10 Practical Cyber Security Action Items

By Meagan Norlund posted 09-06-2018 12:47

NEACH is delighted to welcome guest blogger, Kevin Martin, CRCM, CAMS, Compliance Consultant, Compliance Anchor. This October, National Cybersecurity Awareness Month is commemorating its 15th year as an annual initiative to raise awareness about the importance of cyber security. To draw attention to this national initiative, Kevin has laid out 10 Practical Cyber Security Action Items you should consider. Don't forget to register for our upcoming Cyber Security Incident Response Interactive Workshop.

***

  1. Admit You Are A Target – Whether it is a data breach, ransomware, or some other event, know it can happen to you. Don’t ever say “It won’t happen to me.” Use the following action items to help mitigate your risk.

  2. Use Password Managers – Nobody enjoys creating a strong password every 90 days and keeping a unique password for every application and website. A password manager lets each employee remember one long master passphrase (typically at least 20 characters) while the manager generates and stores a unique, random password for every login. That promotes password complexity and uniqueness, so one breached site does not expose the others, while reducing resets and lock-outs. Protect the master passphrase with multi-factor authentication where the product supports it, because it now unlocks everything.

  3. Limit Computer Based Training – Most companies use some form of computer based training. However, it is not always the best training solution. Try to incorporate live training whenever possible for Cyber Security.

  4. Do Mock Phishing Attacks The Right Way – Mock phishing and social engineering attacks are a valuable training tool when they are used correctly. Keep in mind that people don’t like being tricked, and having too harsh a penalty for being caught in what’s essentially a company sting operation can adversely impact employee morale. Treat a click as a coaching opportunity, and measure the program by whether reporting rates go up over time, not only by who fell for the lure.

  5. Enforce Updates on Everything – Your operating system, applications, browsers, anti-virus, routers, firewalls, etc. all need the most recent patches or firmware to close the vulnerabilities attackers are actively exploiting. Automate the process as much as possible, keep an inventory of your assets, and report against it so you can see which devices are out of compliance rather than trusting users to update on their own.

  6. Practice Good Vendor Management – Sometimes your employees are not the weakest link. Make sure you understand your vendor’s cyber security program, business continuity/disaster recovery plan, incident response plan, and review any recent security audits. 

  7. Limit Outside Devices – Just because you have all the latest and greatest cyber security doesn’t mean your employees do. Access to the network, email server, or critical information with devices not under your control increases the risk of a data breach. Bring Your Own Device (BYOD) is cheaper in the short term, but can result in high data breach remediation costs.

  8. Protect Sensitive Data – Understand your company’s data classification policy and follow it. Keep sensitive data (e.g., SSNs, credit card information, student records, health information, etc.) off of your workstation, laptop, or mobile devices. Securely remove sensitive data files from your system when they are no longer needed. Always encrypt sensitive data, both at rest and in transit. Periodically review what data employees have access to and determine whether it is required for their job duties; remove access that is not.

  9. Use Public Wireless Hot-Spots Wisely – It's easy for someone who wants to intercept your traffic in a man-in-the-middle attack to set up a network named "Free Wi-Fi", or a variation on a nearby venue's name, so that you think it is a legitimate source. If you're in a coffee shop or public library, verify the network name with staff or on signage before connecting. Using a virtual private network (VPN) is one of the best ways to keep your session secure: the VPN client encrypts all traffic between your device and the VPN server, so an intruder on the hotspot cannot read or tamper with it. Keep in mind that the VPN only protects the path to the VPN server; beyond that point you still depend on HTTPS, so never click through a browser certificate warning on public Wi-Fi.

  10. Don’t Plug in Unverified USB Devices – Malware can spread through infected flash drives, external hard drives, and even smartphones. Scan them on a segregated, non-networked device before connecting them to anything on your network, and only when absolutely necessary. Where feasible, disable USB mass storage on workstations centrally (for example, through Group Policy) rather than relying on users to refuse an unknown drive.
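The following is an added example and is not part of Kevin's post: a PowerShell script that audits a Windows workstation against two of the items above, patch currency (item 5) and USB mass-storage lockdown (item 10). The 45-day threshold, the `-Remediate` switch, the script name and the function names are assumptions made for illustration; `Get-HotFix` and the `USBSTOR` service registry key are standard Windows facilities.

```powershell
# Added example (not from the original post): audit one Windows host for two of the
# action items above: patch currency (item 5) and USB mass-storage lockdown (item 10).
# Assumes a Windows 10/11 or Windows Server host; remediation needs an elevated session.
# The 45-day threshold is an assumed policy value, not something the post specifies.

param(
    [int]$MaxPatchAgeDays = 45,   # assumption: no Windows patch in 45 days = out of compliance
    [switch]$Remediate            # when set, disable USB mass storage if it is still enabled
)

# The USBSTOR driver services USB mass-storage devices. Start = 3 loads it on demand
# (the Windows default); Start = 4 disables it so USB disks are never mounted.
$usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-PatchStatus {
    # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty on some entries,
    # so those are filtered out before sorting by install date.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    if (-not $latest) {
        # No dated patch at all is treated as non-compliant rather than unknown.
        return [pscustomobject]@{ LastPatch = $null; AgeDays = $null; Compliant = $false }
    }

    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    [pscustomobject]@{
        LastPatch = $latest.HotFixID
        AgeDays   = $age
        Compliant = ($age -le $MaxPatchAgeDays)
    }
}

function Get-UsbStorageStatus {
    $start = (Get-ItemProperty -Path $usbStorKey -Name Start).Start
    [pscustomobject]@{
        StartValue = $start
        Disabled   = ($start -eq 4)
    }
}

function Disable-UsbStorage {
    # Requires administrator rights; affects new device insertions immediately.
    Set-ItemProperty -Path $usbStorKey -Name Start -Value 4 -Type DWord
}

$patch = Get-PatchStatus
$usb   = Get-UsbStorageStatus

if ($Remediate -and -not $usb.Disabled) {
    Disable-UsbStorage
    $usb = Get-UsbStorageStatus   # re-read so the report reflects the change
}

# One record per host; pipe this into a CSV across the fleet to track item 5 compliance.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    LastHotFix         = $patch.LastPatch
    PatchAgeDays       = $patch.AgeDays
    PatchCompliant     = $patch.Compliant
    UsbStorageDisabled = $usb.Disabled
} | Format-List
```

Run it as, for example, `.\Audit-Workstation.ps1 -MaxPatchAgeDays 30` to report only, or add `-Remediate` from an elevated prompt to lock down USB storage on the spot. Two caveats: `Get-HotFix` only lists Windows updates, so browsers, third-party applications and firmware still need your patch-management tool's reporting; and a registry change on one machine is a stopgap. For a fleet, the equivalent "Removable Storage Access" settings under Group Policy (Computer Configuration, Administrative Templates, System) are the right place to enforce item 10, and this script then serves as the independent check that the policy actually applied.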

***

About Kevin Martin, CRCM, CAMS
Compliance Consultant, Compliance Anchor
https://www.acbb.com/compliance 

Kevin has over 15 years of experience in the mortgage lending and banking industries. Kevin is a graduate of Lebanon Valley College and earned his Certified Regulatory Compliance Manager (CRCM) certification in 2013 as well as his Certified Anti-Money Laundering Specialist (CAMS) certification in 2016.

Prior to joining ACBB Kevin worked for several national banks in lending or compliance management related roles and has spent time in consulting roles for financial institutions of various sizes. Kevin’s areas of concentration have included: BSA, mortgage lending, compliance management systems, information security, and vendor management.
