By: (Security+)
Publication: The Kansas Banker, June 2017

The Kansas Banker June 2017When you consider your bank’s security awareness training, what comes to mind? Maybe you think of an hour-long lecture you present (or attend) on an annual basis. Maybe you think of an online program you watched or a lengthy document you read. Whatever may come to mind, it is important to ask the question: How effective is this training?

TD Ameritrade Institutional and the Financial Planning Association Research and Practice Institute published a study in September 2016 describing how advisory firms manage cybersecurity awareness training. The results were not far from what I have come to know from time I have spent with banks. The study showed the vast majority (88%) of respondent firms said they spend two hours or less annually in on-going cybersecurity awareness training. Fifty percent of the same group said they conduct this training semi-annually or annually.

Read Full Article


Publication: Nebraska Banker, March/April 2017

Nebraska Banker March/April 2017

Intrusion Detection Systems (IDS) have been around for over thirty years, dating back to the Intrusion Detection Expert System (IDES) in the mid 1980’s. Intrusion detection technology continued to evolve with the introduction of Host-based, Network-based and Network behavior analysis systems. Additionally, systems capable of blocking malicious traffic, Intrusion Prevention Systems (IPS), originated from IDS.


Intrusion Detection and Prevention Systems (IDPS) traditionally have been hosted on systems dedicated to the task of detecting and responding to malicious network traffic. Over the last several years, security appliances that fill multiple roles such as firewall, VPN, Internet filtering, antivirus, and IDPS have been placed on the market by multiple vendors. These devices, also known by the name Unified Threat Management (UTM), may not always provide true IDPS services since the device may not have adequate system resources or may require additional licenses or hardware modules. This can leave a device owner believing they are protected by and IDPS, when in fact they are not.

Read Full Article


By: (Network+, CISA)
Publication: The Community Banker, Spring 2017


Community Banker Spring 2017In 1982, a Coke machine at Carnegie Mellon University was modified to connect to the Internet and report inventory and temperature status. In 1985, the first alleged use of the term “Internet of Things” was by Peter T. Lewis before a technical panel organized by the FCC and U.S. Department of Commerce Minority Enterprise Telecommunications Seminars. It is only in recent years, however, that the Internet of Things, or IoT for short, has really taken off and influenced our daily lives.

Read Full Article


By: (Security+)
Publication: The Kansas Banker, March 2017

Kansas Banker March 2017Assessing risk is all about extrapolating meaning from potential. In other words, look at what could happen and consider how those things would affect you. The process can be as complicated or as simple as you choose to make it. At the end of the day, risk assessments are a way to become aware of potential issues and of controls to alleviate those dangers. You do not have to think of every potential scenario. In fact, considering what is common covers the majority of threats.

Read Full Article


By: (ISACA Cybersecurity Fundamentals, CompTIA A+, Security+)
Publication: Colorado Banker, March/April 2017

Colorado Bank Mar/Apr 2017Floods. Hurricanes. Tornadoes. Fire. Power outages. The zombie apocalypse (well, maybe not that one). You don't have to be in banking to know these threats exist in our world. Although they may not have an exhaustive, board approved Business Continuity Plan ready to go in an emergency, the average person has some awareness that disasters occur and an instinct on what to do:

"The hurricane is projected to make landfall – shutter the windows and head to aunt Martha's."

"There's been a fire – call 911, get out of the building, stop, drop, and roll."

Elementary, right? What about this one:

Read Full Article


Publication: The Kansas Banker, Jan 2017

The Kansas Banker Jan 2017ADA website accessibility is a trending topic in the community banking industry. Why? Recently several financial institutions have received letters threatening lawsuits because banking websites are not "accessible." The Americans with Disabilities Act (ADA), enacted in 1990, is a civil rights law created to prohibit discrimination against individuals with disabilities. In 2010, the Department of Justice (DOJ) initiated the rulemaking process concerning website accessibility. This process consists of calls for public comments on proposed rules, impact and cost analysis, and finally acceptance into the federal register. Since 2010, the process has been continually delayed. As of right now, finalized rules are expected to be released sometime in 2018, leaving no clear guidelines to follow at the moment. Without these guidelines in place, how can your bank protect itself from opportunistic legal battles while committing to provide an accessible site to your customers? Accessibility policies and vendor management are the answer.

Read Full Article


Publication: Nebraska Banker, January/February 2017


Nebraska Banker Jan- Feb 2017There has been a lot of attention on website ADA compliance over the past few months.  Several community banks have received demanding letters from law firms alleging the bank is violating the Americans with Disabilities Act (ADA).  Purportedly these letters claim that unless the bank modifies its website to meet the World Wide Web Consortium's Web Content Accessibility Guidelines (WCAG), the bank will continue to violate ADA.  So, what does this mean?  Let's take a look at some common questions banks are asking about ADA compliance.

What is ADA compliance?

Read Full Article


By: (Security+)
Publication: The Colorado Banker, January/February 2017


The Colorado Banker 2017

If you spend much time with teenagers, you know they use a special version of the English language. A few months ago, I was introduced to the term “on fleek.” Personally, I never liked it, but by the time I worked up enough courage to use the term in a conversation, I was informed, “Alyssa, ‘on fleek’ is so last year. Now, we say ‘lit’.” (Rolling my eyes here.) While both terms can be used to describe something “awesome,” I tell you this to emphasize how difficult it can be to understand another language.

Read Full Article


By: (Network+, CISA)
Publication: The Kansas Banker, December 2016

The Kansas Banker December 2016Raise your hand if you are tired of constantly changing your password and sticking to whatever arbitrary rules seem to be in place at the time. Okay, now put your hand down because you are most likely drawing unnecessary attention to yourself, especially if you are in a coffee shop or on your couch at home surrounded by family. Everyone seems to grumble about password length and expirations, but the truth is: strong passwords are a necessary complication and their use isn't going away anytime soon. If anything, password complexity guidelines are shifting to be even more stringent, although there may be some light at the end of the extremely long tunnel.

Read Full Article


By: (CISSP, CISA, Security+) and
Publication: Nebraska Banker, November/December 2016

Nebraska Banker November/December 2016

One of the difficult tasks banks continue to face is how do you educate your customers on the importance of cybersecurity? You send inserts with your statements and provide pamphlets in your brick and mortar branch, but what is being absorbed?


On the other hand, when you are marketing, you target your audience through TV ads, flyers, magazines, tradeshows, signage, etc. – a variety of channels to reach a wide audience base. Try to think of educating your customers in the same way you would market to them. After all, one of the roles of marketing is to educate. As with marketing, you can't expect to educate your target audience about cybersecurity through just one channel. So here are some ideas and channels to consider for providing cybersecurity education:

Read Full Article