OFFICIAL PUBLICATION OF THE KANSAS BANKERS ASSOCIATION

Pub. 10 2021 Issue 6


Check in on Your Security Routine

Whether you work from home full-time, go to the office a couple of days a week, or work full-time in the office, each of us has adjusted our routines to the new ways of working brought on by the COVID-19 pandemic. With these adjusted routines, it is imperative that we check in on our security routines to ensure the safety of our own information and our customers' information. Some of the tactics we have relied upon in the past can still help us today, even if our routines look different.

So, what does it mean to “check in” on our security routines? Consider these questions:

  • What kind of habits make up a security routine?
  • How can I monitor these habits and controls for myself and my employees as we encounter different types of risk every day?
  • Is there guidance I can turn to for extra tips?

Change Passwords Frequently


Many institutions have implemented policies that force passwords to be changed on a set schedule, which limits how long a stolen or leaked password remains usable. Even if an account you use doesn't have this type of policy in place, consider updating passwords for your frequently used accounts. Whatever the schedule, change a password immediately if you suspect it has been exposed, and make each new password long and unique to that account rather than a small variation of the old one; a password manager makes this practical.

Don’t Share Passwords out of Convenience


If you’re an administrator, manager, or officer of some sort for your institution, you may have elevated administrative privileges for certain accounts. None of your passwords should ever be shared with anyone else, including people within your organization. A shared password can lead to unauthorized access, misuse, alteration, and destruction of data, and it also removes accountability: when several people log in as the same user, audit logs can no longer show who actually performed an action. If a colleague needs the same access, give them their own account with the appropriate privileges instead.

Implement Multi-Factor Authentication


Multi-factor authentication requires a second proof of identity, such as a code from an authenticator app or a hardware token, in addition to the password, so a stolen or guessed password alone is not enough to log in. This is especially helpful for employees working from home who must access your institution’s network over a VPN. Home networks are not always as secure as the network of your financial institution, and your employees should have to verify their identity with a second factor before accessing the company network from a different location.

Track Incidents


One of the best ways we learn is from previous incidents. Whether it’s a phishing attempt, fraud from a customer, or ransomware, each incident should be tracked and analyzed thoroughly: what happened, how it was detected, how it was contained, and what would have stopped it earlier. Documenting incidents this way helps you prepare to handle a similar situation when it arises in the future, and it lets you spot patterns, such as the same department receiving repeated phishing attempts.

Schedule Regular Exercises / Tests


Testing your institution’s response to downtime, closures, or inability to access information prepares you for when those situations occur in real life. Are your employees prepared to continue critical operations if there’s a network outage, or if they cannot report to their normal job site? Documenting these procedures in a business continuity plan is a start, but actually executing them, for example in a scheduled tabletop exercise or a planned failover test, is what identifies gaps and areas that need improvement.

If You’re Unsure, Verify Authenticity


Suspicious emails are still a common problem for many businesses. Phishing emails endanger the well-being of your institution and the safety of customer information. If you receive an email from someone you do not know, or a strange email that you were not expecting, take the necessary steps to verify its legitimacy, for example by calling the sender at a phone number you already have on file rather than one given in the email, or by confirming through your institution’s established channels. While you verify, do not click any links or open attachments in the email, and do not reply to it; report it to your IT or security team instead.

Schedule Annual Security Awareness Training


Improperly trained employees pose a large security risk to your institution. Even employees with low-level access to secure information should be trained to understand the importance of keeping information secure, and how to detect and report problems. Everyone at your institution plays a role in keeping customer and internal information secure, and creating an environment where risks can be taught, discussed, and used for educational purposes is vital. At least once a year, enroll all employees in security awareness training. As part of that training, conduct simulated phishing tests. If certain employees repeatedly fail your simulated phishing tests, take that as an indication that additional security awareness training is needed.

What are my next steps?


As you check in on your security routine, remember that you can always refer to published guidance for additional tools and verification. One of the most useful recent references from the FFIEC is the “Authentication and Access to Financial Institution Services and Systems” guidance, published in August 2021. This guidance focuses on practices you can implement at your institution to keep your customers, employees, and third-party service providers secure in your banking environment. Review this guidance and determine how your institution can improve its security practices here: https://www.ffiec.gov/press/pr081121.htm

Checking in on your security routine not only benefits your own knowledge and skills, but it benefits the overall well-being and security of your information, so your institution can continue to thrive and provide exceptional service.

Samantha Torrez has been working in the customer and IT service industry for almost 10 years. She has been with the Tandem Support Team for five years, building relationships with customers every day as they use the Tandem software. Samantha thrives on providing comprehensive training for her teammates and customers and finding the best solution to each problem she encounters. She has spoken at several conferences and published several blog posts about vendor management, business continuity planning, and more.