The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

• 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
• 63 percent said that a separate risk committee on the board oversaw risks.
• 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren’t doing this.
• 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
• Of this 30 percent, less than half actually use it to supply limits to the board and management.
• The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren’t getting fully used.
• And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
• 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
• 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
• 53 percent want more understanding of newer risks like cyber security issues.
• Senior execs want the board to have more training in overseeing the risk appetite and related issues.
• 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
• Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.

The NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It's apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.

This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.  

According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches. 

Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they're Web surfing or downloading email or other files. If the federal government can't protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let's take a look at how these data leaks are happening to find out how you can protect against them.

We're at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they're leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.

Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.

The Meritalk study found: 

• 66 percent of federal network users believe security is time-consuming and restrictive.
• 69 percent say their work takes longer because of additional cyber security measures.
• One in five users report an inability to complete work because of security measures.
• 31 percent of users work around security measures at least once a week.

Forrester found:

• 36 percent of breaches stem from inadvertent misuse of data by employees. 
• 42 percent received training on how to remain secure at work, which means 58 percent haven't had training at all. 
• 57 percent say they’re not even aware of their organization’s current security policies. 
• 25 percent say a breach occurred because of abuse by a malicious insider. 

The most important thing companies can do is to put the right security measures in place. Employees who need identification include those who are known to access critical data resources, such as those in accounting, human resources, administration, legal, personnel and account management as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottle-necked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.

Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.

The goal is to limit who has access to what data as well as determine why the person needs it. It's also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done. 

Other procedures and tools you might want to consider implementing include: 

• System-wide encryption
• Tools that report alerts and events
• Inspection access controls
• Password management
• Multifactor authentication
• Device recognition
• Data disposal for e-data, paper data and discarded devices
• Transparency

This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.  

The battle to fight criminal hackers from the outside must not hinder your employees' progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly. 

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Today’s commerce occurs very much online, with products and services ranging from A to Z. Hence, these many online merchants have hundreds of millions of people around the globe registered with them for convenient purchases.

To verify authentication as the true user of these services, the registrant must supply personal data. If cyber criminals get ahold of this data, much of it can be changed by the user after the breach, such as user name, password and even the address they’ve been using.

However, the Social Security Number and date of birth cannot be changed. When cyber crooks get personal data off of these online retailers and service providers, it invades the customer’s privacy.

Online enterprises must take full responsibility for stolen data. It’s a real serious issue when permanent (“static”) data like DOB and SSN is breached, as opposed to temporary data like a password or answer to a security question.

Of course, the registrants to these sites do bear some culpability when they post their personal data in the public domain. But business sites make posting personal data a requirement to use their site. Unique data like the SSN should not be a requirement.

The online commerce world should know that such a requirement destroys confidence in current and potential customers, and that their competitors who abandon this practice will have the upper hand in gaining and retaining business.

More and more users are realizing that the security systems of online enterprises are weak, putting users at risk for identity theft—a risk that they’re catching onto.

NSS Labs, Inc., a world leader in information security research and advisement, has the following recommendations:

• Online businesses should limit requiring data that can be shared among other enterprises.
• Online enterprises should be designed with the anticipation of possible data breaches; this way they’ll minimize risk and be more prepared to mitigate problems.
• Third-party data breaches should be analyzed by online companies to protect users if data seeps out.
• “At risk” users should be able to be re-authenticated.
• Governments need to reassess the idea of using static data like DOB and SSN.
• Online enterprises must embrace the possibility that legislation will eventually make it illegal to require SSNs from users.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures

Can you name 10 ways you can get hacked this summer? I can.

Hotel Hacking

Those hotel electronic card locks for doors aren’t as secure as you think. A criminal attaches a little electronic gizmo beneath the lock, and presto, he’s in your room. You can’t stop this, but you can make the burglary worthless by not leaving valuables in your room. Always have your door locked overnight.

Car Hacking
Forget the bent coat hanger trick — that’s for rookies. But even a dimwitted thief could hack into your car this summer. For only $5, the thief buys a “black box,” a key fob spoofer, that electronically forces car doors open. Short of disabling your keyless entry, what you can do is park your car in lighted areas and keep valuable out of it. Or have your mechanic install a kill switch.

Credit Card Skimming
Criminals set up those card readers at stores with devices that will steal your card information. If you can’t pay with cash, use a credit card since there’s a delay in payment, whereas a debit card takes money from your account at the point of purchase. Keep a close eye on your credit card statements and bank account.

Hacking a Charging Phone
Avoid charging up your phone at a public kiosk. It doesn’t take a mental giant to install malware into these kiosk plugs. Once your phone gets plugged in, it’ll get infected. Use only your plug or wall outlets.

Finders Keepers Finders Weepers
If you happen to find a CD-ROM or thumb drive lying around in public, leave it be, even if it’s labeled “Hot Summer Babes at the Seashore.” You can bet that a crook left it there on purpose and wants you to plug it into your computer. You’ll end up installing malware that will allow the thief to remotely control your computer.

Phishing for Victims
You get an e-mail with a striking message in the subject line such as “Pics of you drunk at my party!” A percentage of people for whom these messages apply to will open the e-mail and take the bait: a link to click to see the photos. The link is malware and will infect your computer.

Wi-Fi Sharing
Using a public computer is always risky, as anyone can monitor your online actions. Hackers can even “make” your device go to malicious websites that will infect your device. Stay away from public Wi-Fi or use a VPN (virtual private network) like Hotspot Shield. A VPN will protect you summertime and all time at public WiFis.

Photo Geotagging
Every time you take a picture and post online, your location will be up for grabs in cyberspace, unless you’ve disabled your device’s geotagging.

Social Media
Beware of clickjacking and XSS. Clickjackers place a phony screen over an obscured malicious link, luring you to click. The hidden link then is triggered and gives the hacker your contacts, taking you to a malicious site. XSS puts a malicious script right in your browser that will install malware. So be judicious about clicking on popular videos and whatnot.

Airplane WiFi Hacking
Connect while 35,000 feet high and you can be revealing all sorts of private goodies. Airplanes lack online security. The aforementioned VPN is your best bet when connecting to airplane WiFi

Start your summer off securely by avoiding becoming a victim of hackers.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Malware is everywhere and isn’t about to disappear. The latest PandaLabs report says that last year alone, of all the malware that ever existed, cyber crooks created and distributed 20 percent of that. Malware comes in the form of Trojans, worms, viruses, adware/spyware and miscellaneous, with Trojans leading the pack.

Ransomware seems to be gunning for the top spot, though, with a recent resurgence.

What about 2014? The 2013 Annual Security Report anticipates that the Internet of Things and Android devices will head the headlines (Android continues to be a favorite target of cyber criminals).

PandaLabs foresees that Android will get socked by hundreds of thousands of new malware strains. In 2013, criminals unleashed over two million new malware threats for Android.
Another area of attack is social media, and in 2013, even large companies, movie stars and politicians were affected.
The Trojan is a true warrior, in that it’s responsible for three-quarters of attacks, says PandaLabs. There was a huge leap in the number of circulating viruses as well, and is attributed to basically two virus families: Xpiro and Sality, says Luis Corrons, the technical director for PandaLabs.

Sality has been around for quite some time, but Xpiro is the new virus on the block, and can infiltrate “executable files on 32-bit and 64-bit systems,” says Corrons.

We’re in the midst of the malware plague; never mind the Bubonic plague. The whole planet is under attack, but some countries more so than others. China is the most infected, along with Turkey and Ecuador: 54.03, 42.15 and 40.35 percent of compromised personal computers, respectively.

Of the 10 least harmed countries, nine are in Europe; the other is Japan. For Sweden, Norway and Finland, the percentage of infected personal computers is 20.28 percent, 21.13 percent and 21.22 percent, respectively.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

There are 10 basic ways a crook can easily rob your identity by getting at your credit card or open a new credit card in your name, but there are also ways you can prevent this from occurring.

Simple Thievery

Leave a window open and a thief can slide through, then steal your stuff. He can even slide an arm through your car’s open window while you’re filling the tank at a gas station. To prevent this, keep house windows closed as much as sensibly possible; keep important documents locked up; keep car windows rolled up and doors locked when you’re out; and keep your wallet/purse hidden.

Employee Records

Your employer has your private information and in some cases a credit card number, which an identity thief could get access to. To prevent this crime, ask your employer how your personal information is stored. Be on the lookout for things you’d never expect.

Change of Address

An identity thief may file a change of address form in your name. He’ll get all your credit card related mail or your Social Security number. To prevent this, watch for change-of-address notices in your mailbox. If you stop receiving credit card statements, call the company.

Social Media

Your online profile may have all the information a thief needs to steal your identity. Prevent this by deleting personal information. Give answers to the security questions of financial accounts that don’t appear on your social media pages.

Mailbox Theft

A crook can easily abscond with mail (incoming and outgoing) relating to your credit cards and bank account. To prevent, get a locking mailbox and don’t delay retrieving new mail. When mailing letters, use an official Post Office mailbox or go to the post office.

Dumpster Digging

If you see someone foraging through the trash, they’re not necessarily looking for food or cans or metal.  They can be searching for paper: a credit card statement, credit card offer or anything with your important numbers on it. To prevent, use a shredder, and go to electronic statements when possible.

Shoulder Snooping

The thief will peer over your shoulder to see your transaction (credit card number, password, whatever data is there). To prevent, cover your card number at a cash register and mask your PIN as you enter it in a keypad or ATM. When using your laptop for ecommerce, sit against a wall. If this isn’t possible, keep the screen at an angle that only you can view or get a 3M Privacy Filter. Google it.

Phony Call

The thief calls you, claiming to be a rep from your credit card company, asking you to confirm personal information. The thief then contacts your credit card company and poses as you…Please just HANG UP!! Call back the credit card company using the number on the back of your card to confirm any potential issues. Never give personal information over the phone if that person has called you.

Pickpocketing

These snakes slither in and out of crowds, often without being noticed, non-violent but very efficient. Prevent being their target by keeping your wallet hidden and not easily accessed.

Cloned Cards

Once all the damage is done and your card number is stolen, criminals can create exact duplicates of your card using foils and laminators burnt onto blank cards that can be purchased online.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Crooks want your health information. Why?

It’s called medical identity theft, and it’s not going away too soon. In fact, the ACA (Affordable Care Act) has only fueled the situation, says the Ponemon Institute, a security research firm.

This latest of Ponemon’s four annual Patient Privacy and Data Security studies reveals that sloppy behavior, like losing a laptop that has unencrypted data, is a primary cause of data breaches.

A crook would love this information because, “in the world of black market information, a medical record is considered more valuable than everything else," says Larry Ponemon, the Institute’s founder.

The study was sponsored by ID Experts, and its founder, Rick Kam, says that the “black market is being flooded with payment card data.” Health care data includes a Social Security number and personal health record—data that sticks around for a long time, versus a credit card number.

Breaches can also result from unsecured mobile devices, employee negligence and third-party contractors who can get their hands on the data.

But by and large, says Ponemon, health care employees are good people who sometimes just “do stupid things.” And the rushed nature of their jobs can compromise attention to security.

One hospital visit can net six to 10 companies having access to your data, says Kam. This includes the ambulance company, hospital, extraneous labs and the health insurance company.

If someone snatches your medical records, you’ll be in a major jam. For instance, the thief who claims to be you can get medical treatment for an STD—and that will go on your record. Worse, the thief may have a different blood type. What if you’re in an accident and need blood transfusions, and you end up getting the wrong blood type?

The proliferation of mobile devices makes it even easier for criminals to steal data.

The study showed that 88 percent of medical facilities permit employees to access patient data via their own mobiles (and what percentage of these employees do you really believe have encryption and other security measures in place?).

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.