Brian Petzold

Recent Posts

Control Assessments Vs. Risk Assessments

by Brian Petzold | Jul 19, 2024

When we first start working with new institutions, it is not unusual for us to see them struggling because they have focused their efforts on remediating controls that were found to be missing...

Is Ransomware Dying?

by Brian Petzold | May 17, 2024

In December 2023 the US Justice Department announced that they had disrupted operations of ALPHV/Blackcat, a ransomware group that was responsible for many of the most prolific attacks in 2023....

Consent Orders Put Focus on Third-Party Risk Management

by Brian Petzold | Apr 12, 2024

There have been multiple consent orders issued recently which have made it clear that regulators are starting to enforce new third-party risk management guidance issued in the middle of 2023,...

Best Practices to Ace Your Penetration Test

by Brian Petzold | Mar 1, 2024

Every institution should have an internal penetration test performed annually. The goal of the penetration test is for the tester to try to gain administrative access to the network. In our...

Adding Perspective to Tabletop Exercises

by Brian Petzold | Dec 1, 2023

Your institution likely performs periodic incident response tabletop exercises to help ensure you are ready when an incident occurs. At the beginning, the participants of the exercises were...

What is a Good Password Length?

by Brian Petzold | Oct 13, 2023

We are often asked what length passwords should be. The answer that we give in general is that we would like user passwords to be at least 14 characters and complex, and that administrator passwords...

Is Your M365 Conditional Access Unconditional?

by Brian Petzold | Sep 1, 2023

As attackers are finding new ways to get around multifactor authentication in Microsoft 365, conditional access is becoming more important. Conditional access refers to a set of policies in M365...

Helping Board Members Sleep at Night

by Brian Petzold | Jul 14, 2023

If you are a board member of a bank or credit union, how do you know that the cybersecurity program of the organization is being managed effectively? I often try to put myself into the shoes of a...

Reviewing the New Interagency Third-Party Risk Management Guidance

by Brian Petzold | Jun 9, 2023

On June 6th, the Federal Reserve, FDIC, and OCC released new interagency guidance on third-party risk management. The new guidance, based on existing OCC guidance from 2013 and 2020, calls for a...

Blocking Outbound Communications

by Brian Petzold | May 12, 2023

All organizations have (or should have) a firewall that blocks unexpected communications from the Internet to internal network hosts. But what about blocking unexpected communications from internal...
