Jamie Davis, Product and Education Manager
There is a free newspaper publication in Atlanta called Creative Loafing that, among other things, posts items from the police blotters from the previous week. When I have the opportunity, I like to flip through and read the descriptions listed in the paper. I always find it humorous and amazing how idiotic and daring criminals can be. The quantity of these idiotic, daring people is also amazing. For the sake of this article let’s refer to these people as NTBBBs (Need To Be Behind Bars). With such a large number of NTBBBs out there, when the economy takes a downward swing, it is not surprising that these people become less cautious. As the money crunch gets worse, people who would not associate with NTBBBs become NTBBBs overnight. One of the hottest topics in banking for 2009 is insider threats. As pressure mounts in people’s personal lives, they are more likely to see lapses in security or an abundance of trust as an opportunity to help their economic cause.
Because of all the NTBBBs out there, having security policies written and enforced is as important as ever. I’ve often heard that “locks keep an honest man honest”. Well, policies and security controls keep an honest employee honest. Can you stop someone who is determined from reaching his or her destination? Probably not, but you can keep the path from seeming so simple.
During this first quarter of 2009 take time to re-evaluate your security policies and controls. Do you have some that are written but not followed or enforced? Are employees allowed access to physical files or electronic documents that per a written policy they are not allowed to view? Are secured areas of the financial institution accessible to all employees regardless of the employee’s position?
Change physical access controls to remove excess access from employees. Develop security zones in your institution and define who has access to those zones. Change the locking systems in your bank to limit access to the security zones.
Also, take advantage of technology to control loopholes. Logical access controls have been an examiner buzzword for many of our customers. Though such controls are not difficult to implement, they do require some time and understanding. One of the easiest logical controls is to create job function groups in Active Directory and use these to control access to folders. By applying these file security restrictions to both shared folders and application folders, you can improve your network security. Typically, logical and physical controls can be put in place at limited cost to the financial institution.
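As an added example (not code from the article or from the author’s institution), the PowerShell script below shows the job-function-group approach described above together with the kind of check the earlier re-evaluation questions call for: it creates one Active Directory security group per role, rebuilds each role folder’s NTFS permissions so that only that group (plus SYSTEM and a file-server admin group) has access, and then audits the folders for any broad principal, such as Domain Users or Everyone, that can still write to them. The OU path, domain name, group names, admin group and folder paths are assumptions for illustration; the script requires the ActiveDirectory module (RSAT) and an account permitted to create groups and change folder ACLs.

```powershell
# Added example, not code from the article. Role-based folder access with AD
# groups and NTFS ACLs, plus an audit for broad write access.
# Assumed values (not from the article): OU, domain name, group names, paths.
# Requires the ActiveDirectory module (RSAT) and rights to change folder ACLs.

Import-Module ActiveDirectory

$RoleGroupOU = 'OU=Role Groups,DC=bank,DC=example'   # assumed OU
$AdminGroup  = 'BANK\File Server Admins'             # assumed admin group
$RoleFolders = @{                                    # assumed role -> folder map
    'ROLE-Tellers'      = 'D:\Shares\Teller'
    'ROLE-LoanOfficers' = 'D:\Shares\Loans'
    'ROLE-Compliance'   = 'D:\Shares\Compliance'
}

# Principals that should never hold write access on a restricted folder.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'BANK\Domain Users')

function New-RoleGroup {
    param([string]$Name, [string]$OUPath)
    # Idempotent: create the job-function group only if it does not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $OUPath)) {
        New-ADGroup -Name $Name -Path $OUPath -GroupScope Global -GroupCategory Security `
                    -Description 'Job-function group used for folder access control'
    }
}

function New-AllowRule([string]$Principal, [string]$Rights) {
    # Allow ACE that applies to the folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Principal, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

function Set-RoleFolderAcl {
    param([string]$Folder, [string]$RoleGroup, [string]$AdminGroup)
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

    # Step 1: break inheritance and drop inherited entries, so a grant such as
    # "Domain Users: Modify" on the parent share does not flow into this folder.
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $Folder -AclObject $acl

    # Step 2: remove leftover explicit entries and rebuild from a minimal set.
    $acl = Get-Acl -Path $Folder
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule $AdminGroup 'FullControl'))
    # The job-function group gets Modify, not FullControl: staff can work with
    # the files but cannot change permissions or take ownership.
    $acl.AddAccessRule((New-AllowRule $RoleGroup 'Modify'))
    Set-Acl -Path $Folder -AclObject $acl
}

function Find-BroadWriteAccess {
    param([string[]]$Folders, [string[]]$BroadPrincipals)
    # Audit: report every folder where a broad principal can write. Modify and
    # FullControl both include the WriteData right, so one bit test covers both.
    $writeBit = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($f in $Folders) {
        foreach ($ace in (Get-Acl -Path $f).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $who -and
                ($ace.FileSystemRights -band $writeBit)) {
                [pscustomobject]@{ Folder = $f; Principal = $who; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Provision the groups and lock down each role folder.
foreach ($entry in $RoleFolders.GetEnumerator()) {
    New-RoleGroup -Name $entry.Key -OUPath $RoleGroupOU
    Set-RoleFolderAcl -Folder $entry.Value -RoleGroup "BANK\$($entry.Key)" -AdminGroup $AdminGroup
}

# Re-check: an empty result means no broad principal can write to a role folder.
Find-BroadWriteAccess -Folders $RoleFolders.Values -BroadPrincipals $BroadPrincipals |
    Format-Table -AutoSize
```

Run Find-BroadWriteAccess on its own, pointed at your existing share roots, before changing anything: its output is the list of folders where the written policy and the actual permissions disagree, which is the gap the re-evaluation questions above are asking about. Granting permissions only to the role groups (never to individual accounts) means a job change is handled by moving the user between groups, and the folder ACLs never need to be touched again.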
Consider investing in inexpensive technology to control other security risks. Purchasing an endpoint protection program to lock down potential media leakage would be a great goal for 2009. The software is not extremely expensive and will help harden your network against security risks. Biometric software might be a great technology to consider in 2009. This might not only make your institution more secure but also make life a little easier. Wouldn’t it be nice to no longer have to remember 25 different user names and passwords? Investigate new technologies that take advantage of thumbprints, retina scans, voice recognition, etc., to allow access to machines and programs.
Another good tool for detecting unauthorized insider activity is SIPS, or Server Intrusion Protection. In the event that an end user introduced malware into the network (either intentionally or unintentionally), this server-based service would alert the administrator once it started to spread, and at least stop it from attacking the servers.
As always, training is your number one weapon. Ensuring your employees know how to do their job, how to protect the customer, and what to look for as far as threats are concerned increases the likelihood that an NTBBB will be unsuccessful in trying to steal from your institution. Not only will your examiners and auditors be impressed with the work you have done, you might just keep an honest person honest.