Featured Article

Modern Day Bank Robbers

3/17/2011

By John Sileo

The Sileo Group, Inc.

Banks are constantly under attack, and not just for the cash in the vault. The goldmine lies in the sensitive data you house, and criminals want it. Unscrupulous competitors want to hire the teller you just fired for the thumb drive full of confidential files they smuggled out. Data thieves salivate over your executives’ LinkedIn profiles, which provide background material for social engineering scams. Cyber criminals are digitally sniffing the wireless connection your customers use in cafés, airports and hotels to login and conduct banking business.

All businesses (not just banks) are under assault by forces that want access to your valuable data: identity records, customer databases, employee files, intellectual property; banks just keep more sensitive information than the average business. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost: $6.75 million) and have no idea how to stop a repeat performance. These are clear, profit-driven reasons to care about who controls your data.

Here are five Information Espionage Hotspots that your bank should address (or re-address) now:

1. Inadequate training. One of the costliest data security mistakes is attempting to train employees from the perspective of the company. This ignores a crucial reality: All privacy is personal. In other words, many people in your organization will not care about data security until they understand what it has to do with them.

Strategy: Give your people the tools to protect themselves personally against identity theft and social networking fraud. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied to business. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases and intellectual property. Go one step further and educate your customers, who are your first line of defense against fraud as they are generally the ones who detect it first and notify you.

2. Human weakness. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, greed or sense of urgency. Social engineering is the craft of extracting information out of you or your staff by pushing buttons that elicit automatic responses.

Strategy: Immunize your workforce against social engineering and poor decision-making. Fraud training teaches your people how to handle requests for login credentials, passwords, employee and customer data, unauthorized building access and an office full of information whose disappearance will land you on the front page of the newspaper. It also educates them on how much can be shared on social networking sites without putting the bank at risk. Don’t just invest in technology; invest in the training to use this powerful equipment safely.

3. Wireless surfing. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unprotected data being sent from your computer to the web. Whether the offender is an employee, executive or customer, the bank is generally the ultimate loser.

Strategy: Have a professional security audit firm perform a risk assessment of your entire computer network. It is amazing how many security audits turn up basic flaws in even the most data-conscious businesses. Here is a laundry list of settings that have been involved in recent data breaches:

    • The use of weak (WEP or none) encryption instead of WPA-2 or better.
    • No MAC address filtering, and SSIDs broadcast in the clear (unmasked).
    • The lack of computer security applied to smartphones.
    • Poor password and auto-login management.
    • Customers who don’t protect their networks, laptops and smartphones, thus compromising bank security.
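The checklist above can be turned into a repeatable audit. The following script is an added example, not code from the article or from The Sileo Group: it scores a constructed inventory of access-point settings against the same items (encryption mode, SSID broadcast, MAC filtering, passphrase quality, auto-login) and reports the worst finding per network. The severity thresholds, the `AccessPoint` fields and the sample inventory are assumptions chosen for illustration; note that SSID hiding and MAC filtering are rated low because they deter only casual discovery, while WPA2-or-better encryption and a strong passphrase are the controls that actually protect traffic.

```python
"""Audit wireless access-point settings against a weak-configuration checklist.
Added example; the inventory below is constructed, not real bank data."""
from dataclasses import dataclass


@dataclass
class AccessPoint:
    name: str
    encryption: str      # "none", "WEP", "WPA", "WPA2" or "WPA3"
    ssid_hidden: bool    # True if the SSID is not broadcast
    mac_filtering: bool  # True if only approved client MAC addresses may join
    passphrase: str      # network passphrase as configured
    auto_login: bool     # True if clients store credentials and join automatically


# Ordering of encryption modes; WPA2 is the minimum acceptable (assumed policy).
ENCRYPTION_RANK = {"NONE": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}
MINIMUM_ENCRYPTION = "WPA2"
MIN_PASSPHRASE_LEN = 12
WEAK_PASSPHRASES = {"password", "admin", "12345678", "letmein"}  # constructed sample


def audit_access_point(ap):
    """Return a list of (severity, message) findings for one access point."""
    findings = []
    mode = ap.encryption.upper()
    if mode not in ENCRYPTION_RANK:
        findings.append(("HIGH", f"unknown encryption mode '{ap.encryption}'; verify manually"))
    elif ENCRYPTION_RANK[mode] < ENCRYPTION_RANK[MINIMUM_ENCRYPTION]:
        findings.append(("HIGH", f"{mode} encryption; reconfigure for {MINIMUM_ENCRYPTION} or better"))
    if ap.passphrase.lower() in WEAK_PASSPHRASES or len(ap.passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(("HIGH", "weak or default passphrase; set a long, unique passphrase"))
    if ap.auto_login:
        findings.append(("MEDIUM", "clients auto-join with stored credentials; require explicit login"))
    # The two checks below are obscurity controls: worth fixing, but never a substitute
    # for strong encryption, so they are rated LOW.
    if not ap.mac_filtering:
        findings.append(("LOW", "no MAC address filtering; restrict joins to known devices"))
    if not ap.ssid_hidden:
        findings.append(("LOW", "SSID broadcast; hiding it reduces casual discovery only"))
    return findings


def audit_inventory(aps):
    """Map each access point name to its findings, worst severity first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return {ap.name: sorted(audit_access_point(ap), key=lambda f: order[f[0]]) for ap in aps}


def highest_severity(findings):
    """Return the worst severity in a findings list, or 'OK' if there are none."""
    for level in ("HIGH", "MEDIUM", "LOW"):
        if any(sev == level for sev, _ in findings):
            return level
    return "OK"


# Constructed inventory: one badly configured branch network, one hardened
# back-office network and an open guest network.
SAMPLE_INVENTORY = [
    AccessPoint("branch-lobby", "WEP", False, False, "password", True),
    AccessPoint("back-office", "WPA2", True, True, "c0rrect-horse-battery-staple", False),
    AccessPoint("guest-wifi", "none", False, False, "", True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {highest_severity(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it as-is to see the three sample networks scored; in practice the inventory would be exported from the wireless controller and fed to `audit_inventory` so the report can be re-run after every configuration change.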

4. Inside spies. Chances are you perform comprehensive background checks less often than you should when hiring a new employee. That is short-sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out of a “digital door” when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer.

Strategy: Invest in a comprehensive background check using a product like CSIdentity SAFE before you hire instead of wasting much more money cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background (with their full knowledge) jumpstarts your intuition and discourages dishonest applicants from the outset.

5. Mobile data. In the most trusted research studies, 36-50% of data breaches originate with the loss of a laptop or mobile computing device (smart phone, thumb drive, etc.). Mobility, consequently, is a double-edged sword; but it’s a sword that businesses will have to accommodate in order to compete.

Strategy: During the risk assessment mentioned above, implement strong passwords, whole disk encryption and remote data-wiping capabilities. Understand the new world of application (app) spying, tapping and malware. In addition, physically lock this goldmine of data down when you aren’t using it.

Your espionage countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your profit margins. But it won’t start working until you do.


John Sileo, of The Sileo Group, Inc., speaks professionally on identity theft, data breach and social networking exposure and is the award-winning author of Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Homeland Security, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.