What Organizations Can Do to Strengthen Their Cybersecurity Stance


The challenges of cybersecurity have been covered ad nauseam: the ever-increasing volume and sophistication of attacks, the shortage of skilled cybersecurity analysts, and the general inability to keep up with everything happening in the cybersecurity market have all been well documented.

So, what can be done? Given these conditions, how can a business better protect its operations and resources? The short answer is that it can start using a combination of technologies, services and education to limit the impact of cyber-attacks on the organization.

Technologies Can Help Fill the Gap Created by the Skills Shortage
Organizations can look for technologies that are primed to automate and orchestrate responses to cyberattacks.

This is not a new concept. Back in 2011, the US Department of Homeland Security described, in its paper “Enabling Distributed Security in Cyberspace,” an ecosystem where “cyber devices are able to work together in near-real time to anticipate and prevent cyberattacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.”

This is very different from what most organizations have today. Typically, a company has a host of cybersecurity technologies, firewalls among them, that work alongside but not in concert with one another. Each solution is specialized to look for one kind of thing, e.g. evidence of a distributed denial of service attack, indicators that a user’s credentials have been compromised, pointers to data being leaked via cloud apps, or signs that a mobile device has been taken over.

Each of these solutions requires someone to deploy, manage and maintain it, as well as make sense of the information it generates. The data these solutions produce and the people managing them often remain in a silo, making it hard for anyone or anything to see the complete picture to quickly and confidently take action, as appropriate. But change is coming.

Over half of the respondents (55%) to a survey by Intel Security “believe cybersecurity technologies will evolve to help close the skills gap within five years.” Likely this will come in the form of advances in intelligence, automation and orchestration. We have already seen vendors dabble with artificial intelligence (AI) and machine learning to accelerate the identification of an attack and support the orchestration of more automated responses.

It has been particularly effective where entities or events can be quickly incriminated or exonerated, as in the incident response process. A large organization can average close to 17,000 alerts a week, and only one in five of those ends up being something worth dealing with.

A solution that can automate investigations and help prioritize follow-up activity is therefore sustainable in a way that manual triage is not. Hence we have seen an explosion in the IR automation market: the Enterprise Strategy Group found that 56% of enterprise organizations “are already taking action to automate and orchestrate incident response processes,” and Technavio has the IR system market growing at a compound annual growth rate (CAGR) of 13%.
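The paragraphs above describe the problem in words: siloed tools each raise their own alerts, most alerts are noise, and the analyst needs something that de-duplicates, correlates across tools and ranks what is left. The following block is an added example of that triage logic, written for this page and not taken from any vendor. The alert feed is constructed, the tool names (idp, casb, mdm, waf) are placeholders, and the severity weights and the cross-tool bonus are illustrative assumptions, not a published scoring model.

```python
"""Cross-tool alert de-duplication, correlation and triage (added example).
The alert feed below is constructed; the scoring weights are assumptions."""
from collections import defaultdict
from typing import Dict, List

SEVERITY = {"low": 1, "medium": 2, "high": 3}   # assumed weights
CROSS_TOOL_BONUS = 2                             # assumed: each extra tool agreeing adds 2

# Constructed alerts as they would land in a shared queue from four siloed tools.
SAMPLE_ALERTS = [
    {"tool": "idp",  "entity": "alice",  "severity": "medium", "rule": "impossible-travel"},
    {"tool": "casb", "entity": "alice",  "severity": "medium", "rule": "bulk-download-cloud-drive"},
    {"tool": "mdm",  "entity": "alice",  "severity": "high",   "rule": "device-jailbroken"},
    {"tool": "waf",  "entity": "www-01", "severity": "high",   "rule": "http-flood"},
    {"tool": "waf",  "entity": "www-01", "severity": "high",   "rule": "http-flood"},  # repeat
    {"tool": "idp",  "entity": "bob",    "severity": "low",    "rule": "password-expiring"},
]


def dedupe(alerts: List[dict]) -> List[dict]:
    """Collapse identical (tool, entity, rule) alerts into one record with a count."""
    merged: Dict[tuple, dict] = {}
    for a in alerts:
        key = (a["tool"], a["entity"], a["rule"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(a, count=1)
    return list(merged.values())


def correlate(alerts: List[dict]) -> Dict[str, dict]:
    """Group de-duplicated alerts by the entity they concern (user or host) and score
    each group: summed severity, plus a bonus when more than one tool agrees."""
    by_entity: Dict[str, List[dict]] = defaultdict(list)
    for a in dedupe(alerts):
        by_entity[a["entity"]].append(a)
    cases = {}
    for entity, items in by_entity.items():
        tools = {a["tool"] for a in items}
        score = sum(SEVERITY[a["severity"]] for a in items) + CROSS_TOOL_BONUS * (len(tools) - 1)
        cases[entity] = {"score": score, "tools": sorted(tools),
                         "rules": sorted(a["rule"] for a in items)}
    return cases


def triage(alerts: List[dict], threshold: int = 3) -> List[dict]:
    """Rank cases by score; below `threshold` the case is auto-closed, otherwise queued
    for an analyst. Ties are broken by entity name so the order is deterministic."""
    cases = correlate(alerts)
    ordered = sorted(cases.items(), key=lambda kv: (-kv[1]["score"], kv[0]))
    return [{"entity": e, "score": c["score"], "tools": c["tools"], "rules": c["rules"],
             "action": "investigate" if c["score"] >= threshold else "auto-close"}
            for e, c in ordered]


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(case)
```

Run on the sample feed, the three alerts about the same user from three different tools rise to the top as one case, the repeated WAF alert collapses to a single record with a count of two, and the lone low-severity alert is closed automatically.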

To truly ease the burden on cybersecurity analysts and improve the efficiency and productivity of their cybersecurity infrastructure, organizations need to look for and demand more of these kinds of innovations from their technology vendors.

Services Play a Viable Role in Augmenting Capabilities
The reality is there are always times when organizations, even those with SOCs that are skilled and staffed appropriately, may need a little help. This is where services come in; we are finding there is greater acceptance that augmenting resources with a service offering can be a good way to enhance the effectiveness of an organization’s cybersecurity strategy and implementation.

An outsider’s view can give organizations the knowledge they need, a fresh perspective or a new way of thinking that helps drive better decision-making and ultimately better security.

The problem is that managed security services providers (MSSPs) have to staff up themselves to meet the demand, which is why we have seen a lot of movement in this space: for example, FireEye’s acquisition of Mandiant, IBM’s acquisition of Lighthouse Security, and BAE Systems’ acquisition of SilverSky.

Ultimately, being able to deliver the experience and know-how organizations need will help close the gap and strengthen overall security.

Educational Opportunities are Key to Bolstering General Awareness and Expertise
At the end of the day, nothing replaces the knowledge and expertise of an in-house analyst. Only they truly understand an organization’s nuances, putting them in the best position to effectively identify, contain and fully remediate many of the more sophisticated attacks targeting the organization.

Unfortunately, as we’ve already mentioned, these people are in short supply, so organizations need to look across their IT organization to develop cybersecurity awareness and know-how.

Training courses taught by experts with real-world experience, and that include lab time, are invaluable for building skills that can be applied to strengthen the organization’s security stance. Virtual sandboxes (vSandbox) and Ultimate Test Drives (UTD) are also good tools to deploy. They allow attendees to test and work with solutions in a safe environment, so they can see firsthand how the solutions can be deployed and used to improve the cybersecurity capabilities of the organization’s own environment.

Ultimately, to address the cybersecurity gap and all the threats that are targeting an organization, it will take a confluence of technologies, services and experiential learning. Together, organizations can deploy the skills and capabilities they need to keep up, and ideally get ahead, in this harried cybersecurity landscape.

Source: InfoSecurity Group
Author: Pradeep Aswani

5 Tips For Picking Password Management Software


How many passwords do you use for work? Five? 10? More? Most nonprofit staffers have too many passwords to remember them all. This leads to bad habits: writing them down on sticky notes, sharing them with colleagues, or reusing the same password over and over. These bad habits can put your organization’s data at risk.

Many nonprofits are turning to password management services such as Dashlane, LastPass, and Sticky Password. These tools allow you to use just one long, complex password behind which you can store all your passwords. Most tools can be configured to automatically enter the right password whenever you go to an account website or open an application.

Some people worry that putting all your passwords in one place is too risky because one hack opens the door to all your data. That’s a valid concern, but chances are that the encrypted system used to manage your passwords and the value-added services you get from a password manager will make you more secure than whatever you’re doing currently, provided the master password itself is long, unique and protected by two-factor authentication.

If you’re interested in implementing a password manager at your organization, here are a few of the features you should look for.

  • Enterprise Control. One of the biggest benefits of a password manager is the ability to manage every password user at your organization. Look for a service that allows you to turn off access for people who have left your organization and to select the users who should and should not have access to specific accounts. A good system will allow you to maintain this admin-level control without giving you direct access to any password content. Note that disabling a departed user’s account does not unshare the passwords they already saw; those credentials still need to be changed.
  • Audits and Changing. Many password managers can guide users to choose stronger passwords. Some will audit your passwords and suggest ways to strengthen them. Many also allow you to schedule password changing and even automate password changes.
  • Two-Factor Authentication. A good password management vendor will understand your concern that a single master password in the wild can expose dozens more. Two-factor authentication, a method that requires you to verify your identity in a second way, adds an extra layer of security that makes it more difficult for a thief to get into the system.
  • Multiple Devices. Chances are your staffers want to use various operating systems and mobile devices. Look for a password manager that is compatible with PCs, Macs, and all the various mobile devices out there.
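The Enterprise Control and Audits and Changing features above are easiest to reason about with a small model in front of you. The following is an added example written for this page, not code from Dashlane, LastPass, Sticky Password or any other product: a toy shared vault in which an admin decides who may use each credential but cannot read it unless it was shared with them, offboarding both disables the user and flags every credential that person could have seen for rotation, and an audit reports reused, short and not-yet-rotated secrets. The class and method names are invented, the 12-character minimum is an assumption, and secrets are held in plain text only because the example is about access decisions, not storage.

```python
"""Toy shared password vault: per-user access, offboarding with forced rotation,
and a weak-password audit. Added example; SharedVault and its methods are
hypothetical names, not any product's API."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Entry:
    name: str
    secret: str                            # a real vault would encrypt this at rest
    shared_with: Set[str] = field(default_factory=set)
    needs_rotation: bool = False           # set when someone who saw the secret leaves


class SharedVault:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}   # username -> {"active": bool, "admin": bool}
        self.entries: Dict[str, Entry] = {}

    def add_user(self, name: str, admin: bool = False) -> None:
        self.users[name] = {"active": True, "admin": admin}

    def _require_admin(self, actor: str) -> None:
        u = self.users.get(actor)
        if not u or not u["active"] or not u["admin"]:
            raise PermissionError(f"{actor} is not an active admin")

    def add_entry(self, actor: str, name: str, secret: str) -> None:
        self._require_admin(actor)
        self.entries[name] = Entry(name, secret)

    def share(self, actor: str, entry: str, user: str) -> None:
        # Admins control who may use a credential; sharing does not reveal it to the admin.
        self._require_admin(actor)
        if user not in self.users or not self.users[user]["active"]:
            raise ValueError(f"{user} is not an active user")
        self.entries[entry].shared_with.add(user)

    def reveal(self, actor: str, entry: str) -> str:
        # Only active users the entry was shared with may read it; admin status alone is not enough.
        u = self.users.get(actor)
        e = self.entries[entry]
        if not u or not u["active"] or actor not in e.shared_with:
            raise PermissionError(f"{actor} may not read {entry}")
        return e.secret

    def can_read(self, actor: str, entry: str) -> bool:
        try:
            self.reveal(actor, entry)
            return True
        except PermissionError:
            return False

    def offboard(self, actor: str, user: str) -> List[str]:
        # Disable the account AND flag every credential the person could have seen:
        # revoking access does not make them forget a secret they already know.
        self._require_admin(actor)
        self.users[user]["active"] = False
        to_rotate = []
        for e in self.entries.values():
            if user in e.shared_with:
                e.shared_with.discard(user)
                e.needs_rotation = True
                to_rotate.append(e.name)
        return sorted(to_rotate)

    def rotate(self, actor: str, entry: str, new_secret: str) -> None:
        self._require_admin(actor)
        self.entries[entry].secret = new_secret
        self.entries[entry].needs_rotation = False

    def audit(self, min_length: int = 12) -> Dict[str, List[str]]:
        # Findings an audit feature would raise: reused, short, and not-yet-rotated secrets.
        findings: Dict[str, List[str]] = {"reused": [], "short": [], "rotation_pending": []}
        by_secret: Dict[str, List[str]] = {}
        for e in self.entries.values():
            by_secret.setdefault(e.secret, []).append(e.name)
            if len(e.secret) < min_length:
                findings["short"].append(e.name)
            if e.needs_rotation:
                findings["rotation_pending"].append(e.name)
        for names in by_secret.values():
            if len(names) > 1:
                findings["reused"].extend(names)
        return {k: sorted(v) for k, v in findings.items()}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one admin, two staff, three shared credentials, one departure."""
    v = SharedVault()
    v.add_user("admin", admin=True)
    v.add_user("alice")
    v.add_user("bob")
    v.add_entry("admin", "donor-crm", "correct horse battery staple")
    v.add_entry("admin", "payroll", "Summer2017!")
    v.add_entry("admin", "mailchimp", "Summer2017!")
    v.share("admin", "donor-crm", "alice")
    v.share("admin", "payroll", "bob")
    v.share("admin", "mailchimp", "bob")
    v.offboard("admin", "bob")   # bob leaves: payroll and mailchimp must be rotated
    return v.audit()


if __name__ == "__main__":
    print(demo())
```

In the demo the audit reports the two credentials bob had access to as both reused and short, and, because bob is gone, as pending rotation; nothing is reported for the credential only alice used.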

Source: The Nonprofit Times

Who You Gonna Call? Nonprofit Addresses Nonprofit Cybersecurity


What would you do if your nonprofit had over 500 W2 tax forms stolen electronically and put up for sale on the dark web?

This nightmare happened to one unnamed nonprofit, and their solution was to contact the National Cybersecurity Center, a nonprofit founded in 2016 by Colorado Governor John Hickenlooper. The NCC’s mission is to provide collaborative cybersecurity services and training. Their goals are to provide education, training, and response services. According to CEO Ed Rios, almost 90 percent of the attacks reported to the center have been mitigated.

What happened to those W2s? The NCC determined that the records were obtained via an email scam. To help with prevention, the NCC offered training to the nonprofit on identifying and avoiding such attacks in the future.

Rios stated that approximately 75 percent of attacks result from user error. The help-desk shorthand for this is PICNIC (Problem In Chair, Not In Computer), a term IT support staff use to describe the non-IT workforce’s propensity to click first and ask questions later.

There are three pillars of the NCC’s work:

  1. The Rapid Response Center is a dedicated facility with experts, vendors, and partners to serve as a trusted resource during a time of security breaches. Their plan is to be the “one-stop shop” when immediate assistance is needed to solve an attack. The RRC is reached via 877-90-CYBER. Currently only available during business hours, the plan is to offer 24/7 assistance in the future.
  2. The Cyber Institute takes a think-tank approach to exploring emerging tactics and trends, encryption, and protocols available to better protect our electronic assets. Examples include cyber law, cyber budgeting, cyber communications, and other activities that a small or medium nonprofit or business needs to understand, both now and as technology evolves.
  3. The Cyber Research, Education and Training Center partners with K-12 and higher education to drive research and development and to provide cyber workforce preparation and education.

Statistics reveal that a single breach can cost up to $9 million for complete resolution, says Rios. Referring to the management level, he said, “50 percent don’t really know enough to even have a discussion.”

Regarding the cybersecurity workforce shortages, Rios further explained that cybersecurity skills can often be taught at the “tactical level” as opposed to the formal education perspective with degrees in computer science. As nonprofits face an increase in cybersecurity and other online threats, it behooves them to be aware of the dangers and the resources available to mitigate them.

Source: The Nonprofit Quarterly

Author: Jeanne Allen

The insurance industry needs social media data


In the era of 24-hour news coverage, and in the aftermath of highly publicized catastrophic events including hurricanes, earthquakes and terrorist attacks, insurance policyholders have very little patience for a protracted claims process.

To avoid alienating customers, especially younger policyholders who grew up in a digital age, the insurance industry must adapt to keep up with the speed of business and with rising expectations about how companies administer claims.

Consumer expectations aside, there’s also pressure from internal stakeholders who expect up-to-date evaluations of risk and more efficient business practices that drive down costs and create competitive advantages.

So, how can insurance companies redesign their business models, particularly the claims administration process?

Leveraging the wisdom of crowds

With these challenges in mind, innovative insurance companies increasingly see a reason to incorporate alternative data sources as an element of their insurance contracts. Given the prevalence of smartphones and the general public’s willingness to use their social media accounts to share events as they happen, real-time social media posts are often the fastest indications of a breaking event. In fact, governments, news agencies, and businesses commonly rely on social media to keep track of breaking news stories.

The real-time nature of social media dovetails with the need for insurance companies to pick up the pace when processing claims. When analyzed correctly, social media data can inform a parametric insurance contract, triggering the payment of a predetermined amount when conditions exceed certain metrics, such as the wind speed associated with a hurricane or the tremors accompanying an earthquake. In addition to natural disasters, alerts derived from social media could justify payouts of a parametric insurance policy covering a man-made event, such as a terrorist attack.

In short, when a significant incident impacts policyholders, a parametric contract that relies on social media alerts can generate a payment. And there’s an added bonus: After an event, the real-time information from social media becomes historical information that helps underwriters assess future policy risks.

A front-row seat to insured events as they unfold

As the recent hurricane in Puerto Rico and the 2017 terror attack at the Parsons Green Underground station in London demonstrate, a spike in the volume of real-time social media posts is a leading indicator of breaking news. In the simplest terms, social media posts emanating from Puerto Rico or from the vicinity of Parsons Green station provided compelling evidence of an incident. Over time, as the volume of posts grows, the evidence of a covered event becomes incontrovertible.

Nonetheless, insurance companies don’t need to wait until there’s a vast amount of social media posts to initiate the claims process. With the right tools in place to mine social media, insurance companies can be alerted to an event before the volume of posts surges exponentially.

Whether an insurance company relies on the first post to act or decides to wait until the volume of social media posts mushrooms, the corroborative nature of social media, including the analysis of geolocated posts, offers an up-to-date portrayal of events.
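The mechanism the last three paragraphs describe, a surge of geolocated posts as the first signal and a parametric threshold as the payment trigger, is concrete enough to show in code. The block below is an added example written for this page, not any insurer's or vendor's system. The post feed is constructed, the bounding box is a rough rectangle I chose around San Juan for illustration, and the detector is a plain trailing-baseline z-score with two assumed guards (a minimum count and a floor on the standard deviation) so that a flat, near-empty baseline cannot fire on a handful of posts.

```python
"""Post-volume spike detection over geolocated posts, plus a parametric trigger check.
Added example; the feed, the bounding box and the thresholds are all constructed."""
from statistics import mean, pstdev
from typing import List, Tuple

Post = Tuple[int, float, float]            # (minute index, latitude, longitude)
Box = Tuple[float, float, float, float]    # (min_lat, max_lat, min_lon, max_lon)

# Rough rectangle around San Juan, Puerto Rico, chosen for the example only.
SAN_JUAN_BOX: Box = (18.3, 18.6, -66.2, -65.9)


def bucket_counts(posts: List[Post], box: Box, minutes: int) -> List[int]:
    """Count the posts whose geotag falls inside `box`, one bucket per minute.
    Posts from elsewhere are the noise the corroboration step must discard."""
    lo_lat, hi_lat, lo_lon, hi_lon = box
    counts = [0] * minutes
    for minute, lat, lon in posts:
        if 0 <= minute < minutes and lo_lat <= lat <= hi_lat and lo_lon <= lon <= hi_lon:
            counts[minute] += 1
    return counts


def spike_minutes(counts: List[int], baseline: int = 10, z: float = 3.0,
                  min_count: int = 5) -> List[int]:
    """Flag minutes whose count exceeds the trailing `baseline` minutes' mean by `z`
    standard deviations. The floor of 1.0 on the deviation stops a perfectly flat
    baseline from flagging any tiny change; `min_count` ignores a handful of posts."""
    flagged = []
    for i in range(baseline, len(counts)):
        history = counts[i - baseline:i]
        threshold = mean(history) + z * max(pstdev(history), 1.0)
        if counts[i] >= min_count and counts[i] > threshold:
            flagged.append(i)
    return flagged


def first_alert(posts: List[Post], box: Box, minutes: int) -> int:
    """Minute at which the first spike fires for the covered area, or -1 if none."""
    spikes = spike_minutes(bucket_counts(posts, box, minutes))
    return spikes[0] if spikes else -1


def parametric_payout(peak_reading: float, trigger_level: float, amount: float) -> float:
    """Parametric contract: the fixed amount is owed once the measured index (say, peak
    wind speed in knots) reaches the trigger level. No loss adjustment is involved;
    the social-media alert only tells the insurer when to go and read the index."""
    return amount if peak_reading >= trigger_level else 0.0


def build_sample_posts() -> List[Post]:
    """Constructed feed: ten quiet minutes, then a surge inside the covered area,
    with one out-of-area post every minute that must be ignored."""
    per_minute = [2, 3, 2, 4, 3, 2, 3, 2, 3, 2, 3, 25, 60, 80, 75, 70]
    posts: List[Post] = []
    for minute, n in enumerate(per_minute):
        posts.extend((minute, 18.45, -66.07) for _ in range(n))   # inside the box
        posts.append((minute, 25.76, -80.19))                      # Miami: outside
    return posts


if __name__ == "__main__":
    feed = build_sample_posts()
    print("first alert at minute", first_alert(feed, SAN_JUAN_BOX, 16))
    print("payout:", parametric_payout(peak_reading=96.0, trigger_level=74.0, amount=10000.0))
```

On the sample feed the alert fires at minute 11, the first minute of the surge, well before the volume peaks; the minutes after the peak are not re-flagged because the surge itself has by then entered the baseline, which is the behaviour wanted from a leading indicator.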

While incorporating alternative data into parametric insurance contracts may face organizational resistance, making use of social media data benefits those covered by policies as well as the insurers themselves, taking the burden of assessing a loss off insurance adjusters alone and shortening the time needed to assess a loss and issue a payment. Customers who are helped quickly are also less likely to complain about service and may support the insurance company publicly, contributing to brand strength.

The rush to leverage social media alerts

Up until recently, the insurance industry has resisted the pressure to jump on the technology bandwagon. However, in the midst of unrelenting changes in consumer expectations, and the proliferation of online insurance upstarts determined to disrupt the industry, many insurance companies are in the process of overhauling their business models and embracing the latest technology.

In particular, the claims process is ripe for change. While the industry’s staid approach to claims used to suffice, today’s policyholders no longer deem it acceptable for insurance companies to take months to evaluate and pay out claims. In order to attract and retain customers, while reducing claims processing costs and creating competitive advantages over less refined competitors, insurance companies must build business models that allow for a faster, more agile response. That means looking beyond the traditional tools and approaches for a nimble solution with the potential to support the accelerated payouts policyholders expect.

Using alerts derived from social media gives claims processors real-time, actionable information, including images and video that offer third-party evidence of an event and the extent of the damage, and consequently the ability to expedite and automate policy payments. Insurance companies that tap into social media data to speed the claims process may impress policyholders by avoiding typical operational delays and may strengthen public perception of their brand.

The competitive landscape of shifting business models may propel many insurance companies to use social media data as an indispensable linchpin in their revamped claims administration process.

Source: Property Casualty 360

Author: Dillon Twombly

The Most Common Financial, Management Risks Facing Nonprofits


This resource discusses and provides examples of the financial risks a nonprofit organization may encounter. Nonprofit grantees may find it useful in identifying potential risks within their organization. The risks in financial management are any actions that result in the reduction in value or loss of any of the organization’s financial assets.

The management and protection of financial resources must be a concern for all nonprofit organizations—from the smallest all-volunteer group to a large, national association. Without adequate financial resources, an organization is unable to achieve its mission and may not survive. Financial resources or assets fall into three categories—money, goods, and services. Money consists of cash, checking and savings accounts, securities and other investments. Goods involve merchandise or stock, supplies, and equipment. Services are the programs and activities the organization offers to its clients. Accountants classify goods and services as resources because they have a value or may be used to create value or revenues.

The risks in financial management are any actions that contribute to the reduction in value or loss of any of the organization’s financial assets. The decrease can be from the actions of an internal source such as an employee or volunteer, or someone outside of the organization can perpetrate the loss—a burglar, “con man,” or client defrauding the organization. Every organization should be aware of the possibility of a financial loss and take the appropriate protective actions.

A financial loss can have a tremendous impact on a nonprofit. The loss of money can create a cash flow crunch and force the organization to reduce its spending. The actions may include eliminating staff or reducing the hours worked plus adjusting the services offered to clients. Besides reduced services, the nonprofit may experience negative publicity about the incident. The bad press can lead to a decrease in donations and the willingness of volunteers to work with the organization. Lastly, a financial loss can affect the reputations of the people involved. Often, the board dismisses an executive director if a large theft occurs on his or her “watch.” Members of the board are questioned by family, friends, associates, and others about the details of the incident and how could it happen to that organization. All of these factors make it imperative for every nonprofit organization to have the proper financial controls in place.

Categories of Risk

Fraud

Fraud, the intentional perversion of the truth in order to induce another to part with something of value or to surrender a legal right, is the umbrella term for most financial losses. Fraud is the most common crime perpetrated against nonprofits. Theft is a generic term for the fraudulent taking of property. In insurance terms, theft means any act of stealing. Types of theft include:

  • Burglary – breaking and entering into a building for the purpose of committing a crime.
  • Swindling – convincing someone to give or entrust property to you using deceit or false pretenses
  • Forgery – the unauthorized making or altering of a writing so that it looks to be lawfully authorized
  • Embezzlement – taking property lawfully entrusted to you and converting it to your own use.

Someone inside or outside the organization can commit a fraud or theft of organizational assets or resources. An employee can embezzle funds, steal office supplies or merchandise, pad an expense account, or create a fictitious company and bill the organization for services never rendered. An outsider can sell bogus merchandise, overcharge the organization for materials or services, or entice the organization to make bad investments. Imagination is the only limit to the ways to defraud an organization. Unfortunately, for every control or security system the organization implements, there is always someone smart enough to breach it. Catching wrongdoing before it translates into sizable losses is key. Therefore, in addition to establishing internal controls, nonprofits must be ever vigilant in monitoring their programs.

Investments 

The size and types of investments will vary with each organization. For smaller organizations, investments might be cash on hand, while large hospitals, colleges and universities may have sizable endowment funds. Regardless of the size of the investment funds, every nonprofit needs to control and monitor its investments. Many organizations lost money in the savings and loan crisis when banks and lending institutions closed. Another danger is that the organization may make poor investment decisions, such as the leveraged investments in risky securities that drove Orange County, California into bankruptcy in 1994.

The New Era Philanthropy scandal is another example of a bad investment decision. Another potential financial risk for an organization is investing in “politically incorrect” companies. If the nonprofit purchased stocks or bonds in a company that subsequently comes under public and media scrutiny, it may experience adverse publicity or a significant decrease in the value of the investment. Every board should establish an investment policy that will guide the nonprofit in its investment and financial decisions. Even an organization operating on a cash basis should have a policy.

Misuse of Funds 

All nonprofits exist for a specific purpose with a defined mission. The board is responsible for ensuring that the organization stays focused on its mission. An excellent way to monitor an organization’s progress is through its use of funds. Many nonprofits receive gifts or funding with restrictions or limitations on its use. The improper use of these funds can cause the funder to withdraw the money, require repayment of the expended funds, and refuse to provide future funding.

A similar risk is the use of funds for purposes other than serving the organization’s mission. Funds inappropriately expended can lead to the loss of the organization’s tax-exempt status or other legal actions. As pressures continue to mount for nonprofits to meet social needs, it is often easy to lose sight of the organization’s mission.

Tax Liabilities

Although most nonprofits are “tax-exempt,” the government still requires them to pay many taxes. An organization must pay the employer’s share of employment taxes such as Social Security and Medicare (FICA), and must withhold and remit its employees’ state and federal income taxes. Failure to pay these taxes leads to large penalties.

A nonprofit may also be responsible for charging and remitting sales tax on items sold. Also, unrelated business income is becoming a significant concern as nonprofits seek creative ways to raise funds. Every nonprofit is responsible for knowing and paying its tax liabilities.

Tax-Exempt Status

The IRS’s approval of tax-exempt status is not a right but a privilege that it can easily revoke. One possible challenge to the status is that the organization is not meeting the charitable purpose guideline. If the nonprofit uses its funds for reasons not related to its charitable purpose, it can lose its tax-exempt status.

Private inurement is another cause for losing the exemption. In one case, the IRS revoked the tax-exempt status for a child care center. The board, whose members were parents of the children in the center, set a fee structure substantially below market rates. The board made up the short-fall with tax-deductible “contributions.” The IRS ruled that it was unlawful private inurement, revoked its exemption and is investigating prior years.

Nonprofits have restrictions on the types of “political” activities they can undertake. The IRS guidelines bar any direct or indirect political campaign activity. Lobbying is another area with restrictions: a nonprofit cannot devote a “substantial part” of its activities to lobbying. An organization may, however:

  • Communicate with its legislators as a constituent
  • Petition the government
  • Respond to governmental inquiries and testify before legislative and administrative bodies
  • Offer nonpartisan analysis of an issue to educate the public

Fundraising

The financial risks for fundraising are two-fold and extend beyond the theft of the money raised. First, an organization must protect itself from unscrupulous fundraising. Many organizations have discovered fictitious groups raising funds on their behalf. However, the organization never receives any of the money. An organization may also suffer losses stemming from injuries at a fundraising event staged by the fictitious group. Every nonprofit must guard against improper use of its name and logo, especially in regard to fundraising. The organization should respond quickly whenever it discovers someone using its name and logo without authorization.

The second issue concerns the selection and use of sponsors and cause-related marketing partners. An organization may spend hours and many dollars to negotiate a sponsorship arrangement only to later discover a flaw with the new partner. Although it did not involve a nonprofit, the Kathie Lee Gifford controversy regarding the use of child labor had a negative impact on sales. Imagine if your organization had been a partner in that deal. The potential damage to an organization’s reputation and goodwill could have a lasting impact. A nonprofit needs to evaluate its sponsors and partners carefully to avoid a press relations incident and other losses.

Physical Assets

When discussing financial risks, most of the attention focuses on the loss of money or funds. However, all nonprofits have physical assets at risk. Every organization owns office furniture and other fixtures and equipment used to meet its mission that is subject to loss. A fire or flood can damage or destroy the office contents. Also, an employee, volunteer, computer hacker, or other person wanting to harm the organization can steal or damage its assets. In addition, some nonprofits may have warehouses of supplies whether it is a food bank, soup kitchen, sports organization, or mentoring program. The loss of the supplies could have a devastating effect on the organization’s mission.

The best protection is systems and procedures that limit the access to these assets. Computers contain not only a wealth of information but also confidential data. Control and limit access to the people with the “need to know.” Also, protect the organization’s supplies and merchandise. Although every employee “borrows” a pen or pad of paper, what about the merchandise (sweatshirts, briefcases, coffee mugs, books) that the organization sells to raise money? Many organizations lose money on merchandise sales due to the lack of inventory and access controls.

Risk Management Techniques 

One key to controlling financial management risks is the development and use of effective internal controls. Every nonprofit needs policies and procedures to control the access and use of its financial resources. The techniques involve general management controls and accounting controls.

General Management Controls

General management controls consist of the board’s and senior management’s responsibilities for establishing the proper oversight of financial operations. The board should require clear and informative financial reports and statements on a regular basis. The organization, if possible, should use a certified public accountant and have an outside independent audit. If it cannot afford an audit, it should at least have an outside party review its financial reports and accounting records. A word of caution, an audit is not designed to detect fraud. An audit’s purpose is to affirm the organization’s financial records and position.

The board should establish the appropriate financial policies, such as investment and loan policies. Senior management and the board also must ensure that the proper financial and accounting procedures are in place. Lastly, the board and senior management should set the organization’s priorities and goals, keeping the nonprofit focused on achieving its mission.

Accounting Controls 

Accounting controls are the procedures used to safeguard the nonprofit’s assets. Proper accounting controls also provide reliable and accurate financial records. Both of these goals enable the board and senior management to monitor the organization’s financial operations.

The creation of adequate accounting controls should focus on four areas—authority and approval, proper documentation, physical security, and early detection. Authority and approval procedures require the identification of who has the authority to perform and approve certain transactions, such as approving invoices, expense accounts, signing checks, and dispensing supplies. Proper documentation is a part of the approval and authority process, in that every financial transaction should leave a “paper trail.” Physical security addresses limiting access to various physical assets (accounting records, personnel files, merchandise, supplies, and other equipment).

Organizations often ignore the early signs of wrongdoing. If the proper controls are in place, the systems should alert someone to possible fraud. Unfortunately, people tend to ignore the early warning signs and let the deceit continue. Everyone must follow the established procedures for the controls to work. Any deviation from the system will enable someone to defraud the organization successfully. Good risk management may prevent a financial loss or catch the culprit early in the process, thereby minimizing the loss.

Source: ECLKC