Safeguard your bank’s reputation and protect your clients.
Ensuring the security of your customers’ assets is always going to be one of your highest priorities. In the digital age, this seems like it’s getting more and more complicated. At PMC2018, Mike Flynn, examination specialist at the FDIC, discussed safeguards and programs your bank can establish to keep your employees informed and your customers safe.
1. Educate your clients.
Most customers don’t understand how fraud takes place—until it hits their bank or credit card accounts. And often, a customer (or even the bank) won’t notice a cyber attack the moment it occurs; the damage shows up months later, when the data that was breached is put to use.
Don’t be afraid to provide education to your customers. For example, do they even understand the difference between information security and cybersecurity? Although both terms refer to processes used to protect and maintain a bank’s information assets and computer systems, cybersecurity includes the added components of preventing, detecting, and responding to attacks perpetrated using the Internet.
It’s definitely a paradox: You don’t want to upset clients by reminding them fraud is a possibility, but by not educating them, you’re keeping them in the dark—which doesn’t help anyone.
Education works. Think about how customers are more aware of suspicious ATMs than they used to be. This is because of education that banks have provided over the years. We need to do something similar with payments.
2. Educate your employees.
Think about what exactly risk means to your bank. What can happen to your organization in the event of a cyber-attack? In addition to basic business functions and losses, your bank’s reputation can take a hit.
It’s one thing to educate your customers, but also think about your employees. What kind of employee training is in place to increase awareness of proper cyber-safety practices and to protect employees who use email and the Internet? For example, malicious emails and websites are common initial entry points for hackers: What support do employees get when they receive a suspicious email?
Buy-in from all areas of your organization is crucial, too. Information security isn’t just IT’s job. Make it an issue that requires everyone’s input. And when you roll out any new technologies, make sure your compliance and risk folks are at the table, along with IT, operations, and marketing.
3. Develop layered controls.
Any single defense against a hacker could be flawed. No one control is foolproof, so you need a series of defenses to mitigate threats. Having several different lines of defense to cover any gaps in security is known as “layered controls.” Controls can be preventive, detective, or corrective. Make sure your bank has a sustainable and comprehensive program that maintains the security of your assets.
Also, have you implemented stronger authentication for both your employees and your customers? Cybersecurity begins with basic dual-factor authentication. Standard login procedures that need only a username and password aren’t tough to hack. Make sure you at least have dual-factor authentication, which, in addition to the username and password, requires a piece of information only the correct user should have or know.
4. Develop a comprehensive security strategy.
When it comes to technology, it’s easy to get complacent. Say your bank, or an employee at your bank, doesn’t update software as often as necessary. It’s the kind of thing that’s simple to forgo or put off. But eventually, this kind of behavior will force you to replace the entire infrastructure altogether. Your IT and security aren’t just a cost: They support your entire business.
Have you considered a broad range of possible threats to your organization? You need a plan for every kind of threat: In addition to technical failures, your bank may encounter natural disasters, power losses, robbery, and extortion. How does your institution ensure all critical data can be recovered in case of any kind of emergency?
It’s crucial to create—and maintain—a thorough incident response plan that addresses all aspects of handling an emergency. It should list out tasks and who is responsible for them, and spell out all phases of the response, including containment, eradication, recovery, and evidence protection. Run through periodic drills and scenarios with your team to make sure you have a plan you can carry out when an incident happens. Get guidance on developing a cybersecurity incident response plan at our upcoming workshop or webinar.
These days, banks are still being robbed, but not in person. It happens behind the scenes, through ATM skimming and ransomware, and most often through payments, grabbing the money right at the source. These tips can help your customers stay secure and weather any threats.