Data security doesn’t have to be expensive or frustrating. It’s an axiom worth remembering. By thoughtfully designing a data security program, banks can greatly reduce the risk of data breaches without spending a lot of money or interrupting business. Most security incidents require very little effort on the part of the hacker. In the 2013 Data Breach Investigations Report released by Verizon, 75 percent of all breaches were considered to be opportunistic attacks. That means that in a majority of instances, even a modicum of effort may have been enough to stop a breach.
The first step in data breach prevention is ensuring your employees clearly understand that data security is a critical element of their jobs. Fortunately, good programs don’t have to be laborious. The process should begin during new hire orientation with some simple training. Let employees know what behaviors to avoid (clicking on suspicious links in e-mails, sharing login credentials with other employees, etc.), what a potential security incident would look like and what to do if they see suspicious activity. For maximum impact, it’s important that data protection not be a once-a-year, just-for-compliance sort of activity. Instead, the message should be communicated throughout the year in everyday conversations, and in follow-ups by management as employees are doing their daily work. It’s an inexpensive yet highly effective approach.
Implementing a policy that mandates strong passwords is another tactic that typically doesn’t cost anything, and doesn’t require complex technology in the backend infrastructure to have a powerful impact. Ideally a password is not found in the dictionary. Instead, it should be a long mix of letters (in both uppercase and lowercase) interspersed with numbers and symbols. Bank systems should also require that passwords be changed on a regular schedule, at least twice each year. A security audit should be conducted to confirm compliance with the policy, since research shows that employees won’t follow this practice if left to their own devices. A recent poll conducted by antivirus software maker ESET and Harris Interactive found that 45 percent of respondents admitted they only change their passwords once a year, while 16 percent said they never change them.
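As an added illustration (not code from the article), here is how the password policy described above can be checked programmatically and how the compliance audit for password age can be run over an extract of last-change dates. The 12-character minimum and the five-word dictionary are assumptions standing in for a real policy value and a real word list.

```python
import re
import string
from datetime import date, timedelta

# Constructed word list standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "banking", "summer", "letmein"}

MIN_LENGTH = 12      # assumption: the article says "long" without giving a number
MAX_AGE_DAYS = 182   # article: passwords change at least twice each year


def policy_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Dictionary check on the alphabetic core, so that a word decorated with
    # digits and symbols ("Password123!") is still recognised as a dictionary word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def stale_accounts(last_changed: dict[str, date], today: date) -> list[str]:
    """Accounts whose password is older than MAX_AGE_DAYS, for the compliance audit."""
    cutoff = today - timedelta(days=MAX_AGE_DAYS)
    return sorted(user for user, changed in last_changed.items() if changed < cutoff)


# Constructed audit extract: account -> date of last password change.
SAMPLE_LAST_CHANGED = {
    "jdoe": date(2013, 1, 15),
    "asmith": date(2013, 6, 1),
    "contractor1": date(2012, 3, 3),
}

if __name__ == "__main__":
    print(policy_violations("Password123!"))
    print(stale_accounts(SAMPLE_LAST_CHANGED, date(2013, 8, 1)))
```

The age audit only needs the last-change timestamps your directory already records, so it can run without any change to the backend systems.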
Antivirus software is a best practice, and it is hard to imagine an organization that does not have antivirus protection at the server and desktop. Many challenges facing today’s organizations revolve around applying the latest antivirus protection to mobile devices, as these also can fall prey to malware from links in email, Internet browsing and other activity that occurs while the device is separated from the protection of the network. Ensure that mobile devices pass an antivirus scan each time they are allowed to rejoin the network. Even systems that update automatically need to be monitored to see which updates do not complete successfully. Produce and review a report that verifies which devices have not updated, and remediate these devices as they return to the network.
Give employees the tools to encrypt any data that is moved outside the protections in place across the network. Secure e-mail transmissions with encryption, and provide encrypted USB devices for any documents that must travel with employees. Do not permit unencrypted documents to be loaded onto laptops with unencrypted drives that may be lost, stolen or accessed surreptitiously while employees connect to public WiFi in hotels, airports and coffee shops. Encrypting documents on mobile devices can go a long way toward preventing a data loss from becoming a data breach that requires notification. Encrypted USB drives are available that are easy to use, inexpensive, and even allow a company to remotely wipe the documents from the USB drive if it is lost or stolen.
At the administrator level, there are some additional no-cost or low-cost things that can be done to further protect your institution’s information. Be sure that IT and contract IT services using administrator account privileges limit the use of those access credentials to only the activities that require them. It’s easy and common for someone with administrator-level access to use an administrator account every day, but it’s a potentially dangerous practice, and scaling back on how frequently it’s used is free. Monitor administrator-level usage and confirm the activity is logged to read-only media, so that in the event of a breach you are positioned to receive early alerts on suspicious activity and contain the damage. The log files will provide you with evidence of what was and what was not accessed, allowing your response to be tailored rather than broad and sweeping. Lastly, if anyone has administrator-level login credentials who doesn’t really need them, remove them. Account permissions should be audited monthly to confirm they align with assigned responsibilities and current employee lists. It is all too common for contractors to be granted special access to complete a project, and for that access to remain in place after they have moved on to another project.
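As an added example (not the article's own tooling), the monthly audit described above can be reduced to two checks: reconcile the administrators group against the HR and contractor roster, and count on how many distinct days each account was used with administrator privileges. The group membership, roster and one-login-per-line log format are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed membership of the administrators group (assumption).
ADMIN_GROUP = {"jdoe-adm", "asmith-adm", "ctr-bwong", "ctr-kpatel"}

# Constructed HR/contract roster: account -> (status, contract end date or None).
ROSTER = {
    "jdoe-adm": ("active", None),
    "asmith-adm": ("terminated", None),
    "ctr-bwong": ("active", date(2013, 6, 30)),   # contractor whose project finished
    # ctr-kpatel is deliberately absent: nobody on the roster owns that account
}

# Constructed admin-login records, "<ISO timestamp> <account> login <host>" per line.
ADMIN_LOG = """\
2013-07-01T08:55:02 jdoe-adm login fs-01
2013-07-02T09:10:44 jdoe-adm login fs-01
2013-07-03T09:01:19 jdoe-adm login ws-14
2013-07-03T14:22:05 ctr-kpatel login db-02
2013-07-04T08:58:31 jdoe-adm login ws-14
2013-07-04T11:40:00 asmith-adm login dc-01
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) login (\S+)$")


def orphaned_admin_accounts(group, roster, today):
    """Admin accounts with no current, active owner: unknown to the roster,
    belonging to a terminated employee, or tied to a contract that has ended."""
    flagged = {}
    for acct in sorted(group):
        if acct not in roster:
            flagged[acct] = "not on roster"
            continue
        status, contract_end = roster[acct]
        if status != "active":
            flagged[acct] = "owner terminated"
        elif contract_end is not None and contract_end < today:
            flagged[acct] = "contract ended"
    return flagged


def everyday_admin_use(log_text, min_days):
    """Accounts seen with admin privileges on at least min_days distinct days:
    candidates for moving routine work to a standard account."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            day, acct, _host = m.groups()
            days[acct].add(day)
    return {acct: len(d) for acct, d in days.items() if len(d) >= min_days}
```

Run against the constructed data, the first check flags three of the four accounts for removal and the second shows one account used with administrator rights every working day of the sample.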
Deena Coffman is Chief Operation Officer for IDT911 Consulting and Information Security Officer for IDentity Theft 911.