Best Practices in Risk Management


Previously we discussed risk assessment and how, while it is both an IT and human undertaking, most risk assessments need to start and end with business processes. After you have conducted a risk assessment, it might seem that you simply need to review the assessment and determine which risks should be reduced or eliminated. While this is true, managing risk goes beyond responding to a risk assessment process. In this article, we’ll take up the topic of risk management, which involves dealing with a continuum of risks.

Categorizing Risk
Before you can begin to manage risk, it can be helpful to segment your potential risks into categories for further definition and review. Typically, risks can be placed in one of three categories:

  1. Known Knowns are risks that are a part of our industry, business, or simply part of our lives. For example, for almost every business using electronic payments, the danger lies in being hacked, losing customer credit or debit card information, or having funds misdirected by a criminal – or even by human error.
  2. Known Unknowns are risks that cannot be foreseen, but can be understood. For example, while the risk of a computer/network system being hacked is a known risk, it is unknown who will do it, where it will come from or the purpose of the hack.
  3. Unknown Unknowns are risks you see only in hindsight. Recent technology events that fit this class of risk include the POODLE and Heartbleed vulnerabilities. Both of these highly technical vulnerabilities existed in thousands of computer systems for decades but were completely harmless until someone discovered they could be exploited with malicious intent. It is quite possible that many more of these unknown unknowns exist in the computer systems we rely on every day.

Risk Management Practices
With these three categories in mind, you can establish risk management practices for your business. When considering the first two categories, your risk assessment can help you rank and rate each risk, its potential to occur and, if it occurs, the magnitude of its impact. From here, risk management policies can help you handle risks effectively and in a reasonable manner. For example, if a very low probability risk would have catastrophic results for your business, it may be a matter of policy that your company would work at reducing or eliminating that risk regardless of the risk assessment score.

Risk management is an active and ongoing process. Once policy is in place, a set of operating standards is needed to set expectations for IT and other staff who deal with risks. Standards may include existing controls or new controls to help reduce or eliminate risks. For example, one operating standard could be to require out-of-band authentication (secure verification of your staff member through a separate channel) on any online corporate funds transfer. Beyond existing controls, risk management standards could include requiring that risks of a certain magnitude be handled within a set number of days. If the risk is not resolved within that time frame, management can review and discuss why the risk is not yet reduced, and take additional action or, in some cases, decide to extend the time to cure the risk.

Once risk is reduced, it’s important to complete a review of the ‘residual’ risk, the risk that cannot be eliminated. For example, using out-of-band authentication reduces the risk of a bad actor transferring funds, but there is still the risk of human error in posting the funds, transferring to the wrong person or entity, and the like. These risks may then be addressed through procedures or processes.

Processes establish the methodology for meeting policy requirements at the level set by standards. In the funds transfer example above, using out-of-band authentication reduces the technology risk that money will be stolen. However, internal processes still need to be established to reduce the risk of human error. Moreover, and while disturbing to consider, more incidents of employee theft have been cited in recent years. Therefore, separation of duties and normal, traditional human control mechanisms are just as important as technical risk management.

The following six steps briefly summarize the risk management process:

[Graphic: the six steps of the risk management process]

Risk management needs to be an ongoing and integral part of your business management today. Technology risks are often more than purely IT issues and involve the humans who conduct every part of your daily business. Especially when processes involve money, it is important to have these processes tied to policies and standards, which creates a measurable and defined set of risk management capabilities. Finally, while policies, standards and processes are tied together, it is important to manage risk dynamically as the risk environment changes.

5 Tips for Secure Use of Business Online and Mobile Banking


We can never overstate the importance of protecting your online security, especially when it comes to your business’s use of Online and Mobile Banking. These top tips from our Electronic Banking Specialists help reduce security threats:

  1. Never share login IDs and passwords. Each individual user under the business should have a separate login and password.
  2. Delete inactive/dormant profiles. Remove inactive users, whether former employees or accountants. In Merchants Bank Online Banking, you can make these kinds of updates through the Preferences tab.
  3. Never have your browser or phone remember passwords. Always type in your password. While it may seem a bit inconvenient at times, it greatly increases the security of your account information.
  4. If logging in on a mobile device, be sure your phone or tablet is password protected. In case your device is lost or stolen, you don’t want the fraudster to have access to information you have on your device.
  5. Be sure to keep contact information up to date for yourself and other users. It’s very frustrating to request a password reset and not receive it due to a bad email address. To update your information with Merchants Bank, give us a call.

Bonus Tip for Business Online Banking Supervisors and Business Owners: Review your company users annually, checking what access they have to which accounts. Also, review debit cards the account may have open and close any cards that are no longer used. Both of these quick reviews will help reduce fraud on business accounts.


Fraud: It’s Social


Mitigating fraud is especially critical to business success today. Regardless of what industry you’re in, the threat of fraud impacting you or your customers is ever-present. The impact may be financial, loss of trust, damage to reputation, or all of these. And the perpetrators of fraud are growing both in number and in sophistication, which leads us to the topic of social engineering.

One definition provided by Techtarget.com lists social engineering as “an attack…that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” While awareness of social engineering is growing, the actual theft of money and confidential information obtained through social engineering is growing faster. According to the FBI, thieves stole nearly $750 million in (email phishing) scams from more than 7,000 companies in the U.S. between 2013 and 2015.

Social engineering uses the good will of employees and customers, who often believe they are being helpful, to acquire confidential information. How does this evolve into a crime? Social engineering data is taken from a broad and meaningful set of sources: by deceiving users into disclosing information, from publicly available sources such as Facebook or professional aggregation sites such as spokeo.com, or by purchasing stolen data that is readily available for sale online. This information is analyzed in conjunction with other data to enable serious crimes that may be perpetrated later on. Once criminals have enough information, they no longer need to steal money by brute force; they can simply log on as an employee, presenting real credentials and security information, and steal money in what appears to be a legitimate transaction. So what should a business do to prevent fraud that may go undetected for some time?

Companies are now employing best practices that extend beyond the fraud software used in today’s business operations; they include the integration of deep technology controls and dynamic cybersecurity practices into more traditional risk management techniques. The success of this effort depends on the ongoing, up-to-date expertise of a company’s staff with respect to rapidly changing security threats. Staff training and scenario planning need to be a constant effort, with reminders to people throughout the organization to be on the lookout for the unusual request or event.

Even with strong training and due diligence, a fraud event may well occur. When it does, the business should have a three-part response:

  1. Halt the event
  2. Assess the damage
  3. Address how to recover

Finally, complacency is not acceptable. The nature of fraud will continue to evolve, creating new threats that need to be combatted with a proactive, disciplined approach by both businesses and the customers they serve.

Why Your Business Should Conduct a Risk Assessment


Risk is inevitable. It’s simply part of any business, and because of that, managers often believe that understanding risk is an organic process that is either self-evident or intuitive, and based on the nature of the business itself. It’s not a bad approach because it tends to focus on business functions and not just the technology. But by themselves, intuition and experience are inadequate. And because they’re inadequate, a formal risk assessment process is critical to managing the growing, changing, and challenging threat environment that continues to evolve at the frenetic pace of technology today.

A structured risk assessment consists of three basic steps:

  1. Identify and define the risks to be assessed.
  2. Decide how likely it is that each risk will occur.
  3. Decide the magnitude of the impact to the business if a given risk does occur.

Notice that steps two and three are decisions. It’s not always easy to determine just how likely it is that a given risk will occur. Unless we have a good set of data to back up our evaluation, we can only reason, applying common sense to understanding each risk.

Yet to understand and communicate risk throughout the organization, it should be quantified. This can be accomplished using a simple risk scoring methodology we are all familiar with. For example, if we use a 1-5 ranking system, we can let 1 = low and 5 = high. Then if a risk is very likely to occur, we rank it a 5. If the risk would have a serious impact on the business, we rank that a 5. Finally, we multiply the two together for a risk score of 25. Using this approach over and over, we can develop a hierarchy of risks that cascade from high to low, and prioritize which of those to address first. At the same time, it’s important not to make all decisions based on the risk score alone.

Let’s say a risk is very unlikely and we rate it a 1, but if it occurred, the impact on the organization would be catastrophic, so we rate that a 5. The total risk score is a 5 and, judging by the number alone, it should be low on the list of risks needing remediation. At this point we need to look past the numbers and determine our organization’s risk appetite. If we’re willing to live with a risk having potentially catastrophic results, then we would likely not develop a disaster recovery plan, nor would we have a disaster recovery site, because the risk of complete loss of the data center is usually very low and the cost of a fully functional backup site is high. But most organizations understand that essentially all catastrophic risks need to be addressed, and while the scoring approach is very helpful, it cannot be used in a vacuum, leading us back to the application of intuition and experience.
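As an added example (not part of the original article and not a Merchants Bank tool), the following Python sketches the likelihood-times-impact scoring above together with the two caveats this page describes: the risk-appetite override from this article, which keeps catastrophic-impact items on the list regardless of their multiplied score, and the operating standard from the earlier risk management piece, which gives risks of a certain magnitude a set number of days before management reviews why they are still open. The register entries, their 1-5 ratings, the opening date, and the deadline tiers (30, 90 and 180 days by score) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SCALE = range(1, 6)        # the article's scale: 1 = low, 5 = high
CATASTROPHIC_IMPACT = 5    # impact rating that triggers the policy override

# Assumed policy table (not from the article): (minimum score, days allowed)
# to reduce the risk before management must review why it is still open.
# Scores of 15-25 get 30 days, 8-14 get 90 days, everything else 180 days.
REMEDIATION_DAYS = [(15, 30), (8, 90), (1, 180)]
TOP_TIER_SCORE = REMEDIATION_DAYS[0][0]


@dataclass
class Risk:
    name: str
    likelihood: int   # how likely the risk is to occur
    impact: int       # how bad it would be if it did
    opened: date      # when the assessment recorded it

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: ratings must be between 1 and 5")

    @property
    def score(self) -> int:
        # the article's method: likelihood multiplied by impact
        return self.likelihood * self.impact

    @property
    def policy_override(self) -> bool:
        # risk appetite decision: catastrophic outcomes are addressed
        # regardless of how low the multiplied score comes out
        return self.impact == CATASTROPHIC_IMPACT

    @property
    def deadline_days(self) -> int:
        # an overridden risk is handled as if it scored in the top tier
        effective = TOP_TIER_SCORE if self.policy_override else self.score
        for minimum, days in REMEDIATION_DAYS:
            if effective >= minimum:
                return days
        raise AssertionError("score is always at least 1")

    def due(self) -> date:
        return self.opened + timedelta(days=self.deadline_days)

    def needs_management_review(self, today: date) -> bool:
        # past the standard's time limit and still open: management reviews
        # why, takes more action, or formally extends the time to cure
        return today > self.due()


def rank(risks: list[Risk]) -> list[Risk]:
    # highest score first; ties broken by impact so the worse outcome leads
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def work_queue(risks: list[Risk], today: date) -> list[tuple[str, int, str]]:
    """Ranked register with the reason each item is being worked."""
    queue = []
    for r in rank(risks):
        flags = []
        if r.policy_override and r.score < TOP_TIER_SCORE:
            flags.append("policy override")
        if r.needs_management_review(today):
            flags.append("overdue: management review")
        reason = ", ".join(flags) or f"due {r.due().isoformat()}"
        queue.append((r.name, r.score, reason))
    return queue


def sample_register() -> list[Risk]:
    # constructed sample entries, not real assessment data
    opened = date(2024, 1, 1)
    return [
        Risk("Payment credentials stolen by phishing", 5, 5, opened),
        Risk("Staff transfer funds to the wrong payee", 3, 3, opened),
        Risk("Complete loss of the data center", 1, 5, opened),
        Risk("Encrypted laptop lost in transit", 4, 1, opened),
    ]


if __name__ == "__main__":
    for name, score, reason in work_queue(sample_register(), date(2024, 1, 20)):
        print(f"{score:>3}  {name:<42} {reason}")
```

Run stand-alone it prints the ranked work queue. The point to notice is that "Complete loss of the data center" scores only 5 by the numbers, yet the override gives it the same 30-day window as the top-scoring item, which is exactly the risk appetite decision the paragraph above describes; the ranking itself is left untouched so the score still communicates relative likelihood.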

In short, a risk assessment is a structured process used in identifying and classifying risks, deciding what and how much to do about them. Once we’ve agreed on the assessment and classifications, we can focus on the two remaining aspects of risk management: risk remediation and, once that is accomplished, agreement that the remaining (or, residual) risk is acceptable.

Identity Theft: Your Path to Immortality


One of the most insidious outcomes of today’s electronic crime is identity theft. Having your identity stolen usually results in months or years spent unwinding the false and often damaging actions taken by hackers pretending to be you. In many ways, ID theft is among the most personally invasive crimes today, and certainly it is among electronic crimes.

The road to identity theft is often made up of several small trails that hackers use to “assemble” your identity and use it for financial gain. Hacking email is only one element of the sophisticated e-criminal’s toolkit. They also search and assemble other information found online in social media or in publicly available ‘aggregation’ sites where personal information is gathered from sources including local, county, state, and national information sites.

While much of this information is public, it can be used to augment private information obtained through hacking or through simply buying personal data from criminals housing data from massive breaches involving Social Security numbers, credit or debit card numbers, or personal login information. Because ID theft is the result of a process and not often a single breach of data, the best route to prevention is diligence.

It’s easy to ignore online security because it often involves deliberate and sometimes tedious steps. But failing to follow good security practices will only make it easier for criminals to gather and assemble a “virtual you.” And as has been proven over and over again, once online, information can live forever. To manage the personal risk, standard security practices should be kept in the forefront of your online activity. Among those things you should be doing are the following ten practices:

  1. Reduce the amount of information you share on social media.
  2. Change passwords to your financial institutions periodically, whether or not the financial institution requires it.
  3. Do not use the same password for multiple sites.
  4. Extend the complexity of passwords by using pass phrases and making them harder to hack such as: Th1$isH^rder2hacK.
  5. Check your financial institution balances frequently to review transactions.
  6. Maintain a valid subscription to a virus and malware service on your computers.
  7. Use options such as out-of-band authentication when completing online financial or other transactions involving personal information.
  8. Never go to a site by clicking on a link in an email or attachment – login by going directly to the URL of the site you wish to visit.
  9. If you suspect your computer has been compromised, take it to a qualified expert for evaluation.
  10. Back up your computer regularly, keeping several copies from different time frames so that if you are compromised, you can reinstall a previous version.

You can find additional resources online through organizations such as Privacy Rights Clearinghouse, an online consumer advocacy site that provides a host of information to help deter ID theft and steps to take if it occurs.

Managing your personal online security does take some effort. But failing to do so may result in ID theft that is devastating, takes on a life of its own, and is difficult to terminate. If you’re looking for immortality, this may not be your best option.

Practical Security Tips to Help You Stay Safe


Learning the basics, along with implementing some practical security tips, can help protect you from identity theft and fraud. First, it’s important to know the difference between these two concepts. Identity theft is when someone uses your personal information without your permission. In comparison, bank or credit card fraud is when an account is opened fraudulently in your name and unauthorized charges are made.

So how does Merchants Bank protect you from both? We use a combination of safeguards to protect your information, which include employee training, encryption of information, and fraud detection programs. Learn more on our website.

It’s also your responsibility to take steps to protect yourself. Here are our top practical security tips for your home, office, money management habits and online practices.

At Home or Work:

  • Always lock your vehicle and, if kept in your vehicle, power down mobile devices so your GPS signal cannot be tracked.
  • Put private information away when others will be in your home or office.
  • Keep a list of your credit cards, account numbers, expiration dates and customer service or fraud department telephone numbers in a secure place away from the cards for easy access.
  • Shred all financial statements, credit card offers and any unused cards.
  • Never keep your Social Security card in your wallet.

When Managing Your Money:

  • Don’t keep large balances in checking accounts that have checks or a debit card connected to them. Transfer excess funds to a savings account instead.
  • If you are not going to use checks, do not order any.
  • Carefully check through your credit card and bank activity regularly and immediately report unusual activity.
  • Set up text or email alerts (https://www.youtube.com/watch?v=aPVP1FeaqSk) from your bank for certain transactions, such as transactions over $500.
  • Sign up for eStatements to reduce the likelihood of paper statements being stolen.

Online:

  • Do not provide your personal information to anyone (phone or online), unless you are the one who initiated the call and are familiar with the business.
  • Change your password frequently, using a combination of letters, numbers and special characters when possible. Do not share it with others.
  • Be cautious when entering a login ID and PIN online, especially on a public network. Make sure you are on a secure website.
  • Never have a website remember your password to log in.
  • Add virus protection software on your computer if you don’t already have it. Once it’s added, make sure the software on your computer is up-to-date, which can be easily managed by enrolling for automatic software updates.
  • Be careful what you post on social media websites and check your privacy settings. Criminals can use public information such as birthdays, high schools, colleges, pet names, and email addresses to steal your identity.

If you suspect fraudulent activity on your Merchants Bank account(s), contact your local Merchants Bank immediately.

To receive email fraud and scam alerts from Merchants Bank in your inbox, sign up here.

Protect Yourself Against Ransomware


One of the fastest growing threats to personal computers or business computer systems is called ransomware. This type of attack locks up your computer (or a group of computers), leaving you unable to use it, until you pay the fraudster ransom. Usually the attackers will release your computer once the ransom is paid, but they often leave behind a form of invisible malware so they can hold your computer hostage again. Ransomware programs are being created daily to outsmart computer users by appearing as harmless emails, documents or attachments.

What is ransomware?
Ransomware is malicious software that puts an encrypted “jail” around your files. Once the jail is in place, the ransomware makes accessing or using the files impossible. When the ransomware has successfully infiltrated your computer, the malicious software will ask for a ransom (in the form of some currency: dollars, Bitcoin, etc.) in order to unlock the files for use. Ransomware will slowly affect every file on your computer – and, in the case of a business, the attached computer network. In some circumstances, the ransomware will also delete your files from your computer if you do not pay within a given amount of time.

How is ransomware spread?
Ransomware is mainly distributed through email and may be embedded in Microsoft Office documents or PDFs.

How can I prevent a ransomware attack?
Your diligence in reviewing your emails and other communication channels is one of the best steps you can take. Use these tips:

To Protect Yourself:

  • Ensure that you are only opening emails from people you know. If you don’t know the sender, delete the email immediately.
  • Ensure that you are only opening documents from people you know. If you were not expecting an email or document from a particular person, verify by phone with the sender before you open anything.
  • If you receive an email asking you to “enable content” or “enable macros,” do not enable either.
  • Verify the business and identity of anyone who calls claiming to perform computer maintenance. If you do not know the company, collect basic information over the phone and verify the information through a third-party source like the Yellow Pages.

To Protect Your Business:

  • Educate your staff on the two tips above regarding emails and email attachments.
  • In some cases, you may receive a phone call from someone claiming to be computer support, Microsoft or another entity. Do not allow anyone other than verified staff or contracted third parties to perform maintenance on your computer network.

For more information on the growing threat of Ransomware, visit the Federal Bureau of Investigation’s website.