A Closer Look at Vulnerabilities
Sep 8th, 2016 by aperio

In their report on the top connected device threats in 2016, Pwnie Express surveyed over 400 respondents working in information technology and security. Their results are a warning to all businesses:

  • 86% of information security professionals are concerned with connected device threats, with most being more worried about these threats than they were a year ago.
  • 40% report that their organization is “Unprepared” or “Not Prepared At All” to find connected device threats.
  • 37% cannot even tell how many devices are connected to their networks.

(The Internet of Evil Things)

What is the Internet of Things?

In our recent post on Ransomware and the Internet of Things, we briefly discussed what the “Internet of Things” (IoT) is, and how we expect it to become increasingly vulnerable to ransomware. Examples of the IoT include any electronic device that is connected to the internet: cell phones, pacemakers, electronic components in factories, thermostats, cars, and more.

And we can expect the IoT to grow over the next several years. According to a 2016 report on internet security from Symantec, “In the USA, there are 25 online devices per 100 inhabitants, and that is just the beginning. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016, and will reach 20.8 billion by 2020.”

What Kinds of Threats Can Be Expected?

According to Pwnie Express’s report, the major IoT device threats in 2016 will be related to:

  • Unauthorized, accidental, or misconfigured access points;
  • BYOD and the personalization of (formerly) corporate hardware; and
  • Insecure, misconfigured, and vulnerable IoT devices.

Wireless access points can present several vulnerabilities, such as default configurations that were never changed. “Routers, switches, operating systems and even cellphones have out-of-the-box configurations that, if left unchanged, can be exploited by individuals who stay abreast of such things.” (Brad Casey, Techopedia.com)

BYOD (Bring Your Own Device) policies can also leave your organization vulnerable. In addition to making a tempting target for hackers, users of mobile devices are often not as careful as they need to be when downloading apps. Even more worryingly, according to the report The Internet of Evil Things, “Most security professionals are not ready to monitor or detect less-common RF and off-network IoT devices, 87% cannot see Bluetooth devices, and 87% cannot monitor 4G/LTE devices in real time. Additionally, 71% cannot monitor off-network WiFi devices in real time and 56% cannot monitor on-network IoT devices in real time.”

Preparing to Protect Against Vulnerabilities

While many information security professionals seem to be aware of the threats they face from working with mobile devices and the IoT, surprisingly few seem to be prepared for them.

For example, The Internet of Evil Things states that 35% of respondents say that their organization has no BYOD policy in place. Further, while 65% of the respondents report that they have a BYOD policy, only 50% of them actually have a way to enforce these policies. Obviously, unenforced policies are an invitation to non-compliance and do not provide real protection.

While connected devices offer advantages in terms of flexibility for organizations, they also come with great risks. And with attacks still on the rise in 2016, protecting your business is more important than ever.

What is GLBA compliance?
Feb 1st, 2016 by aperio

(Part 7 in our series on IT Compliance Concerns.)
In the earlier posts in our compliance series, we covered SOX, HIPAA, and PCI DSS compliance. Here, we will examine what GLBA compliance is and how it might affect you and your company.

GLBA stands for Gramm-Leach-Bliley Act. This act is also referred to as the Financial Services Modernization Act. The GLBA primarily repealed parts of the Glass-Steagall Act by removing prohibitions against banking, insurance, and securities companies that prevented them from acting as combinations of investment banks, commercial banks, and insurance companies. The GLBA also regulates how financial institutions handle the private information of individuals.

The three sections of the GLBA that cover privacy issues are the financial privacy rule, the safeguards rule, and the pretexting provisions. The financial privacy rule deals with the collection and disclosure of private financial information. The safeguards rule requires financial institutions to implement security provisions to protect private financial information. The pretexting provisions prohibit accessing such information under false pretenses. The GLBA additionally requires financial institutions to provide their customers with privacy notices explaining the institution’s information sharing practices (although this requirement may be modified by legislation passed at the end of 2015).

Which companies are affected by GLBA compliance?
Financial institutions are the companies primarily affected. For example, a retail company would not need to be concerned about complying with GLBA rules, even though they might still have other obligations to protect their customers’ information. According to the University of Cincinnati’s Office of Information Security:

“GLBA covers businesses such as banks, appraisal companies, mortgage brokers, securities firms, insurance companies, credit card issuers, income tax preparers, debt collectors, real estate settlement firms, and other companies that may have self-financing plans… GLBA indicates that any business ‘significantly engaged’ in financial activities is subject to GLBA.”

In addition to this, companies affected by GLBA rules may also require their service providers to follow them.

What are the penalties for failing to comply with GLBA?
There are severe civil and criminal penalties for noncompliance. These can include both fines and imprisonment. And it is not just the companies that can be penalized. Officers and directors can also face these penalties.

A financial institution violating GLBA rules may face:

●    Civil penalties of not more than $100,000 per violation.
●    Officers and directors of such a financial institution will be subject to, and personally liable for, a civil penalty of not more than $100,000 per violation.
●    Such an institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both.

What does a business need to do to comply with GLBA?
Remember that compliance cannot be handled by your IT department alone. GLBA requires executive management to participate in responsibility for compliance.

Your company will need to:

●    keep your information security policies up-to-date;
●    devote resources to continually identify potential risks;
●    follow GLBA provisions for the release of both public and private information;
●    be aware of whether it is necessary to provide annual privacy notifications;
●    monitor the actions of third-party service providers;
●    encrypt data;
●    keep careful track of when it is time to destroy data; and
●    possibly hire a lawyer or consultant to help with complexities.

Coming soon: Part 8 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About GLBA Compliance?”

To learn more about GLBA and related issues:

●    Gramm-Leach-Bliley Act definition.

Other posts in this series:
●    Part 1: Making Sure Your Business is SOX Compliant
●    Part 2: What Does Your IT Team Need to Know About SOX Compliance?
●    Part 3: What Does HIPAA Mean?
●    Part 4: What Does Your IT Team Need to Know About HIPAA Compliance?
●    Part 5: Is Your Company PCI Compliant?
●    Part 6: What Does Your IT Team Need to Know About PCI DSS Compliance?

If you want to know more about what GLBA stands for and what it requires, feel free to contact us. We will assist you.
