"20 Must-Have" Employee Habits for Secure Banking

Employees play an integral role in protecting the assets of an institution and, as such, need to be adequately trained and made aware of the basic security practices that are frequently overlooked. A set-it-and-forget-it approach to information security ("we're protected because we have a firewall") ignores end users, who, if left untrained, remain the institution's weakest link.

Why are we emphasizing best practices and effective employee habits?

Consider these everyday workplace incidents:

"An attacker, posing as a member of the technical staff, calls an employee and says he is making a few changes to the company's computer system that may affect the employee's account information. The attacker asks for the employee's name and password so that he can reactivate the account if the need arises. The employee willingly and unsuspectingly passes the information to the attacker."

"A bank branch manager is working on a customer's loan application and is entering confidential credit report information into an Excel spreadsheet; a colleague stops by his office and invites him to lunch. He leaves for lunch without closing the program or locking his computer, and even leaves the door to his office open."

"An employee, while using his personal email account, downloads an attachment sent by a stranger. Knowing that downloading email attachments is prohibited by company policy, he ignores the rule, assumes no one will find out, and goes on with his daily activities. Just a week later the company's network is hit with a virus that is traced back to his downloaded email attachment."

The following are simple everyday habits that employees should practice in order to understand the basics of security and realize that everyone has a role to play in protecting an institution's assets and reputation.

  1. Passwords - choose wisely and use strong passwords
    Do's -
    Use numbers, letters, punctuation marks and symbols. (Example: Fl4#6r instead of Flower)
    Change your password every 6 months
    Don'ts -
    Never write down your passwords or share them
    Do not use the same password on multiple systems
    Do not use your Social Security number or the last 4 digits of your SSN in your password
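
As an added example (not part of the original article), the following PowerShell function checks a candidate password against the habits listed under item 1: it must contain letters, numbers and punctuation or symbols; it must not contain your Social Security number or its last four digits; and it should be changed every 6 months. The function name Test-PasswordHabits and the sample values at the bottom are constructed for illustration.

```powershell
# Added example, not part of the original article.
function Test-PasswordHabits {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        # Optional: the user's SSN (dashes allowed) so that fragments of it can be rejected
        [string]$Ssn,
        # Optional: date the password was last changed, for the "every 6 months" habit
        [datetime]$LastChanged
    )

    $issues = @()

    # Habit: use numbers, letters, punctuation marks and symbols
    if ($Password -notmatch '[A-Za-z]')     { $issues += 'missing letters' }
    if ($Password -notmatch '[0-9]')        { $issues += 'missing numbers' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $issues += 'missing punctuation or symbols' }

    # Habit: do not use your SSN or its last 4 digits in your password
    if ($Ssn) {
        $digits = $Ssn -replace '[^0-9]', ''
        if ($digits.Length -ge 4) {
            $last4 = $digits.Substring($digits.Length - 4)
            if     ($Password -like "*$digits*") { $issues += 'contains full SSN' }
            elseif ($Password -like "*$last4*")  { $issues += 'contains last 4 digits of SSN' }
        }
    }

    # Habit: change your password every 6 months (about 182 days)
    if ($PSBoundParameters.ContainsKey('LastChanged')) {
        $ageDays = [int]((Get-Date) - $LastChanged).TotalDays
        if ($ageDays -gt 182) { $issues += "password is $ageDays days old; change it every 6 months" }
    }

    [pscustomobject]@{
        Acceptable = ($issues.Count -eq 0)
        Issues     = $issues
    }
}

# Constructed sample checks (the second value is the article's own example)
Test-PasswordHabits -Password 'Flower'                               # Acceptable = False
Test-PasswordHabits -Password 'Fl4#6r'                               # Acceptable = True
Test-PasswordHabits -Password 'Fl4#6r6789' -Ssn '123-45-6789'        # flags the SSN fragment
Test-PasswordHabits -Password 'Fl4#6r' -LastChanged (Get-Date).AddDays(-200)   # flags the age
```

The function checks only the habits the article lists; it does not enforce a minimum length or screen against lists of commonly used passwords, which an institution's password standard would normally add on top of these rules.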

  2. Email - can serve as a medium for email viruses and other attacks
    Do's -
    Be cautious with attachments
    Update your antivirus software regularly
    If an attachment must be opened, always scan it manually with antivirus software first
    Don'ts -
    Do not open attachments unless absolutely necessary, especially if they are sent by a stranger

  3. Web Surfing - may lead to theft of data and passwords and the deployment of viruses.
    Do's -
    Minimize personal use of web browsing at work
    Avoid cookies and software downloads
    Don'ts -
    Do not visit chat rooms at work
    Do not use Web-based e-mail systems for the communication of any sensitive information

  4. Backups
    Do's -
    Schedule backups regularly, save often
    Store all important files and documents securely on disks or CDs

  5. Malware - Viruses, Worms and Trojans
    Do's -
    Update anti-virus and anti-spyware weekly
    Use the anti-virus software to run full disk scans monthly
    Scan all floppies, CDs, or other external media that have been used on external systems
    Be very careful with email attachments

  6. Instant Messaging
    Do's -
    Update IM software regularly
    Don'ts -
    Do not release any confidential information or illicit material

  7. PDAs
    Do's -
    Physically secure them
    Use passwords and encryption
    Disable wireless auto connection

  8. Telecommuting/Remote Access
    Do's -
    Use a personal firewall
    Use encryption
    Use a lower-risk format to exchange documents, such as RTF or plain text files, which are not vulnerable to the transmission of viruses and other malware
    Back up your files regularly on a ZIP disk or CD-ROM. This ensures that vital information will not be lost in the event of viruses or general hardware failures

  9. Destruction of Sensitive Material
    Do's -
    Use high-quality cross-cut shredders to cut paper into fine pieces
    CD-ROMs should be fed through a CD-ROM shredder
    Floppy disks and backup tapes should be opened and cut into small pieces

  10. Clean Desk Policy
    Do's -
    Please keep your workspace neat. If it is messy, you may not notice when something is missing
    Lock sensitive documents and computer media in drawers or filing cabinets
    Physically secure laptops with security cables
    Secure your workstation before walking away (Ctrl+Alt+Delete or Windows key + L)
    Don'ts -
    Do not post sensitive documents. Examples include:
      User IDs & passwords
      IP addresses
      Contracts
      Account numbers
      Client lists
      Intellectual property
      Employee records

  11. Phishing/Identity Theft - both are attempts to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, either by masquerading as a trustworthy entity in an electronic communication or by using another person's identifying information without his or her authority.
    Do's -
    Report to the appropriate office authorities any suspicious emails in your inbox, and any strange calls, that prod you to share information such as your mother's maiden name, your birth date or the last four digits of your SSN
    Don'ts -
    Do not open attachments unless absolutely necessary, especially if they are sent by a stranger
    Do not disclose any sensitive information, including your mother's maiden name, your birth date or the last four digits of your SSN, in any form of written communication or electronic media

  12. Workstation Security - an unlocked workstation is a violation of security policy and leaves the system open to compromise
    Do's -
    Configure a password-protected screen saver to lock after 10 minutes of inactivity
    Also lock your workstation before leaving your desk:
    a. Press Ctrl + Alt + Del
    b. Click on "Lock Computer"
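
As an added example (not part of the original article), the following PowerShell configures the current user's screen saver to require a password after 10 minutes of inactivity, reports whether that setting is in place, and locks the workstation on demand. The values under HKCU:\Control Panel\Desktop are the standard per-user Windows screen saver settings; the function names Set-IdleLock, Test-IdleLock and Lock-Workstation are constructed for this example.

```powershell
# Added example, not part of the original article.
# Per-user screen saver settings live under this key as string (REG_SZ) values.
$DesktopKey = 'HKCU:\Control Panel\Desktop'

function Set-IdleLock {
    param([int]$TimeoutSeconds = 600)   # 10 minutes, as the article recommends
    # A screen saver must be selected for the timeout to have any effect;
    # scrnsave.scr is the blank screen saver that ships with Windows.
    Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure' -Value '1'   # require password on resume
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"
}

function Test-IdleLock {
    param([int]$MaxTimeoutSeconds = 600)
    $p = Get-ItemProperty -Path $DesktopKey
    # A missing timeout value means no idle lock is configured, so treat it as infinite.
    $timeout = if ($p.ScreenSaveTimeOut) { [int]$p.ScreenSaveTimeOut } else { [int]::MaxValue }
    $saverSet = [bool]$p.'SCRNSAVE.EXE'
    [pscustomobject]@{
        ScreenSaverSet   = $saverSet
        Active           = ($p.ScreenSaveActive -eq '1')
        PasswordOnResume = ($p.ScreenSaverIsSecure -eq '1')
        TimeoutSeconds   = $timeout
        Compliant        = $saverSet -and ($p.ScreenSaveActive -eq '1') -and
                           ($p.ScreenSaverIsSecure -eq '1') -and ($timeout -le $MaxTimeoutSeconds)
    }
}

# Lock the workstation immediately (same effect as Windows key + L).
function Lock-Workstation {
    rundll32.exe user32.dll,LockWorkStation
}

Set-IdleLock
Test-IdleLock
```

Run it in a PowerShell session as the user being configured; the new values generally take effect at the next logon. On a domain-joined machine, a Group Policy setting for the screen saver takes precedence over these per-user values, so Test-IdleLock is most useful for checking machines that are not centrally managed.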

  13. Don't Be Afraid to Say No
    Do's -
    When someone asks you to violate policy or procedure, hold firm and do what's right; management will support your decision

  14. Laptops - The loss of a laptop can cause irreparable harm to an institution. Laptops must be secured and used responsibly to prevent compromise of sensitive information or unauthorized network access.
    Do's -
    When leaving a laptop unattended in a hotel room or office space, lock it to an immovable or extremely heavy object using its security cable
    Use firewall software to defend against hacking attempts on public networks and the Internet
    Antivirus definitions must be updated weekly to be effective. Keep your definitions current to avoid a system outage while you are traveling
    Do not save passwords in files, web browsers, VPN clients or any other insecure software
    Store passwords with encrypted password management software

  15. Visitor Escort - Unescorted visitors represent a serious threat to the security of an institution.
    Do's -
    Visitors must be escorted at all times. Watch visitors closely
    If you need to step away, ensure that someone else accepts responsibility for watching the visitor
    Frequent visitors should be issued ID cards or badges of some sort to wear so that they can be easily identified
    At no time should a visitor be given access to the company network without formal authorization from the senior management

  16. Give Information on a Need to Know Basis - unauthorized disclosure of sensitive information represents a serious threat to an institution. Almost everyone has heard the expression "loose lips sink ships".
    Do's -
    Disclose sensitive information only to those that need it to perform their duties
    Carefully consider distribution of information to business partners, consultants and clients. In addition to meeting confidentiality and need-to-know requirements, ensure that all information is protected under a non-disclosure agreement.
    Don'ts -
    Do not disclose sensitive information to coworkers unless they have a business related need-to-know. Key questions are "What are you using the information for?" and "Who will you share it with?"
    Do not disclose sensitive information to friends, family or anyone who does not have a need-to-know.

  17. Appropriate Use of Corporate IT Equipment
    Do's -
    Handle office equipment and software with care and heightened sensitivity
    Don'ts -
    Do not alter any operating system or CPU configuration without notification from authorized personnel
    Do not use office equipment for personal purposes

  18. Piggybacking & Tailgating - Piggybacking occurs when an authorized person allows someone to follow them through a door into a secure area. Tailgating occurs when an unauthorized person slips in through a door before it closes.
    Do's -
    If you find a door that does not automatically close or has a broken lock, contact building security
    Don'ts -
    Do not hold the door for anyone you do not know personally, and make sure no one slips in behind you

  19. Personnel Screening
    Do's -
    Verification and background checks on permanent staff should be conducted at the time of job application. These should include character references, confirmation of claimed academic and professional qualifications, and independent identity checks
    All employees should be asked to sign a confidentiality or non-disclosure agreement as part of their initial terms and conditions of employment

  20. Computers
    Don'ts -
    Do not leave computers online when not in use; either shut them off or physically disconnect them from the Internet connection
