Tim Bandos, CISO at Digital Guardian, discusses a range of simple but effective security tips that financial institutions can use to help employees protect sensitive data when working from home.
The importance of data in the financial sector has grown exponentially in recent years, with more and more institutions waking up to the pivotal role it plays in understanding customers, predicting trends and improving overall operational efficiency. However, as reliance on data continues to increase, so too does the need for proper data protection, which in many cases, is still lagging behind where it should be. Adding to this, the seismic shift in work habits over the last 12 months has seen much of the flow of data move out of institutions themselves and into the homes of remote working employees, where it can be much harder to control.
Understandably, the situation has many organisations worried, not least because of the threat of hefty fines and reputational damage resulting from even a minor data breach. Fortunately, there are a number of relatively simple security tips and behaviours that institutions can pass on to employees, helping to maximise data protection both for themselves and for their customers. Below are six of the most effective:
- Make passwords complex and different for every application/account
The humble password is still the first (and often only) line of defence against cybercrime. Unfortunately, it is also the most overlooked layer of data protection. Strong passwords should contain uppercase and lowercase letters, numbers and special characters. Employees should also avoid easily guessed words or alphanumeric combinations, such as the names of pets, birthdays, or other information that can be found by looking at a Facebook profile or performing a quick online search.
- Enable two-factor authentication wherever possible
Two-factor authentication (2FA) adds a valuable extra layer of security in the event that a hacker or fraudster manages to guess a password. Once enabled, it requires a second verification step, such as the answer to a secret question or a personal identification number (PIN), which is usually sent to a second trusted device for added security. 2FA is now far more widely available than it used to be, with nearly all major application providers offering it, so employees should enable it wherever the option exists.
- Install any new patches as soon as they become available
Every day, a slew of new vulnerabilities is found in even the most popular and widely used online tools and applications. Fortunately, the likes of Microsoft, Amazon and Google have an army of security professionals at their disposal to create security patches that close these vulnerabilities as soon as they are found. However, a patch only takes effect once it is installed, which is why it is crucial for employees to install patches immediately. Any delay simply extends the window in which criminals can exploit the vulnerability, increasing the risk to the entire organisation.
- Never click on suspicious emails or links
This is another security 101 lesson that is easy to forget in a chaotic home working environment. If employees receive an email from an unknown source they should not open it, and they certainly should not click on any links or file attachments it contains. If unsure, hovering the cursor over an email link will bring up a box showing exactly where the link goes (which often differs from the text shown in the email). Clicking on a malicious link can have dire consequences, potentially compromising the organisation’s entire network and allowing attackers to steal all kinds of sensitive data. As such, it is vital that employees are regularly reminded of the importance of strong email discipline, particularly when working from home.
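As an added illustration (not code from the article or from Digital Guardian), the following Python script automates the hover check described above: it parses a constructed sample message body and flags any link whose visible text reads like a web address but names a different host from the one the link actually points to. The sample email, domain names and function names are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not from the article): the second link's visible
# text names the bank's own domain, but its href points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Statement: <a href="https://portal.example-bank.com/statements">https://portal.example-bank.com/statements</a></p>
<p>Please visit <a href="http://example-bank.com.login-verify.example.net/reset">
https://www.example-bank.com/reset</a> to confirm your details.</p>
<p>Questions? <a href="https://support.example-bank.com">Contact support</a></p>
"""

# Visible text that itself reads like a URL or bare domain, e.g. "bank.example.com/login"
_URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, normalised visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def _host(url_or_domain):
    """Lowercase hostname of a URL or bare domain, with any leading 'www.' dropped."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    host = (urlparse(url_or_domain).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text looks like a URL but
    names a different host from the one the link actually goes to."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if _URL_LIKE.match(text) and _host(text) != _host(href)]
```

Links with ordinary wording such as "Contact support" are not flagged, since plain text cannot misrepresent a host; that remains a judgement call for the reader hovering over it.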
- Never give out personal information to unknown individuals
This applies in all aspects of life, not just working environments. Social engineering is another method criminals regularly use to glean sensitive passwords and information from unsuspecting employees. Often they will pretend to be a bank, credit card company, or other reputable entity and use scare tactics to make victims hand over information. For instance, they might say ‘we’re calling from your bank because we suspect fraudulent activity is in progress on your account. If you provide your card details now we can verify your ID and block the activity right away’.
Employees must always be vigilant against this kind of approach. If in any doubt about the authenticity of the caller, they should hang up and call the organisation the caller claimed to represent back via authorised channels.
- Turn computers off at the end of each day
Most employees think nothing of simply closing their laptop when they finish work, which puts it into sleep mode. However, for the sake of the extra 30 seconds it takes to boot up the next morning, it is far more secure to switch it off completely. A device left switched on overnight, and usually still connected to the Internet, remains exposed to attack, whereas shutting it down completely removes that exposure. As such, organisations should always encourage a complete switch-off at the end of each day.
As the value of data continues to soar throughout the financial industry, the need to effectively protect it has never been greater. In recent years, many organisations have invested significant sums in robust on-premise data security solutions, only to see the seismic shift to home working render them redundant. However, all is not lost. By taking the time to educate employees on the importance of data security and having them adhere to the tips above, organisations can be confident that their data remains safe during this unprecedented time.
Tim Bandos, CISSP, CISA, CEH, is CISO and VP Managed Security Services at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and a wealth of practical knowledge gained from tracking and hunting advanced threats aimed at stealing highly sensitive data. Most of his career was spent at a Fortune 100 company, where he built an incident response organisation; he now runs Digital Guardian’s global Security Operations Center for Managed Detection & Response.