The Halstead Bank :: Best Practices for Commercial Customers

Best Practices for Commercial Customers

The vast majority of cyber thefts begin with the thieves compromising the computer(s) of the businesses. Perpetrators often monitor the business’s email messages and other activities for days or weeks prior to committing the crime. Businesses are most vulnerable just before a holiday when key employees are on vacation. Another risk period is on a day the business office is relocating or installing new computer equipment. Employees may be distracted and think a problem conducting online banking is due to a new network or equipment. Therefore it is important and necessary for your employees to follow established security practices. To reduce your risks of theft, consider implementing some or all of the following security practices and controls:

Basic Security Practices and Controls

Provide continuous communication and education to employees using online banking systems. Providing enhanced security awareness training will help ensure employees understand the security risks related to their duties;.
Update anti-virus and anti-malware programs frequently;
Update, on a regular basis, all computer software to protect against new security vulnerabilities (patch management practices);
Communicate to employees that passwords should be strong and should not be stored on the device used to access online banking;
Adhere to dual control procedures;
Practice ongoing account monitoring and reconciliation, especially near the end of the day;
Adopt advanced security measures by working with consultants or dedicated IT staff;
Utilize resources provided by trade organizations and agencies that specialize in helping small businesses:

1. The Better Business Bureau’s website on Data Security Made Simpler: http://www.bbb.org/data-security;

2. The Small Business Administration’s (SBA) website on Protecting and Securing Customer Information:

http://community.sba.gov/community/blogs/community-blogs/business-law-advisor/how-small-businesses-can-protect-and-secure-customer-information;

3. The Federal Trade Commission’s (FTC) interactive business guide for protecting data: http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html;

4. The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf;

5. The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, IC3, and FS-ISAC available on the IC3 website (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf ) or the FS-ISAC website (http://www.fsisac.com/files/public/db/p265.pdf); and

6. NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers: http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm.

Report suspicious activity you notice relating to your computer systems or use of your computer systems to the appropriate person and do so as quickly as possible. If you notice suspicious activity relating to accounts at The Halstead Bank or other information security related events, call 316-830-2226 promptly to report that activity to The Halstead Bank.

Warning Signs of Potentially Compromised Computer Systems

Account holders should be the most vigilant in monitoring account activity. You have the ability to detect anomalies or potential fraud prior to or early into an electronic robbery. Some visible warning signs that your system/network may have been compromised include:

Inability to log into online banking (thieves could be blocking customer access so the customer won't see the theft until the criminals have control);
Dramatic loss of computer speed;
Changes in the way things appear on the screen;
Computer locks up so the user is unable to perform any functions;
Unexpected rebooting or restarting of the computer;
Unexpected request for a one time password (or token) in the middle of an online session;
Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenances, etc.);
New or unexpected toolbars and /or icons; and
Inability to shut down or restart the computer.
Keep it up to date (i.e., latest signature files, product upgrades)
Be cautious when downloading and running programs or Java or ActiveX applets as they may contain unsecured data that cannot be filtered using firewall or anti-virus software, for example.
Use extreme caution when opening email received from unknown sources and pay special attention to any attachments. Do not execute an attachment from an unknown source. When in doubt...delete it without opening it.

Information Security, Risk Assessment, and Controls Evaluation

Loss of financial or sensitive personal information can create financial and reputational risks for businesses. It is vital that business owners safeguard their own and their customers' sensitive information. To protect that information we suggest considering the following:

Perform periodic risk assessments and controls evaluations. Identify your riskiest systems and/or exposures and identify controls that could be implemented to mitigate those risks (such as those listed above);
Breaches of credit and debit card information from retail business are common. Loss of that information or other sensitive personal information can create financial and reputational risks. The Payment Card Industry Security Standards Council was launched in 2006 to manage security standards related to card processing. Any merchant that accepts credit or debit cards for payment is required to secure their data based on the standards developed by the council. The PCI Security Standards Council's website https://www.pcisecuritystandards.org/security_standards/index.php notes that non-compliance may lead to lawsuits, cancelled accounts, and monetary fines. The website provides information for small business compliance.

Communication with Others

Use good judgment in communication with others, especially those you do not know.

Keep in mind that The Halstead Bank does not send emails or text messages or make unsolicited phone calls requesting user information. In the event of suspicious or other information security related events please contact us at (316) 830-2226 and ask for the Bank's Compliance Officer or Operations Officer.

Take Advantage of the Opportunities

The Internet is and will continue to be the source of many opportunities. Those who get the most out of those opportunities will be those who use them wisely. Although the foregoing list of guidelines is not exhaustive, it contains some key points that will help you use the Internet in a more secure manner. Use these guidelines along with caution and good judgment.