Malware

In the past, viruses were created with the sole purpose of wreaking havoc on the infected systems. A large fraction of today’s malware, on the other hand, are designed to generate revenues for the creator. Spyware, botnets, and keyloggers steal information from your system or control it so that someone else can profit. In other words, the motivation for making them is now more attractive than before.

Keyloggers can reveal your usernames, passwords, PIN numbers, and other authentication information to their creators by recording your key strokes. This information can then be used for breaking into various accounts: credit cards, payment programs (like PayPal), online banks, and others. You’re right, keyloggers are among the favourite tools of individuals involved in identity theft.

Much like the viruses of old, most present day malware drain the resources, such as memory and hard disk space, of contaminated systems; sometimes forcing them to crash. They can also degrade network performance and in extreme cases, may even cause a total collapse.

If that’s not daunting enough, imagine an outbreak in your entire organisation. The damage could easily cost your organisation thousands of euros to repair. That’s not even counting yet the value of missed opportunities.

Entry points for malware range from optical disks, flash drives, and of course, the Internet. That means, your doors could be wide open to these attacks at this very moment.

Now, we’re not here to promise total invulnerability, as only an unplugged computer locked up in a vault will ever be totally safe from malware. Instead, this is what we’ll do:

  • Perform an assessment of your computer usage practices and security policies. Software and hardware alone won’t do the trick.
  • Identify weak points as well as poor practices and propose changes wherever necessary. Weak points and poor practices range from the use of perennial passwords and keeping old, unused accounts to poorly configured firewalls.
  • Install malware scanners and firewalls and configure them for maximal protection with minimal effect on network and system performance.
  • Implement regular security patches.
  • Conduct a regular inspection on security policy compliance as well as a review of the policies to see if they are up to date with the latest threats.
  • Keep an audit trail for future use in forensic activities.
  • Establish a risk management system.
  • Apply data encryption where necessary.
  • Implement a backup system to make sure that, in a worst case scenario, archived data is safe.
  • Propose data replication so as to mitigate the after effects of data loss and to ensure your company can proceed with ‘business as usual’.

Once we’ve worked with you to make all these happen, you’ll be able to sleep better.

Other defences we’re capable of putting up include:

Check our similar posts

What GDPR Means in Practice for Irish Business

The General Data Protection Regulation (GDPR) is a European directive aimed at ring-fencing consumer data against illegal or unnecessary access. There is nothing to discuss or debate with local politicians, or the Irish Data Protection Commissioner for that matter. As a European directive, it has over-riding power. To obtain an English version, please visit this link, and select ?EN? from the table of languages.

As you reach for your tea, coffee or Guinness after sighting it, you will be glad to know the Irish Data Protection Commissioner has the lead in turning this into business English we understand. The following diagram should assist you to obtain a quick overview of the process we all have to go through. In this article, we briefly describe what is inside Boxes 1 to 12. The regulation comes into force on 25 May 2018 so we have less than a year to get ready.

The 12 Essential Steps to Implementing the General Data Protection Act

1. Create awareness among your people of what is coming their way. The GDPR has given our regulator discretion to dish out fines up to ?20,000,000 (or 4% of total annual global turnover, whichever is greater) so there is determination to make this happen.

2. Become accountable by understanding the consumer data you hold. Why are you retaining it, how did you obtain it, and why did you originally collect it. Now you know it is there, how much longer will you still need it? How secure is it in your hands, have you ever shared it?

3. Open a communication channel with your staff, your customers, and anyone else using the data. Share how you feel about how accountable you have been with the information in the past. Explain how you plan to comply with the GDPR in future, and what needs to change.

4. Understand the personal privacy entitlement of the subjects of the information. They have rights to access it, correct mistakes, remove information, restrict its use, decline direct marketing, and copy it to their own files. What needs to change in your systems to assure these rights?

5. Issue a policy for allowing consumers access to their information you hold. You must process requests within a month, and you may not charge for the service unless your cost is excessive. You may decline unfounded or excessive demands within your policy guidelines.

6. Adapt to the requirement that you must have a legal basis for everything you do with, and to consumer data. You need to be in a position to justify your actions to the Irish Data Protection Commissioner in the event of a complaint. Having a legitimate interest is no longer sufficient.

7. Ensure that consumer consent to collect, use, and distribute their data is ?freely given, specific, informed, and unambiguous.? From 25 May 2018 onward, this consent will be your only ground to do so. You cannot force consent. Your benchmark becomes what the GDPR says.

8. Issue rules for managing data of underage subjects. This is currently under review and we are awaiting results. Put systems in place to verify age. Set triggers for where guardians must give consent. Make sure age is verifiable. Use language young people understand.

9. Introduce a culture of openness and honesty, whereby breaches of the GDPR are detected, reported, investigated, and resolved. You will have a duty to file a GDPR report with the Data Protection Commissioner within 72 hours, thus it is important to fast track the process.

10. Introduce a policy of conducting a privacy assessment before taking new initiatives. The GDPR calls for ?privacy by deign?, and we need to engineer it in. This may be the right time to appoint a data controller in your company, and start implementing the GDPR while you have time.

11. You may also need to appoint a data protection officer depending on the size of your business. Alternatively, you need to add managing data protection compliance to an employee?s duties, or appoint an external data-protection compliance consultant.

12. Finally, and you will be glad to know this is the end of the list, the GDPR has an international flavour in that multinational organisations will report into the EU Lead Supervisory Authority. This will manage the process centrally while consulting national data authorities.

The GDPR is a project we all need to complete. If we are out of line, it is in our interests to get things straightened out. Once everything is in place, the task should not be too onerous. Getting there could be the pain.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
2015 ESOS Guidelines Chapter 6 – Role of Lead Assessor

The primary role of the lead assessor is to make sure the enterprise?s assessment meets ESOS requirements. Their contribution is mandatory, with the only exception being where 100% of energy consumption received attention in an ISO 50001 that forms the basis of the ESOS report.

How to Find a Lead Assessor

An enterprise subject to ESOS must negotiate with a lead assessor with the necessary specialisms from one of the panels approved by the UK government. This can be a person within the organisation or an third party. If independent, then only one director of the enterprise need countersign the assessment report. If an employee, then two signatures are necessary. Before reaching a decision, consider

  • Whether the person has auditing experience in the sector
  • Whether they are familiar with the technology and the processes
  • Whether they have experience of auditing against a standard

The choice rests on the enterprise itself. The lead assessor performs the appointed role.

The Lead Assessor?s Role

The Lead Assessor?s main job is reviewing an ESOS assessment prepared by others against the standard, and deciding whether it meets the requirements. They may also contribute towards it. Typically their role includes:

  • Checking the calculation for total energy consumption across the entire enterprise
  • Reviewing the process whereby the 90% areas of significant consumption were identified
  • Confirming that certifications are in place for all alternate routes to compliance chosen
  • Checking that the audit reports meet the minimum criteria laid down by the ESOS system

Note: A lead assessor may partly prepare the assessment themselves, or simply verify that others did it correctly.

In the former instance a lead assessor might

  • Determine energy use profiles
  • Identify savings opportunities
  • Calculate savings measures
  • Present audit findings
  • Determine future methodology
  • Define sampling methods
  • Develop audit timetables
  • Establish site visit programs
  • Assemble ESOS information pack

Core Enterprise Responsibilities

The enterprise cannot absolve itself from responsibility for good governance. Accordingly, it remains liable for

  • Ensuring compliance with ESOS requirements
  • Selecting and appointing the lead assessor
  • Drawing attention to previous audit work
  • Agreeing with what the lead assessor does
  • Requesting directors to sign the assessment

The Environment Agency does not provide assessment templates as it believes this reduces the administrative burden on the enterprises it serves.

Spreadsheet Risks in Banks

No other industry perhaps handles such large volumes of critical financial data more than the banking industry. For decades now, spreadsheets have become permanent fixtures in the front-line reporting tool sets of banks, providing organised information when and where needed.

But as banks enter into a period of heightened credit risks, elevated levels of fraud, and greater regulatory scrutiny, many are wondering if continued reliance on spreadsheets is a wise decision for banks today.

The downfall of Lehman Brothers which eventually led to its filing for Chapter 11 bankruptcy protection on September 15, 2008, served as a wake up call for many institutions across the globe to make a serious examination of their own risk management practices. But would these reforms include evaluating the security of user developed applications (UDAs), the most common of which are spreadsheets, and putting specific guidelines as to when they can – or cannot be – used?

Banks and Spreadsheet Use

Banks have been known to utilise spreadsheets systems for many critical functions because most personnel are well-acquainted with them, and the freedom of being able to develop customised reports without needing to consult with the IT department offers flexibility and convenience. In fact, more than having a way to do financial budgeting and analysing customer profitability, even loan officers and trade managers have become reliant on spreadsheets for risk management reporting and for making underwriting decisions.

But there are more than a few drawbacks to using spreadsheets for these tasks, and the sooner bank executives realise these, the sooner they can adopt better solutions.

General Limitations

Spreadsheets are far from being data base systems and yet more often than not, they are expected to act as such, with figures constantly added and formulas edited to produce the presumably right set of reports.

In addition, data integrity is always a cause for concern as most values in spreadsheets are entered as manual inputs. Even the mere misplacement of a comma or a negative sign, or an inadvertent ?edit? to a formula can also be a source of significant changes in the outcome.

Confidentiality risk is also another drawback of the use of spreadsheets in banks as these tools do not have adequate?access controls to limit access to only authorised individuals. Pertinent financial information that fall into the wrong hands can lead to a whole new set of problems including the possibility of fraud.

Risks in Trading

For trading transactions, spreadsheets can prove to be of immense use – but only for small market volumes. As trade volumes increase and the types vary, spreadsheets are no longer a viable solution and may likely become more of a hindrance, with calculations taking longer in the face of bigger transaction amounts and growing transaction data.

And in trading, there is always the need for rigorous computational functions. Computing for the Value at Risk (VaR) for large portfolios for instance, is simply way beyond the capabilities of spreadsheets. Banks that persist in using them are increasing the risk of loss on those portfolios. Or, they can be opening up?opportunities for fraud?as Allied Irish Bank (in the case of John Rusnak – $690 million) learned the hard way.

Risks in Underwriting

Bankers who use spreadsheets as their main source of information for underwriting procedures also face certain limitations. Loan transactions require that borrowers? financial data be centralised and easily accessible to risk officers and lending officers involved in making decisions. With spreadsheets, there is no simple and secure way of doing that. Information can be pulled from different sources – individual tax returns, corporate tax documents, partnership documents, audited financial statements – hence there is difficulty in verifying that these reports adhere to underwriting policies.

Spreadsheet control and monitoring

Financial institutions which are having difficulty weaning themselves from the convenience and simplicity that spreadsheets offer are looking for possible control solutions. Essentially, they want to find ways that allow them to continue using these UDAs and yet somehow eliminate the?spreadsheet risks?and limitations involved.

Still, the debate goes back and forth on whether adequate control measures can be implemented on spreadsheets so that that the risks are mitigated. Many services have come forward to herald innovative solutions for better spreadsheet management. But at the end of the day, there really is no guarantee that such solutions would suffice.

More Spreadsheet Blogs


Spreadsheet Risks in Banks


Top 10 Disadvantages of Spreadsheets


Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry


How Internal Auditors can win the War against Spreadsheet Fraud


Spreadsheet Reporting – No Room in your company in an age of Business Intelligence


Still looking for a Way to Consolidate Excel Spreadsheets?


Disadvantages of Spreadsheets


Spreadsheet woes – ill equipped for an Agile Business Environment


Spreadsheet Fraud


Spreadsheet Woes – Limited features for easy adoption of a control framework


Spreadsheet woes – Burden in SOX Compliance and other Regulations


Spreadsheet Risk Issues


Server Application Solutions – Don’t let Spreadsheets hold your Business back


Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today