Pub. 9 2014-2015 Issue 4
November | December 2014 (page 23)

Common Sources of Data Loss: Are You Prepared?
Rick Jeffries, Cline Williams Wright Johnson & Oldfather LLP

The phrase "information security" has a cloak-and-dagger feel to it. We're fighting off the international cyber-criminal, or the diabolically brilliant Dorito-stained hacker living in his mom's darkened basement, with evermore sophisticated tools. In practice, this leads businesses to underrate the more mundane threats to information security.

The most common cause of data loss is plain old physical loss—someone leaves a laptop in a cab, a phone goes missing, or a break-in results in the loss of a computer with business information stored on it. A close second cause of data loss is internal loss. A good employee goes bad and takes data, with the intention of harming the bank or its customers.

For financial institutions, physical loss presents particularly acute risks. An evildoer's acquisition of your data may require you to notify customers in accordance with the Gramm-Leach-Bliley Act or other privacy laws. This can be expensive and embarrassing for institutions that seek customers' trust.

Here are some actions you can take now to reduce your exposure to these basic information security risks.

Make sure employees have privileges to see only what they need.
Employers rightly pride themselves on trusting their employees. Some employees go bad, however, and they don't tell you before they do. At that point, you do not want your low-level rogue employee to have access to sensitive information outside his or her functions. Limit or eliminate remote access to people who have no off-premise responsibilities.

Know what your employees are doing on your system.
When you consider new office technology, choose systems that offer an audit trail—know who looked at which record when. Internal wrongdoers are much more easily tracked when their employers can prove that Employee X looked at a specific record right before the misdeed took place.

Create solid BYOD policies.
If you allow employees to work with their own phones, tablets, or computers, create and enforce a strong BYOD (bring your own device) policy. Give your bank the right to detain BYODs for a reasonable period and to demand any password necessary to access and remove company data, even after employment terminates.

Enforce proper password discipline.
No one should know anyone else's password. Every employee should know this rule by heart. Sometimes, Sally tells Cindy her password so Linda can download a file, and Cindy causes all sorts of havoc with Sally's credentials. In this day and age, employees should know without question that when someone asks for your password, it's a direct threat to the bank.

Encrypt everything that can be encrypted.
Most operating systems provide for disk encryption for low or no cost. This is different than just requiring a password to log into your network. Disk encryption prevents someone from removing your hard drive and, with the aid of an inexpensive cable, reading everything on it even if they can't get past the login screen. With strong encryption, a bank that experiences physical loss of data may be able to avoid customer notification for the simple reason that the thief will be functionally unable to review the data. Employees who use laptops—theirs or yours—should obey this policy.

Strongly consider two-factor authentication.
"Two-factor" authentication requires a user to combine two things with his or her identification in order to obtain

Are You Prepared? — continued on page 24