3 Security Trends that will Continue in 2017

With the ushering in of another new year, I find myself acting nostalgic, wondering where the previous year went and of course pondering the year ahead. Here are three security and commerce trends which will continue in 2017.

  1. Healthcare Data Breach

According to the Privacy Rights Clearinghouse, 290 healthcare data breaches were reported or discovered in 2016. In 2015, there were only 82, so 2016 represents a 254% increase! Healthcare data is highly monetizable and will continue to be targeted, so we can expect this trend to continue in 2017.

An important factor in the increase in data breaches is that organizations lack the security policies and procedures needed to protect their infrastructure. I’ve observed many healthcare organizations and service providers talk about having proper security assessments and penetration testing performed, even discussing the importance of a HITRUST certification, but only a handful actually have them done. Knowing where the vulnerabilities lie within your organization is a critical component in enhancing the security of your data.

  2. Hospitality – A Hacker’s Playground

Hospitality is another targeted sector that has suffered hundreds of data-compromise incidents, and we will continue to see this happen in 2017. For many years I was able to work with breached merchants and advise them regarding security and forensic options. Unfortunately, many of these entities were the brand-name hotels you and I often use during the course of standard business and personal travel.

I’ve observed the hospitality industry continue to lag behind the retail sector in terms of technology as well as process and policy. PCI compliance in this sector isn’t necessarily an afterthought, but it is an overinflated self-assessment until the data breach occurs.

A classic example of weak security policy comes from a prominent hotel I stayed at during a business trip: a label on a hotel monitor read “If The Computer Shuts Down, the PW is [email protected]!”, handing the login password to anyone who walked past. This is representative not only of a bad password policy but of the entire security culture at the hotel. It is the tip of the iceberg in the hospitality sector and will continue to facilitate hacks and data compromises of all sorts in 2017.

  3. A Positive Trend – EMV and US Retailers

EMV, a technical standard created by Europay, MasterCard, and Visa, increases the security of credit card payment transactions. Credit card fraud is usually caused by “leaky” POS systems, but the use of EMV cards, or smart cards that have a chip or PIN, makes it difficult to clone a card and steal data.

In 2017, the number of US retailers employing chip card readers will increase dramatically due to merchant liability incentives from Visa. By the end of the year, you should be able to insert your card at at least 4 out of 10 merchants visited. The one exception is gas pumps, since Visa has granted exceptions until 2020, but many chains such as Maverik will start implementing chip card readers sooner rather than later.

Whether your business is healthcare, hospitality or retail, these trends will continue to impact commerce and security this year. For more information on how you can improve your overall security stance and be prepared for 2017, contact us at [email protected] to speak to one of our security professionals.

Work for It: Earning Our Clients’ Business

Author: Scot Thrower, Business Development Manager at A-LIGN.

Feeling stuck in a relationship with your current audit and security solutions provider? It doesn’t have to be that way! A-LIGN provides compliance solutions without multi-year contracts or strings attached. While other providers lock you into costly, multi-year contracts that may lead to legal issues if you are not satisfied, A-LIGN offers its services without multi-year contractual obligations while maintaining flat fixed fees over a three-year term.

Many of our clients have told us that one of the reasons they made the switch to A-LIGN is because we do not make them execute a multi-year contract. Once you’re locked in, the provider may not feel the need to give your business 100% of their time, effort, and energy. There’s little or no penalty for supplying your firm with late or sub-par work. This shifts power into the hands of the provider, not you, the client. A-LIGN does not require its clients to sign multi-year contracts because we want to earn your business for each and every engagement, year after year.

At A-LIGN, our goal is to relentlessly exceed the expectations of our clients. Our team of audit and security professionals will strive to ensure the quality of the work performed goes beyond the necessary. We aim to deliver a quality final report, on time, while minimizing the strain on your resources. A-LIGN will be all in for you, year in and year out, without ever needing a multi-year contract to keep you as one of our valued clients.

A-LIGN Offers:

  • Excellent service without multi-year contractual obligations
  • Competitive, fixed-fee pricing that stays flat over a term of three years
  • Innovative solutions for the changing audit landscape
  • Top-notch and verifiable client satisfaction

If you are receiving anything less than exceptional service from your current provider, please call us at 888-702-5446 or email [email protected].

More Passwords, More Problems: A Look into Biometric Authentication

What’s your password? Studies show that you likely use more than 15 different passwords, and more than half of you admit to using a weak one. So how do companies fare with inconsistent password usage and standardization? Even companies with excellent security practices can become vulnerable because of a forgetful employee who leaves their password on a sticky note under their mouse pad, or someone using the incredibly hard-to-crack password “password”. Hackers are becoming more adept, and as a result, companies must improve their digital security.

While technology has continued to improve, things like the traditional QWERTY keyboard have not changed in decades. Passwords are becoming clunky, laborious things that must be carried in the memory of the user, and while two-factor authentication helps, it is typically just another combination of characters that takes more time to enter.

We get questions from our clients all the time: How can we improve our own security? In light of data breaches at eBay (145 million users), Adobe (36 million users), JP Morgan Chase (76 million users), and many, many others, passwords have been at the forefront of the security discussion. Let’s take a moment to look at the future of password and identity protection, and what implications that may have on security.

The Pros and Cons of Biometric Identification

Fingerprint Biometrics

Fingerprint biometrics have gained incredible popularity since Apple unleashed them on the iPhone-using masses (94 million people use an iPhone), but Apple isn’t the only one using the technology. Android mobile devices have also adopted it, and it is anticipated that approximately 50% of all mobile devices will move towards this technology by 2019. But how secure is this convenient, unforgettable, unduplicatable security? Maybe not as secure as you’d think.

With some technology companies leaving fingerprint data unencrypted, hackers are suddenly able to access print images remotely at a large scale. Phone hackers aside, what happens if your fingerprint data at a government agency is breached and suddenly anyone has access to your prints? You can’t exactly change your prints once they have been compromised, and experts have suggested that a simple high-resolution photo of your fingers could be enough to gain entry to fingerprint-protected devices.

Facial Recognition

If we recognize each other through our faces, why can’t our technology learn to do it as well? Some credit card companies were even considering the complete removal of credit cards and moving wholly to facial recognition software.

However easy this technology would make our lives, it is unfortunately one of the least reliable and efficient technologies available at this time for personal identification purposes. A simple tilt of the head can throw off the technology, as can sunglasses, a change in hair, items obscuring the face and skin color, to name a few. Outside of the current technological hurdles, hackers are able to trick facial recognition through the use of high-quality photographs, similar-looking people and the hacking of the entire system.

Iris Scans

In every science fiction movie, there’s a retina scan that unlocks a door. But it may not be just science fiction anymore. Citibank is currently working with partners EyeLock LLC and Diebold in order to develop a card-less, screen-less, self-service ATM. All transactions occur on the mobile phone using near field communication or QR code technology, while the customer is authenticated using the EyeLock iris sensor.

In a similar vein, Microsoft recently released two phones featuring iris scanning authentication. But what are the risks of the new technology? The systems are often fooled by a high-quality image of the eye, making them an easy target for hackers. Until live-tissue verification exists for all of the technologies previously mentioned, they will continue to be easily tricked by hackers with replicated imagery.

Voice Biometrics

“Xbox, on.”

Voice command opens up a hands-free universe where logging into anything is as easy as a few simple words. One of the benefits is that authentication over the phone allows for remote authentication. But how long until a cybercriminal gets you on the phone, talking, to remotely unlock your account for them without your knowledge?

Voice command has other limitations. For example, users may not want to share their actions with those on the bus or in a quiet office. Or, consider struggling to log into an account at a loud rock show. In addition, vocal recordings are able to fool some of the more basic voice biometrics machines.

Where do we go from here?

The options aren’t all bad, but all pose their own risks. But what if you could combine any or all of those authentication factors? Combining factors allows for certain identifiers to be used in certain situations. For example, fingerprint and voice authentication when unlocking your vehicle – use fingerprint when you have your hands free and voice when you have your hands full.

The ability to pick factors that suit your lifestyle and the potential risk offers a wealth of opportunity for information security experts to improve data security. We would all be better off in a world where the easy account reset questions no longer exist.
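The idea of choosing factors per situation can be expressed as an explicit policy rather than left implicit. The following is an added example, not code from the original post or from A-LIGN: a small context-aware authentication policy in which each context (vehicle unlock, account login, account reset) names the factors it accepts, how many distinct factors it requires, and whether a biometric sample only counts when the sensor also performed a liveness check (the post notes that photos and recordings fool basic sensors). The context names, factor scores and the `Presentation` record are illustrative assumptions.

```python
"""Context-aware multi-factor policy.

Added example (not from the original post). Contexts, factor set and the
liveness flag are illustrative assumptions, not any vendor's API.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    FINGERPRINT = "fingerprint"
    FACE = "face"
    IRIS = "iris"
    VOICE = "voice"
    PASSWORD = "password"


@dataclass(frozen=True)
class Presentation:
    """One authentication attempt as reported by the verifier (assumed shape)."""
    factor: Factor
    matched: bool            # the sample matched the enrolled template / secret
    liveness_checked: bool   # sensor confirmed a live subject, not a photo or recording


# Per-context policy (constructed for the example): which factors are accepted,
# how many *distinct* factors must succeed, and whether biometrics must prove
# liveness before they count.  Higher-risk contexts demand more.
POLICY = {
    "vehicle_unlock": {
        "allowed": {Factor.FINGERPRINT, Factor.VOICE},
        "required": 1,
        "liveness": False,
    },
    "account_login": {
        "allowed": {Factor.FINGERPRINT, Factor.FACE, Factor.IRIS, Factor.PASSWORD},
        "required": 2,
        "liveness": True,
    },
    "account_reset": {
        "allowed": {Factor.FINGERPRINT, Factor.IRIS, Factor.PASSWORD},
        "required": 2,
        "liveness": True,
    },
}


def evaluate(context: str, presentations: list) -> tuple:
    """Decide whether the presented factors satisfy the policy for `context`.

    Returns (granted, reasons).  `reasons` explains every presentation that was
    not counted and, on denial, how many factors were still missing.
    """
    policy = POLICY[context]
    accepted = set()   # distinct factors that passed; the same factor twice counts once
    reasons = []
    for p in presentations:
        if p.factor not in policy["allowed"]:
            reasons.append(f"{p.factor.value}: not accepted for {context}")
            continue
        if not p.matched:
            reasons.append(f"{p.factor.value}: sample did not match")
            continue
        # A matching biometric without a liveness check could be a replayed
        # photo or recording, so it does not count where liveness is required.
        if policy["liveness"] and p.factor is not Factor.PASSWORD and not p.liveness_checked:
            reasons.append(f"{p.factor.value}: no liveness check, replay risk")
            continue
        accepted.add(p.factor)
    granted = len(accepted) >= policy["required"]
    if not granted:
        reasons.append(f"need {policy['required']} distinct factor(s), got {len(accepted)}")
    return granted, reasons


if __name__ == "__main__":
    # Constructed sample attempts for each context.
    attempts = [
        ("vehicle_unlock", [Presentation(Factor.VOICE, True, False)]),
        ("account_login", [Presentation(Factor.FACE, True, False),
                           Presentation(Factor.PASSWORD, True, False)]),
        ("account_login", [Presentation(Factor.FINGERPRINT, True, True),
                           Presentation(Factor.PASSWORD, True, False)]),
        ("account_reset", [Presentation(Factor.VOICE, True, True)]),
    ]
    for ctx, pres in attempts:
        ok, why = evaluate(ctx, pres)
        print(ctx, "GRANTED" if ok else "DENIED", "; ".join(why))
```

Two design points worth noting: the same factor presented twice (two fingers, say) is still one factor, so it cannot satisfy a two-factor requirement on its own; and a face or iris match is discarded, not merely down-weighted, when the high-risk context demands liveness and the sensor did not provide it.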

A-LIGN Security and Compliance Services To Present Webinar, “Reducing Audit Impact by A-LIGNing PCI DSS, SOC 1 & 2 Requirements”

Gene Geiger, Director at A-LIGN Security and Compliance Services will present a webinar to share practical recommendations for improving overall audit efficiency which will lead to reduced audit impact, audit costs and audit fatigue.

The presentation will take place on April 18, 2012 from 1-2 pm EST. All individuals/organizations are invited to attend the webinar. The goal of the discussion is to equip organizations that undergo multiple compliance audits annually with guidance on how to better prepare for, schedule and undergo audits from external auditors.

Mr. Geiger will give an overview of the most common compliance standards that organizations face, and discuss similarities between the standards that can be leveraged to improve audit efficiency. He will also provide examples where the requirements of PCI DSS, SSAE 16 (SOC 1) and the Trust Principles of SOC 2 overlap and how to then use the overlapping requirements to reduce the impact of the audit on your organization. The webinar will conclude with practical recommendations that all organizations can employ to improve the audit process while strengthening the internal control environment.

Registration for the webinar is complimentary. Persons wishing to register for the webinar can click here to register online or contact A-LIGN at [email protected]

Click here to view the recording.

A-LIGN Security and Compliance Services, an information security audit and consulting company, is founded on the key principle that an unparalleled client service experience is the greatest differentiator amongst professional service firms. A-LIGN is registered with the PCI Security Standards Council as a Qualified Security Assessor Company. We specialize in assisting clients in meeting industry and government requirements including PCI DSS, FISMA, FFIEC, HIPAA, ISO 27002 and SOC 2 compliance. In addition, we provide information technology management services to assist clients with security policy development, vendor management reviews and Information Security Officer outsourcing. With a unique blend of industry and audit experience, our security professionals have expertise in implementing as well as auditing information technology controls at companies ranging in size from small organizations to Fortune 500 corporations.

A-LIGN’s team has provided services to companies in a multitude of industries, such as Application Service Providers, Banking and Financial Services, Communications, Data Center Providers, Energy and Utilities, Government, Insurance, Managed Services and Technology, Non-Profit, Professional Services and SaaS. A-LIGN’s executive team has extensive experience in the information security and IT auditing fields, has held key positions with Big 4 accounting firms and holds numerous certifications including Certified Public Accountant, Certified Information Systems Security Professional, Certified in Financial Forensics, Certified Information Systems Auditor, Certified Internal Auditor and Qualified Security Assessor.