By Rich McRae and Judy Farmer, Eide Bailly
Keeping your financial institution safe is critical to your success. Without the right security measures and procedures in place, your financial institution can be at risk of cyberattacks, embezzlement and more.
In uncertain times when employees may be working remotely and processes and procedures have changed dramatically, your financial institution’s security is even more important to ensure your business and employees are kept safe.
Cybersecurity is Key
Financial institutions and other businesses that hold people’s sensitive information are prime targets for cybercriminals. Having a proactive approach to cybersecurity is a great way to ensure your customers’ and employees’ data remains safe.
“Technology has helped create enhancements for regulatory compliance and fraud prevention, although it seems as we get more sophisticated with fraud prevention, those trying to commit fraud get more sophisticated as well.”
– Mark Daigle, President and CEO, First National Bank of Durango
Of course, creating a proactive approach can be a challenge. This is a team effort and everyone in your financial institution needs to play a vital role in keeping information safe. There are best practices in two areas that you can start with today to increase your organization’s proactivity: email and internet, and physical devices.
Email and Internet Best Practices
Email and the internet are a key piece of how financial institutions operate and communicate.
Four ideas to help make these areas more secure from cybersecurity threats:
- Think Before Clicking
Investigate email links before clicking them. Once a link has been clicked, there’s no going back — malicious software can now be installed on your computer. Don’t click links unless you know and trust the source and are certain of where the link is sending you. If you are unsure about a link, contact the sender before clicking, or send it to your financial institution’s IT help desk to investigate.
- Secure Browsing
Pay attention to the letter “S.” That simple letter makes all the difference when it comes to secure web browsing. “Http” stands for hypertext transfer protocol, while the “s” at the end stands for — you guessed it — secure. It’s essential to ensure “https” is displayed in the URL you visit, as it shows that the webpage presents a valid security certificate. If you access a webpage without a certificate or with an expired one, there is a chance you are visiting a webpage that could contain viruses, malware and more.
- Cautious Surfing
Don’t surf the internet while using an account that has administrator privileges. If you pick up malware on a computer while using such an account, you have given the malware the same administrator rights you have. Also, consider the Wi-Fi network you are using. Make sure it is secured and password protected.
- Strong Passwords
While a password of “123456” or “password” may be easy to remember, a more complex password can make a huge difference in protecting your data and your financial institution. Strong passwords should:
While having a password of “123456” or “password” may be easy to remember, having more complex passwords can make a huge difference in protecting your data and your financial institution. Strong passwords should:
- Contain at least 12 characters, including upper- and lowercase letters, numbers and special characters
- Be unique to the user — never share them
- Not be reused on multiple accounts
- Change every 60 to 90 days
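The four password rules above can be enforced mechanically at password-change time. The following Python is an added example (not code from the article or from Eide Bailly) that checks a candidate password against the stated length and character-class rules, rejects the two weak passwords the article names (a constructed, deliberately tiny blacklist), compares the candidate against salted hashes of previous passwords so reuse can be detected without storing plaintext, and flags accounts whose password is older than 90 days.

```python
import hashlib
import re
from datetime import date, timedelta

# Policy values taken from the article: 12+ characters, four character classes,
# no reuse of earlier passwords, rotation every 60 to 90 days (90 used as the hard limit).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
# Constructed blacklist for illustration; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the reuse history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def complexity_violations(password: str) -> list[str]:
    """Return the policy rules a candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def is_reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """History holds (salt, hash) pairs of earlier passwords; True if the candidate matches any."""
    return any(hash_password(password, salt) == digest for salt, digest in history)


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the current password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Combine complexity and reuse checks into one list of violations for the user."""
    problems = complexity_violations(password)
    if is_reused(password, history):
        problems.append("reused from password history")
    return problems
```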
Physical Device Best Practices
The actions of your everyday staff, whether they are on-site or working from home, are critical keys to a robust cybersecurity program. Here are some best practices related to your staff and their devices that can help prevent any attacks.
- Lock It Up
Every time you step away from your computer, lock it. While it may seem like a trivial practice, you would be surprised at how often it is not done. Computers contain sensitive information and processes, and when left unlocked there is a possibility that an attacker could gain access to the system. To avoid possible information leaks, remember to always lock your computer when leaving your desk. A quick tip: Press the Windows Key + L to lock your screen quickly.
- Protect Your Device
Patching and updating operating systems and applications is another important security practice. Although patches and updates are released on a regular schedule by vendors such as Microsoft and Adobe, there are times when patches are sent out off schedule to defend against newly discovered threats. As time passes and new threats are discovered, system updating and patching will remain a constant security measure. This is especially true while employees are working remotely and may require additional programs and security systems.
- The Importance of Education
Ensuring all employees are trained in the basics of network, system and information security is a massive piece of your financial institution’s cybersecurity plan. A basic understanding of security, and the ability to identify a potential threat, makes an employee less likely to become a victim. Employees should be trained on security policies and their role in protecting information. They should also be aware of the expectations when it comes to personal use of company-provided equipment, which may include social media use and web browsing. You will also want to train your employees on social engineering and how to identify these attacks, which come in the form of phishing emails, fake calls and more.
- Back It Up
Disasters don’t usually come with much warning. Businesses often aren’t fully prepared for floods, fires, power outages or malicious programs. In these cases, it is possible for businesses to lose information and data stored on devices. The best way to ensure this data is safe is to automatically back up all data daily and store the backups in a secure, off-site location.
- Be Smart with Your Smartphone
Smartphones are another avenue attackers may use to reach sensitive data. In the financial institution world, bankers are often traveling and communicating with clients on the go using their smartphones. Remember to avoid connecting to unsecured Wi-Fi, use strong passwords, and turn off Bluetooth when you aren’t using it.
Watch for Common IT Problems
Many banks rely on a third party for their IT services. However, financial institutions need to know how to check on that third party’s work.
Common Scenarios
A financial institution that has replaced its security systems, such as security cameras and access systems, may have introduced a potential threat. Many times, those cameras or locks are easily accessed by unauthorized people. This happens when system vendors create user logins for the bank to use but leave the administrator accounts at their default settings or leave the passwords blank.
Software patching continues to be a problem for financial institutions, especially when a third party is responsible for it. These problems may exist in Microsoft apps, Java, Adobe and many other applications. The vulnerabilities in these apps have been discovered in some substantial breaches, which have occurred worldwide.
Other systems at risk for security breaches include scanners, phone systems, storage systems, routers and network switches, among others. A person can access these using vendor default credentials, which gives them the power to delete the financial institution’s data storage. Smart TVs and electronic signs are also easily hacked, and the hacker may display malicious content and lock the owner out.
Peace of mind begins with understanding the risk and how to make a strategic plan for prevention, detection and resolution. We’ve created a guide to give you tips to weather the cybersecurity storm.
Utilize HR to Prevent Fraud
Human resources is usually brought into the picture after the act has been discovered. However, having a solid HR plan from the start can minimize the chances of fraud occurring and lessen the effects if fraud does occur.
Begin fraud prevention with the hiring process. Background checks on new hires can help your institution avoid negligent hiring and verify information on a candidate.
Placement services can also be used by smaller organizations to find, vet and verify potential candidates, which helps lessen the business burden.
Items to consider when vetting potential candidates to avoid becoming the next victim of fraud or embezzlement include:
- Verifying education and professional credentials
- Performing background checks that include criminal and credit checks
- Investigating for any wage garnishments, liens or judgments that may be indicative of prior embezzlement history
- Researching for news articles online that may uncover any prior employment activities
You may also want to consider implementing a whistleblower hotline, which provides a confidential way for employees to report wrongful behavior. Not only do hotlines deter illegal and fraudulent behavior, but they can also surface issues before they become severe and can help reduce losses. In some areas, a whistleblower hotline allows tips to be submitted anonymously for all manner of wrongdoing, including:
- Financial: Mistakes and criminal activity can occur in many areas — accounting procedures, lending discrepancies, billing errors and more.
- Ethical: Issues considered to be ethical breaches include code of conduct violation, physical theft, intellectual property theft and more.
- Privacy and Security: These can include identity theft, confidentiality breaches, customer database hacks and tampering with electronic door locks, to name a few.
“When it comes to where we are going in the future, it’s about adapting to change. We don’t do banking as we did 50 or 150 years ago. We don’t even do banking as we did 15 years ago. Everything is going to change around us, and we have to continue to change along with it.”
– Susan Whitson, EVP, First National
The Importance of Internal Audit No Matter Your Bank’s Size
No financial institution is too big or too small to be a fraud victim. A system of internal controls allows management to measure performance, and an internal audit program ensures those controls are implemented to protect your institution.
The Federal Reserve System, OCC, FDIC and NCUA provide guidance on internal audits, and all financial institutions must adhere to regulatory requirements regarding internal controls. An organization’s internal control system consists of management’s environment and procedures, ensuring that risks to key business objectives are identified, evaluated and reduced. These objectives include the reliability of financial reporting, operational effectiveness, regulatory compliance and safeguarding of the institution’s assets.
Components of Internal Control
- Control environment — sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk assessment — the business’s analysis and identification of relevant risks relating to the achievement of its objectives. This forms a basis for determining how the risks should be managed.
- Control activities — procedures and policies which help ensure that management directives are carried out.
- Information and communication — the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring — a process that assesses the quality of the performance of internal control over time.
It is important to remember that independence is critical to the internal audit function. To accomplish the audit function’s objectives, personnel must maintain total independence from your management or other employees.
Recovering Lost Data
Dealing with attacks on your financial institution is tough, and there are many aspects to consider in the recovery period. Recovering money is important, but another issue is data loss and your potential obligation to report it.
Forensic accountants help you recover data in many ways:
- Coordinating with legal services that are well versed in cybersecurity and reporting requirements.
- Investigating information from email accounts, and preserving and analyzing workplace devices used by those with compromised credentials or by those who may have committed fraud internally.
- Collaborating with your IT department (whether third-party or internal) to obtain logs for investigation and to put preventative steps in place to mitigate future risk.
The safety of your financial institution’s data and employees is critical to your success. As your organization navigates through the changes of operating during COVID-19 and beyond, it’s more important than ever to make sure your financial institution is protected.
Rich McRae and Judy Farmer,
Eide Bailly
This story appears in Issue 4 2020-2021 of the Colorado Banker Magazine.