Jamie Davis, Education Manager
Social engineering, phishing, hacking, cracking, trojan, worm, virus, spyware, data leakage, endpoint security, pharming, wardriving…the list goes on and on. Where does it end? Where does the spelling come from? Where do the words come from? Every day there is a new buzzword and a new way for unsuspecting customers to be compromised. Worrying about how to stop one of these, much less all of them, could be a full-time job. Instead of focusing on each individual security risk, approaching customer security as an all-encompassing process will help break the risk down into more general categories that can be handled with a few simple rules and policies.
Train your customers – a few simple rules that will protect them on any website
- The bank will never ask for personal information in an email.
- The bank will never provide a link to its website via email. Inform customers that they should always type the address or use their “Favorites” feature to visit the bank’s website.
- If the customer is ever unsure about an email, he/she should contact the bank immediately.
Train your employees – a few simple rules for employees to follow
- Never provide any bank or customer information over the phone without verifying the identity of the person requesting the information.
- Never allow anyone access to your computer or any secure access without verifying the identity of the person and company of the person requesting access.
- Never email customer information without encrypting the email.
- Never provide a link to the bank’s website in an email.
- Never request customers to respond with personal information via email.
Bank Rules – simple rules or policies to protect the bank
- Train and monitor adherence to policies.
- Lock down computers to only allow job-related activities.
- Monitor Internet activity (incoming and outgoing).
- Ensure every machine has antivirus software.
- Ensure all software (bank applications, antivirus, Microsoft, etc.) is up-to-date.
- Have a destruction and disposal policy (documents, computers, tapes/hard drives).
- Secure any data, or access to data, that exists outside of the bank.
With the economy on shaky ground, you may think that the cost of addressing these issues is too high. However, if you break down the solutions, you will realize most do not cost anything. A small pamphlet or email given to each customer who does Internet banking can explain your bank’s policies regarding the website and email. Training employees on procedures will help minimize most of the risk involving them.
The cost of a security breach can be great. The reputation of the bank could be damaged, not to mention the possible monetary loss from the breach itself. To examine further whether your bank is prepared, consider the following examples.
A computer dies at one of your branches and you are on vacation. What would the Branch Manager most likely do with the computer?
A. Set it aside and hand it over to you once you returned.
B. Throw it away.
C. Give it to an employee to take home and use as spare parts.
Obviously, B and C could be a huge liability risk if the computer ended up in the wrong hands.
A man in his mid-twenties wearing a baby blue polo and khakis, and carrying a computer bag, comes into your bank and asks the CSR if he can check something on her computer, explaining that he is from Safe Systems and is there to perform a software upgrade that the Administrator called in about. What would the CSR do?
A. Let the person on their computer.
B. Call you, but if you were not available, let him on the computer without even asking for identification.
C. Insist on talking to the Administrator to confirm the Safe Systems employee was expected before letting him on the computer.
Hopefully your employee would choose option C. What would your employees do?
A new customer in his 70s opens an account with the bank and asks to have Internet access to his account. Three days later he receives an email from the bank asking him to click on a link to the bank and log in to activate his account. What information has been provided to this customer so he knows how to handle your communications?
A. He was asked to sign a 5-page waiver full of legal jargon.
B. He was given a pamphlet about the safety practices of the bank and sent an email reminding him of the key points of the bank’s security policies.
C. There is some information located on your website, if he looks for it.
Hopefully he received verbal and written communication about your bank’s email and website usage.
Though each example is fictional, they all represent legitimate threats that have in one way or another affected banks throughout the country. Do not think it cannot happen to you. Following the simple rules above will make the correct answer the likely outcome in each of these examples.