Don’t Let Thieves Steal Your Institution’s Future

By Patrick M. Porter, BKD, LLP
3/1/2006

One of the most valuable items inside any financial institution is information. The financial services industry, like many other businesses, depends on accurate, timely information, but it is also charged with protecting personal customer information, a responsibility it can never take too seriously.

Stolen information can lead to multiple capers

Over the past decade, technological advances and ever-faster communication have produced better and quicker ways of gathering and using information.
But who hasn't thought about how his or her institution would be affected if the information entrusted to it by customers were stolen because of inadequate safeguards, a lack of planning or inappropriate employee use?

As you know, identity theft can happen when sensitive, personal information isn’t adequately protected, making it vulnerable to illegal use or transfer by criminals.
Stolen personal information is generally used to open fraudulent credit accounts and to obtain loans, but did you know it’s also used to:

• Obtain employment under a false name
• Obtain rental housing
• Throw authorities off the trail in the event of arrest or the issuance of a summons

Be alert to vulnerabilities

Recent news coverage of customer-information losses at large corporations underscores the risk, which includes lawsuits and bad publicity.
Information can be stolen from traditional paper files or from their electronic equivalents, which are especially exposed because they can be copied in bulk and carried out unnoticed. Never treat personal information carelessly, no matter how many safeguards you have in place.

Phishing, an electronic form of social engineering, uses e-mails containing links to legitimate-looking web sites that impersonate familiar companies.

When the "marks" arrive at the site, they are asked, with some ingenuity, to submit sensitive information, and some do. Never respond to such e-mails; report them immediately to the company whose identity is being used as cover. Two checks worth teaching customers: a genuine institution never asks for a password or full account number by e-mail, and a web address should be typed or bookmarked rather than followed from a link in the message.

Criminals use other methods to persuade customers to divulge passwords or other sensitive information. Educate your customers to be wary of information-gathering telephone calls from people claiming to represent legitimate-sounding entities. Conduct periodic staff training on how to respond to such calls, including calls to the institution itself that ask for customer details.

Create and annually review a computer-usage policy that every employee must read and sign at hiring. Restrict system access to the personnel whose jobs require it, grant it to other employees only as needed, and revoke it as soon as it is no longer necessary.

Be sure to collect keys, identification cards and similar items from terminated employees, and disable their computer accounts promptly. Change shared and administrative passwords regularly, and always when someone who knew them leaves.
Create and carry out a defense plan for reducing risk, and write instructions for how to respond if sensitive information is stolen:

• Designate a media contact

• With your attorney, develop advance plans for meeting potential legal issues and for notifying law enforcement and the customers whose information could be compromised

• Create and enforce data-retention policies; destroy unnecessary data and properly store all other information

Hammer security risks

Routinely assess your systems for vulnerabilities and, where weaknesses are found, test them to confirm which are actually exploitable and which areas are most exposed to intrusion. Fix what the tests confirm, then retest.

Firewalls limit what outsiders can reach, and data encryption keeps information unreadable if it is intercepted or a device is lost; together they reduce the risk of a successful external attack. As its name implies, an intrusion detection system can alert you to attempts to penetrate your systems. For internal security, turn on file-access auditing so that audit logs record who accessed specific files and when; it is these logs, not key loggers (which record keystrokes), that show you who opened which file, and they are only useful if someone actually reviews them.
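One way to make file-access audit logs useful in practice is to review them automatically against the access list for a restricted records area and the institution's business hours. The following is an added example written for this page, not code from the article or from BKD; the pipe-delimited log format, the share path, the user names and the business hours are all assumptions, and the log records are constructed. Real audit sources (for instance Windows object-access events or Linux auditd) differ in layout but carry the same fields.

```python
"""Review file-access audit records for a restricted records share.

Added example, not from the article or from BKD. The pipe-delimited log
format, the share path, the user names and the business hours are all
assumptions; real audit sources differ in layout but carry the same
fields: timestamp, user, action, path.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample records in the assumed format: timestamp|user|action|path
SAMPLE_LOG = """
2006-02-27T09:14:02|jsmith|READ|/records/loans/2005/smith-0412.pdf
2006-02-27T13:40:55|mlee|READ|/records/loans/2005/jones-0511.pdf
2006-02-27T22:03:17|jsmith|READ|/records/loans/2005/adams-0633.pdf
2006-02-28T10:02:09|tbrown|COPY|/records/loans/2005/baker-0701.pdf
2006-02-28T10:02:10|tbrown|COPY|/records/loans/2005/carter-0702.pdf
2006-02-28T11:15:41|mlee|READ|/records/public/branch-hours.txt
"""

# Assumed access list: who may open files under each restricted prefix.
AUTHORIZED = {
    "/records/loans/": {"jsmith", "mlee"},
}
BUSINESS_START = time(8, 0)   # assumed business hours
BUSINESS_END = time(18, 0)


@dataclass
class AccessRecord:
    when: datetime
    user: str
    action: str
    path: str


def parse_log(text: str) -> list[AccessRecord]:
    """Parse pipe-delimited records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, path = line.strip().split("|", 3)
        records.append(AccessRecord(datetime.fromisoformat(stamp), user, action, path))
    return records


def restricted_prefix(path: str):
    """Return the restricted prefix a path falls under, or None if unrestricted."""
    for prefix in AUTHORIZED:
        if path.startswith(prefix):
            return prefix
    return None


def outside_business_hours(when: datetime) -> bool:
    """True on weekends or outside BUSINESS_START..BUSINESS_END on a weekday."""
    weekend = when.weekday() >= 5
    return weekend or not (BUSINESS_START <= when.time() <= BUSINESS_END)


def review(records: list[AccessRecord]) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for each record that needs a second look.

    Rule 1: a restricted path accessed by a user not on its access list.
    Rule 2: a restricted path accessed by an authorized user outside
            business hours. Unrestricted paths produce no findings.
    """
    findings = []
    for r in records:
        prefix = restricted_prefix(r.path)
        if prefix is None:
            continue
        if r.user not in AUTHORIZED[prefix]:
            findings.append((r.when.isoformat(), r.user,
                             f"not authorized for {prefix}: {r.action} {r.path}"))
        elif outside_business_hours(r.when):
            findings.append((r.when.isoformat(), r.user,
                             f"after-hours {r.action} of {r.path}"))
    return findings


if __name__ == "__main__":
    for when, user, reason in review(parse_log(SAMPLE_LOG)):
        print(when, user, reason)
```

Run against the constructed log, the review flags jsmith's 22:03 read as after-hours and both of tbrown's copies as unauthorized, while mlee's daytime reads and the access to the public folder are left alone. The access list is the same one used to grant share permissions, so the review is only as good as the revocation discipline the article describes above.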

Simply deleting data doesn't remove it from a computer; deletion only marks the space as free, and the contents remain recoverable until they are overwritten. Before you dispose of a hard drive, have a properly trained professional run a wiping program that overwrites the entire drive, verify the result, or physically destroy the drive.

Use other measures to protect information in paper form. When shredding documents that contain personal information, use a cross-cut shredder that reduces paper to confetti-sized pieces, or consider a commercial shredding service.
Monitor record storage areas and restrict them to the employees who need access to do their jobs, and secure such areas outside business hours.

Stay one step ahead

Criminals will always devise new schemes and tools for stealing sensitive data. To reduce your odds of a successful attack, periodically assess your computer systems and be prepared to revise your plan of defense. Such measures can and do save money and help you avoid costly problems that can damage your institution's reputation and financial well-being.
Make the protection of sensitive information—traditional and electronic—an ongoing part of your daily operations.

Patrick M. Porter, senior consultant with BKD, LLP’s Indianapolis, Indiana office, is a member of BKD’s Fraud & Dispute Consulting team. Patrick assists in fraud prevention and investigation, electronic discovery and litigation support. He also provides internal audit support to clients in the banking industry. Contact the author at pporter@bkd.com.
