Don’t Let Thieves Steal Your Institution’s Future
|By Patrick M. Porter, BKD, LLP|
|3/1/2006 – By Patrick M. Porter, BKD, LLP|
One of the most valuable items inside any financial institution is information. The financial services industry, like many other business interests, depends on accurate, timely information, but it’s also charged with protecting personal customer information, a responsibility it can never take too seriously
Stolen information can lead to multiple capers
Over the past decade, technological advances and the ability to communicate at increasingly higher speeds have led to better and faster methods of gathering and using information.
As you know, identity theft can happen when sensitive, personal information isn’t adequately protected, making it vulnerable to illegal use or transfer by criminals.
• Obtain employment under a false name
Be alert to vulnerabilities
Recent news coverage about the loss of customer information by large corporations underscores the potential for risk, including lawsuits and bad publicity.
“Pfishing,” an electronic form of social engineering, uses e-mails containing links to legitimate-looking web sites that pretend to belong to familiar companies.
When “marks” arrive at the site, they’re cleverly asked to submit sensitive information, and some do. Never respond to such e-mails and immediately report them to the company whose identity is used as a cover.
Criminals use other methods in an attempt to persuade customers to divulge passwords or other sensitive information. Educate your customers to beware of information-gathering phone calls from individuals pretending to represent legitimate-sounding entities. Conduct periodic staff training on how to respond to such calls.
Create and annually review a computer usage policy all employees must read and sign when they begin employment. Restrict online access to appropriate personnel and grant it to other employees as needed; revoke access when it’s no longer necessary.
Be sure to confiscate keys, identification cards and related items from terminated employees, and quickly eliminate their computer access. Remember to change system passwords regularly.
• Designate a media contact
• With your attorney, develop advance plans for meeting potential legal issues and for notifying law enforcement and customers, whose information could be compromised
• Create and enforce data-retention policies; destroy unnecessary data and properly store all other information
Hammer security risks
Routinely assess your system’s vulnerability to attack, and, if weaknesses are found, run tests to verify the areas most susceptible to intrusion.
Firewalls and data encryption can help reduce the risk of successful external attacks. As its name implies, an intrusion detection system can alert you to attempts to penetrate your system. For internal security, “key loggers” can monitor who accesses specific files and when.
Simply deleting data doesn’t remove it from a computer. Before you dispose of a hard drive, have a properly trained professional run a wiping program on the system to ensure all information has been disposed of.
Use other measures to protect information in paper form. When using a shredder to destroy documents containing personal information, use one that turns paper into confetti-sized pieces or consider using a commercial shredding service.
Stay one step ahead
New schemes and tools will always look for opportunities to steal sensitive data. To reduce your odds of attack, periodically assess your computer system and be prepared to revise your plan of defense. Such measures can and do save money and can help you avoid costly problems that have the potential to damage your institution’s reputation and financial well being.
Patrick M. Porter, senior consultant with BKD, LLP’s Indianapolis, Indiana office, is a member of BKD’s Fraud & Dispute Consulting team. Patrick assists in fraud prevention and investigation, electronic discovery and litigation support. He also provides internal audit support to clients in the banking industry. Contact the author at firstname.lastname@example.org.