However, there are steps companies can take: First, email-filtering software can prevent such emails from being delivered to employees. Second, it’s possible to protect the rest of the network from compromised desktops and laptops by segmenting the network and implementing strong authentication between user networks and anything of importance.
According to Mortakis, this is the principle of least privilege. No users should be assigned administrative access unless absolutely needed. “If someone isn’t in human resources, they shouldn’t have access to HR files,” he explains. “In addition, there should be controls in place to alert you when an employee tries to access files they shouldn’t.”
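As an added illustration of the alerting control Mortakis describes (this is example code, not code from the article or from ILG), the following Python script scans constructed file-server audit lines and raises an alert when a user outside a share's owning department either reaches or merely attempts to reach its files; the share-to-department and user-to-department tables are assumed sample data.

```python
import re
from typing import NamedTuple, Optional

# Constructed directory data (assumption, not from the article):
# which department owns each file share; None means any employee may read it.
SHARE_OWNER = {"hr": "HR", "finance": "Finance", "public": None}
# user -> department, as an identity system or HR directory would provide it.
USER_DEPT = {"alice": "HR", "bob": "Engineering", "carol": "Finance"}

# Constructed file-server audit lines: "<timestamp> <user> <path> <ALLOWED|DENIED>"
AUDIT_LOG = """\
2016-05-02T09:01:12 alice //fs01/hr/payroll/2016-q1.xlsx ALLOWED
2016-05-02T09:03:45 bob //fs01/hr/payroll/2016-q1.xlsx DENIED
2016-05-02T09:04:10 bob //fs01/public/handbook.pdf ALLOWED
2016-05-02T09:07:30 carol //fs01/hr/reviews/bob.docx ALLOWED
2016-05-02T09:09:02 dave //fs01/finance/ledger.xlsx ALLOWED
"""

# Groups: timestamp, user, server, share name, result (the rest of the path is skipped).
LINE_RE = re.compile(r"^(\S+) (\S+) //(\S+?)/(\S+?)/\S+ (ALLOWED|DENIED)$")

class Alert(NamedTuple):
    when: str
    user: str
    share: str
    reason: str

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the record violates least privilege, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # not an access record; ignore it
    when, user, _server, share, result = m.groups()
    owner = SHARE_OWNER.get(share)
    dept = USER_DEPT.get(user)
    if dept is None:
        return Alert(when, user, share, "unknown account accessed file server")
    if owner is None or owner == dept:
        return None                      # open share, or the user's own department
    if result == "DENIED":
        # The ACL held, but the attempt itself is the signal the article asks for.
        return Alert(when, user, share, "attempted access to another department's files")
    # Access was granted to someone outside the owning department: the ACL is too broad.
    return Alert(when, user, share, "excess privilege: access granted outside owning department")

def scan(log: str) -> list:
    return [a for a in (check_line(l) for l in log.splitlines()) if a]

if __name__ == "__main__":
    for a in scan(AUDIT_LOG):
        print(f"{a.when} {a.user:<6} {a.share:<8} {a.reason}")
```

On the sample log this reports bob's denied attempt on the HR share, carol's granted but out-of-department access to HR files, and an account (dave) that the directory does not know.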
Another issue that comes with employees is that they want to use their own devices to access data. “There isn’t a complete solution to this issue,” Mortakis says. But there are some steps that can reduce the risk. “With data logging, you know when something has been downloaded, and remote-access controls can stop them from being able to download specific types of files.”
Another area of concern is vendors, contractors, and other partners who use or have access to your company’s data. “Vendors entrusted with critical data need to have secure storage facilities with access controls, corporate security policies and testing, and certification, such as a Service Organization Controls (SOC) audit,” Moody says. “You need to ask probing questions and have written agreements on standards that are to be maintained.”
IT Solutions
Of course, there are steps best left to the professionals, beginning with automatically applying critical security patches (pieces of software designed to remedy vulnerabilities that have been identified in software) or updates to all systems and applications by investing in a patch-management solution. Patch management is a strategy used to determine what patches should be applied to which applications and when. Many vulnerabilities are remediated by simply applying the latest patches to existing systems.
In addition, you must regularly back up data and verify the integrity of those backups. “Backups are critical in ransomware incidents; if you are infected, backups may be the best — or only — way to recover your critical data,” Mortakis explains. “The backups must also be secure and not connected to the computers and networks they are backing up.” Examples might include securing backups in the cloud, or physically storing them offline.
With more data being stored in cloud environments and employees accessing that data from their own devices, consider implementing two-factor authentication, Moody says. With two-factor authentication, employees and other users are required to have not only a password and user name, but also something that only they have, such as a physical token. For example, if you have tried to log in to your bank account from a new computer, your bank may have texted you a code to enter before granting you access to your account information.
To reduce risk, don’t keep sensitive information if you don’t need it, advises Mortakis. “Put in place a well-defined retention policy that limits the amount of time that sensitive data is stored.”
An important step to ensure that data is secure is to test your system. Penetration testing, ethical hacking, and vulnerability assessments are useful tools for identifying hidden network and host vulnerabilities. “At ILG, we have our own team, and we also have a third party on demand,” Mortakis says. “I recommend performing all types — web and network layers, internal and external networks — of penetration testing at least annually. We perform twice-a-year penetration testing, quarterly internal network-vulnerability assessments, and monthly external network-vulnerability assessments. And that doesn’t count any additional testing we undergo for compliance purposes, such as PCI scans.”
Where Credit Goes Through
Because so many data breaches have targeted payment-card information, that’s an area of particular concern. “Developers should only work with a payment-card processor that has achieved the Payment Card Industry Security Standards Council’s highest level of certification: PCI Certification Level 1,” Moody says. “This certification provides them with reassurance that the processor can accept, process, store, and transmit credit-card information on their behalf in a secure environment.”
In addition, if a company accepts credit cards at — for example — resorts, sales centers, and retail environments, it should have upgraded to EMV chip readers for credit cards by now. “As of October 2014, if a merchant doesn’t have EMV in place, they’re automatically deemed responsible for any breaches that occur,” Moody says. “If you’re still swiping, it’s way past time to adopt this technology, which has far superior security.”
Judy Kenninger, RRP, heads Kenninger Communications and has been covering the shared ownership and vacation real estate industries for nearly two decades.
Resources
At AIFEducates.com, you can watch ARDA International Foundation’s Learning Center webinar on Consumer Financial Protection Bureau requirements, Risk Management Strategies: The Need for a Robust Compliance Management Program.
Open Web Application Security Project is a worldwide not-for-profit charitable organization focused on improving the security of software. Similar to Wikipedia, it’s a community that shares information regarding best practices in software security and application tools. owasp.org
The Payment Card Industry (PCI) Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account-data protection. pcisecuritystandards.org
Verizon’s 2016 Data Breach Investigations Report examines more than 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. With data provided by 67 contributors, including security-service providers, law enforcement, and government agencies, the report offers insight into cybersecurity threats. verizonenterprise.com/verizon-insights-lab/dbir/2016
The Visa Global Registry of Service Providers lists providers that adhere to strict security standards and are in compliance with PCI regulations. Visa recommends, “Clients and merchants should reference the site regularly as part of their due-diligence process and should only use service providers that are listed on the registry for outsourcing their payment-related services.” visa.com/splisting