Protect and secure data and data privacy is critical since most companies hold clients/costumers sensitive data, and protect that data is not only critical to its clients/costumes. Data protection is also critical for companies intellectual properties and reputation.

Data Protection Services

As more organizations move to hybrid or multi-cloud IT strategy, managing data protection services has become increasingly more complex. Various systems, technologies and environments require different tools for data protection management, and many IT teams find they must use a variety of tools to perform backup operations. In addition to greater inefficiency and rising costs, this intensive focus on data protection services diverts IT teams from higher value tasks and other strategic priorities.

Data Protection Simplified by CyberSecOp LocVault services

To simplify data protection services, CyberSecOp offers a Managed Data Protection solution that can protect digital assets across all your environments. Powered by Locvault's best-in-class data backup and recovery software, CyberSecOps Managed Data protection services help simplify data protection by enabling IT teams to use a single tool for backup and restore processes.

Efficiently Protect, Manage and Recover Your Data

• Protect, manage and access the information you need with a heterogeneous data protection solution

• A single interface manages data at a fraction of the time, effort and cost required by separate point products

• Simplify data management in complex networked storage environments with a consistent way to locate and manage data and applications

  With Privacy and Data Protection, CyberSecOp LocVault will help you protect your sensitive business data and help you meet compliance requirements related to data storage and protection.

  We’ll also help you assess your risk, create custom policies to encrypt and restrict access to sensitive data, and report on data access — helping to ensure that your important data remains protected. Speak with an expert

Humans remain the weak link in corporate data protection

Humans remain the weak link in corporate data protection, but you might be surprised that it isn't only rank-and-file employees duped by phishing scams who pose risks. Some companies are lulled into a false sense of cybersecurity by vendors. You read that right, Some enterprises believe the shiny new technologies they've acquired will protect them from anything.

As we continue to build defense in depth and deploy security appliances utilizing AI and other emerging technologies, attackers will continue to pivot to the perennial weak spot: the users. Recently I hosted the Social Engineering Capture The Flag competition at Hackfest in Quebec, and similar to last year, the results were sobering. Every single targeted company had employees that gave detailed information over the phone on their OS and service pack level, and 88 percent gave detailed information on the browser they were using. Three quarters went to a URL that they were given over the phone. The information that the companies bled was disheartening but not shocking. Until we train employees to trust their instincts and tell them it's okay to say no to a customer, things won't change. In the current environment where companies ask their customers to leave a positive review online, employees increasingly feel less empowered to terminate a call they feel is suspicious. Your friendly neighborhood hacker is happy to exploit this weakness.

Billions being send on security tools

The threat of cyber crime has created a significant increase in interest on the topic of cyber security, with organizations spending billions of dollars to protect themselves against a fast evolving array of current and potential future threats. Many spend heavily on monitoring, surveillance and software; however, they often neglect the risk exposure created by their own people – and, in this digital age, by their customers.

Businesses are losing the fight, pay ransom, or lose their lively hood

Businesses are forced to make exceedingly difficult decisions. On one hand, it feels wrong to negotiate with the cybercriminals and give them what they want. On the other hand, the looming financial hit and business interruption is typically far more detrimental than the payoff amount. If business owners don’t engage with the ransomers, they face the prospect that they, and their employees, may lose their livelihood. I see ransomware as a continuing cyber threat in 2019 and beyond. It’s up to business owners to implement the best security practices and ensure that their employees are properly trained to identify and avoid potential threats.

Why Managed Detection & Response Provider may be the right move

Companies outsourcing security need Managed Detection & Response providers (MDR) more than ever to improve cyber resilience. With the security landscape growing more complex, and the costs of maintaining adequate in-house security teams high, it makes sense for many companies to outsource the tasks of threat hunting and response to ensure that they can promptly identify potential threats and react swiftly to mitigate damages. Managed Detection & Response providers often integrate tools such as Endpoint Detection & Response and other solutions to detect threats, analyze risk, and correlate threat data to pinpoint patterns that could indicate a larger attack.

How to choose the right Manged Detection & Response Provider

Smart moves: you’re making them. How do we know? For one, you’re investigating ways to close the gaps in your threat detection and incident response. Which makes sense, given that assembling the talent and tech to thoroughly thwart attackers requires more than most organizations can commit to. Even smarter, you’re checking out Managed Detection and Response (MDR) Services, an increasingly popular solution which combines expertise and tools to provide monitoring and alerting, as well as remote incident investigation and response that can help you detect and remediate threats.

9 things to look our for when choosing a Managed Detection & Response Provider

1. Your Managed Detection & Response Provider should combine numerous data inputs from security detection tools, threat intel feeds, third party data sources, and the IT asset database to identify not only where there is a threat but its risk compared to others in the queue.

2. Assess your company's present and future technology needs and initiatives. Qualify, quantify and communicate those needs throughout your company. Is the Managed Detection & Response Provider able to address your range of needs?

3. Technology strategies should encompass people and processes as part of the organization's mission and strategies. Do they offer ongoing employee training as part of their service?

4. Does the Managed Detection & Response Provider continuously assess your organization's performance for meeting objectives? You want a partner that focuses on continuous evaluation and improvement of your objectives.

5. Review your company's goals and mission. Ensure they are clear and concise and can be communicated to all organizational stakeholders as well as your new IT partner.

6. Perform annual policy and process reviews to assess organization's readiness for external reviews and incident response.

7. Identify and create teams within your organization to define current challenges and align initiatives to those challenges.

8. Through playbooks and pre-defined workflows, you can quickly assess and begin to remediate security incidents based on best practices. Ask a Managed Detection & Response Provider if they include such materials as part of their package.

9. CIOs/CISOs should have unprecedented transparency to all aspects of the security environment. Through dashboards and visualization techniques, CIOs/CISOs will be more easily able to communicate with Managed Detection & Response Providers which vulnerabilities and threats exist and the risks of inaction.

What is Compliance

Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.

Business and Compliance

When it comes to a business and corporate management, compliance refers to the company obeying all of the legal laws and regulations in regards to how they manage the business, their staff, and their treatment towards their consumers. The concept of compliance is to make sure that corporations act responsibly.

The pressure to comply with constantly changing regulatory, third-party, and internal guidelines can be overwhelming. Being unprepared to manage risks yet meet mandates can lead to economic consequences and legal liabilities. Both can contribute to a significant financial impact and hurt to your reputation, which could prove even more damaging. You may be exposed to threats you’re not yet familiar with that could be putting your company’s reputation at risk—and even jeopardizing its future.Many major companies within the United States are subject to some type of security regulation.

Complying to regulatory compliance

Regulations that contain information security requirements are intended to improve the information security level of organizations within that industry and many organizations would welcome such information. The difficulty comes in determining which regulations apply and in interpreting the requirements of the regulation. The regulations are not written in a way that is easily understood by the average business person so many times a security professional is needed to understand the requirements and how to best implement them. Professionals have experience implementing systems, policies, and procedures to satisfy the requirements of the regulation and enhance the security of your organization and some have obtained credentials such as (CyberSecOp Information Security Practitioner) that signify their understanding of the regulations. Often the requirements are given in general terms leaving the company to determine how to best satisfy the requirements.

For those organizations without a robust security department, we provide a Virtual CISO offering with expertise in the following:

• ISO 27001/27002

• NIST & NIST Cybersecurity

• GDPR

• CCPA

• FedRamp

• NY DFS Requirements 23 NYCRR 500

• FFIEC Handbook

• FERPA

• HIPAA/HITECH

• Hi-Trust

• PCI-DSS

What is Phishing?

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information, or to install malware on the victim’s machine. Phishing is a common type of cyber attack that everyone should learn about to protect themselves.

Phishing Attack Prevention:

Why are so many companies vulnerable to phishing? Not having the right tools in place and failing to train employees on their role in information security.

Employees possess credentials and overall knowledge that is critical to the success of a breach of the company's security. One of how an intruder obtains this protected information is via phishing. The purpose of phishing is to collect sensitive information to use that information to gain access to otherwise protected data, networks, etc. A phisher's success is contingent upon establishing trust with its victims. We live in a digital age, and gathering information has become much easier as we are well beyond the dumpster diving days.

How do I protect against phishing attacks?

Free Email Protection

Free protocols that help organizations improve email security; Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) were developed. SPF cross-checks the sender’s IP address with an approved list of IP addresses, and DKIM uses an encrypted digital signature to protect emails. While these are both individually effective, they have their own set of flaws. DMARC, developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email and has a mechanism that sends the domain owner a report whenever an email fails DMARC validation.

But here’s the thing: a recent report from phishing specialist Agari states that only 1/3 of the Fortune 500 have configured DMARC.

User education

One way to protect your organization from phishing is user education. Education should involve all employees. High-level executives are often a target. Teach them how to recognize a phishing email and what to do when they receive one. Simulation exercises are also key for assessing how your employees react to a staged phishing attack.

Security technology

No single cybersecurity technology can prevent phishing attacks. Instead, organizations must take a layered approach to reduce the number of attacks and lessen their impact when they do occur. Network security technologies that should be implemented include email and web security, malware protection, user behavior monitoring, and access control.

How does phishing work?

Phishing starts with a fraudulent email or other communication that is designed to lure a victim. The message is made to look as though it comes from a trusted sender. If it fools the victim, he or she is coaxed into providing confidential information, often on a scam website. Sometimes malware is also downloaded onto the target’s computer.

What are the dangers of phishing attacks?

Sometimes attackers are satisfied with getting a victim’s credit card information or other personal data for financial gain. Other times, phishing emails are sent to obtain employee login information or other details for use in an advanced attack against a specific company. Cybercrime attacks such as advanced persistent threats (APTs) and ransomware often start with phishing.

Types of Phishing

Deceptive Phishing. The term "phishing" originally referred to account theft using instant messaging but the most common broadcast method today is a deceptive email message. Messages about the need to verify account information, system failure requiring users to re-enter their information, fictitious account charges, undesirable account changes, new free services requiring quick action, and many other scams are broadcast to a wide group of recipients with the hope that the unwary will respond by clicking a link to or signing onto a bogus site where their confidential information can be collected.

Malware-Based Phishing refers to scams that involve running malicious software on users' PCs. Malware can be introduced as an email attachment, as a downloadable file from a web site, or by exploiting known security vulnerabilities--a particular issue for small and medium businesses (SMBs) who are not always able to keep their software applications up to date.

Keyloggers and Screenloggers are particular varieties of malware that track keyboard input and send relevant information to the hacker via the Internet. They can embed themselves into users' browsers as small utility programs known as helper objects that run automatically when the browser is started as well as into system files as device drivers or screen monitors.

Session Hijacking describes an attack where users' activities are monitored until they sign in to a target account or transaction and establish their bona fide credentials. At that point the malicious software takes over and can undertake unauthorized actions, such as transferring funds, without the user's knowledge.

Web Trojans pop up invisibly when users are attempting to log in. They collect the user's credentials locally and transmit them to the phisher.

Hosts File Poisoning. When a user types a URL to visit a website it must first be translated into an IP address before it's transmitted over the Internet. The majority of SMB users' PCs running a Microsoft Windows operating system first look up these "host names" in their "hosts" file before undertaking a Domain Name System (DNS) lookup. By "poisoning" the hosts file, hackers have a bogus address transmitted,taking the user unwittingly to a fake "look alike" website where their information can be stolen.

System Reconfiguration Attacks modify settings on a user's PC for malicious purposes. For example: URLs in a favorites file might be modified to direct users to look alike websites. For example: a bank website URL may be changed from "bankofabc.com" to "bancofabc.com".

Data Theft. Unsecured PCs often contain subsets of sensitive information stored elsewhere on secured servers. Certainly PCs are used to access such servers and can be more easily compromised. Data theft is a widely used approach to business espionage. By stealing confidential communications, design documents, legal opinions, employee related records, etc., thieves profit from selling to those who may want to embarrass or cause economic damage or to competitors.

DNS-Based Phishing ("Pharming"). Pharming is the term given to hosts file modification or Domain Name System (DNS)-based phishing. With a pharming scheme, hackers tamper with a company's hosts files or domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site. The result: users are unaware that the website where they are entering confidential information is controlled by hackers and is probably not even in the same country as the legitimate website.

Content-Injection Phishing describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, hackers may insert malicious code to log user's credentials or an overlay which can secretly collect information and deliver it to the hacker's phishing server.

Man-in-the-Middle Phishing is harder to detect than many other forms of phishing. In these attacks hackers position themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.

Search Engine Phishing occurs when phishers create websites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products or services and are fooled into giving up their information. For example, scammers have set up false banking sites offering lower credit costs or better interest rates than other banks. Victims who use these sites to save or make more from interest charges are encouraged to transfer existing accounts and deceived into giving up their details.

CEOs and cybersecurity: are they the road block?

Senior executives may be the weakest link in the corporate cyber security chain and are a primary target of hackers, fraud and phishing scams, says report. it also should be know that the are the road block to approve budget for information security, and most often security takes back sit to profit.

Report by many source and research done by many firm identity senior executive has the road block to good security within their firms, Many CEOs think they are immune to hackers, at least that’s what a new report According to the report, these findings are ironic given that CEOs are the ideal victim.

Senior Executive Are You the Weakest Link?

According to the report, Are You the Weakest Link? How Senior Executives Can Avoid Breaking the Cybersecurity Chain, many senior executives ignore the threat from hackers and cyber criminals and often feel that security policies in their respective organisations do not apply to their unique position.

In reality, their often privileged access to company information makes their personal accounts extremely valuable to exploit and heightens the need for extra care.

Professional hackers and adversaries will usually do a thorough investigation into a senior executive or board level director, including full analysis which could entail in-depth monitoring of the company website and associated social media accounts (including employees and their extended networks).

It appears that many CEOs commonly view cyber security as a responsibility for the IT department only. In reality, IT security has now become a remit for all individuals.

“All employees — especially those at the top of the corporate ladder — need to realise that cybercriminals use social engineering, email phishing and malware to access personal accounts, and C-level staff especially need to avoid becoming the weakest link in the cybersecurity chain by adhering to regularly updated, company-wide security policies regarding data sharing and backup,”

“Reviewing corporate policies, with a focus on people, premises, processes, systems and suppliers will provide valuable insights into which areas to improve, and by championing a ‘security first’ corporate culture, organisations and their senior executives will be well positioned to avoid the high financial costs, reputation damage and unexpected downtime that could result from a cyberattack or data breach.”

Cloud Security - Cloud Cyber Security

Of the large amount of data that has been moved to the cloud, a huge segment of it has been compromised. The compromised data includes election data, financial information like bank cards, health data, etc. Maintaining integrity and security continues to be a significant challenge for cloud platforms. [3]

In an attempt to provide extra security for cloud data, many cloud service providers (CSPs), have launched extensive cloud security technologies. Google has announced ‘shielded VMs’ to prevent hostile attacks. Even with these security technologies in place, however, users still have a large role to play in keeping their data safe.

In many cases, IT teams have recognized the lack of control when data is placed in the cloud. This lack of control is a symptom of the absence of an overarching security strategy. The challenge presents itself when an organization transfers data to the CSPs without maintaining any additional backup, as this could result In the loss of data at times. Stressing on the importance to maintain an additional backup of data. [3]

Another common challenge with the cloud is the unclear point-to-point access. Access permissions are complicated when an organization’s data is placed on a third-party cloud server. Planning and strategizing the access controls around crucial data is as important as defining the access points and control measures. Security in the cloud is different from on-premises security, making it complex due to the various rules implemented and security issues faced, such as failure to encrypt data. Access to the cloud server should be defined on a point-to-point basis. That means that access to data should be restricted based on the requirement of every individual, whether management or staff, should be clearly defined. A flow chart explaining the access points should be shared with the CSP to bring them on equal understanding to avoid conflicts.

Securing Your Data on the Cloud

The main objective of cloud security is to keep data secure, sharing the responsibility between the provider and the client. Here are some good practices that can be implemented to leverage the benefits of cloud services.

a) Encryption of Data

End-to-end encryption of data in transit

For high-security processes, where the data is highly confidential, all interactions with servers should happen over a secure socket layer (SSL) transmission. To ensure the end-to-end encryption of data, the SSL should terminate within the CSP’s network. Comprehensive encryption, when performed at the file level, makes cloud security stronger. All data should be encrypted before being uploaded to the cloud.

Encryption of data when at rest

Even when data is at rest, encryption should be enabled. This helps in complying with regulatory requirements, privacy policies, and contractual obligations related to confidential data. Before registering with your CSP, security policies should be verified with an auditor. AES-256 is used for encrypting data in the cloud and the keys should be encrypted with master keys in the rotation. Field-level encryption will also help keep the data secure.

b) Robust and Continuous Vulnerability Testing and Incident Response

A good CSP contract includes regular vulnerability assessment and incident response tools that extend to devices and networks. The solutions given by incidence response tools might enable automated security assessments to test system weaknesses. CSPs should be able to perform scans on demand.

c) End-user Device Security

Securing cloud-connected end-user devices is an often-overlooked component of a well-rounded security program. When utilizing infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) models, deploying firewall solutions in your end devices to protect the network perimeter is very important.

d) A Private Cloud and Network are Best

Opting for a cloud environment which is private and where you can have complete control over access to your data is the preferred method as opposed to using a multi-tenant instance. Also, opt for cloud storage or software-as-a-service (SaaS) which belongs to only you and is not shared with others. These personal clouds are called virtual private clouds (VPC) and all traffic to and from these VPCs can be routed to the corporate data center. This can be done through an internet protocol security (IPsec) hardware VPN connection.

e) Compliance Certifications

The two most important certifications that you should consider are SOC 2 Type II and PCI DSS.

SOC 2 Type II is a type of regulatory report that defines the internal controls of how a company should safeguard its customer data and operation controls. SOC2 deals with regulatory compliance, internal risk management processes, and vendor management programs. It confirms that a cloud service has robust management as it is specifically designed to ensure higher standards of data security.

PCI DSS – PCI DSS stands for Payment Card Industry Data Security Standard and is important to organizations that deal with credit card transactions. Meeting this standard helps keep cardholder data safe from fraud. It ensures that sensitive data stored in a cloud is processed and transmitted in a secure manner. It impacts security policies, procedures, software design, network architecture, and various protective measures.

Leading public cloud providers like Microsoft and Amazon offer proprietary credential management tools to provide legitimate access and keep intruders away from sensitive data. Having sophisticated tools can help ensure the security of your data in the cloud.

Defense is a matter of strict design principles and security policies scattered over various departments. By implementing the above key guidelines as part of your cloud strategy, you are on your way to securing your data in the cloud.

Ethical Hacker for Secure Cloud Storage

An ethical hacker is a skilled trained professional who knows how to locate the vulnerabilities in target systems, including cloud storage platforms and networks. The term ‘ethical’ differentiates a black-hat hacker from a white-hat hacker.

CCPA Data Privacy

The California Consumer Privacy Act of 2018 (CCPA) into effect. This new consumer privacy law comes post Europe’s General Data Protection Regulation (GDPR) and, for some, is seen as a smaller version – without the option to opt-out of data collection all-together that the GDPR has.

CCPA is a consumer privacy law that will be coming into effect on January 1, 2020. The bill – which is aggressive for American privacy policy standards – will put guidelines on personal information collection and post-data-acquisition data usage by businesses.

Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. The breadth of personal information covered by the CCPA, going beyond what is typically covered by U.S. privacy laws, will complicate compliance and business operations.

Who need to comply with CCPA

Companies, especially those outside of California, may wonder whether they are subject to the CCPA. CCPA applies to for-profit entities that (1) have greater than $25 million in gross annual revenues; (2) annually handle personal information of 50,000 or more consumers, households, or devices; or (3) derive 50% or more of annual revenue from selling personal information. These criteria will result in a wide swath of businesses being subject to the CCPA. For example, a website might only need 137 unique visitors from California per day to reach the threshold of 50,000 consumers. That website’s collection of data through cookies may be captured by the CCPA’s broad definition of personal information. And given the third criterion focused on revenue percentage, even very small businesses that regularly exchange data, for example in the online ecosystem, might be captured if their activities are deemed to be a “sale” under the CCPA.

CCPA PRIVACY OVERSIGHT

The CCPA will impose substantial compliance obligations on all businesses that handle personal information of California consumers. Such obligations may pose particular challenges for the ever increasing array of businesses that leverage consumer data for analytics, profiling, advertising, and other monetization activities, particularly as the compliance requirements are not easily gleaned from the statutory language. Addressing these challenges will require creative, thoughtful approaches and may potentially involve industry-wide coordination to develop and advance practical solutions.

CyberSecOp CCPA privacy consultants incorporates your CCPA compliance requirements, powered by a unique combination of deep privacy expertise developed over two decades, proven methodologies refined through tens of thousands of engagements, and powerful technology operating at scale for 20 years.

WHAT DO SECURITY CONSULTANTS DO?

Security consults deal with various threats to physical and computer security. Security threats come in many forms such as computer hackers, terrorists, and attacks on physical assets. There are specializations for security consultants of building security, natural and man-made disaster prevention, or with computer security issues.

Some of the roles security consultants may do for companies or private individuals are installing physical protections of video surveillance and alarm systems. Physical security risks are issues for many companies and security consultants may determine physical security risks such as threats of violence in the workplace, the stability of a building during tornadoes, earthquakes, fires, or other natural disasters, and development of evacuation plans for personnel during emergencies. Security consultants also may advise on building maintenance issues.

What services does a security consultants provide?

Security consultants can also help to incorporate security changes at all levels of the company. Based upon the security audit that’s conducted, a security consultant, if allowed to, can implement various new security measures and procedures throughout the company, which can include security related to:

• Analyzing areas that are currently exposed and if they have had their security compromised in the past;

• Performing a gap analysis in order to determine if any areas of a company’s current security does not meet accepted industry standards;

• Gauging the work environment through performing interviews with important personnel and company employees;

• Providing a list of recommendations based upon found security vulnerabilities, which includes security measures that should be incorporated.

• Policies and procedures;

• Electronic surveillance and alarm systems;

• Security personnel.

A security consultant will work closely with management for the purposes of transparent communication and to make sure that any security changes that are implemented are done so within the allotted budget. The degree to which a security consultant can incorporate security changes depends largely upon this, in addition to the management’s instructions.

CyberSecOp Security Services has been providing expert security consulting services for decades. Make sure to contact us today to ask about our advanced security consulting services, which will be personalized to your company’s particular needs.

The Department of Health and Human Services has released voluntary cybersecurity practices to the healthcare industry to move organizations “towards consistency” in mitigating cyber threats.

According to HHS, the four-volume publication guides “cost-effective methods that a range of healthcare organizations at every size and resource level can use to reduce cybersecurity risks.” It is meant to raise awareness of cyber threats and provide vetted practices.

“Cybersecurity is everyone’s responsibility—it is the responsibility of every organization working in healthcare and public health,” says HHS Acting Chief Information Security Officer Janet Vogel. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

HHS Headquarters in Washington, D.C.

Mandated by the Cybersecurity Act of 2015, HHS convened more than 150 cyber and healthcare experts from government and industry to develop the recommended practices as part of the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“The healthcare industry is truly a varied digital ecosystem—we heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” says Erik Decker, industry co-lead and chief information security and privacy officer at the University of Chicago Medicine. “That is exactly what this resource delivers; recommendations stratified by the organization's size, written for both the clinician and the IT subject matter expert.”

In addition to the main document, which lays out the five most relevant and current threats to the industry, the publication also recommends ten cybersecurity practices to help mitigate these threats. It also includes two technical volumes geared for IT and security professionals: Technical Volume 1 focuses on cybersecurity practices for small healthcare organizations. In contrast, Technical Volume 2 focuses on techniques for medium and large healthcare organizations.

Only a few days ago, Microsoft released an emergency Internet Explorer patch bundled in a cumulative update. The patch was rolled out to fix the zero-day vulnerability in Internet Explorer first discovered by a

However, it seems like the patch is creating more problems than fixing them. Out of many known issues, as mentioned by Microsoft in the changelog, one can be regarded as a more severe issue since it is leaving many Lenovo laptops unbootable after installing the patch.

Microsoft mentions that the issue is only affecting Windows 10 users who have a Lenovo laptop that has less than 8 GB RAM. On the other hand, few sources tell that the issue has only affected PC’s that are still on the 1607 version, or Windows 10 Anviersary Update (2016). 

Considering only enterprise PCs have the ability to delay updates, they are most likely have been affected by the unbootable issue.

If you have installed the latest “KB4467691” cumulative update on your PC, and are facing the same issue, here are some steps that Microsoft wants you to follow —

Restart the affected machine using UEFI. After this, disable Secure Boot and then perform restart.

If BitLocker is enabled on your computer, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Information and Cyber Security Consulting Services: Cyber security systems and principles are designed to safeguard company data, websites and web applications from attackers seeking to disrupt, delay, alter or redirect the flow of data. These attackers vary in target, motive, levels of organization, and technical capabilities, requiring public and private organizations to adopt ever-increasing measures to prevent cyber attacks. CyberSecOp is an award winning US based to Cyber Security Consulting Company.

The following are some important do’s and don’ts for advisers to keep in mind when executing on the action steps in your cybersecurity plan:

Make use of all tools available from your broker-dealer or custodian. The securities industry is investing tens of millions of dollars in cybersecurity, making tools and resources available to advisers and their teams. Actively seek out those tools and become known at your firm for your interest in and commitment to cybersecurity.

Eliminate weak links in your system. Hackers will be turned away from your systems that use strong passwords and encryption. Don’t let users share passwords. In addition to PCs, encrypt
all thumb drives, cell phones and tablets. And set untended computers to lock automatically after a set number of minutes.

Take preparation, training and review seriously. Put effort into your plan, review it seriously on a regular basis, document that review, and make sure that all staff – including even those who don’t usually deal with clients or their information – are regularly trained and updated on cybersecurity policies and procedures. Since staff carelessness or inattention can be the weakest link
in the defense chain, make sure that you and your staff never download an attachment or accept a request if it can’t be verified.

Be alert to things that don’t feel right. Suppose, for example, that a staff member receives a phone call from someone saying he’s from Microsoft tech support and has noticed a computer virus on your system. Even if the employee isn’t aware that reputable tech support operations don’t work that way, he or she should immediately sense that the call is out of the ordinary and somehow amiss. Given that feeling, the employee should hang up immediately and not let the unidentified caller connect to the firm’s system. Similarly, if you or staff receive an e-mail from a client saying they’ve been mugged on vacation or have lost their wallet or passport, most likely their e-mail has been hacked. Contact that person via landline or cell phone and confirm the story.

Educate your users and clients in how to communicate safely. Advisers should require multifactor authentication (use of a token or other identifier beyond password or ID) for client communication through Gmail, Yahoo! and other major providers. This will protect them, and you, from hackers.

Don’t keep cybersecurity a secret. The financial advice business is competitive, but there is one area where cooperation, not competition, is paramount: cybersecurity. Discuss the issue frequently with peers and share any ideas you have.

Don’t lull yourself into thinking cybersecurity is someone else’s problem. Be alert to news and developments in cybercrime and cybersecurity and seek more information and update plans and programs accordingly. Start by identifying your three biggest potential threats and get to work addressing them.

HIPAA Modernization of Security Standards

The Health Insurance Portability and Accountability Act, better known (if not always spelled correctly) as HIPAA, was signed into law by President Bill Clinton in August 1996.

A lot has changed in the two decades since – in the ways consumers interact with health systems and the ways technology is transforming care delivery and the patient experience. So maybe it's time to give the privacy law a refresh, said the American Medical Informatics Association and the American Health Information Management Association.

WHY IT MATTERS

As access to personal health information is easier than ever, with smartphones now ubiquitous and apps and connected devices proliferating by the day, both AMIA and AHIMA have voiced support for HIPAA modernization.

In a joint appearance on Capitol Hill, in a presentation about unlocking data for patient empowerment, experts from the two groups highlighted how healthcare has a lot of catching up to do to serve a population used to online shopping, travel booking, review sites and more.

Webinar: The Future of Medicine: Protecting Privacy Without Impacting Quality of Care

Toward this vision of improved patient experience, AMIA and AHIMA said U.S. policymakers should take steps to update HIPAA to enable greater data access and portability – something that looks more likely than it did even a few months ago.

It could be done in a couple different ways, they said. First, potentially, by establishing a new concept of a health data set, with that HDS comprising all the clinical, biomedical and claims data maintained by a covered entity or business associate.

Another option is to revise HIPAA's existing "designated record set" definition, requiring certified health IT products to provide that amended DRS to patients digitally – enabling in a way that enables them to use and reuse their data.

They explained that a new definition for HDS would support individual HIPAA right of access and guide the future development of ONC's Certification Program so individuals could view, download, or transmit to a third party this information electronically and access this information via application programming interface.

Revising the existing DRS definition, meanwhile, offer more clarity and predictability for both providers and patients, AMIA and AHIMA said.

THE LARGER TREND

Even as the availability and maturity of consumer technology has improved, "more than two decades after Congress declared access a right guaranteed by law, patients continue to face barriers," said Dr. Thomas Payne, medical director, IT Services at UW Medicine. "We need a focused look at both the technical as well as social barriers."

AMIA and AHIMA called a broader conversation regarding consumer data privacy, and called on Congress to "extend the HIPAA individual right of access and amendment to non-HIPAA Covered Entities that manage individual health data, such as mHealth and health social media applications. The goal is uniformity of data access policy, regardless of covered entity, business associate, or other commercial status."

Moreover, the groups said regulators should clarify existing regulatory guidance related, for example, to third-party legal requests, such as those by lawyers looking for information without appropriate patient permissions.

ON THE RECORD

"Congress has long prioritized patients' right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles," said Dr. Doug Fridsma, president and CEO and AMIA. "But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined."

"AHIMA's members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape," said AHIMA CEO Wylecia Wiggs Harris, in a statement. "The language in HIPAA complicates these efforts in an electronic world."

CyberSecOp assist clients with managing privacy risk while keeping thier existing controls as effective and efficient as possible to withstand a complex privacy risk environment. We focus on testing, and training based on common employee mistakes and remediate gaps in the process, eeping your systems in line with current regulations,

The revolution that has taken place over the past 20 years has had an impact on both consumers and enterprises. The devices and applications that millions of individuals use on a daily basis contain increasingly more complex information, within a constantly evolving technological environment. The growing digital innovation trends such as cloud computing, big data and the IoT create new opportunities to communicate and exchange information. However, this massive amount of confidential data must consequently be managed and secured efficiently and continuously.

How can a company guarantee the security of its data and of its users' data? What solutions are currently available on the market that can help enterprises optimize the management of information while maintaining their privacy?

CyberSecOp, an american base market leader in the Managed Security Service Provider industry, responds to the companies' need for security, offering a range of solutions and services designed to help customers identify cyber security risks in order to mitigate and monitor them over time.

Through its diverse solutions portfolio, CyberSecOp provides the right mix of technology, processes and sector-specific knowledge, supporting customers during the initial planning phase, from design to implementation, in order to identify the best solutions both in terms of process, as well as technology. The company’s strategic partnerships with key suppliers and expertise with market technologies guarantee customers a solution that provides effective operational coverage, on-premise or remote, with vertical expertise throughout the duration of the project and during the delivery of services.

Moreover, thanks to a Cyber Security Operations Center (CSOC), the delivery of timely services and continuous security monitoring are seamlessly integrated to reduce cyber security-related risks. The service is designed to offer the customer a growth-oriented path aimed at improving the company’s overall security position and risk level awareness.

The Industry 4.0 evolution and the arrival of the IoT have significantly increased the complexity and the level of risk to which all enterprises are subject, necessitating an efficient management of corporate security. In a changing environment characterized by increasing opportunities, while at the same time offset by an exponential increase in associated risks, the availability of CSOC services represents an essential guarantee of security.

MSSP Cybersecurity & Managed Detection and Response

Managed detection and response enables a proactive approach to security with its ability to detect and fully analyze threats and promptly respond to incidents.  CyberSecOp Threat intelligence is one of the key aspects our security consultants used to help organizations make decisions on how to combat threats. Through managed detection and response, organizations can take advantage of the threat intelligence capabilities of security experts.

How Managed Detection and Response Provides Effective Threat Intelligence

• Capture full visibility across your entire IT environment

• Detect the most advanced threats (known and unknown) designed to bypass your traditional perimeter security controls, even when no malware is used

• Expose threat actors currently hiding in your environment

• Gain 24x7 monitoring by an advanced team of security experts that are specially trained to analyze advanced threats, determine the severity of any incidents and provide actionable guidance to remediate

• Quickly elevate the alerts that matter most so you can focus limited resources where it matters most

Managed Detection and Response Service

Managed Detection and Response (MDR) is an all-encompassing cybersecurity service used to detect and respond to cyber-attacks. Using the best of signature, behavioral and anomaly detection capabilities, along with forensic investigation tools and threat intelligence, human analysts hunt, investigate and respond to known and unknown cyber threats in real time 24x7x365. Get Managed Detection and Response Services for your business www.cybersecop.com.

Ransomware is the leading cyberattack experienced by small and medium-sized businesses (SMBs), according to a survey of more than 2,400 managed service providers (MSSPs) conducted by data protection company Datto.

Datto’s State of the Channel Ransomware Report provides unique visibility into the ransomware epidemic from the perspective of the IT Channel and the SMB clients who are dealing with these infections on a daily basis. The report provides a wealth of detail on ransomware, including year-over-year trends, frequency, targets, impact, and recommendations for ensuring recovery and continuity in the face of the growing threat.

Key findings from Datto’s “State of the Channel Ransomware Report” included:

• 79 percent of MSSPs reported ransomware attacks against customers.

• 85 percent indicated that victims had antivirus software installed, 65 percent reported victims had email/spam filters installed and 29 percent reported victims used pop-up blockers.

• 89 percent are “highly concerned” about ransomware attacks.

• 92 percent predict the number of ransomware attacks will continue at current, or worse, rates.

• MSPs ranked phishing emails as the top ransomware delivery method, followed by malicious websites, web ads and clickbait.

• The average requested ransom for SMBs is roughly $4,300, while the average cost of downtime related to such an attack is approximately $46,800.

• The number of MSPs reporting OS/iOS attacks increased by nearly 500 percent year over year in the first six months of 2018.

No single solution is guaranteed to prevent such attacks, Datto indicated. Conversely, SMBs require a multilayered approach to identify and stop ransomware attacks before they cause brand reputation damage, revenue loss and other problems.

How Can SMBs Address Ransomware Attacks?

CyberSecop offered the following recommendations to help SMBs safeguard their data and assets against such attacks:

• Leverage business continuity and disaster recovery (BCDR) technology. BCDR technology won’t stop ransomware attacks; instead, it helps an SMB determine how to limit downtime and maintain operations despite a ransomware attack.

• Provide cybersecurity training. By offering regular and mandatory cybersecurity training, an SMB can ensure all of its employees can identify and avoid potential phishing scams that otherwise lead to such an attack.

• Employ a dedicated cybersecurity professional. It may be difficult for an SMB to hire a full-time cybersecurity professional. Fortunately, working with an MSSP allows an SMB to receive cybersecurity monitoring and other security services.

Data Breaches Ransomware and Cyber Attacks

It’s unrealistic to think that you can completely avoid cyberattacks and data breaches, so it’s vital to have a proper data recovery plan in place. You can also tighten your defenses significantly by ensuring all of your network devices are properly configured, and by putting some thought into all of your potential network borders.

Data Recovery Capability

Do you have a proper backup plan in place? Have you ever tested it to see that it works? Disaster recovery is absolutely vital, but an alarming number of companies do not have an adequate system in place. A survey of 400 IT executives by IDG Research revealed that 40% rate their organizations’ ability to recover their operations in the event of disaster or disruption as “fair or poor.” Three out of four companies fail from a disaster recovery standpoint, according to the Disaster Recovery Preparedness Benchmark.

A successful malware attack can lead to altered data on all compromised machines and the full effects are often very difficult to determine. The option to roll back to a backup that predates the infection is vital. Backed up data must be encrypted and physically protected. It’s also important that a test team routinely checks a random sampling of system backups by restoring them and verifying data integrity.

Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

The default configurations for network devices like firewalls, routers, and switches are all about ease of use and deployment. They aren’t designed with security in mind and they can be exploited by determined attackers. There’s also a risk that companies will create exceptions for business reasons and then fail to properly analyze the potential impact.

The 2015 Information Security Breaches Survey found that failure to keep technical configuration up to date was a factor in 19% of incidents. Attackers are skilled at seeking out vulnerable default settings and exploiting them. Organizations should have standardized secure configuration guidelines applied across devices. Security updates must be applied in a timely fashion.

You need to employ two-factor authentication and encrypted sessions when managing network devices, and engineers should use an isolated, dedicated machine without Internet access. It’s also important to use automated tools to monitor the network and track device configurations. Changes should be flagged and rule sets analyzed to ensure consistency.

Boundary Defense

When the French built the Maginot Line in World War II, a series of impregnable fortifications that extended along the border with Germany and beyond, it failed to protect them because the Germans invaded around the North end through neutral Belgium. There’s an important lesson there for security professionals: Attackers will often find weaknesses in perimeter systems and then pivot to get deeper into your territory.

They may gain access through a trusted partner, or possibly an extranet, while your defensive eye is focused on the Internet. Effective defenses are multi-layered systems of firewalls, proxies, and DMZ perimeter networks. You need to filter inbound and outbound traffic and take caution not to blur the boundaries between internal and external networks. Consider network-based IDS sensors and IPS devices to detect attacks and block bad traffic.

Segment your network and protect each sector with a proxy and firewall to limit access as far as possible. If you don’t have internal network protection, then intruders can get their hands on the keys to the kingdom by successfully breaching the outer defenses.

The real cost

A lot of businesses argue that they can’t afford a comprehensive disaster recovery plan, but they should really consider whether they can afford to lose all their data or be uncertain about its integrity. They may lack the expertise to ensure that network devices are securely configured, but attackers don’t lack the skills to exploit that. It’s understandably common to focus on the outer boundary of your network and forget about threats that come from unexpected directions or multiply internally, but it could prove costly indeed.

Compared to the cost of a data breach, all of these things are cheap and easy to set up

Cyber Insurance - Is a must have - you will need it.

It’s every healthcare organization’s nightmare to get the call that their data has been breached or hacked. As a result, many have turned to cyber insurance to protect assets and business operations.

As cyber policies and carriers lack a universal policy, there’s an even greater worst case scenario: An organization is breached, and the policy doesn’t cover what the leaders thought it did. Now, not only is the healthcare provider strapped with the burden of the breach, it wasted money on a useless cyber insurance policy.

To get a better grasp on how to choose the right policy, Healthcare IT News asked attorney Matthew Fisher, partner with Mirick O’Connell, and Jane Harper, Henry Ford Health System’s director of privacy and security risk management, to outline the biggest policy mistakes -- and how to avoid them.

Mistake #1: Rushing the process

When buying a policy, a carrier will provide a questionnaire that will evaluate your organization’s security posture, program, tools and policies. The biggest mistake is to rush the pre-policy process to see the rates and what the carrier will cover, explained Fisher.

Organizations need to be conservative with how they answer the questions, as “it could be a ground for denial, if you don’t have the policies you said you have in place,” said Fisher. “You have to make sure you’re not unintentionally misleading the insurance company when it comes to coverage.”

Often these questionnaires attempt to create a black and white policy and “it can be tough to answer correctly,” explained Fisher.

“Your ability to be as transparent and truthful upfront is critical to the nonpayment discussion,” said Harper. “If you tell the insurance company that you have everything in place and are compliant, if you tell them that and then you have an issue, and you weren’t truthful, it ends up being a legal battle.”

“When you submit your checklist that they have you fill out, meet with the underwriter to make sure you understand what you’ve documented,” she added. “You also need the copy that was provided to the insurance company because it will come back into play when you submit the final documents.”

For example, if you say you have a specific control in place, and you actually don’t, Harper explained that can create a situation where “they thought they had an understanding of something, but they didn’t.”

“Be honest, transparent and accurate -- because they can deny your policy if you were inaccurate or misleading in your responses,” she said.

Mistake #2: Lax, incomplete risk assessment

It’s easier to prevent a misleading or false statement to an underwriter, when an organization has a strong assessment and inventory of the processes and tools on the system. But far too often, hospitals “don’t know everything about the control environment,” explained Harper.

“When you talk about protecting an system and preventing a cyber incident, you have to have a good understanding of the organization’s overall control environment,” Harper said. “It’s key, as the longer it takes you to identify that you’ve had an incident, it leads to more exposure and the longer it takes to recover.”

But it’s also important to remember to update this inventory or assessment when buying new tools, merging with other organizations, hiring new staff and the like, Harper explained.

“Think about all of the activities and operations that happen,” she said. “And every three years, you’re updating a cybersecurity checklist -- that may not be frequent enough.”

For example, Harper explained that an organization filling out the policy questionnaire may have all of the right elements in place. But if another tool was purchased and the controls weren’t updated or the control was removed and the underwriter was not notified, there could be a problem.

“If those controls played into how the underwriter rated you: that can be key,” said Harper. “Think about your own home: you get additional discounts when you have a burglar alarm. So if you get one, and let them know, you may get a lower rate…  But if you no longer have that control, you have to tell the carrier.”

“It’s the same kind of practice that we want to get into when we get into cyber insurance for our organization,” she added.

Mistake #3: Failing to involve the right people

Many organizations understand that security needs to exist outside of the IT team. In the same vein, it’s crucial when buying a cyber insurance policy that the same mentality is applied to make sure all of your bases are covered.

“Make sure you are talking to the right individuals,” Harper said. “The appropriate key stakeholders are not only involved with the evaluation process - how many patients, how much data, etc. -- but also the responses to the questions the policy is going to ask.”

“Risk folks typically talk about it as it relates to patients,” she continued. “Those folks are key, but in addition, you need your privacy and security risk professionals, security officers, IT leader, your key business leaders/owners and those driving the data. It’s key.”

Also crucial? Making sure the facilities team is involved, as there can sometimes be a cyber incident based on a physical issue. Harper explained that “often people tend to focus on things like electronic PHI, but there’s physical PHI. If there’s a break in at a warehouse and data is stolen, OCR considers that a breach.”

Mistake #4: Failing to understand coverage

Far too often organizations make large assumptions as to just what cyber insurance will cover. Fisher explained that these leaders are often shocked to learn that they did not receive the full spectrum of coverage they wanted.

“Relying on blind faith on those terms, or what the broker or agent is telling you is a major mistake,” said Fisher. “It’s always up to up to you to go into something with eyes fully wide open to make sure you know what you’re actually buying.”

Harper took it a step further and laid to rest a common misconception when it comes to coverage: “Insurance will not cover fines and penalties associated with noncompliance. If you’re not complaint, and you didn’t do risk assessments, cyber insurance won’t protect you from that, so don’t expect it.”

Projecting the overall cost of a ransomware attack can be tricky for security executives considering the many factors that can come into play when responding to and recovering from one. Information from numerous previous incidents show the costs go well beyond any demanded ransom amount and the costs associated with cleaning infected systems.

Ransomware is defined as a form of malicious software that is designed to restrict users from accessing their computers or files stored on computers till they pay a ransom to cybercriminals. Ransomware typically operates via the crypto virology mechanism, using symmetric as well as asymmetric encryption to prevent users from performing managed file transfer or accessing particular files or directories. Cybercriminals use ransomware to lock files from being used assuming that those files have extremely crucial information stored in them and the users are compelled to pay the ransom in order to regain access.

Ransomware History

It’s been said that Ransomware was introduced as an AIDS Trojan in 1989 when Harvard-educated biologist Joseph L. Popp sent 20,000 compromised diskettes named “AIDS Information – Introductory Diskettes” to attendees of the internal AIDS conference organized by the World Health Organization. The Trojan worked by encrypting the file names on the customers’ computer and hiding directories. The victims were asked to pay $189 to PC Cyborg Corp. at a mailbox in Panama.

From 2006 and on, cybercriminals have become more active and started using asymmetric RSA encryption. They launched the Archiveus Trojan that encrypted the files of the My Documents directory. Victims were promised access to the 30-digit password only if they decided to purchase from an online pharmacy.

After 2012, ransomware started spreading worldwide, infecting systems and transforming into more sophisticated forms to promote easier attack delivery as the years rolled by. In Q3, about 60,000 new ransomware was discovered, which doubled to over 200,000 in Q3 of 2012.

The first version of CryptoLocker appeared in September 2013 and the first copycat software called Locker was introduced in December of that year.

Ransomware has been creatively defined by the U.S. Department of Justice as a new model of cybercrime with a potential to cause impacts on a global scale. Stats indicate that the use of ransomware is on a steady rise and according to Veeam, businesses had to pay $11.7 on average in 2017 due to ransomware attacks. Alarmingly, the annual ransomware-induced costs, including the ransom and the damages caused by ransomware attacks, are most likely to shoot beyond $11.5 billion by 2019.

Ransomware Business Impacts Can Be Worrisome

Ransomware can cause tremendous impacts that can disrupt business operations and lead to data loss. The impacts of ransomware attacks include:

• Loss or destruction of crucial information

• Business downtime

• Productivity loss

• Business disruption in the post-attack period

• Damage of hostage systems, data, and files

• Loss of reputation of the victimized company

You will be surprised to know that apart from the ransom, the cost of downtime due to restricted system access can bring major consequences. As a matter of fact, losses due to downtime may cost tens of thousands of dollars daily.

As ransomware continues to become more and more widespread, companies will need to revise their annual cybersecurity goals and focus on the appropriate implementation of ransomware resilience and recovery plans and commit adequate funds for cybersecurity resources in their IT budgets.

Consider the following examples. The Erie County Medical Center (ECMC) in Buffalo, NY, last July estimated it spent $10 million responding to an attack involving a $30,000 ransom demand. About half the amount went toward IT services, software, and other recovery-related costs. The other half stemmed from staff overtime, costs related to lost revenues, and other indirect costs. ECMC officials estimated the medical center would need to spend hundreds of thousands of dollars more on upgrading technology and employee awareness training.

Public records show that the City of Atlanta spent almost $5 million just in procuring emergency IT services following a March 2018 ransomware attack that crippled essential city services for days. The costs included those associated with third-party incident response services, crisis communication, augmenting support staff and subject matter expert consulting services.

In Colorado, Gov. John Hickenlooper had to set aside $2 million from the state disaster emergency fund after ransomware infected some 2,000 Windows systems at CDOT, the state department of transportation, this February. In less than eight weeks, CDOT officials spent more than half that amount just returning systems to normal from the attack.

Not surprisingly, industry estimates relating to ransomware damages have soared recently. Cybersecurity Ventures, which pegged ransomware costs at $325 million in 2015, last year estimated damages at $5 billion in 2017 and predicted it would exceed $11.5 billion in 2019.

For security executives trying to prepare a total ransomware cost estimate, the key is not to get fixated on the ransom amount itself. Even if you end up paying it to recover your data—something that most security analysts advocate against—the actual costs of the attack in most cases will end up being greater.

Risk Facing Financial Services

Financial services institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:

Social engineering and funds transfer fraud

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried about by criminals leveraging fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have greater control processes, including separation of responsibilities, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.

 Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden for banks has increased significantly. This brings additional costs when meeting these new requirements, along with higher potential penalties if an institution fails to comply. In many instances, resultant fines and penalties following regulatory failures are uninsured or uninsurable. Financial institutions should seek cover where regulatory enquiry costs and expenses are covered.

 Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs of the consumer and the consumer’s expectations. It’s also important for institutions to ensure their remuneration policies do not inadvertently encourage the miss-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.

 Reputational damage

Predatory banking is only one type of behavior that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failure in anti-money laundering controls by Wells Fargo or HSBC, who were hammered in the media for their behavior. On a smaller scale, for regional and community-based institutions, the power of social media can mean that reputational damage spreads far faster than ever before.

 Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cut backs and stock price decline have shown there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete negotiation – could have effect elsewhere, including the US, where European headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant institutions.

 Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining steam and traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way towards areas conventionally controlled by banks. The risk for traditional institutions will not only be economic, but they will also need to provide more services to their clients to ensure they are competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.