Authentic8 Blog Category: Cloud Browser

VPN for Secure and Private Web Access? Think Again.

Many believe a Virtual Private Network (VPN) will protect users against online privacy violations and web-borne exploits. But how far can you really trust VPN? A new report by Authentic8 provides answers that may surprise you.

*

VPN creates an encrypted data “tunnel” between the user’s computer and a secure server - on the corporate network, for example - that can also serve as a springboard to the web. Still, this secure tunnel is not sufficient. Over the more than 20 years that VPN has been around, its limitations have become obvious.

Yes, VPN can make connecting with networks and resources across the web more secure. What is often overlooked: VPN still allows web code to pass through to the locally installed web browser.

This opens the door for malware and spyware infiltration as well as data exfiltration, localization and de-anonymization by third parties. In last week’s blog post, we focused on the “online privacy” promise of VPN. We showed how

Financial Services: Blindspot Browser

For regulated investment firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has prioritized “cybersecurity with an emphasis on, among other things, governance and risk assessment, access rights and controls, data loss prevention [...] and incident response.”

While firms have significantly strengthened their compliance policies, their actual practices still reveal alarming gaps. Behind closed doors, compliance leaders in many firms I get to speak to admit that they lack the tools to sufficiently monitor, audit, and enforce employee web use policy.

Regulators expect firms to make a “reasonable” attempt to ensure oversight and remediate areas of weakness. So what’s getting in the way?

Securities and Exchange Commission (SEC)

The Web - Asset or Liability? It Depends On the Browser.

Whether research analysts or investment managers use business apps or social media, they rely on the locally installed web browser as their primary tool. It is the very same tool that increasingly leaves firms exposed to risks of data breaches and compliance violations online.

In a

Why Your Defender’s Paradigm Isn’t Working Anymore

Why does it seem like despite the ever-evolving technology and the billions of dollars being spent on cybersecurity, that the attackers are winning? Well, in two words: they are.

Despite our best efforts to disrupt cyber attacks, it’s the current paradigm that isn’t working, not just the technology we deploy. Below, I discuss the current “defender’s paradigm” - the predominant thought model that still informs the defensive behavior and security posture of large parts of the cybersecurity community - and examine how we got here and what we can do about it.

The current Defender’s Paradigm

The current defender’s paradigm is pretty simple: it’s the realization that the cyberwar is going to be fought on your network and preparing accordingly. The most valuable networks have thousands of endpoints, ever-changing rosters of users, and enclaves of incredibly valuable information distributed worldwide. As such, most organizations, either through concerted planning or trial and error, generally follow a six-step

Interview: SEC Compliance and the Internet

Key Issues for Investment Management Firms

What are the challenges regulated investment management firms are facing when using the internet?

We asked Jane Jarcho, the former Deputy Director of the SEC's Office of Compliance, Inspection, and Examinations (OCIE) and head of the National Investment Adviser and Investment Company Exam program, who recently joined the Promontory Financial Group as a consultant on regulatory and exam issues.

At the OCIE, Jane Jarcho oversaw its program areas, including Investment Adviser/Investment Company (IA/IC), Broker-Dealer and Exchange, FINRA and Securities Industry Oversight, and Clearance and Settlement. Ms. Jarcho also led the IA/IC examination program. Under her leadership, the number of IA/IC examinations increased by more than 100 percent.

The interview was conducted by Chirag Vasavada, Head of Business Operations at Authentic8.

*

Chirag Vasavada: Jane, given your tenure and experience across the SEC's program areas, you're in an ideal position to speak to the challenges faced by regulated entities today. The industry is under

5 Must-Read Resources for Compliance and IT Leaders in Investment Firms

Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.

While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.

This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.

Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple