

Most Popular Blog Posts of 2019

Now that we have closed the books on 2019, let's take a few minutes to review the most popular blogs we posted in the past year. Below is a list of our 10 most viewed 2019 blog posts. Catch up on any you missed!


1. Four Steps to Better Business Continuity Plan Testing

Always Remember to Plan Ahead

Your organization's critical business processes can be disrupted for a variety of reasons, many of them beyond your control. If a disruption does occur, it's extremely important that your organization has a plan in place to address the resulting issues and ensure that it is still able to serve its customers.

However, if you've never enacted your Business Continuity Plan (BCP), it's hard to be confident that the plan will be sufficient. Testing helps you continuously improve your ability to recover from a range of scenarios. Follow these steps to build a better BCP testing program and ensure you are prepared for any situation.

Read the post here.



2. FTC Proposes Changes to GLBA Safeguards Rule


The Gramm-Leach-Bliley Act (GLBA) was passed in 1999, and the Federal Trade Commission (FTC) followed it with the Privacy Rule in 2000 and the Safeguards Rule in 2002, requiring financial institutions to document and implement an Information Security Program to protect customer information. The 15+ years since have been spent making sure financial institutions in the United States are adequately protecting customer information through examinations, assessments, and tests.

Since GLBA and the Safeguards Rule are now old enough to drive, the first major changes to these rules have been proposed. On March 5, 2019, the FTC announced proposed revisions to the Safeguards Rule, including an expansion of the companies covered by the Rule and a requirement for specific controls to secure customer information, including encryption and multi-factor authentication.

Read the blog here.



3. A Review of the New FFIEC BCM Booklet


As you may have already seen, the FFIEC issued a press release on November 14, 2019, announcing the new Business Continuity Management (BCM) Booklet. Major updates to FFIEC booklets usually raise many questions about what changed, whether there are new requirements, or even whether your current Business Continuity Plan has fallen out of compliance with the new release.

Don’t worry – we’ve got you covered. We’ll dig into all of the important changes to the FFIEC Business Continuity Management Booklet and answer your burning questions.

Read the blog here.



4. Vendor Management: How Should I Categorize My Vendors?


Think about the average user in your organization. What percentage of the time are they using a third-party vendor's product or service? How much of your day-to-day work is performed using at least partially outsourced products and services? From the vendor that supplies your hardware and networking equipment, to the operating system on each PC, to the additional software installed on workstations and servers, to the vendor that supports that software, a third-party vendor is potentially involved at every step.

With so many vendors involved in your operations, any critical function or information asset in your organization could be at least partially dependent on the regular, secure, and consistent operation of a particular third-party vendor's product or service. A responsible organization needs an effective vendor management program to understand its outsourcing risk. That program can be a headache or an asset, depending on how well you manage it.

Read the blog here.



5. What Documentation Should You Review for a Critical Vendor?


How do you get assurance that a vendor is properly protecting your confidential customer information? Short of physically auditing or inspecting the vendor yourself, the best way to gain confidence in a vendor's security posture is by gathering security-related documentation. So what types of documentation should you be looking for? Let's dive into the two major components of vendor documentation to review: due diligence documentation and contracts.

Read the blog here.



6. SOC 2 vs. SOC for Cybersecurity Reports

If you've been involved in any sort of vendor review process at your organization, you've surely heard of, or had the pleasure of reviewing, a SOC (System and Organization Controls) report. There are actually several types of SOC reports, including SOC 1, SOC 2, and SOC 3, as well as the newest member of the team, the SOC for Cybersecurity. While each report has its own purpose, we're going to dive into the difference between the SOC 2 and SOC for Cybersecurity reports. Specifically, we'll look at the purpose of and differences between these two reports, and which one your organization should be requesting during your next vendor review.

Read the blog here.



7. Microsoft Office 365 Security Suggestions


If you have been wondering whether Microsoft Office 365 is safe to use, especially since it is cloud-based, you aren't alone! It is a topic we get asked about frequently. To help put your mind at ease, we put together a list of Microsoft Office 365 security suggestions to help your organization practice strong security and mitigate risk. The tips provided will improve the overall security of your Office 365 tenant.

Read the blog here.



8. Technology Service Provider Contracts (FIL-19-2019)


You might think you have vendor management and business continuity figured out, but don't be so sure. The FDIC's Financial Institution Letter FIL-19-2019 highlights observations from recent examinations revealing that financial institutions may be unaware of the gaps that often exist between a technology service provider's contract and the institution's own expectations. To understand the institution's risks, contracts should be reviewed for business continuity and incident response language. Long-term and automatically renewing contracts are at higher risk for these coverage gaps.

Read the blog here.



9. Eight Emergency Preparedness Testing Scenarios

Engage your team and test your emergency preparedness with eight testing scenarios. The scenarios cover a variety of situations, including a malware attack, unknown media, physical security, a power outage, a ransomware attack, and a website hack.

Each scenario includes:
- Ground Rules
- Documentation
- Scenario
- Discussion Questions
- Injects (additional information pertaining to the situation)
- Lessons Learned Follow-Up Discussion Questions

Read the blog here.



10. Threat Advisory - Consumer Account Takeover: Credential Stuffing


SBS CyberSecurity has been made aware of a credential stuffing attack affecting financial institutions. This attack targets consumer bank accounts and has resulted in financial losses. The frequency of these attacks has increased over the past couple of months, and the attack itself is difficult to detect, as it does not readily appear on SIEM, IDS, or IPS reports: each attempt is an ordinary-looking login failure against a different account, so per-account lockout and brute-force rules rarely fire.

Read the blog here.
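The detection gap described above, as an added example that is not part of the original advisory or of SBS CyberSecurity's tooling: the script below runs a per-source check and a fleet-wide check over constructed web-application login records. The log format (timestamp, source IP, username, result), the addresses, the usernames and the thresholds are all assumptions made for the example. The per-source check separates a stuffing run (many distinct usernames, roughly one attempt each, so no lockout fires) from classic brute force (one username, many attempts), and reports any successful login inside a stuffing run as an account-takeover candidate. The fleet-wide check counts distinct accounts failing per time window, which is the signal that survives when the attacker spreads attempts across many proxies so that no single IP crosses a per-source threshold.

```python
"""Credential-stuffing detection over web-application login records.

Added example for this post; it is not code from the SBS CyberSecurity
advisory. The log format ('timestamp source_ip username result'), the
addresses, usernames and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one normal user (alice), a credential-stuffing run from
# 198.51.100.7 (ten different accounts, one try each, one of them succeeds),
# and a classic brute-force run from 192.0.2.44 (one account, ten tries).
SAMPLE_LOG = """\
2019-12-02T08:00:01 203.0.113.10 alice FAIL
2019-12-02T08:00:04 203.0.113.10 alice OK
2019-12-02T08:00:09 198.51.100.7 bob FAIL
2019-12-02T08:00:10 198.51.100.7 carol FAIL
2019-12-02T08:00:11 198.51.100.7 dave FAIL
2019-12-02T08:00:12 198.51.100.7 erin FAIL
2019-12-02T08:00:13 198.51.100.7 frank OK
2019-12-02T08:00:14 198.51.100.7 grace FAIL
2019-12-02T08:00:15 198.51.100.7 heidi FAIL
2019-12-02T08:00:16 198.51.100.7 ivan FAIL
2019-12-02T08:00:17 198.51.100.7 judy FAIL
2019-12-02T08:00:18 198.51.100.7 mallory FAIL
2019-12-02T08:10:00 192.0.2.44 admin FAIL
2019-12-02T08:10:01 192.0.2.44 admin FAIL
2019-12-02T08:10:02 192.0.2.44 admin FAIL
2019-12-02T08:10:03 192.0.2.44 admin FAIL
2019-12-02T08:10:04 192.0.2.44 admin FAIL
2019-12-02T08:10:05 192.0.2.44 admin FAIL
2019-12-02T08:10:06 192.0.2.44 admin FAIL
2019-12-02T08:10:07 192.0.2.44 admin FAIL
2019-12-02T08:10:08 192.0.2.44 admin FAIL
2019-12-02T08:10:09 192.0.2.44 admin FAIL
2019-12-02T08:20:00 203.0.113.10 alice OK
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def _windows(evs, window):
    """Yield, for each event, the maximal slice of time-sorted events starting
    there that fits inside `window` (two-pointer sliding window)."""
    end = 0
    for start in range(len(evs)):
        while end < len(evs) and evs[end][0] - evs[start][0] <= window:
            end += 1
        yield evs[start:end]


def classify_sources(events, window=timedelta(minutes=5),
                     min_attempts=8, min_users=5):
    """Per-source check. Returns {ip: finding} for sources whose busiest window
    holds at least `min_attempts` logins. Many distinct usernames means
    credential stuffing; one username hammered repeatedly means brute force.
    Successful logins inside the flagged window are listed as takeover candidates."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        best = None
        for chunk in _windows(evs, window):
            if len(chunk) < min_attempts:
                continue
            users = {e[2] for e in chunk}
            if len(users) >= min_users:
                kind = "credential_stuffing"
            elif len(users) == 1:
                kind = "brute_force"
            else:
                continue
            finding = {
                "kind": kind,
                "attempts": len(chunk),
                "distinct_users": len(users),
                "successes": sorted({e[2] for e in chunk if e[3] == "OK"}),
            }
            if best is None or finding["attempts"] > best["attempts"]:
                best = finding
        if best:
            findings[ip] = best
    return findings


def peak_distinct_failing_accounts(events, window=timedelta(minutes=5)):
    """Fleet-wide check for distributed stuffing: the largest number of distinct
    accounts that failed a login inside any single window, ignoring source IP."""
    fails = [e for e in events if e[3] == "FAIL"]
    return max((len({e[2] for e in chunk}) for chunk in _windows(fails, window)),
               default=0)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, finding in classify_sources(events).items():
        print(ip, finding)
    print("peak distinct failing accounts per window:",
          peak_distinct_failing_accounts(events))
```

On the sample, 198.51.100.7 is reported as credential stuffing with `frank` as the account to investigate, 192.0.2.44 as brute force, and alice's normal activity is not flagged. The thresholds are placeholders; a password reset campaign or a mobile app outage also produces many distinct failing accounts, so in practice the fleet-wide count should be compared against a rolling baseline for the institution rather than a fixed number, and the per-source check should additionally key on user agent or session fingerprint, since stuffing tools rotate IPs more readily than they rotate the rest of the request.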


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet monthly to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, January 8, 2020
Categories: Blog