Pub. 11 2014 Issue 1

Over a Century: Building Better Banks - Helping New Mexico Realize Dreams, Spring 2014, page 17

2. Is a plan in place to communicate your bank's procedures to your customers and offer to assist them in safeguarding accounts? Consider sending notifications to customers by mail rather than, or in addition to, email. When Target notified customers that free credit monitoring services would be available to them, many were dubious of the emails they received, suspecting spam. A letter may offer additional credibility.

3. In addition, provide suggestions on steps customers can take to prevent their systems and accounts from being infiltrated. Educate your customers (and your employees) on the dangers of opening attachments or clicking on links in unsolicited emails. Remind them to be vigilant in monitoring email, as they may see an increase in spam/phishing messages, some possibly posing as a bank or the breached retailer. Encourage them to download only reputable apps onto mobile devices. Be aware of so-called "electronic wallets," as many are designed to harvest bank credentials for others' malevolent use.

4. With the increase in spam/phishing comes a potential increase in DDoS (Distributed Denial of Service) attacks on systems, used as a distraction to divert staff resources and attention from the criminal's real goal: fraudulent wire transfers. The following are some basic reminders to help detect DDoS activity and protect payment systems while it is under way:

• Be up-to-date with security patches and anti-virus software on desktop/laptop machines and servers. Ensure that workstations utilize host-based IPS technology and/or application whitelisting to prevent the execution of unauthorized programs.

• Monitor for spikes in website traffic, as these may indicate DDoS activity. Implement a plan to ensure that employees handling wire transfers are notified during such an event so that wire transfer requests can be more closely scrutinized.

• In addition to bank-hosted security software for browser security and protecting online sessions, consider software that detects, and possibly removes, malware from your customers' machines. Ensure employees do not leave USB tokens in computers connecting to payment systems. Do not allow employees to freely access the Internet or email on the same computers used to initiate payments. Likewise, do not allow employees to access administrative accounts from home computers connected to home networks.

• Consider implementing time-of-day login restrictions for employees with access to payment systems. Monitor employee logins that occur outside normal business hours.

• Restrict access to wire transfer limit settings. Reduce employee wire limits in automated wire systems by requiring a second employee to approve larger wire transfers, and limit the systems from which credentials used for wire authorization can be used. If wire transfer anomaly detection systems are used, consider changing their rules to detect this type of attack and, if possible, create alerts to notify bank administrators if wire transfer limits are modified.

• Review intrusion detection and incident response procedures and consider conducting a mock scenario exercise to ensure familiarity with the plan. Store manuals offline and/or restrict access to training system manuals with enhanced access controls.

We encourage you not to take a wait-and-see approach. From all appearances, cyber-related crimes will only continue to increase in breadth and scope. Consider joining established groups such as FS-ISAC, the Community Institution Council and the Payments Risk Council to take advantage of the security alerts and information they share.
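The monitoring controls in the list above (off-hours logins to payment systems, administrative logins from unmanaged hosts, a second approver above a per-employee wire limit, alerts whenever a wire limit is modified, and traffic spikes that may signal a DDoS) expressed as one set of detection rules run over constructed sample log lines. This is an added example, not code from the article or from any bank's system: the log format, field names, business-hours window, approved-host list and limit threshold are assumptions chosen for the demonstration.

```python
"""Detection rules for the payment-system controls described above.

Added example: the log format ("ts|event|user|key=value ..."), the field
names, the business-hours window, the approved-host list and the
per-employee wire limit are all assumptions made for this demonstration.
"""
from datetime import datetime, time
from statistics import median

# Constructed sample events (not real bank logs). 2014-03-03 is a Monday,
# 2014-03-02 a Sunday. Note that asmith raises jdoe's limit and then
# approves jdoe's large wire: only the limit change itself trips an alert.
SAMPLE_LOG = """\
2014-03-03T09:12:00|login|jdoe|system=wire host=WS-014
2014-03-03T22:47:00|login|jdoe|system=wire host=WS-014
2014-03-02T10:05:00|login|asmith|system=wire host=WS-021
2014-03-03T11:30:00|login|bjones|system=admin host=HOME-PC
2014-03-03T13:02:00|limit_change|asmith|target=jdoe old=25000 new=250000
2014-03-03T13:05:00|wire_request|jdoe|amount=180000 approver=
2014-03-03T13:06:00|wire_request|jdoe|amount=9000 approver=
2014-03-03T13:07:00|wire_request|jdoe|amount=180000 approver=asmith
2014-03-03T13:08:00|wire_request|jdoe|amount=60000 approver=jdoe
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed window for payment-system logins
APPROVED_ADMIN_HOSTS = {"WS-014", "WS-021"}  # assumed bank-managed workstations
PER_EMPLOYEE_WIRE_LIMIT = 25_000             # assumed; larger wires need a second approver


def parse_event(line):
    """Split 'ts|event|user|k=v k=v' into a dict; empty values (approver=) stay ''."""
    ts, event, user, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user, **fields}


def off_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def check_event(e):
    """Return the alert strings raised by one event (empty list if none)."""
    alerts = []
    if e["event"] == "login":
        # Time-of-day restriction on payment-system access.
        if e.get("system") == "wire" and off_hours(e["ts"]):
            alerts.append(f"OFF_HOURS_WIRE_LOGIN user={e['user']} at {e['ts']:%Y-%m-%d %H:%M}")
        # Administrative accounts only from managed workstations, never home PCs.
        if e.get("system") == "admin" and e.get("host") not in APPROVED_ADMIN_HOSTS:
            alerts.append(f"ADMIN_LOGIN_UNMANAGED_HOST user={e['user']} host={e.get('host')}")
    elif e["event"] == "limit_change":
        # Any change to a wire limit is alerted to administrators unconditionally.
        alerts.append(f"WIRE_LIMIT_MODIFIED by={e['user']} target={e.get('target')} "
                      f"{e.get('old')}->{e.get('new')}")
    elif e["event"] == "wire_request":
        # Dual control: wires above the per-employee limit need a different second approver.
        amount = int(e["amount"])
        approver = e.get("approver", "")
        if amount > PER_EMPLOYEE_WIRE_LIMIT:
            if not approver:
                alerts.append(f"WIRE_BLOCKED_NEEDS_SECOND_APPROVER user={e['user']} amount={amount}")
            elif approver == e["user"]:
                alerts.append(f"WIRE_SELF_APPROVAL user={e['user']} amount={amount}")
    return alerts


def run_detections(log_text):
    """Apply check_event to every non-empty line, preserving log order."""
    return [a for line in log_text.splitlines() if line.strip()
            for a in check_event(parse_event(line))]


def traffic_spikes(per_minute, window=5, factor=5):
    """Indexes of minutes whose request count exceeds `factor` x the median of
    the preceding `window` minutes; a crude trigger for the 'notify the wire
    desk' step while a suspected DDoS is under way."""
    spikes = []
    for i in range(window, len(per_minute)):
        baseline = median(per_minute[i - window:i])
        if per_minute[i] > factor * max(baseline, 1):
            spikes.append(i)
    return spikes


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
    # Constructed per-minute web request counts; minutes 6 and 7 are the spike.
    print("traffic spikes at minutes:",
          traffic_spikes([120, 130, 125, 118, 140, 135, 9000, 8800, 130]))
```

Run as-is, the script prints six alerts. The sequence in the sample is the one the article warns about: an insider or a compromised account raises a colleague's wire limit and then acts as the second approver, which passes the dual-control rule, so the limit-change alert is the only control that catches it. That is why the article asks for limit modifications to be alerted to administrators rather than merely logged.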
Talk with your peers: get involved with organizations such as the American Bankers Association, state bankers associations and others to help you and your staff learn and determine best practices and steps for your bank to mitigate risk for both your bank and your customers.
