Holiday Shopping Security Tips

Cyber Monday is the day when all employers cringe. They know that many employees will spend a portion of their work hours making online holiday purchases instead of working.

For employees who spend time making purchases either at lunch, break time, or at the end of the work day, here are some tips to stay safe on the largest online activity day of the year.

[1] Make sure your desktop computer, laptop, smartphone, or mobile device has some form of anti-virus protection.

[2] If you use your laptop or mobile device at a coffee shop or other location with free Wi-Fi, don’t use your credit card online until you are home or away from the free Wi-Fi.

[3] If you enter your credit card or other personal information online, make sure that the website in the browser starts with HTTPS and not just HTTP because the HTTPS encrypts the information you enter (credit card details, etc.)

[4] Do your research before you buy. Check out reputable sites such as Amazon.com to make sure you’re paying a legitimate price for your item. Also, don’t make any purchases from a site that doesn’t have a privacy policy – there should be an explanation as to how the site uses your personal information.

[5] If you use review sites such as Yelp, Angie’s List, etc., take the comments with a grain of salt – they may not be accurate.

[6] While apps may ask for access to your personal information, you can click “no.”

[7] Make sure to “disable” the GPS location-sharing function on your phone and mobile devices. There may be times when you don’t want your location included with your online activities.

[8] There will be many emails in your email box during the holiday season, so be careful when you click on what looks like an email confirmation for your purchases, when in fact, the email could contain a virus once you click “open.”

[9] Some sites request a password. Use a different password than what you use for your regular sites.

[10] Log off from a site once you complete your transaction.

Lastly, if you’re on the road on Cyber Monday and decide to use your laptop or mobile device while waiting for your plane, don’t use airport Wi-Fi. Hackers are setting up bogus access points to steal your info.

Do you have a favorite safety tip for Cyber Monday? Chime in and share.

Cross-posted from Tips4Tech

Two Decades of Malware

Some organizations view social networking in the business environment as a threat to security and a drain on productivity. But James Beeson, CISO of GE Capital, says that kind of thinking is all wrong.

While some see social networking as a waste of time that kills productivity, the “mobile generation” find it essential for collaboration and efficiency. The mobile generation is not going to turn back, so organizations need to get on board.

“Social networking is actually helping our security attention span,” says Beeson. “My kids are more aware of the bad stuff out there. It’s giving us a much better digital trail. We are getting a much better baseline of user activity, which can help us understand the new ‘normal’ so we can more effectively identify today’s abnormal activity.”

We’re not saying there aren’t big security risks associated with social networking; however, there are some basic steps organizations must take to protect themselves.

• Incorporate a social media policy with user guidelines
• Focus on data loss prevention
• Use security awareness training to educate employees on proper use, social media scams, and data protection

Social media isn’t coming to the financial services industry, it’s already here. The benefits far outweigh the risk, but only if you are committed to building a solid social media strategy with guidelines and policies that fit your business. What people need to remember is that those policies will never be something you can set and forget. You have to continually update those documents as the social media landscape changes.

How does your company feel about social media? Are they embracing it?

Securing mobile devices is one of the biggest challenges facing IT security professionals as cyber criminals turn their attention to this platform. Research firm IDC says global spending on mobile security is on track to balloon to $1.9 billion by 2015, up from $407 million in 2010.

“Businesses need to urgently secure mobile devices as employees increasingly mix work and play, but perhaps the biggest problem is awareness among users,” IDC said.

To reduce the risk and enhance mobile security, follow these tips:

Create Guidelines.

Establish and maintain a mobile device security policy that describes the expected behavior and guidelines that users should follow. This policy should define both corporate-owned and personal devices that may be allowed to access the enterprise network.

Avoid Public Wi-Fi.

Avoid connecting to unsecured Wi-Fi networks. Secure Web and email with SSL/TLS, Wi-Fi with WPA2, and corporate data with mobile VPN clients.

Control Access.

Use network access controls (NAC) to register, authenticate and review employee owned devices that have permission to access the corporate network.

Install Anti-Virus.

Tablets and smartphones are not shipped with on-board anti-virus, anti-spam, intrusion detection, or firewall apps. Although such apps are available, adoption has been slow. Research shows that 89% of people have installed security software on their laptop or PC, while only 9% have it installed on their mobile phones.

Encrypt your data

Use an email encryption solution to prevent access to corporate email data.

Lock the device

A remote lock and wipe service comes in really useful if your phone is ever stolen, as it helps you to retrieve or securely remove your data. This will also prevent data loss.

Accept the patches.

Similar to PCs, mobile phones need to be patched often to eliminate vulnerabilities found since the phone’s release.  Most devices can accept updates wirelessly others cannot.

Are you allowed to connect mobile devices to your corporate network? If so, what security measures does your company take?

Bank Companion, a leading provider of mobile banking software to banks, community banks and credit unions around the world today announced its partnership with Infosight, Inc. a leading provider of IT infrastructure, security and compliance solutions for financial institutions.

Research shows that an increasing number of financial institutions have made mobile banking as one of their top priorities. An Accenture Survey shows that banks can achieve an ROI as high as 300% when they enable their customers with new technologies such as mobile banking and mobile marketing. Yet financial institutions are barely scratching the surface of mobile banking because they need help orchestrating and understanding the full potential of mobile. The Bank Companion/InfoSight Partnership has been formed to help these institutions not only implement mobile banking but to leverage mobile marketing for greater revenues and profitability.

Commenting on the Partnership, Infosight President & CEO Tom Garcia stated:

“More and more people are turning to the convenience of mobile devices for their financial service needs, fueled in part by the adoption of smartphones and tablets such as the Apple iPad. The question now becomes how to generate ROI from mobile banking and what types of services to deploy. Based on consumer behavior, mobile marketing can transform mobile banking into a dynamic sales and communications channel with the ability to not only enhance customer loyalty but to also up-sell and cross-sell financial products and services.”

About Bank Companion
Bank Companion is an industry-leading mobile banking software platform that enables banks, community banks and credit unions to provide their customers with 24/7, anytime anywhere banking. Bank Companion gives financial institutions a competitive edge by integrating state-of-the-art technology with a host of innovative mobile marketing and advertising features. The result is a secure and scalable platform that helps your organization to increase loyalty, acquire new customers, cross-sell products plus much more. Visit us at: http://www.bank-companion.com

About InfoSight, Inc.
InfoSight, Inc. offers proven and affordable Managed IT Infrastructure, IT Security and Compliance services that protect and optimize how an organization’s critical information is processed, managed and stored. For more than 10 years, InfoSight has served organizations nationwide minimizing risk exposure and providing the highest levels of security assurance and IT regulatory compliance. Among the first in the industry to offer Managed Services, InfoSight’s offerings fit into any budget with minimal upfront cost or capital outlay and can be installed in-house or as a complete Managed Services offering. For more information, visit us at: http://www.infosightinc.com.

There’s a lot to learn from this infographic from MediaBistro, especially if you’re good at learning from others’ mistakes

The anatomy of being hacked via twitter

Database archiving is gaining traction as a technology that can significantly improve application performance and reduce storage costs. It is also being used as part of application decommissioning projects to preserve and enable access to associated older data.

Key Findings

• Database archiving products can offer good infrastructure cost reduction when implemented to manage application data growth.
• Database archiving products can be used to transparently access aging data by offering support for application business logic and by treating archived data in the context of business objects.
• Initially, deployments of database archiving products focused on application performance and storage optimization; more-recent uses include application retirement/decommissioning.

Recommendations

• Look for database archiving products that support the breadth of applications within your organization, inclusive of support for custom applications.
• Evaluate archiving products’ repository options, including alternate database and compressed file formats, and align them with your strategy for physical storage.
• Determine the requirements for policy enforcement and access to archived data, and perform user acceptance testing.

This information was provided from Gartner Research, to read the full report go here…Selection Criteria for Database Archiving Products

1. Enforce strong step-up authentication for risky activities:

It’s pretty clear that the FFIEC has shot down the most widely-used method of authentication – the Challenge/Response Questions – but they were nice enough to identify other means of stronger authentication. Included are “Out of Band” authentication and “Out of Wallet” authentication such as the RSA’s Identity Verification technology, as well as an one-time password technology such as RSA SecurID.

You need to ask yourself “what do we have?” vs. “what do we need?” This will help you choose the right authentication approach based on the application or service you’re applying it to. By using a variety of methods, you avoid deploying redundant layers, which leave gaping holes in other places.

2. Implement risk assessments into login & fund-handling transactions:

It’s about time the FFIEC not only recognized the threats to the consumers, but also commercial clients. Now that they’ve recognized these threats, they are pushing for more scrutiny on individual account and user activities. Once you tackle this requirement, you’ve accomplished what the FFIEC feels is most important; and luckily, there are a number of ways to address this, including InfoSight’s own services.

3. Lock your NOC:

This is a no brainer. Make sure security admins are aware of what individuals are or are not authorized to have access to a particular points in the system. Treat it like an audit activity and apply the correct access controls based on the outcome of the audit. It’s helpful and prudent to have an independent party review the security admin reports to ensure the necessary checks and balances are in place for managing a truly safe and secure system.

4. Develop a reoccurring risk assessment framework:

If you ever needed a shoulder to lean on, this is the time to engage the skills and experience of an IT security expert. It’s critical to build a relationship with your technology service provider that results in an ongoing process to review your authentication technology and ensure all the appropriate changes are applied.

5. Education is not a luxury, it’s a requirement:

Education is now a requirement for your staff. And, resulting from litigation over who is liable for wire fraud (the institution or the customer), banks are encouraged to provide Information Security Awareness Training for their customers, especially commercial clients. More and more institutions are offering Information Security Awareness Training to their commercial clients because it’s an excellent way to prove your effort to provide “reasonable security.” When you begin researching training options for your staff, and later for your customers, consider InfoSight-U. No one wants to buy training from multiple vendors. InfoSight-U provides an all-inclusive training solution for the diverse needs of your staff, as well as customized training for your customers.