Friday, August 31, 2012

Cyber Safety Month: The Un-Crackable Password



How easy is it to hack into a bank’s digital assets? It should be pretty difficult, right? Compared to a federal bank, how secure is your company? Depending on who you have on staff, the answers might be surprising.

Hackers and data miners are the bank robbers of the new millennium. Ever since the dawn of the internet revolution, the world’s corporations have been at risk of losing money to these new cyber criminals. It’s an issue that is covered with some regularity by the healthcare industry, but 2012 has seen an increase in interest from the nation’s financial firms. IT experts, CSOs, and company owners are all asking the same question: What is keeping our investment safe, and how much danger are we really in?

9 times out of 10, the fate of your company’s financial data lies in the hands of a single word.

The simple password has been a staple of digital security from the very beginning, but the methods for creating the best security have changed drastically over the years. Remember when we were all advised to throw in the occasional capital letter, exclamation point, or string of numbers?

Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy-to-remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.

Wait, what?

As it turns out, the techniques that the best hackers use to break into your company’s finances are designed to tackle random strings of letters and numbers. Chances are, if you randomly typed six letters and numbers on your keyboard as a password, a hacker could infiltrate your company within 1 month of trying. 

From Baekdal
Instead, security experts are suggesting combinations of random words. By putting three words together, like LightbulbChairWindow, you create a password which is effectively un-crackable. Unfortunately, a smart hacker can just as easily get into your company’s vault by simply asking the right person.

So what is the solution? A group of scientists and security experts got together at this year’s USENIX Security Symposium to present a password so secure, even the users don’t know what it is.
The method is based on something called “implicit learning,” the fact that human beings can learn things without being conscious of it. Think of riding a bike—you can do it effortlessly, but you’d be hard-pressed to explain how. Stroke victims or Alzheimer’s sufferers can learn things implicitly even when their explicit memory is severely damaged.
The new method involves training company users to execute a specific string of characters by typing them out on a keyboard. After numerous repetitions, they become faster at typing that string, but there are too many characters in it for it to be committed to memory. Now, when asked to type a longer string of random characters which includes the password, they will automatically type the password string more quickly. The speed at which they type, rather than the keyword itself, tells the computer that they have access. It’s a complex and somewhat confusing strategy, but it seems to work.
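The decision rule described above, as an added sketch that is not code from the original post or from the researchers' system: it compares typing speed on the trained string with speed on the surrounding filler. The secret, challenge, threshold, minimum sample count and timing data are all constructed assumptions.

```python
from statistics import mean

SECRET = "skdjflskdj"          # constructed; a real trained sequence would be far longer
CHALLENGE = "ldfjks" + SECRET + "jdlskf" + SECRET + "fksldj"
THRESHOLD = 0.10               # assumed: require >= 10% faster on trained keys
MIN_SAMPLES = 10               # assumed: refuse to decide on too little data

def trained_mask(challenge, secret):
    """True for every position that lies inside an occurrence of the trained string."""
    mask = [False] * len(challenge)
    start = challenge.find(secret)
    while start != -1:
        for i in range(start, start + len(secret)):
            mask[i] = True
        start = challenge.find(secret, start + len(secret))
    return mask

def speedup(challenge, secret, intervals_ms):
    """Relative speed advantage on trained keys (0.0 = none, 0.25 = 25% faster)."""
    if len(intervals_ms) != len(challenge):
        raise ValueError("need exactly one inter-key interval per challenge character")
    mask = trained_mask(challenge, secret)
    trained = [t for t, m in zip(intervals_ms, mask) if m]
    filler = [t for t, m in zip(intervals_ms, mask) if not m]
    if len(trained) < MIN_SAMPLES or len(filler) < MIN_SAMPLES:
        raise ValueError("too few samples to compare trained and filler keys")
    return 1.0 - mean(trained) / mean(filler)

def authenticate(challenge, secret, intervals_ms):
    """Accept only when the trained string is typed measurably faster than filler."""
    return speedup(challenge, secret, intervals_ms) >= THRESHOLD

def sample_session(trained_ms, filler_ms):
    """Constructed timing data: fixed base times plus a small deterministic jitter."""
    mask = trained_mask(CHALLENGE, SECRET)
    return [(trained_ms if m else filler_ms) + (i % 3) * 5 for i, m in enumerate(mask)]

if __name__ == "__main__":
    enrolled = sample_session(140, 200)   # user who practiced the string
    stranger = sample_session(200, 200)   # types everything at the same pace
    for name, session in (("enrolled", enrolled), ("stranger", stranger)):
        print(name, round(speedup(CHALLENGE, SECRET, session), 3),
              authenticate(CHALLENGE, SECRET, session))
```

Because the decision is statistical, the threshold trades false accepts against false rejects and has to be tuned on measured sessions.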

For more information on the un-crackable password, click here.

For more of Merrill Corporation’s Cyber Security Month, click here.

-------------------------------------------------------------------------------------------------------------


Merrill Corporation is proud to offer XBRL Complete, a suite of services that meets - and has options to exceed – the mandated requirements for XBRL for mutual funds. For more information, please click here or call 866-367-9110.

Friday, August 24, 2012

Cyber Security Month: How Safe Are America’s Banks?


Over the past few weeks, we’ve pointed out that GRC (Governance, Risk, and Compliance) and ERM (Electronic Risk Management) have become major talking points in the finance industry. The heads of US financial institutions have been going out of their way to track down GRC experts, and reliance on compliance-friendly services has increased dramatically. A new report from Global Finance may explain why. FierceFinance.com took a look at the Global Finance list.
Indeed, Global Finance takes a look at the top 50 safest banks in the world. Unfortunately, there are only five U.S. banks in the top 50, and the highest ranking U.S. bank, Bank of New York Mellon, comes in at 29. Of the big national consumer banks, only Wells Fargo made the list, ranking 48, behind CoBank ACB, U.S. Bancorp, and Northern Trust.
Unfortunately, the data doesn’t look any better when you remove the 'global' element. According to Global Finance, “Canadian banks are the best performing in North America with seven banks in the top 50 compared to five from United States.”

The major threats making US banks unstable are in the realm of online crime and a lack of digital security. For example, US banks are being targeted by increasing numbers of international hackers referred to as ‘phishers.’ This particular strategy of cybercrime involves building a clone of an online bank portal in an effort to trick users into supplying their account information. American banks have spent $3.3 Million this year in an effort to cull the threat. Another study, by KPMG, discovered that simply publishing a website is enough to give hackers all the tools they need to take down a financial institution.

The old adage goes, “Things need to get worse, before they get better.” These days, “worse” doesn’t seem too appealing. Join us next week, as we look at a few of the ways that banks are skipping the darkest, and heading straight for the dawn.


Saturday, August 18, 2012

It’s a Dangerous World for Finance


If recent headlines have anything to say, it’s that the finance industry is in the middle of the security Dark Ages. As we’ve mentioned recently, risk management is on the top of everyone’s minds, and cyberspace is once again an industry buzzword. Unlike the 90’s, the internet is now being seen as less of a profitable frontier, and more of a criminal battleground.

When you think about it, even the term ‘risk management’ is pessimistic. Risk can never be truly eliminated; only managed. In the electronic world, that means IT security, ERM (Electronic Risk Management), and data. Unfortunately for the banks of the world, according to ZDNet and ICT security market analyst Ang Poon-Wei, they’re going about it all wrong.
Risk management policies should be more "strategic and proactive", instead of "tactical and fear-driven", according to security watchers, who note despite the growing awareness over the importance of IT security, its approach can still be improved.

According to Ang Poon-Wei, ICT security market analyst at IDC, in the past, due to the costs incurred by IT security, many organizations often leave it out of discussions until the last minute or unless it is mandatory for government, risk and compliance. Today, the need to include IT Security in risk management discussions is becoming apparent to organizations of all sizes and verticals, he noted.
So what are these “proactive” strategies banks are supposed to be using?

Join us next week, as we begin CyberSecurity Month: a four-week blog series investigating the state of financial security in an online world. We’ll be taking a look at some of the biggest headlines in the financial ERM world, and exploring how those security tactics and failures can help make your financial institution a safer place.


Tuesday, August 14, 2012

Forbes Study Reveals: GRC is Top of Mind


Forbes recently released the results of a survey showing the amount of resources that financial companies are devoting to risk management. After the financial crisis that took hold of the country in 2008, what they found shouldn’t be too surprising.

Most of the 192 U.S. executives from consumer and industrial products, life sciences, healthcare and technology/media/telecommunications industries that were surveyed said their organizations were looking at reorganizing and [reprioritizing] their approach to risk within the next 12 months; a whopping 91 percent reported that they plan to reorganize their approach to risk management over the next three years.

What is the cause of this new business priority? Volatility. Forbes’ report shows increased volatility across 11 key risk areas. Perhaps unsurprisingly, financial, strategic, and operating risks were of the highest concern. The Forbes report is free to download, and should be required reading for anyone in the finance or compliance industry.

Click here to register and download the Forbes White Paper, and click here for more information on GRC from Merrill Corp Financial Experts.


Friday, August 3, 2012

GRC Gains Academic Momentum


“In the years since the passage of the Sarbanes-Oxley Act in 2002, people liked to joke that the real name of the act was the accounting professionals full-employment act,” says Fierce Compliance IT, in a recent news brief. Today, compliance and risk management have become key cornerstones in almost any business model, particularly in the finance sector.

At Merrill Corporation, we’ve always kept a close eye on GRC, and we couldn’t help but notice when the country’s first academic course in corporate compliance was announced at the University of Houston. Fierce Compliance delved a little deeper into what this means for the industry.

So we're seeing more in the manner of enterprise risk management courses and seminars as well as new specializations in financial risk management. In the U.S. anyway, this trend has been firmly underway for years. In September 2010, for example, Harvard Business School launched a new executive education program, Risk Management for Corporate Leaders: Integrating Best Practices for Superior Strategy Execution, "to help senior executives understand the importance and necessity of robust risk management systems to the long-term success of their organizations."

What is the cause of this sudden interest? The long-lasting financial crisis, for one. Experts are predicting that the echoes of this crisis will keep GRC experts in the ‘highly-desirable’ category for years to come.
