to employees. Second, it’s possible to protect the rest of the network from compromised desktops and laptops by segmenting the network and implementing strong authentication between user networks and anything of importance.

Mortakis ties this to the principle of least privilege: no user should be assigned administrative access unless it is absolutely needed. “If someone isn’t in human resources, they shouldn’t have access to HR files,” he explains. “In addition, there should be controls in place to alert you when an employee tries to access files they shouldn’t.”

Another issue that comes with employees is that they want to use their own devices to access data. “There isn’t a complete solution to this issue,” Mortakis says. But there are some steps that can reduce the risk. “With data logging, you know when something has been downloaded, and remote-access controls can stop them from being able to download specific types of files.”

Another area of concern is vendors, contractors, and other partners who use or have access to your company’s data. “Vendors entrusted with critical data need to have secure storage facilities with access controls, corporate security policies and testing, and certification, such as a Service Organization Controls (SOC) audit,” Moody says. “You need to ask probing questions and have written agreements on standards that are to be maintained.”

IT Solutions

Of course, some steps are best left to the professionals, beginning with automatically applying critical security patches (software fixes for vulnerabilities that have been identified in a product) or updates to all systems and applications by investing in a patch-management solution. Patch management is the process of determining which patches should be applied to which systems and applications, and when. Many vulnerabilities are remediated simply by applying the latest patches to existing systems.
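The two controls Mortakis describes, restricting each department’s files to that department’s staff and alerting when someone reaches outside it, are easy to express in code. The following Python is an added example written for this article, not code from ILG or from the article itself; the department names, share paths, user directory and the access-log line format are all constructed for illustration.

```python
"""
Added example (not from the article): a least-privilege check for
departmental file shares, plus an alert when a user tries to read a
share outside their own department. Departments, share paths, users
and the log format are assumptions made for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Hypothetical mapping of share path prefix -> department that owns it.
SHARE_OWNER: Dict[str, str] = {
    "/shares/hr/": "hr",
    "/shares/finance/": "finance",
    "/shares/sales/": "sales",
}

# Hypothetical user directory: user -> department.
USER_DEPT: Dict[str, str] = {
    "alice": "hr",
    "bob": "sales",
    "carol": "finance",
}

# Administrative access is granted only when absolutely needed, so this
# set is empty by default and must be populated deliberately.
ADMINS: set = set()


def owning_department(path: str) -> Optional[str]:
    """Return the department that owns a path, or None if it is not a controlled share."""
    for prefix, dept in SHARE_OWNER.items():
        if path.startswith(prefix):
            return dept
    return None


def is_permitted(user: str, path: str) -> bool:
    """Least privilege: a user may read only their own department's share.
    Anything outside a known share is denied by default."""
    if user in ADMINS:
        return True
    dept = owning_department(path)
    if dept is None:
        return False
    return USER_DEPT.get(user) == dept


class Alert(NamedTuple):
    timestamp: str
    user: str
    path: str
    share_dept: str


# Constructed access-log lines in an assumed
# "<timestamp> user=<name> action=<verb> path=<path>" format.
SAMPLE_LOG = """\
2016-05-03T09:12:01Z user=alice action=read path=/shares/hr/salaries.xlsx
2016-05-03T09:15:44Z user=bob action=read path=/shares/sales/q2-pipeline.xlsx
2016-05-03T09:16:10Z user=bob action=read path=/shares/hr/salaries.xlsx
2016-05-03T09:20:00Z user=carol action=read path=/shares/finance/ledger.csv
2016-05-03T09:21:30Z user=carol action=read path=/shares/hr/terminations.docx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def find_violations(log_text: str) -> List[Alert]:
    """Replay the access log through the permission check and collect
    every access that should have been denied, which is what the
    'alert when an employee tries to access files they shouldn't'
    control reports on."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        user, path = m["user"], m["path"]
        if not is_permitted(user, path):
            alerts.append(Alert(m["ts"], user, path, owning_department(path) or "unknown"))
    return alerts


if __name__ == "__main__":
    for a in find_violations(SAMPLE_LOG):
        print(f"ALERT {a.timestamp}: {a.user} ({USER_DEPT.get(a.user)}) "
              f"read {a.path}, owned by {a.share_dept}")
```

Run as a script it prints one alert each for bob and carol reaching into the HR share. The same `is_permitted` function serves both purposes: enforced at access time it is the least-privilege control, and replayed over the log afterwards it is the detection control.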
In addition, you must regularly back up data and verify the integrity of those backups. “Backups are critical in ransomware incidents; if you are infected, backups may be the best — or only — way to recover your critical data,” Mortakis explains. “The backups must also be secure and not connected to the computers and networks they are backing up.” In practice that means at least one copy that a compromised workstation or server cannot reach, such as media stored offline or cloud storage written with credentials that the production network does not hold.

With more data being stored in cloud environments and employees accessing that data from their own devices, consider implementing two-factor authentication, Moody says. With two-factor authentication, employees and other users are required to have not only a password and user name, but also something that only they have, such as a physical token. For example, if you have tried to log in to your bank account from a new computer, your bank may have texted you a code to enter before granting you access to your account information. A texted code is the weakest form of second factor, since phone numbers can be hijacked; an authenticator app or a hardware token is preferable where it is available.

To reduce risk, don’t keep sensitive information if you don’t need it, advises Mortakis. “Put in place a well-defined retention policy that limits the amount of time that sensitive data is stored.”

An important step in ensuring that data is secure is to test your systems. Penetration testing, ethical hacking, and vulnerability assessments are useful tools for identifying hidden network and host vulnerabilities. “At ILG, we have our own team, and we also have a third party on demand,” Mortakis says. “I recommend performing all types — web and network layers, internal and external networks — of penetration testing at least annually. We perform twice-a-year penetration testing, quarterly internal network-vulnerability assessments, and monthly external network-vulnerability assessments. And that doesn’t count any additional testing we undergo for compliance purposes, such as PCI scans.”

Where Credit Goes Through

Because so many data breaches have targeted payment-card information, that’s an area of particular concern.
“Developers should only work with a payment-card processor that has achieved the Payment Card Industry Security Standards Council’s highest level of certification: PCI Certification Level 1,” Moody says. “This certification provides them with reassurance that the processor can accept, process, store, and transmit credit-card information on their behalf in a secure environment.”

In addition, if a company accepts credit cards in person, for example at resorts, sales centers, and retail locations, it should have upgraded to EMV chip readers by now. “As of October 2014, if a merchant doesn’t have EMV in place, they’re automatically deemed responsible for any breaches that occur,” Moody says. “If you’re still swiping, it’s way past time to adopt this technology, which has far superior security.”

Judy Kenninger, RRP, heads Kenninger Communications and has been covering the shared ownership and vacation real estate industries for nearly two decades.

Resources

At AIFEducates.com, you can watch ARDA International Foundation’s Learning Center webinar on Consumer Financial Protection Bureau requirements, Risk Management Strategies: The Need for a Robust Compliance Management Program.

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Like Wikipedia, it is a community that shares information on best practices in software security and on application-security tools. owasp.org

The Payment Card Industry (PCI) Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account-data protection. pcisecuritystandards.org

Verizon’s 2016 Data Breach Investigations Report examines more than 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. With data provided by 67 contributors, including security-service providers, law enforcement, and government agencies, the report offers insight into cybersecurity threats. verizonenterprise.com/verizon-insights-lab/dbir/2016

The Visa Global Registry of Service Providers lists providers that adhere to strict security standards and are in compliance with PCI regulations. Visa recommends, “Clients and merchants should reference the site regularly as part of their due-diligence process and should only use service providers that are listed on the registry for outsourcing their payment-related services.” visa.com/splisting