Tag: Technology

30 Nov 2022
Microsoft Azure Maintenance Basics

Microsoft Azure Maintenance Basics

Microsoft Azure Maintenance Basics

Financial institutions need to stay on top of Microsoft Azure maintenance to efficiently use Microsoft cloud services and have effective controls across identity and access. Azure maintenance is also a matter of regulatory compliance.

Microsoft Azure maintenance encompasses Azure Active Directory, M365 (formerly called Office 365), Microsoft Exchange Online, and other associated Azure cloud services. Many institutions may not realize they are leveraging cloud solutions because it’s not always obvious where different technology services originate. Regardless of how an institution obtains Microsoft Exchange or M365, it creates a Microsoft tenant with Azure AD. Institutions are ultimately responsible for these tenants and this includes properly securing and maintaining them.

The Federal Financial Institutions Examination Council (FFIEC) expects institutions to engage in effective risk management for the “safe and sound” use of cloud computing services. The council indicated as much in its statement on “Security in a Cloud Computing Environment,” saying: “System vulnerabilities can arise due to the failure to properly configure security tools within cloud computing systems. Financial institutions can use their own tools, leverage those provided by cloud service providers, or use tools from industry organizations to securely configure systems, provision access, and log and monitor the financial institution’s systems and information assets residing in the cloud computing environment.”

In addition, financial institutions are obligated to oversee third-party service providers and make sure that they use proper security controls. “Management should be responsible for ensuring that such third parties use suitable information security controls when providing services to the institution,” the FFIEC IT Handbook’s Information Security booklet stated. “Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks.”

Azure Active Directory

Azure Active Directory (Azure AD, AAD) is the primary identity platform across all Azure services. There are some standard maintenance objectives that financial institutions should meet with Azure AD.

Some of the key types of identities to review within Azure AD are users, devices, and enterprise applications. User maintenance is an area many people are familiar with, and it involves ensuring the list of users matches expectations. IT administrators should be on the lookout for new accounts; they should look for users who should not be there and delete or disable them if appropriate. For example, users may need to be purged from the list after they complete off-boarding procedures.

With device maintenance, it is important to be aware of all the devices that the organization has placed into Azure AD. IT administrators should ensure that, at least for Windows OS devices, they follow the established naming convention. They should delete “stale” or inactive devices and ensure that all devices—whether desktop or mobile—adhere to established compliance policies.

The maintenance for enterprise applications—objects with some form of connectivity with your Azure tenant—involves making sure various service apps meet expectations for functionality. Administrators should review the apps’ properties to ensure the best controls are being applied. For instance, this could include addressing apps that have an expired certificate.

Other important maintenance areas within Azure AD include reviewing privilege role assignments to ensure their validity, scrutinizing delegated administration partners to confirm their level of access, and “right-sizing” the number and types of licenses to avoid being over or under-provisioned.

M365 and Exchange Administration

SharePoint Online, Exchange Online, and OneDrive are core components of M365 and as such, they require strategic maintenance. Here are some important areas IT admins should address to maintain these services:

  • Usage reporting— Monitor usage reports to ensure they match the institution’s expectations. Anomalies in consumption and storage could indicate a possible security or compliance concern.
  • Cleaning up files— Delete old, unused files from OneDrive or SharePoint. Administrators can solicit help from users by notifying those who are approaching their limits.
  • File retention policy— Automatically delete files based on a set schedule or duration, such as anything older than seven years.
  • Exchange Online mailbox usage— Notice mailbox statistics before users reach their limit to avoid service disruptions—and complaints.
  • Distribution list review— Make sure distribution lists contain the appropriate members for the most effective targeting.
  • Exchange Online mobile devices— Keep track of the details about users’ mobile devices to gain additional insights for achieving maintenance objectives and compliance.

For more information, listen to our “Azure Maintenance —The Basics Every IT Administrator Should Know” webinar.

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

  • Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims to click on a bad link or download a malicious attachment. The signs can be subtle, but once suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

20 Oct 2022
Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Our first Customer Success Summer Series offered live webinars with special guest speakers who shared their industry knowledge to help our customers and other financial institutions enhance internal processes and key areas of their banking operations.

The Evolution of Phone Systems

Today businesses are facing the acceleration of remote working—Voice over internet protocol (VoIP), Virtual Private Networks (VPN), virtual meetings, and dynamic routing of phone systems based on the user’s location—all have become must-have requirements. Legacy telephone services are becoming more obsolete as some telecoms decommission analog technologies in favor of fiber pots and other alternatives. The old telephone system is evolving into a more modern option: unified communications as a service (UCaaS), which merges communication channels into a single cloud-based system. UCaaS offers all the necessary infrastructure, applications, and resources businesses need in an easily scalable solution. Unified communications tools can include chat, VoIP, text messaging, and online video conferencing.

UCaaS gives institutions the benefit of advanced functionality which allows employees to work remotely more efficiently, including things like the ability to check other users’ availability, reach people whether they are in the office or out in the field, and access the platform from anywhere. Another evolving facet in telecommunications is call center as a service (CCaaS), which also streamlines omnichannel communication and allows remote employees to work together as a call center team.

Given its flexibility and efficiency, it is easy to see why UCaaS is moving to the forefront of communications. There is a wide range of unified communications features, equipment, and prices and it is important for your institution to clearly define its unique needs to find a solution that will satisfy its requirements. It is also important to continue to evaluate your equipment and services every few years as technology and pricing continue to change.

Watch the recording of this webinar to gain a better understanding of UCaaS and other options so you can make the right choice for your institution.

2 Guys and a Microphone

Matt and Tom have both spent most of their careers focused on risk and regulatory compliance for financial institutions. We recorded their recent conversation which spans many topics including increased scrutiny on vendor management, continued focus on ransomware, and more.

Recent audit and exam trends continue to have a strong focus on third parties and proper vendor management. Examiners are considering the preponderance of fintechs, how much the average financial institution is outsourcing, and the inherent risk that originates from third-party vendors. Interestingly, their increased scrutiny may extend to any significant sub-service vendors that institutions may have. In addition, we are seeing questions arise about vendor management in the context of insurance. Cyber liability insurance applications are requesting more details about the management of vendors and other third parties.

There have also been some interesting audit and exam findings. For instance, one institution was encouraged to complete a post-pandemic/walk-through test or “dry run” of their pandemic procedures. This is curious considering all institutions have been in a “live exercise” for the past few years with the pandemic. Regardless, there is a good chance that the pandemic verbiage in your disaster recovery plan needs to be updated based on what has or has not been done in response to the current pandemic. And it is important to consider that an annual pandemic test will be a part of examiner expectations going forward along with the traditional business continuity, natural disaster, and cyber incident tests.

On the regulatory front, the new Computer-Incident Notification Rule went into effect on April 1, 2022, which is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The rule has two components:

  • The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
  • The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

In March, we hosted an in-depth webinar on understanding the requirements, recognizing gray areas, and preparing for unknowns. To help intuitions meet these requirements, we also created a detailed flowchart to understand when an event is severe enough to activate your Incident Response Team (IRT) and when regulators and customers should be notified.

Another regulatory trend to keep your eyes on is the increasing focus on ransomware industry-wide is prompting some state banking organizations to require institutions to use the Ransomware Self-Assessment Tool (R-SAT). The 16-question R-SAT is designed to help institutions evaluate their general cybersecurity preparedness and reduce ransomware risks. The R-SAT supplements the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC). It will be interesting to see if more states begin requiring this additional diagnostic tool.

Watch the recording to hear more insights about INTrex, SOC Reports, and SSAE 21.

08 Sep 2022
What to Budget for in 2023

What to Budget for in 2023

What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

  • Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
  • Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

14 Jul 2022
How to Always Be Prepared for a Cyberattack

How to Always Be Prepared for a Cyberattack

How to Always Be Prepared for a Cyberattack

Cybersecurity attacks have been ramping up nationwide, and the FBI expects the trend to continue. Americans reported 847,376 complaints in 2021, a 7-percent increase from 2020, according to the FBI’s Internet Crime Complaint Center’s 2021 Internet Crime Report. Many of the complaints filed in 2021 involved ransomware, phishing, data breach, and business email compromise. Financial services is one of the critical infrastructure sectors that are most frequently targeted by ransomware attacks.

However, here are five best practices that if effectively implemented, managed, and monitored can ensure that your financial institution is always prepared for a cyberattack:

1. Authentication

Passwords have become more complicated to create, remember, and maintain. Twenty years ago, passwords consisted of a simple string of characters. Now they are more complex, requiring a combination of numbers, symbols, and upper- and lower-case letters. Increasingly, user management tools allow institutions to take advantage of robust authentication options like multifactor authentication (MFA). MFA adds extra elements and more security to the sign-on process, which is why users should employ it whenever possible to log in to any network or system at your institution. This is especially important for higher-risk situations that involve network administrator accounts, virtual private network access, and critical management applications.

MFA is one of the most important cybersecurity practices to reduce the risk of intrusions. Users who enable MFA are up to 99 percent less likely to have an account compromised, according to a joint advisory issued by the FBI and Cybersecurity and Infrastructure Security Agency. “Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available,” the advisory states.

2. Patch Management

Patching can be a constant and tedious process as it requires keeping up with updates from numerous sources and applications. This can entail patching a plethora of Microsoft products, along with banking and lending applications, PDF readers, virtualization applications, database applications, ATM software, and more. Not patching a security hole in any of these could lead to a massive security breach with catastrophic implications for institutions. It’s imperative to maintain a list of all approved applications and monitoring software on the network as well as have an update policy and a clearly defined process for each application. Major breaches have happened because a single patch was missing on a single device. Patch management cannot be ignored or treated as an afterthought.

3. Email Security and End User Best Practices

Understanding email, specifically phishing techniques, is one of the most critical aspects of being prepared for a cyberattack. While financial institutions are frequently targeted by phishing attacks, following these best practices can help to prevent business email compromise:

  • Augment your email solution with effective scanning software. This can help identify SPAM and phishing emails before they reach employees.
  • Train employees to recognize phony phishing emails, so they can “think before they click.” These bogus emails can be difficult to spot unless you know what you are looking for; e.g., poor grammar and spelling, links that don’t match the domain, unsolicited attachments, etc.
  • Test employees to see how well they respond to a realistic phishing attempt. Invest in a program that lets you send fake phishing messages and track which employees fail the test, so you can offer additional training to those who need it.

4. Backups

Backups play a crucial role in file recovery, disaster recovery, and ransomware attacks. To successfully bounce back from a cyberattack, institutions need to have all backup scenarios sufficiently covered, including file-level backups, disaster recovery backups, Veeam backups (for virtual servers), and SQL/database backups. While most institutions use a combination of different backup solutions, the key objective is to back up files offline or in the cloud, so they are not connected to your network. Then if a ransomware attack strikes the network, your offline and cloud backups will not be affected.

5. Vendor Risk Management

Vendor management can have a dramatic impact on the overall success of your information security plan. If you outsource to a vendor with inadequate security protocols, their weakness essentially becomes your weakness. The first step in vendor risk management is to perform a risk assessment to evaluate your level of inherent risk. This must always be done first so that you can then identify and implement the proper controls. If the controls selected do not completely offset the risks identified, then alternate or compensating controls would need to be identified to achieve a level of residual risk that is within your risk appetite.

There’s no silver bullet when it comes to resisting a cyberattack but focusing on the five areas above can significantly increase your institution’s cyber resiliency. Safe Systems offers a range of technology, compliance, and security solutions that are exclusively designed for community banks and credit unions. Contact us to learn how we can help you implement these five and other best practices.

09 Jun 2022
Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

With the rise in cybercrimes and increased regulatory scrutiny, having a board-approved IT Strategic Plan is often not enough to ensure cyber resiliency. It’s essential for financial institutions to develop a robust IT management and information security infrastructure. The following excerpts from our recent white paper on “Building IT and Information Security Resiliency in Chaotic Times,” show how institutions can strengthen and support these key management roles to make better technology and security decisions, improve visibility, and reduce vulnerability. In addition, institutions can use strategic partners and risk management solutions to bolster resources they already have in place and enhance their overall cyber resilience.

1. Separating ISO Duties

Examiners have a strong interest in the IT administrator and ISO roles, which are interconnected and integral to an institution’s safety and soundness. However, many community banks and credit units still struggle with meeting the FFIEC requirements for segregating these positions. The importance of separating ISO duties relates to creating additional oversight to verify activities and maintain accountability to management and the board. Separating these functions also helps to build a clear audit trail to ensure risk is being accurately assessed and reported to senior management. While the ISO functions in an oversight capacity of the IT administrator, the ISO also relies heavily on the administrator to share data that can be used to recommend steps to improve the institution’s security posture. Therefore, the IT admin-ISO relationship must also be cooperative to ensure their daily activities support the organization’s policies and procedures.

2. Being Proactive about Succession Planning

Regulators expect financial institutions to have a formal succession plan for the ISO, IT administrator, and other key leadership roles, as indicated by the uptick in exam findings related to this issue. Depending on their size, type, and goals, institutions may employ different approaches for succession planning. They can identify and train someone to serve as an alternate or “backup” for various IT or ISO responsibilities, incorporate an internal committee or team approach for managing IT and information security, or use the support of a trusted third party to maintain IT and information security standards.

3. Partnering with a Trusted Third Party

An outside expert can provide an objective perspective that can help institutions think beyond the day-to-day issues and consider risk more proactively and strategically. Bringing in a technology partner on the front end—when things are going well—can also position institutions to be stronger and more successful in the future. For instance, a virtual information security officer (VISO) can expand an internal ISO’s capabilities and increase the likelihood that all ISO-related tasks are completed in a timely and efficient manner. A VISO can also provide an external layer of oversight to enable the required separation of duties.

ISOversight®, our virtual ISO service, makes it easier for financial institutions to master information security and manage compliance online. ISOversight is a comprehensive solution with a full suite of applications and resources, cyber risk reporting, and dedicated compliance specialists. It’s uniquely designed to help banking institutions enhance their strategies to improve IT management, information security, and compliance. With ISOversight, community banks and credit unions can ensure that no information security issues fall through the cracks—especially during challenging times.

For more information about how to enhance your institution’s security posture, read the full white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

22 Apr 2022
More Microsoft Azure and 365 Security Basics

More Microsoft Azure and 365 Security Basics

More Microsoft Azure and 365 Security Basics

Banks and credit unions today face an ever-increasing number of cloud security hazards. Here’s the good news: Financial institutions that use Microsoft Active Directory (Azure AD) and Microsoft 365 can lower their risk by modifying their security settings for these services. Not only can this help the financial institution minimize threats, but it can allow them to customize the features of Azure AD and Microsoft 365 (previously called Office 365) to their specific preferences and requirements.

Organizations are responsible for managing Azure AD and its security settings because when they purchased M365 licenses, they established a Microsoft tenant with Azure AD. From a compliance perspective, adjusting Azure AD’s settings is crucial since Microsoft automatically enables certain features that may violate or conflict with compliance policies for organizations in regulated industries.

Optimizing /M365 and Exchange Online Settings

Depending on your institution’s licenses, there is a wide range of security and compliance settings you can customize in Azure AD, M365, and Exchange Online such as:

  • OneDrive and SharePoint Sharing: Review the default level of sharing to control the flow of data based on what is appropriate for your institution.
  • Teams and External Collaboration: Review the platform’s default security and compliance settings, and if they are not sufficient, you can block all external domains to keep users from communicating externally.
  • Exchange Online: Control access, how emails are transmitted, the types of messages users can send to recipients in external domains, and the devices or apps that can connect.
  • Protection Center: Use the Basic Mobility and Security feature to manage and secure the mobile devices that are connected to your Microsoft 365 organization.
  • Security Center: Optimize email management by employing anti-spam policies for inbound emails, blocking automatic forwarding of outbound emails, using phishing simulations, quarantining potentially harmful messages, and blocking messages from fake senders.
  • Compliance Center: Implement a retention policy to manage the data by proactively choosing how to retain or delete content.
  • M365 Admin Center: Use modern authentication‎ in ‎Exchange Online‎ to enhance your institution’s security with features like conditional access and multifactor authentication. (Microsoft‎ strongly recommends turning off basic authentication for your organization.)

More Ways to Boost Security

You can further enhance cloud security by modifying the settings related to Azure AD Premium P1, Intune, and Azure Information Protection (AIP) licenses. With Azure AD Premium P1, for instance, you can include your institution’s logo, color scheme, and other branding elements on your Azure AD sign-in pages. You can also employ the hybrid Azure AD joined devices, conditional access policies, and password protection features. Microsoft Intune integration lets you configure policies to control how your institution’s devices and applications are used, including smartphones, tablets, and laptops. And AIP allows you to use deep content analysis to minimize data loss and enhance the labeling capabilities of Microsoft 365 to protect documents and emails.

M365 Security Basics Can Help

There are countless security settings that can be adjusted in Azure AD and /M365, and Microsoft is always introducing new features. This can make it difficult for institutions to ensure they have the most appropriate security, identity, and compliance settings—but our CloudInsight™ M365 Security Basics solution can make the process easier. M365 Security Basics is a collection of services designed to give community banks and credit unions a cost-effective way to manage their M365 settings. It offers reporting, the delivery of Microsoft data in a user-friendly format; alerting, notifications of the most common indicators of compromise; and quarterly reviews, expert analysis of M365 Security Basics reports, and explanations of the risk visible on the report and ways those risks may be mitigated.

To learn more about how to customize your institution’s Azure AD and M365 settings to bolster cloud security, access our “Microsoft Azure and M365 Security Basics” white paper.

09 Mar 2022
Microsoft Azure and 365 Security Basics Continued

Microsoft Azure and 365 Security Basics Continued

Microsoft Azure and 365 Security Basics Continued

When your institution acquired Microsoft 365 (also known as M365 and formerly called Office 365), it automatically created a Microsoft tenant with Azure AD. Since that tenant belongs to your organization, you are responsible for managing Azure AD and its security settings. Microsoft Azure services enable various default features that could be incompatible with the security, identity, and compliance requirements of your institution. it’s essential to customize the settings in Azure AD, M365, and Exchange Online (or Azure AD Premium P1, Intune, and Azure Information Protection) to fit your organization’s needs.

Customizing Azure AD Defaults

  • Security Defaults — Turn on security defaults to make it easier for your institution to thwart cyberattacks by using preconfigured security settings. (If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.)
  • Password Policy — Configure the password policy applied to every user account that is created and managed directly in Azure AD. (Institutions with on-premises AD password policies governing password expirations should expect to manually synchronize their Azure AD password policy and their on-premises AD password policy.)
  • Azure AD Device Registration — Prevent users from joining devices on their own and require multi-factor authentication (MFA) to register or join devices with Azure AD.
  • Enterprise and Registered Apps — Keep non-administrator users from arbitrarily adding enterprise or registered applications, which can significantly increase risk. Afterwards, make sure to review every enterprise and registered application.
  • External Collaboration — Restrict regular users from inviting guests for collaboration and keep guest users from signing into your apps and services with their own work, school, or social identities.
  • Hybrid Identity with Password Hash Synchronization — Employ a hybrid identity architecture to synchronize users from on-premises Active Directory to Azure AD to minimize the number of identities users have across various platforms.
  • Azure AD Administration Portal — Limit regular users’ ability to read data in the Azure AD Administration Portal.
  • Administrator Review — Grant administrators only the specific permission they need to do their job and limit the number of static Global Administrator role assignments to fewer than five people.
  • Partners – When working with Microsoft-certified solution providers (partners) to purchase and manage solutions for your institution, they could be granted Global/Helpdesk admin roles giving them delegated administrative capabilities to your Azure instance. Make sure to review all partners and their delegated rights regularly.

Altering M365 and Exchange Online Settings

In M365, you can customize a variety of settings. In OneDrive, SharePoint Online, and Teams, look at configuring external collaboration capabilities of users. For Exchange Online, there are many settings to review but one to start with is the current forwarding capabilities and settings for users both globally and per-user. Modifying or reviewing these settings is highly advisable since they are inherently designed to facilitate interaction and external collaboration. In addition, you can use the Protection Center to secure mobile devices that are connected to your Microsoft 365 organization; the Security Center to refine email management; the Compliance Center to implement an effective data retention policy; and the M365 Admin Center to enhance security with modern authentication, which encompasses MFA. (According to Microsoft, 99.9 percent of account compromises can be blocked with MFA.)

And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

M365 Security Basics Solution

Once your institution has sufficient settings in place to support your policies, it is essential to monitor for exceptions with reporting and alerting features such as those provided with Safe Systems CloudInsight™ M365 Security Basics solution. Financial institutions that partner with Safe Systems can gain critical visibility into their security settings helping them successfully navigate the complexities of optimizing M365’s features..

For more information about how your institution can optimize Azure AD and O365/M365 settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

01 Mar 2022
Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

It can be challenging for financial institutions to manage security, identity, and compliance within Microsoft Azure Active Directory (Azure AD) and Microsoft 365 (also known as M365 and formerly branded as O365). Understanding the services and settings of the Azure AD and M365 ecosystem can make the process easier for IT administrators.

Some of the basic security settings that apply to most organizations fall under the free license level for Azure AD. These are also some of the low-hanging fruit that institutions can easily implement to make a dramatic difference in their security.

Security Defaults

One of the settings that can have the biggest impact is security defaults, which can be enabled to enforce a set of non-configurable conditional access policies. The policy set in Azure includes the ability to require multifactor authentication (MFA) and MFA registration for all users. It also offers the capability to block legacy authentication, which should be a high-priority goal for any organization.

Hackers can exploit basic authentication to effectively bypass MFA, which is a fundamental security service we recommend that every institution implement. If your institution has gone through the effort of enforcing MFA for users—but you’re not blocking basic authentication explicitly—there’s a major security gap. That gap should be addressed immediately, especially given Microsoft’s plans to decommission basic authentication protocols in Exchange Online in October 2022.

Identity Considerations

It’s also crucial to review the identity architecture for your financial institution. Any user, device, or app connecting to Azure should have an identity, whether it’s a guest user, mobile device, Mac OS device, or a Windows computer, so it can be assigned data access rights or even take on administrative capabilities. Every identity outside of Active Directory—which is the primary identity for users in many institutions—is another attack vector in a different system. An effective way to manage different identities is to consolidate them by sourcing them at the AD level and then synchronizing users and their password hashes to Azure AD. You should also review the level of access for all administrators as well as partners as they represent a huge risk downstream. Reviewing the level of access for partners goes beyond security; it’s also a matter of regulatory compliance.

Additional Considerations

Depending on your institution’s license level, there are additional Azure and M365 settings you can adjust in the areas of protection, compliance, and administration. For example, global auditing is an essential setting that should be enabled to augment security and facilitate troubleshooting after attacks. You should also block settings allowing for open collaboration and outbound email forwarding to avoid data loss and minimize cyberattacks.

If your institution is at the M365 level, it also needs the mobile device management (MDM) platform that offers sufficient protection. Exchange Online has built-in MDM capabilities but these capabilities do not extend to all M365/O365 apps.

Conditional access policies govern sign-ins and attempts. They can enable the enforcement of MFA and are the highest control layer for determining who has access to the data within Azure’s security ecosystem.

Since data lives outside of Exchange Online in the M365 world, if your institution has specific compliance requirements for retention, your retention policies will generally need to extend to all data.

M365 Security Basics

Adjusting all the security settings of Azure AD and M365 can be a daunting task, especially since Microsoft is constantly updating the features of its technology services. Our CloudInsight™ M365 Security Basics solution provides insights into security settings for Azure AD and M365 tenants. It helps IT administrators navigate the complexities of customizing their institution’s security settings through three services: reporting, alerting, and quarterly reviews.

The reporting service provides ongoing Microsoft data and packages it into a readable format that shows security settings at a glance, allowing institutions to easily see irregularities, such as when users sign in from Outside of the USA. Alerting sends a notification when an activity indicates that a potential compromise has occurred. With the quarterly reviews, trained experts analyze the settings, reports, and alerts and review them with administrators so they can speak with confidence to their board, steering committees, and auditors about their institution’s technology services and cloud security.

If you need help understanding how M365 Security Basics can support your financial institution’s risk mitigation or strategic planning efforts, contact us. You can learn more about this topic with our “How to Manage Security Identity and Compliance within the Microsoft Azure and M365 Ecosystem” webinar.

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

17 Feb 2022
Microsoft Azure and 365 Security Basics Featured Blog Image_Featured Image

Microsoft Azure and 365 Security Basics

Microsoft Azure and 365 Security Basics Featured Blog Image_Featured Image

Financial Institutions that employ Microsoft 365 (also known as M365 and formerly branded as Office 365) are in the Cloud, and therefore, face a growing number of cyber threats. Consider this: The FBI’s Internet Crime Complaint Center (IC3) has seen a 400-percent increase in cybersecurity complaints since the pandemic started.

The surge in cybercrimes means financial institutions that use M365 need to focus on protecting their assets in the Cloud. Our CloudInsight™ M365 Security Basics makes it easy and affordable for institutions to start the process. M365 Security Basics provides visibility into security settings for Microsoft Azure Active Directory (Azure AD) and M365. Banks and credit unions can leverage this multi-faceted solution to get ahead of cyber threats and enhance cloud security.

Importance of Customizing Your Azure AD and M365 Settings

Your financial institution likely has a Microsoft tenant with Azure AD, whether you realize it or not. This is partly because every exchange online and M365 implementation requires the creation of a Microsoft tenant and Azure AD, even if the services are managed through a third party. There are also many other scenarios requiring the creation a Microsoft tenant, making it rare for most institutions not to have one.

It is important to understand whether you have a Microsoft tenant with Azure AD because the tenant belongs to your institution—not the licensing reseller—it is your obligation to know how to manage the security settings in these systems, including Azure AD, M365, and Exchange Online. This can be challenging because Microsoft’s default settings might conflict with your institution’s security and compliance requirements. Therefore, you must customize these settings to create more sophisticated and appropriate security, identity, and compliance policies for your institution. This should entail building policies around what users are allowed to do, what your institution’s risk assessment defines, what your institution’s compliance policies dictate, and what users will tolerate.

Once your institution has sufficient policies in place, it is essential to monitor for exceptions with reporting and alerting. And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

How M365 Security Basics Can Help

Microsoft is constantly adjusting its platforms and automatically enabling new features to adapt to an ever-evolving security environment, making it difficult for banks and credit unions to keep up. Partnering with a value-added technology expert like Safe Systems can help you better manage your M365 tenant. Our M365 Security Basics service identifies cloud security blind spots and common risks such as compromised user accounts, enabled insecure protocols, and targeted phishing or SPAM attacks.

M365 Security Basics key services:

  • Reporting – Collects Microsoft data that may not be readily available to institutions and assembles it in a user-friendly format
  • Alerting – Delivers notifications for the most common indicators of compromise in Microsoft M365 tenants
  • Quarterly reviews – Provide a vital, objective look at M365 Security Basics reports to help institutions determine the optimal security settings for their requirements

The Importance of MFA

An invaluable security control financial institutions should also consider implementing is multi-factor authentication (MFA). MFA applies a combination of factors to validate people’s identity before giving them access to sensitive data, account information, and other assets. MFA offers effective, low-cost protection against cyberattacks and other threats; and not implementing this security feature in Azure AD is risky. According to Microsoft, 99.9 percent of account compromises can be blocked with MFA, but the overall MFA adoption rate we have seen in the financial industry is only around 46 percent.

The bottom line: Microsoft is constantly enabling and disabling features in Azure AD and M365—, therefore, financial institutions must be able to manage the complexities of optimizing their security, identity, and compliance settings. To learn more about how your institution can customize Azure AD and M365 settings to enhance cloud security, read our “Azure and M365 Security Basics” white paper.

30 Dec 2021
Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective ( RTO ), recovery point objective ( RPO ), replication , and recurring testing .

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management . It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program . Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.

Subscribe to our blog

 

28 Dec 2021
Cybersecurity Insurance and Multi-Factor Authentication

Cybersecurity Insurance and Multi-Factor Authentication

Cybersecurity Insurance and Multi-Factor Authentication

Financial institutions are increasingly embracing cybersecurity insurance as an important aspect of their information security program. Cyber insurance can offer vital coverage to protect businesses from various technology-related risks. Data breach insurance, for example, helps companies respond if personally identifiable information gets lost or stolen from their computers—whether intentionally by a hacker or accidentally by an employee. Cyber liability insurance offers expanded protection to help businesses prepare for, respond to, and recover from cyberattacks.

As cybercrimes continue to intensify, more cybersecurity insurance companies are calling for organizations to employ multi-factor authentication (MFA). Some carriers are even refusing to provide insurance quotes to companies that are not using this authentication method. From their perspective, MFA adoption makes perfect sense; it keeps unauthorized individuals from accessing sensitive information, reducing ransomware, data breaches, and other cyberattacks. This, in turn, minimizes insurance claims and saves carriers money.

For insurance providers, MFA is appealing because it lowers cyber risk by requiring users to verify who they are. The individual must furnish valid identification data followed by at least one other credential: a password, one-time passcode, or physical characteristics like their fingerprint or face. This strict authentication system allows organizations to certify people’s identity—before granting them access to sensitive information, an account, or other assets—and this can significantly strengthen their security.

While MFA is heavily promoted by many cyber insurance companies, an institution’s regulators may not require financial institutions to use multi-factor authentication. However, implementing MFA for a whole internal network may not be a simple task. Depending on the solution, it may require installing agent software to all the endpoints requiring MFA and configuring appropriate “break-glass” accounts for emergency use, which creates more infrastructure to be monitored and managed.

MFA Implementation Tips

To simplify MFA implementation, Banks and credit unions can apply a sequenced strategy instead of jumping straight to the internal network. As a first step, institutions can ensure MFA is turned on for all remote-access users, including creating endpoint control policies for their devices. The next logical step would be to lock down MFA for cloud applications. This includes Microsoft Online services like M365 (formerly Office 365) and Azure Active Directory (Azure AD). These solutions come with a variety of free security features that organizations can customize to their business requirements. Even at low licensing levels, these products allow MFA to be turned on for all users—which can be highly effective for averting business email compromise and ransomware attacks. But institutions will need higher-level licensing if they want to make conditional access policies based on the specific location, identity, or device of users. Azure AD Premium P1 and M365 Enterprise E3, for example, have a variety of advanced features that allow conditional access policies to be established to enhance security.

MFA is just one layer of security for banks and credit unions to consider. We hope this post provided some insight into applying MFA for both security and insurance purposes. To learn more about this topic and other security layers, listen to our recent “Ransomware, Cybersecurity, and MFA” webinar, hosted by our Chief Technology Officer, Brendan McGowan.

16 Nov 2021
Using the Free Features of Microsoft Azure AD and O365/M365 to Enhance Cloud Security

Using the Free Features of Microsoft Azure AD and O365/M365 to Enhance Cloud Security

Using the Free Features of Microsoft Azure AD and O365/M365 to Enhance Cloud Security

Microsoft Azure Active Directory (Azure AD) and Office 365/M365 have a variety of free security settings that financial institutions can customize to their needs. These settings are important because they can enhance an institution’s cloud environment and operational security—and they’re available to everyone with Azure AD or O365/M365. Remember, even if the license was acquired through a third party, your institution is still responsible for managing all the security features of these cloud-based solutions.

Be aware that while adjustments made to the defaults can strengthen your cloud security, they will also impact the way people use the products. For instance, multifactor authentication (MFA) is a great first step at improving the security of your cloud environment but does impact how your users will log in.

Here are some other important free security settings you can optimize in Azure AD and/or O365/M365 to enhance security:

  • Global Auditing — The global auditing feature logs events that happen across Azure AD and O365/M365. It is advisable to enable Global Auditing. The information gained with this feature can help troubleshoot problems and investigate issues. Once Global Auditing has been enabled, it can take about 24 hours for the new setting to take effect.
  • Alert policies — Alert policies are designed to help you monitor threats against your existing resources. There are default built-in policies, and you can also create additional custom policies for free on your own. Keep in mind, you need to set the target recipient(s) for these policies.
  • Sharing in Microsoft OneDrive and SharePoint — Since these products were created to foster collaboration, their default setting is normally set to enable external data sharing. This allows users to create anonymous access links that make it possible for anyone in any organization with OneDrive and SharePoint to sign in and view their information. It is recommended that you review the level of sharing to control the flow of data based on what is appropriate for your organization.
  • External access in Microsoft Teams — Teams is set up by default to make it easy for individuals to connect with users located anywhere in the world, even in other organizations. You should review the platform’s security and compliance settings to ensure it fits your organization’s standards. You can block all external domains to restrict users’ ability to communicate externally.
  • Enterprise applications — Enterprise apps can represent a huge risk if users have the freedom to add them on their own. You can change the security setting to prevent anyone from randomly adding apps without the administrator’s approval. When this feature is activated, Microsoft will block users’ attempts to add apps and notify the administrator, who can approve or deny their requests.
  • Application registrations — Similarly, institutions can alter their security features to block users from registering any applications. There’s rarely a reason to allow users without administrative rights to create app registrations, so reviewing and/or adjusting this setting is essential.

Making these adjustments will help you to maintain control over users’ activities and tighten security. To learn more about M365 security topics, listen to our recent webinar, Ask the Experts: O-M365 Security Basics for IT Administrators.

Safe Systems’ M365 Security Basics solution provides visibility into these and other security settings and allows banks and credit unions to regularly monitor and review their configurations making it easier for them to manage their Azure AD and O365/M365 accounts.

26 Oct 2021
Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Our CloudInsight™ M365 Security Basics solution is helping community financial institutions increase their security posture. Take Glennville Bank, for example. The Georgia community bank, which has $312 million in assets, seven locations, and 66 employees, jumped at the chance to capitalize on the service to identify and secure threats to its Microsoft 365 settings. M365 Security Basics provided the bank with greater visibility into cloud security settings for Azure Active Directory (Azure AD) and M365 tenants through reports and alerts.

Like most financial institutions, Glennville Bank leverages technology to better serve its customers and maintain its operations. Also, like other institutions, the bank has a variety of Microsoft licenses, and managing the security settings for these products became difficult and time-consuming, particularly for Glennville Bank’s network administrator, Zach Horn, who describes his proficiency with Microsoft as “fairly limited.”

“Given the complexity of our cloud tenant settings, I’m not comfortable enough with Microsoft or their updates to manage every setting correctly,” Horn explained. “With all the potential security risks out there, I knew I needed reports that could help me identify risky security settings, monitor identity controls, and ensure our configuration matches our information security policy.”

With M365 Security Basics, Glennville Bank was able to set data trends and identify several settings that needed addressing, such as creating a baseline for failed logins. The bank also discovered that its user access details were often inconsistent, and through the M365 Security Basics service they received easy-to-follow instructions for correcting the problem. “Safe Systems did a great job fine-tuning the product to the demographic we needed,” Horn said. “Their knowledge has been helpful in pointing me in the right direction in knowing which Microsoft licenses I need to go to in the future.”

Product Highlights

M365 Security Basics is the first offering in Safe Systems’ CloudInsight™ family of products. It’s specifically designed for community banks and credit unions that have Microsoft 365 products (Exchange Online, SharePoint, or OneDrive), use Azure AD, and store non-public information in the cloud. M365 Security Basics’ reporting, alerts, and quarterly reviews are customized to help financial institutions improve their cloud security awareness by identifying potential risks and common signs of compromise. The product is developed by engineers who hold dozens of certifications, including the Microsoft 365 Certified: Security Administrator Associate certification. M365 Security Basics makes it easier for institutions to monitor their configurations for current and new features that are automatically enabled by major cloud providers like Microsoft Azure.

The powerful reporting from M365 Security Basics enables financial institutions to review vital Microsoft cloud tenant settings. This allows them to recognize unsafe security settings, examine identity controls, make sure their configuration is consistent with their information security policy, and demonstrate this to examiners and stakeholders. Reports are available as “Summary” versions (with brief information, such as the Tenant Summary and User Summary) and “Details” versions with more in-depth data. (Glennville Bank uses the Tenant Summary to highlight important issues during IT steering committee meetings.)

M365 Security Basics also offers alerts and quarterly reviews as add-on services. Alerts provide notifications about the most common indicators of compromise (like unauthorized access) and are grouped under Azure AD Roles, Azure AD Sign Ins, OneDrive, SharePoint, and Exchange Online. The quarterly reviews give institutions a periodic, objective analysis of their recent M365 Security Basics reporting, so they can gain a better understanding of their Microsoft 365 tenant security.

CloudInsight™ M365 Security Basics not only helps financial institutions like Glennville Bank secure their information but also makes it easier to compile data required for examiners. Read the complete Glennville case study to see how your organization can benefit from M365 Security Basics.

13 Oct 2021
Stories from the Front Lines

Stories from the Front Lines: How Real Financial Institutions Handled an O365/M365 Cloud Security Compromise

Stories from the Front Lines

Microsoft 365 (formerly Office 365) comes with an array of settings that customers can modify to enhance their security controls. When these settings are not effectively adjusted though, serious cloud security compromises can ensue. Our M365 Security Basics solution helps financial institutions detect and respond to potential problems. From our recent webinar, here are real-life stories about financial institutions (whose names have been changed) that had their cloud security compromised. See how they handled each situation, so you can learn what to do and not do to secure your O365/M365 account.

Loan Officer – Email Forwarding

Luke, a loan officer, is constantly emailing people inside and outside his organization. He often sends sensitive information but uses encryption to protect his outbound emails and multi-factor authentication (MFA) to protect his identity. Somehow his email account was compromised—for eight whole months—before the problem was discovered. Our M365 Security Basics reporting indicated there was an issue with his email being forwarded to an external domain. We worked with the IT administration team to confirm that a suspicious Yahoo address was not an authorized send-to address for the emails Luke had been receiving. The intruders’ cunning scheme involved a modified mailbox setting that predated Luke’s MFA setup and the other precautions Luke had implemented. We were able to resolve the compromise by removing the forwarding property. Moving forward, Luke’s IT team needs to keep a close watch to ensure the organization’s email accounts are protected.

IT Administrator – Global Auditing

Han works at a smaller organization and wears multiple hats as an IT, compliance, and security administrator. While he’s not well versed in cloud security, Han thinks the cloud is the best option for his organization. He selects various Microsoft cloud resources and works with a vendor to establish a tenant in Azure Active Directory (Azure AD), which is a requirement for O365/M365. Han provisions his account administrative rights in Azure, synchronizes users and passwords, and gets help training end-users on Microsoft 365 services like OneDrive, SharePoint, and Teams. Then he notices an Azure AD account that he and his team have never seen—and the name of the account is strangely almost identical to an existing end-user. Han called our support staff for assistance and learned that his global administrator account had been compromised. To make matters worse, Han had left his security settings at defaults and had not enabled global auditing, which meant there was no way to determine what the attacker had changed in the system. The best solution was to move the organization’s data, email, and identities to a brand new Microsoft tenant. This extensive migration project could have likely been avoided if Han had enabled MFA and the proper audit settings.

HR – External Document Sharing

Human resources vice president Leah employs a variety of technologies to facilitate working from home and the office. Leah relies on the Cloud, and desktop and mobile apps to access documents on all her devices and enjoys using Teams to share files with others in her organization. Using these technology services has caused her to inadvertently place the company at risk of exposure and identity compromise because her IT administration team had not implemented the appropriate security controls for all their organization’s licensed technology services, creating a security gap. Luckily, the IT team received an M365 Security Basics alert for a file being shared externally in OneDrive, which is a common alert that we see. There was also enough data in the alert to indicate the multiple bad security, identity, and compliance practices that Leah has. The IT team resolved these issues by reducing the default sharing levels of SharePoint Online and OneDrive and retraining Leah on good and bad practices for security, identity, and compliance.

CEO – Multifactor Authentication

As the CEO of his organization, Chewy’s contact information is very public; his email address is prominently displayed on the company’s website, LinkedIn, and other social media platforms. Chewy uses multiple devices to get work done in the office and at home. He often signs into whatever computer is handy, whether it’s his or his wife’s laptop. Chewy’s account is under attack in Azure AD from a Russian IP. M365 Security Basics Alerting was able to notify his IT team of this by way of the Large Number of Failed Sign Ins for a Single User alert. Unfortunately, the IT department did not require MFA registration for most of the organization’s users, including Chewy, even after being alerted to the attack. The Russian attackers eventually compromised Chewy’s account. Once they did, our alerting engine promptly notified the IT team of a successful sign-in from outside of the USA, which they promptly responded to, limiting the amount of time the account was compromised.

Listen to the full stories or watch the complete webinar.

11 Oct 2021
What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

  • Employee training to ensure adequate, effective, and safe practices
  • Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
  • Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

29 Sep 2021
Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

It’s important for financial institutions to understand Microsoft Office 365 (O365) and M365 settings, so they can optimize the security controls and quickly detect potential areas of compromise. The educational journey begins with acknowledging the role of Azure Active Directory (Azure AD), Microsoft’s cloud-based user authentication platform.

When your institution purchased O365 (recently rebranded as M365), it established a Microsoft tenant with Azure AD. Since that tenant belongs to you and your institution—not the licensing reseller—it is your responsibility to understand Azure AD and its controls. This is where you can customize the settings to create more sophisticated and appropriate security policies for your institution.



Monitoring for Exceptions to Security Controls

Once your institution has good policies in place, it’s essential to monitor for exceptions. There are so many security controls to check; it can be difficult to know if there is a policy exception or even an active compromise. As an added challenge, some controls can have a major impact on the user experience, and these controls cannot be created arbitrarily by a third party simply based on what is presumed to be best practice.

Therefore, you must build policies around what users are allowed to do, what your institution’s risk assessment defines, and what users will tolerate. Making appropriate policy-related adjustments to O365/M365 requires knowing how to connect with and analyze specific Microsoft data to modify the related security controls. Microsoft has created a plethora of controls, which can be difficult for many customers to navigate. That’s where it can be beneficial to partner with a value-added reseller like Safe Systems.

M365 Security Basics

Safe Systems consults with clients to help them best use O365/M365 controls and uncover their cloud security “blind spots.” M365 Security Basics is the first CloudInsight™ offering that provides visibility into security settings for Azure Active Directory and O365/M365 tenants.

M365 Security Basics consists of three main parts—reporting, alerting, and quarterly reviews— that your institution can choose from based on its needs. The reporting feature pulls Microsoft data that may not be easily accessible and compiles it into a user-friendly format. The reports show the fundamental settings at a glance, so institutions can track configuration changes over time. There are summary reports that IT administrators can use to quickly identify anomalies in their organization as well as detailed reports that include the specifics of a given anomaly.



While reporting generates important ongoing details, it can produce a substantial amount of information for you to review. Alerts can notify you as soon as possible about the most common setting changes or activity that can represent an indicator of compromise, so you can investigate and respond.

With the quarterly review component, Safe Systems will help you walk through the content of all your reports and discuss your overall strategy for adjusting the configurations. Having all this data at your fingertips makes it easier to make assessments to determine which settings are right for your organization. Two key settings to enable are multi-factor authentication—which should be universal for every user because it adds a critical layer of protection to the user sign-in process—and auditing which is crucial for investigating changes.



Educate. Expose. Empower.

The goal of M365 Security Basics is to educate financial institutions about the unfamiliar concepts related to O365/M365, expose the reality of what they are already living today, and empower them to take action where changes are needed.

For more information about how to understand O365/M365 settings to ensure your security controls are effective, listen to our webinar on “Cloud O365-M365 Security – Do You Know if You Are Currently Compromised?”

21 Sep 2021
Multi-Factor Authentication Offers Secure, Reliable Access Control

Multi-Factor Authentication Offers Secure, Reliable Access Control

Multi-Factor Authentication Offers Secure, Reliable Access Control

In our increasingly digital world, financial institutions must go beyond requiring only usernames and passwords for the sign-in process. They need to employ a combination of factors to validate the individuals using their resources, whether they’re customers accessing electronic products and services or employees accessing systems, applications, and data. Institutions can choose various levels of authentication to verify people’s identity before giving them access to sensitive information, accounts, and other assets. However, multi-factor authentication (MFA) offers a secure and reliable approach for reducing the potential for unauthorized access.

One of the key values of MFA lies in its use of multiple factors for the validation process. MFA adds a layer of protection by requiring users to present a variety of elements to prove who they are. With this method, users must supply valid identification data such as a username followed by at least two types of credentials, such as:

  • Something the person knows: This represents “secret” information that is known or shared by both the user and the authenticating entity. Passwords and personal identification numbers (PINs) are the most commonly used shared secrets, but newer methods of identification are gaining popularity. Users may be required to answer questions that only they should know, like the amount of their monthly mortgage payment. Another example is they might have to identify their pre-selected image (chosen when they opened their account) from a group of pictures.
  • Something the person has: This is often a security token or a physical device, such as an I.D. card or smartphone, that people must have in their possession. Password-generating tokens can significantly enhance security because they display a random, one-time password or passcode that the recipient must promptly provide to complete the authentication process. Having unpredictable, one-time passwords makes it more challenging for hackers to use keyboard logging to steal credentials.
  • Something the person is: This more complex approach to authentication uses a physical characteristic (biometrics) such as face, fingerprint, or voice recognition to verify people’s identity.

Since MFA incorporates factors based on knowledge, possession, and/or biometrics, it makes it more difficult for cybercriminals to compromise people’s identity. Thus, MFA is an ideal verification method to use when more sensitive or critical assets are at stake. MFA is so reliable that the Federal Financial Institution Examination Council (FFIEC) recommends applying it in more high-risk situations. “Management should use multi-factor authentication over encrypted network connections for administrators accessing and managing network devices,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet.

MFA gives financial institutions a valuable security control for their internal and cloud resources. Take our quiz to see how much you know about multi-factor authentication.

08 Sep 2021
Key Terms FIs Need to Know for Microsoft 365 (Office 365) and Azure Active Directory

Key Terms FIs Need to Know for Microsoft 365 (Office 365) and Azure Active Directory

Key Terms FIs Need to Know for Microsoft 365 (Office 365) and Azure Active Directory

Many financial institutions rely on Microsoft 365 (formerly Office 365) and Azure Active Directory (Azure AD) to access resources that can enhance their employee productivity and business operations. Here are some basic, but important, terms to keep in mind for these products:

  • Microsoft 365 (M365) versus Microsoft Office (O365)

Microsoft announced early last year that it was rebranding most of its O365 products to M365.

“We are changing the names of our Office 365 SMB SKUs on April 21, 2020. Yes, that’s right, the Office 365 name is hanging up its jersey and making way for Microsoft 365.”

Because Office 365 was so widely used, it has taken a while for this name change to catch on. Adding to the confusion, Microsoft already had M365 products prior to the name change. In most cases today, M365 and O365 are terms that are used interchangeably.

  • Azure AD

Microsoft Azure AD is a cloud-based identity and access management service that enables users to sign in and access various resources. You may be familiar with Active Directory as your on-premises identity management platform. What you may not realize is this: When you purchased M365, you received Azure AD along with it. Azure AD allows your employees to sign into resources like M365, the Azure portal, and other SaaS applications. They can also use Azure AD to sign into some of your institution’s other resources, such as apps on the corporate network and intranet.

  • Azure AD Sign in

Since all O365/M365 services are funneled through Azure AD, whenever employees try to access these resources, they must first sign in to Azure AD. Essentially, Azure AD facilitates sign-in attempts by authenticating users’ identities. Because Azure AD works behind the scenes, employees may not realize they’re not directly signing into O365/M365.

  • Basic versus Modern Authentication

Customers of O365/M365 and Azure AD can choose basic or modern authentication to access their services. Basic authentication requires simple credentials like a username and password while modern authentication goes a step further with multi-factor authentication. This advanced login protocol requires a username, password, and another identity verification such as scanning a fingerprint, entering a code received by phone, or using the Microsoft Authenticator app. This adds another layer of protection to the sign-in process before users can access their O365/M365 and Azure AD accounts.

Safe Systems can make it easier for financial institutions to strengthen their security posture when using cloud-based solutions like M365 and Azure AD. M365 Security Basics provides visibility into security settings for these products through in-depth reporting, alerting, and quarterly reviews.

01 Sep 2021
FIs Must Plan Ahead for IT Projects to Get Hardware in Time

FIs Must Plan Ahead for IT Projects to Get Hardware in Time

FIs Must Plan Ahead for IT Projects to Get Hardware in Time

The coronavirus pandemic has fueled ongoing inventory and material shortages in a number of industries and IT is no exception. Many components, such as servers, routers, firewalls, network switches, phones, keyboards, microphones, webcams, and more are still in relatively short supply. We’re seeing lead times for hardware delivery lasting four to six months—and the situation could get worse with the Delta variant. So, it’s crucial for financial institutions to plan ahead when ordering IT equipment.

There’s a combination of factors driving these hardware shortages and delivery delays. With more people working from home, there’s an increased need for hardware, and the rise in demand for electronic devices has placed an extra load on the semiconductor industry. Semiconductors, commonly referred to as computer chips or chips, are a core element in almost everything electronic. The semiconductor market is also consolidated with only three manufactures who can produce the most advanced chips. These factors account for some of the reasons why chips are becoming scarce during a time of heightened demand. Currently, semiconductor lead times are stretching to more than 20 weeks—almost three times the pre-pandemic norm, according to Bloomberg.

Another key factor in hardware shortages is the just-in-time production (JIT) model that many companies, including those that manufacture chips, use to turn out small batches of products instead of creating huge inventories. While this lowers their production costs, it can cause supply chain problems when there’s a rapid surge in demand. Employee shortages worsened by the pandemic have only helped to strain hardware supply chain output even further.

If you’re planning to make upgrades or replace any end-of-life (EOL) equipment, you should order it now to help ensure your institution gets what it needs in time. Another issue is not about ordering the hardware; it’s about having time to properly execute the implementation. For instance, if you need new servers, routers, or phone systems, you need ample lead time to design the project, sufficient time for deployment, and additional time to ensure everything works properly post-implementation. Thinking ahead will make the hardware acquisition and implementation much easier to manage in the long run.

Potential Impact of Not Planning Ahead

Lack of effective planning for hardware purchases could result in serious complications. For instance, if you need a new phone system, you might not be able to secure phones, switches, and routers in time for your scheduled implementation. The delivery delay could be several months which not only impacts deployment but also results in a disruption to your current business functions.

In addition, a delay in installing new equipment could lead to security problems. Often, the new version of software will not install on old hardware, which could leave your institution using obsolete software that doesn’t get the appropriate patches and updates. So, actively researching any EOL issues that could lead to this problem is critical, (Incidentally, Microsoft Server 2012 is coming up on its EOL.)

Keeping hardware and software properly updated is also a matter of regulatory compliance for financial institutions. Management should implement policies, standards, and procedures to identify assets and their EOL time frames to track assets’ EOLs and to replace, or upgrade, the asset, according to the FFIEC Examination Handbook’s Architecture, Infrastructure, and Operations booklet. The guidance states, “Failure to maintain effective identification, tracking, and replacement processes could have operational or security implications (e.g., unavailable or unapplied security updates [patches] that make technology vulnerable to disruption).”

The bottom line is: If you need any IT equipment, it could be months before it’s available. So, plan your project accordingly and order the hardware as soon as possible to ensure the success of your implementation timeline. If you need assistance with researching lead times on hardware such as servers, routers, firewalls, network switches, and more or would like support with EOL products and planning for what is ahead, Safe Systems has experts on hand to help.

10 Jun 2021
Resource Center

Technology, Compliance, and Security Best Practices – All in One Place

Resource Center

A few years have passed since we launched the Safe Systems online Resource Center, which provides community banks and credit unions access to a centralized knowledge base of materials that help you learn more about technology, compliance, and security best practices.

With a wide variety of content, ranging from videos to white papers to case studies, the Resource Center allows you to stay current with the latest trends and insights in the industry. For example, visit the Resource Center to view our latest webinar, infographic, or a short and timely blog. Come back often, as we add new content every week!

Just in case you missed our Resource Center reveal, or you would like a few more details on what it has to offer, please view the original blog post here.

03 Jun 2021
What CEOs Should Know about Disaster Recovery

What CEOs Should Know about Disaster Recovery

What CEOs Should Know about Disaster Recovery

Disaster recovery—the process of restoring IT infrastructure, data and systems in the aftermath of a major negative event—is a specialized area of technology that’s not always top of mind for executives. CEOs must ensure their organization is equipped to quickly resume mission-critical functions following a calamity.

Here are some key considerations that bank CEOs should keep in mind to make sure their financial institution has a feasible approach to disaster recovery.

Expect the Unexpected

A disaster can happen anytime—and in any form. While people typically think of disasters as being natural occurrences, manmade catastrophes such as power outages, equipment failures, cyber attacks, and network downtime due to human error are equally common causes of disruption. Regardless of the source, the need for DR is truly a matter of when—not if. So, CEOs should get comfortable with the uncomfortable idea that some type of disaster will eventually impact their institution.

Be Proactive

DR planning is the key to both preventing disasters, and when they do eventually occur, successfully recovering from a natural or manmade calamity. Not having a sufficient plan in place can hit an institution where it hurts most: a loss of data, business functions, clients and reputation—not to mention time and money. Therefore, bank CEOs must ensure their management team is taking proactive steps to adopt effective DR strategies. This includes implementing—and testing—a plan for getting operations back to normal with minimum interruption.

Besides the practical need for DR planning, the Federal Financial Institutions Examination Council (FFIEC) advocates taking a preemptive approach to this often overlooked area of technology. The FFIEC IT Handbook’s Business Continuity Management booklet advises: “Management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the BIA. In addition, management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software.”

The business impact analysis (BIA) is one tool that bank management can use to ensure their financial institution is adequately preparing for DR. This important mechanism predetermines and prioritizes the potential impact disruptive events will have on business functions. Essentially, the BIA can show gaps in critical processes that would impede disaster recovery and, in turn, the institution’s business continuity.

Consider Outsourcing DR

The intricacies of disaster recovery planning can be daunting, which is why many organizations fail to create a viable DR plan. More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyber attacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient and cost-effective. Outsourcing DR can be especially advantageous to smaller banks that may lack this type of specialized knowledge in house. It can also benefit larger institutions that want the comfort of having third-party services available to support their resident DR specialists.

CEOs have a lot on their plates but paying attention to these important DR issues can help ensure both operational resilience during a disaster as well as regulatory compliance. To learn more about how Safe Systems helps financial institutions and their CEOs develop well designed, compliant DR plans, explore our Managed Site Recovery solution.

27 May 2021
Kids on Banking – 3 Years Later…

Kids on Banking – 3 Years Later…

 

Kids on Banking – 3 Years Later…

It’s been almost 3 years since our 25th anniversary, and thus, the introduction of our Kids on Banking project. Designed to give us a refreshing perspective on banking from the minds of children, Kids on Banking offers a little comedic relief in stressful times. Who knew banking concepts could be so fun?!

While we are so grateful to have spent the last 28 years serving more than 600 financial institutions and managing more than 20,000 network devices, we are even more excited to see what the next 28+ have in store.

In case you missed our original Kids on Banking reveal, view the blog (and adorable video!) here.

06 May 2021
After the Disaster: Real Community Banking Recovery Stories

After the Disaster: Real Community Banking Recovery Stories

After the Disaster: Real Community Banking Recovery Stories

Even the best-laid plans can go awry—especially after a disaster. Our real-life stories from actual community financial institutions underscore the importance of having an effective disaster recovery (DR) process in place.

It’s obvious that a disaster can strike anywhere and anytime. What’s less obvious is that a natural disaster doesn’t have to happen for a financial institution to implement its DR plan. For instance, a server room and all the equipment inside could become damaged by a fire or flood. A power outage or loss of a communications line could take out an institution’s phones, email, and internet. This could be devastating because communication is such an integral function of a financial institution.

Not knowing how long a power outage will last can further complicate the issue. If the outage stretches over a few hours or days, the institution should be thinking about implementing its DR process. But making that call can be difficult. That’s where having an outside team of DR experts available can be helpful. For example, we can help institutions quickly leverage Microsoft Azure for cloud site recovery. We can also assist with ongoing monitoring, maintenance, and testing to ensure the viability of their DR plan.

Real DR Stories from Community Banks

For example, a tornado struck one of our community bank clients and severely damaged its main office. The branch was rendered completely inoperable, unable to serve customers or employees. Fortunately, the critical servers that were housed in the building were not destroyed, and we were able to relocate them to a different branch location. The bank operated the servers from that site for a year while the main office was being rebuilt. Ultimately, we returned the servers to their original location and made the necessary reconfigurations to get everything functioning again. Moving the severs to a different place allowed the bank to avoid failback, which can be the most complicated aspect of the disaster recovery process.

Another DR scenario involves a financial institution on the South Carolina coast, where hurricanes frequently make landfall. In this case, a hurricane demolished the main office and completely flooded the location. As a result, the institution lost its servers, internet connection, and ability to communicate. The bank’s DR strategy relied on using 4G to restore internet connectivity, but the cell towers were down. Thankfully, the network had an old telecommunication circuit that we were able to get turned on and operational. So, after we dealt with the communication curveball, we were able to get the network—and bank—up and running again.

Community Bank in Alaska Shares Insights

It’s often the physical environment that determines the disasters that an institution may encounter. Potential hazards for Fairbanks, Alaska-based Denali State Bank include flooding from nearby rivers, jolting earthquakes, and volcanic eruptions on the Aleutian Chain. Therefore, Denali State Bank—which has $380 million in assets and 150 endpoints across five branches—focuses on ensuring that it has critical IT staff and services available during a disaster.

As part of its DR solution, the bank maintains a designated alternate site—one of its branches—that sits on a separate portion of the power grid. Denali also uses cloud-based Microsoft Azure, which makes it easy to run and test critical functions. During testing, the bank can shut down all connections to its main office (including large SQL servers), quickly spin up everything virtually through Azure, and establish connectivity through a Safe Systems co-location facility. This helps to ensure that vital functions will work properly to support the institution after a disaster.

Get more community banking DR insights. Listen to our webinar on “After a Disaster: Real Community Banking Recovery Stories” to make sure your institution is better prepared for an unexpected negative event.

29 Apr 2021
The 4 “Rs” of Disaster Recovery

The 4 “Rs” of Disaster Recovery

The 4 “Rs” of Disaster Recovery

Organizations can be impacted by a natural or manmade disaster at any time. Having an effective approach to disaster recovery (DR) can help banks and credit unions meet their regulatory obligations, better protect themselves from the impact of a significant negative event and enhance their ability to bounce back and continue operating in the aftermath of a disaster.

There are four “R’s” when it comes to disaster recovery that every financial institution should focus on: Recovery Time Objective (RTO); Recovery Point Objective (RPO); Replication; and Recurring Testing. Here’s why each of them is integral to DR:

RTO

RTO, the longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens, is a crucial facet of DR. Established RTOs essentially represent trade-offs, with shorter RTOs requiring more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. Ideally, financial institutions will have RTOs predetermined before a disaster strikes, and the RTOs will be included in the institution’s Business Impact Analysis (BIA) as part of the business continuity planning process. Following a disaster, the recovery process will depend on the type of institution, technology solutions, and business functions as well as the amount of data involved. Institutions with an outside vendor guiding their disaster relief efforts typically have a more streamlined and less stressful recovery process.

RPO

The RPO represents the amount of time between a disaster occurring and a financial institution’s most recent backup. If too long, and too much data is allowed to be lost, it could result in substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. The Information Security Officer (ISO) and management must define exactly how long they are willing to go without having a copy of their data available. As banks and credit unions become more dependent on technology, however, their tolerance for not having critical functions available shrinks. Increasingly, financial institutions are turning to outside vendors to bolster their recovery solutions, but they must ensure that those third-party providers are adequately equipped to satisfy their RPO requirements.

Replication

Effective DR replication is essential because it allows an exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. DR requires the duplication of data and computer processing to take place in a location not impacted by the disaster. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster. Options for recovery can take various forms: fully redundant systems at alternate sites; cloud-based recovery solutions (either internally developed or outsourced); another data center; or a third-party service provider; according to the Federal Financial Institution Examination Council (FFIEC).

Recurring Testing

Recurring testing allows banks and credit unions to pinpoint key aspects of their DR strategy and adjust as needed to accomplish their objectives. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback. The institution should employ a variety of tests and exercises to verify its ability to quickly resume vital business operations in a disaster situation. Regular testing can reveal possible problems in the institution’s DR plan so that it can immediately address these issues. The aim is not necessarily to pass each test or exercise, but rather to find and fix flaws before a disaster occurs.

Read more about how your bank or credit union can be better positioned to recover from a disaster. Download our “4 Rs of Disaster Recovery” white paper.

22 Apr 2021
Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

As part of business continuity management (BCM), banks and credit unions must ensure they can maintain and recover their operations after a catastrophic event happens. Their BCM strategy should outline all the significant actions they intend to take after a natural disaster, technological failure, human error, terrorism, or cyber attack. The goal is to lessen the disaster’s impact on business operations, so the financial institution can continue running with minimal loss and downtime.

Disaster recovery (DR) is essentially the IT part of the business continuity plan. It should address the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software needed to get operations back to normal, based on the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

The Need for a Comprehensive DR Solution

Financial institutions must have effective DR measures in place to ensure they can deliver the resources their employees need to continue serving customers after a disaster. That’s why having a comprehensive DR service is so critical. The simplest and most cost-effective way to accomplish this is with a cloud-based solution.

With DR in the Cloud, institutions are always prepared to respond to natural and man-made disasters as well as infrastructure and technology failures. The Cloud allows institutions to access their data—no matter what kind of disaster strikes. This could be crucial if a severe storm does damage to an entire city and multiple locations of a community financial institution. The institution would not be able to handle DR on-site, making the Cloud the most viable option. The March 25th outbreak of tornados in central Alabama is a good example of the potential need for cloud DR. The tornadoes tore into hundreds of miles of Alabama forest and neighborhoods, causing significant damage, according to the National Weather Service.

The Cloud provides major benefits in any DR situation, including ease, expediency, and efficiency. If institutions have been doing ongoing backups, they can leverage the Cloud to initiate DR right away. The process is quick; recovery can take minutes instead of hours or days as it did for older DR solutions. However, it’s important to set up DR processes so that they are not subject to issues that can impact the institution’s main system. Take, for instance, the rapidly increasing problem of ransomware. It’s important to have cloud DR services structured so that the DR backups cannot also be infected with the same ransomware.

Essential Aspects of a DR Service

Another essential element for a cloud DR service is testing. The test results should be documented and available for Management and the Board of Directors to scrutinize. This can help institutions ensure their expectations are being met by the DR service. Institutions that are not using a comprehensive DR service are more likely to delay the testing and validation steps that are critical to business continuity planning (BCP). It’s basic human nature: IT admins tend to prioritize addressing urgent day-to-day issues over doing routine testing.

So, either testing doesn’t get done regularly or it doesn’t happen at all. A third-party DR service with a team of experts available can make sure testing gets done at the proper time. Another important issue for institutions is having IT staff available with the appropriate knowledge when a disaster strikes. With an external service provider, someone with the right expertise will always be there to execute the disaster recovery. So, the success of the institution’s DR plan will not depend on the availability of just a few employees.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. It can give financial institutions the best bang for their buck. Not using cloud DR can be cost-prohibitive for many institutions, considering the hardware and software requirements, maintenance, ongoing testing, and documentation required. Ultimately, a cloud DR solution from an external service provider can give institutions the comfort of knowing their DR plan is being adequately tested and will work during a real disaster.

15 Apr 2021
Latest Microsoft Updates Show Importance of Patch Testing

Latest Microsoft Updates Show Importance of Patch Testing

Latest Microsoft Updates Show Importance of Patch Testing

In early March 2021, Microsoft published some cumulative updates for different versions of Windows 10, including KB5000802. Unfortunately, the new updates and patches caused a variety of problems, including workstation crashes when printing, problems opening emails in Outlook, and some vendor products, such as Fiserv’s Navigator, not displaying correctly.

As a result, many people could not use printers from several popular brands such as Kyocera and Ricoh, and the new patches caused some users to experience the dreaded “Blue Screen of Death” (BSoD) when they clicked on the “print” option in some apps. Ultimately, Microsoft addressed the issue and rolled out a fix for the printer problems.

Importance of Patch Testing

The problems associated with Windows 10 KB5000802 serve as effective real-world reminders of the importance of patch testing as these issues could have been avoided by implementing proper testing procedures. Vendors are constantly releasing patches to correct software problems, improve performance and enhance security. But as the recent Microsoft incident clearly shows, patches can sometimes trigger new problems while trying to address existing ones.

All of this demonstrates why it is so important for banks and credit unions to test patches before installing them. Ideally, financial institutions should create a test group of the different kinds of machines and applications used in their environment and then apply any newly released patches to the elements in the group. Besides being a pragmatic approach, utilizing a test group also adheres to guidelines of the Federal Financial Institutions Examination Council (FFIEC), and it helps effectively protect institutions from downtime, security breaches, and IT issues.

Value of a Third-Party with Financial Industry Expertise Managing Patches

The problems surrounding the latest Microsoft patch also illustrate the value that a qualified third-party IT expert like Safe Systems can bring to community banks and credit unions. Through our meticulous testing process, which includes more than 2,000 machines running a wide variety of banking and lending applications, Safe Systems was able to identify both general PC issues and banking application issues related to the patch. This regimented testing process, which follows FFIEC guidance, enabled Safe Systems to minimize the impact on more than 25,000 financial institution devices. As a result, clients were able to avoid major hassles and headaches with a vast majority of their devices.

Safe Systems issued an official notification about the situation, spelling out the specific problem, impact, resolution, and action required for customers and eliminated the patch from the environments of clients that were having trouble. Customers using NetComply One to manage patches didn’t need to take any additional action—unless they still had problems after the patch was removed. For clients with lingering complications, Safe Systems’ fully staffed Network Operation Center (NOC) was available to resolve their issues quickly.

Safe Systems’ proactive actions to neutralize possible issues relating to the patch is a prime example of the benefit of our NetComply One solution. Part “product” and part “service,” NetComply One is a comprehensive patch management solution that offers quarterly advisement from Safe Systems experts. It provides valuable reporting and insight into potential issues to help community banks and credit unions pass audits and exams. To learn more about how NetComply One can help your financial institution, click here.

18 Feb 2021
Is Your FI Ready to Move to the Cloud? | Webinar Recap

Webinar Recap: Is Your FI Ready to Move to the Cloud?

Is Your FI Ready to Move to the Cloud? | Webinar Recap

With organizations in virtually every industry employing cloud computing to enhance their infrastructure, cloud adoption is becoming mainstream. But is your bank or credit union ready to make the move to the Cloud?

Before you attempt to answer this question, start with why you should be considering the Cloud. There are significant benefits to using cloud-based solutions: guaranteed uptime; rapid scalability for expanding or reducing resources; flexibility for reprovisioning; and improved redundancy. Another important—but often undervalued—reason for moving to the Cloud is ease of use. The Cloud simply makes it easier for IT administrators to do their jobs and easier for financial institutions to manage infrastructure costs. Instead of buying, owning, and maintaining physical data centers and servers, institutions can procure IT resources over the Internet on an “as-needed” basis with true “pay-as-you-go” pricing. This kind of arrangement can be especially appealing to a de novo, a growing bank, or any institution wanting a more efficient, cost-effective way to manage IT-related expenses.

In addition, cloud systems offer the key advantage that they’re built from the ground up to cater to remote users. Bank and credit union employees can access the same tools, applications, and resources using the Internet whether they’re working on-site, from home, or in another location, making the Cloud the ideal tool for both remote work and collaboration.

Determining When to Make the Move

So how do you know if your financial institution is ready to move to the Cloud? The main indicator is whether management is supportive of the idea or feels implementation would be too burdensome. If your institution can’t manage the research, preparation, and challenges involved with cloud migration, it may not be the best time to make the transition.

One obvious sign that you are ready for the Cloud is if your organization is steadily growing and needing to augment resources. Perhaps you’re looking at expanding to new servers or rethinking your current architecture. Maybe it’s a situation where you’re tired of being stuck in a cycle of dealing with replacement projects for new servers. If you’re looking at replacing multiple servers that are running out of warranty, it could be the opportune time to move some of that workload up to the Cloud.

Transitioning Slowly

Moving to the Cloud can be a complex undertaking, but the good news is that your institution doesn’t have to make the leap all at once. In general, it’s best to be slow and methodical. This strategy can involve transferring one aspect at a time over several years. We are seeing a number of institutions start with moving their disaster recovery solution to the Cloud or using a “brick-by-brick” approach by migrating one or two servers at a time.

Don’t forget, the Cloud isn’t just a new tool, it’s a whole new world. Once your institution makes the jump to the Cloud, you need to monitor and manage the systems in the Cloud going forward. As with everything in IT, some adjustments may be needed over time. If you engage with a trusted partner for cloud services, they may be able to assist with your ongoing monitoring and management of your resources in the Cloud.

For more insights about cloud migration, watch our webinar on “Are You Ready to Move to the Cloud.”

28 Jan 2021
Why De Novo Banks Should Choose the Cloud

Why De Novo Banks Should Choose the Cloud

De novo banks have enough to be concerned about as they struggle to get established: raising capital, selecting a core system and products, getting enough personnel in place—and keeping everything afloat until they begin to thrive. Opting for the Cloud is one of the most prudent decisions a de novo bank can make.

Ease and Speed

A key benefit of employing the Cloud is the ease and speed of implementation, which is especially advantageous for a de novo with a tight timeline to get up and running. The Cloud also affords a de novo the ability to choose technology solutions based on its unique specifications. Rather than trying to estimate and make provisions for future growth, the bank can select cloud services according to its current requirements and as the de novo grows or reduces its operation over years, it can make the necessary adjustments to fit. In a real-world scenario, if a bank needs the capacity to process more loans, a cloud provider can instantly ramp up to meet that demand.

Cloud services also provide de novos with the cost-saving flexibility to forgo extensive infrastructure investments upfront and help avoid the expense of maintaining and replacing outdated hardware over time. Working with a major cloud provider means de novos will always be using the latest and best technology. This supports more predictable technology costs, especially when working in tandem with a managed cloud provider that can minimize the need for retaining a larger IT staff.

Disaster Recovery

Financial institutions—no matter how new they are—must have a strategy in place for restoring their IT infrastructure, data, and systems following adverse events, such as natural disasters, infrastructure failures, technology failures, the unavailability of staff, or cyber attacks, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

When a de novo chooses the Cloud to support its banking system, it simplifies many of the typical aspects of disaster recovery (DR). Cloud-based DR allows institutions to replicate the data in their main offices and transmit it to a safe location that staff can access during a catastrophic event. Having continuous replication means there’s minimal lag time when switching from live to DR mode. Plus, the Cloud makes it easier for IT staff to go live, run tests, and complete tests more thoroughly. Ultimately, cloud services can help de novos go beyond merely addressing disaster recovery, to instituting steps for disaster avoidance.

Here are some other compelling reasons for de novos to embrace the Cloud:

  • Security: A de novo bank has access to more security resources with the Cloud, making it easier to incorporate the best practices that regulators expect. Major cloud providers like Microsoft, Google, and Amazon maintain an army of security experts; they simply can offer more robust security than small de novos can build on their own.
  • Compliance: Leading cloud vendors are well versed in regulatory compliance issues, and de novos that use managed cloud providers receive a comprehensive solution that can further enhance compliance and vendor management.
  • Flexibility: With cloud services, de novos not only gain the advantage of being able to manage their IT infrastructure from anywhere, but they also gain the capability to easily turn on/off cloud services allowing them to quickly explore new ideas or diagnose problems within their environment.

The simple truth is that a de novo bank could never build an IT infrastructure on par with what it can accomplish through the Cloud. And working with a managed cloud service provider like Safe Systems can make using the Cloud even easier, leaving bankers free to focus on banking.

23 Dec 2020
Banking Bits and Bytes

What You Need to Know About Securing Exchange Online: Connecting to Exchange Online

What You Need to Know About Securing Azure AD

Technical Level: Beginner/Intermediate
Note: Previously, we discussed PowerShell basics. Later in this series, we’ll discuss security concerns.
TL;DR: In order to properly secure Exchange Online, you need to know how to traverse and manipulate settings with PowerShell. In this guide we cover the installation of the EXOv2 module, using the module to connect to an Exchange Online instance, and running some basic commands.

Exchange Online Security with PowerShell

In this post we are going to pick up where we left off last time. Now that we have the basics of PowerShell under our belt, we can go ahead and install the newer ExO V2 Module and then use that module to connect to an Exchange Online instance. Finally, we will go over a few simple commands just to verify the connection has been established.

Exchange Online V2 Module Installation

If you follow the link above for the EXOv2 Module you will find the installation instructions point you to the PS Gallery page for the module.

Securing Exchange - Code Example

The PS Gallery has a few ways to install the module.

Securing Exchange - Code Example

If your package manager is already set, you can enter the following statement to begin the installation of the module:


Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3

Note: In this case, -RequiredVersion is a switch parameter (I just call them switches) to indicate the version you are looking to download. You don’t have to specify the version when you run the command.

If you run the command you should see that PowerShell prompts you to confirm the installation. I would show you that with a screen grab, but I was met with an error:

Securing Exchange - Code Example

I decided to include this error because you will inevitably run into errors when trying to run command logic. Being able to troubleshoot based on the error description is pretty much a necessity with PowerShell and thankfully the error messages are mostly useful. In this case, even though I had uninstalled the Exchange Online V2 Module previously, there are some remnants of the module still in place on my system. PowerShell won’t let me override existing commands with commands from a new module, unless I give explicit permission with a switch. In this case, I ran the following command to get the module installed:


Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3 -AllowClobber

Securing Exchange - Code Example

This time there was no error and I was just brought to the next line. I am kind of a cautious guy, so this lack of feedback is disconcerting. How can we tell if the module was really installed? A valid question to which there is a valid response: the Get-InstalledModule command. You can use the following command to verify the installation:


Get-InstalledModule ExchangeOnlineManagement

Securing Exchange - Code Example

Tips and Tricks

Once you get into using various modules it can be difficult to keep track of all the different module names. Thankfully, the Get-InstalledModule command is pretty versatile. If you know at least part of the module name you can surround it with wildcards (the * symbol) to have PowerShell find any module that contains the text between the wildcards. For example, running the command below will also show us that the Exchange Online Management module is installed:


Get-InstalledModule *Exchange*

Securing Exchange - Code Example

Exchange Online v2 Module – Connecting to Exchange Online

Now that the module has been installed, we can use it to connect to an Exchange Online instance. There are a few different types of connectivity options depending on the type of workflow you are using to connect to Exchange Online. For these examples, the assumption is that you are an administrator for a single instance of Exchange Online. Without delegated rights or service principals to worry about, connecting is straight forward. Use the following code and an account with enough access to connect to Exchange Online:


Connect-ExchangeOnline

Securing Exchange - Code Example

Since the new ExO V2 module supports modern authentication, if your account has MFA enabled, you will be asked to sign in with modern authentication:

Securing Exchange - Code Example

Securing Exchange - Code Example

Securing Exchange - Code Example

After you successfully authenticate, you will be brought back to a new line:

Securing Exchange - Code Example

Once again this is one of those things you are just going to have to take on good faith that the authentication was successful. If it wasn’t, you will be prompted with an error.

Get Over Here!

In general, there are three basic command archetypes within Exchange Online: Get, Set, and New. Get commands are basically read operations. They get values/properties and are really pretty harmless to run so this is where we will start.

Note: Set commands are all about modifying existing values/properties and New commands are about creating new values/properties. Both have some inherent risk so we will cover them in a future post.

Let’s use our new connection to grab the mailbox objects for all our users. Use the following code to utilize the new v2 cmdlets to gather all mailboxes:


Get-EXOMailbox

Securing Exchange - Code Example

Side bar: I am really impressed with the new cmdlets! They are just so much faster than the old ones and since there is full backward compatibility you don’t have to take my word for it, you can run the old one and the new and see the time difference yourself!

Ready For A PowerShell Picnic?

My number one recommendation for new NOC analysts and administrators unfamiliar with PowerShell is always to fool around with it and the more you work with it, the less intimidating it will be. With that in mind, it is time to reach back to our previous picnic themed post and pull the concepts from that picnic basket and start eating a PowerShell sandwich made from mailbox statistics.

The command to get mailbox statistics using v2 cmdlets is:


Get-EXOMailboxStatistics

Securing Exchange - Code Example

Yea I kind of set you up for failure on that one but I had a good reason I promise! The command failed but the reason why it failed is important and so is the resolution. Both can be found in the red text of the error but to make it a bit easier to read and understand, I have included the important bits parsed here.

The reason for the failure is “Identity is a mandatory value to provide for running Get-ExoMailboxStatistics.” What this means is we tried to run the command, but it has a mandatory switch that must be provided for the command to run properly.

Note: You can find out which switches are required by looking at the documentation for the command either online — honestly, using your favorite search engine and searching for the command to get to the Microsoft documentation page for the command is your best bet for this option — or straight from within PowerShell with the get-help command.


Get-Help Get-EXOMailboxStatistics -Full

The suggested resolution is:

You can specify identity by using either of the following

  1. Any one of the three available parameters: Identity, ExchangeGuid, UserPrincipalName.
  2. ExchangeGuid and DatabaseGuid.

What this means practically speaking is that the command was not intended to be run to gather statistics for all mailboxes in the organization at once. It requires a specific mailbox and then it will gather the statistics for just that one mailbox. That is the intent of the command but I really would not want to type that command a hundred times just to be able to view the statistics for all my users.

The acceptable identity parameters are Identity, ExternalDirectoryObjectId, or UserPrincipalName. All three are properties that are provided in the default set of properties for a mailbox object. In other words, when we run the command to get mailboxes, the objects that are returned have the information we need to be able to run the mailbox statistics command.
You can see this in action with the following code logic:


Get-EXOMailbox | Get-EXOMailboxStatistics

Securing Exchange - Code Example

Bring Home the Leftovers

Ok, seriously I am kind of running out of picnic metaphors so I may have to switch it up in the next post. Lets wrap up this PowerShell picnic by exporting the data for easier consumption. For me, there are two trains of thought here depending on what I plan to do with the data. If the plan is just to view the data, then pipe the results to an export-csv command and you are set.


Get-EXOMailbox | Get-EXOMailboxStatistics | Export-Csv -NoTypeInformation -Path “c:\temp\EXOMailboxStats.csv”

Securing Exchange - Code Example

If you plan to use that data for more PS commands (in the same session), then store it in an object first and then export the data. This way you won’t have to spend time gathering it again.


$exoMailboxStats = Get-EXOMailbox | Get-EXOMailboxStatistics
$exoMailboxStats | Export-Csv -NoTypeInformation -Path "c:\temp\EXOMailboxStats.csv"

Securing Exchange - Code Example

Conclusion

That about sums it up (pun totally intended). In this post we went over installing the new ExO V2 module, using the module to connect to Exchange Online, and then using our new connection with some small scripting logic to gather mailbox statistics.

Get commands really are important because they are what will show you all your current Exchange Online properties. There are so many properties though, so which ones are important to look at??? Join us next time around as we solidify our grasp of the get commands and start to look at security related properties that could help show you if your users have been compromised!

05 Nov 2020
How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

Banks and credit unions of all sizes experience some level of turnover or unexpected absence that can affect internal positions. When the IT administrator role is impacted, it can cause the most disruption, especially for smaller community institutions, as many have limited resources and may rely on only one employee in the role. When an IT administrator leaves, he or she takes with them the institutional knowledge and expertise gained through working with the FI’s unique IT infrastructure and network management processes. To lessen the impact, it’s up to the institution to effectively build continuity into its IT strategy and pay attention to the strategic decisions being made by the IT team.

In a recent Safe Systems webinar, we discussed the importance of continuity in IT and ensuring effective management of the network through transition periods. In this blog post, we highlight three key areas of focus to achieve continuity and keep the institution operating efficiently.

1. Strategic Decisions

We have seen financial institutions fall victim to the “power of one”, where the IT admin has all the knowledge and authority to make IT strategic decisions alone. Then when they leave, the rest of the institution doesn’t have a clear view of what’s been done to the network and how to properly maintain it.

Some IT admins prefer to try new technologies and add more automation to the institution’s processes. While others might stick to their comfort zone and not push for new IT tools. While it’s important to provide an appropriate level of autonomy to the IT admin, it is critical to also have a system of checks and balances in place and to examine the benefits and consequences of these decisions closely to ensure the institution has the right tools to succeed .

2. Strategic Management

For IT personnel to be successful, it is important to outline what your institution wants the IT admin to accomplish and let them know what success will look like when they achieve these goals. Some key questions to consider include: What are the desired outcomes you’re expecting from IT? Is the goal to spend their time and budget on efficiency projects, redundancy projects, or security projects? In other words, what is your tolerance for downtime, security risks, or ineffective and slower processes? How will these goals be measured?

Once these expectations are established, the IT admin should be given the freedom to do what they need to do to achieve the institution’s goals but there should also be a clear chain of command to provide oversight and to evaluate their work.

You do not want to let an employee’s expertise (or lack thereof) impact your technology or for the institution’s security to be affected negatively. Define clear objectives for your IT personnel, whether that’s uptime, recovery time objectives (RTOs), redundancy, budgeting, or specific controls you’d like to have in place to ensure the institution is operating securely.

3. Strategic Plan

Make sure the expectations and objectives you set for IT personnel align with your strategic plan. According to the Federal Financial Institution Examination Council (FFIEC), “strategic IT planning should address long-term goals and the allocation of IT resources to achieve them. Strategic IT planning focuses on a three- to five-year horizon and helps ensure that the institution’s technology plans are consistent and aligned with the institution’s business plan. Effective strategic IT planning can ensure the delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace. The IT strategic plan should address the budget, periodic board reporting, and the status of risk management controls.”

When discussing the strategic plan with management, it’s important to identify the key areas of improvement and provide information on price, level of risk, and what exactly the institution is trying to accomplish. Sometimes having an outside perspective can help push key initiatives along and get them into the budget for the year ahead.

To learn more, download the recording of our webinar, “Understanding The Lifecycle of the IT Administrator: Ensure Effective Management of Your Network.”

02 Nov 2020
The Impact of Digital Banking During the Coronavirus Pandemic

The Impact of Digital Banking During the Coronavirus Pandemic

The Impact of Digital Banking During the Coronavirus Pandemic

The coronavirus (COVID-19) pandemic has drastically reshaped the way banks and credit unions operate today. While financial institutions value face-to-face interactions with their customers and members, social distancing requirements and other safety precautions have caused retail banking to go almost entirely digital. This change impacts not only how financial institutions conduct their business and interact with customers and members, but also how they keep their institutions secure.

In this blog post, we outline 3 key ways the pandemic has impacted the industry and consumers, and how financial institutions are managing these changes in real-time while ensuring they continue to operate effectively for their employees, customers, members, and other stakeholders.

1. Know Your Customer

For banks and credit unions, know-your-customer (or member) procedures are a key function to establish a customer or member’s identity, understand their financial activities, and evaluate the level of risk to the institution. Traditionally, before opening an account, completing a transaction, and/or sharing private information, many financial institutions have relied on at least some face-to-face interactions. For community financial institutions, know-your-customer has gone well beyond best practice to become a competitive advantage. Many (if not most) community institutions pride themselves in knowing their customers by name!

However, due to the COVID-19 pandemic, financial institutions need to find ways to verify their customers’ identities and retain that personal touch using digital channels. Consumers want a frictionless banking experience where they feel trusted and can quickly receive the products and services they need, but they also want to avoid feeling like just another number. Institutions must balance managing remote transactions that could increase their security posture, against technology and policies that positively identify customers without alienating them. As a result, some financial institutions are leaning towards increased security by starting to adopt a “zero-trust” stance where every individual and transaction is considered suspicious unless proven otherwise.

2. Technology Updates

To protect customers and members during the pandemic, banks and credit unions have moved from in-branch, face-to-face interactions to using remote channels such as online, telephone, ATM banking as well as the drive-through to serve their customers. Our experience has been that many institutions that may have technology upgrades on their roadmap two or three years down the road have had to accelerate those projects. Others have added new initiatives to increase their remote capabilities and enhance their electronic services. However, all this likely requires tighter security protocols for customer verification. This can be challenging for smaller financial institutions that rely on more traditional in-branch visits to provide services to their customers or members, particularly if branches are closed or observing limited hours and services. It is up to these institutions to find the right balance of physical and digital solutions to ensure customers and members receive the same level of service they were accustomed to prior to the pandemic.

3. Digital Adoption

The COVID-19 pandemic has driven consumers to rely more heavily on digital channels for their banking needs. This has accelerated digital transformation for financial institutions in the U.S. as their customers demand solutions that allow them to quickly and easily complete transactions remotely. To meet this demand, financial institutions have reevaluated their traditional strategies, implemented and even accelerated digital initiatives, and are more inclined to not just enable but encourage digital capability for their customers. As they encourage consumers to adopt new solutions and remote tools, it will be critical to assess the risk of these solutions and develop controls to keep the network safe and protect sensitive, financial information.

Banks and credit unions must be able to provide the products and services their customers and members need all while keeping information secure, even in the midst of a pandemic. Having a solid plan to guide how you manage operations can make all the difference. One final thought, when the dust settles and things go back to “normal”, the steps you’ve taken to enable digital engagement with employees and customers will be considered resilience measures to mitigate the impact of a future event of this nature. Resilience will be a focus for regulators in future examinations.

To learn more about pandemic planning and best practices, download our latest white paper, “Navigating the Coronavirus Pandemic: Best Practices for Pandemic Planning and Key Lessons Learned.”

22 Oct 2020
Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Java is a programming language and computing platform first released by Sun Microsystems in 1995. On April 16, 2019, Oracle (who owns Java and its development) changed its client-based Java model from free to fee-based. This created a huge issue in the marketplace because so many businesses, consumers, applications used Java and based their code off of Java. So now, to get Oracle’s version of Java requires a fee per device. Many companies are facing an update and licensing management issue as they are forced to track who in their organization has Java; who needs it; and whether there are enough licenses. At this point, they must update only the computers who have purchased licenses.

It seemed like overnight, supporting and updating Java went from “not a big deal” to a headache for a lot of IT people. Luckily several companies saw the issue and began creating their own Java client based on the open source code that was released for Java. Several major players like IBM, Amazon, and even Oracle started creating their own versions of Java. Safe Systems researched which of these versions would be supported by the core providers and software vendors in the financial industry, and Amazon Corretto emerged as a top choice because it is free to use and is backed by a reputable company.

What’s Next?

At the end of December 2020, Safe Systems has decided to no longer support the fee-based version Oracle offers of Java as we now have no way to confirm if a license has been purchased or not. Instead, we have worked with financial institutions and have adopted Amazon Corretto as a supportable alternative to the Oracle fee-based version. Safe Systems will support, update, and report on Amazon Corretto as part of our third-party patching program with NetComply™.

Safe Systems did not make this decision lightly. We worked with multiple institutions using various banking applications to ensure that this could be a widely accepted switch in the industry. We spent hundreds of man hours testing and implementing the appropriate changes to ensure this is a smooth transition. We are happy to say that we can successfully support Amazon Corretto as a key application that in turn supports your critical banking applications.

NetComply is built around monitoring, alerting, automation, and supporting your machines, but it is also about keeping key applications fully patched so that your network is as secure as possible. We encourage each of you to confirm all of your applications work with Amazon Corretto before switching. If they do, there is nothing left to do but sit back and let NetComply take it from there.

18 Jun 2020
Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

  • Review all guidance and issues related to their institution and become familiar with any changes that might impact them
  • Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
  • Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

  • Analyzing potential threats
  • Assessing the technology required
  • Managing access controls and security
  • Conducting regular data recovery test
  • Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

04 Jun 2020
I’m New to Banking Technology – What Do I Need to Know?

I’m New to Banking Technology – What Do I Need to Know?

I’m New to Banking Technology – What Do I Need to Know?

The reality for the community banking industry is that often, institutions are limited in staff size, especially in IT. As a result, employees are sometimes placed in an IT role without any prior experience and they are forced to learn the “ins and outs” of information technology quickly to ensure that the institution stays in compliance and the IT environment is secure.

This can be a daunting task for a financial institution employee who’s been placed in an IT role for the first time. From our experience working with more than 600 community financial institutions, there are four key steps that someone who’s new to banking technology needs to know to quickly get up to speed on all things IT:

Step 1: Determine the Financial Institution’s Current State

When stepping into an IT role from another department, the first thing you must do is get a strong understanding of the current state of the institution and how the IT infrastructure is set up. Key questions include:

  • What does the IT infrastructure look like?
  • What technology is currently in place?
  • Is there hardware or software that is reaching end-of-life?
  • Are network schematics and data flow diagrams up to date and accurate?

Look at all the policies and procedures currently in place and understand what management has approved for the information technology program and how the environment is organized. It’s important to know exactly where the bank is from an IT perspective because without this knowledge you won’t be able to troubleshoot potential issues or plan strategically for where the financial institution needs to be to meet compliance guidelines.

Step 2: Review Vendor Relationships and Responsibilities

It is critical to know exactly who is responsible for each IT activity. Many community banks and credit unions use a variety of vendors, including core providers, cloud providers, managed services providers, and others. It’s important to understand which vendors are involved with all your hardware, software, and IT services and review the service level agreements (SLAs) which are typically found in the contract to be clear on what the vendor should be providing to the institution. This is crucial because if an issue arises you need to know if it is your responsibility to handle it internally or if you should reach out to a vendor for support. Make sure you are clear about what the institution’s vendors are responsible for, when to go to them for help, and which activities are your responsibility under the SLA.

Another key part of this role is vendor management. As a new IT admin, you have a shared responsibility for monitoring and managing the institution’s vendors and weighing the risks each one poses to the institution. To keep the network compliant and secure, you need to thoroughly evaluate potential vendors; identify critical vendors and services; implement an effective risk management process throughout the lifecycle of the vendor relationship, and report appropriately to senior management. Some key best practices include:

  • Developing plans that outline the institution’s strategy;
  • Identifying the inherent risks of the specific activity, and the residual, or remaining, risk after the application of controls;
  • Detailing how the institution selects, assesses, and oversees third-party providers;
  • Performing proper due diligence on all vendors;
  • Creating a contingency plan for terminating vendor relationships effectively; and
  • Producing clear documentation and reporting to meet all regulatory requirements.

Having a proactive plan in place will help you effectively manage vendors and have a clear understanding of the level of criticality and risk for each service provider. Properly vetting and managing vendors will reduce risk for the institution, while also ensuring compliance requirements are met successfully.

Step 3: Understand the Institution’s IT Organizational Structure

How IT roles are structured within a community bank or credit union varies by the institution, but many financial institutions have an IT administrator, information security officer (ISO), chief information officer (CIO), and an IT steering committee to support IT activities. It’s important to learn how the institution is set up and understand what the ISO and CIO are responsible for so you can work together to ensure the institution’s environment is operating securely and efficiently. It’s also important to make sure all ISO duties are separated from other IT roles at the institution to maintain compliance with FFIEC requirements.

At some point, every functional area of a bank or credit union touches IT in one way or another so understanding how every system, application, and functional area within the institution operates and relates back to IT enables you to help the staff by troubleshooting the different issues each department may experience.

Step 4. Review Recent Audits and Exams

Another way to determine the current state of the financial institution is to review all recent IT audits and exams. Determine if there were any findings or recommendations made by a regulatory agency and make sure that this has been addressed and remediated appropriately. With this information, you can tell if there are any current issues or pain points and start to make strategic plans or address specific issues as they arise.

Financial institutions are held accountable for FFIEC compliance and must manage regulatory activities including reporting effectively. New IT personnel should become familiar with FFIEC guidance and understand what is required to meet regulatory expectations and perform well on future audits and exams.

With these steps, new IT admins can gain a deeper understanding of information technology and what their key responsibilities are at the financial institution to ensure the community bank or credit union can successfully meet examiner expectations and keep operations running smoothly.

14 May 2020
Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Cloud technology has been driving efficiency and innovation across many industries for years and today, many community banks and credit unions are adopting cloud services for their IT operations.

In a recent webinar, Safe Systems presented an overview of cloud infrastructure and the key benefits to financial institutions. Here are a few points to keep in mind if you’re thinking about implementing cloud services:

Data Centers

Cloud service providers, like Microsoft Azure or Amazon Web Services, have some of the best data centers in the world, providing space, power, cooling, and physical security. You no longer have to worry about the management burdens of an on-premise solution or co-location when your servers and applications are hosted in a secure cloud environment.

Lifecycle Management

The cost of server hardware does not end with its purchase. There are hidden costs of tracking which assets are still healthy, supported, and under warranty. Replacing aging equipment every few years often requires a complex project that impacts availability and takes time away from meeting more important objectives. With cloud services, you can eliminate lifecycle management of your server equipment, enabling you to focus your effort on higher-value projects that drive your business.

Availability

When you adopt cloud services, the availability of your critical application infrastructure and data is the responsibility of the cloud provider. The major cloud providers are able to attract and retain the best talent in the world to keep systems healthy and secure. They deliver your services from a highly resilient network of multiple data centers, vastly reducing your dependency on any single datacenter.

Flexibility

  • Experimentation
  • If your goal is to develop a specialized project for your institution, a platform like Microsoft Azure has many different services to make it easy for you to test scenarios or try new ideas without investing in hardware or navigating the justification and purchase order process. You simply visit the website, turn on a resource, and experiment. Later, you’re able to turn it off with no further commitment.

  • Fast Turnup and Fast Turndown
  • Cloud services enable you to get up and running fairly quickly in this new environment. Instead of having to order hardware and wait for it to be shipped or spend time setting up the solution, you can go from having an idea to having the solution turned on literally within a few minutes. Fast turndown is equally important. When you no longer need the solution, you can simply turn it off, and more importantly, the billing ends as well.

  • Elasticity
  • The elasticity of cloud service means that you can add capacity when you need it and remove expense when you don’t. For periodic computing tasks, like month-end processes, extra computing power can be added to your cloud services and then removed after the job is complete. This is more cost-effective than building an infrastructure that is sized for the busiest day of the year.

  • Serverless Functions
  • Lastly, large cloud providers have many advanced functions that can provide community banks and credit unions with new capabilities like serverless computing. Some workloads that traditionally required a dedicated server, like a Microsoft SQL database, may be able to move into a serverless alternative like Azure SQL. This creates the opportunity to start reducing the quantity of Windows Server instances that need to be patched and maintained.

Cloud infrastructure allows community banks and credit unions to reduce servers, internal infrastructure, and applications that would typically have to be hosted on-premises, in addition to the associated support each one requires. It also enables you to experiment and find the right services that fit your institution’s corporate strategy and IT objectives.

To learn more about cloud services, including cloud-based disaster recovery, watch our webinar recording, “The Cloud: Recovery and Resiliency is Just a Click Away.”

07 May 2020
How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

Disaster recovery is a concern for all financial institutions, regardless of size or location, and is essential to protecting data, infrastructure, and overall business operations. In addition to having a thorough disaster recovery (DR) plan, community banks and credit unions need to have a solid site recovery environment to facilitate a quick return to normal business operations, in the event of a natural disaster or other disruption.

Cloud disaster recovery solutions are growing in popularity among many community banks and credit unions. However, it is important to understand the key differences in site recovery models to determine the best fit for your institution.

In a recent webinar, Brendan McGowan, Chief Technology Officer at Safe Systems, outlined the three most common site recovery models available to community banks and credit unions today and discussed key considerations when implementing each.

In-House Site Recovery

When using an in-house site recovery model, financial institutions commonly have a virtualized server environment. These machines often run in a VMware vSphere environment which sits on top of a storage array. On the DR side, there is essentially a clone of the production environment to receive the replicated data. This works well for many financial institutions, however, there are a few considerations to keep in mind.

House Site Recovery

With in-house site recovery, you’ll need to:

  • Have redundant hardware in the DR environment at an additional cost.
  • Purchase an additional facility like a co-location or branch for DR.
  • Oversee hardware and software lifecycle management for both production and DR environments.
  • Set up dedicated connectivity like multi-protocol label switching (MPLS) to point replication to the DR environment.
  • Conduct regular maintenance to ensure all replications are healthy and perform periodic testing.
  • Have significant expertise and talent to make sure the system works correctly and consistently.

Cloud Site Recovery

In this model, the production environment remains the same, but the hardware and software used in the DR environment are replaced with a cloud-based solution. With cloud site recovery, financial institutions don’t have to pay for servers and computing time until the day they need to turn on the disaster recovery solution. Until then, the institution will only be billed for the amount of storage it consumes.

Cloud Site Recovery

When you use a cloud site recovery solution like Microsoft Azure Site Recovery, you create a storage pool to receive replication from a small server on-premise, which is the cloud site recovery replication server. The replication server works by having each of your production servers send its data changes in real-time to the cloud application server. This server is compressing, encrypting, and deduplicating all of the incoming data and continuously shipping it securely to your cloud site recovery storage pool.

With the cloud site recovery model, you no longer have to:

  • Deal with redundant hardware on the DR side since everything is stored in the cloud.
  • Manage hardware and lifecycle management on the DR-side.
  • Pay for separate facilities since the data is in the cloud, and you can store your data anywhere in the world.
  • Worry about dedicated connectivity because you can send all of the replication over the internet with a simple virtual private network (VPN).
  • Handle all of the maintenance or have the expertise required to run the system.

Cloud-Native Resilience

In the cloud-native site recovery model, both the production and disaster recovery environments are in the Cloud. To set up the cloud environment, using Microsoft Azure, for example, you can sign up for Azure Virtual Machines, which would correlate to VMware vSphere in your environment. After that, you can set up your production virtual machines.

Cloud-Native Site Recovery

At this point, you can register for cloud site recovery for your institution’s individual virtual machines. Once you’ve selected your machines for replication, the system automatically moves that data to whichever Azure zone you select so you get to choose some zone disparity.

In the cloud-native resilience model:

  • There is no Azure site replication server as there was in the cloud site recovery model.
  • Since both environments are cloud-native, all the data is in the cloud and you need not worry about a replication server. Simply check a box to turn it on.
  • In addition, file backup is also a simple checkbox for each server, providing you the option to choose the location to store the data.

Migrating to cloud-based services is a great option to reduce maintenance; significantly speed up the disaster recovery process; and improve overall operations for your institution. If you are interested in implementing a cloud-based disaster recovery solution, Safe Systems can help you determine the right environment for your institution.

To learn more about disaster recovery and moving to the Cloud, watch our recorded webinar, “The Cloud: Recovery and Resiliency is Just a Click Away.”

01 May 2020
Combating Business Email Compromise and Protecting Your Remote Workforce

Combating Business Email Compromise and Protecting Your Remote Workforce

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

  1. Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
  2. Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

  • Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
  • DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
  • URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
  • Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

23 Apr 2020
Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”