Tag: 2022

30 Nov 2022
Microsoft Azure Maintenance Basics

Microsoft Azure Maintenance Basics

Microsoft Azure Maintenance Basics

Financial institutions need to stay on top of Microsoft Azure maintenance to efficiently use Microsoft cloud services and have effective controls across identity and access. Azure maintenance is also a matter of regulatory compliance.

Microsoft Azure maintenance encompasses Azure Active Directory, M365 (formerly called Office 365), Microsoft Exchange Online, and other associated Azure cloud services. Many institutions may not realize they are leveraging cloud solutions because it’s not always obvious where different technology services originate. Regardless of how an institution obtains Microsoft Exchange or M365, it creates a Microsoft tenant with Azure AD. Institutions are ultimately responsible for these tenants and this includes properly securing and maintaining them.

The Federal Financial Institutions Examination Council (FFIEC) expects institutions to engage in effective risk management for the “safe and sound” use of cloud computing services. The council indicated as much in its statement on “Security in a Cloud Computing Environment,” saying: “System vulnerabilities can arise due to the failure to properly configure security tools within cloud computing systems. Financial institutions can use their own tools, leverage those provided by cloud service providers, or use tools from industry organizations to securely configure systems, provision access, and log and monitor the financial institution’s systems and information assets residing in the cloud computing environment.”

In addition, financial institutions are obligated to oversee third-party service providers and make sure that they use proper security controls. “Management should be responsible for ensuring that such third parties use suitable information security controls when providing services to the institution,” the FFIEC IT Handbook’s Information Security booklet stated. “Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks.”

Azure Active Directory

Azure Active Directory (Azure AD, AAD) is the primary identity platform across all Azure services. There are some standard maintenance objectives that financial institutions should meet with Azure AD.

Some of the key types of identities to review within Azure AD are users, devices, and enterprise applications. User maintenance is an area many people are familiar with, and it involves ensuring the list of users matches expectations. IT administrators should be on the lookout for new accounts; they should look for users who should not be there and delete or disable them if appropriate. For example, users may need to be purged from the list after they complete off-boarding procedures.

With device maintenance, it is important to be aware of all the devices that the organization has placed into Azure AD. IT administrators should ensure that, at least for Windows OS devices, they follow the established naming convention. They should delete “stale” or inactive devices and ensure that all devices—whether desktop or mobile—adhere to established compliance policies.

The maintenance for enterprise applications—objects with some form of connectivity with your Azure tenant—involves making sure various service apps meet expectations for functionality. Administrators should review the apps’ properties to ensure the best controls are being applied. For instance, this could include addressing apps that have an expired certificate.

Other important maintenance areas within Azure AD include reviewing privilege role assignments to ensure their validity, scrutinizing delegated administration partners to confirm their level of access, and “right-sizing” the number and types of licenses to avoid being over or under-provisioned.

M365 and Exchange Administration

SharePoint Online, Exchange Online, and OneDrive are core components of M365 and as such, they require strategic maintenance. Here are some important areas IT admins should address to maintain these services:

  • Usage reporting— Monitor usage reports to ensure they match the institution’s expectations. Anomalies in consumption and storage could indicate a possible security or compliance concern.
  • Cleaning up files— Delete old, unused files from OneDrive or SharePoint. Administrators can solicit help from users by notifying those who are approaching their limits.
  • File retention policy— Automatically delete files based on a set schedule or duration, such as anything older than seven years.
  • Exchange Online mailbox usage— Notice mailbox statistics before users reach their limit to avoid service disruptions—and complaints.
  • Distribution list review— Make sure distribution lists contain the appropriate members for the most effective targeting.
  • Exchange Online mobile devices— Keep track of the details about users’ mobile devices to gain additional insights for achieving maintenance objectives and compliance.

For more information, listen to our “Azure Maintenance —The Basics Every IT Administrator Should Know” webinar.

09 Nov 2022
Best Practices for Ransomware Prevention and Recovery

Best Practices for Ransomware Prevention and Recovery

Best Practices for Ransomware Prevention and Recovery

In the world of cybersecurity, an ounce of prevention is worth a pound of cure—especially when it comes to ransomware. Ransomware attacks hit a new target every 14 seconds, disrupting operations, stealing information, and exploiting businesses, according to the Cybersecurity and Infrastructure Security Agency (CISA). As a result of ransomware attacks, US Banks paid out nearly $1.2 billion in 2021, which is up by 188% from 2020 according to the Financial Trend Analysis report [PDF] on ransomware from the US Treasury’s Financial Crimes Enforcement Network (FinCEN). But banks and credit unions that consistently implement best practices can effectively prevent and recover from ransomware attacks.

Prevention Strategies

The ideal strategy is to keep ransomware assaults from happening in the first place, but prevention can be tedious and challenging. As a general practice, institutions should identify and address known security gaps that can enable a ransomware infection. (If there is a loophole, hackers will eventually find it.) Since human mistakes are the root cause of most security breaches, providing ransomware training for employees is a crucial step that institutions can take to reduce their cybersecurity risk. Ransomware awareness training can help staff identify, respond to, and circumvent attacks as well as test their knowledge in a safe environment. Institutions can also limit their security risk by adhering to the principle of “least access” to grant employees the minimum levels of access or permission needed for their job.

As another best practice, institutions can also take a stricter stance on the technical aspects of cybersecurity. They can employ intelligent network design and network segmentation to limit risk by restricting ransomware intrusions to a portion of the network instead of the whole system. Institutions should also have overlapping security solutions to provide layered protection for their systems and networks. Then if a single security element fails, another layer will be in place to compensate.

Response and Recovery Tactics

Even with multiple protective measures in place, there is only so much financial institutions can do to avert a ransomware attack. When a breach happens, the institution must respond immediately to mitigate the impact. This includes implementing pre-established processes for incident response, vendor management, business continuity, and other key areas. Bank management, for example, should have an incident response program to minimize damage to the institution and its customers, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet.

Having pre-defined procedures to declare and respond to an incident can be essential to effectively containing and recovering from a ransomware infection. While incident containment strategies can vary between different entities, they typically include the isolation of compromised systems or enhanced monitoring of intruder activities; search for additional compromised systems; collection and preservation of evidence; and communication with affected parties and often the primary regulator, information-sharing organizations, or law enforcement, according to the FFIEC.

In addition, restoration and follow-up strategies for incidents should address the:

  • elimination of the intruder’s means of access
  • restoration of systems, programs, and data to a “known good state” (using available offline or offsite backups)
  • the initiation of customer notification and assistance activities consistent with laws, regulations, and interagency guidance
  • monitoring to detect similar or further incidents

Another step in the recovery process might involve notifying an insurance carrier—if the institution has ransomware coverage. However, cyber insurance might not prove to be the ultimate remedy: A policy exclusion could keep the carrier from paying the claim. Or the settlement amount may not fully compensate for the institution’s intellectual property losses, revenue reduction, tarnished reputation, and other damages.

Augmenting Internal Resources

With the growing complexity of ransomware, it can be challenging for institutions to react to and recover from a cyberattack. However, those with limited internal resources can get help from a third-party cybersecurity expert to manage the process. Safe Systems, for instance, offers multi-layered security services that make it easier for community banks and credit unions to enhance their cybersecurity posture, so they can be better equipped to prevent, respond to, and recover from a ransomware attack. For more information about this critical topic, read our white paper on “The Changing Traits, Tactics, and Trends of Ransomware.”

27 Oct 2022
Social Engineering Scams - It Could Happen to You

Social Engineering Scams – It Could Happen to You!

Social Engineering Scams - It Could Happen to You

Many of us have heard the story about the fake printer repair person who shows up at the office to fix an issue with the intent to gain access to a secure area and collect confidential information. In reality, these things don’t really happen, right? At least not to small businesses or individuals…maybe this happened once to a large corporation and received a lot of press? This level of social engineering doesn’t really happen to someone like me, or does it?

Here’s What Happened to Me

My personal story involves a person visiting my house, a letter in the mail “from the government”, and a friend request on a popular social media platform from someone I knew 20 years ago. Each incident seemed innocent enough at the time, and on its own, did not raise any red flags. But as the events unfolded, I recognized a few mistakes that were made and realized that this was a coordinated effort and a scam!

It started with my doorbell ringing and my six-year-old yelling “Dad, someone’s at the door.” I answered the door to a well-dressed, very professional, middle-aged female with a smile and a government-issued badge around her neck. She promptly showed me the badge and explained she was there to ensure I had received a survey from the Department of Health and Human Services (DHHS). She explained it was important that I fill out the survey to provide the data needed for them to make decisions to properly serve their constituents.

I conduct many surveys at Safe Systems, so I empathized with her need for information and the effort it requires to get people to fill out surveys. I informed her that I had not received the survey she was inquiring about. She then handed me a sample copy of the survey and said that my actual form would have a randomly generated code to help them track when each family had filled out the survey. Even though the survey was anonymous, they used the code to track completion. When I stated again that I had not received the survey, she politely asked me to keep an eye out for it. She said she would check back next week to confirm I had received it. She complimented me on my house and walked away. Although I found the personal stop at my house odd, I didn’t notice any red flags at first. I simply thought this was similar to how they knock on doors for the census every 10 years.

Two days later, when checking the mail, I found a letter addressed to my wife and me. When I opened it, it included a survey that looked like the sample the lady had shown me a few days earlier, but this survey also had the randomly generated code that she told me about. I was still a little suspicious but planned on doing some research online to see if everything checked out.

A few days later, I received a friend invite on Facebook from someone I had not spoken to in 20 years. I’m not a big social media person but I do have a few accounts to keep up with different family affairs. Once I accepted the invite, this person started asking me about life and family. He didn’t ask anything personal, just general questions about how everyone is doing, jobs, etc. He seemed chattier than I remember him from 20 years ago, but we all change over time. I was cordial with my responses but not overly responsive. Over a few days, I got several short messages from him, then I get hit with this question, “have you filled out the DHHS survey?” He said he had seen my name on a list of people who had not completed it, and since he knew me, he thought he would reach out. RED FLAG!

The last I knew he didn’t work for the DHHS so how would he see my name on a DHHS survey list? And how could he be sure I was the same guy he knew 20 years ago living in a different town? Everyone who knows me, knows I go by my nickname. Very few people know my official birth certificate name, which is what was used on the DHHS survey. So, the odds of my name jumping off the page at him is unlikely. RED FLAG! I was curious about where this was going so, I continued the conversation, but guardedly. I admitted I had the survey but had not had a chance to fill it out yet.

Not wanting to let on that I was suspicious of him and the survey, I lied and said I would get around to it at some point. His response was the clincher for me that this was a scam. He said, “Great, just don’t want you to miss out on all the money I got from doing it.” Suddenly, there is money involved with filling out this survey which had not been mentioned anywhere. BIG RED FLAG! Also, it is very unlikely that someone filling out the survey would see a list of others who had received it, especially if it was supposed to be anonymous. RED FLAG!

I decided at this point, I wanted to know how far they would take this scam. I started chatting with him about some trip we went on years ago and how great it would be to do it again (but the truth was we never went on any trip). I never heard from him again, and his Facebook account was deleted and removed 2 days later.

It is important to discuss his Facebook page, as it not only had pictures of him and his family but also indicated that we had a single “mutual friend.” This was meant to convince me of his authenticity but should have also raised a RED FLAG considering how much overlap there was in the people we knew. Apparently, someone had stolen the pictures from his Facebook page and created a new account. I later recalled I was already friends with him on Facebook and compared his actual page to what I had seen on the fake account. They were identical if you just looked at the profile picture and the last post or two. There was almost no history on the fake account, but I had not paid attention to this RED FLAG at the time.

Social Engineering Can Happen to Anyone

In the grand scheme of things, I’m your average American stereotype. I live in a small neighborhood in suburbia with a minimal presence on the internet. Why would anyone have any interest in me? Yet, with no reason to target me, someone came to my house, mailed me a letter, set up a fake profile of someone I knew 20 years ago, and created an elaborate scheme to get me to fill out a survey that asked for personal information.

The moral of the story is if it can happen to me, it can happen to you, your family, and your business! Don’t assume these things only happen to others or large corporations. Social engineering schemes are very real, and they can work if you don’t have your guard up!

As we reach the end of Cybersecurity Awareness Month 2022, I thought this would be an appropriate story to share. As you can see from my story, social engineering can be very elaborate and can use means that are outside of the internet to deceive you into providing access to confidential or personal information and/or your computer systems. So, awareness is key. In the spirit of this month, I hope my story serves as a reminder to talk to your employees and customers about recognizing red flags and staying safe online.

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

  • Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims to click on a bad link or download a malicious attachment. The signs can be subtle, but once suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

20 Oct 2022
Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Our first Customer Success Summer Series offered live webinars with special guest speakers who shared their industry knowledge to help our customers and other financial institutions enhance internal processes and key areas of their banking operations.

The Evolution of Phone Systems

Today businesses are facing the acceleration of remote working—Voice over internet protocol (VoIP), Virtual Private Networks (VPN), virtual meetings, and dynamic routing of phone systems based on the user’s location—all have become must-have requirements. Legacy telephone services are becoming more obsolete as some telecoms decommission analog technologies in favor of fiber pots and other alternatives. The old telephone system is evolving into a more modern option: unified communications as a service (UCaaS), which merges communication channels into a single cloud-based system. UCaaS offers all the necessary infrastructure, applications, and resources businesses need in an easily scalable solution. Unified communications tools can include chat, VoIP, text messaging, and online video conferencing.

UCaaS gives institutions the benefit of advanced functionality which allows employees to work remotely more efficiently, including things like the ability to check other users’ availability, reach people whether they are in the office or out in the field, and access the platform from anywhere. Another evolving facet in telecommunications is call center as a service (CCaaS), which also streamlines omnichannel communication and allows remote employees to work together as a call center team.

Given its flexibility and efficiency, it is easy to see why UCaaS is moving to the forefront of communications. There is a wide range of unified communications features, equipment, and prices and it is important for your institution to clearly define its unique needs to find a solution that will satisfy its requirements. It is also important to continue to evaluate your equipment and services every few years as technology and pricing continue to change.

Watch the recording of this webinar to gain a better understanding of UCaaS and other options so you can make the right choice for your institution.

2 Guys and a Microphone

Matt and Tom have both spent most of their careers focused on risk and regulatory compliance for financial institutions. We recorded their recent conversation which spans many topics including increased scrutiny on vendor management, continued focus on ransomware, and more.

Recent audit and exam trends continue to have a strong focus on third parties and proper vendor management. Examiners are considering the preponderance of fintechs, how much the average financial institution is outsourcing, and the inherent risk that originates from third-party vendors. Interestingly, their increased scrutiny may extend to any significant sub-service vendors that institutions may have. In addition, we are seeing questions arise about vendor management in the context of insurance. Cyber liability insurance applications are requesting more details about the management of vendors and other third parties.

There have also been some interesting audit and exam findings. For instance, one institution was encouraged to complete a post-pandemic/walk-through test or “dry run” of their pandemic procedures. This is curious considering all institutions have been in a “live exercise” for the past few years with the pandemic. Regardless, there is a good chance that the pandemic verbiage in your disaster recovery plan needs to be updated based on what has or has not been done in response to the current pandemic. And it is important to consider that an annual pandemic test will be a part of examiner expectations going forward along with the traditional business continuity, natural disaster, and cyber incident tests.

On the regulatory front, the new Computer-Incident Notification Rule went into effect on April 1, 2022, which is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The rule has two components:

  • The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
  • The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

In March, we hosted an in-depth webinar on understanding the requirements, recognizing gray areas, and preparing for unknowns. To help intuitions meet these requirements, we also created a detailed flowchart to understand when an event is severe enough to activate your Incident Response Team (IRT) and when regulators and customers should be notified.

Another regulatory trend to keep your eyes on is the increasing focus on ransomware industry-wide is prompting some state banking organizations to require institutions to use the Ransomware Self-Assessment Tool (R-SAT). The 16-question R-SAT is designed to help institutions evaluate their general cybersecurity preparedness and reduce ransomware risks. The R-SAT supplements the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC). It will be interesting to see if more states begin requiring this additional diagnostic tool.

Watch the recording to hear more insights about INTrex, SOC Reports, and SSAE 21.

08 Sep 2022
What to Budget for in 2023

What to Budget for in 2023

What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

  • Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
  • Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

01 Sep 2022
Addressing the Growing Ransomware Problem

Addressing the Growing Ransomware Problem

Addressing the Growing Ransomware Problem

Ransomware has become the leading cyber threat to businesses today—and it is growing at an alarming rate. Threat actors, who often work in groups, continue to evolve and create different ransomware strains. They rebrand themselves and resurface under new identities, making it difficult to curtail their criminal activities. Ransomware has continued its upward trend with an almost 13% rise—an increase as big as the last five years combined, according to the 2022 Verizon “2022 Data Breach Investigations Report.” And the FBI’s Internet Crime Complaint Center Annual Report stated recorded 3,729 ransomware complaints in 2021 with adjusted losses of more than $49.2 million.

The pervasive nature of the ransomware problem affects all types of companies, sectors, and industries worldwide. Approximately 37 percent of global organizations were targeted by a ransomware attack in 2021, based on the IDC’s “2021 Ransomware Study.” And in February 2022, the Cybersecurity and Infrastructure Security Agency (CISA) reported that fourteen of the 16 US critical infrastructure sectors had ransomware incidents.

The Impact

Ransomware is malicious software or malware that locks victims out of their computing devices or blocks access to files until they pay a ransom. More sophisticated versions can encrypt files and folders on attached drives and even networked computers, raising the stakes even higher. (In all cases, the FBI does not support paying a ransom in response to a ransomware attack.)

Typically, ransomware gets installed on a workstation using a social engineering technique such as phishing. It tricks people into clicking on a link or opening an attachment and disclosing their login information or even financial data. Regardless of the threat vector used, a ransomware infection can wreak havoc on victims, causing extensive business interruptions, legal expenses, and reputational damage. According to IBM’s Cost of a Data Breach 2022 report, the average cost of a ransomware breach, not including the ransom payment, declined slightly, from USD 4.62 million to USD 4.54 million. However, the frequency of ransomware breaches has increased — from 7.8% of breaches in the 2021 report to 11% in the 2022 study. In certain industries, an attack may be considered a data breach and involve even more negative consequences. For instance, financial institutions and other critical infrastructure agencies may be required to pay fines for an attack due to their failure to protect clients’ data.

Cybercriminals are shifting away from ransomware attacks that merely demand a payment to unlock the victim’s data or device. They are focusing on more multidimensional extortion methods to extract a larger reward. IBM Security’s 2022 “X-Force Threat Intelligence Index” report indicates that virtually all ransomware assaults today are “double extortion” attacks that demand a ransom to unlock data and prevent its theft. Some attackers opt to exfiltrate sensitive data, so they can present additional ransom demands in the future. They may also sell personal data—credit card numbers, email addresses, online credentials, or bank account information—to make the fraud even more lucrative.

Best Practices

Security is a complicated issue, which makes staying on top of threats and vulnerabilities challenging. Financial institutions must complete a myriad of time-consuming and complex tasks to maintain a strong security posture. Addressing ransomware can be particularly difficult for community banking institutions with limited internal technical expertise and resources. And there is only so much an institution can do to stay vigilant against ransomware threats.

However, institutions can reduce their risk by implementing some key security strategies such as:

  • Having a well-trained staff because most ransomware intrusions are caused by human error.
  • Having overlapping security products and or services to cover the protection of systems and networks.
  • Having well-designed network infrastructure with security in mind.
  • Having a proper incident response plan that can be adhered to in the event of a breach.

Using a Managed Service Provider

Financial institutions that put mitigating systems, processes, and practices in place will be better positioned to prevent, detect, and recover from a ransomware breach. However, many smaller institutions may lack the resources and knowledge in-house to close security gaps and circumvent attacks. They can remedy the situation by employing the products and services of a managed service provider to strengthen their security posture.

Safe Systems provides a wide range of layered security solutions to help institutions address the risk of ransomware. Our security offerings include behavior-based vulnerability monitoring, advanced endpoint protection, vulnerable systems patching, next-generation firewalls, email software security, and staff training. These products and services deliver essential overlapping protection, and they are specially designed to meet the needs of community banks and credit unions.

Also, stay tuned for our upcoming white paper that will provide more data on the current state of ransomware and how banking institutions can better minimize the risks of an attack.

05 Aug 2022
The Importance of Succession Planning

The Importance of Succession Planning to IT and Information Security Resiliency

The Importance of Succession Planning

Change can be challenging—especially when it involves the transition of IT management and other key personnel. That’s why it’s imperative for banks and credit unions to be proactive about succession planning.

While regulators expect institutions to have a formal succession plan for key leadership roles, having a strategy for filling critical positions is a matter of practicality. If an IT administrator or information security officer (ISO) is not in place, or not available to complete the tasks, reports, and other responsibilities of these roles, then it could lead to cyberattacks and other security issues. This, in turn, can have dire consequences on a financial institution’s operations, risk-profile compliance, and reputation.

Succession Planning Strategies

Institutions can ensure IT and information security resiliency by having an effective plan for managing the absence of key security-related personnel. Depending on their size, type, and goals, they can adopt any of these approaches to succession planning:

  • Proactively assess internal talent and then orient the most suitable individual to serve as an alternate or backup for various IT admin or ISO responsibilities. The ISO alternate, for instance, should train with the existing ISO, attend ISO oversight meetings, and present appropriate information to executive management and the board. If the ISO leaves, the backup individual should be equipped to assume the role temporarily or even for the long term if necessary. Training a staff member to perform IT or information security duties is not only pragmatic, but it complies with regulatory guidance.
  • Implement an internal committee or team approach to managing IT and information security during a temporary or permanent personnel change. The committee can facilitate the IT and information security program in several ways. It can maintain processes until an outside replacement is installed or support an internal successor who is transitioning into the position. The committee can also provide coaching to keep the replacement from becoming overwhelmed by the complexity and assortment of tasks required.
  • Partner with a trusted third party to obtain the additional expertise needed to meet IT and information security benchmarks. This approach provides an accountability partnership role and a regular framework that clearly defines key responsibilities and streamlines processes. This strategy can ensure institutions have suitable resources to ease the transition of key personnel to enhance IT and information security resiliency.

Leveraging a Virtual ISO

A virtual ISO can be an ideal solution for institutions seeking to enhance IT and information security resiliency. This third-party service can not only support succession planning, but it can also serve as an extension of the internal ISO providing an external layer of oversight and an objective point of view — which allows institutions to approach risk more strategically and proactively.

ISOversight from Safe Systems, for instance, is a complete solution that makes it easier for community banks and credit unions to master information security and compliance online. This virtual ISO solution—which is especially for financial institutions—offers valuable access to applications and resources, cyber risk reporting, and compliance experts. With ISOversight, banks and credit unions can be confident that all their ISO-related requirements are completed on time, documented properly, and reported to the appropriate parties. Learn more about how to enhance your institution’s security posture during tough times. Read our white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

27 Jul 2022
Learn How to Eliminate Compliance Pain Points with COMPaaS

Learn How to Eliminate Compliance Pain Points with COMPaaS

Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

  • BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
  • CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
  • Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
  • Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
  • Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
  • NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
  • Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
  • V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

14 Jul 2022
How to Always Be Prepared for a Cyberattack

How to Always Be Prepared for a Cyberattack

How to Always Be Prepared for a Cyberattack

Cybersecurity attacks have been ramping up nationwide, and the FBI expects the trend to continue. Americans reported 847,376 complaints in 2021, a 7-percent increase from 2020, according to the FBI’s Internet Crime Complaint Center’s 2021 Internet Crime Report. Many of the complaints filed in 2021 involved ransomware, phishing, data breach, and business email compromise. Financial services is one of the critical infrastructure sectors that are most frequently targeted by ransomware attacks.

However, here are five best practices that if effectively implemented, managed, and monitored can ensure that your financial institution is always prepared for a cyberattack:

1. Authentication

Passwords have become more complicated to create, remember, and maintain. Twenty years ago, passwords consisted of a simple string of characters. Now they are more complex, requiring a combination of numbers, symbols, and upper- and lower-case letters. Increasingly, user management tools allow institutions to take advantage of robust authentication options like multifactor authentication (MFA). MFA adds extra elements and more security to the sign-on process, which is why users should employ it whenever possible to log in to any network or system at your institution. This is especially important for higher-risk situations that involve network administrator accounts, virtual private network access, and critical management applications.

MFA is one of the most important cybersecurity practices to reduce the risk of intrusions. Users who enable MFA are up to 99 percent less likely to have an account compromised, according to a joint advisory issued by the FBI and Cybersecurity and Infrastructure Security Agency. “Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available,” the advisory states.

2. Patch Management

Patching can be a constant and tedious process as it requires keeping up with updates from numerous sources and applications. This can entail patching a plethora of Microsoft products, along with banking and lending applications, PDF readers, virtualization applications, database applications, ATM software, and more. Not patching a security hole in any of these could lead to a massive security breach with catastrophic implications for institutions. It’s imperative to maintain a list of all approved applications and monitoring software on the network as well as have an update policy and a clearly defined process for each application. Major breaches have happened because a single patch was missing on a single device. Patch management cannot be ignored or treated as an afterthought.

3. Email Security and End User Best Practices

Understanding email, specifically phishing techniques, is one of the most critical aspects of being prepared for a cyberattack. While financial institutions are frequently targeted by phishing attacks, following these best practices can help to prevent business email compromise:

  • Augment your email solution with effective scanning software. This can help identify SPAM and phishing emails before they reach employees.
  • Train employees to recognize phony phishing emails, so they can “think before they click.” These bogus emails can be difficult to spot unless you know what you are looking for; e.g., poor grammar and spelling, links that don’t match the domain, unsolicited attachments, etc.
  • Test employees to see how well they respond to a realistic phishing attempt. Invest in a program that lets you send fake phishing messages and track which employees fail the test, so you can offer additional training to those who need it.

4. Backups

Backups play a crucial role in file recovery, disaster recovery, and ransomware attacks. To successfully bounce back from a cyberattack, institutions need to have all backup scenarios sufficiently covered, including file-level backups, disaster recovery backups, Veeam backups (for virtual servers), and SQL/database backups. While most institutions use a combination of different backup solutions, the key objective is to back up files offline or in the cloud, so they are not connected to your network. Then if a ransomware attack strikes the network, your offline and cloud backups will not be affected.

5. Vendor Risk Management

Vendor management can have a dramatic impact on the overall success of your information security plan. If you outsource to a vendor with inadequate security protocols, their weakness essentially becomes your weakness. The first step in vendor risk management is to perform a risk assessment to evaluate your level of inherent risk. This must always be done first so that you can then identify and implement the proper controls. If the controls selected do not completely offset the risks identified, then alternate or compensating controls would need to be identified to achieve a level of residual risk that is within your risk appetite.

There’s no silver bullet when it comes to resisting a cyberattack but focusing on the five areas above can significantly increase your institution’s cyber resiliency. Safe Systems offers a range of technology, compliance, and security solutions that are exclusively designed for community banks and credit unions. Contact us to learn how we can help you implement these five and other best practices.

19 May 2022
The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

IT administrators (IT admins) and information security officers (ISOs) have independent yet interdependent roles that are critical to their financial institution’s security, regulatory compliance, and overall success. Both individuals must maintain a separation of duties yet work closely together to achieve a common goal: ensuring their organization’s day-to-day activities appropriately support its policies and procedures.

ISO Responsibilities

ISOs oversee everything from network security (including cybersecurity) to vendor management, to strategic alignment of IT initiatives, to general information security regulatory compliance, all of which require having on-demand access to relevant, timely, and actionable information.

ISOs rely heavily on IT administrators to share data about the network, so they can translate that data into the information that will allow them to perform their duties effectively. Therefore, reports are an integral aspect of the IT admin-ISO relationship. ISOs depend on the data provided by IT admins to complete the enterprise-wide thinking and strategic planning that is needed to protect the bank’s information and other assets.

For example, an IT admin might extract data about the number of devices that have been updated with the latest patches and report this information to the ISO. The ISO would certainly be interested in the status of all devices but would most keenly be interested in the exceptions—the devices that have not been patched—as even a single unpatched device could represent a significant risk to the organization. In addition, the ISO must further evaluate the root cause behind the exceptions: do they represent a predictable lag between patch rollout and installation that will be resolved during the normal course of reboots; or do they represent a procedural deviation or deficiency? If the latter, the ISO could make a recommendation to revisit patch management procedures and practices

IT Admin Responsibilities

IT administrators are responsible for a variety of tasks, including managing computer systems, IT personnel, information systems, data backups, and network security—and providing ISOs with essential information on all those activities. Since IT admins may have a small staff—or might be the only IT person in the department—and have privileged access to the network, institutions must closely oversee their position. According to the FFIEC Information Security Handbook, Section II.C.7(c) Segregation of Duties:

“System administrators, for instance, have the most powerful role in the user access process and have unlimited access to an institution’s information assets and technology. Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.”

The ISO in combination with the IT Steering Committee provides an important checks-and-balances process to ensure all systems are being effectively managed and maintained, and that status reporting is reliable.

ISO and IT Admin Cooperation

It’s important to remember that although the ISO and IT admin roles must be independent, they are also complementary since both entities are responsible and accountable for making sense of the vast amount of data flowing through their institution.

Because ISOs must utilize the information supplied by IT admins to produce the reporting necessary to periodically update senior management and the Board, and to authoritatively interact with IT auditors and IT examiners, this relationship must be cooperative. By maintaining a close working relationship, ISOs and IT administrators can make sure their actions support the institution’s IT strategic plan. Done properly, a successful ISO- IT admin relationship should in no way be adversarial, it should be mutually beneficial to both parties, as well as to the institution as a whole.

Obtaining Third-Party Support

Regulators place a high priority on the continuity and consistency of leadership for effective information security. At times, financial institutions will have ISOs and IT administrators leave their position either temporarily or permanently. When this happens, it can be beneficial to employ an internal committee/team or a trusted third party to help manage IT and information security.

A third-party partner can provide additional support while the ISO position is vacant, help a new employee transition into the role, or simply provide another set of eyes and an external layer of oversight to supplement what they already have in place. Collaborating with an external information security expert cannot only help the institution think more objectively, strategically, and proactively about risk during a time of transition but also when things are running smoothly. This can prevent problems later and position the institution to be stronger and more successful in the future.

Financial institutions can take advantage of a wide range of external resources designed to support the ISO and IT administrator roles. For example, ISOversight™, our virtual ISO service, offers community banks and credit unions a complete solution to help them master information security and manage compliance online. With ISOversight, institutions can make sure nothing gets overlooked, so they stay on track—which is vital with the complexities and constant changes in the technology and security environments.

22 Apr 2022
More Microsoft Azure and 365 Security Basics

More Microsoft Azure and 365 Security Basics

More Microsoft Azure and 365 Security Basics

Banks and credit unions today face an ever-increasing number of cloud security hazards. Here’s the good news: Financial institutions that use Microsoft Active Directory (Azure AD) and Microsoft 365 can lower their risk by modifying their security settings for these services. Not only can this help the financial institution minimize threats, but it can allow them to customize the features of Azure AD and Microsoft 365 (previously called Office 365) to their specific preferences and requirements.

Organizations are responsible for managing Azure AD and its security settings because when they purchased M365 licenses, they established a Microsoft tenant with Azure AD. From a compliance perspective, adjusting Azure AD’s settings is crucial since Microsoft automatically enables certain features that may violate or conflict with compliance policies for organizations in regulated industries.

Optimizing /M365 and Exchange Online Settings

Depending on your institution’s licenses, there is a wide range of security and compliance settings you can customize in Azure AD, M365, and Exchange Online such as:

  • OneDrive and SharePoint Sharing: Review the default level of sharing to control the flow of data based on what is appropriate for your institution.
  • Teams and External Collaboration: Review the platform’s default security and compliance settings, and if they are not sufficient, you can block all external domains to keep users from communicating externally.
  • Exchange Online: Control access, how emails are transmitted, the types of messages users can send to recipients in external domains, and the devices or apps that can connect.
  • Protection Center: Use the Basic Mobility and Security feature to manage and secure the mobile devices that are connected to your Microsoft 365 organization.
  • Security Center: Optimize email management by employing anti-spam policies for inbound emails, blocking automatic forwarding of outbound emails, using phishing simulations, quarantining potentially harmful messages, and blocking messages from fake senders.
  • Compliance Center: Implement a retention policy to manage the data by proactively choosing how to retain or delete content.
  • M365 Admin Center: Use modern authentication‎ in ‎Exchange Online‎ to enhance your institution’s security with features like conditional access and multifactor authentication. (Microsoft‎ strongly recommends turning off basic authentication for your organization.)

More Ways to Boost Security

You can further enhance cloud security by modifying the settings related to Azure AD Premium P1, Intune, and Azure Information Protection (AIP) licenses. With Azure AD Premium P1, for instance, you can include your institution’s logo, color scheme, and other branding elements on your Azure AD sign-in pages. You can also employ the hybrid Azure AD joined devices, conditional access policies, and password protection features. Microsoft Intune integration lets you configure policies to control how your institution’s devices and applications are used, including smartphones, tablets, and laptops. And AIP allows you to use deep content analysis to minimize data loss and enhance the labeling capabilities of Microsoft 365 to protect documents and emails.

M365 Security Basics Can Help

There are countless security settings that can be adjusted in Azure AD and /M365, and Microsoft is always introducing new features. This can make it difficult for institutions to ensure they have the most appropriate security, identity, and compliance settings—but our CloudInsight™ M365 Security Basics solution can make the process easier. M365 Security Basics is a collection of services designed to give community banks and credit unions a cost-effective way to manage their M365 settings. It offers reporting, the delivery of Microsoft data in a user-friendly format; alerting, notifications of the most common indicators of compromise; and quarterly reviews, expert analysis of M365 Security Basics reports, and explanations of the risk visible on the report and ways those risks may be mitigated.

To learn more about how to customize your institution’s Azure AD and M365 settings to bolster cloud security, access our “Microsoft Azure and M365 Security Basics” white paper.

30 Mar 2022
Get Prepared for the New Computer-Security Incident Notification Rule

Get Prepared for the New Computer-Security Incident Notification Rule

Get Prepared for the New Computer-Security Incident Notification Rule

As of April 1st, financial institutions are expected to comply with new cyber incident notification requirements for banking organizations and their third-party service providers. The Computer-Incident Notification Rule, as it’s officially called, is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The final rule—approved last November by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC)—takes effect on April 1, 2022, with full compliance extended to May 1, 2022. (To date, the NCUA has not adopted the new rule, although it’s possible they may at some point. Credit Unions should check with their regulator for notification expectation specifics.)

Understanding the Regulations

To meet the upcoming deadline, financial institutions need to be well versed in the intricacies of the new rule. The rule has two components:

  1. The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incidentthat rises to the level of a “notification incident.”
  2. The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Focusing on the financial institution expectations under the final rule, a couple of definitions must be understood.

  • A computer-security incident” could include almost anything: a hardware or software failure, an innocent mistake by an employee, or a malicious act by a cybercriminal. However, the incident must result in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
  • A “notification incident” is defined as a significant computer-security incident that has materially disrupted or degraded a banking organization in at least one of these areas:
  • its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base in the ordinary course of business
  • its business line(s), including associated operations, services, functions, and support that, upon failure would result in a material loss of revenue, profit, or franchise value
  • its operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

In the event an incident rises to the level of a “notification incident,” the banking organization’s primary federal regulator must receive this notification as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has happened.

Recognizing the Gray Areas

The words “material” and “materially” are key terms; so much so that they are used 97 times in the 79-page guidance about the ruling. But beyond an “enterprise-wide” impact, the regulation does not precisely define these concepts, so financial institutions will need to specify what this term means to their organization as a whole. And since a determination of materiality is a prerequisite to starting the 36-hour “clock” for notification, they should do so ahead of time. The undefined nature of “material” to each organization creates a gray area open for interpretation that not only allows institutions some flexibility in this area but also opens the door for differences in opinion between an institution and its regulator.

In another gray area, the rule does not impose any specific recordkeeping requirements, which is a reduced burden. However, we strongly recommend keeping at least basic documentation in case the examiners ever question why your institution did or did not decide to escalate an event from a computer-security incident to a notification incident, and why it started the “clock” when it did.

Preparing for the Unknowns

At this stage, there are some unknowns about the implications of the new cyber incident notification requirements. One of the unknowns discussed in our recent webinar was related to an official contact person and method for each primary federal regulator. This has since been addressed and we recommend incorporating the following verbiage into the regulator notification section of your Incident Response Plan:

FDIC institutions:

  • Notification can be made to the case manager (primary contact for all supervisory-related matters), to any member of an FDIC examination team if the event occurs during an examination, or if the primary contact is unavailable, the FDIC may be notified by email at: incident@fdic.gov.

OCC Institutions:

  • Notification may be done by emailing or calling the OCC supervisory office. Communication may also be made via the BankNet website, or by contacting the BankNet Help Desk via email (BankNet@occ.treas.gov) or phone (800) 641-5925.

Federal Reserve Institutions:

  • Notification may be made by communicating with any of the Federal Reserve supervisory contacts or the central point of contact at the Board either by email to incident@frb.gov or by telephone to (866) 364-0096.

Another unknown as of the date of this post: Will the State banking regulators also require notification if a federal regulator is notified? The unofficial initial indication we have received is ‘Yes,’ but it would be good practice for institutions to check with their state regulator. Chances are regulators will request this, but whether or not it will be a requirement is still unknown.

Steps to Take Now

There are additional steps financial institutions can take now to be better prepared to address the requirements of the computer-Security Incident Notification Rule.

  • Our primary recommendation is for institutions to expand the notification section of their incident response plan to include the criteria for determination of a notification incident, and to add the regulator contact information above.
  • Institutions should also define “materially” for their organization and predetermine the meaning of “materially disrupted or degraded,” or what constitutes a “material portion” of their customer base.
  • Third-party contracts should contain verbiage obligating them to notify your institution under certain circumstances as required by the new rule. We also strongly advise designating an official contact person within your institution — whether it’s the CEO, CIO, or ISO — who should receive incident notifications from your third parties. It’s also prudent to specify a backup contact person—and make sure vendors know who the primary and alternate contacts are to ensure a smooth notification process.

For more information about this important topic, access our webinar on “New Cyber Incident Notification rules: How to Get Prepared”, or this recent blog post from Compliance Guru.

09 Mar 2022
Microsoft Azure and 365 Security Basics Continued

Microsoft Azure and 365 Security Basics Continued

Microsoft Azure and 365 Security Basics Continued

When your institution acquired Microsoft 365 (also known as M365 and formerly called Office 365), it automatically created a Microsoft tenant with Azure AD. Since that tenant belongs to your organization, you are responsible for managing Azure AD and its security settings. Microsoft Azure services enable various default features that could be incompatible with the security, identity, and compliance requirements of your institution. it’s essential to customize the settings in Azure AD, M365, and Exchange Online (or Azure AD Premium P1, Intune, and Azure Information Protection) to fit your organization’s needs.

Customizing Azure AD Defaults

  • Security Defaults — Turn on security defaults to make it easier for your institution to thwart cyberattacks by using preconfigured security settings. (If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.)
  • Password Policy — Configure the password policy applied to every user account that is created and managed directly in Azure AD. (Institutions with on-premises AD password policies governing password expirations should expect to manually synchronize their Azure AD password policy and their on-premises AD password policy.)
  • Azure AD Device Registration — Prevent users from joining devices on their own and require multi-factor authentication (MFA) to register or join devices with Azure AD.
  • Enterprise and Registered Apps — Keep non-administrator users from arbitrarily adding enterprise or registered applications, which can significantly increase risk. Afterwards, make sure to review every enterprise and registered application.
  • External Collaboration — Restrict regular users from inviting guests for collaboration and keep guest users from signing into your apps and services with their own work, school, or social identities.
  • Hybrid Identity with Password Hash Synchronization — Employ a hybrid identity architecture to synchronize users from on-premises Active Directory to Azure AD to minimize the number of identities users have across various platforms.
  • Azure AD Administration Portal — Limit regular users’ ability to read data in the Azure AD Administration Portal.
  • Administrator Review — Grant administrators only the specific permission they need to do their job and limit the number of static Global Administrator role assignments to fewer than five people.
  • Partners – When working with Microsoft-certified solution providers (partners) to purchase and manage solutions for your institution, they could be granted Global/Helpdesk admin roles giving them delegated administrative capabilities to your Azure instance. Make sure to review all partners and their delegated rights regularly.

Altering M365 and Exchange Online Settings

In M365, you can customize a variety of settings. In OneDrive, SharePoint Online, and Teams, look at configuring external collaboration capabilities of users. For Exchange Online, there are many settings to review but one to start with is the current forwarding capabilities and settings for users both globally and per-user. Modifying or reviewing these settings is highly advisable since they are inherently designed to facilitate interaction and external collaboration. In addition, you can use the Protection Center to secure mobile devices that are connected to your Microsoft 365 organization; the Security Center to refine email management; the Compliance Center to implement an effective data retention policy; and the M365 Admin Center to enhance security with modern authentication, which encompasses MFA. (According to Microsoft, 99.9 percent of account compromises can be blocked with MFA.)

And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

M365 Security Basics Solution

Once your institution has sufficient settings in place to support your policies, it is essential to monitor for exceptions with reporting and alerting features such as those provided with Safe Systems CloudInsight™ M365 Security Basics solution. Financial institutions that partner with Safe Systems can gain critical visibility into their security settings helping them successfully navigate the complexities of optimizing M365’s features..

For more information about how your institution can optimize Azure AD and O365/M365 settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

01 Mar 2022
Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

It can be challenging for financial institutions to manage security, identity, and compliance within Microsoft Azure Active Directory (Azure AD) and Microsoft 365 (also known as M365 and formerly branded as O365). Understanding the services and settings of the Azure AD and M365 ecosystem can make the process easier for IT administrators.

Some of the basic security settings that apply to most organizations fall under the free license level for Azure AD. These are also some of the low-hanging fruit that institutions can easily implement to make a dramatic difference in their security.

Security Defaults

One of the settings that can have the biggest impact is security defaults, which can be enabled to enforce a set of non-configurable conditional access policies. The policy set in Azure includes the ability to require multifactor authentication (MFA) and MFA registration for all users. It also offers the capability to block legacy authentication, which should be a high-priority goal for any organization.

Hackers can exploit basic authentication to effectively bypass MFA, which is a fundamental security service we recommend that every institution implement. If your institution has gone through the effort of enforcing MFA for users—but you’re not blocking basic authentication explicitly—there’s a major security gap. That gap should be addressed immediately, especially given Microsoft’s plans to decommission basic authentication protocols in Exchange Online in October 2022.

Identity Considerations

It’s also crucial to review the identity architecture for your financial institution. Any user, device, or app connecting to Azure should have an identity, whether it’s a guest user, mobile device, Mac OS device, or a Windows computer, so it can be assigned data access rights or even take on administrative capabilities. Every identity outside of Active Directory—which is the primary identity for users in many institutions—is another attack vector in a different system. An effective way to manage different identities is to consolidate them by sourcing them at the AD level and then synchronizing users and their password hashes to Azure AD. You should also review the level of access for all administrators as well as partners as they represent a huge risk downstream. Reviewing the level of access for partners goes beyond security; it’s also a matter of regulatory compliance.

Additional Considerations

Depending on your institution’s license level, there are additional Azure and M365 settings you can adjust in the areas of protection, compliance, and administration. For example, global auditing is an essential setting that should be enabled to augment security and facilitate troubleshooting after attacks. You should also block settings allowing for open collaboration and outbound email forwarding to avoid data loss and minimize cyberattacks.

If your institution is at the M365 level, it also needs the mobile device management (MDM) platform that offers sufficient protection. Exchange Online has built-in MDM capabilities but these capabilities do not extend to all M365/O365 apps.

Conditional access policies govern sign-ins and attempts. They can enable the enforcement of MFA and are the highest control layer for determining who has access to the data within Azure’s security ecosystem.

Since data lives outside of Exchange Online in the M365 world, if your institution has specific compliance requirements for retention, your retention policies will generally need to extend to all data.

M365 Security Basics

Adjusting all the security settings of Azure AD and M365 can be a daunting task, especially since Microsoft is constantly updating the features of its technology services. Our CloudInsight™ M365 Security Basics solution provides insights into security settings for Azure AD and M365 tenants. It helps IT administrators navigate the complexities of customizing their institution’s security settings through three services: reporting, alerting, and quarterly reviews.

The reporting service provides ongoing Microsoft data and packages it into a readable format that shows security settings at a glance, allowing institutions to easily see irregularities, such as when users sign in from Outside of the USA. Alerting sends a notification when an activity indicates that a potential compromise has occurred. With the quarterly reviews, trained experts analyze the settings, reports, and alerts and review them with administrators so they can speak with confidence to their board, steering committees, and auditors about their institution’s technology services and cloud security.

If you need help understanding how M365 Security Basics can support your financial institution’s risk mitigation or strategic planning efforts, contact us. You can learn more about this topic with our “How to Manage Security Identity and Compliance within the Microsoft Azure and M365 Ecosystem” webinar.

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

17 Feb 2022
Microsoft Azure and 365 Security Basics Featured Blog Image_Featured Image

Microsoft Azure and 365 Security Basics

Microsoft Azure and 365 Security Basics Featured Blog Image_Featured Image

Financial Institutions that employ Microsoft 365 (also known as M365 and formerly branded as Office 365) are in the Cloud, and therefore, face a growing number of cyber threats. Consider this: The FBI’s Internet Crime Complaint Center (IC3) has seen a 400-percent increase in cybersecurity complaints since the pandemic started.

The surge in cybercrimes means financial institutions that use M365 need to focus on protecting their assets in the Cloud. Our CloudInsight™ M365 Security Basics makes it easy and affordable for institutions to start the process. M365 Security Basics provides visibility into security settings for Microsoft Azure Active Directory (Azure AD) and M365. Banks and credit unions can leverage this multi-faceted solution to get ahead of cyber threats and enhance cloud security.

Importance of Customizing Your Azure AD and M365 Settings

Your financial institution likely has a Microsoft tenant with Azure AD, whether you realize it or not. This is partly because every exchange online and M365 implementation requires the creation of a Microsoft tenant and Azure AD, even if the services are managed through a third party. There are also many other scenarios requiring the creation a Microsoft tenant, making it rare for most institutions not to have one.

It is important to understand whether you have a Microsoft tenant with Azure AD because the tenant belongs to your institution—not the licensing reseller—it is your obligation to know how to manage the security settings in these systems, including Azure AD, M365, and Exchange Online. This can be challenging because Microsoft’s default settings might conflict with your institution’s security and compliance requirements. Therefore, you must customize these settings to create more sophisticated and appropriate security, identity, and compliance policies for your institution. This should entail building policies around what users are allowed to do, what your institution’s risk assessment defines, what your institution’s compliance policies dictate, and what users will tolerate.

Once your institution has sufficient policies in place, it is essential to monitor for exceptions with reporting and alerting. And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

How M365 Security Basics Can Help

Microsoft is constantly adjusting its platforms and automatically enabling new features to adapt to an ever-evolving security environment, making it difficult for banks and credit unions to keep up. Partnering with a value-added technology expert like Safe Systems can help you better manage your M365 tenant. Our M365 Security Basics service identifies cloud security blind spots and common risks such as compromised user accounts, enabled insecure protocols, and targeted phishing or SPAM attacks.

M365 Security Basics key services:

  • Reporting – Collects Microsoft data that may not be readily available to institutions and assembles it in a user-friendly format
  • Alerting – Delivers notifications for the most common indicators of compromise in Microsoft M365 tenants
  • Quarterly reviews – Provide a vital, objective look at M365 Security Basics reports to help institutions determine the optimal security settings for their requirements

The Importance of MFA

An invaluable security control financial institutions should also consider implementing is multi-factor authentication (MFA). MFA applies a combination of factors to validate people’s identity before giving them access to sensitive data, account information, and other assets. MFA offers effective, low-cost protection against cyberattacks and other threats; and not implementing this security feature in Azure AD is risky. According to Microsoft, 99.9 percent of account compromises can be blocked with MFA, but the overall MFA adoption rate we have seen in the financial industry is only around 46 percent.

The bottom line: Microsoft is constantly enabling and disabling features in Azure AD and M365—, therefore, financial institutions must be able to manage the complexities of optimizing their security, identity, and compliance settings. To learn more about how your institution can customize Azure AD and M365 settings to enhance cloud security, read our “Azure and M365 Security Basics” white paper.

02 Feb 2022
Compliance Review and Tactics

2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022

Compliance Review and Tactics

With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council’s (FFIEC) and Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.

The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.

Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA Patriots Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non appointment-related) FFIEC releases in 2021 were related to BSA/AML.

In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.

One additional item of note in 2021; the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.

Tips, Tricks, and Tactics

One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.

Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.

What to Consider in 2022 and Current Trends

Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.

Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.

Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”

19 Jan 2022
Balancing Strategy and Compliance

Balancing Strategy and Compliance: Addressing the Strategic Needs of Your Institution While Remaining Compliant

Balancing Strategy and Compliance

Banks and credit unions require a complex interconnected infrastructure to support their employees, serve customers, and maintain their operations. This entails an array of owned and outsourced elements: hardware, software, controls, processes, and evolving technologies such as cloud, artificial intelligence (AI), machine learning, and more. In addition, effective data governance and data management are fundamental to maintaining the confidentiality, integrity, and availability of information. The data management process is highly regulated and financial institutions are under increasing pressure when trying to balance the strategic needs of their organization with the increased demands for remote employees and online customers.

Evolving Remote Workforce and Customer Base

Over the past couple of decades, advancements in communication and technologies have allowed for a more mobile workforce and customer base, and the ongoing COVID-19 pandemic quickly intensified this trend. During the first year of the pandemic, Gartner conducted a survey that found 82% of businesses intended to allow remote work at least part of the time, with 47% of companies allowing it full time. Although 2o20 represented a significant increase in remote work and digital engagement, the trend seems to be continuing for the foreseeable future. According to Upwork’s Future Workforce Report 2021, 40.7 million American professionals, nearly 28% of respondents, will be fully remote in the next five years, up from 22.9% from the last survey conducted in November 2020.

This trend requires adding more technology and devices to enable online access to financial services, and to enable secure access to the information and other resources needed for remote workers to perform their duties away from the office. Banking customers want convenient access to financial services, whether through a physical location, the internet, or a mobile app, and institutions need the tools and techniques to keep them secure. With more devices in the hands of employees and customers, there are many more vectors for cyberattacks and way more endpoints to secure. Even institutions that have been trying to avoid the risks that come with enabling remote engagement are forced to reevaluate the costs and benefits.

Increasing Regulatory Requirements

Privacy and data security have become key compliance issues for financial institutions as they adapt to accommodate employees and customers who prefer to work and bank remotely. From a regulatory standpoint, the Federal Financial Institution Examination Council (FFIEC) has always expected financial institutions to have data management controls in place to protect data in physical and digital forms wherever the data is stored, processed, or transmitted. This includes any data relating to the organization, its employees, and its customers. “The data management process involves the development and execution of policies, standards, and procedures to acquire, validate, store, protect, and process data,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet. “Effective data management ensures that the required data are accessible, reliable, and timely to meet user needs.”

The FFIEC requires institutions to follow a wide range of other guidelines and procedures, which are reflected in various FFIEC booklets and include:

  • Governance – Management should promote effective IT governance by establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems.
  • Know-your-customer – Financial institution management should choose the level of e-banking services provided to various customer segments based on customer needs and the institution’s risk assessment considerations.
  • Resilience – Financial institutions are responsible for business continuity management (BCM), which is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

Strategic Compliance Solutions

With so many compliance issues to address, it can be difficult to balance the needs of your financial institution, your remote workers, and your customers. Safe Systems has a team of compliance experts and a broad range of compliance solutions to help you manage government regulations, information security, and reporting efficiently. Our team of compliance experts are trained in banking regulations, hold numerous certifications, and are laser-focused on delivering the tools and knowledge to give you compliance peace of mind.