Retail Data Security: Preparing for the Top Threat for Holiday Breaches

Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this: credential attacks were identified as the top source of data breaches, with 63% of breaches occurring via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago.

And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult.

For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and the sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point-of-sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee Social Security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-PIN readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.
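The baseline-and-deviation logic described above, as an added illustration that is not the article's (or any vendor's) code: the log format, user names, roles and store host names are constructed for the example. Each user's history is compared with both their own past POS access and that of their role (peer group), so an IT specialist touching one more store is treated differently from a finance analyst who suddenly reaches three POS servers.

```python
"""Behavioural baseline for store POS access. Added illustration, not the
article's tool; log format and host names are constructed for the example."""
from collections import defaultdict

# Constructed history: "<date> <user> <role> <host>", one record per line.
BASELINE_LOG = """
2016-11-01 it.specialist it pos-store101
2016-11-02 it.specialist it pos-store102
2016-11-03 it.backup it pos-store104
2016-11-05 fin.analyst finance fin-erp01
""".strip().splitlines()

# Constructed records for the holiday window under review.
REVIEW_LOG = """
2016-12-20 it.specialist it pos-store150
2016-12-20 fin.analyst finance fin-erp01
2016-12-21 fin.analyst finance pos-store101
2016-12-21 fin.analyst finance pos-store102
2016-12-21 fin.analyst finance pos-store103
""".strip().splitlines()

def build_baseline(lines):
    """Hosts each user has touched, and hosts each role (peer group) has touched."""
    user_hosts, role_hosts = defaultdict(set), defaultdict(set)
    for _date, user, role, host in (line.split() for line in lines):
        user_hosts[user].add(host)
        role_hosts[role].add(host)
    return user_hosts, role_hosts

def pos_only(hosts):
    """Keep only point-of-sale hosts (constructed naming convention: 'pos-*')."""
    return {h for h in hosts if h.startswith("pos-")}

def score_window(review_lines, user_hosts, role_hosts, burst=3):
    """Rate each user's POS access in the window; returns {user: severity}."""
    touched, roles = defaultdict(set), {}
    for _date, user, role, host in (line.split() for line in review_lines):
        if host.startswith("pos-"):
            touched[user].add(host)
            roles[user] = role
    alerts = {}
    for user, hosts in touched.items():
        if pos_only(user_hosts.get(user, ())):
            continue  # POS access is already part of this user's own baseline
        peers_do_it = bool(pos_only(role_hosts.get(roles[user], ())))
        if peers_do_it:
            alerts[user] = "low"     # new for this user, but routine for the role
        elif len(hosts) >= burst:
            alerts[user] = "high"    # no history anywhere, plus a burst of distinct POS hosts
        else:
            alerts[user] = "medium"  # no history anywhere, single or few hosts
    return alerts
```

Feeding the constructed history to build_baseline and the review window to score_window yields {'fin.analyst': 'high'}; the IT specialist's first visit to pos-store150 raises nothing because POS access is already normal for both him and his peers.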

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

Wells Fargo: What Should Have Happened

When Wells Fargo fired 5,300 employees in September for inappropriate sales practices, then-CEO John Stumpf approached the scandal with an outdated playbook. In response to the $185 million in fines levied by regulators, he first denied any knowledge of the illegitimate accounts. Attempting to mitigate press fallout by distancing the company from a group of “bad eggs” acting independently is not the answer, however. Even if Stumpf had maintained this assertion of innocence, changes in the risk environment over the past few years demand a proactive approach.

Rather than simply deflecting responsibility in these situations, executives must be able to accomplish two things:

• Provide historical evidence of due diligence and risk management (if such a program was actually used)
• Demonstrate how the company is adjusting its policies and/or implementing new policies to ensure a similar incident doesn’t happen in the future

In 2010, the SEC’s Proxy Disclosure Enhancement (rule 33-9089) explicitly made boards of directors responsible for assessing and disclosing risk management effectiveness to shareholders. It mandates the use of risk monitoring systems to demonstrate that existing controls (mitigation activities) are effective. Under this rule, “not knowing” about an activity performed by employees is considered negligence.

This is a crucial development; negligence carries the same penalty as fraud, but it does not require proof of intent. The Yates Memo (2015) gave the SEC ruling more “teeth” by requiring organizations to provide the Department of Justice with all the facts related to responsible individuals.

As a result, many companies have suffered significant penalties and frequently criminal charges, even though their executives were allegedly unaware of illicit activities. Consider the emissions scandal at Volkswagen and fines paid (to the SEC) by global health science company Nordion Inc. In both instances, deceptions were perpetrated by individuals below the executive level, but senior management’s inability to detect/prevent the incidents came back to bite them.

How to Prevent Risk Management Failures at Your Organization

John Stumpf’s approach should have started with an admission of Wells Fargo’s failure in risk management processes across the enterprise, followed by evidence that a more effective, formal enterprise risk management process is being implemented. For example, risk assessments must cascade from senior management down to the front lines and across all business silos. This ensures that the personnel most familiar with operational risks (and how to mitigate them) can keep the board informed.

In other words, instead of simply apologizing and attempting to provide restitution, Stumpf should have demonstrated that Wells Fargo is taking proactive risk management measures to protect its many stakeholders.

It is the company’s duty to ensure that something like this never happens again.

The scandal is predictably following the same track as have previous failures in risk management: it starts with regulatory penalties, then leads to punitive damages, class action lawsuits, and finally, criminal charges and individual liability, depending on the particular case.

The key to this pattern is the absence of adequate risk management, which means negligence under the new enterprise risk management laws, regulations and mandates passed since 2010.

The good news is that avoiding serious, long-term consequences is possible if proper actions are taken. For example, by providing a historical record of risk management practices, Morgan Stanley avoided regulatory penalties when an employee evaded existing internal controls. Other corporations that can provide evidence of an effective risk management program (risk assessments, internal controls that address risks, monitoring activities over these internal controls, and an electronic due-diligence trail) are largely exempt from punitive damages, class-action lawsuits, and possible jail time.

When implemented proactively, effective risk management systems have prevented and will continue to prevent scandals, regulatory fines, litigation and imprisonment. For a more in-depth analysis of the Wells Fargo scandal, read the LogicManager blog post “The Wells Fargo Scandal is a Failure in Risk Management.”

Establishing Company Gift-Giving Guidelines

With increased regulatory oversight around the globe, companies’ external and internal gift-giving is under scrutiny. With the holiday season upon us, it is up to organizations, no matter what their size, to clearly state policies and leave no question about what is and what is not allowed. Establishing monetary limits for gifts given and received is also a good idea.

According to a report by Thomson Reuters:

While bribery and corruption charges are widespread, it’s important to note that bribery is not synonymous with gift-giving. When it comes to gift-giving, businesses cannot offer, promise or give anything of value, directly or indirectly, to a foreign official for the purpose of obtaining or retaining business. Corporate gifts need to be carefully evaluated to ensure they do not appear to violate these prohibitions.

Internal gifting policies vary from company to company, and while there is no one-size-fits-all approach, it is extremely important that organizations have policies in place and that employees are aware of what those policies are. No matter how well-intentioned a gift, the potential exists that it falls outside of the appropriate boundaries.

Organizations need to be clear about what types of gifts are acceptable and what are not.

Both employers and employees should also be aware of what constitutes a bribe and what types of bribes to watch out for.

Regulatory bodies are holding companies accountable, and depending on the countries involved, penalties can range from prison terms to millions of dollars in fines.

Best Practices for Protecting Against Fraud

In 1987, during arms control negotiations between the United States and the USSR, President Ronald Reagan popularized the phrase “trust but verify.” The maxim is pithy and oft-quoted, but for companies looking to mitigate risk and financial fraud, it should be reworded slightly to “Verify and monitor continuously.”

Fraud is often hard to detect—the Association of Certified Fraud Examiners (ACFE) estimates that the average fraud goes undetected for years. Some of the largest and most damaging frauds, including those of Bernie Madoff and Allen Stanford, spanned a decade or more. Fraud is also costly; it is estimated that U.S. businesses lose 7% of annual revenues to fraud, and it is responsible for one out of three business failures. The financial implications of fraud are bad enough, but reputational damage can be equally harmful.

Fraud is a potential danger for companies in all industries. In a survey my firm conducted in 2012, nearly 40% of private equity firms said they had experienced fraud. The statistics are sobering, but there is much that companies can do to protect themselves.

The biggest trend we are seeing is that corporate boards are implementing a tip line, which is a great way for employees and others to anonymously report wrongdoing. ACFE studies show 42% of frauds are uncovered through hotlines. You want employees to come forward and tell you what is wrong, giving the CEO a chance to fix it. The average EEOC complaint costs between $50,000 and $100,000 in legal fees to settle, not to mention the potential damage to morale and reputation—wouldn’t you want a heads up to fix it before it gets to that?

Instituting rigorous hiring practices, including screening temps and contract workers, is another important tool in preventing fraud. It is not realistic to have the same level of scrutiny for an entry-level employee as you would for a senior executive, but the best way to avoid fraud is by carefully culling the bad apples before they are hired.

Look for criminal or regulatory issues, limited references, job-hopping, trouble making eye contact and a pattern of lawsuits. A number of our clients have begun to ask us to vet their information technology hires. The IT department has access to the most sensitive files and so it is imperative to investigate potential hires in that department.

Every firm should also have a code of conduct, which describes the culture of a company and what is expected of each employee in terms of actions and conduct. Each company is different, but some rules are universal: sexual harassment cannot be tolerated; discrimination against anyone based on color or religion is strictly forbidden; the workplace should be free of illicit drugs and alcohol; and employees cannot accept gifts from customers or vendors. Consequences for violating any of these codes should be clearly spelled out.

A system of basic financial checks and balances is another way to protect against fraud. Even in smaller firms, the same person should not be in charge of both accounts payable and accounts receivable. Larger payments from the company should be signed by two executives. Regular meetings should be arranged with IT officials to ensure that cyber-crime is being monitored at all times.

Also, consider installing security cameras to serve as a deterrent for rogue employees.

In the wake of the Madoff scandal, the role of compliance officers has taken on greater importance. Compliance officers often have a seat at the C-level table and are valuable in helping companies to stay on the right side of regulations. As discussed, however, the best way to prevent fraud is by having several layers of protection.

Preventing fraud is an ongoing endeavor that requires a commitment to maintaining vigilance each day. Some red flags are easier to spot than others. Some of the most common “tells” of disgruntled or risky employees who may commit fraud include:

  • Living beyond their means
  • Financial difficulties
  • Too-close relationships with customers or vendors
  • Secretiveness
  • Drug or alcohol problems
  • Major stressors, like family problems, including divorce and bankruptcies

In the event that fraud is suspected, every company needs to have a playbook to help guide its actions. This should include having a process to address a tip or complaint, leveraging the expertise of investigators and attorneys, and following a plan that keeps the company operating with minimum disruption.

The vast majority of companies prefer to keep things quiet and resolve matters in a private setting. No company wants to have one of its employees be the subject of a “perp walk,” where the alleged offender is shown by the media in handcuffs accompanied by police on their way to being charged.

The surge in cyber-crime is proof that fraud never truly disappears; it just changes shape and form. Therefore, it is up to each company to become a hardened target and make fraudsters want to look for an easier mark.