It’s particularly galling when a company specializing in security issues gets monumentally hacked. That was the case for Stratfor, which suffered a massive data breach just before the holidays that exposed thousands of client names, e-mail addresses and credit card numbers. Adding insult to injury, hacktivist group Anonymous revealed on Twitter that it was able to get at the data because the company hadn’t encrypted them, according to the Associated Press. Stratfor’s travails serve as a reminder to all companies that they need to get their cyber security policies and practices in order. Here are some issues to consider.

1. Beware of the mobile threat.

Mobile devices have become ubiquitous and more powerful. Companies can no longer just protect employees’ laptops, but must be aware of tablets, smartphones, iPods and anything else with a brain and wireless connectivity. Inadequately secured devices, if stolen, can give thieves access to corporate networks, allowing them to steal sensitive data.

Employees downloading new apps may download keystroke-logging software as well, giving hackers access to their credentials—but few people have anti-virus software installed on these devices.

“2012 is going to be a significant year for mobile threats enterprise-wide because so many devices are being adopted,” says Dave Marcus, director at security firm McAfee Labs. Companies “have to start looking at mobile devices like other devices—‘If it’s got data on it, it’s got my corporate data on it, then I’ve got to manage and secure it like every other device on my network,’” he adds.

2. Review privileges.

Do all users really need all the access rights they now have? Keeping privileges to a minimum limits the damage hackers can do if they get into a user’s account, as well as the damage employees can do on the way out the door.

Controlling privileges can also help with compliance since “most regulations, including SOX, HIPAA, GLB and PCI, have a clause on the level of access to key IT assets,” says Jim Zierick, executive vice president at security vendor BeyondTrust.

But privileges can be hard to manage, especially in big organizations with lots of applications. “Users are proactive about acquiring access they need or want, but rarely ask for access to be taken away even if they no longer need it,” says Michael Bennett, chief information officer for the U.S. unit of defense contractor BAE Systems.

One option is to roll out a centralized system to allocate and manage privileges, which allows for quick changes if employees are hired, fired, move internally or temporarily need special access for a project.

Companies should move beyond automated provisioning, access control and auditing solutions to add a new security control and abstraction layer that sits between the information and the people who use it, Bennett says. This allows the data to be displayed in a way that the particular user—and device—needs to see it, “while denying access to anything not specifically required by and permitted to the user,” he adds. “Apart from the huge security gains, this architecture makes it much simpler to support the many different kinds of access devices that users want to bring to work.”

3. Prepare for breaches.

No system is completely hacker-proof. If a security hole—or human error—allows key data to leak out, companies must be ready to deal with it quickly and effectively. And that’s going to require more effort than before.

The Securities and Exchange Commission’s guidance issued in October reminds public companies that breaches could be considered material events that need to be disclosed, says Richard Bortnick, an attorney at Cozen O’Connor. Private firms may be affected if they are suppliers or partners of a public company.

States are also rolling out or toughening up disclosure laws, including California, Bortnick says.

After a breach disclosure, companies should be prepared for lawsuits, says Bob Parisi, senior vice president at consultancy Marsh. As the result of a recent court ruling, plaintiffs no longer need to show actual harm or imminent threat of harm, but simply increased risk of potential harm to take their cases to trial, he says.

And lawsuits are now being filed faster, just days or even hours after a breach is disclosed rather than months later, Parisi says. Companies need to respond quickly to a breach, which may involve more than just offering credit monitoring to clients whose information has been compromised, he says, and remedies should be relevant.

“If you’re a hospital losing patient data, offering credit monitoring might not be the most appropriate response,” Parisi says. “If what you offer is the wrong remedy or no remedy at all, you’re basically waiving a red flag in front of the potential plaintiff class.”

4. Encrypt, encrypt, encrypt.

In the past, encryption slowed down systems and inconvenienced users, so it was used only to protect data traveling over the Internet. Technology has improved to the point where companies can encrypt data that’s stored on mobile devices, moving across internal networks, even stored inside databases, without adding lag or hindering productivity.

The new technology operates on a more basic level, even embedded into the hardware. If a breach occurs, the stolen information can’t be used and no disclosure is required.

One organization taking this approach is AGS Capital Group. “The risks and penalties of breach laws are increasing, so we are looking at increased and mandatory encryption on all employee computers and laptops,” says Allen Silberstein, CEO and chief investment officer at AGS. “So if the hard drive gets into the wrong hands, the information remains protected.”

5. Add new authentication mechanisms.

Most applications require only a user name and password. Companies have been reluctant to ask customers to use a second form of authentication, such as an additional password sent by text message.

As breach notification requirements and costs escalate, companies should take another look at second-factor authentication, says David Miller, chief security officer at Covisint.

In the past, the second form was often key-chain fobs that generated one-time passwords—and employees who misplaced their keys would be locked out of the system. But the solution now could be a cell phone.

“A mobile device can run a one-time password-generating app to supply a PIN for network access, hold a digital certificate that uniquely identifies the device or can receive an automatically generated text message with a one-time password to authenticate each login,” says BAE’s Bennett. “Using a mobile device that a user already has, as opposed to issuing another physical device for authentication, makes a lot of sense.”

For a look at what the Securities and Exchange Commission wants companies to disclose if they’ve been hacked, see SEC Provides Guidelines for Disclosing Cyber Attacks.

Article originally published at Treasury & Risk.

Apple CFO Peter Oppenheimer noted that “employee demand for iPad in the corporate environment remains strong,” at the company’s quarterly earnings call on Jan. 18. “Enterprise CIOs are adding iPad to their approved device list at an amazing rate,” Oppenheimer said. “Today, over 80% of the Fortune 100 are already deploying or piloting iPad, up from 65% in the September quarter. Some recent examples include JPMorgan Chase, Cardinal Health, Wells Fargo, Archer Daniels Midland, Sears Holdings and DuPont.”

Read full article in Treasury & Risk.

Consumer-friendly technologies like Web-based e-mail and instant messaging, Twitter and Facebook have all brought compliance challenges, with companies typically reacting after something has gone wrong. With virtual environments and meetings, however, companies can get ahead of the trend, setting guidelines and preferred platforms before employees start adopting their own. Enterprise-class platforms like Teleplace and ProtoSphere allow companies to control when new users are created and what areas they can access, and set such rules as dress standards for avatars and how to decommission avatars when employees leave the company. In addition, all content in the virtual environment is approved by the company, and often can be integrated with corporate directories, document repositories and work flow systems.

Read full article at Treasury & Risk.

Three years ago, when Yang Haitao, an experienced financial risk manager, moved to Shanghai to join Nanyang Commercial Bank (China), he knew it was going to be more than a routine job change. As senior risk manager for the subsidiary of Hong Kong-based Nanyang, Yang was to take charge of the bank’s implementation of the Basel II international capital standards.

Read full article in Risk Professional magazine (subscription required).

Last September, regulators issued new revenue recognition rules that allow companies to book product and service sales separately—a boost for the balance sheet, but a big accounting hassle. Prior to the new rules, effective 1Q of fiscal 2011, if a company sold a product bundled with a service contract, the revenue was allocated over the length of the service contract. In fact, even companies that offered services for free still had to book revenue from the sale as if it came in over the course of the contract.

Read full article at Treasury & Risk.

Our project is part of the MassChallenge global startup competition.

Companies have spent years beefing up their information technology governance, risk and compliance systems.  With cutting costs now top of mind in corporate America, here are six ways to make IT GRC systems more productive and less costly.

1. Automate access controls. Today, most companies use a manual process to add users to an application or cancel their accounts. Switching to an automated system can save significant sums and reduce the risks associated with unwanted access.

Read full article at Treasury & Risk.