
7 Cybersecurity Risks for 2014 February 5, 2014

Posted by Ishmael Chibvuri in I.T Risk Management, Internal Audit, Risk Management.


With each new year, comes a new round of cybersecurity risks.

To help businesses best prepare for the year ahead, risk mitigation and response solutions firm Kroll has identified seven trends that indicate a changing tide in cyber standards. These changes will require organizations to take stronger actions and safeguards to protect against reputational, financial and legal risks.

“Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion,” said Tim Ryan, a Kroll managing director and Cyber Investigations practice leader. “Without the right tools and policies in place beforehand, they find themselves suddenly under intense pressure to investigate, track and analyze events.”

Kroll predicts that the new cybersecurity issues for 2014 will include:

National Institute of Standards and Technology (NIST) and similar security frameworks will become the de facto standards of best practices for all companies: Cybersecurity strategies largely designed for companies that were part of the “critical infrastructure” will become more of an expectation for everyone, from conducting an effective risk assessment to implementing sound cybersecurity practices and platforms. Organizations that don’t follow suit may find themselves subject to shareholder lawsuits, actions by regulators and other legal repercussions.

Alan Brill, senior managing director at Kroll, said this trend will move the United States in the direction of the EU, where there is a greater recognition of privacy as a right.

“As new laws evolve that reflect the NIST guidelines and look more like the EU privacy directive, some U.S. companies will find themselves ill-prepared to effectively respond to the regulations,” Brill said. “To minimize their risk, organizations will have to get smart on these standards and make strategic business decisions that give clients and customers confidence that their information is protected.”

The data supply chain will pose continuing challenges to even the most sophisticated enterprises: It is not unusual for companies to store or process the data they collect by using third parties. However, the security that these third parties use to safeguard their client’s data is frequently not understood by businesses that hire them until there is a breach. Companies will need to vet their subcontractors closely and get specific as to the technical and legal roles and responsibilities of these subcontractors in the event of a breach.

“Companies should know who they are giving their data to and how it is being protected,” Ryan said. “This requires technical, procedural and legal reviews.”

The malicious insider remains a serious threat, but will become more visible: Whether it was Shakespeare’s Caesar or America’s Benedict Arnold, people have long known the pain of betrayal by those they trust. Information technology simply made the betrayer’s job easier. In 2014, a significant number — if not almost half — of data breaches will come at the hands of people on the inside. However, as the federal government and individual states add muscle to privacy breach notification laws and enforcement regimes, these hidden insider attacks will become more widely known.

Ryan said the insider threat, which often goes unreported, is insidious and complex.

“Thwarting it requires collaboration by general counsel, information security and human resources,” he said. “SEC breach disclosure of ‘material losses’ may be the model for rules requiring a company to be more transparent and answerable for allowing bad actors to go unpunished.”

Corporate board audit committees will take a greater interest in cybersecurity risks and the organization’s plans for addressing them: With more and more data breaches — from theft of trade secrets to loss of customer information — in the headlines, corporate audit committees are beginning to focus on the connection between cybersecurity and an organization’s financial well-being. As such, these committees will expand their attention beyond the financial audit process to also include the organization’s strategic plans for protecting non-public information. They will also look at risk-mitigation plans for responding to a possible breach.

“As corporate boards carry out their fiduciary responsibilities, they must also protect the company from possible shareholder lawsuits that allege the company’s cybersecurity wasn’t at a level that could be reasonably viewed to be ‘commercially reasonable’ and that incident response plans weren’t in place to mitigate the risk,” Brill said. “The challenge they face is determining what is a reasonable level of security and response, and who should make that call. Is it their IT team, an industry expert, an independent third party?”

Sophisticated tools will enable smart companies to quickly uncover data breach details and react faster: Company leaders realize that even the best firewalls and intrusion detection systems cannot stop all attacks. But technological progress that occurred over the last 12 months will enable companies to unravel events and see with near–real-time clarity what’s happened to their data and how much damage has been done.

Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion, Ryan said. Without the right tools and policies in place beforehand, they find themselves suddenly under intense pressure to investigate, track and analyze events.

“We’ve seen a dramatic improvement in response technology over the last year,” Ryan said. “Companies have never had a better opportunity to enhance their existing protocols with a methodology that can mean an informed and timely response.”

New standards related to breach remediation are gaining traction and will have a greater impact on corporate data breach response: Credit monitoring will no longer be the gold standard in breach remediation in 2014, as lawmakers, consumer advocates and the public at large continue to raise questions about the relevancy and thoroughness of this as a stand-alone solution. These parties will demand a more effective alternative. While no legal guidelines currently exist for consumer remediation, the FTC and states like California and Illinois are already offering guidance that suggests a risk-based approach to consumer remediation will be the way of the future.

“That’s not to say that credit monitoring is useless, because it’s a valuable tool when it aligns with the type of data exposed,” Brill said. “Rather, companies will need to gain a better understanding of their actual breach risks, how the breach could actually affect their customers, and the best way to remedy those specific risks and provide better protection to the affected consumers.”

As cloud and BYOD adoption continues to accelerate, implementing policies and managing technologies will require greater accountability: The development and evolution of cloud services and BYOD have moved at a whirlwind pace, leaving IT departments scrambling to get out in front of the technologies and employee usage. In 2014, IT leaders will need to work closely with senior leadership and legal counsel to adapt corporate policies in a way that addresses changing legal risks, while effectively meeting the needs of the organization.

Brill said that up until now, cloud and BYOD adoption has been like the Wild West — uncharted, unregulated and facing few restrictions.

“While it’s implausible to anticipate every possible risk presented by the use of the cloud and BYOD, companies that have integrated these technologies into their corporate policies, IT security and risk-management plans will be much better prepared to fulfill their legal obligations,” Brill said. “Organizations must realize that even if they don’t want to deal with this, they’re not going to have much choice.”

Originally published on BusinessNewsDaily


Risk Managers Get Certified October 28, 2013

Posted by Ishmael Chibvuri in Enterprise Risk Management, Risk Management.

Jeremy Greenfield

As companies assess the lessons of the global financial crisis and look for ways to safeguard their firms against the effects of another one, demand has surged for risk managers—professionals who analyze the risk in transactions, from investments in treasury bills to credit default swaps, and make recommendations about whether to move forward.

With the profession in the spotlight, several industry organizations are vying to provide a standard certification for the field, which the U.S. Bureau of Labor Statistics predicts will grow in the next several years, in part due to the increasing complexity of financial transactions.

While no certification is required to practice risk management—and many companies don’t require one—there has been a jump in the number of people signing up for certification exams.

“You have to have the hard skills. [Getting certified] is a way of getting more familiar with the concepts,” says Gideon Pell, the chief risk officer at New York Life Insurance Co.

The Global Association of Risk Professionals and the Professional Risk Managers’ International Association—a group created by former GARP volunteer officials—are two trade associations that offer certification exams.

The tests, dubbed the Financial Risk Manager exam and the Professional Risk Manager certification, require about 500 to 600 hours of study, and are passed by roughly half or fewer of those who take them, the groups say. Fees for the two-part GARP exam total $1,250, while the Professional Risk Managers’ four-part test costs $500.

An experienced risk manager can often earn the designations with a few months of study, while it can take more than a year for those who are new to the field. Both courses of study require a proficiency in understanding financial markets, the mathematical basis for risk management, current risk management techniques and behavioral ethics, experts say.

Two other groups, the Risk and Insurance Management Society and the Society of Actuaries, also offer certifications geared toward risk managers which are less focused on financial risk than the FRM and PRM.

More than 23,000 people registered for the Financial Risk Manager exam in 2009, a 69% jump over 2008, according to the group. The other groups say they have also seen an uptick in interest.

Risk manager Dave Ingram, who has FRM and PRM certifications, as well as another from the Society of Actuaries, says his certifications have helped him convince possible clients of his expertise, win new business and perform his job at a higher level.

Mr. Ingram, a vice president at Willis Re, a division of international insurance company Willis Group, says there are still times when he talks to a client who hasn’t worked with him before who needs assurance. “The certifications go a long way there,” he says.

A certification can also be a powerful résumé builder. Richard Meyers, chief executive of Richard Meyers & Associates Inc., a N.J.-based risk-management talent search firm, says that certifications such as the FRM or PRM can be the difference between getting a job and not.

“It reflects the extent of their professional commitment,” says Mr. Meyers. “As a recruiter, I’m very attracted to people that have the credentials on their résumé,” he adds.

When it comes to deciding which certification to get, factors like cost, convenience and employer considerations might be more important than coursework. That’s largely because the two main designations are nearly identical, says Mr. Meyers. “When you really get down to it, [they are] hybrids of each other.”

Other risk management designations that are more suited for enterprise risk managers—who work more broadly with risk issues across companies, rather than just in finance—include the RIMS Fellow, the Chartered Enterprise Risk Analyst, the Certified Risk Manager and the Associate in Risk Management.

“The RIMS Fellow designation combines general risk management knowledge with business courses. It’s a very broad certification,” says Mary Roth, executive director of RIMS, which stands for Risk and Insurance Management Society.

In some cases, companies offer rich incentives and rewards to achieve certifications. BDO International Ltd., an international tax and accounting firm with more than 2,700 employees, has a program that helps to pay for certification fees and classes—which can cost as much as $2,530 when study courses are included.

The company also has a “flex” program that allows employees to adjust their work hours when studying for the exams, says Jennifer Salzman, a managing director with BDO’s risk advisory services group. “We do take [designations] into account when we hire and do performance evaluations,” says Ms. Salzman.

New York Life requires that all professionals in its risk management department achieve the FRM or PRM within 18 months of their start date and covers the entire cost of the exams as well as any study materials.

We provide “the tangible help in terms of passing the exam,” says Mr. Pell. He also takes certifications into account when determining starting salaries, raises and promotions.

New York Life pays for the cost of materials, classes and exams, and with 70% of the department already holding certifications, mentors are available to those pursuing the designations, Mr. Pell says.

Corrections & Amplifications

Jennifer Salzman is a managing director with the risk advisory services group of BDO Seidman LLP, an accounting firm that is the U.S. member of BDO International Ltd., a global network of independent accounting firms. In an earlier version of this article, Ms. Salzman was incorrectly identified as an employee of BDO International, which was misidentified as an international tax and accounting firm.

Jeremy Greenfield is an editor for FINS.com

Source: http://online.wsj.com/news/articles/SB10001424052702304370304575152212605720290

Techies ride Zim’s internet wave October 25, 2013

Posted by Ishmael Chibvuri in I.T Risk Management.
Developers have little knowledge about how to turn their ideas into dollars, but this is changing.

Zimbabwe has been named as one of the most dynamic countries in the world, with above-average growth in information technology over the past year. (Shepherd Tozvireva)

On the benches outside the pub overlooking the cricket greens at Harare Sports Club, they hunch over laptops, selling ideas as diverse as how to sell cattle and how to help urban dwellers cook traditional meals.

It is a long way from Silicon Valley in California, but, amid a boom in social media use, Zimbabwe is seeing the emergence of a fast-growing start-up scene.

A few years ago Limbikani Makani was a bored IT manager at a nongovernmental organisation. He quit his job and set up TechZim, a tech news website that is hosting a “start-up challenge”, attended by dozens of tech developers.

The interest has grown since the first event, which was held two years ago, reflecting the growing number of developers in Zimbabwe.

“We have created a launch pad for these entrepreneurs, enabling them to accelerate their start-ups to a level where they can make revenue,” Makani says.

Teledensity, the ratio of telephones to the population, stood at 91% in February, a big jump from 14% in 2008. Over the same period, mobile access has risen from about 11% to nearly 100%.

Access to the internet
In 2000, only 0.4% of Zimbabweans had access to the internet. Now the figure has risen to 40%, according to official data.

Usage is also rising as access grows. Opera, one of the world’s largest mobile browsers, says Zimbabwe is one of its fastest growing markets, and had the highest numbers of “page views” in Africa in 2011.

And last week, the International Telecommunications Union named Zimbabwe among 12 “most dynamic countries” in the world that have recorded above-average growth in information and communications technology over the past year.

In the boom, developers are stirring; the numbers are growing, and so is the range of their ideas.

Last year Allister Banks set up RLMS, or the Remote Livestock Marketing System, a start-up that allows trade of livestock online.

“We have traded close to $4-million so far,” Banks says.

Paying lobola via RLMS
On his website Banks invites users abroad to pay their lobola cattle via RLMS. He has a selection of cattle on display on the site, from which, he says, a prospective groom can choose.

“If there is no space in the in-laws’ residence for the cattle, don’t worry. Each animal you choose and buy can be ear tagged, branded, entered into a national database, kept at one of our partner farms, looked after.”

And then there is ZimboKitchen, a service that delivers tutorials such as “how to make plain sadza”, and gives recipes for other popular Zimbabwean dishes such as beef trotters, or muboora, pumpkin leaves stewed in peanut butter.

There is also TestLabs, a service that provides local high school students and teachers with relevant exam revision tools.

Some of the websites and apps are already popular, but the challenge is to help developers make money.

Investors are conservative and hesitate to gamble on start-ups, most of which are run by “green, fresh-out-of-college dreamers”, as one bank chief executive described them.

Free downloads
For now, most of the apps are free to download. Developers themselves have little knowledge about how to turn their ideas into dollars, a gap the likes of Makani are trying to bridge.

“The two sides don’t speak the same language,” he says.

The techies also struggle to be taken seriously.

“Our society demands that you have an actual job,” developer Pardon Muza says, making finger quotes to show his annoyance.

Muza is one of many developers building an online payments site.

“You have to put up with being asked when you’ll get a proper job, wear a tie and work normal hours and stuff.”

But Makani says developers are now increasingly focusing on building services that don’t just sound cool, but bring solutions that can earn them money.

“Initially, we focused on pure innovation in terms of technology and utility, but this has evolved into a more practical approach where strong market potential overrides technology that is used just for the sake of using cool technology,” Makani says.

Source: http://mg.co.za/article/2013-10-18-00-techies-ride-zims-internet-wave/


How to Unlock the Keypad on a BlackBerry Curve February 27, 2013

Posted by Ishmael Chibvuri in I.T Risk Management, Latest Articles!!!.

By an eHow Contributing Writer

Many people depend on their Blackberrys to store information, access media via the Internet, and stay in touch with friends and family. With so much information on these devices, security measures have been put in place to protect the media. One of these measures is a “Lock/Unlock” feature which prevents those who don’t know the password from accessing the keypad. Here is a simple method for unlocking the keypad on your Blackberry Curve.

Moderately Easy

Things You’ll Need:
Blackberry Curve
Computer with Internet access (optional)

Accessing the Blackberry Curve Keypad
1. Access the Blackberry’s main menu.
2. Enter the password in the “Lock/Unlock” screen. The password you enter is the same one chosen in the initial program setup of your Blackberry Curve.
3. Click “Enter” after you’ve entered the code, and your Curve keypad should now be unlocked.

Unlocking the Blackberry Curve Keypad Without a
4. Enter a random code into the “Lock/Unlock” screen on your Blackberry Curve. This is to be done if you can’t remember and/or don’t have a record of your Curve’s password. A message will appear that reads “Incorrect
5. Repeat the process, each time entering another incorrect password. After the tenth incorrect password is entered the internal computer will wipe the Blackberry Curve handset of all its information and unlock the keypad.
6. Clear out of the “Lock/Unlock” screen, and you are now ready to use your Curve. However, the information you had stored on the Blackberry will now be erased. An easy way to safeguard against lost Blackberry information is to back up all files on your PC (Blackberrys are only compatible with the Windows operating system) via the “Desktop Manager” program on your Blackberry Curve.


Information Technology Risk Management Careers April 9, 2011

Posted by Ishmael Chibvuri in Latest Articles!!!, Project Management.

Project Managers

Information technology (IT) is now an essential part of most large corporations and institutions. With this new dependence on IT comes a certain level of risk in terms of both the day-to-day operations of the company’s computers and the security of the data on those computers, particularly any proprietary data.

The introduction of new technology can also have a significant impact on the way a company functions and upon staffing and budgeting. A career in IT risk management will take all of these factors into account when planning corporate- or organization-wide projects.

The main IT risk management careers will be as an IT project manager or as an IT risk management consultant. Depending on which career path is chosen, there are various educational requirements and qualifications which can be obtained. Salary will be based on qualifications and hands-on experience and can range from above average to extremely generous depending on the size of the company. Salary and benefits will also depend on the amount of technology, and therefore the inherent risk, involved in the corporation or institution, and on whether the person is an employee or a special consultant.
