DS News

April 2016 - Moving With The Market

DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.

Issue link: http://digital.dsnews.com/i/660979

Page 73 of 99

engineering, the attacker can mass engineer an attack with the knowledge that one user can compromise an entire network. Here are a few examples of the types of external security incidents of which organizations should be aware:

» SPEAR PHISHING: an email spoofing fraud attempt, targeting an organization, that seeks unauthorized access to data;
» WHALE PHISHING/WHALING: targets C-level users, or users with elevated access to sensitive data;
» MALWARE/ANTI-VIRUS: malware is software that disables or damages a computer system;
» DISTRIBUTED DENIAL OF SERVICE (DDOS): multiple infected systems are directed at a corporate network or website, causing a denial of service;
» HACKTIVISM: the act of compromising a system for socially or politically motivated purposes;
» EXTORTION HACKS: cybercriminals threaten to release sensitive data if an organization does not meet some demand;
» RANSOMWARE: prevents access to data on a PC by encrypting it and demanding a ransom to decrypt it.

IDENTIFYING INTERNAL VULNERABILITIES

A data breach occurs when sensitive, confidential, or protected information is obtained by an unauthorized individual or organization. Organizations can improve the security of sensitive data by focusing on controlling how employees access, transmit, and manage documentation. Here are three common areas where, when controlled, organizations can strengthen the protection of sensitive data:

» SPREADSHEETS: ensure files are password protected, saved on network drives instead of local hard drives, and that access is restricted to authorized users
» EMAIL AND FILE ATTACHMENTS: effective email policies, spam filters, scanning of email attachments, and encryption improve email security
» IDENTITY LIFECYCLE: as users join the organization, move within it, and leave it, their access should always be appropriate to their job role and function

Identity is a major attack vector for advanced threats, with compromised credentials being a significant enabler in successful attacks. Organizations need a reliable way to continuously determine that users are who they say they are before allowing access to sensitive data. Attempts to lock down systems and resources with strong authentication too often detract from the user experience, encouraging users to find workarounds that further increase risk. Today's authentication solutions need to be easy to implement wherever authentication is required and allow organizations to choose the right balance of security and convenience for the risks that are present. Organizations with successful authentication strategies will greatly strengthen their security posture while making users' lives easier in the process.

Determining where an organization is vulnerable to a data breach or attack is the first step in protecting sensitive data. However, organizations also need to invest in a proactive and flexible strategy that can evolve at the same pace as potential, and inevitable, threats to security.

The financial services industry interacts with a myriad of third-party vendors to perform a variety of business services. Collaborative development, extended supply chains, and outsourced services are just a few ways in which third parties help deliver a competitive advantage. But these third-party interactions create new sources of risk that can significantly impact the organization if not managed proactively.

Organizations that work with third parties must develop a systematic process for assessing, tracking, and managing third-party risk. In addition, they must incorporate information regarding that risk into their organization's overall risk assessment and management strategy. Organizations that control this risk are positioned to take advantage of the opportunities afforded by working with third parties to safely drive their business forward.

PROACTIVE SECURITY

The goals of any security program include proactive protection against attack, a reduction in the time to detect a breach, maintaining systems to protect sensitive data, and having the appropriate procedures and systems in place for business continuity.

The majority of security incidents are caused by human error related to a lack of employee awareness and training. Organizations should take a holistic approach to security; however, the first line of defense begins with continual training. Establishing a 'Culture of Security' with your executive management and employees is critical. While investing in IT security is necessary, the best security teams in the world cannot protect against an employee's failure to recognize targeted attacks. The nature of social engineering means that the cybercriminal has to succeed only once, while your organization has to succeed in protecting against such attacks every time. Some suggestions to educate your workforce include:

» Communicate regularly, using relevant news articles to highlight security as a real threat to the business
» Use a variety of mediums to reach your entire audience
» Spread the importance of safe online practices
» Enforce adherence to security policies and procedures at all times

Having security policies and procedures in place will provide your organization with a solid framework when it comes to managing security incidents. The ISO 27001 Information Security Management System (ISMS) provides such a framework of Information Security Management best practices, helping organizations to:

» Protect client and employee information
» Manage risk to information security
» Achieve compliance requirements
» Protect the organization's brand image

"In today's world, most organizations, regardless of size, will experience a security incident in the form of social engineering, a data breach, or malware."
