
Swarmbots, hivenets, and other stinging insects

03.23.18

With the rise of artificial intelligence, most malware programs are starting to think together. Fortinet recently released a report that highlights some terms we need to start paying attention to:

Bot
A “bot” is an automated program that, in this case, runs against IP addresses to find specific vulnerabilities and exploit them. Once it finds the vulnerability, it has the ability to insert malware such as ransomware or Trojans (a type of malware disguised as legitimate software) into the vulnerable device. These programs adapt to what they find in order to infect a system and then make themselves invisible.

Swarmbot
Now, think about thousands of different bots, attacking one target at the same time. That’s a swarm, or in the latest lingo, a swarmbot. Imagine a swarmbot attacking any available access into your network. This is a bot on steroids.

Hivenet
A “hivenet” is a self-learning cluster of compromised devices that share information and customize attacks. Hivenets direct swarmbots based on what they learn during an attack. They represent a significant advance in malware development, and are now considered by some to be a kind of artificial intelligence. The danger lies in a hivenet’s ability to think during an attack.

Where do they run? Everywhere.
Bots and hives can run on any compromised internet-connected devices. This includes webcams, baby cams, DVRs, home routers, refrigerators, drones, “smart” TVs, and, very, very soon, (if not already) mobile phones and tablets. Anything that has an IP address and is not secured is vulnerable.

With some 2.9 billion botnet communications per quarter that we know of, attacks aren’t just theory anymore — they’re inevitable.

Organizations have heating and cooling systems, physical security systems, security cameras and multiple types of devices now accessible from the internet. Even community water, electric and telecommunications systems are vulnerable to attack — if they are accessible.

What can you do? Take care of your business—at home and at work.
At home, how many devices do you own with an IP address? In the era of smart homes, it can add up quickly. Vendors are fast to jump on the “connect from anywhere” bandwagon, but not so fast to secure their devices. How many offered updates to the device’s software in the last year? How would you know? Do any of the products address communications security? If the answer is “none,” you are at risk.

When assessing security at work, all organizations need to consider smart devices and industrial control systems that are Internet accessible, including phone systems, web conferencing devices, heating and cooling systems, fire systems, even elevators. What has an IP address? Vulnerable areas have expanded exponentially in the name of convenience and cost saving. Those devices may turn out to be far more expensive than their original price tag; remember the Target data breach? A firewall will not be sufficient protection if a compromised vendor has access.

Evaluate the Risks of Internet Accessibility
It may be great if you can see who is ringing your doorbell at home from your office, but only if you are sure you are the only one who can do that. Right now, my home is very “stupid,” and I like it that way. I worry about my wireless garage door opener, but at least someone has to be at my house to compromise it. My home firewall is commercial grade because most small office/home office routers are abysmally insecure, and are easily hacked. Good security costs money.

It may be more convenient for third-party vendors to access your internal equipment from their offices, but how secure are their offices? (There is really no way to know, except by sending someone like me in). Is your organization monitoring outgoing traffic from your network through your firewall? That’s how you discover a compromised device. Someone needs to pay attention to that traffic. You may not host valuable information, but if you have 300 unsecured devices, you can easily become part of a swarm.
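The paragraph above makes the practical point that a compromised device is discovered by watching what leaves the network. As an added example (not part of the original article, and not a Fortinet or BerryDunn tool), the Python below parses a constructed set of firewall egress log lines and flags the two patterns a bot-infected device tends to produce: one source contacting many external hosts on a single port (the probing behaviour the Bot section describes), and one source calling the same external host at fixed intervals (a device checking in with whatever controls it). The log line format, the RFC 1918 ranges treated as internal, and the thresholds are assumptions; adapt them to the export format of the firewall in use.

```python
"""Egress monitoring: flag internal devices whose outbound traffic looks bot-like.

Added example with constructed data. Log format, internal ranges and
thresholds are assumptions, not the settings of any particular firewall.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<word>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Assumed internal address space (RFC 1918); everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_scanners(events: list, min_targets: int = 10) -> list:
    """Sources that reached at least min_targets distinct external hosts on one port."""
    targets = defaultdict(set)
    for ev in events:
        if is_external(ev["dst"]):
            targets[(ev["src"], ev["dport"])].add(ev["dst"])
    return sorted((src, port, len(dsts)) for (src, port), dsts in targets.items() if len(dsts) >= min_targets)


def find_beacons(events: list, min_hits: int = 6, max_jitter: float = 0.2) -> list:
    """Sources that contact one external host:port at near-constant intervals.

    Jitter is the standard deviation of the gaps divided by their mean; a low
    value means a timer, not a person, is driving the connections.
    """
    times = defaultdict(list)
    for ev in events:
        if is_external(ev["dst"]):
            times[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])
    found = []
    for (src, dst, port), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((src, dst, port, round(mean)))
    return sorted(found)


def build_sample_log() -> str:
    """Constructed sample egress log; a real deployment reads the firewall's export instead."""
    base = datetime(2018, 3, 23, 10, 0, 0)
    lines = []
    # A webcam (192.168.1.50) probing twelve external hosts on port 23 within a minute.
    for i in range(1, 13):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} src=192.168.1.50 dst=203.0.113.{i} dport=23 action=allow")
    # A DVR (192.168.1.77) calling the same external host every 300 seconds.
    for i in range(8):
        t = base + timedelta(seconds=300 * i)
        lines.append(f"{t.isoformat()} src=192.168.1.77 dst=198.51.100.7 dport=8080 action=allow")
    # A laptop (192.168.1.10) doing ordinary, irregular browsing: should not be flagged.
    for sec, dst in ((12, "198.51.100.20"), (95, "198.51.100.21"), (640, "198.51.100.20")):
        t = base + timedelta(seconds=sec)
        lines.append(f"{t.isoformat()} src=192.168.1.10 dst={dst} dport=443 action=allow")
    # Internal-only traffic, ignored by both detectors.
    lines.append(f"{base.isoformat()} src=192.168.1.10 dst=192.168.1.1 dport=53 action=allow")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse(build_sample_log())
    print("scanning devices:", find_scanners(evs))
    print("beaconing devices:", find_beacons(evs))
```

Both detectors only need the source address, destination address, port and timestamp, which almost every firewall can export, so the same logic applies whether the log comes from a home router or a commercial-grade appliance. The thresholds are deliberately simple; in practice they are tuned against a week or two of the network's normal traffic so that legitimate timed jobs (NTP, update checks) are allow-listed rather than reported.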

Be Part of the Solution
Each one of us needs to eliminate or upgrade the devices that can become bots. At home, check your devices and install better security, in the same way you would upgrade locks on doors and windows to deter burglars. Turn off your computers when they are not in use. Ensure your anti-virus software is current on every device that has an operating system. Being small is no longer safe. Every device will matter.


Read this if you are at a financial institution that uses FedLine® Solutions.

In response to an evolving security threat landscape, the Federal Reserve Bank has implemented a Security and Resiliency Assurance Program (“Assurance Program”). Financial institutions that use FedLine® Solutions will need to take action before year-end to comply with Assurance Program requirements. Here’s what you need to know.

Required assessment to be completed annually

Financial institutions are already required to implement, maintain, and assess technical and procedural security controls to safeguard their FedLine® connections. Starting in 2021, financial institutions must conduct an assessment of their compliance with the Federal Reserve Bank's FedLine® security requirements and submit an attestation that they have completed the assessment. The deadline for submitting the first attestation is December 31, 2021. Moving forward, this assessment and attestation must be completed annually.

This assessment can be performed internally by an independent internal department/function such as an internal audit or compliance department. The Federal Reserve Bank may, in its discretion, require the assessment be conducted or reviewed by an independent third party. End User Authorization Contacts (EUAC) for each organization were sent an Assurance Program kick-off packet with requirements and instructions in January 2021 to assist with the process. 

Immediate action 

Evaluate the requirements for your financial institution’s Assurance Program assessment as soon as possible. Planning for the 2021 assessment should be well underway. If you would like to discuss the Assurance Program requirements or you’ve been notified that your financial institution needs an independent third party review, contact us today.

Article
The Federal Reserve's FedLine® Solutions Security and Resiliency Assurance Program

Read this if you are a timber harvester, hauler, or timberland owner.

The USDA recently announced its Pandemic Assistance for Timber Harvesters and Haulers (PATHH) initiative to provide financial assistance to timber harvesting and hauling businesses as a result of the pandemic. Businesses may be eligible for up to $125,000 in financial assistance through this initiative. 

Who qualifies for the assistance?

To qualify for assistance under PATHH, the business must have experienced a loss of at least 10% of gross revenue from January 1, 2020 through December 1, 2020 as compared to the same period in 2019. Also, individuals or legal entities must be a timber harvesting or timber hauling business where 50% or more of its revenue is derived from one of the following:

  • Cutting timber
  • Transporting timber
  • Processing wood on-site on the forest land

What is the timeline for applying for the assistance?

Timber harvesting or timber hauling businesses can apply for financial assistance through the USDA from July 22, 2021 through October 15, 2021.

Visit the USDA website for more information on the program, requirements, and how to apply.
If you have any questions about your specific situation, please contact our Natural Resources team. We’re here to help. 

Article
Temporary USDA assistance program for timber harvesters and haulers

Read this if your facility or organization has received Provider Relief Funds.

The rules over the use of the HHS Provider Relief Funds (PRF) have been in a constant state of flux and interpretation since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of June 14, 2021 on HHS’ reporting requirements. Key highlights:

These requirements apply to:

  • PRF General and Targeted Distributions
  • the Skilled Nursing Facilities (SNF) and Nursing Home Infection Control Distribution

They exclude:

  • the Rural Health Clinic COVID-19 Testing Program
  • claims reimbursements from the HRSA COVID-19 Uninsured Program and the HRSA COVID-19 Coverage Assistance Fund (CAF)

This notice supersedes the January 15, 2021 reporting requirements.

Deadline for Use of Funds:

  Period     Payment Received Period   Deadline to Use Funds   Reporting Time Period
  Period 1   4/10/20-6/30/20           6/30/21                 7/1/21-9/30/21
  Period 2   7/1/20-12/31/20           12/31/21                1/1/22-3/31/22
  Period 3   1/1/21-6/30/21            6/30/22                 7/1/22-9/30/22
  Period 4   7/1/21-12/31/21           12/31/22                1/1/21-3/31/23

Recipients who received one or more payments exceeding $10,000 in the aggregate during each Payment Received Period above (rather than the previous $10,000 cumulative across all PRF payments) are subject to the above reporting requirements.

Responsibility for reporting:

  • The Reporting Entity is the entity that registers its Tax Identification Number (TIN) and reports payments received by that TIN and its subsidiary TINs.
  • For Targeted Distributions, the Reporting Entity is always the original recipient; a parent entity cannot report on the subsidiary’s behalf, regardless of any transfer of the payment.

Steps for reporting use of funds:

  1. Interest earned on PRF payments
  2. Other assistance received
  3. Use of SNF and Nursing Home Control Distribution Payments if applicable (any interest earned reported here instead), with expenses by CY quarter
  4. Use of General and Other Targeted Distribution Payments, with expenses by CY quarter
  5. Net unreimbursed expenses attributable to Coronavirus, net after other assistance and PRF payments by quarter
  6. Lost revenues reimbursement (not applicable to PRF recipients that received only SNF and Nursing Home Infection Control Distribution payments)

PORTAL WILL OPEN ON JULY 1, 2021!

Access the full update from HHS: Provider Post-Payment Notice of Reporting Requirements.

Article
Provider Relief Funds: HHS Post-Payment Notice of Reporting Requirements

Read this if you are at a financial institution and concerned about fraud.

The numbers tell a story: Financial fraud 

Back in 2016, BerryDunn’s Todd Desjardins wrote about occupational fraud at financial institutions. This article mainly cited information from a 2016 Report to the Nations (2016 Report) published by the Association of Certified Fraud Examiners (ACFE). Fast forward to 2021, and ACFE’s 2020 Report to the Nations: Banking and Financial Services Edition (2020 Report) shows that occupational fraud continues to be a concern.

Financial institutions account for 19% of all occupational fraud worldwide, up from 16.8% in the 2016 Report. These fraud cases have a median loss of $100,000 per case—down from $192,000 per case in the 2016 Report. The number of cases had risen slightly from the 2016 Report to 386—up from 368 cases.

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And, how can you strengthen an already robust anti-fraud program? These questions, raised in Todd’s 2016 article, remain relevant today. 

A profile in fraud: Who can it be? 

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2020 Report reveals a few commonalities between fraudsters. The amounts from the 2016 Report are shown in parentheses for comparison purposes:

  • 3% of fraudsters had no criminal background (3%)
  • Men committed 71% of frauds and women committed 29% (69%, 31%)
  • 56% of fraudsters were an employee, 27% worked as a manager, and 14% operated at the executive/owner level (3%, 31%, 20%)
  • The median loss for fraudsters who had been with their organizations for more than five years was $150,000 compared to $86,000 for fraudsters who had been with their organizations for five years or less ($230,000, $74,500)

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags in its 2020 Report:

  • Living beyond means: 42% (45.8%)
  • Financial difficulties: 33% (30%)
  • Unusually close association with vendor/customer: 15% (20.1%)
  • Divorce/family problems: 14% (13.4%)

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A commonsense approach that works

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

It all starts at the top: Leadership

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a top-down culture of zero-tolerance for fraud, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but frauds committed at the executive level had a median loss of $1,265,000 per case, compared to a median loss of $77,000 when an employee perpetrated the fraud. This is compared to a median loss of $500,000 and $54,000 per case, respectively, in the 2016 Report.

Improving your internal control culture

Every financial institution uses internal controls in its daily operations. Override of existing internal controls, lack of internal controls, and lack of management review were all cited in the 2020 Report as the most common internal control weaknesses that contribute to occupational fraud in the banking and financial services industry.

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened—even financial institutions with strong anti-fraud measures in place.

We have created a checklist of the top 10 controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud. 

Get the keys to prevent fraud—free fraud prevention white paper

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our white paper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers, and the general public. It’s a good investment for any financial institution. If you have any questions, please contact our team. We’re here to help. 
 

Article
In 2021, an anti-fraud plan is the best investment your financial institution can make

Read this if you work in an alcohol control capacity for state government.

The COVID-19 outbreak has changed the alcoholic beverage industry significantly over the last 14 months. Restrictions forced people to stay at home, limiting their travel to restaurants, bars, and even some stores to purchase their favorite spirits. In at least 32 states, new legislation allowed consumers the option to buy to-go cocktails as a way to help these establishments stay in business. As a result, consumers took advantage of alcohol delivery services. 

There were two large shifts in consumer purchasing for the alcoholic beverage industry in 2020. The first was a shift from on-premise to off-premise purchasing (for example, more takeaway beverages from bars, breweries, and other establishments). The second was the explosion of e-commerce sales for curbside pickup and home delivery. A study by IWSR, an alcoholic beverage market research firm, stated that alcohol e-commerce sales grew 42% in 2020. The head of consumer insights for the online alcoholic beverage delivery service, Drizly, attributes this growth to the “increased consumer awareness of alcohol delivery as a legal option, as well as an overall shift in consumer purchasing behavior toward online ordering and delivery”. 

How state agencies responded

The move to an e-commerce model has impacted state agencies who regulate the distribution and/or sale of alcohol. States such as Oklahoma, Alabama, and Georgia recently passed legislation allowing alcohol delivery to consumers’ homes. In alcoholic beverage control states, where the state controls the sale of alcohol at the wholesale level, curbside pickup programs (New Hampshire) were implemented, while others started online home delivery services (Pennsylvania). 

In a fluid legislative environment, state agencies are working to meet consumer needs in a very competitive marketplace, while fulfilling their regulatory obligation to the health and safety of their constituents.

How alcoholic beverage control states can adapt

Now is an opportune time for control state agencies to keep pace with consumer demand for more flexible purchasing options, such as buying online with home delivery, or some form of curbside and/or in-store pickup programs. Every one of the 17 alcoholic beverage control states has passed legislation to allow the delivery of beer, wine, and/or distilled spirits in some form, with some limitations.

While for some the COVID-19 outbreak has necessitated these more distant shopping experiences, the option of these sales channels has brought consumers flexibility they will expect going forward. This calls for control state agencies to act on this changing consumer demand. By prioritizing investing in and taking ownership of new sales channels, such as e-commerce and curbside pickup, control state agencies’ technology and logistics teams can develop strategies and tools to effectively adapt to this new demand. 

Adapting technology and logistics

Through technology, control state agencies can take advantage of e-commerce and curbside pickup sales channels, to drive more revenue. We recommend control states consider the following: 

Define the current capabilities to support an online sales strategy

An important first step is to define how to address constituents’ evolving needs as compared to the current e-commerce capabilities control state agencies can support. Considerations include:

  • Are current staff capable of developing and supporting new website capabilities to meet the increased demand on the website?  
  • How will the current customer support team(s) expand to support concerns from the new channels?
  • How will new e-commerce order volume be fulfilled for home delivery (including order errors, breakage, returns, etc.)?   

Control state agencies should complete current and future state assessments in each area above to confirm what capabilities they have today and which they would like to have in the future. This allows for an accurate gap analysis and comparison to their future state needs. Once the current state assessment, future state strategy, and gap analysis are complete, control state agencies can define the projects required to support the future state requirements.

Reevaluate existing fulfillment, inventory, and distribution processes

Each control state has existing product fulfillment, inventory and distribution processes, and information technology (IT) tools for delivering alcohol to their own or licensed retail stores and businesses. These current processes and IT systems should be assessed as part of the current state capabilities assessment mentioned above, to help define the level of change needed to support the control state agency’s future needs in the e-commerce channel. Key assessment questions control state agencies should ask themselves include:

  • Can the current IT systems (e.g., inventory management, customer relationship management [CRM], customer support/call center, financial, point of sale [POS], and website infrastructure) support required upgrades?
  • Can retail teams and today’s infrastructure support order taking, inventory, fulfillment, and buy online pickup in store programs?
  • How will warehouse and retail stores track and manage the e-commerce shipments and returns related to this channel?
  • If home delivery is part of the strategy, how will the delivery logistics be met through state or vendor resources?
  • What staffing model and skill sets will support future business needs?
  • What is the total cost of ownership for these new e-commerce capabilities so that the short and long-term costs and profits can be accurately estimated? 

The answers to these questions will help to inform a future e-commerce strategy and accommodate the cost and staff impacts. 

Bring in online retail expertise

It is important to ensure that the control state agency has website and mobile capabilities to support today’s consumer needs. This includes the ability to order a wide range of products online for either home delivery or buy online pickup in store. The design of the website and mobile transactional capabilities is critically important to the success of this channel, which is where the true growth in revenues lies. Being marketing focused (e.g., allowing consumers to view and order products, save items for later, and see similar products) will help drive traffic and sales on this upgraded channel.

For control state agencies with a more static product website, consider purchasing a commercial off-the-shelf (COTS) e-commerce product with existing retail-focused website features, or contract with a vendor to build a website that meets more unique needs. The control state agency should bring in at least one online retail subject matter expert vendor to help set the direction, design the upgrades or new site, manage the project(s) needed to implement the online capabilities, and potentially manage the operational support of the website and mobile solution.

BerryDunn provides state alcoholic beverage control boards and commissions with many services along the IT system acquisition lifecycle, including planning, needs assessment, business process analysis, request for proposal (RFP) development, requirements development, technology contract development, and project management services. 

For the full list of steps to consider and to learn more about how you can successfully position your control state agency to adapt to the changing alcoholic beverage landscape, contact us.
 

Article
COVID-19 and the e-commerce explosion

Read this if you are a hospital or healthcare organization that has received Provider Relief Funds. 

The long-awaited Provider Relief Fund (PRF) Reporting Portal (the Portal) opened to providers on January 15, 2021. Unfortunately, the Portal is currently only open for the registration of providers. The home page for the Portal has information on what documentation is needed for registration as well as other frequently asked questions.

We recommend taking the time to review what is needed and register as soon as possible. Health Resources & Services Administration (HRSA) has suggested the registration process will take approximately 20 minutes and must be completed in one session. The good news is providers will not need to keep checking the Portal to see when additional data can be entered as the Portal home page states that registered providers will be notified when they should re-enter the portal to report on the use of PRF funds.

Access the portal

The Provider Relief Fund (PRF) Reporting Portal is only compatible with the most current stable version of Edge, Chrome and Mozilla Firefox.

Article
Provider Relief Fund (PRF) reporting portal

Read this if you are at a rural health clinic or are considering developing one.

Section 130 of H.R. 133, the Consolidated Appropriations Act of 2021 (Covid Relief Package) has become law. The law includes the most comprehensive reforms of the Medicare RHC payment methodology since the mid-1990s. Aimed at providing a payment increase to capped RHCs (freestanding and provider-based RHCs attached to hospitals greater than 50 beds), the provisions will simultaneously narrow the payment gap between capped and non-capped RHCs.

This will not obtain full “site neutrality” in payment, a goal of CMS and the Trump administration, but the new provisions will help maintain budget neutrality with savings derived from previously uncapped RHCs funding the increase to capped providers and other Medicare payment mechanisms.

Highlights of the Section 130 provision:

  • The limit paid to freestanding RHCs and those attached to hospitals greater than 50 beds will increase to $100 beginning April 1, 2021 and escalate to $190 by 2028.
  • Any RHC, both freestanding and provider-based, will be deemed “new” if certified after 12/31/19 and will be subject to the new per-visit cap.
  • Grandfathering would be in place for uncapped provider-based RHCs in existence as of 12/31/19. These providers would receive their current All-Inclusive Rate (AIR) adjusted annually for MEI (Medicare Economic Index) or their actual costs for the year.

If you have any questions about your specific situation, please contact us. We’re here to help.

Article
Section 130 Rural Health Clinic (RHC) modernization: Highlights

Editor’s note: Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

Last month, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2019. The report addresses key issues facing banks and focuses on those that pose threats to their safety and soundness. According to the report:

  • Bank financial performance is strong due to a favorable credit environment and the longest economic expansion in U.S. history.
  • Capital levels have reached historical highs.
  • Return on equity reached 12.7%, above its 2006 pre-crisis level for the first time.
  • Net income grew 8.22% from the same period a year ago; however, net interest income grew only 4%, as loan growth is below historical averages and an increasing number of banks are facing a flat or declining net interest margin.
  • There is continued weakness in residential and commercial real estate loan growth.
  • Delinquent and nonperforming loans remain below their long-term averages.


Banks can thrive even with economic uncertainty

While these trends indicate that 2019 was by and large an excellent year, banks cannot afford to be complacent, as 2019 also saw increasing risks to the industry. For instance, in 2019 there was much discussion of the future cessation of the London Interbank Offered Rate (LIBOR). The OCC has indicated it will increase its regulatory oversight regarding the anticipated cessation, to ensure banks assess their exposure to LIBOR and are appropriately planning their transition from the widely used benchmark rate. The Financial Accounting Standards Board (FASB) is also working on a project to address accounting issues that could arise from the transition from LIBOR.

And, although 2019 continued the longest economic expansion in US history, economic uncertainty exists due to, in part, the US-China trade conflict and ongoing Brexit discussions. This economic uncertainty has caused volatility in the interest rate environment. Aside from the yield curve inverting in 2019, banks also saw the Federal Funds target rate increase 25 basis points prior to decreasing 50 basis points. Given the typically asset-sensitive nature of banks’ balance sheets, the current interest rate environment will also put pressure on net interest margins. The current volatility of interest rates has caused the OCC to conclude interest rate risk is currently at heightened levels. 

Net interest income continues to be the most significant driver of net revenues for community banks, comprising nearly 80% of net revenues. With a difficult interest rate environment and lackluster loan growth in residential and commercial real estate, banks may face a difficult path ahead. Banks should tread cautiously, especially if this uncertainty persists. Asset-liability management will need to be a significant focus (more than usual) as banks try to position themselves to not only maintain profitability through this uncertainty, but also come out stronger than before. Specifically, if lower rates persist, asset growth will need to be a priority over deposit growth to maintain profitability at lower net interest margins. If loan growth continues to wane, this will prove to be difficult.

Innovations to compete with new lending sources

Adding to the list of threats to performance is the increasing amount of alternative financial resources available to borrowers. Banks have traditionally been the only source of credit for borrowers. However, technology has rapidly changed that landscape. Person-to-person (P2P) lending (also known as crowd lending, or social lending), allows people to borrow funds directly from another person, cutting out traditional lending sources (banks). Additionally, blockchain technology, if the hype is accurate, has the potential to eliminate the need of a financial intermediary altogether. 

Banks are adapting to this competition and to customers looking for more convenience and alternative services by offering new, unique services that differentiate themselves from others and provide added value to the customer. Banks have delivered through remote deposit, ATMs, and interactive teller machines (ITMs). Banks will need to continue to adopt innovative services to remain competitive. 

For instance, banks could offer video conferencing services, in which customers could have a live conversation with a bank representative through their smartphone. This convenience would allow a customer to conduct a transaction, such as apply for a loan, from the convenience of their home, while still maintaining human interaction throughout the transaction. Such a service would help banks compete with digital channels offered by non-banks, such as Quicken Loans, which is now the largest mortgage originator in the United States.

Strategies to protect against technological risks

These services all require the use of existing and new technologies, which have caused banks to hold more personally identifiable information (PII) digitally across an increasing number of digital platforms. As noted by the OCC, this digital exposure has created persistent cybersecurity risks for banks. Adopting a robust cybersecurity framework is no longer an option. 

Banks should bring cybersecurity to the forefront of their strategic planning. Any strategic plan must consider cybersecurity implications, as a single disaster can be detrimental to a bank’s reputation. And, given this rapidly changing environment, the cybersecurity conversation must be ongoing through relevant bank committees and the board of directors.

Furthermore, these technological solutions require partnerships with businesses that banks would not traditionally partner with. Financial technology (fintech) companies are not just competitors to traditional banks. Many fintech companies are offering their technological solutions to traditional banks. However, outsourcing technological solutions to fintech companies and other businesses does not relieve a bank from performing its own due diligence and ensuring those companies meet the bank’s standards.

Banks should evaluate potential vendors to ensure they comply with the bank’s vendor management policy. Since environments are constantly changing, this evaluation should be ongoing. Many vendors now provide System and Organization Controls (SOC) reports, which describe the vendor’s control environment and include independent third-party testing of those controls. A SOC report can provide a useful starting point for evaluating a vendor’s ongoing compliance with the bank’s vendor management policy, but it is not a substitute for ongoing communication with the vendor.

There is no doubt 2019 was a successful year for banks. But past performance is not a guarantee of future success. Banks face many challenges, risks, and uncertainties, of which only a few have been outlined above. The current landscape may be challenging, but it is also filled with opportunity. Banks should consider expanding their services, adopting new technologies, and partnering with other companies to leverage their strengths. Doing so should help position them for an exciting decade ahead.

If you have specific concerns about challenges facing your institution, please contact the team

Article
Banking and finance: 2020 challenges and what to do to overcome them

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or management of an organization that participates in strategic planning and business activities where compliance and controls must be considered.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to address if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. Even though a data breach may be the fault of a third party, you are still responsible for it. A breach that exposes customer information leaves you to give customers and clients answers and explanations you may not have.

Though software as a service (SaaS) providers, along with other third-party IT services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit card or banking information), and healthcare information of your customers.

While many third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or occurred while data was under the control of third-party vendors.[1] This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already require contract language that establishes IT security requirements for third parties; however, those requirements are often not enforced, nobody is aware of what the contract actually says, or the evidence that is collected is put in a file and never reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements to defend against third-party risk. Such a program includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At the time of onboarding or RFP, develop a standardized approach for evaluating whether potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a System and Organization Controls (SOC) report or other audits/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in item 2, develop a vendor risk assessment using a high, medium, and low scoring approach. Higher-risk vendors should have specific concerns addressed in contracts and are subject to more in-depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Protection Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal information of EU citizens. Enforcement has started, and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines of $125 million and $183 million Euros against Marriott International and British Airways, respectively.[2] Gone are the days when regulations lacked the teeth to force companies into compliance.

In the wake of other major data breaches in which the private information of hundreds of millions of consumers was lost or stolen (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act, which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in California to fall under its enforcement).

In 2018, Maine passed the toughest law on telecommunications providers selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states, including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are many resources available and, in most cases, legislative requirements include grace periods that give organizations time to develop a complete understanding of the law and implement the needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.[3] While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used.[4] Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the organizations that hold it do not know it exists or where it is stored.

In addition to the security risk that all this data poses, it may also expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory to understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Moving older data to backup storage media may help reduce the amount of data that must be stored and maintained on internal systems.
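The inventory step above, together with the 90-day rule for communications in the previous section, can be turned into a repeatable check. The following is an added example, not code from the original article or from the firm that published it: it scans a constructed set of stored items (a few email files and a file share, with the sample text and dates invented here) for two of the PII types the article names, social security numbers and payment card numbers, and flags communications older than the retention window. The "mail/" path prefix used to recognize email, the item dates, and the as-of date are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Retention window from the article: communications older than this are flagged.
RETENTION_DAYS = 90


@dataclass
class Item:
    """One stored object found during the inventory (constructed, not real data)."""
    location: str         # hypothetical path; "mail/..." marks email, deleted items included
    last_modified: date
    text: str


@dataclass
class Finding:
    location: str
    pii_types: list       # e.g. ["ssn"], ["card"], or [] when nothing was detected
    past_retention: bool  # True when a communication is older than the retention window


# Constructed sample store. The card number is the well-known 4111... test value;
# the 16-digit "invoice number" is a deliberate false-positive candidate.
SAMPLE_ITEMS = [
    Item("mail/inbox/2019-01-03.eml", date(2019, 1, 3),
         "Hi, my SSN is 123-45-6789, please update my file."),
    Item("mail/deleted/2019-02-10.eml", date(2019, 2, 10),
         "Card on file: 4111 1111 1111 1111 exp 12/22"),
    Item("shares/hr/onboarding.txt", date(2019, 5, 20),
         "Welcome aboard! Orientation is Monday."),
    Item("mail/inbox/2019-05-25.eml", date(2019, 5, 25),
         "Invoice number 1234567890123456 attached"),
]
AS_OF = date(2019, 6, 1)  # constructed "today" so the run is reproducible

# US SSN shape ddd-dd-dddd, excluding area numbers that are never issued (000, 666, 9xx).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional space/dash separators; these are candidates only,
# the Luhn checksum decides whether a run of digits is treated as a card number.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most digit-run false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> list:
    """Return the PII categories detected in a piece of text."""
    types = []
    if SSN_RE.search(text):
        types.append("ssn")
    if find_card_numbers(text):
        types.append("card")
    return types


def inventory(items, as_of, retention_days=RETENTION_DAYS) -> list:
    """Classify every item and flag communications older than the retention window."""
    cutoff = as_of - timedelta(days=retention_days)
    findings = []
    for it in items:
        is_communication = it.location.startswith("mail/")  # deleted-items folder included
        findings.append(Finding(it.location, classify(it.text),
                                is_communication and it.last_modified < cutoff))
    return findings


def summarize(findings) -> dict:
    """Counts suitable for a management report: what exists, what is sensitive, what is overdue."""
    return {
        "items": len(findings),
        "with_pii": sum(1 for f in findings if f.pii_types),
        "past_retention": sum(1 for f in findings if f.past_retention),
        "pii_past_retention": sum(1 for f in findings if f.pii_types and f.past_retention),
    }


def run_demo():
    findings = inventory(SAMPLE_ITEMS, AS_OF)
    return findings, summarize(findings)


if __name__ == "__main__":
    demo_findings, demo_summary = run_demo()
    for f in demo_findings:
        print(f"{f.location:32} pii={f.pii_types or '-'} past_retention={f.past_retention}")
    print(demo_summary)
```

Two design points matter in practice. The Luhn check is what keeps the scan usable: the 16-digit invoice number in the sample matches the card pattern but fails the checksum, so it is not reported, whereas the deleted-items message with a valid card number is. And the retention flag is computed from the item's last-modified date against an explicit as-of date rather than the wall clock, which makes the run reproducible and lets the same report be regenerated for an auditor.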

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents help thwart hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts is at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.[5]

Organizations should be highly focused on employee retention and training to keep current employees up to speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.[6]

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.[6]

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that give their security personnel a sense of direction―and the ability to truly protect the organization, its people, and its data.

Training and support go a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees that you value their knowledge and the work they do. You need to train technology workers to be aware of new threats and in the techniques that best defend against them.

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create not just an IT security program, but a culture of security-minded employees.

Our team of IT security and control experts can help your organization create and implement the controls needed to address emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Article
Five IT risks everyone should be aware of