"20 Must-Have" Employee Habits for Secure Banking
Employees play an integral role in protecting the assets of an institution, and as such need to be adequately trained and made aware of the basic security practices that are frequently overlooked. A set-it-and-forget-it approach to information security ("we're protected because we have a firewall") ignores end-users, who, if left untrained, remain the institution's weakest link.
Why are we emphasizing best practices and effective employee habits?
Consider these everyday workplace incidents:
"An attacker, posing as a member of the technical staff, calls an employee and says he is making a few changes to the company's computer system and that this may affect the employee's account information. The attacker asks for the employee's name and password so that he can re-activate the account in case the need arises. The employee willingly and unsuspectingly passes the information to the attacker."
"A bank branch manager is working on a customer's loan application and is inputting confidential credit report information into an Excel spreadsheet; a colleague stops by his office and invites him for lunch. He leaves for lunch without shutting down the program or "locking" his computer and even leaves the door to his office open."
"An employee, while using his personal email account, downloads an attachment sent by a stranger. He knows that downloading email attachments is prohibited by company policy, but he ignores this, thinks no one will know about it, and goes on with his daily activities. Just a week later the company's network is hit with a virus which is traced back to his downloaded email attachment."
The following are simple everyday habits which employees should practice to understand the basics of security and to realize that everyone has a role to play in protecting an institution's assets and reputation.
- Passwords - choose wisely and use strong passwords
Do's -
Use numbers, letters, punctuation marks and symbols. (Example: Fl4#6r instead of Flower)
Change your password every 6 months
Don'ts -
Never write your passwords down or share them
Do not use the same password on multiple systems
Do not use your social security number or last 4 digits of SSN in your password
- Email - can serve as a medium for viruses and other attacks
Do's -
Be cautious with attachments
Update your antivirus software regularly
If an attachment must be opened, always scan it manually with antivirus software first
Don'ts -
Do not open attachments unless absolutely necessary, especially if they are sent by a stranger
- Web Surfing - may lead to theft of data and passwords and to virus infection
Do's -
Minimize personal use of web browsing at work
Avoid cookies and software downloads
Don'ts -
Do not visit chat rooms at work
Do not use Web-based e-mail systems for the communication of any sensitive information
- Backups
Do's -
Schedule backups regularly, save often
Store all important files and documents securely on disks or CDs
- Malware - Viruses, Worms and Trojans
Do's -
Update anti-virus and anti-spyware weekly
Use the anti-virus software to run full disk scans monthly
Scan all floppies, CDs, or other external media that have been used on external systems
Be very careful with email attachments
- Instant Messaging
Do's -
Update IM software regularly
Don'ts -
Do not release any confidential information or illicit material
- PDAs
Do's -
Physically secure them
Use passwords and encryption
Disable wireless auto connection
- Telecommuting/Remote Access
Do's -
Use a personal firewall
Use encryption
Use a lower risk format to exchange documents, such as RTF or text files, which are not vulnerable to the transmission of viruses and other malware
Back up your files regularly on ZIP disk or CD-ROM. This measure ensures that vital information will not be lost in the case of viruses or general hardware failures
- Destruction of Sensitive Material
Do's -
Use high quality cross cut shredders to cut paper into fine/small pieces
CD-ROMs should be fed through a CD-ROM shredder
Floppy disks and backup tapes should be opened and cut into small pieces
- Clean Desk Policy
Do's -
Please keep your workspace neat. If it is messy, you may not notice when something is missing
Lock sensitive documents and computer media in drawers or filing cabinets
Physically secure laptops with security cables
Secure your workstation before walking away (Ctrl+Alt+Delete or Windows key + L)
Don'ts -
Do not post sensitive documents. Examples include:
User IDs & Passwords
IP addresses
Contracts
Account numbers
Client lists
Intellectual property
Employee records
- Phishing/Identity Theft - both are attempts to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication or by using the identifying information of another person without his or her authority.
Do's -
Report to the appropriate office authorities any suspicious emails in your inbox or strange calls that prod you to share information such as your mother's maiden name, your birth date or the last four digits of your SSN
Don'ts -
Do not open attachments unless absolutely necessary, especially if they are sent by a stranger
Do not disclose any sensitive information including mother's maiden name, your birth date, and the last four digits of your SSN in any form of written communication or electronic media
- Work Station Security - an unlocked workstation is a violation of security policy and leaves the system open to compromise
Do's -
Please configure a password-protected screen saver to lock after 10 minutes of inactivity.
You should also lock your workstation before leaving your desk:
a. Press Ctrl + Alt + Del
b. Click on "Lock Computer"
- Don't Be Afraid to Say No
Do's -
When someone asks you to violate policy or procedure, hold firm and do what's right; management will support your decision
- Laptops - The loss of a laptop can cause irreparable harm to an institution. Laptops must be secured and used responsibly to prevent compromise of sensitive information or unauthorized network access.
Do's -
When leaving a laptop unattended in a hotel room or office space, lock it to an unmovable or extremely heavy object using its security cable
Use firewall software to defend against hacking attempts on public networks and the Internet
Antivirus definitions must be updated weekly to be effective. Keep your definitions current to avoid a system outage while you are traveling
Do not save passwords in files, web browsers, VPN clients or any other insecure software
Store passwords with encrypted password management software
- Visitor Escort - Unescorted visitors represent a serious threat to the security of an institution.
Do's -
Visitors must be escorted at all times. Watch visitors closely
If you need to step away, ensure that someone else accepts responsibility for watching the visitor
Frequent visitors should be given ID cards/badges of some sort which they can wear so that they can be easily identified
At no time should a visitor be given access to the company network without formal authorization from the senior management
- Give Information on a Need to Know Basis - unauthorized disclosure of sensitive information represents a serious threat to an institution. Almost everyone has heard the expression "loose lips sink ships".
Do's -
Disclose sensitive information only to those that need it to perform their duties
Carefully consider distribution of information to business partners, consultants and clients. In addition to meeting confidentiality and need-to-know requirements, ensure that all information is protected under a non-disclosure agreement.
Don'ts -
Do not disclose sensitive information to coworkers unless they have a business related need-to-know. Key questions are "What are you using the information for?" and "Who will you share it with?"
Do not disclose sensitive information to friends, family or anyone who does not have a need-to-know.
- Appropriate Use of Corporate IT Equipment
Do's -
Handle office equipment and software with care and heightened sensitivity
Don'ts -
Do not alter the configuration of the operating system or the computer hardware unless instructed to by authorized personnel
Do not use office equipment for personal purposes
- Piggybacking & Tailgating - Piggybacking occurs when an authorized person allows someone to follow them through a door into a secure area. Tailgating occurs when an unauthorized person slips in through a door before it closes.
Do's -
If you find a door that does not automatically close or has a broken lock, contact building security
Don'ts -
Do not hold the door for anyone you do not know personally and make sure no one slips in behind you
- Personnel Screening
Do's -
Verification and background checks on permanent staff should be conducted at the time of job application. This should include character references, confirmation of claimed academic and professional qualifications, and independent identity checks
All employees should be asked to sign a confidentiality or non-disclosure agreement as part of their initial terms and conditions of employment
- Computers
Don'ts -
Do not keep computers online when not in use; either shut them off or physically disconnect them from the Internet