Information Security Training for Bank Employees

Written by: Bill Fulks • Edited by: Michele McDonough
Published May 8, 2010

A look at some of the best security practices for employees of banking institutions.

Bank Security

Information security awareness for bank employees is very important in maintaining a secure banking institution. I have over five years experience working for a large bank, so I am very familiar with their security policies. I started out working in the fraud department, then moved on to technical support. Whether it is with building security or computer security, banks take these matters very seriously.

Employee Screening

Giving someone a job at a bank will provide them with access to some of the most private and personal details regarding the lives of the bank’s customers. For this reason, you want to make sure that you are hiring trustworthy employees that do not have any kind of shady activities in their past. Make sure all references check out and verify previous employment and education mentioned on the prospective employee’s resume, because you never know who might be trying to infiltrate your financial institution.

Strong Passwords

click to enlarge

One of the most important elements of information security awareness for bank employees is the implementation and enforcement of a strong password policy. This entails using alpha numeric standards for passwords that force employees to use passwords that are not easily guessed. It also involves regularly updating passwords for banking systems, preferably on a monthly basis. All it takes is one password to access some systems that could provide a snoop with tons of information on customers or the bank itself, so it is very important to keep things locked down.

You should also make sure your employees are not taking shortcuts by writing passwords on notes and leaving them anywhere near their desk, as this happens often. At the bank where I worked, most people had to manage four different passwords for four different systems. We regularly had to change people’s passwords because they either forgot them or locked themselves out of a system. Although most employees will look upon the frequent password changes as an annoyance, it is an unfortunate necessity in keeping the bank’s systems secure.

Lock Down Workstations

click to enlarge

With fake virus scanners and keyloggers being so prevalent on the internet, it is common practice to limit or disable online access to certain computers within the bank system. Because many malware programs are designed to circumvent even the most up to date security software, it is sometimes necessary to cut off internet access altogether for employees like tellers who don’t need online access as part of their job. For those who do have online access, a strict internet usage policy should be enforced.

Another big problem is unattended workstations that are left logged in. A security policy should be enforced that requires users to either log out or lock down their computer while they are away from their desk. This includes bathroom and lunch breaks as well as when the employee leaves at the end of their shift. Leaving a computer logged in is like leaving the front door of your house wide open while you are away.

Know Your Fellow Employees

Passwords and online security policies aren’t the only important factors in raising information security awareness for bank employees. Another big issue is knowing who actually works for the bank. One scenario my bank used in training was where someone would sneak into an office and pose as a member of technical support, then sit down at an empty desk and start digging around in the system.

Bank employees should question any unfamiliar person in their area, or at least make sure someone in management is able to identify who is sitting at a desk. Sometimes all it takes is a nicely dressed person with a toolkit and a fake ID badge to get on a system for a few minutes and breach all kinds of security measures while everyone else around them remains oblivious.

Bill Fulks May 9, 2010 10:44 PM

Gary

Gary, your examples there show that passwords aren't the only factor in keeping things secure in banking. You can make all the password rules you want, but it won't be enough as long as people are surfing the net, infecting machines with keyloggers, hiring untrustworthy employees, and so on. Biometrics are great, but also add more expense to the system. Thanks for the comment!

Gary Hinson May 9, 2010 3:33 PM

Passwords

I'm puzzled, Bill, by your insistance that changing passwords frequently enhances security when you admit that employees resort to writing their passwords down in an attempt to remember them. Surely it's better to help them choose a long, strong and memorable password that they do NOT need to change for a decent period (at least 3 months)? Or to use a password vault program to help them manage their passwords securely?

Oh and for bank tellers, I'd suggest that biometric authentication, or some other form of two-factor authentication, is a reasonable response to the risks of unauthorized use.