Articles

Some of our apps are for fun things like accessing social media websites, and others are for utilitarian things like paying bills, managing insurance, or overseeing banking accounts. With apps like these having access to our most intimate details, we should closely monitor the apps we use and what these apps can access on our mobile devices.

You can determine the access you give to apps by going to your mobile device's settings. Consider the messaging application, Slack, as an example. Often used in professional office settings, Slack allows you to create groups and send messages. The mobile app for Slack can optionally access your Photos, Camera, and even Siri. Allowing apps like Slack the ability to access photos, camera, or other information is a reasonable choice since Slack uses this information to make the experience better, but other applications may not need to access this information.

Several years ago my wife and I enrolled in country western dance lessons offered in our community. I have a reputation for being challenged in the areas of rhythm and coordination, but it sounded like fun. Over several weeks we learned multiple dances ranging from the supposedly simple two-step to more complex dances. I learned that I could manage on a dance floor as long as I stuck to the basic dances like the two-step and that I never would have rhythm or coordination.

In 1984, a fantasy movie involving a young boy, a rock-eater, a weird dog-dragon hybrid, an entity known as The Nothing, and an assortment of other strange characters was released. This movie, titled The NeverEnding Story, is remembered by many people not only because of the story itself but because of the main title track which lingers long after the credits have rolled. After watching the movie, one could be caught belting out "NeverEnding Stooooooryyyyyyyy! Ah, ah, ah!" for anyone nearby to listen. While this song is easily adapted for a number of tasks in everyday life (never ending laundry, dishes, or bills), for those in IT roles it has become "NeverEnding Paaaaaattccheeeeees!"

One of the challenges community banks face in selecting an IT audit partner is the confidence they are comparing apples to apples when reviewing security-testing proposals. Not only do the definition of terms vary, some audit firms sell an "IT Audit" that is nothing more than a GLBA regulatory compliance audit. Though confirming your Information Security Program meets your examiners' expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls like patch management, malware protection, user access controls, Internet content filtering, file access controls, etc. are where the rubber meets the road. If these controls are not functioning as intended, it becomes a moot point you have them faithfully listed in your InfoSec Risk Assessment and Policies.

Several months ago, I stumbled across a comic that was a perfect representation of the battle institutions and IT departments face every day. It was a boxing ring, with a ring announcer introducing the participants in the corners of the ring. One corner contained firewalls, encryption, antivirus software, and other layers of data security while the opposing corner contained "Dave," a hapless user wearing a shirt emblazoned with the words "Human Error." This comic is both funny, because many of us know a "Dave," and disheartening, because no matter how much money and time are spent on network layout, configuration, and security, the harsh reality is it only takes one user on the other side of the mouse, clicking on the wrong item, to wreak havoc on your network. While incidents are still going to occur, they can be reduced with routine and thorough employee security awareness training.

"The sky is falling." This is how one security writer described the initial panic experienced by the IT world early this year. Two unprecedented vulnerabilities named Meltdown and Spectre were reported on January 3, 2018.

These two vulnerabilities were and are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms. There were several matters which made these vulnerabilities seem scarier than other vulnerabilities.

Technical Aspects of the Vulnerabilities

What is the Internet of Things (IoT)?

For the purposes of this article, you can think of the IoT as the global network of "things" that are connected to the internet. This includes the obvious things (e.g., smartphones, computers, wearables, etc.) and the less obvious (e.g., A.I. devices, office automation, coffeepots, smart TVs, etc.).

If you work in technology, you should be aware of the IoT, as it is certainly a trendy topic. As a trendy and often misunderstood arena, the IoT has not historically been discussed in-depth during security awareness training. This means that even if you are aware of the dangers presented by the IoT, your employees may not be as mindful.

You have probably heard this before now, but the greatest threat to an organization's information security is the people. Attackers are aware of the human element, and they create schemes to exploit us. The best way to combat this weakness is to train and test employees.

The goal of information security awareness training is to create a change in employee behavior and to create a security-minded culture inside your institution. A change in culture will not happen overnight, and it may take longer for some employees to make adjustments to their behavior, but it is possible.

The thought of reviewing a financial statement can be scary. While financial statements have similar elements, they are far from standardized and can be complicated to understand. Here are six tips to help simplify the scope of financial statement reviews.

Obtain Financial Statements

The first and easiest step in conducting a successful financial statement review is obtaining the financial statements.

Publicly Traded Companies are required to submit audited financial statements to the Securities and Exchange Commission (SEC) at least annually. The largest and most complex companies submit even more frequently. Often, these financial statements are published online and can be found with a quick web search. I find that searching "[Company Name] Financial Statements" or "[Company Name] Form 10-K" frequently turns up what I need.