written by Chris Griesemer
One overriding area of concern we see constantly is customer privacy. This has become one of the hottest topics with examiners lately. The examiners have a tendency to tell you to do something without giving any guidance. You will not receive an explanation on how to achieve their goals and sometimes they don’t even explain why.
Customer information is one example. Why does it need to be so secure? This question has a lot of answers, but this article will focus on the internal risks.
How would someone get customer information? There are always threats from outside intruders, but most financial institutions have sound firewalls and intrusion detection and prevention systems set up that make it very difficult to hack into a bank. Instead, your highest risk is on the inside (ex: an employee or other associate). There are many ways they could extract sensitive information but one high risk area that doesn’t get talked about enough is USB devices. These flash drives can hold a significant amount of information. Imagine this scenario: Some banks have a directory filled with loan applications saved as PDF files. That directory would fit nicely on a flash drive that would then fit nicely into the owners pocket as they walked out the door.
What would someone do with this information? Banks have everything an identity thief wants. Loan applications especially, have quality information that a good thief could utilize to steal one of your client’s identity. Once stolen, this information could be used to open a new credit account, purchase a cell phone service and even cause their victim, your client, to have warrants issued in their name for financial crimes that the identity thief committed.
Would you like to know what your identity is worth? Or how much it would sell for on the cybercriminal black market? Go to this website to determine your risk: http://www.everyclickmatters.com/victim/assessment.html
How do you prevent this from happening? First and foremost, live by the rule: minimal rights to do your job. In other words, employees only need access to directories that are needed to perform their job. If they don’t need access to a directory, take it away immediately. Secondly, it is possible to disable USB drives through your server and make USB drives inoperable on that work station. If you choose to disable USB drives on computers, make sure you add those procedures to the hardening section of your Information Security Program.
A few simple precautions can provide a lot of additional security. Please contact us with your questions or concerns.