Issues
  • Primer on Cyber-Security
    An AIT presentation offers tips on how to keep your computer system safe.

    By Jane Rickards

  • Improved Rule on Financial Disclosure
    A revised regulation eases banks’ concern that required reports would violate client confidentiality.

    By Don Shapiro

 



Primer on Cyber-Security

An AIT presentation offers tips on how to keep your computer system safe.


Could using Facebook harm your career?

That was just one of the issues raised at a recent Overseas Security Advisory Council meeting convened by the American Institute in Taiwan. Entitled “Cyber Security Best Practices,” it was aimed at helping American businesses here keep their computer and Information and Communications Technology (ICT) systems secure.

Participating in social networking sites may be risky if one later seeks U.S. government security clearance, says an article in the public-service-oriented Federal Times that was cited at the seminar. Security officers typically investigate an employee’s close friendships and connections with foreign nationals, but “friends” listed on social networking sites are often only casual acquaintances about whom one may not really know much. If suspect persons are carelessly added, security officers conducting the clearance may get the wrong impression.

David Eberhardt, AIT’s Regional Security Officer, noted problems that indiscreet entries on social networking sites could cause for employees at private firms as well – either damaging the company’s reputation or providing information that could be used by competitors for industrial espionage. Increasingly sophisticated technology is enabling people to scan millions of online social conversations at once, mining information for commercial or intelligence purposes.

David Gilmore, AIT’s Information Programs Officer, focused on ways U.S. businesses can keep their computer systems safe from cyber attacks that might be conducted by criminals, competitors, and malicious individuals, or even governments. Whereas previously most hacking “was done to disrupt the system,” he said, “now they want to stay in the system and take advantage.”

Gilmore noted that “spear phishing” – the criminally fraudulent process of acquiring information such as user names, passwords, and credit card details by masquerading online as a trustworthy source such as a bank – is becoming more common and more difficult to differentiate from the real thing. He urged companies to strengthen internal regulations and training to deter employees from inadvertently downloading files that could infect the entire company’s system, and reminded them of the importance of constantly updating anti-virus and other security software.

Another major area of corporate vulnerability, Gilmore said, is companies’ websites. “Attacks against web applications are more than 60% of the total attacks on the internet,” he said. “If a website is compromised, the result can be a betrayal of customers.” While the greatest number of cyber-attacks both originate from and target U.S. sites, the third-largest source of one particular type of attack – server-side HTTP attacks – is Taiwan, Gilmore said.

The seminar noted that the Maryland-based SANS Institute, which specializes in computer security training and professional certification, recommends 15 critical controls for companies. One of the most important is monitoring the use of unauthorized devices and software. Workplaces requiring strict controls should not permit outside flash drives or similar devices to be used in a secure network. Even the downloading of software from the internet or use of outside CDs and DVDs is not recommended.

SANS also specifies that employees should have access to IT applications and functions in the company’s computer system only on a “need-to-use” basis. Further, security is enhanced if employee accounts are deleted once the person leaves the company.

Another reminder is to be sure to “patch” – apply fixes or updates for software problems – quickly in all instances. “Organizations take twice as long to patch application vulnerabilities as they take to patch operating system vulnerabilities,” Gilmore noted. Installing “malware” (malicious software) defenses such as firewalls, anti-spyware, and antiviral software is also crucial.

Most importantly, companies need to educate employees about the danger of cyber-attacks. Common mistakes people can make include not scanning files before they are opened or unwittingly downloading programs from the internet (sometimes users may think they are downloading content when in fact it is a program).

Attacks often come in emails containing malicious attachments. “The single biggest mistake users make is opening attachments,” Gilmore said. “It’s just that curiosity. You want to open it up and find out what it is.” That may be human nature, but it can put the computer system at risk.


By Jane Rickards

 


 

Improved Rule on Financial Disclosure

A revised regulation eases banks’ concern that required reports would violate client confidentiality.

In this column in last month’s magazine, a “mid-cycle review” of AmCham’s advocacy issues outlined the progress made since publication of the 2009 Taiwan White Paper in May. An announcement this month by the Financial Supervisory Commission (FSC) has made it possible to tick off one more of the White Paper issues as resolved.

The new development relates to Issue 4 in the Banking Committee’s position paper: “Respect client confidentiality and the differing conditions of foreign banks when requiring financial disclosure.” The Committee was responding to a March 23 amendment to the “Rules Governing Quarterly Disclosure of Material Financial and Business Information by Banks” in which the FSC required banks to disclose their top 10 concentrations of credit extensions at the “client group” level. That ruling prompted concerns in the industry that such public disclosure would violate banks’ legal obligation to maintain customer confidentiality. Unless banks were explicitly granted an exemption from secrecy requirements, “the amendment would expose banks in Taiwan to the risk of client complaints and even litigation,” the paper argued.

Following discussions between the AmCham-ECCT Joint Banking Committee and the FSC’s Banking Bureau, the FSC has now revised its position. A further amendment to the regulations, issued December 8, states that banks need only disclose their top 10 concentrations of credit extension by industry, rather than naming individual companies. “It is quite gratifying to see how dialogue with the regulator has brought satisfactory results in this case,” said AmCham President Andrea Wu.

By Don Shapiro