A Cybersecurity Guide
Computer-related crimes affecting businesses and consumers are frequently in the news. While federally insured financial institutions are required to have vigorous information security programs to safeguard financial data, financial institution customers also need to know how to steer clear of fraudsters.
This guide, developed by the Federal Deposit Insurance Corporation, provides cybersecurity information for financial institutions’ customers and business customers on how to protect and maintain their own computer systems.
Tips for bank customers:
- Protect your computer. Install software that protects against malware (malicious software), which can access a computer system without your consent to steal passwords or account numbers. Also, use a firewall program to prevent unauthorized access to your PC. While protection options vary, make sure the settings allow for automatic updates.
- Use the strongest method available to log into financial accounts. Use the strongest authentication your financial institution offers, especially for high-risk transactions. Use passwords that are difficult to guess and keep them secret. Create “strong” user IDs and passwords for your computers, mobile devices, and online accounts by using combinations of upper- and lower-case letters, numbers, and symbols that are hard to guess, and change them regularly. Although using the same password or PIN for several accounts can be tempting, doing so means a criminal who obtains one password or PIN can log in to your other accounts.
- Understand Internet safety features. You can have greater confidence that a website is authentic and that it encrypts (scrambles) your information during transmission if the web address starts with “https://”. Also, ensure that you are logged out of financial accounts when you complete your transactions or walk away from the computer. To learn about additional safety steps, review your web browser’s user instructions.
- Be suspicious of unsolicited e-mails asking you to click on a link, download an attachment, or provide account information. It’s easy for cyber criminals to copy the logo of a reputable company or organization into a phishing e-mail. By responding to what appears to be a simple request, you may be installing malware. Your safest strategy is to ignore unsolicited requests, no matter how legitimate or enticing they appear.
- Be careful where and how you connect to the Internet. Only access the Internet for banking or for other activities that involve personal information using your own laptop or mobile device through a known, trusted, and secure connection. A public computer, such as at a hotel business center or public library, and free Wi-Fi networks are not necessarily secure. It can be relatively easy for cyber criminals to intercept the Internet traffic in these locations.
- Be careful when using social networking sites. Cyber criminals use social networking to gather details about individuals, such as their date of birth, a pet’s name, their mother’s maiden name, and other information that can help them figure out passwords – or how to reset them. Don’t share your ‘page’ or access to your information with anyone you don’t know and trust. Cyber criminals may pretend to be your ‘friend’ to convince you to send money or divulge personal information.
- Take precautions with your tablet or smartphone. Consider opting for automatic updates for your device’s operating system and “apps” (applications) when they become available to help reduce your vulnerability to software problems. Never leave your mobile device unattended, and use a password or other security feature to restrict access in case your device is lost or stolen. Make sure you enable the “time-out” or “auto-lock” feature that secures your mobile device when it is left unused for a certain period of time. Research any app before downloading it. Consult your financial institution’s website to confirm where to download its official mobile application.
- Educate yourself. To learn more about cybersecurity, visit the “Stop. Think. Connect.” resource guide at www.stcguide.com/resource-index.
Tips for business customers:
- Protect computers and networks. Install security and antivirus software that protects against malware (malicious software), which can access a computer system without the owner’s consent for a variety of uses, including theft of information. Also, use a firewall program to prevent unauthorized access. Protection options vary, so find one that is right for the size and complexity of your business. Update the software, as appropriate, to keep it current. For example, set antivirus software to run a scan after each update. If you use a wireless (Wi-Fi) network, make sure it is secure and encrypted. Protect access to the router by using strong passwords.
- Require strong authentication. Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices, and online accounts by using combinations of upper- and lower-case letters, numbers, and symbols that are hard to guess and changed regularly. Consider implementing multifactor authentication that requires additional information beyond a password to gain access. Check with vendors that handle sensitive data to see if they offer multifactor authentication to access systems or accounts.
- Control access to data and computers and create user accounts for each employee. Take measures to limit access or use of business computers to authorized individuals. Lock up laptops when not in use as they can be easily stolen or lost. Require each employee to have a separate user account and prohibit employees from sharing accounts. Only give employees access to the specific data systems they need to do their jobs, and don’t let them install software without permission. Also, make sure that only employees who need administrative privileges, such as IT staff and key personnel, have them and regularly review their ongoing need for access.
- Teach employees the basics. Establish security practices and policies for employees, such as appropriate Internet usage guidelines, and set expectations and consequences for policy violations. Establish a top-down corporate culture that stresses the importance of strong cybersecurity, especially when it comes to handling and protecting customer information and other vital data. Ensure that all employees know how to identify and report potential security incidents.
- Train employees to be careful where and how they connect to the Internet. Employees and third parties should only connect to your network using a trusted and secure connection. Public computers, such as at an Internet café, hotel business center, or public library, may not be secure. Also, your employees shouldn’t connect to your business’s network if they are unsure about the wireless connection they are using, as is the case with many free Wi-Fi networks at public “hotspots.” It can be relatively easy for cyber criminals to intercept the Internet traffic in these locations.
- Train employees about the dangers of suspicious emails. Employees need to be suspicious of unsolicited e-mails asking them to click on a link, open an attachment, or provide account information. It’s easy for cyber criminals to copy a reputable company’s or organization’s logo into a phishing e-mail. By complying with what appears to be a simple request, your employees may be installing malware on your network. The safest strategy is to ignore unsolicited requests, no matter how legitimate they appear.
- Patch software in a timely manner. Software vendors regularly provide patches or updates to their products to correct security flaws and improve functionality. A good practice is to download and install these software updates as soon as they are available. It may be most efficient to configure software to install such updates automatically.
- Make backup copies of important systems and data. Regularly back up the data from computers used by your business. Remember to apply the same security measures, such as encryption, to your backup data that you would apply to the original. In addition to automated backups, regularly back up sensitive business data to a storage device at a secure secondary location.
- Pay close attention to your bank accounts and watch for unauthorized withdrawals. Put in place additional controls with your financial institution, such as confirmation calls before financial transfers are authorized. In recent years, there has been an increase in unauthorized electronic transfers made from bank accounts held by businesses. A common scam is an account takeover, where cyber criminals use malicious software, such as keystroke loggers, to obtain the IDs and passwords for online bank accounts and then make withdrawals. Another scam, called Business Email Compromise, targets businesses by forging payment requests for legitimate vendors and directing the funds to the cyber criminal’s account. Businesses are generally not covered by federal consumer protections against unauthorized electronic funds transfers. Therefore, your financial institution may not be responsible for reimbursing losses associated with theft if negligence on the part of your business, such as unsecured computers or falling for common scams, was a factor in the loss.
- Don’t forget about tablets and smartphones. Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your business’s network. If your employees connect their devices to the business’s network, require them to password protect their devices, encrypt their data, and install security apps to prevent criminals from accessing the device while it is connected to public networks. Be sure to develop and enforce reporting procedures for lost or stolen equipment.
- Watch out for fraudulent transactions and bills. Scams can range from payments with a worthless check or a fake credit or debit card to fraudulent returns of merchandise. Be sure you have insurance to protect against risks. Additionally, ensure that you report any irregularities immediately.
- Educate yourself. To learn more about protecting your business, visit the “Stop. Think. Connect.” resources for small businesses at https://www.dhs.gov/publication/stopthinkconnect-small-business-resources.
A free, quick reference guide to cybersecurity best practices is available for download.