Note: There is a bit of redundancy here since we started off with a variable assignment and now are having to do some variable assignments for each returned result. This is just an example of how else to open a container. The shortcuts exist for a reason, use them!

The results of the command will show that the output now matches what was previously generated from our other commands:

Securing Exchange - Code Example

From left to right, there are a couple of new concepts that need to be explained. First, is the concept of a foreach statement. The foreach statement is a templated function in PS that allows the iteration of the objects in a container, one at a time. The basic structure is as follows:


Foreach("New Variable" in "Existing Variable"){ "Command logic to run" }
Get-

Like all variable assignments, the names of new variables are entirely up to the creator. will be used throughout the command logic as a representative item from .

Note: In the logic above, wrapping our command logic in $() lets PS know that we expect it to evaluate every command contained within and use that output as our . We add on the .Value because we need to access the individual values of the as a collective set.

For the script above, if we translate the code to layman’s terms, what we are saying is as follows: For each picnic item in the basket, tell me what that item is.

When PS is handling the command logic, it follows those orders exactly. First it considers the foreach() parameters and grabs the first item in the basket and stores that item in the picnicItem variable. In this case it is “Bread”. Then PS looks at the command logic and sees the request to write the value of the variable onto the console, so it displays Bread on the console.

After the command logic is completely evaluated, PS will then take it from the top again, but this time will grab the next item from the basket, in this case “Cheese” and store it in picnicItem. Then PS will evaluate the command logic, which states to write the value of the object onto the console, so it displays Cheese on the console.

PS will continue to iterate through all the items in the basket until no more items are left and then the command’s run has ended. To start winding down, we are going to go over a little bit of a more complex assignment scenario. So far, we have kept things simple and manually assigned some strings to a variable but as we progress, the assignments are usually dynamically populated from the results of commands, so we need to get used to doing that. For example, if we wanted to store the objects representing all the running processes on our current machine, we could do an assignment variable like this:


$Processes = Get-Process

We could then manipulate the objects in that variable any way we see fit. For example, to show only the processes named chrome, we can pipe the results of the object to a Where-Object command that we can use for filtering:


$Processes | where-object {$_.ProcessName -eq “chrome”}

Securing Exchange - Code Example

Remember that when piping, the functional equivalent is a foreach statement. In this case, $_ is akin to the assignment of an iteration and we are accessing the ProcessName property.

Conclusion

We can only have so much fun in a day with PS before we start to lose focus, so this is a good stopping point. We went over variables, how to assign values to them, how to use shortcuts to cut down on our work, and how command logic is structured. Stay tuned for more PowerShell Basics as we dive into connecting to Exchange Online and using what we have learned to administer users and settings.

Microsoft Source: https://docs.microsoft.com/en-us/powershell/
Exchange Online V2 Module: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps

18 Aug 2020
Banking Bits and Bytes

What You Need to Know About Securing Azure AD

What You Need to Know About Securing Azure AD

Technical Level: Beginner
TLDR: Microsoft has decommissioned Baseline Conditional Access Policies and has replaced them with the new Security Defaults as of the end of February 2020. If you have been using Baseline Conditional Access Policies, Microsoft advises that you move to the new Security Defaults policy or to custom Conditional Access Policies.

Azure AD Security

Security within Azure is a huge topic covering a range of services offered by Microsoft. Everything from password protection, to data protection, to device protection, the list goes on and on. Our future posts will go into what you could be doing to protect your Azure instance. For this post though, we are going to go over what you can (and arguably should) be doing at a minimum to secure your Azure instance.

First, we will go over what the current system is and then what the new system will be.

Baseline Conditional Access Policies

Microsoft has recognized that customers of all licensing levels have security concerns. To help their customers, they released these free Baseline Conditional Access Policies. With this system, Microsoft basically said, here are some Conditional Access Policies that you don’t need to pay for that are going to help protect your Azure instance. There are four individual policies covering four important security vectors:

  • MFA for Admins
  • MFA for All Users
  • Legacy Authentication Block
  • MFA for Service Management

As you can tell by their names, the set of policies are largely focused around Multifactor Authentication. A recent blog by Melanie Maynes, Senior Product Marketing Manager, Microsoft Security, states over 99.9 percent of account compromise attacks can be blocked with MFA.

The remaining policy, governing Legacy Authentication, is also indirectly related to MFA in that the protocols that are used for Legacy Authentication (POP, IMAP, older Office desktop clients) can also be used to bypass MFA. The policies just don’t have the capability of utilizing more than a single factor for authentication, so it doesn’t provide as much security if you enable MFA for your users but then also allow them (or a bad actor) to bypass MFA with Legacy Authentication protocols.

What you should know about Baseline Conditional Access Policies is that the set of four policies can be enabled individually, independent from each other. This is important because you cannot modify the policies. If your organization has a use case for a single user, or small set of users, that needs a Legacy Authentication protocol you can’t just add exclusions like you would to a normal Conditional Access Policy. Instead you would have to leave the entire Baseline Conditional Access Policy disabled. Obviously, you would need to weigh the consequences of this action but at least you have the choice of keeping the other MFA related policies enabled and just keeping the Legacy Authentication policy disabled.

Security Defaults

In a recent article, Alex Weinert, Director of Identity Security at Microsoft, goes over the reasons for adding in Security Defaults. In the article, he goes over some of the attacks Microsoft sees and why they have been evolving their base security levels for customers. He also briefly mentions the Baseline policies with an indication that they were just one attempt at trying to secure customers but that they ultimately moved away from the Baseline policies based on customer feedback and their other learnings. Whatever the reason for the switch, at the end of February 2020, they got rid of the Baseline Conditional Access policies and replaced them with a new Directory property called Security Defaults. Really, it is just the same Baseline policies with one catch: it is an all or nothing switch. You won’t get to choose which of the policies you enable and which you don’t.

Enabling Security Defaults

The distinction is important for any organization that isn’t quite ready to invest in Conditional Access Policies for added security. If your organization has processes which utilize Legacy Authentication protocols (which include Basic Authentication for Remote PowerShell and SMTP for printers/scanners!) enabling the Security Defaults will break those processes. If you are a CSP using RPS with Basic Authentication for automated, non-interactive, connectivity to Exchange Online, you will need to make sure you have converted your processes to utilize Microsoft’s Secure Application Model. For your printers/scanners, you will need to utilize a relay capable of modern authentication or authentication via certificate or IP.

Conclusion

In lieu of paid for Conditional Access Policies, where you can customize policies and make exceptions, the new Security Defaults provide a simple and effective way of protecting your Azure AD instance. If you plan on enabling them, just be sure to understand that they block Legacy Authentication which could cause some issues with automated non-interactive connectivity or with your printers/scanners for those that utilize Basic Authentication with SMTP. If you utilize Exchange Online and have printers/scanners that fall into this category, consider setting up a relay with authentication based on certificate or IP (we will be going over this later as well).

If you are already using the Baseline Conditional Access Policies but picking and choosing among the four, be prepared to purchase licenses for Conditional Access Policies or be prepared to enable the entire set of them via Security Defaults.

Source: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new

04 Jun 2020
I’m New to Banking Technology – What Do I Need to Know?

I’m New to Banking Technology – What Do I Need to Know?

I’m New to Banking Technology – What Do I Need to Know?

The reality for the community banking industry is that often, institutions are limited in staff size, especially in IT. As a result, employees are sometimes placed in an IT role without any prior experience and they are forced to learn the “ins and outs” of information technology quickly to ensure that the institution stays in compliance and the IT environment is secure.

This can be a daunting task for a financial institution employee who’s been placed in an IT role for the first time. From our experience working with more than 600 community financial institutions, there are four key steps that someone who’s new to banking technology needs to know to quickly get up to speed on all things IT:

Step 1: Determine the Financial Institution’s Current State

When stepping into an IT role from another department, the first thing you must do is get a strong understanding of the current state of the institution and how the IT infrastructure is set up. Key questions include:

  • What does the IT infrastructure look like?
  • What technology is currently in place?
  • Is there hardware or software that is reaching end-of-life?
  • Are network schematics and data flow diagrams up to date and accurate?

Look at all the policies and procedures currently in place and understand what management has approved for the information technology program and how the environment is organized. It’s important to know exactly where the bank is from an IT perspective because without this knowledge you won’t be able to troubleshoot potential issues or plan strategically for where the financial institution needs to be to meet compliance guidelines.

Step 2: Review Vendor Relationships and Responsibilities

It is critical to know exactly who is responsible for each IT activity. Many community banks and credit unions use a variety of vendors, including core providers, cloud providers, managed services providers, and others. It’s important to understand which vendors are involved with all your hardware, software, and IT services and review the service level agreements (SLAs) which are typically found in the contract to be clear on what the vendor should be providing to the institution. This is crucial because if an issue arises you need to know if it is your responsibility to handle it internally or if you should reach out to a vendor for support. Make sure you are clear about what the institution’s vendors are responsible for, when to go to them for help, and which activities are your responsibility under the SLA.

Another key part of this role is vendor management. As a new IT admin, you have a shared responsibility for monitoring and managing the institution’s vendors and weighing the risks each one poses to the institution. To keep the network compliant and secure, you need to thoroughly evaluate potential vendors; identify critical vendors and services; implement an effective risk management process throughout the lifecycle of the vendor relationship, and report appropriately to senior management. Some key best practices include:

  • Developing plans that outline the institution’s strategy;
  • Identifying the inherent risks of the specific activity, and the residual, or remaining, risk after the application of controls;
  • Detailing how the institution selects, assesses, and oversees third-party providers;
  • Performing proper due diligence on all vendors;
  • Creating a contingency plan for terminating vendor relationships effectively; and
  • Producing clear documentation and reporting to meet all regulatory requirements.

Having a proactive plan in place will help you effectively manage vendors and have a clear understanding of the level of criticality and risk for each service provider. Properly vetting and managing vendors will reduce risk for the institution, while also ensuring compliance requirements are met successfully.

Step 3: Understand the Institution’s IT Organizational Structure

How IT roles are structured within a community bank or credit union varies by the institution, but many financial institutions have an IT administrator, information security officer (ISO), chief information officer (CIO), and an IT steering committee to support IT activities. It’s important to learn how the institution is set up and understand what the ISO and CIO are responsible for so you can work together to ensure the institution’s environment is operating securely and efficiently. It’s also important to make sure all ISO duties are separated from other IT roles at the institution to maintain compliance with FFIEC requirements.

At some point, every functional area of a bank or credit union touches IT in one way or another so understanding how every system, application, and functional area within the institution operates and relates back to IT enables you to help the staff by troubleshooting the different issues each department may experience.

Step 4. Review Recent Audits and Exams

Another way to determine the current state of the financial institution is to review all recent IT audits and exams. Determine if there were any findings or recommendations made by a regulatory agency and make sure that this has been addressed and remediated appropriately. With this information, you can tell if there are any current issues or pain points and start to make strategic plans or address specific issues as they arise.

Financial institutions are held accountable for FFIEC compliance and must manage regulatory activities including reporting effectively. New IT personnel should become familiar with FFIEC guidance and understand what is required to meet regulatory expectations and perform well on future audits and exams.

With these steps, new IT admins can gain a deeper understanding of information technology and what their key responsibilities are at the financial institution to ensure the community bank or credit union can successfully meet examiner expectations and keep operations running smoothly.

14 May 2020
Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Cloud technology has been driving efficiency and innovation across many industries for years and today, many community banks and credit unions are adopting cloud services for their IT operations.

In a recent webinar, Safe Systems presented an overview of cloud infrastructure and the key benefits to financial institutions. Here are a few points to keep in mind if you’re thinking about implementing cloud services:

Data Centers

Cloud service providers, like Microsoft Azure or Amazon Web Services, have some of the best data centers in the world, providing space, power, cooling, and physical security. You no longer have to worry about the management burdens of an on-premise solution or co-location when your servers and applications are hosted in a secure cloud environment.

Lifecycle Management

The cost of server hardware does not end with its purchase. There are hidden costs of tracking which assets are still healthy, supported, and under warranty. Replacing aging equipment every few years often requires a complex project that impacts availability and takes time away from meeting more important objectives. With cloud services, you can eliminate lifecycle management of your server equipment, enabling you to focus your effort on higher-value projects that drive your business.

Availability

When you adopt cloud services, the availability of your critical application infrastructure and data is the responsibility of the cloud provider. The major cloud providers are able to attract and retain the best talent in the world to keep systems healthy and secure. They deliver your services from a highly resilient network of multiple data centers, vastly reducing your dependency on any single datacenter.

Flexibility

  • Experimentation
  • If your goal is to develop a specialized project for your institution, a platform like Microsoft Azure has many different services to make it easy for you to test scenarios or try new ideas without investing in hardware or navigating the justification and purchase order process. You simply visit the website, turn on a resource, and experiment. Later, you’re able to turn it off with no further commitment.

  • Fast Turnup and Fast Turndown
  • Cloud services enable you to get up and running fairly quickly in this new environment. Instead of having to order hardware and wait for it to be shipped or spend time setting up the solution, you can go from having an idea to having the solution turned on literally within a few minutes. Fast turndown is equally important. When you no longer need the solution, you can simply turn it off, and more importantly, the billing ends as well.

  • Elasticity
  • The elasticity of cloud service means that you can add capacity when you need it and remove expense when you don’t. For periodic computing tasks, like month-end processes, extra computing power can be added to your cloud services and then removed after the job is complete. This is more cost-effective than building an infrastructure that is sized for the busiest day of the year.

  • Serverless Functions
  • Lastly, large cloud providers have many advanced functions that can provide community banks and credit unions with new capabilities like serverless computing. Some workloads that traditionally required a dedicated server, like a Microsoft SQL database, may be able to move into a serverless alternative like Azure SQL. This creates the opportunity to start reducing the quantity of Windows Server instances that need to be patched and maintained.

Cloud infrastructure allows community banks and credit unions to reduce servers, internal infrastructure, and applications that would typically have to be hosted on-premises, in addition to the associated support each one requires. It also enables you to experiment and find the right services that fit your institution’s corporate strategy and IT objectives.

To learn more about cloud services, including cloud-based disaster recovery, watch our webinar recording, “The Cloud: Recovery and Resiliency is Just a Click Away.”

01 May 2020
Combating Business Email Compromise and Protecting Your Remote Workforce

Combating Business Email Compromise and Protecting Your Remote Workforce

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

  1. Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
  2. Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

  • Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
  • DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
  • URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
  • Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

23 Apr 2020
Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”

02 Apr 2020
Microsoft’s LDAP Security Update and the Impact on Financial Institutions Today

Make It or Break It: Microsoft’s LDAP Security Update and the Impact on Financial Institutions Today

Microsoft’s LDAP Security Update and the Impact on Financial Institutions Today

In January 2020, Microsoft announced it would release a security update on Windows that by default enables LDAP channel binding and LDAP signing hardening changes for Active Directory. LDAP (Lightweight Directory Access Protocol) is an open and cross platform protocol used for directory services authentication. LDAP provides the communication language that applications use to communicate with other Windows active directory (AD) servers which stores users, groups and passwords for many systems on an organization’s network. LDAP is the middle communication layer between the active directory and your business applications and systems.

LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. However, there are a set of insecure default configurations for LDAP channel binding and LDAP signing on Active Directory domain controllers that let the LDAP communicate without enforcing secure LDAP channel binding and LDAP signing. Many organizations have not addressed this vulnerability by changing their default setting to make the LDAP more secure, so Microsoft is leading the charge to ensure network security for all users.

While originally slated for March 2020, Microsoft plans to release the update mid-year, giving organizations more time to proactively prepare for the change. This is because the patch will disable all insecure LDAP bindings, which has the potential to break many systems for several organizations. Financial institutions must look at their systems, determine insecure devices or applications, and fix them while there is still the option to switch back to the default setting.

The Problem

So why is Microsoft forcing this update on its users? The main concern is password protection. With Windows Server active directory, passwords are essentially allowed to be sent over the network in clear text (a non-TLS encrypted communication) by default. Microsoft’s patch is going to harden LDAP to essentially block the ability to send a password over the network using clear text. This is important because if a hacker is trying to intercept your organization’s passwords and encounters an insecure LDAP, they would be able to read the password and use this information to access your systems. LDAP needs to be hardened and changed from an insecure 0 to a secure 1 or 2 to ensure this doesn’t occur. When you harden LDAP, you’re improving the security posture of this protocol, so it has less vulnerabilities and less chances of being exploited.

Download Free PDFMoving Beyond Traditional Firewall Protection to Develop an Integrated  Security Ecosystem Get a Copy

Remember this is an “all or nothing” setting. You either make it secure or you don’t, but there are many consequences tied to the latter. Once this update is released, if you send a communication in clear text, the server will block it from being authenticated. If you are unable to send the communication securely by leveraging hardened LDAP, then it will likely break and no longer perform that function. This can affect any client, device, application, or system at your financial institution that interacts with the Windows server and needs to be authenticated (e.g., scanners that scan-to-folder or enumerate an address book.)

The Solution

So, what can you do to get ahead of this impending patch? Financial institutions can make this change early before the patch is released, by changing the registry setting forcing the LDAP to be more secure and causing everything that is going to break to break. Then they can change the setting back and fix whatever is broken. Again, the affected systems could be anything that authenticates with AD that uses the LDAP protocol. This is a process of trial and error and will require a lot of manual investigation to determine potential breaks.

A good place to start is to enable additional logging and collect all of your event logs and review the event IDs to see if you are affected. Start by looking for event ID 2889, 2886, and 2887 in your directory service log. If event ID 2886 is present, it indicates that LDAP signing is not being enforced by your domain controller. Event ID 2887 occurs every 24 hours and reports how many unsigned and clear text binds have occurred over the network. Then, event ID 2889 helps determine which IP addresses and accounts are making insecure LDAP channel binding requests so you can identify the correct devices and applications to fix. You can also review additional event IDs to gather more information or use a PowerShell command to help you track down insecure LDAP binding before the deadline later this year. If you have a managed services provider, they will be able to help you find the right solution.

27 Mar 2020
What Community Banks and Credit Unions Should Do to Combat COVID-19

Facing a Pandemic: What Community Banks and Credit Unions Should Do to Combat COVID-19

What Community Banks and Credit Unions Should Do to Combat COVID-19

As the Coronavirus pandemic continues to rise throughout the world, it is important for community banks and credit unions to effectively carry out their pandemic plans to stop the spread of the virus and implement alternative ways to serve customers or members during this critical time. Safe Systems held a webinar last week covering five things all community banks and credit unions need to do during a pandemic. In this blog, we’ll cover a few of the key points from the webinar.

  1. Pandemic Testing
  2. According to the Federal Financial Institution Examination Council (FFIEC) guidelines, financial institutions need to have a “testing program designed to validate the effectiveness of the facilities, systems, and procedures identified” in their business continuity plan. In a pandemic, it is the people who are affected more than the facilities, so your systems and processes become more impacted than anything else.

    A preventative program has to address:

    • Monitoring outbreaks
    • Educating and providing appropriate hygiene training and tools to employees
    • Communicating with customers and members
    • Coordinating with critical providers and suppliers

    With the pandemic already underway, it can feel counterproductive to conduct a pandemic test for your financial institution. However, we’ve found it’s never too late to test and improve your pandemic plan, even in the midst of a crisis. Make sure you are validating your succession plan and cross training measures by purposely excluding certain key individuals from actively participating in the testing exercises you conduct for your institution. During a pandemic, important individuals may not be in the branch or available every day, so it’s important that you test your plan to make sure the institution can still operate efficiently.

  3. Social Distancing
  4. Social distancing is a term that’s come out of this global pandemic to stop the spread of the virus. The Center for Disease Control (CDC) states that individuals should keep a six-foot minimum distance from others to limit the spread of the virus, but how does this impact the way your financial institution does business? Think of how your teller line, customer service areas, lending offices, etc. are set up. For these more personal, face-to-face interactions, it is important for you to change the location set up to ensure the 6-foot distance is achieved to protect both the customer and employee. Here are some tips from the American Bankers Association® to consider:

    • Require non-customer facing personnel work from home and try limiting interactions of personnel as much as possible in offices.
    • Have staff sign in when they arrive and leave.
    • Designate times for “at risk” customers (because of age or condition) to visit the lobby when no others are allowed.
    • Make loans or open new accounts by appointment only. When you close a lobby, designate one drive-thru for business customers and one for consumers, as their transactions are very different and differentiating the two can help speed transactions.
    • Keep your messaging positive. Don’t not use the word “Closed” on your door or website; instead use “Appointments Available.” Remind customers that banks are never truly closed, thanks to online and digital platforms that provide customers with 24/7 access to their accounts.

    We are posting tips, resources, and FAQs from ABA, FDIC, NCUA, and our own Safe Systems’ experts on the homepage of our website.

  5. Security in Social Distancing
  6. For employees that are able to work from home, providing resources for working outside of the institution is another great option to keep staff and the public protected. If your staff members are working from home, here are a few things to consider to ensure the institution maintains both security and productivity.

    • Do your employees have enough bandwidth at home?
    • Do you have a dedicated VPN device?
    • Do you have a firewall to allow this connection?
    • Can the firewall/device handle the number of devices actively connecting remotely at one time?
    • Do you have enough licenses (if needed) for each user to connect remotely?

    When your staff is working from home, you still must worry about security. You will need to decide how they connect to your network, what device they use, and how that device is secured. For instance, if you are allowing an employee to use their personal computer, then reference your remote access policy. It should include rules for the appropriate cyber hygiene of the remote device (patching, antimalware, etc.), and should be signed by the end-user. OpenDNS offers free security options for DNS lookups on home computers, which is also a good consideration should you need to update or create a home PC access policy and requirements. You may also require multi-factor authentication as an additional precaution to keep the network secure.

Financial institutions provide critical services to their communities and must be able to support customers and have alternate ways of doing business during a pandemic.

If you would like to gain more insights on COVID-19 and listen to a brief Q&A from our compliance team and information security officer, download our recorded webinar, “5 Things Community Banks and Credit Unions Need to do During a pandemic.”

 

Watch Recorded Webinar


 

As many community banks and credit unions are still formulating their responses to the pandemic, we’d like to collect and share what steps financial institutions are actively taking to protect employees and customers while maintaining business operations. Please take a few minutes to complete this survey and tell us how your institution is responding to the novel coronavirus (COVID-19) pandemic.

 

How are you responding to the Pandemic? Take the Quiz


 

10 Feb 2020
The Value of User Conferences For Banks and Credit Unions

The Value of User Conferences for Banks and Credit Unions

The Value of User Conferences For Banks and Credit Unions

As the financial services industry has become more technology-driven and more complex operationally, user conferences have become key events along with industry association conferences. By providing a venue for banking professionals to collaborate directly with their technology providers and other peer institutions, user conferences represent a proven way for banks and credit unions to extend the ROI of their technology investments. Examiners and auditors recognize the importance of participation in these events and many now expect attendance to gain industry knowledge and strengthen existing vendor relationships.

Regulatory Expectations – Vendor Management

Examiners are increasingly focused on how a financial institution manages their vendors. According to the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, “User groups are another mechanism financial institutions can use to monitor and influence their service provider. User groups can participate and influence service provider testing (i.e., security, disaster recovery, and systems) as well as promote client issues. Independent user groups can monitor and influence a service provider better than its individual clients. Collectively, the group will constitute a significant portion of the service provider’s business. User groups offer advantages to both the service provider and the serviced institution by allowing customers to discuss and prioritize their concerns…service providers should obtain customer feedback though user groups or customer surveys.”

In addition to effective vendor management requirements, the FFIEC also requires employees of financial institutions to participate in ongoing education and technical expertise to remain in compliance.

Educational Benefits of a Users’ Conference

Regulatory and compliance issues aside, user conferences offer a host of benefits to participating banks and credit unions, such as:

Classroom Training

Well-designed webinars or online training sessions are great resources, but focused, in-person learning, and networking allows attendees to remain current on the latest technology solutions and enhancements, industry developments, and specific products and functionality that your vendor is working on. The opportunity to learn first-hand from industry and subject matter experts, as well as share your own experiences and expertise, really should not be underestimated.
User conference learning opportunities often consist of:

  • Basic and advanced workshops or sessions
  • Issue-focused roundtable discussions
  • Networking opportunities with peers
  • Software demonstrations
  • Professional development courses
  • Hands-on training and consultations with vendors

Best Practices

Many find the greatest value in user conference participation through peer discussions and open Q&A sessions on best practices. These sessions give customers access to some of the best information and insight on how other institutions are utilizing the vendor’s solutions to solve problems and drive efficiencies and profitability.

Networking

We know from experience that peer groups serve as the perfect environment to share and exchange ideas, concerns, successes and failures tied to the industry. Many community banks and credit unions share the same worries about technology, compliance, security, and business issues. These events provide a venue for you to hear others’ experiences and tap into their knowledge, providing you the opportunity to make industry friends and gain a trusted group of individuals you can rely on in the future.

The Safe Systems National Customer User Conference, NetConnect™, is less than a month away. This event will bring Safe Systems’ employees and strategic partners together with a variety of banking professionals representing technology, compliance, operations and management roles.

We understand the value of user conferences and we use that opportunity to meet with a selection of customers (Customer Advisory Board) to discuss existing and new products and services that will meet their future business goals.

If you’ve never been to a user conference, don’t take our word for it. Here’s what a few of our customers have said:

“Every time I attend, I come away with knowledge and information that can help me do a better job in my organization.”
“It was good to hear feedback from other bankers about Safe Systems as well as make connections and contacts.”
“This is the best opportunity to get a pulse on exactly what’s happening in the IT Banker’s world.”
09 Jan 2020
Top Bank Technology, Security, and Compliance Concerns in 2020

Less Worrying. More Banking.™ Top Banking Technology, Security, and Compliance Concerns in 2020

Top Banking Technology, Security, and Compliance Concerns in 2020

The constant evolution of technology, the ever-changing compliance landscape, and increased security threats have fundamentally changed the way financial institutions operate today and the key concerns they are facing on a daily basis. In our 26 years of experience serving the community banking industry, we have not seen a more difficult landscape for our clients to navigate.

The risks associated with security, compliance and technology have never been more challenging than they are today. As the responsibilities of community financial institutions continue to grow and evolve, it is not uncommon to worry about limited resources, keeping up with new technologies, or simply maintaining a competitive advantage in the industry. We believe that all financial institutions, regardless of size and location, should be able to leverage the best technology solutions available so they can focus on serving the financial needs of their communities. It is our mission to provide peace of mind and value for our customers in these areas so banking professionals can get back to doing what they do best and spend less time worrying.

Through the years we have developed and offered compliance centric IT services designed exclusively for community banks and credit unions, ensuring that they are kept up to date on the current technologies, security risks, regulatory changes, and FFIEC guidelines. We strive to listen to our customers to ensure our solutions continue to support the changing needs of the industry and meet their expectations in addressing key concerns. We recently surveyed a group of our community bank and credit union customers to gain a better understanding of the top worries and concerns they have for 2020 as they relate to technology, compliance and security. Through that survey we uncovered the following:

Technology Challenges

Financial institutions of all sizes continue to depend on their IT network infrastructure and technology solutions for nearly all functions of the institution, which makes it crucial that all solutions work efficiently. While community banks and credit unions have been utilizing technology for quite some time now, they continue to face certain technology challenges heading into 2020. According to survey respondents, the expense of technology solutions, keeping up with rapid changes, and truly understanding the technology solutions are top concerns. In addition, many continue to struggle with network management and connectivity, patch management, and training employees on IT solutions.

Compliance

While banks and credit unions have adjusted to the frequent and strenuous regulatory reviews, they continue to struggle with meeting examiner expectations across critical areas such as vendor management, business continuity planning, and risk management and assessment. In addition, many struggle with adequately defining the requirements of the Information Security Officer (ISO), as this role has become more involved and the expertise needed has grown. The ISO has one of the most crucial roles in a financial institution. In fact, it is one of the few positions that are required by guidance. The FFIEC covers various issues related to information security in great detail, including the expectations and requirements for the ISO. According to the FFIEC IT Examination Handbook’s Information Security booklet, financial institutions should have at least one person who is dedicated to serving as an in-house ISO.

Security

Over the past several years, the industry has been impacted by a marked increase in data breaches, ransomware, card fraud and other malicious attacks. Additionally, an increase in devices connected to networks has made it critical for financial institutions to strengthen their security strategies and policies and ensure all systems are up to date and able to effectively combat today’s threats. Cybersecurity-related attacks on the financial sector continue to increase at an alarming rate, making cybersecurity a top area of concern for financial institutions. Additional areas of concern include ransomware, phishing, malware, disaster recovery, and network security.

Managing these challenges alone can be a daunting task to undertake. As a trusted resource for financial IT and regulatory support, Safe Systems is here to serve as a true extension of your team, providing you with access to technology professionals who are specifically trained in the banking industry. Safe Systems offers cost effective solutions such as IT support and managed services, internal network/cloud design and installation, hosted email, business continuity and disaster recovery, compliance consulting, security services, and IT and compliance training. Our services help financial institutions significantly decrease costs, increase performance, and improve compliance posture.

Let us help you get back to what you do best. Less worrying. More banking.™

 
12 Dec 2019
Five Ways Strategic Advisors Help Community Banks and Credit Unions Improve IT Planning

5 Ways Strategic Advisors Help Community Banks and Credit Unions Improve IT Planning

Five Ways Strategic Advisors Help Community Banks and Credit Unions Improve IT Planning

The day-to-day responsibilities of managing the IT network administration, compliance efforts, and security measures for a community financial institution have grown to be a cumbersome, challenging, and often inefficient process. It is likely that there is not enough people and resources on the team to manage the multiple solutions and responsibilities.

To help combat the limited staff issue, many community banks and credit unions turn to managed services providers that have strategic advisors who act as facilitators and trusted partners to guide technology committees and provide tools to address financial regulatory governance. These advisors have a wealth of banking IT expertise and are knowledgeable regarding regulatory and industry issues faced by financial institutions today. They also serve as a convenient, single point of contact within the managed service provider, and assist by performing the following tasks:

    Get a CopyTop 3 IT Management Worries for CEOs in Banking Get a Copy

  1. Attend Technology Steering Committee Meetings
  2. Participating in regular steering committee meetings enables the strategic advisor to interact with decision makers and help with deliberation, consideration, and recommendations on IT-related issues. They can help mitigate potential risks that are often overlooked while sharing the knowledge and insight needed to help move the financial institution in a positive direction.

  3. Assist with Strategic IT planning
  4. Strategic advisors have a wealth of knowledge and insight into not only the banking and financial services arena, but the IT solutions needed for a financial institution to be successful. They help banks and credit unions develop a comprehensive plan to ensure the institution is implementing and utilizing the solutions necessary to meet its goals.

  5. Facilitate Responses to Pre-exam IT Questionnaires
  6. The exam process has become a time-consuming endeavor. At the beginning of the exam process, the examiner typically sends a list of items they want to review; certain areas they plan to examine; and items they plan to discuss. This normally includes a list of questions the financial institution must prepare ahead of the review. The strategic advisor works with the bank or credit union to complete the questions to meet examiner expectations.

  7. Provide Updates on Current Trends in Compliance, Technology, and Security
  8. The advancement of technology, online banking services, compliance, and regulatory requirements, have made the business of banking more challenging. Strategic advisors provide knowledge and information to help banks and credit unions stay abreast of all the updates and trends in the industry.

  9. Quarterly System Reviews and Assessments
  10. Performing regular assessments helps the financial institution ensure all things related to IT network technology controls are working and up to date. It also serves as time for the strategic advisor to educate bank personnel on new or changing government regulations and expectations. This helps community banks and credit unions to remain in compliance and be better prepared for audits and exams.

With this type of guidance, financial institutions can gain deeper technology insights and enhance strategic IT planning. Strategic advisors act as an extension of the internal team while helping guide and advise the bank or credit union on initiatives that ensure success today and into the future.

05 Dec 2019
How to Maintain Bank Compliance and Security During the Holiday Season

How to Maintain Bank Compliance and Security During the Holiday Season

How to Maintain Bank Compliance and Security During the Holiday Season

The holiday season is in full swing, which means many employees are heading out of the office to enjoy some vacation time. However, just because it’s the holiday season, it doesn’t mean that cybercriminals are taking time off. Cybersecurity attacks continue to increase and are becoming more sophisticated. Institutions are expected to maintain bank compliance with regulatory guidelines and ensure all technology assets are working properly so operations continue to run smoothly during the holidays.

This can be a challenging time for many community banks and credit unions that have a small staff and rely on key individuals to make sure all activities related to technology, compliance, security, and regulatory requirements are taken care of. Today’s community financial institution relies on the IT department to maintain its hardware and software and to ensure all systems are available when needed. The department is also responsible for monitoring an array of ongoing IT concerns like anti-malware, cybersecurity issues, service-related touch points, compliance updates, and email security, to name just a few. So, what happens when the people responsible for these crucial aspects of the institution go on vacation?

Partner Up

Many financial institutions are turning to an industry-specific managed services provider to act as an extension of their organization and help augment internal technology and compliance resources and responsibilities. The right managed services provider, who is familiar with the banking industry, can serve as a true partner and work alongside current staff to provide timely support, and manage the technology, security, and regulatory compliance aspects for the institution.

A managed services provider can help automate and manage many of the administrative functions that normally fall to the technology or compliance department, making it less daunting for employees to get away. In addition, while this not only saves time and improves efficiencies, it also helps the bank or credit union extend its support hours beyond the traditional 9 to 5 retail hours, which is key for IT departments with limited staff.

Managing IT resources, bank compliance-related issues and combatting cybercrime are some of the greatest challenges and concerns for financial institutions today. When IT and security staff are out or unavailable, outsourcing these processes helps fill the personnel gap and provides added stability for the institution and peace of mind to all.


What To Do When Your Bank's IT Administrator Leaves

What To Do When Your Bank’s IT Administrator Leaves (Checklist)

07 Nov 2019
How CEOs Can Ensure Continuity In their Bank or Credit Union With Network Management

How CEOs Can Ensure Continuity in their Bank or Credit Union with Network Management

How CEOs Can Ensure Continuity In their Bank or Credit Union With Network Management

The role of a community bank or credit union CEO has become increasingly complex with responsibilities including oversight of all operations and procedures—no small task in light of today’s rapidly changing technology and security landscape, evolving compliance, and shifts in consumer behavior when selecting a banking partner. Given this, many CEOs are struggling to ensure continuity in this environment, especially working with limited resources and increased employee turnover.

An effective way to do this is to partner with a managed services provider that has a comprehensive network management solution designed specifically for community banks and credit unions to provide expertise, services, IT support and add to the existing internal knowledge bases.

Sustaining Personnel Continuity

The reality is that today, community banks and credit unions must address succession planning, especially as it relates to their IT department. CEOs are tasked with thinking about and planning for redundancy to counter the consequences of key staff leaving and taking that knowledge-base with them—and away from the institution. But true continuity is not limited to a single employee resigning; there needs to be a continuity plan in place to account for when employees take vacation, are out sick, are on short-term disability, or are on maternity leave. Regardless of the situation, a managed services provider can help minimize uncertainty, prevent unnecessary stress, and assure continuity by acting as an extension of a bank or credit union and helping to augment internal IT resources.

Ensuring Technology Continuity

Get a CopyTop 3 IT Management Worries for CEOs in Banking Get a Copy

In addition to human capital, technology continuity is a key component of a community financial institution’s success. The advancement of technology, online banking services, compliance, and regulatory requirements, plus the growing demand from customers and members to have 24/7 access to their financial lives, has made the business of banking that much more challenging as it has become more IT-focused. This has made it crucial for banks and credit unions to have a proven technology program and framework in place to ensure that operations continually run smoothly.

Working with a provider who offers IT network management solutions exclusively tailored for the community banking industry provides a level of continuity and expertise that can otherwise be difficult to maintain internally on a long-term basis. Doing so ensures that the financial institution’s network is properly adhering to its operational, security, and compliance policies and procedures.

Continued Adherence to Government Regulations and Compliance

The burden of understanding how an ever-growing list of regulations applies to IT operations is shared across the organization. This pressure can be alleviated by an outsourced provider that truly understands the industry and is able to help institutions better manage their processes in a compliant manner. Taking a proactive approach to network management, for example, gives community banks and credit unions the ability to better stay ahead of new and pending regulatory requirements while effectively managing costs through limited resources.

Change is inevitable for any institution. However, having the ability to withstand change and still meet (or better yet, exceed) customer and member demands and expectations in spite of personnel turnover, natural disasters, technology struggles, etc. is key in today’s marketplace. An experienced managed services provider that offers a comprehensive network management system can go a long way toward ensuring continuity.

31 Oct 2019
IT, Compliance, Security and Personnel Challenges That De Novos Face

IT, Compliance, Security and Personnel Challenges That De Novos Face

IT, Compliance, Security and Personnel Challenges That De Novos Face

While the economy is making way for startups, there are still significant challenges to starting a bank from scratch. In addition to the overall challenging environment for community banks and the need to raise significant capital and funding, De Novos face additional obstacles such as complex regulatory and compliance expectations, strict information security requirements, and the stress of finding qualified staff in continuously evolving IT landscape.

People

Download PDFSuccess Story: American Pride Bank Get a Copy

Attracting and retaining the right people is one of the most daunting steps in launching a De Novo, particularly because early on, everyone needs to be very hands-on and wear multiple hats. Hiring the right personnel takes time and resources and can force executives who are trying to secure funding and capital for opening the bank to redirect their attention. All of this makes staffing and the development of in-house expertise significant pain points for De Novos to manage.

Technology

The advancement of information technology, security, compliance, and regulatory expectations and online banking services—plus the growing demand from customers to have 24/7 access to their financial lives—have changed the business of banking. Today, bankers have expanded their focus to include management of data, IT networks, compliance requirements, and security, in addition to their traditional roles of managing money and providing loans for their customers. Because technology has become central to the operations of banks, De Novos must quickly establish a proven technology program and framework to ensure that their operations run smoothly both at launch and ongoing. Even with the latest technology, however, the challenge often lies in trying to keep pace with the rapid rate of change that continues to impact their institution.

Information Security

From day one, De Novos must establish a strong information security posture to counter the increasing frequency of cyberattacks in today’s business environment. While falling victim to security breaches and associated attacks is costly for any community bank, both from a financial and reputational standpoint, it is especially harmful to new banks that are working hard to establish trust among its new customers and the community. Furthermore, successfully recovering from the damage and destruction of data, theft of personal and financial data, and disruption to the normal business operations can exceed a De Novo’s financial resources.

Compliance

Get a CopyTop 3 IT Management Worries for CEOs in Banking Get a Copy

Regulators have historically been more stringent in ensuring that De Novos are in compliance with, and adhering to, expectations. As an example, the FDIC’s InTREx program (Information Technology Risk Examination) is designed to provide a more uniform and less subjective examination experience—one that requires a deeper analysis by the examiner and in turn puts a greater compliance burden on the bank. Proper documentation will often make the difference between a “satisfactory” and a “less than satisfactory” assessment. This means that institutions must be adequately prepared to meet examiner expectations. In addition to proving that the bank has enough capital to operate, they must also prove they, with all applicable laws, regulations, and supervisory policies. De Novos have found managing regulatory compliance efforts to be a resource-consuming and expensive task.

Today’s complex regulations, increased use of technology, personnel restraints, and security expectations, are forcing De Novos to find new ways to manage risk, remain compliant, and be competitive in today’s environment. Under these mounting pressures, De Novos are increasingly turning to managed service providers to help bear the burden and establish a framework to meet these challenges. Such partners bring knowledge, additional resources and expertise to help financial institutions better control and more successfully manage their complex IT environments – positioning them to operate in today’s financial services arena with a greater degree of confidence and success.

24 Oct 2019
Reducing Risk for CEOs

Reducing Risk: Top 4 Things CEOs Can do to Reduce Risk in their Bank or Credit Union

Reducing Risk for CEOs

The role of a community bank and credit union CEO has expanded and now requires a much deeper understanding of technology issues, risks, and regulatory requirements. CEOs are ultimately responsible for the health of the institution, which requires effective oversight of all operations and procedures and ensuring the institution is efficiently managing and reducing risk.

Many risk events arise from preventable mistakes, including: the right security layers not being in place; flaws in transaction processing; flaws in IT solutions and processes; security breaches; and/or outright fraudulent acts.
The CEO is ultimately responsible for ensuring the institution manages and combats these risks. Some key things CEOs can do or implement to reduce risk include:

  • Attract and Retain Skilled Staff

The CEO must make sure that the staff has the knowledge to ensure the institution is both compliant and competitive in today’s market. Employees must understand the ever-growing complexity of regulations as they relate to IT operations and ensure the institution remains compliant with continuously changing regulatory requirements and is up-to-date with evolving technology to meet customer and member demands and expectations.

  • Implement Information Security Procedures

Get a CopyTop 3 IT Management Worries for CEOs in Banking Get a Copy

The CEO must ensure proper technologies and solutions to thwart viruses, spyware, and other harmful threats are installed. This entails overseeing the creation of enforceable policies and processes to both educate employees and protect the institution’s computer infrastructure, networks, and data. Cybersecurity represents a large component of the risk prevention strategy. Ensuring security defenses fit closely with the institution’s long-term goals as well as support the IT and compliance strategies is vital to not only the health of the organization but also in remaining compliant with current regulations.

  • Understand Compliance and Regulatory Expectations

Regulators now pay more attention to issues around governance, security, and IT solutions than they have in the past, and they have made clear that it is on CEOs to make sure that the institution is adequately protecting customer or member data, are aware of the institution’s operations, and are following all FFIEC and Gramm-Leach-Bliley Act (GLBA) requirements. The CEO must evaluate risk assessment efforts and security initiatives and establish policies regarding the management of key compliance and consumer risks to ensure the organization adheres to the correct policies.

  • Partner with the Right Managed Services Provider

More and more community financial institutions are turning to third-party providers for expertise, services, and IT support. Working with a provider who offers solutions exclusively tailored for community banks and credit unions ensures the institution’s network adheres to its operational, security, and compliance policies and procedures. Partnering with the right managed service provider can also help eliminate redundant resources, reduce existing fixed costs by maximizing capacity and leveraging economies of scale, and can add to existing internal knowledge bases.

CEOs of community financial institutions are continuously looking for ways to more efficiently and effectively manage risk. As a result, they are increasingly recognizing that partnering with a managed service provider that offers a comprehensive network management system, designed specifically for the financial services industry, helps them not only better manage their responsibilities and streamline processes, but reduces their regulatory risks as well.

To gain more insight into how CEOs can reduce risk, as well as other IT management issues for CEOs to be aware of, download our white paper, Top 3 IT Management Worries for CEOs in Banking.

17 Oct 2019
Morris Bank Experiences Growth with the Help of Safe Systems’ Network Management Solution

Morris Bank Experiences Growth with the Help of Safe Systems’ Network Management Solution

Morris Bank Experiences Growth with the Help of Safe Systems’ Network Management Solution

In today’s fast-paced, technology driven environment, managing community banks’ IT operations and networks have become a very time-consuming process to execute, especially for financial institutions looking to achieve strong growth, increase acquisitions, and build brand new institutions for their communities. The number of patch updates, reporting requirements, network troubleshooting, and regulatory compliance responsibilities are cumbersome for many IT professionals to handle while also working to keep bank operations running efficiently and seamlessly in various branches and locations.

Creating an Environment for Growth

Many community banks set out to build the best institutions for their communities, and when they’re successful, the next logical step is to expand. Morris Bank, headquartered in Dublin, Georgia, was on a mission to grow by offering more services, more locations, and more opportunities for their customers to thrive. A major challenge for banks that take on this task is ensuring IT operations are implemented and managed effectively, especially during these periods of growth and change, and that the institution is compliant with all regulatory requirements.

Larry Schenck, IT Officer at Morris Bank, realized the bank was already engaged with a provider that could help him more efficiently manage and meet the growing IT needs of the institution. Morris Bank has been a Safe Systems customer for 15 years. Schenck knew that they understood the demands of the banking industry and could adequately support the bank’s IT and compliance requirements. After careful consideration, Morris Bank decided to implement Safe Systems’ NetComply® One IT network management solution in 2016.

As a community bank with limited staff and branches in several locations, Morris Bank relies heavily on third-party providers, such as Safe Systems, to offer new opportunities to streamline processes. NetComply One helps Morris Bank efficiently manage all important network tasks including automated patch management, network monitoring, qualified alerting, and detailed reporting for examiners. Since the bank implemented Safe Systems to manage its IT network, the IT team has been able to focus on more revenue-generating opportunities and market expansions that have led to great successes for the bank.

“Our vendors play a key part in our success as well, and working with Safe Systems has helped us to simplify IT processes, meet compliance guidelines, and provide continuity for our internal team and our community as a whole.”

The last 10 years brought on a lot of change and growth for Morris Bank. The bank grew its total assets from roughly $180 million to $980 million and added seven locations to equal nine branches throughout Middle and South Georgia in Dublin, Gray, Gordon, Warner Robins, Statesboro, and Brooklet. The bank was able to grow so successfully by not only acquiring other smaller banks and their assets but also by opening branches in desirable locations. In fact, after being opened only two-years, the branch in Gray was the fastest growing bank branch in the state of Georgia.

“At Morris Bank, we have a great management team and an amazing staff that enable us to keep growing and continue to provide great service to our customers,” said Schenck. “Our vendors play a key part in our success as well, and working with Safe Systems has helped us to simplify IT processes, meet compliance guidelines, and provide continuity for our internal team and our community as a whole.”

Overcoming Challenges with Network Management

Acquiring banks and branches is a complex process, especially in terms of IT integration. All equipment and systems must be brought onto the same network and operate through the same infrastructure. Compatibility is not always easy, and often, the larger the bank or branch being acquired, the more complicated the task.

One of the bank’s recent acquisitions included three branches with 40 employees; more than 40 workstations; several servers; and additional devices and systems that needed to be set up on the network. First, all systems and devices must be tested for updated patches and antivirus. While this can be a cumbersome task, Safe Systems’ network management system enabled the bank to efficiently manage and complete the process. “Onboarding new machines and getting all systems set up on the network is a challenging task during an acquisition,” said Schenck. “With the reporting NetComply One offers, we can easily see which machines need updates, remedy any issues and have more visibility into the network to efficiently manage integrations.”

In addition to the reporting from NetComply One, Morris Bank relies on Safe Systems’ Strategic Advisors to help them navigate the processes needed to complete integrations. With the knowledge the advisors provide, the bank has been able to complete the challenging tasks of ensuring all systems are working in a compliant manner and all branches are running efficiently.

The patch management component of NetComply One has also been very important for Morris Bank. The bank has approximately 250 computers to manage and keep up to date with patches, which is critical to information security and combating cyber threats. “While Safe Systems manages and provides the patches, they are also very careful to not just arbitrarily patch machines and equipment without proper testing,” says Schenck. “Safe Systems tests each patch to ensure it will work with our current systems and ensure no holes will be left for hackers to exploit.”

Building a Strong Partnership

Morris Bank relies on a number of vendors to offer its customers key products and services that give them more convenience and control. Over the years, they have added additional Safe Systems services, including their Vendor Management solution. This solution enables a more efficient risk assessment and due diligence process, as well as provides the ability to proactively manage vendor renewals, centralize all important documents, and have detailed information to share with auditors, examiners, senior management, and the Board.

“Regulators are more closely scrutinizing the vendor management process within banks, and with Safe Systems’ vendor management solution, we are able to easily provide the proper documentation to examiners in an efficient manner,” said Schenck.

I worry less and sleep better at night knowing we have Safe Systems’ solutions running in our bank.”

Through its partnership with Safe Systems, Morris Bank has been able to expand its reach in all areas of technology, compliance, and security. The bank receives positive feedback from regulators on its network management and vendor management programs and has enhanced its compliance posture.

“Through the years, Safe Systems has been a valuable and trusted partner to our bank,” said Schenck. “The solutions Safe Systems provide enable us to give our customers a better banking experience as well as a more efficient work environment for our employees. I worry less and sleep better at night knowing we have Safe Systems’ solutions running in our bank.”

Free White Paper

The New Era of RegTech

Building Compliance into Your Financial Institution’s Processes
Why Reasons Why Antivirus Isn't Enough Anymore

10 Oct 2019
5 Things Community Banks and Credit Unions Should Budget for in 2020

5 Things Community Banks and Credit Unions Should Budget for in 2020

5 Things Community Banks and Credit Unions Should Budget for in 2020

The final months of the year signal the beginning of many traditions. For community banks and credit unions, the Fall marks the start of budget season. Financial institutions use this time to assess the year’s performance, make necessary adjustments—or full upgrades—for 2020 and beyond.

As you know, technology and security are constantly evolving, and compliance continues to be a moving target, so it’s time to consider important areas your institution needs to budget for in the next year. To ensure that your institution heads into 2020 on an upward trajectory, here are five key items to include on your list.

  1. Hardware
  2. Every year hardware should be evaluated to see if it is under warranty; in good working condition; and that the operating system hasn’t reached end of life.

    Two dates to be aware of:

    • SQL Server 2008 R2 reached end of life on 7/9/2019
    • Windows Server 2008 and 2008 R2 reach end of life on January 14, 2020

    These items will need to be upgraded or replaced as soon as possible with supported software. If the decision is to replace a server based on these products being end of life, there are options to consider as covered in number 2 in this article.

  3. Cloud vs. In-house Infrastructure
  4. Free eBookEverything You Need to Know About the Cloud Get a Copy

    Moving internal infrastructure out of the office is the new trend. This move feels similar to the move to virtualization, in that everyone agrees this is the next logical step in the evolution of computing. You should be asking the same question about cloud infrastructure as you did about virtualization—when is the right time for your institution to make the move and what are the pros and cons of this move? When the time comes to replace pieces of your infrastructure, start to gather information about the benefits of moving to the cloud and the costs associated with it. Remember, each server has both direct and indirect costs.

    Direct:

    • Server Hardware
    • Warranty
    • Software

    Indirect:

    • Electricity
    • Cooling
    • Storage/physical space
    • Maintenance
    • Backup
    • Disaster Recovery

    Each year as hardware becomes outdated and needs to be replaced, evaluate whether moving that server to the Cloud makes sense. Be sure that the functions of the server can be accomplished in a cloud environment. Once a presence in the cloud is established, future growth and changes become much easier and quicker.

  5. Firewalls
  6. Download Free PDFMoving Beyond Traditional Firewall Protection to Develop an Integrated  Security Ecosystem Get a Copy

    Firewalls continue to evolve as network and cybersecurity threats evolve and change. Ten years ago, adding intrusion prevention systems (IPS) to firewalls became commonplace in the industry. Now there are a host of new features that can be added to your firewall to improve your institution’s security posture. Many of these fall under products using the term next-gen firewalls. A few key features to consider include:

    • Secure Sockets Layer, or SSL, is the industry standard for transmitting secure data over the internet. The good news is most websites on the internet now use SSL to secure the traffic between the PC and the website. The bad news is, your firewall may be protecting your institution from fewer sites than ever before. Google researchers found that 85% of the websites visited by people using the Chrome browser are sites encrypted with SSL. This means that for many firewalls, 85% of web traffic cannot be inspected by the firewall. Many firewalls can perform SSL inspection but may require a model with more capacity; a new license to activate the feature; and configuration changes to enable this feature to work.
    • Sandbox analysis is a security mechanism used to analyze suspect data and execute it in a sandbox environment to evaluate its behavior. This is a great feature to introduce to your infrastructure because it provides more testing and insight into the data coming into your institution.
    • Threat intelligence feeds (like FS ISAC), built-in network automation, and correlation alerting are also important features that can help you keep track of emerging security threats; automate key processes; and improve your institution’s cybersecurity posture.

    Consider enhancing your firewall features or upgrading to a next-gen firewall to ensure the traffic traversing your firewall is truly being evaluated and inspected.

  7. Virtual Information Security Officer (VISO)
  8. A newer service that has grown in popularity over the last year is the Virtual ISO or VISO role. While services like this have been available for a while, this is the first year we have heard so much talk from community financial institutions. As the job of Information Security Officer (ISO) has become more involved the expertise needed has grown as well. These VISO services offer a way to supplement the internal staff with external expertise to accomplish the tasks of the ISO. Budgeting for a service like this becomes critical if one of the following is true:

    • No one else in the institution has the needed knowledge base and finding this knowledge set in your area is difficult or expensive;
    • Your current ISO does not have a background in the field or is wearing too many hats to do it well;
    • Your current ISO is likely to retire or leave due to predictable life change events; or
    • The role of ISO and Network Administrator or other IT personnel do not provide adequate separation of duties at the institution.

  9. Disaster Recovery (DR)
  10. Many institutions do not have a fully actionable or testable disaster recovery process. A verified DR process is a critical element of meeting business continuity planning (BCP) requirements. Therefore, this can be a significant reputational risk for the financial institution, if not done correctly. If your institution hasn’t completed a thorough and successful DR test in the last 12 months, it is time to evaluate your current DR process. Using a managed site recovery service can ensure you have the proper technology and support to thoroughly test your DR plan and recover quickly in the event of a disaster.

    Budget season is a time to address needs and wants, but also a time to seek improvement or evaluate key changes for the new year and beyond. For example, moving your infrastructure to the cloud may not make sense for the coming year, but the insight gained by evaluating it this budget season improves your knowledge-base for when it is time to make that decision. As we conclude 2019, we hope these insights position your institution for a productive budget season and a successful 2020.

26 Sep 2019
2019 Threat Outlook

2019 Threat Outlook – Business Email Compromise Continues to Threaten Banks and Credit Unions

2019 Threat Outlook

Today, cybersecurity threats are ubiquitous. Cyber attackers are infiltrating email systems, computer networks and anywhere else they can find weaknesses to exploit. They’re using a variety of schemes to steal data, money and other assets—and tarnish corporate reputations.

Financial institutions are prime targets for cyber criminals, which is why cybersecurity must be a top priority. In 2018 alone, more than 500 security incidents affected financial and insurance organizations—with almost 25 percent having confirmed data disclosure, according to the Verizon Data Breach Investigations Report.

In addition, the costs to remedy the damage from cybercrime is higher than ever, and still growing. Now, the average cost of cybercrime for an organization is $13.0 million, up from $1.4 million in 2017, according to Accenture’s 2019 Cost of Cybercrime Study.

The Rise of Business Email Compromise

New call-to-actionTop IT Areas Where CEOs Should Focus to Enhance Cybersecurity Posture  Get a Copy

Not only are cyber threats rampant, but they’re becoming more devious and complex. For example, business email compromise (BEC) is one of the top threat vectors for 2019. BEC is a sophisticated type of phishing scam that’s perpetrated through five main scenarios, according to the FBI’s Internet Crime Complaint Center (IC3). Often, BEC scammers pretend to be a foreign supplier and attempt to trick employees into wiring funds for outstanding invoices into their bank account. In another common BEC scam, attackers impersonate a high-level executive, such as a CIO, CEO, or CFO, to try to deceive employees into wiring money.

However, BEC doesn’t always entail requesting wire transfers. More recently, BEC has involved data theft—the receipt of fraudulent emails asking for either wage or tax statement forms or a company list of personally identifiable information (PII). Regardless of the scenario, the business executive’s email is compromised, either by hacking (normally through a personal email account) or spoofing (altering the sender’s information to mimic a legitimate email request).

Like other cybercrimes, BEC continues to evolve and is rapidly expanding. The scam has been reported by victims in all 50 states and in 100 countries, according to IC3. Many BEC complaints have involved businesses and associated personnel using open source email accounts; the phrases “code to admin expenses” or “urgent wire transfer;” requested dollar amounts that are similar to normal business transaction amounts; and IP addresses that frequently trace back to free domain registrars.

Strengthen Cybersecurity Processes

Financial institutions and other organizations can protect themselves from BEC by implementing robust internal prevention techniques at all levels, particularly with front-line employees who are more likely to receive initial phishing emails. Some institutions are reducing BEC-related fraud by simply holding customer requests for international wire transfers for an additional time period to verify the legitimacy of the request. Other IC3-recommended strategies for strengthening bank cybersecurity against BEC include:

  • Avoid free web-based e-mail accounts;
  • Be careful about what is posted to social media and company websites (especially job duties/descriptions, hierarchal information, and out of office details);
  • Be suspicious of requests for secrecy or pressure to take action quickly;
  • Consider using additional IT and bank cybersecurity procedures, including a two-step verification process;
  • Beware of sudden changes in business practices, such as being asked to contact a business associate through a personal email instead of company email address; and
  • Provide security awareness training to all employees.

Regardless of the threat outlook for BEC and other cyber-attacks, financial institutions must have effective tactics for safeguarding their customer information, infrastructure and operations. This necessitates meeting regulatory and industry compliance standards for collecting, protecting and using private financial data.

To gain more insight into this area, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.

 
 
23 Sep 2019
The Dangers Financial Institutions Face with a DIY Approach to Disaster Recovery

The Dangers Financial Institutions Face with a DIY Approach to Disaster Recovery

The Dangers Financial Institutions Face with a DIY Approach to Disaster Recovery

Disaster recovery planning is an essential aspect of protecting a financial institution’s data, infrastructure, and overall business operations. It encompasses restoring access to the information technology systems and other resources that organizations need to resume critical business functions. This includes everything from networks, servers, and computers to software applications, data, and connectivity (fiber, cable, or wireless).

Without all the necessary system components in place, financial institutions will not be able to access critical files and applications and function effectively during a disaster situation. This can result in significant losses in employee productivity, business and, ultimately, public trust. Given all the looming threats—natural disasters, fires, floods, power outages, hardware failures, or plain human error—a do-it-yourself (DIY) approach to disaster recovery can be dangerous for banks and credit unions.

A DIY approach to disaster recovery is when a financial institution performs or puts together a disaster recovery solution in-house and all hardware and software that is required must be implemented by an IT staff member. While this can be costly depending on the amount of resources an organization needs to restore and maintain their environment, it is also a technical and time-consuming process, which can be a burden for institutions with limited IT staff.

So Much at Stake

Most DIY disaster recovery solutions involve multiple technologies along with automation, scripting, and well-documented procedures. These components and processes can be difficult for a static IT environment to manage, and technology continues to change and evolve, adding an extra layer of complication to the process. A DIY approach requires in-house resources to be available, and in the case of a disaster, communications may be limited, or the employees may be caught in the disaster themselves and unable to respond.

Testing is an important component of disaster recovery to ensure the institution can recover quickly and meet its unique Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). However, DIY disaster recovery solutions are often difficult to test because few IT departments are equipped to do a full outage simulation with complete failover to the disaster recovery environment. Testing enables failures to be documented and corrected, but without proper testing, the risk of extended downtime in the event of an actual disaster remains high.

Get My CopyHow Southern Bank and Trust Recovered from Hurricane Irma Get a Copy

The DIY disaster recovery approach often starts with the best intentions. However, a lack of understanding of the ongoing time commitment by senior management and the IT knowledge required to keep disaster recovery systems up-to-date and effective is easily overlooked as time passes. At the very least, inadequate disaster recovery can end up costing a financial institution more time and expense. As a worst-case scenario, it can lead to reputational damage if the institution cannot successfully bounce back from a disaster or other business disruption.

Benefits of a Managed Services Provider

To combat these issues, financial institutions should consider using a managed services provider to support their disaster recovery needs. This can offer a more affordable, feasible, and reliable alternative than going the DIY route. A managed site recovery solution that replicates servers from a financial institution’s site to the cloud can get the organization back up and running in minutes—not hours or days—after a natural disaster, system outage, or other disruption. Partnering with the right services provider will also ensure financial institutions find the right-sized solution for their needs so they are not underestimating or over-spending trying to do it themselves.

In addition, working with a managed services provider can provide several other benefits over a DIY solution. For one, the solution is setup, installed, monitored, and maintained by experts in the field. The institution doesn’t have to worry about their key IT personnel spending their time focused solely on the recovery process during a disaster. Instead, they can focus on getting users setup on computers, ensuring printers are connected, and verifying that critical applications are installed. In short, managing the disaster recovery process would just be another burden for them to bare. Community banks and credit unions have the comfort of knowing that a skilled managed services provider and redundant resources will be available when needed.

A managed services provider can also provide annual DR testing and on-going support to ensure the institution is well-equipped to recover from any disaster.

All financial institutions can benefit from managed site recovery services. And partnering with a managed services provider can be especially advantageous for banks and credit unions with branches that are grouped within the same geographic area. The impact of a storm could be even more devastating to these types of institutions if they lose their only branch or the location hosting communication to their core provider.

A DIY approach may seem like the easier route to take, but when a disaster strikes, financial institutions shouldn’t have to recover on their own. A managed services provider can work as an extension of the internal team to provide dedicated support and ensure the institution recovers quickly and efficiently. The goal of a disaster recovery program is to ensure continuity, not only for the financial institution, but for the communities it serves. In the event of a disaster, financial institutions need to have a solid DR environment in place and detailed processes to recover successfully. Working with a team that can effectively address the institution’s unique needs and provide dedicated DR support streamlines internal processes, improves disaster preparedness, and provides confidence that no matter what disasters arise, the institution will be able to resume business operations.

05 Sep 2019
Disaster Recovery Planning What You Do Not Know Can Hurt You

Disaster Recovery Planning: What You Don’t Know Can Hurt You

Disaster Recovery Planning What You Do Not Know Can Hurt You

Disaster recovery is a crucial business continuity area that all financial institutions must prepare for, no matter the size of the organization or location. Each year, the U.S. gets hit with multiple tornadoes, hurricanes and other storms that produce damaging winds, rain and flooding. As of July 9th, there were already six weather and climate disaster events with losses exceeding $1 billion each across the United States, according to the National Center for Environmental Information (NCEI). The costs of these events varied, including physical damage to commercial buildings; time element losses like business interruption; and disaster restoration expenses. In addition, many areas of the Southeast are currently preparing for Hurricane Dorian as we speak!

The overall impact of adverse weather can be particularly detrimental to community banks and credit unions that may have fewer disaster recovery resources at their disposal. This highlights the need for all financial institutions to be prepared for potential disasters—whether natural or manmade—so they can implement a smooth recovery. Here are some important aspects about disaster recovery planning that community banks and credit unions should consider:

  1. Implement Effective Strategies and Tactics
  2. The disaster recovery plan provides detailed instructions to ensure all mission-critical functions can recover in the event of a business interruption. To facilitate effective disaster recovery, bank and credit union personnel must be able to implement specific activities that can restore an institution’s vital support systems after a disaster strikes. These include ensuring all back-ups are up to date and working; implementing uninterruptable power supplies for short-term outages; making sure the server room is secure and all sensitive documentation is protected; and ensuring all employees, vendors, and customers are aware of the proper communication protocols. Without these steps, the institution will not have the resources required to meet its operational needs, which could have a devastating effect on the entire organization.

  3. Prepare for All Disaster Situations
  4. Get My CopyHow Southern Bank and Trust Recovered from Hurricane Irma Get a Copy

    Disaster recovery often focuses on the prospect of restoring technology and communications after a hurricane, tornado, or other storm. However, disaster preparedness must extend beyond storms, earthquakes, fires, floods, and other natural calamities. Events like electric power outages, hardware failures, security breaches, and human error can also be catastrophic. There are also mundane reasons for needing disaster recovery: A backhoe inadvertently wipes out the internet connection or a water line leak knocks out the server. Not planning broadly enough can cause institutions to miss covering all the bases when the time comes to implement the disaster recovery plan.

  5. Know What’s at Stake
  6. Disaster recovery planning goes well beyond minimizing the loss of hardware, applications or data. It’s a matter of losing time, money, clients and, in some cases, losing business opportunities or reputation. To minimize downtime and ensure critical business functions recover quickly, it is important to determine the specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for both the financial institution and all third-party vendors the institution relies on for critical business functions. The RTO is the amount of time an application can afford to be down without causing significant damage to the business, and the RPO is the allowable data loss. The longer a financial institution’s system is down the more it will suffer, so defining the RTOs and RPOs is an important step to ensure the institution can be up and running in a timely manner.

  7. Test the Plan
  8. Having a plan on paper is one thing; having a plan that works is another. Financial institutions must test their disaster recovery plan to determine what could go wrong and adjust accordingly. Not knowing if a plan works—until an actual disaster occurs—can be extremely risky. If the plan proves to be insufficient during a real-life scenario, the institution could experience undue damage and expense. Hence, the need for regular testing. The frequency of testing will depend on the size and type of financial institution. Smaller banks and credit unions should test at least once a year; larger institutions or those with a more fluid environment should test more often.

  9. Update the Plan as Needed
  10. As a part of the overall business continuity planning process, it’s essential for institutions to review and revise their disaster recovery plan to make sure it supports their current technological environment, business needs, and objectives. Updates to the plan should be done whenever an important element (internal or external) in the institution changes. To streamline this process, disaster recovery should be integrated into all business decisions and responsibility should be clearly outlined for each update and area. The importance of the disaster recovery plan should be communicated to the entire organization, which includes the board, senior management, and other stakeholders. The more frequently a disaster recovery plan is updated and the better educated the entire organization is on the plan, the more reliable and useful it will be when a problem arises.

It’s important to stay on top of all disaster recovery processes to make sure the entire financial institution is well-equipped to respond in the event of a disaster. The good news is community banks and credit unions do not have to be knowledgeable about every facet of disaster recovery planning to do this successfully. Instead of worrying about what they don’t know, they can capitalize on third-party recovery services that ensure they have the proper technology and support to recover quickly. Safe Systems, for example, offers a fully managed site recovery solution to support financial institutions of all sizes. Safe Systems’ experts can assist with disaster recovery planning, testing, and execution to safeguard institutions against the impact of a natural disaster and other threats.

29 Aug 2019
Capitalizing on Cloud Infrastructure

Capitalizing on Cloud Infrastructure: Everything Financial Institutions Need to Know About Moving to the Cloud

Capitalizing on Cloud Infrastructure

Capitalizing on Cloud Infrastructure: Everything Financial Institutions Need to Know About Moving to the Cloud

As financial institutions refine their digital strategy to keep up with market and regulatory demands, cloud computing is emerging as the future of banking technology. There are a myriad of reasons institutions should capitalize on cloud computing, including enhanced scalability, efficiency, reliability, risk management and regulatory compliance. Despite these and other appealing benefits, it can be intimidating for community banks and credit unions to move to the Cloud.

In this post, we examine some of the most important issues related to moving to the Cloud to help institutions streamline the decision-making process, determine what can and should be moved to the Cloud, and examine the cost and security issues of cloud computing. Hopefully, this will shed light on how beneficial cloud-based solutions can be and provide the information IT managers need to make the best decision for their institution.

Three Questions to Ask Before Moving to the Cloud

 
Hosting applications and systems on a cloud network can be appealing to community banks and credit unions as it allows them to reduce servers, internal infrastructure, and applications that would typically have to be hosted inside the institution, as well as the associated support each one requires. It also offers the benefits of system standardization, centralization of information, and the simplification of IT management. However, here are three essential questions financial institutions should ask before moving to the Cloud:

  1. Which applications can be moved to the Cloud? Evaluating which applications can be moved to the Cloud and which vendors offer cloud-based solutions is really the first step. This will help IT managers understand issues and elements that will be solved or created by the move to the Cloud. For example, even with cloud-based solutions, they will still need to manage user workstations, security issues, connections to applications, as well as switches and routers.
  2. Is the institution’s internet connectivity strong enough to support cloud-based solutions? Delays in loading cloud-based applications can be frustrating as well as costly. The increased use of cloud-based computing will place added demands on internet speed and connectivity, making a strong connection critical for the success and health of the financial institution. This is a very important consideration when determining whether to move to cloud-based services. Confirming the availability of the proper connectivity—including a redundant internet connection to ensure access at all times—will help streamline this transition.
  3. Are there additional compliance issues to consider when selecting a cloud vendor? Moving to a cloud-based application will mean giving up some controls to a cloud vendor. When selecting a vendor, institutions must evaluate their practices and strategies for user identity and access management, data protection, incident response, and SOC 2 Type II documentation. They should have a solid vendor management program in place to verify that their vendors are compliant and are following the service agreement.

Financial Implications of Migrating to the Cloud

 

Watch Video

Migrating to the Cloud commonly requires an organization to move from a capital expenditure (CAPEX) to an operating expenditure (OPEX) financial model. The difference in long-term costs can be difficult to measure as many of the internal costs of managing an IT network are not documented.

Most community banks and credit unions have a good understanding of their IT capital expenditures. The up-front, fixed costs, such as hardware and software, and the resulting amortized or depreciated costs over the life of the asset, are historically well tracked. Traditionally, an on-premise infrastructure is considered a capital expenditure since it includes the purchase of servers, computers, and networking hardware, as well as software licenses, maintenance, and upgrades.

What is not generally well documented are the internal costs involved with running the system, including the power, cooling, floor space, storage, physical security, and the time IT teams devote to the daily management and continual maintenance of these systems. In addition, the equipment and software will need to be upgraded or replaced periodically, making for on-going large capital costs in years to come.

The move to the Cloud means a move from a CAPEX financial model to an operating expenditure model, in which large capital outlays are replaced by monthly, quarterly, or annual fees an institution pays to operate the business. These periodic OPEX fees include license fees for software access, as well as all the infrastructure and maintenance costs associated with the technical environment. Hosting an application in the Cloud via a Software as a Service (SaaS) model can minimize required capital investments for the institution. It can enable them to be up to date with the latest technology which can lead to generating more profits and ROI. The OPEX model can also provide the IT staff more time to focus on strategic revenue-generating and customer-facing activities.

The evaluation of CAPEX and OPEX expenditures is not an apples-to-apples comparison. It is important for IT management to understand the differences between the CAPEX and OPEX models, perform an analysis, and be able to effectively communicate the pros and cons before presenting a proposal to leadership.

Four Steps for Moving Server Workloads to the Cloud

 

Watch Video

Today, banking services are increasingly being hosted in the Cloud. Cloud outsourcing often begins with specific IT functions or processes such as disaster recovery, backup, and supporting servers. However, a financial institution can be strongly in favor of cloud computing without moving 100 percent to the Cloud. For example, a bank could easily have its ancillary systems and lending in the Cloud and maintain its core in-house.

There is a great deal of infrastructure involved in managing all the applications needed to run an efficient and successful financial institution. While cloud technology has proven to be beneficial for community banks and credit unions by enabling their limited in-house personnel to focus on core strategic initiatives, there are four important factors institutions should carefully consider before moving their data to the Cloud. They are:

  1. Support the financial institution’s business strategy
     
    Some organizations consider moving to the Cloud simply because they think it is the right thing to do; however, there is no set path that all financial institutions must follow.
    Each community bank or credit union has a unique strategy driven by its market situation, whether that includes business expansion, rapid disaster recovery, or replacing existing servers or hardware. An institution’s decisions about cloud computing ultimately must align with its business goals, strategies, and objectives.
  2. Identify the application opportunities
     
    Not all business processes and applications are suitable for the Cloud. Before moving to the Cloud, the IT team must understand the requirements of their business applications. They should evaluate the data footprint, transaction types, and frequency, as well as the IT infrastructure that is being used to host each application in order to determine which applications need to remain on-premise and which can be moved to the Cloud.
  3. Determine the best path to the Cloud
     
    Once the institution’s cloud and business strategies have been aligned, and its applications have been identified, it is ready to migrate supporting servers, applications and other assets to the Cloud.
     
    There are several approaches that institutions can use to facilitate their migration to the Cloud. They can simply move the physical servers they already have to a co-location facility or data center. This can be an attractive option since it does not require extensive configuration changes to applications and servers but moves these critical assets out of their building to a highly available data center.
     
    Or a financial institution can adopt an Infrastructure as a Service (IaaS) model. This means that instead of physically moving the servers it owns, a bank or credit union can lease the server capacity that it needs from a third-party provider. The institution can then access the servers remotely to install, run, and maintain its applications.
     
    As a third option, financial institutions can implement the Software as a Service (SaaS) model. With this licensing fee and delivery model, software is licensed on a subscription basis and is centrally hosted by the application software provider. This approach enables community banks and credit unions to run their applications from a browser that is supported by the developer, so there is no additional infrastructure to maintain.
  4. Develop a Phased Approach
     
    Long term, financial institutions should consider using a graduated approach to moving their applications to the Cloud. The migration should be completed in multiple phases to enable a smoother transition. However, the applications that are not technically ready should not be moved as this can cause unnecessary complications and technical issues.

Misconceptions About Cloud Security

 

Free eBookEverything You Need to Know About the Cloud Get a Copy

Many community banks and credit unions struggle with truly understanding the security differences of housing their sensitive data in the Cloud vs. keeping it housed on servers and hardware solutions that are located on-premise.

Having sensitive data housed in a cloud-based data center is uniquely different from maintaining on-premise resources for data storage. So, it makes sense that security-related issues and concerns would need to be addressed and considered prior to cloud migration. Understandably, some institutions might have lingering doubts about whether they can truly trust a cloud-based data center that they can’t physically see or control.

Let’s take a look at some of the common issues and misconceptions organizations have about cloud security:

  1. Misconception #1: The Cloud is not secure
     
    To the contrary, the Cloud can enable financial institutions to experience as much as or more security than with an on-premise environment—and without the hassle and expense of maintaining physical servers and storage devices. Major cloud service providers have the technical expertise and strict internal processes to physically secure their IT hardware against unauthorized access, theft, fires, flooding and other potential hazards. For example, Microsoft® employs thousands of cybersecurity experts and cutting-edge technology such as artificial intelligence to detect, respond to and thwart security threats.
     
    In addition, cloud providers often give their customers access to extra security programs and resources. This can make it easier for organizations to more effectively combat threats like data loss, leaks, and hacking. Of course, no security model—even one that uses a multi-layered approach—is perfect, but a cloud solution protected by substantial security measures can ultimately enhance a financial institution’s security posture.
  2. Misconception #2: The provider is responsible for keeping data secure in the Cloud
     
    A common concern for many financial institutions who are considering moving to the Cloud is determining who is responsible for data security moving forward—the cloud services provider or the customer? The short answer is both parties. Data security is typically a shared responsibility and requires banks and credit unions to continue monitoring the security of their solutions to ensure the data is secure and meets all regulatory requirements.
  3. Misconception #3: Data can be easily lost in the Cloud
     
    Information resiliency is a key differentiator for cloud-based services. These solutions help reduce the likelihood of data loss if key security features and backups are enabled and used appropriately.
     
    In addition, cloud services can help financial institutions recover quickly from business disruptions like equipment failure, power outages, and natural disasters. This provides financial institutions with continuous access to data and other critical applications, enabling business operations to run smoothly.
  4. Misconception #4: Anyone can access data in the Cloud
     
    The Cloud actually prevents unauthorized individuals from accessing data on the network because cloud providers use a variety of security processes to control points of access. Most cloud providers use data encryption to protect data while it’s being stored and during transmission as well as multi-factor authentication to require two or more forms of verification to access the system.
     
    Moreover, cloud services providers maintain detailed activity logs that show who accessed, created and modified data. Having this type of intelligence allows cloud vendors to better understand unusual activities, detect potential threats and more effectively protect the client’s data.

Final Thoughts

 
Building a strategy for cloud computing can be intimidating. All community banks and credit unions have a unique business strategy that will guide how they migrate to the Cloud, what type of cloud solution is best for their environment, and what specific technology assets should be moved to the Cloud.

Working with an experienced service provider such as Safe Systems can simplify the process. Safe Systems helps institutions design and install cloud solutions while also ensuring their systems are compliant and meet examiner expectations.

25 Jul 2019
Resource Center

New Resource Center Features Banking Technology, Security, and Compliance Insights for Financial Institutions

Resource Center

In today’s fast-paced environment, it’s important for financial institutions to have access to trusted information related to technology, compliance, and security trends. To help facilitate this, Safe Systems has launched a new online Resource Center which provides community banks and credit unions with access to a centralized knowledge base of free materials. The Resource Center can easily be reached from any page of our website in the top navigation bar.

Meeting Your Interests and Needs

What is currently top of mind for your institution? What is keeping you awake at night? What are you most interested in learning to help you improve your performance?

Whether you are searching for information that will help your institution understand how to stop a cybersecurity attack; identify what to do when your IT administrator leaves; or recognize the top compliance and security areas where you should focus; our new online Resource Center can help. You’ll find the relevant information you need to help you worry less and focus more on banking.

 

Browse Our Resouces

Key Features and Benefits

Our Resource Center is designed to not only be useful but easy to use. There is a wide variety of content, ranging from videos to white papers to case studies. You have the freedom to search by topic and browse at your own pace to find the information most valuable to you, in the format you most prefer. When you make a selection, you’re taken to a secure page where you can choose to view the material instantly in our online environment or download it to your computer to view later at your convenience.

Whether you are trying to find a solution to a specific problem, stay on top of the latest trends and industry regulations, or simply discover new insights, our Resource Center allows you to conduct your research in an easy and meaningful way. Here are five features to help you find what you are looking for:

  • Categories – Assets are grouped in three main categories, compliance, technology, and security, allowing you to dive into specific pieces based on these themes.
  • Search box – You can conduct a search by category, keyword, or title to find your desired content faster.
  • Suggested content – Recommendations for related materials are highlighted on each page to help you find the most relevant content based on your search.
  • Dynamic environment – The Resource Center is updated frequently with new materials to provide timely and up-to-date information.
  • Archiving – Most materials remain in the center permanently allowing you to access relevant content on an ongoing basis as your needs change.

An Ever-evolving Resource

The Resource Center will continue to evolve as a virtual library. Website visitors can look forward to encountering a constantly-expanding cache of information making it a worthwhile experience for any financial institution.

 

Browse Our Resouces