
Tag: 2024

26 Dec 2024

Navigating M365 Security: Insights from Our 4-Part Immersion Training

The highly anticipated and well-attended M365 Security Immersion Training event explored the nuances of Microsoft 365 (M365) security. Led by seasoned experts and M365-certified security administrator associates, this series offered critical insights into Conditional Access Policies, Azure/Entra ID tenant configurations, and the transformative role of Artificial Intelligence (AI) in community banking. For those bankers eager to strengthen their security strategies and mitigate unauthorized access threats, each webinar session was recorded and is now available to watch. Below is a summary of the valuable lessons, hands-on guidance, and actionable takeaways from each session:

Part 1: Understanding and Avoiding Misconfigurations in Conditional Access Policies

Conditional Access Policies (CAPs) are critical to safeguarding your financial institution’s sensitive data, but a misconfigured policy can be worse than none: it either fails to block what it should or locks out the people who need access. The opening session examined the typical errors in CAP setups and explained in detail how to correct them. Participants learned the essential terminology, such as Entra ID and Named Locations, and were walked through the common pitfalls: forgetting to exclude break-glass (emergency access) accounts, so that a bad policy can lock every administrator out; defining Named Locations too loosely, for example trusting an entire country or an IP range the institution no longer controls; and leaving gaps in Multi-factor Authentication (MFA) requirements, such as a policy scoped to some applications but not all. The training emphasized ongoing CAP management, including testing new policies in report-only mode before enforcing them, and shared best practices for keeping these controls effective as the tenant changes.

Part 2: Elevate Your M365 Security Game

The second session covered Microsoft 365’s security infrastructure and what distinguishes it from Office 365: the added security, identity, and compliance services. Our experts walked through M365’s key security features, including Security Defaults, global auditing, and the clean-up of legacy mailbox protocols, and stressed best practices for managing each. The session also highlighted application registration and consent, preventing users from starting trials or buying licenses on their own, managing administrative roles, and securing email delivery. It included a handy infographic of overlooked M365 security features to help you implement everything available under your license type. Overall, this hands-on training demonstrated why keeping pace with these controls matters in staying ahead of evolving threats.

Part 3: Mastering Azure Tenant Configuration: CAPs and Intune Deployment

Azure and Entra ID offer a great deal of capability, but that capability only protects you when it is configured deliberately. This session provided guidance on managing Azure/Entra ID tenants effectively, implementing CAPs, and deploying Intune. It covered user-based exclusions from CAPs (and why they should be few and reviewed regularly), Intune objectives, and tips for device and network maintenance. Attendees gained insight into crafting and enforcing policies that block unmanaged or non-compliant devices and control which applications may be used, alongside strategies for routine device and policy maintenance to keep that protection from eroding over time.

Part 4: AI Governance and Accountability in Azure

Exploring the growing role of Artificial Intelligence (AI) in banking, this concluding session emphasized understanding governance and responsibility in deploying AI tools like Microsoft Copilot. It explained Copilot’s features and architecture, the importance of access control, and the implications of global data handling. With comprehensive insights, participants were shown how to balance innovation with security and compliance, maximizing data utility while safeguarding organizational integrity.

Watch All Four Sessions

These sessions provide security best practices and strategic insights into managing M365 environments effectively. Packed with practical demonstrations, expert advice, and interactive segments, the M365 Security Immersion Training is invaluable for financial institutions seeking to strengthen their security posture. Now you can access all recordings and tap into the wealth of knowledge this series offers.

07 Nov 2024

Unmanaged Azure Tenants: A Hidden Security Risk

If your institution uses Exchange Online or Microsoft 365 for email, you have a Microsoft Entra ID (formerly Azure Active Directory) tenant, commonly called the Azure tenant, whether or not anyone has ever opened the Azure portal. Many institutions are unaware that this tenant requires management and continuous monitoring to remain secure. Certain settings should be locked down from the start, others require adjustment for your environment, and some need ongoing monitoring. In serving hundreds of community banks and credit unions across the US, we have identified numerous tenants that are either unmanaged or improperly managed. This exposes weaknesses that bad actors can exploit, potentially leading to compromised accounts and data exfiltration.

Outlined below are some common issues we have encountered. The numbers referenced are based on the average annual count of activities per 100 institutions.

Compromised User Accounts

Each year, we observe approximately 1,000 successful logins from outside the United States. While some of these logins occur when employees are traveling, many do not. Often these logins indicate a compromised account.

Institutions should block or limit logins from outside the US based on business requirements and employee work patterns, while also monitoring and alerting for these occurrences.
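The following is an added example, not code from the original post or from Safe Systems, of what "block or limit logins from outside the US" and "monitor and alert" look like in practice. It uses the Microsoft Graph PowerShell SDK (Conditional Access and sign-in log access require Entra ID P1). The break-glass account name, the country list and the seven-day window are placeholders. The policy is created in report-only mode, which is the same safeguard that the "Unmanaged Azure Tenants" findings and the MFA statistics further down call for: you can see in the sign-in log what the policy would have blocked, including sign-ins that presented a correct password but failed MFA, before you enforce it.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph PowerShell SDK and Entra ID P1.
# Assumptions: the break-glass UPN is a placeholder; 'US' is the only country the institution operates from.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','AuditLog.Read.All','User.Read.All'

$breakGlassUpn = 'breakglass@example.com'                 # placeholder: your emergency-access account
$breakGlass    = Get-MgUser -UserId $breakGlassUpn -Property Id

# 1. Named location listing the countries where sign-ins are legitimate. Setting
#    includeUnknownCountriesAndRegions to $false makes sign-ins whose country cannot be
#    resolved count as outside the allowed set (fail closed).
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: block every user and every cloud app unless the sign-in comes from an allowed
#    country. Report-only first, so its effect shows up in the sign-in log without blocking anyone.
#    The break-glass account is excluded so that a mistake here cannot lock all administrators out.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-in from outside allowed countries'
    state         = 'enabledForReportingButNotEnforced'     # change to 'enabled' after reviewing the log
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($allowedCountries.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null

# 3. Monitoring: successful sign-ins from outside the allowed countries in the last 7 days, and
#    failed sign-ins where the password step succeeded but the MFA requirement was not met.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$foreign = $signIns | Where-Object { $_.Location.CountryOrRegion -and $_.Location.CountryOrRegion -ne 'US' }

$foreignSuccess    = $foreign | Where-Object { $_.Status.ErrorCode -eq 0 }
$foreignMfaStopped = $foreign | Where-Object {
    $_.Status.ErrorCode -ne 0 -and
    $_.AuthenticationRequirement -eq 'multiFactorAuthentication' -and
    # heuristic: the per-step details show a 'Password' step that succeeded before the sign-in failed
    ($_.AuthenticationDetails | Where-Object { $_.AuthenticationMethod -eq 'Password' -and $_.Succeeded })
}

$foreignSuccess |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, AppDisplayName |
    Format-Table -AutoSize

"Successful non-US sign-ins (7d):         $($foreignSuccess.Count)"
"Non-US sign-ins stopped only by MFA (7d): $($foreignMfaStopped.Count)"
```

Every account in the second list had its password presented correctly by someone outside the country; treat those as compromised passwords and reset them rather than waiting for the attacker to find a way around MFA. Once the report-only results contain only the travellers you expect, change the policy state to enabled.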

Unknown Users

While exact numbers are unavailable, we often encounter this issue when conducting reviews with customers. We frequently discover accounts that the institution cannot identify and are not associated with current employees. Some of these may be old accounts that were not deactivated upon an employee’s departure. However, there is a risk that some of these accounts were created by bad actors with malicious intent. In some cases, we discovered that the accounts were created with administrator privileges, allowing cybercriminals full access.
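Finding accounts the institution cannot explain is a query, not guesswork. Below is an added example, not code from the original post, that lists cloud-only member accounts (those not synchronized from the on-premises directory that HR feeds), flags which of them hold an administrative role, shows accounts that have not signed in for 90 days, and pulls from the directory audit log who created each recent account and from what IP address. It uses the Microsoft Graph PowerShell SDK; the 90-day and 30-day windows are placeholders, and the last-sign-in data needs Entra ID P1.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph PowerShell SDK;
# SignInActivity needs an Entra ID P1 license in the tenant.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','Directory.Read.All'

$props = 'Id','UserPrincipalName','DisplayName','CreatedDateTime','AccountEnabled',
         'UserType','OnPremisesSyncEnabled','SignInActivity'
$users = Get-MgUser -All -Property $props

# 1. Privileged role membership keyed by object id, so each finding shows whether the
#    unexplained account also holds a role.
$roles = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($roles.ContainsKey($m.Id)) { $roles[$m.Id] += @($role.DisplayName) }
        else                           { $roles[$m.Id]  = @($role.DisplayName) }
    }
}

$cutoff = (Get-Date).AddDays(-90)
$report = $users | ForEach-Object {
    [pscustomobject]@{
        UPN        = $_.UserPrincipalName
        Created    = $_.CreatedDateTime
        Enabled    = $_.AccountEnabled
        Type       = $_.UserType
        CloudOnly  = -not $_.OnPremisesSyncEnabled          # created directly in the tenant, not by AD sync
        LastSignIn = $_.SignInActivity.LastSignInDateTime
        Roles      = ($roles[$_.Id] -join ', ')
    }
}

# 2. Findings. A missing LastSignIn compares as older than any date, so accounts that were
#    never used are caught as well.
$stale     = $report | Where-Object { $_.Enabled -and $_.LastSignIn -lt $cutoff }
$unknown   = $report | Where-Object { $_.CloudOnly -and $_.Type -eq 'Member' }   # every one of these needs an owner
$privCloud = $unknown | Where-Object { $_.Roles }                                # cloud-only AND privileged: review first

# 3. Who created the accounts added in the last 30 days, from the directory audit log.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$created = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Add user' and activityDateTime ge $since" |
    Select-Object ActivityDateTime,
        @{ n = 'CreatedBy'; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'FromIP';    e = { $_.InitiatedBy.User.IPAddress } },
        @{ n = 'NewUser';   e = { $_.TargetResources[0].UserPrincipalName } }

$privCloud | Format-Table -AutoSize
$unknown   | Format-Table -AutoSize
$stale     | Format-Table -AutoSize
$created   | Format-Table -AutoSize
```

An account that is cloud-only, holds Global Administrator, and was created by another administrator from an unfamiliar IP address is the pattern described above; the audit log entry tells you which administrative account to treat as compromised.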

Forwarding of Emails to Outside Accounts

Email forwarding or redirection is added to email accounts approximately 700 times a year. Discussions with multiple institutions revealed that, in many cases, these settings were not configured by authorized personnel. Forwarding can be set at the mailbox level or as an inbox rule, and either form survives a password reset, so bad actors use it to keep reading a specific account’s mail long after they have lost direct access. Institutions should inventory both forms, block automatic forwarding to external domains in the outbound spam policy, and alert on any newly created forwarding rule.

Permissions to Access Someone’s Email Account (e.g., “Send as,” “On behalf of”)

Much like the previous example, mailbox permissions are frequently being altered. Instead of redirecting mail, these changes grant another account “Send As” or “Send on Behalf” rights (or Full Access), allowing an unauthorized individual to send email that appears to come from the victim. We observe this approximately 2,600 times annually. These changes are often unknown to the institution, indicating that a bad actor may have gained control of an email account. Note that Send As rights can only be granted by an administrator, so an unexplained grant points to a compromised administrative account or session; Send on Behalf can also be granted by the mailbox owner through Outlook delegation, so it may indicate the user’s own session was hijacked.
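The forwarding and delegation findings in the two sections above come from the same kind of inventory. The following is an added example, not code from the original post, that lists mailbox-level forwarding, inbox rules that forward or redirect, Send As, Send on Behalf and Full Access grants, and then searches the unified audit log for who made those changes and from what IP address. It uses the ExchangeOnlineManagement module; the 30-day window is a placeholder.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module and a
# role that can read mailbox configuration and search the unified audit log.
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set with Set-Mailbox or the admin center; survives password resets).
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect. Anyone holding the user's session can create these from
#    Outlook on the web, and the rule keeps working after the password changes.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Delegation: Send As, Send on Behalf and Full Access granted to other accounts.
$sendAs = Get-RecipientPermission -ResultSize Unlimited |
    Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Identity, Trustee, AccessRights

$sendOnBehalf = $mailboxes |
    Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object UserPrincipalName, GrantSendOnBehalfTo

$fullAccess = $mailboxes | ForEach-Object {
    Get-MailboxPermission -Identity $_.UserPrincipalName |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object Identity, User, AccessRights
}

# 4. Who made these changes? The unified audit log records the cmdlet, the acting account and the
#    client IP. Rules created from the Outlook desktop client appear as 'UpdateInboxRules' rather
#    than 'New-InboxRule', so both are included. 5000 is the per-call maximum; page with
#    -SessionCommand ReturnLargeSet in a large tenant.
$auditOps = 'Set-Mailbox','New-InboxRule','Set-InboxRule','UpdateInboxRules',
            'Add-RecipientPermission','Add-MailboxPermission'
$changes = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -Operations $auditOps -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object {
        # keep Set-Mailbox only when a forwarding or delegation parameter was touched
        $_.Operation -ne 'Set-Mailbox' -or
        ($_.Parameters | Where-Object { $_.Name -in 'ForwardingSmtpAddress','ForwardingAddress','GrantSendOnBehalfTo' })
    } |
    Select-Object CreationTime, UserId, Operation, ClientIP, ObjectId,
        @{ n = 'Parameters'; e = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }

$mailboxForwarding | Format-Table -AutoSize
$ruleForwarding    | Format-Table -AutoSize
$sendAs            | Format-Table -AutoSize
$sendOnBehalf      | Format-Table -AutoSize
$fullAccess        | Format-Table -AutoSize
$changes           | Format-Table -AutoSize
```

Run the inventory once to establish a baseline that the institution signs off on, then run the audit-log search on a schedule and alert on any entry whose UserId is not an administrator you expect to be making these changes.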

Unauthorized Use of Sharing Tools to Share Files with External Users (e.g., OneDrive)

Many institutions say their employees are prohibited from sharing files outside the organization. However, we encounter numerous instances where this is not actually enforced. Safe Systems, for example, observes approximately 2,000 files shared externally through OneDrive each year. This discrepancy highlights a common issue: having expectations without the technical knowledge to enforce them effectively.
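The gap between "employees are prohibited from sharing externally" and what the tenant actually permits can be measured. Below is an added example, not code from the original post, that reads the tenant’s current sharing settings and then pulls every sharing event from the unified audit log for the last 30 days, keeping only those whose recipient is outside the organization (a guest account, an external e-mail address, or an anonymous link that needs no identity at all). It uses the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules; the admin URL and the internal domain are placeholders.

```powershell
# Added example (not from the original post). Requires ExchangeOnlineManagement (unified audit log)
# and Microsoft.Online.SharePoint.PowerShell. The admin URL and internal domain are placeholders.
Connect-ExchangeOnline
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. What the tenant permits today. 'ExternalUserAndGuestSharing' allows anonymous links;
#    'Disabled' blocks sharing with anyone outside the directory.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode

# 2. Sharing events in the last 30 days. 5000 is the per-call maximum; page with
#    -SessionCommand ReturnLargeSet if a tenant generates more than that.
$shareOps = 'SharingSet','SharingInvitationCreated','AnonymousLinkCreated','SecureLinkCreated','AddedToSecureLink'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -RecordType SharePointSharingOperation -Operations $shareOps -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

# 3. Keep only shares whose target is outside the tenant: guest accounts carry '#ext#' in the UPN,
#    invitations name an external address, and anonymous links have no target at all.
$internalDomain = 'contoso.com'   # placeholder: the institution's own verified domain
$external = $events | Where-Object {
    $_.Operation -eq 'AnonymousLinkCreated' -or
    ($_.TargetUserOrGroupName -and (
        $_.TargetUserOrGroupName -like '*#ext#*' -or
        $_.TargetUserOrGroupName -notlike "*@$internalDomain"))
}

$external |
    Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName, TargetUserOrGroupType, ClientIP |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize

"External shares (30d): $($external.Count)"
```

If the first command shows a sharing capability other than Disabled, the prohibition exists only on paper; the event list shows who has been relying on that, and which items left the organization.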

Insecure Protocols Enabled

We do not have specific instances of exploits from insecure protocols as we address these during our initial customer setups. However, it is important to note that establishing the correct protocols is critical to ensuring your Azure tenant remains safe and secure.

Attempts to Log in as a User

While some end users may find multifactor authentication (MFA) burdensome, it is essential in today’s cybersecurity landscape. We observe around 50 instances annually where logins from outside the US presented the correct password but failed the MFA requirement. These are almost certainly bad actors who were not able to fully compromise the account simply because of MFA. We have also observed over 6,000 instances of “a large number” of failed login attempts (as defined by Microsoft) annually. Both statistics underscore the vital role MFA plays in restricting unauthorized access. A correct password followed by an MFA failure should be treated as a compromised password rather than a near miss: reset it and review the account’s recent activity.

Configuring your tenant securely and implementing Conditional Access Policies (CAPs) with appropriate compensating controls are crucial steps in mitigating these types of risks. Regular monitoring and alerting on suspicious activities are equally important. This is why we developed M365 Security Basics to enhance visibility, reporting, and alerting for security settings within Entra ID (formerly Azure Active Directory). This tool is designed to help community banks and credit unions, like yours, identify and mitigate common security risks more effectively.

10 Oct 2024

Elevate Your M365 Security Game: Tips from Our Certified Pros!

In a recent webinar, our M365-certified security administrators provided an in-depth look at various Microsoft 365 building blocks such as security configurations, features, and policies. The session also covered the significance of secure email protocols, data protection, and the continuous evolution of cloud security technologies.

This blog highlights several key security features and best practices to help you protect your institution’s data and ensure that only authorized users gain access to critical systems.

Understanding Key Terminology

M365 vs. Office 365

Office 365 features familiar tools such as Exchange Online, SharePoint, OneDrive, and Teams. Microsoft 365 (M365) enhances this suite by incorporating additional technologies focused on security, identity, and compliance, offering a more comprehensive package.

Entra ID

Essential for identity management, Entra ID holds the users, groups, devices, and service principals (the identities of applications) that every other security configuration refers to; Conditional Access, Intune compliance, and application permissions all key off objects that live here.

Security, Identity, and Compliance (SIC)

These conceptual buckets guide the technological frameworks and policies that ensure data security, identity assurance, and regulatory compliance.

M365 Security Features Breakdown

Security Defaults

Security Defaults provide a pre-configured baseline by enforcing a fixed, non-customizable set of policies: legacy authentication is blocked, all users must register for multifactor authentication (MFA) within 14 days of their first sign-in, administrators must use MFA, and so must anyone accessing the Azure management tools. However, registration does not equal enforcement. For ordinary users, Security Defaults prompt for MFA only when Microsoft’s risk signals (such as a new device or location) call for it, not at every sign-in.

Consider implementing per-user MFA or, where your license includes Entra ID P1, Conditional Access Policies to enforce MFA at every sign-in and close the gap left by relying on Security Defaults alone. Note that Security Defaults and Conditional Access are mutually exclusive: Security Defaults must be turned off before CAPs can be enabled, so have the replacement policies ready (tested in report-only mode) before you switch.
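The distinction between registered and enforced can be checked directly. Below is an added example, not code from the original post, that reads whether the tenant is relying on Security Defaults and then uses the authentication-method registration report to list users who have no MFA method registered at all and users whose only registered methods are phishable (no FIDO2 key, passkey or Windows Hello). It uses the Microsoft Graph PowerShell SDK; the method-name pattern is a placeholder you may want to widen.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All'

# 1. Is the tenant relying on Security Defaults? Security Defaults and Conditional Access are
#    mutually exclusive, so CAPs cannot be enabled while this reports $true.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Registration is not enforcement. The registration report shows who has set up a method at
#    all; a user listed as registered can still sign in with only a password anywhere no policy
#    challenges them.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered = $report | Where-Object { -not $_.IsMfaRegistered }
$phishableOnly = $report | Where-Object {
    # placeholder pattern: treat only FIDO2 keys, passkeys and Windows Hello as phishing-resistant
    $_.IsMfaRegistered -and -not ($_.MethodsRegistered -match 'fido2|passKey|windowsHelloForBusiness')
}

# 3. Administrators without a registered method are the most urgent gap, so sort them to the top.
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, DefaultMfaMethod, LastUpdatedDateTime |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

$phishableOnly |
    Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } } |
    Format-Table -AutoSize

"Users with no MFA method registered:        $($notRegistered.Count)"
"Users registered only with phishable methods: $($phishableOnly.Count)"
```

The first list is the set of accounts for whom MFA is purely theoretical today; the second is where to start when moving to the phishing-resistant methods discussed later on this page.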

Applications

Registered Applications and Enterprise Applications can pose significant risks if not properly managed. By default, Microsoft allows users to register applications, which could potentially introduce security vulnerabilities without an administrator’s knowledge.

Consider disabling this default, along with the related default that lets users consent to third-party applications on their own behalf, and actively manage which applications receive permissions so that no application gains access to your data without an administrator’s review.
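Turning off user application registration and user consent, and then finding out what users have already consented to, is a short script. Below is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK. It reads the current defaults, sets the two switches, then lists every per-user consent grant with the application, publisher, user and permission scopes, and finally lists application registrations with their owners for review. The scope pattern used to prioritize the list is a placeholder.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','Directory.Read.All','Application.Read.All'

# 1. Current tenant-wide defaults for ordinary (non-admin) users.
$authz = Get-MgPolicyAuthorizationPolicy
$authz.DefaultUserRolePermissions |
    Select-Object AllowedToCreateApps, AllowedToCreateSecurityGroups, AllowedToReadOtherUsers,
        PermissionGrantPoliciesAssignedToDefaultUserRole

# 2. Stop users registering applications and consenting to third-party apps on their own behalf.
#    An empty grant-policy list means every consent request goes to the admin consent workflow
#    instead of being granted silently.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps                              = $false
    PermissionGrantPoliciesAssignedToDefaultUserRole = @()
}

# 3. What have users already consented to? ConsentType 'Principal' is a per-user grant; the Scope
#    string lists what the app may do with that user's data.
$spById = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,PublisherName |
    ForEach-Object { $spById[$_.Id] = $_ }

$userGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    Select-Object @{ n = 'App';       e = { $spById[$_.ClientId].DisplayName } },
                  @{ n = 'Publisher'; e = { $spById[$_.ClientId].PublisherName } },
                  @{ n = 'User';      e = { (Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName).UserPrincipalName } },
                  Scope

# Grants that can read or send mail, read files, or act without the user present come first.
# (placeholder pattern: extend for the scopes that matter in your environment)
$userGrants | Where-Object { $_.Scope -match 'Mail\.|Files\.|Contacts\.|offline_access' } |
    Sort-Object App | Format-Table -AutoSize
$userGrants | Sort-Object App | Format-Table -AutoSize

# 4. Application registrations and who owns them, newest first, for the same review.
Get-MgApplication -All -Property Id,DisplayName,CreatedDateTime,SignInAudience | ForEach-Object {
    $owners = Get-MgApplicationOwner -ApplicationId $_.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    [pscustomobject]@{
        App      = $_.DisplayName
        Created  = $_.CreatedDateTime
        Audience = $_.SignInAudience
        Owners   = ($owners -join ', ')
    }
} | Sort-Object Created -Descending | Format-Table -AutoSize
```

Revoking a grant you do not recognise is done by removing the OAuth2 permission grant for that client and principal; the list above gives you the identifiers to do it with.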

Global Auditing

Microsoft’s Purview compliance technology includes a crucial feature, the unified audit log (global auditing), that records user and administrator activity across Exchange, SharePoint, OneDrive, Teams, and Entra ID. If the tenant is compromised, these logs are vital for forensic investigation to determine the breach’s extent and carry out proper remediation; without them you may be unable to tell what the attacker read, forwarded, or changed.

Confirm this setting is enabled in your tenant rather than assuming it is; it has not been on in every tenant, and it only records activity from the moment it is turned on, so there is nothing to recover for the period before. Check the retention period as well, since the default retention is limited and a breach is often discovered months after it began.

Office Store and Trial Accounts

Allowing users to purchase licenses and trials with their work identities, including AI tools like Copilot, may expose sensitive data inadvertently.

Consider disabling the ability for users to make these purchases on their own, as restricting user capabilities ensures organizational oversight and protects against data breaches stemming from unauthorized applications.

Administrative Roles, Partners, and GDAP

Regular reviews of administrative roles and partner access, such as access granted through Granular Delegated Admin Privileges (GDAP), are crucial. Microsoft recommends fewer than five Global Administrators (and at least two, so one can serve as an emergency-access account), using less-privileged roles such as Exchange Administrator or User Administrator for day-to-day work, and applying the principle of least privilege to partners as well: a GDAP relationship should grant only the roles the partner needs, for a limited duration.

Consider conducting these reviews regularly to ensure security and compliance.

Exchange Online and Communication Protocols

Mailbox Protocols

The legacy mailbox protocols (IMAP, POP3, and Exchange ActiveSync) carry different risks, historically because they allowed or relied on Basic authentication, which sends a reusable username and password and cannot participate in MFA. Microsoft has since disabled Basic authentication for these protocols tenant-wide in Exchange Online; SMTP AUTH (used by scanners and line-of-business applications to send mail) is the remaining exception and is still controlled per tenant and per mailbox.

Consider disabling unused protocols, and SMTP AUTH everywhere it is not specifically needed, to minimize this exposure.
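Here is an added example, not code from the original post, of that clean-up with the ExchangeOnlineManagement module: it reports the tenant-wide state, lists the mailboxes that still have POP, IMAP or SMTP AUTH switched on, turns them off except for an allow list of devices that must still submit mail, changes the CAS mailbox plan so future mailboxes are created with the same settings, and disables SMTP AUTH as the tenant default. The scanner address is a placeholder.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Tenant-wide state. Microsoft has retired Basic auth for POP, IMAP, EAS and the other legacy
#    protocols in Exchange Online; SMTP AUTH is the remaining Basic-auth path.
"Default authentication policy : $((Get-OrganizationConfig).DefaultAuthenticationPolicy)"
"SMTP AUTH disabled tenant-wide: $((Get-TransportConfig).SmtpClientAuthenticationDisabled)"

# 2. Mailboxes that still have a legacy protocol switched on. SmtpClientAuthenticationDisabled is
#    $null when the mailbox inherits the tenant setting, so only an explicit $false is flagged here.
$cas    = Get-CASMailbox -ResultSize Unlimited
$legacy = $cas | Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false }
$legacy |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 3. Turn off what is unused. POP and IMAP are rarely needed by a bank's users. SMTP AUTH is often
#    needed by scanners/MFPs, so it stays enabled only on those mailboxes. ActiveSync is left alone
#    here because Intune-managed phones may depend on it.
$keepSmtpAuth = @('scanner@contoso.com')   # placeholder: devices that must still submit via SMTP AUTH
foreach ($m in $legacy) {
    Set-CASMailbox -Identity $m.Identity -PopEnabled $false -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled:($m.PrimarySmtpAddress -notin $keepSmtpAuth)
}

# 4. Make the same the default for mailboxes created in future (the CAS mailbox plan applies at
#    mailbox creation; it does not change existing mailboxes, which step 3 already covered).
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# 5. Tenant default: SMTP AUTH off. The per-mailbox value set in step 3 overrides this for the
#    devices that need it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 6. Verify nothing unexpected is still enabled.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object DisplayName, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

After step 5, any device on the allow list that later fails to send mail is a sign it was using Basic SMTP AUTH from an address you did not list; add it deliberately rather than re-enabling SMTP AUTH tenant-wide.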

Receive Connectors

Email architectures that route inbound mail through a third-party edge service (spam filtering, archiving, or a secure email gateway) have a gap: every Exchange Online tenant also has a public, organization-specific SMTP endpoint (the *.mail.protection.outlook.com host that the MX record would normally point to) that accepts mail directly, from any sender, without authentication. An attacker who knows or guesses that hostname can deliver mail straight to the tenant and bypass the edge service’s filtering entirely.

Consider configuring an inbound connector (the Exchange Online equivalent of an on-premises Receive Connector) restricted to the edge provider’s IP ranges, backed by a mail flow rule that rejects external mail arriving from any other source, so that the only path into the organization is the one you filter.
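Below is an added example, not code from the original post, of that configuration with the ExchangeOnlineManagement module. It creates a Partner inbound connector that accepts mail for any sender domain only from the gateway’s IP ranges, enables Enhanced Filtering so Exchange Online Protection evaluates the true originating IP rather than the gateway’s, and adds a mail flow rule that rejects external mail from anywhere else. The 203.0.113.0/24 range is a placeholder for the gateway provider’s published outbound addresses.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module.
# Assumption: 203.0.113.0/24 stands in for the third-party gateway's published outbound IP ranges.
Connect-ExchangeOnline
$gatewayIps = @('203.0.113.0/24')

# 1. Inbound Partner connector restricted to the gateway. With SenderDomains '*' and
#    RestrictDomainsToIPAddresses, Exchange Online rejects mail for every sender domain unless it
#    arrives from one of the listed IPs.
New-InboundConnector -Name 'Inbound from mail gateway only' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses $gatewayIps -RestrictDomainsToIPAddresses $true `
    -RequireTls $true -Enabled $true | Out-Null

# 2. Enhanced Filtering: skip the gateway's IP when evaluating SPF and reputation, so EOP sees the
#    real sender instead of treating every message as coming from the gateway.
$connector = Get-InboundConnector -Identity 'Inbound from mail gateway only'
Set-InboundConnector -Identity $connector.Identity -EFSkipLastIP $true

# 3. Mail flow rule that rejects external messages not delivered via the gateway. This makes the
#    rejection explicit and visible in message trace. Use -Mode Audit first to see what it would
#    reject (internal system notifications are already excluded by FromScope), then switch to Enforce.
New-TransportRule -Name 'Reject direct delivery that bypasses the gateway' `
    -FromScope NotInOrganization -ExceptIfSenderIpRanges $gatewayIps `
    -RejectMessageReasonText 'Direct delivery to this organization is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' -Mode Enforce | Out-Null

# 4. Verify the connector and rule exist with the expected settings.
Get-InboundConnector |
    Select-Object Name, ConnectorType, SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses, EFSkipLastIP
Get-TransportRule -Identity 'Reject direct delivery that bypasses the gateway' |
    Select-Object Name, State, Mode, FromScope, ExceptIfSenderIpRanges
```

To confirm the gap is closed, send a test message from a host outside the gateway ranges directly to the tenant’s *.mail.protection.outlook.com address; it should be rejected with the 5.7.1 text above, and the message trace should show the rule that rejected it.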

Sharing in SharePoint and OneDrive

Sharing capabilities in SharePoint and OneDrive can expose organizations to external threats if not properly managed. External users leveraging shared links can gain unauthorized access to sensitive information, posing significant security risks.

Consider restricting sharing capabilities to internal users, or at minimum disabling anonymous (“anyone”) links and requiring external recipients to authenticate, so that shared links cannot become an unmonitored exit for data.

Teams External Communication

By default, Teams external access (federation) is open to every other Microsoft 365 organization and to personal Teams accounts, which makes it a potential risk vector: unrestricted external communication allows chats and calls from unknown and potentially malicious senders, including phishing delivered as a Teams message rather than an email.

Consider locking down these settings so that interactions are limited to an allow list of known partner domains, and disable guest access unless there is a documented business need for it.
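The SharePoint/OneDrive sharing lockdown in the previous section and the Teams lockdown in this one are usually applied together. Below is an added example, not code from the original post, that does both with the Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules: sharing is set to internal-only tenant-wide and for OneDrive, sites that had been opened up are listed, Teams federation is reduced to an allow list, chat with personal Teams accounts is blocked, and guest access is disabled. The admin URL and partner domain are placeholders.

```powershell
# Added example (not from the original post). Requires Microsoft.Online.SharePoint.PowerShell and
# MicrosoftTeams. The admin URL and the partner domain list are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Connect-MicrosoftTeams

# 1. SharePoint / OneDrive: internal-only sharing. OneDrive cannot be more permissive than the
#    tenant setting, but set both explicitly so the intent is recorded.
Set-SPOTenant -SharingCapability Disabled -OneDriveSharingCapability Disabled `
    -DefaultSharingLinkType Internal -DefaultLinkPermission View

# Per-site settings can only be tighter than the tenant. Record any site that had been opened up
# so it is not silently re-exposed if the tenant setting is later relaxed for a business case.
Get-SPOSite -Limit All -IncludePersonalSite $false |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability | Format-Table -AutoSize

# 2. Teams: replace open federation with an allow list of partner domains, and block chat with
#    personal (consumer) Teams accounts in both directions.
$partnerDomains = @('corebank-vendor.example')   # placeholder: partners you still need to reach in Teams
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $partnerDomains `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Guest access (inviting outsiders into your teams) is a separate switch from federation.
Set-CsTeamsClientConfiguration -AllowGuestUser $false

# 3. Verify.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, DefaultLinkPermission
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
Get-CsTeamsClientConfiguration | Select-Object AllowGuestUser
```

Teams policy changes can take some hours to propagate, so verify the federation settings again the next day before telling users the lockdown is complete.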

Advanced Levels of Security

Conditional Access Policies (CAPs)

These advanced security rules specify who can access resources and under what conditions, enhancing the security posture when combined with telemetry from services like Entra ID and Intune. CAPs help ensure that only authorized users under specific conditions can access sensitive resources.

Consider implementing Conditional Access Policies to enhance security by defining access conditions based on user and device attributes.

Hybrid Computer Identity

Synchronizing on-premises Active Directory computers with Entra ID (hybrid join) gives each domain-joined PC a device identity in the cloud, so a CAP can require a hybrid-joined or compliant device rather than allowing sign-in from any machine on the internet; this is a substantial improvement over relying on the user’s credential alone.

Consider synchronizing your on-premises Active Directory computers with Entra ID to allow CAPs to restrict access to trusted devices and improve security.

Intune for Mobile Device Management (MDM)

Organizations should use Intune to enroll and manage mobile devices, ensuring compliance with security policies. By integrating Intune’s compliance telemetry with Conditional Access Policies (CAPs), only compliant devices can sign in and access corporate resources, enhancing overall security.

Consider using Intune for device enrollment and compliance, and integrate its telemetry with Conditional Access Policies to secure sign-ins.

Modern MFA and Azure Information Protection

Modern MFA methods such as Microsoft Authenticator push (now with number matching enforced, which blunts “MFA fatigue” prompt-bombing) and, better still, phishing-resistant methods such as FIDO2 security keys and passkeys are encouraged over legacy practices like SMS and voice calls, which can be phished or SIM-swapped. Meanwhile, Azure Information Protection (now part of Microsoft Purview Information Protection) applies sensitivity labels that encrypt data and control who can open it, so sensitive information stays protected even after it leaves the organization.

Consider adopting modern MFA technologies to protect your users and Azure Information Protection to protect sensitive data.

Conclusion

By understanding and implementing Microsoft security measures, you can significantly enhance the security and efficiency of your institution’s digital environment. In addition, leveraging advanced MFA technologies and synchronizing on-premises Active Directory with Entra ID is a proactive way to fortify access control. It is also important to regularly review and update your security protocols to ensure they remain effective against evolving threats.

Don’t forget to download this handy infographic to explore overlooked M365 security features. This knowledge can help you implement everything needed under your license type to enhance your cybersecurity posture.

08 Oct 2024

Secure Our World: Join Us in Celebrating Cybersecurity Awareness Month

Cybersecurity Awareness Month, held annually in October, is a vital international initiative designed to raise awareness about the importance of being safe and secure online. This year’s theme, “Secure Our World,” continues from 2023 and highlights simple yet effective ways for individuals, families, and businesses to protect themselves from cyber threats.

The Cybersecurity and Infrastructure Security Agency (CISA) leads the federal efforts for this campaign. They work closely with the National Cybersecurity Alliance (NCA), known for their @staysafeonline initiative, to develop and disseminate resources that educate the public on key cybersecurity practices.

Cybersecurity Tips

Here are some essential tips provided from this year’s Cybersecurity Awareness Month campaign:

  • Recognize and Report Phishing: Learn to identify phishing attempts by familiarizing yourself with their common indicators, such as suspicious links or unexpected attachments. Resist the urge to click on these and ensure you delete phishing messages promptly.
  • Use Strong Passwords: Enhance your account security by choosing passwords that are long, random, and unique. This trifecta helps protect against unauthorized access.
  • Turn On Multi-Factor Authentication (MFA): Activate MFA on all your accounts, including email, social media, and financial services. This adds an extra layer of security, making it significantly harder for cybercriminals to gain access.
  • Update Software: Keeping your devices updated with the latest security patches is crucial. If automatic updates are not available, regularly check for updates to ensure your software is secure.

Throughout October, stay engaged and increase your cybersecurity awareness by visiting the National Initiative for Cybersecurity Careers and Studies (NICCS) Cybersecurity Awareness Month page for resources and tools. You can also follow updates using the #CybersecurityAwarenessMonth on social media.

Cybersecurity Resources

Safe Systems is also providing resources to help raise cybersecurity awareness, knowledge, and understanding for our community banks and credit unions.

Please explore some of our latest offerings:

  • M365 Immersion Training – Register for this complimentary, four-part series on Microsoft 365 (M365) security. Led by certified engineers, it covers essential topics including Conditional Access Policies (CAPs), Intune management, Azure AI governance, and more. Each session delivers practical insights and actionable knowledge, ensuring robust security practices for institutions using M365 core technologies. Reserve your spot.
  • MFA Quiz – When implemented correctly, MFA can be the single most effective tool to protect against remote attacks. Test your knowledge of how MFA works and why it is so important.
  • Cybersecurity Outlook Survey – We surveyed community banks and credit unions to gain more insight into their cybersecurity challenges, priorities, best practices, and how they manage cybersecurity preparedness. Discover their responses.

For more resources, visit our Resource Center, blog site, or our interactive Compliance Guru platform which provides reliable answers to your IT, cybersecurity, and information security questions. You can also follow us on our social media channels – Facebook and LinkedIn for timely news and helpful articles throughout the year.

When it comes to investing in security, Safe Systems understands that protecting your community bank or credit union can be complex and confusing. That’s why we offer multi-layered security solutions to protect vulnerability points both inside and outside your network and we have certified engineers who specialize in Microsoft cloud security.

Please join us this month in raising awareness and taking advantage of the many available resources to help your institution secure its digital environment and prevent cyber threats.

01 Aug 2024

Effective Governance and Communication: Enhancing Your FI’s Resiliency

With the rise in cyber threats and the increasing complexity of regulatory requirements, Information Security Officers (ISOs) face unprecedented challenges. This blog focuses on the importance of governance and effective communication as a key strategy for enhancing operational resiliency.

The Gramm-Leach-Bliley Act (GLBA) first brought to the forefront the importance of establishing the role of an ISO for financial institutions (FIs). However, the significance of this role has only magnified as information technology has become essential to every department and business function within an FI. The exposure of customer non-public information (NPI) has exponentially increased with the widespread adoption of online transactions, mobile banking, and third-party relationships.

Managing information security risks effectively requires collaboration. Each stakeholder group, including end-users, IT management, IT Steering Committee, Executive Management, Risk/Audit Committees, and the Board of Directors, plays a crucial role in supporting and executing information security standards. Segregating duties between IT management and the ISO is one of the biggest challenges for many FIs. For those that lack a formal infrastructure, the FFIEC provides “visibility” and “accountability” guidelines showing how an ISO can and should collaborate with IT management.

In addition, ISOs must break down silos and communicate clearly with all the various stakeholders. This effort requires access to relevant, actionable, and up-to-date information that aligns with each group’s distinct reporting needs, engagement level, and technical understanding.

ISOs may also need to broaden the scope and frequency of their communications. For instance, it is a good best practice to meet with the Board more frequently than once a year. Board members will benefit from periodic discussions with the ISO and IT management to accurately and quickly identify potential issues related to risk such as inconsistent server backups, software patches, and systems nearing EOL. A comprehensive understanding of Human Resources standards and their impact on information security is also important to ensure that policies and procedures are consistent across the organization.

To facilitate and ensure these meetings and conversations are effective, ISOs should rely on industry-standard frameworks that can be customized for audience-based agendas and repeatable tasks. Essentially, ISOs should be transparent in communicating changes that could result in increased risk to NPI.

Overall, this can be a challenging effort, especially for smaller banks and credit unions who may not have the expertise or the time to ensure a consistent approach to governance and communication. For this reason, many FIs choose to partner with a reliable Virtual Information Security Officer (VISO) service. These third-party services provide strategic guidance and the necessary oversight to ensure comprehensive information security management.

Safe Systems ISOversight® is a VISO service that includes a suite of applications, real-time reporting, and knowledgeable FFIEC risk-management professionals who assist with policy implementation, third-party relationship management, BCP, cybersecurity risk assessments, incident response and BCP testing, and other required tasks that are customized for each FI. They also provide ongoing coaching and accurate reporting to help with communication tailored to each stakeholder group. These collaborative efforts will go a long way to ensure operational resiliency and reduce reputation risk.

For a deeper understanding of governance and communication within the ISO role and to gain more insights into enhancing operational resiliency, refer to the complete white paper, Operational Resiliency: Elevating the Role of the ISO.

18 Jul 2024

Ask the Experts: Get Reliable Answers to Your Risk Management Questions on ComplianceGuru.com

We are excited to announce the relaunch of ComplianceGuru.com. For over a decade, Safe Systems’ Compliance Guru site has been a trusted resource for community banks and credit unions providing essential insights on regulatory trends and compliance best practices.

We’ve reimagined it to be more interactive, allowing you to ask questions directly to our FFIEC risk and compliance experts, addressing risk management topics and concerns most relevant to your institution. You can also learn what your banking peers are concerned about and leverage the advice from our team to strengthen your security posture.

Since launching the new site, our Gurus have answered questions about Ransomware Self-Assessment Tool (RSAT) 2.0, NIST Cybersecurity Framework (CSF) 2.0, and work area security.

Here is a sample of what they’re saying about these important topics:

RSAT 2.0: A Proactive Approach to Ransomware Threats

Financial institutions are increasingly targeted by sophisticated ransomware attacks. To mitigate these risks, the RSAT (Ransomware Self-Assessment Tool) was developed to support banks and credit unions in their cybersecurity efforts. Originally released in October 2020, this tool was a collaborative initiative by the CSBS (Conference of State Bank Supervisors), the BECTF (Bank Electronic Crimes Task Force), and the U.S. Secret Service.

The updated version, RSAT 2.0, released in October 2023 was designed to address emerging ransomware attack vectors.

Some key questions surrounding RSAT 2.0 that financial institutions have been asking:

  • Are financial institutions required to complete RSAT 2.0?
  • Who should be involved in completing this self-assessment tool?
  • How does RSAT 2.0 differ from its predecessor?

NIST CSF 2.0: Modernizing Cybersecurity Frameworks

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a foundational guideline for improving security and resilience. It provides a structured approach for assessing your institution’s security posture across five Functions: Identify, Protect, Detect, Respond, and Recover. NIST CSF 2.0, released in February 2024, represents the latest iteration, incorporating lessons learned, broadening the framework’s audience from critical infrastructure to organizations of every type and size, and adding a sixth Function, Govern.

Here are some important questions you and other institutions may be asking about CSF 2.0:

  • How can CSF 2.0 address current cybersecurity challenges?
  • What resources are available to implement CSF 2.0?
  • How can CSF 2.0 be integrated into your institution’s existing risk management framework?

Compliance Guru offers reliable and informed answers to these and other IT, cybersecurity, and information security challenges. It is an invaluable resource offering guidance and tools to help community banks and credit unions like yours enhance cyber resilience.

We invite you to subscribe to this new platform to stay informed and discover best practices that better position your institution to protect customer data and ensure compliance with important federal and state regulatory guidance.

And by the way, we’re offering a limited number of $50 gift cards* to valid U.S. financial institutions that submit risk management questions on ComplianceGuru.com. So, submit your questions today!

Ask the Gurus for a Chance to win!

* Contest Rules

To qualify for the $50 gift card, your financial institution must be a valid U.S. financial institution that submits a question on ComplianceGuru.com. Questions must be relevant to risk management topics, including but not limited to IT, cybersecurity, information security, and third-party.

11 Jul 2024

Enhance Your DR Plan: Key Testing Strategies

Disaster recovery (DR) planning is fundamental to maintaining operational resilience within financial institutions. It ensures that essential functions can be restored rapidly following a disruptive event, minimizing operational interruptions and financial losses.

DR Testing helps organizations understand how well their Disaster Recovery plan would work if an actual disaster were to occur. Here are some essential guidelines for conducting effective disaster recovery testing.

Exercise vs Test

Both exercises and tests are crucial for validating procedures in your Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) plan, but they serve different purposes:

  • Exercise: A procedure designed to validate one or more aspects of your BCP or DRP. A common exercise is a structured walk-through (“table-top”) where stakeholders go through each step and component outlined in the plan. This guarantees that everyone involved is aware of their responsibilities during an emergency. It can also help uncover inconsistencies, missing information, or errors in the plan.
  • Test: A form of exercise that measures the performance or reliability of your system resilience in a simulated environment. For example, simulating the recovery of your communication lines, servers, and applications is a DR test.

The Cost of Downtime

Financial institutions should be acutely aware of the high costs associated with downtime. According to Emerson Network Power, the average cost of data center downtime across industries increased a staggering 41 percent since 2010. Furthermore, CA Technologies reports that financial institutions face an average annual revenue loss of $224,000 due to downtime. These costs may vary according to institution size, but the key takeaway is that any amount of downtime can lead to lost revenue. This underscores the importance of rigorous and regular disaster recovery testing.

FFIEC Guidelines

The Federal Financial Institutions Examination Council (FFIEC) provides clear guidance on disaster recovery tests and objectives. The council states, “Management uses tests to determine whether system resilience conforms to the BCP and stated recovery objectives.” Here are three critical metrics to consider:

  • Recovery Point Objective (RPO): The maximum amount of data loss, measured in time, that the institution can tolerate; it dictates how often backups or replication must run (an RPO of four hours means you must be able to restore to a point no more than four hours before the disruption).
  • Recovery Time Objective (RTO): The target maximum time allowed to restore a system or service after a disruption; it is a ceiling to be met, not a minimum.
  • Maximum Tolerable Downtime (MTD): The longest total outage a business function can absorb before the institution’s viability is at risk. Every RTO must be shorter than the MTD of the functions that depend on that system.

FFIEC expects institutions not only to define but also to test these recovery objectives. If a recovery objective falls short during testing, it should be reevaluated and adjusted accordingly.

A Comprehensive Checklist

Disaster recovery testing is essential for minimizing downtime during adverse situations. However, these tests are only as effective as the practices behind them. It’s crucial to follow a consistent and thorough testing process that includes:

  • Critical Business Functions: Confirm that systems can support vital business processes in an emergency, including alternative site transfers, increased workloads, manual workarounds, and communication timelines.
  • Technological Integration: Integrate technologies that support essential business activities, such as data replication, recovery, and off-site storage.
  • Backup Data Testing: Regularly test backup data integrity and availability.

Post-testing Evaluation

During testing, if a recovery objective does not align with actual capabilities, you should always reevaluate that particular objective. It’s also important to consider dependencies within processes. For instance, some processes with shorter RTOs, such as lending processes, may hinge on those with longer RTOs, like the lending server’s restoration time. It is also important to remember that the evaluation of the DR tests is not only to determine whether the plan is appropriate for current needs but anticipated future needs, too.

Managed DR Testing

For many institutions, outsourcing disaster recovery testing to experts like Safe Systems can streamline the process, ensuring compliance with industry standards and focusing internal resources on core business operations.

Disaster recovery testing is more than a regulatory requirement; it is a vital practice to ensure the continuous operation and financial well-being of your institution.

By following these guidelines and leveraging expert services, you can ensure that your organization is prepared to respond to any disruptive event.

To equip your team with an outline of these essential testing strategies, download our “Guidelines for Disaster Recovery Testing” infographic today.

27 Jun 2024

Leveraging Cloud Technology for Disaster Recovery

Community banks and credit unions must stay prepared to handle unforeseen disruptions. A comprehensive disaster recovery (DR) solution is essential to ensuring financial institutions maintain operational continuity, meet regulatory requirements, and safeguard customer data. Cloud technology has emerged as a key player in modern disaster recovery strategies, providing cost-effective, secure, and scalable solutions.

Benefits of Cloud-based DR

Moving critical servers to the Cloud as virtual machines enables financial institutions to meet disaster recovery (DR) needs more cost-effectively. Traditional DR setups typically require significant investments in physical infrastructure, maintenance, and personnel, but cloud solutions eliminate the need for a dedicated DR data center, reducing both capital and operational expenditures. Additionally, cloud technology offers scalability that on-premises solutions can’t match, providing the flexibility to adapt to an institution’s evolving requirements. Whether your bank or credit union is expanding services or increasing data volumes, cloud-based DR solutions can scale to meet specific needs without requiring significant overhauls.

These cloud-based DR solutions are high-availability systems designed to rapidly recover critical servers, ensuring institutions can minimize downtime and maintain business continuity.

Managed Site Recovery

Safe Systems’ Managed Site Recovery service is a fully managed, secure data replication and failover solution built specifically for community banks and credit unions. Since each institution’s needs differ, we customize the DR solution to align with your specific requirements. Here are some other advantages to our cloud-based DR solution:

1. Meet Compliance and Examiner Requirements:

Managed Site Recovery helps institutions meet Business Continuity Plan (BCP) and Recovery Time Objective (RTO) requirements. Our service includes an annual DR test with a comprehensive result write-up demonstrating a credible and robust DR strategy to examiners. According to Chris Bailey, Network Security Administrator at Bank of Cleveland, “The examiners were very pleased with how Safe Systems laid out the results and were also impressed with the fact that the test was being done by a third-party entity outside of our organization.”

2. Provide Secure Data Replication and Failover:

Our service offers strong and secure data replication with cloud server vaulting, ensuring geographically varied data center backups. This guarantees the availability of crucial business data and applications during unexpected business interruptions. Like other cloud-DR solutions, Managed Site Recovery provides expedited recovery periods to lessen disruptions and maintain operational continuity. Distinctively, it includes a team of third-party specialists available to consult on DR procedures, ensure ongoing backups and routine testing within proper timelines, and serve as an extension of your staff in the event of a disaster.

3. Save Time and Money:

Managing a DR failover data center can be complex and costly. Managed Site Recovery removes this burden, allowing your institution to focus on its core functions. By leveraging our compliant, cloud-based disaster recovery service, your bank or credit union can also meet DR requirements and ensure rapid recovery of critical servers at a fraction of the cost.

Cloud technology has revolutionized the approach to DR, offering cost-effective, scalable, and secure solutions. Safe Systems’ Managed Site Recovery service is a cloud-based DR solution that addresses the unique needs of financial institutions, helping them stay compliant, secure, and operationally resilient. This service ensures your institution can achieve peace of mind, knowing your critical data and applications are protected against disruptions, and your test results will stand up to examiners’ scrutiny.

Ready to learn more about Managed Site Recovery? Visit Disaster Recovery Service for Financial Institutions.

13 Jun 2024

Resilience and Recovery: BCP and DR Essentials

The importance of disaster preparation cannot be overstated for financial institutions. These institutions must be ready for the unexpected, whether it’s a natural disaster, pandemic, or cyber-attack. If your financial institution’s systems went down, how quickly could you restore operations? Ensuring swift and efficient recovery depends on having solid Business Continuity Plans (BCP) and Disaster Recovery (DR) plans.

BCP and DR are both critical components of the overall Business Continuity Management (BCM) process, which also includes resilience, emergency response, crisis management, and third-party integration. The Federal Financial Institutions Examination Council (FFIEC) guidelines emphasize the need for institutions to adopt an enterprise-wide, process-oriented approach to business continuity. This strategy aims to ensure that financial institutions are not just prepared to recover but are also resilient enough to withstand disruptions.

Key Differences Between BCP and DR

You might wonder why both a Business Continuity Plan and a Disaster Recovery Plan are necessary. While they are closely related and designed to work in tandem, they serve different purposes. A BCP outlines the strategies and protocols that enable a financial institution to continue operations during and immediately following a disaster. In contrast, a DR plan focuses on restoring critical data and applications so the institution can operate normally.

BCP:

  • A plan to continue business operations.
  • Consists of a business impact analysis, risk assessment, and an overall business continuity strategy.
  • Includes pandemic planning as part of its overall strategy.

DR:

  • A plan for accessing required technology and infrastructure after a disaster.
  • Involves evaluating backups and ensuring necessary redundant equipment is up-to-date and functional.

Both plans require regular testing and maintenance to ensure they are effective. The BCP test, often a tabletop exercise, ensures employees know their roles during a disaster. The DR test is more hands-on, confirming that backup technologies can restore operations within the Recovery Time Objective (RTO).

7 Tips to Prepare for Disasters or Business Interruptions

Existing BCP and DR plans are crucial, but beyond that, several additional steps can further prepare your institution for various disruptions. Below are 7 best practices. Read the full white paper, BCP and DR Plans: What Every Financial Institution Needs to Know, for more.

  1. Monitor the success of backups and replication services.
  2. Utilize Uninterruptible Power Supplies (UPS) for short-term outages.
  3. Safeguard critical equipment by preemptively shutting it down if an extended outage is anticipated.
  4. Secure the server room and ensure all equipment is protected.
  5. Ensure ATMs remain available for customers who need access to cash.
  6. Verify key employees have someone to step in if they are unavailable.
  7. Validate and test the BCP and DR plans at least annually to ensure they are up-to-date and effective.

Choosing to Manage BCM In-house or with an IT Partner

Preparing for or recovering from a disaster can be challenging for community financial institutions, which often lack IT resources. With an in-house disaster recovery solution, they face technical and time-consuming processes that can strain limited IT staff. When outsourcing, institutions can choose a local provider for convenience, but such providers may have little financial services expertise, which poses its own set of difficulties. When in-house resources or local expertise are limited, another alternative is partnering with a national managed services provider that specializes in the banking industry. This offers several benefits, including streamlined processes, improved disaster preparedness, and dedicated DR support.

However an institution chooses to manage DR and BCP, it is essential to develop, implement, and regularly test disaster recovery and business continuity plans. Though the task can be daunting, automation and outsourced services can ease the maintenance burden and help ensure compliance with evolving regulations.

To learn more about resilience and recovery, read our white paper, BCP and DR Plans: What Every Financial Institution Needs to Know.

If you’re unsure whether your institution is BCM ready, consider a complimentary plan review to ensure your BCP and DR plans are up to date and fully compliant.

08 Mar 2024
The Crucial Role of Cybersecurity Management in 2024

As we reflect on the challenges of 2023 and the growing reliance on cloud providers in the financial industry, it is clear that cybersecurity management is more important than ever. With the increasing threat of cyberattacks and the need to protect customer information and financial transactions, community financial institutions must prioritize cybersecurity to ensure the safety and trust of their customers.

In our recent webinar, our IT and Information Security experts discussed cybersecurity management with areas of emphasis on the importance of understanding third-party risk management, the new version of the Conference of State Bank Supervisors (CSBS) Ransomware Self-Assessment Tool (RSAT 2.0), and lessons learned from exams and audits in 2023. This post explores some of the key highlights.

NIST Framework and the Arrival of CSF 2.0

The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a valuable resource for organizations to manage and reduce cybersecurity risk. This framework continuously integrates lessons learned and best practices while retaining its core functions: Identify, Protect, Detect, Respond, and Recover. The recently updated CSF 2.0 includes the introduction of a sixth function, ‘Govern,’ underscoring the importance of clear role definitions, policies, and risk prioritization procedures within cybersecurity programs. It also provides improved guidance on implementation, ensuring that organizations are equipped to address the latest cybersecurity challenges.

Critical Third-party Relationship Management

Third-party risk management is crucial as financial institutions are increasingly relying on third and fourth parties. Interagency guidance underscores the importance of understanding the impact and interaction levels of these relationships on operations and customers. Financial institutions are encouraged to establish sound methodologies for comprehensive oversight of the activities surrounding third parties. This includes a thorough understanding of third-party business processes and systems as well as an understanding of the risks and benefits before contract execution. As financial institutions move forward with third-party relationships, they must also exert pressure on their service providers to ensure adherence to strong cybersecurity standards to effectively safeguard the interests of the financial institution and ultimately its customers.

Importance of the Ransomware Self-Assessment Tool (RSAT 2.0)

The Ransomware Self-Assessment Tool (RSAT) version 2.0 represents a significant step forward in helping financial institutions fortify their defenses against ransomware attacks. The latest version is developed through the integration of feedback from institutions that have been impacted by ransomware, ensuring that the tool remains relevant and effective as this type of malware continues to evolve. With a focus on cloud-based service providers, RSAT 2.0 emphasizes the importance of understanding the flow of data, particularly in environments outside the U.S., and how it is subject to various privacy regulations like GDPR. Furthermore, RSAT 2.0 places increased emphasis on multifactor authentication (MFA) and employee cyber-awareness, reflecting the industry’s recognition of the critical role these factors play in strengthening cybersecurity postures.

Key Lessons Learned from Exams and Audits

A few of the biggest areas of scrutiny that we’re seeing from recent IT exams and audits include:

  • Asset Management – paying attention to asset lifecycles and end-of-life risks as well as implementing robust authentication methods that govern customers who are logging into electronic banking applications
  • Change Management – establishing baseline standards and auditable procedures for change requests and appropriate reporting for project management and cost overruns
  • Data Recovery – periodically rotating through your critical servers and restoring data so that you can ensure the effectiveness, integrity, and availability of that data
  • Increased Incident Response Testing and Training – conducting testing as frequently as possible over different threat scenarios, documenting those tests, and training the employees who are going to be involved in the actual response

For more lessons learned and emerging trends, watch the full webinar recording.

Community banks and credit unions must prioritize cybersecurity management to protect customer information and maintain operational resilience. Enhanced cybersecurity strategies are imperative, urging institutions to adopt a multidimensional approach that incorporates people, processes, and technologies. Regular assessments, third-party risk management, and adherence to cybersecurity frameworks contribute to a proactive defense against cyber threats.

If you have any questions or want to learn more about our complimentary information security review, please visit safesystems.com/review.

18 Jan 2024
Our Top Blog Posts of 2023

As we begin the new year, it’s a great time to revisit some of the most popular blogs we published in 2023. Our top blogs from last year covered a range of topics, including a cybersecurity outlook, updated third-party risk management guidelines, using conditional access policies (CAPs) and multifactor authentication (MFA) to enhance security within Microsoft Azure Active Directory (AD), and NetConnect 2023. If you didn’t have a chance to read these posts—or simply want to review them—here is a recap of each of them. They offer unique perspectives, best practices, and a wealth of insights that can help your financial institution prepare for greater success in the year ahead.

2023 Cybersecurity Outlook for Community Banks and Credit Unions

Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions revealed valuable peer-to-peer insights that can help financial institutions enhance their security posture. The survey highlights cyber preparedness and budget restraints as top security challenges of more than 50% of the 160 participating financial institutions. It also shared participants’ feedback on other important areas, including prevention and detection security layers; employee security awareness training and testing; and advanced firewall features. For instance, respondents use multiple layers of security, but less than 50% of them combine every security layer listed in the survey. Survey respondents also use a variety of security training—including resource-intensive individual instruction. In addition, most of the survey participants are taking advantage of advanced firewall features, although only 24% of 135 respondents leverage sandboxing technology to detect threats. Read more.

Updated Regulatory Guidelines on Third-Party Risk Management

In June, federal bank regulatory agencies issued updated guidelines to make it easier for financial institutions to manage third-party risks. This new guidance from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) impacts all banking institutions that use third parties. The majority of statements in the new guidance focus on the planning, due diligence, and contract phases with an emphasis on pre-engagement. Since auditors and examiners will be looking more closely at what happens during the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties. Not all statements in the guidance will apply to all institutions or relationships, so we have developed an interactive checklist designed to walk you through key regulatory requirements of the third-party relationship life cycle. Read more.

Using CAPs and MFA to Enhance Security within Microsoft Azure AD

There was a surge in successful phishing campaigns last year, including sophisticated schemes that were able to bypass MFA. MFA-resistant phishing is a significant threat since this type of attack could impact a vast segment of organizations that rely on Microsoft Azure AD (now known as Microsoft Entra ID) and Microsoft M365 services to support their operations. However, financial institutions can use a variety of measures to prevent cyberattacks, including Conditional Access Policies (CAPs). CAPs, which are foundational to safeguarding identities within Microsoft Entra ID, protect the initial step of the identification chain—the sign-in attempt. To maximize protection, institutions should stack multiple CAPs, such as requiring MFA, denying sign-ins from outside of the USA, and requiring device compliance. When designing CAP logic, they should take a broad approach to the scope of the CAP to impact as many areas as possible. Institutions can take a multi-layered approach to optimizing security by leveraging multiple security tactics, technologies, and resources. Read more.
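The stacking described above is worth seeing mechanically: every enabled policy whose conditions match a sign-in is evaluated, a block from any one of them wins, and the grant controls of all the others must be satisfied together. The following Python simulator is an added example, not Safe Systems’ code and not Microsoft’s evaluation engine. The policy dictionaries follow the general shape of the Microsoft Graph conditionalAccessPolicy resource (users, applications, locations, grantControls), but every identifier is a constructed placeholder, the named location and emergency-access account ids are assumptions, and only user, application and country conditions with the built-in controls mfa, compliantDevice and block are modeled. Sign-in risk, client-app filters and session controls are left out, so the real policy set should still be validated with Entra’s report-only mode and What If tool before enforcement.

```python
"""Simulate how stacked Conditional Access Policies combine for one sign-in.

Added example with constructed policies; ids and names are placeholders,
not objects exported from any tenant.
"""
from typing import Dict, List, Tuple

# Constructed placeholder ids (assumptions for the example).
US_LOCATION_ID = "namedLocation-US-placeholder"        # a countryNamedLocation for "US"
BREAK_GLASS_ID = "user-emergency-access-placeholder"  # emergency-access account

# Map of named-location id -> ISO country codes it contains.
NAMED_LOCATIONS: Dict[str, List[str]] = {US_LOCATION_ID: ["US"]}


def _policy(name: str, controls: List[str], exclude_locations=()) -> dict:
    """One broadly scoped policy: all users, all apps, emergency account excluded."""
    return {
        "displayName": name,
        "state": "enabled",  # "enabledForReportingButNotEnforced" would log only
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(exclude_locations)},
        },
        # Each policy here carries a single control, so AND vs OR does not matter.
        "grantControls": {"operator": "AND", "builtInControls": controls},
    }


# The three stacked policies named in the post.
POLICIES: List[dict] = [
    _policy("Require MFA for all users", ["mfa"]),
    _policy("Block sign-ins from outside the United States", ["block"], [US_LOCATION_ID]),
    _policy("Require a compliant device", ["compliantDevice"]),
]


def _location_in(location_ids: List[str], country: str) -> bool:
    """True if the sign-in country falls inside any listed location ('All' matches everything)."""
    return any(loc == "All" or country in NAMED_LOCATIONS.get(loc, []) for loc in location_ids)


def policy_applies(policy: dict, signin: dict) -> bool:
    """Do the policy's user, application and location conditions match this sign-in?"""
    if policy["state"] != "enabled":  # report-only and disabled policies are not enforced
        return False
    cond = policy["conditions"]
    users = cond["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and signin["user"] not in users["includeUsers"]:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    loc = cond["locations"]
    return (_location_in(loc["includeLocations"], signin["country"])
            and not _location_in(loc["excludeLocations"], signin["country"]))


def evaluate_sign_in(policies: List[dict], signin: dict) -> Tuple[str, List[str]]:
    """Stack every matching policy.

    Returns ("block", [blocking policy names]) if any matching policy blocks,
    ("needs_controls", [unmet controls]) if some required control is not yet
    satisfied, or ("grant", [all required controls]) when everything is met.
    """
    required = set()
    blockers = []
    for policy in policies:
        if not policy_applies(policy, signin):
            continue
        controls = policy["grantControls"]["builtInControls"]
        if "block" in controls:
            blockers.append(policy["displayName"])
        else:
            required.update(controls)
    if blockers:
        return "block", sorted(blockers)
    unmet = sorted(c for c in required if not signin["satisfied"].get(c, False))
    if unmet:
        return "needs_controls", unmet
    return "grant", sorted(required)


if __name__ == "__main__":
    # Constructed sign-ins: "satisfied" records which controls the session already meets.
    samples = {
        "domestic, MFA + compliant device": {"user": "alice", "app": "Office365", "country": "US",
                                             "satisfied": {"mfa": True, "compliantDevice": True}},
        "domestic, compliant but no MFA":   {"user": "alice", "app": "Office365", "country": "US",
                                             "satisfied": {"compliantDevice": True}},
        "abroad":                            {"user": "alice", "app": "Office365", "country": "FR",
                                             "satisfied": {"mfa": True, "compliantDevice": True}},
        "emergency account abroad":          {"user": BREAK_GLASS_ID, "app": "Office365",
                                             "country": "FR", "satisfied": {}},
    }
    for label, signin in samples.items():
        print(f"{label:36} -> {evaluate_sign_in(POLICIES, signin)}")
```

The last sample shows why the emergency-access exclusion matters: with it, that account is never locked out by the geography block; without it, a misconfigured block policy can lock the tenant’s only recovery path. The simulator is also a convenient place to confirm that a new policy is scoped broadly (all users and all applications) before it is turned from report-only to enabled.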

NetConnect 2023—A Glimpse into the Future of Technology and Compliance

The 2023 NetConnect Customer User Conference brought Safe Systems’ customers, employees, and partners together in Alpharetta, Ga. to discuss banking industry trends, challenges, and innovations. NetConnect 2023 provided valuable insights into banking and technology’s vital role in shaping the industry’s future. With multiple informative sessions, the conference covered the significance of hope in business, changes relating to regulatory compliance, vulnerability management, and Microsoft Azure fundamentals. Read more.
