Recently, First Bank & Trust of The Americas out of New York offered $500 to anyone who purchased a 3-year CD. It was a great deal because in the fine print it also allowed you to use the $500 to fund the CD!
Did you try to click either one of the links in the opening paragraph? If you did, you were just exposed to the oldest trick in the hacker’s book. Even if you didn’t click it, someone else did. Just so you know, there is no such bank or CD offer and those were blank links, and we won’t try to trick you again.
In this episode, Jessica Stone talks with PrecisionLender’s VP of Information Security, Chris Nelms, about what you can do to ensure the safety of your technology and data. Although every bank is different, your IT person will surely love you if you heed this advice.
Hi, and welcome to Lender Performance, your guide to becoming a better lender. I’m your host, Jessica Stone, Client Success Manager, here at Precision Lender. Thanks for joining us. Today I am joined by Chris Nelms, Precision Lender’s Vice-President of Information Security. Chris is our go-to for everything security related, and is really good about keeping the whole company up to speed on best practices for protecting data, hardware, and just really everything with our office, so we thought we’d have him come and share some of his advice with you all. Although every bank is different, your IT person will surely love you if you heed his advice. Thank you for being here with us, Chris.
Thanks for having me, Jess.
Chris, although you’ve joined us on a previous podcast, for those who have missed it, can you introduce yourself and what you do here at Precision Lender?
I’m Chris Nelms and I’m the VP of Information Security. I work with our clients in regards to vendor management and due diligence, but also review our threat and our risk appetite in our internal company, and work with our security.
Awesome. Okay, Chris, so to start off, what are some habits and guidance that you’d imagine a bank’s IT team really hopes that lenders abide by?
Great question. There are a couple of things. One of the biggest things that I always recommend, and it seems simple, is never write your password down. I always make fun of the fact that when I’m working with someone new, I always look under their keyboard for their password just to make sure they’ve not written it down.
Don’t bypass security. That’s one of the biggest things I can stress. There’s a story from where I worked at a bank, where a lender spent all day trying to bypass security. We have a lot of software to prevent our folks from doing things that go against security rules, such as sending Social Security numbers out, account numbers, things in plain text in email.
Well, the lender actually was very happy that he bypassed our security measures, and the way that he did it was he took a picture of an account number and sent it to the customer via text on his phone. We had software in place to stop that inside of the email, to say, “Hey, this has been redacted. You can’t send this,” but he went a couple of ways around it just to get it to him when this could’ve been solved with a simple, “Hey, let’s talk to IT and see if what I’m doing is correct,” because we have a secure way of sending that to a customer.
Wow. Okay, so I’m going to take an opportunity there to say, as we’re kind of going through today’s conversation, for those listening, there are definitely two types of IT teams. There are a lot of people who just kind of execute on tasks: they have a project, or they have directions, and they’re just going to go and execute and make sure that IT is resetting passwords and staying up to date and all that kind of stuff.
Other folks are lucky enough to have people like Chris, as we do, who are really strategic thinkers in the space of information security and technology, and so this is a situation where we’d always say, “Just go to Chris.” Be proactive, and if you have folks that you think are creative thinkers like that on your IT team, go to them and say, “Here’s the situation I’m experiencing. What should I do to help it?” In this situation, you had a way that you could have done it if they had just come to you.
Sure, and IT and information security used to be operational, where you had processes in place that you could mitigate a lot of the risk, but now it’s a lot of forward thinking. What you were doing yesterday won’t work today, so it’s constantly changing and evolving.
Great. Okay, so you have a couple more, I think, tips and tricks for just kind of things people should be remembering.
Sure. Always lock your computer when you leave your office. Same goes for cellphones, if for some reason you have your company email in there. Don’t use your personal email address for communications with clients. It’s just a big no-no. A lot of people will just say, “Well, I can’t get it through my work email. Let’s send it through my personal.” There are guidelines around that, and you just … It’s just bad practice altogether. Then when in doubt, potential spam is the biggest thing. The easiest way into a company is through random phishing attacks, and for those who may not know what phishing is, it’s just an attempt to defraud you by pretending to be someone they’re not. Just use good security practices around that.
Yeah, and I know in the case of Precision Lender, you would always prefer that we bug you and say, “Hey, does this look fishy? Does this look off?” Rather than kind of being like, “This looks okay.”
I would rather spend all day answering you guys, “Is this real or not?” than to have to worry about you guys clicking on a link that may be phishing and then that allows someone to access our company when they didn’t have access to begin with.
Okay, so that’s a great tip, Chris, so overall, stand by your IT team if you have a question. But for someone who’s opening up that email, when they’re initially evaluating it to see does that look weird or not, what are some ways to spot a phishing email or suspicious email?
Sure. The easiest one I can give to you guys to spot a phishing email is it provokes you in emotion: anger, fear, sadness, worry. We’ve all got those emails that says, “Your account’s going to expire. You’ve had some hacking, suspicious activity on your account. You need to act now.” Those things play on your fear. It’s like, “Oh no. I’ve been hacked,” or “Oh no. Someone has access to my information,” when truly it’s just, “I want you to click on this link as quick as possible without thinking about it.”
URLs that contain a misleading domain name: there have been some breaches in the news regarding that, where they’ve had like or similar domain names. That’s something to always look for. The message contains poor spelling or grammar. We’ve all heard about the Nigerian prince who’s left you money. It’s an old one but a good one. The message asks for personal information, user names and passwords; it wants you to re-authenticate or to verify something. Make sure that it’s truly from the company that you sent it from. You didn’t initiate the action.
For example, you’re thinking, “Man, it’d be really nice if IT would hook me up to the printer down the hall,” but you didn’t ask IT and you get an email that says, “You’ve now got access to the printer.” You have to make sure that you initiated the action. It’s not just going to come to you automatically. A message that makes unrealistic threats: “You will be fired for this. You’ll have this problem if you don’t comply,” the IRS scam where they’re going to levy your wages if you don’t reply to this email.
Again, and if something doesn’t look right overall, it doesn’t pass the sniff test, always ask IT. Again, they’re there to help you and to work through the problem with you.
Okay, so moving on, what do you think … I think, we talked about passwords and making sure we don’t write them down and hide them under our keyboards, which I know people do, what are some suggestions for ensuring strong passwords?
Don’t use the standards. Nothing with your name, nothing 1234, and I know a lot of folks hearing this may say, “Oh, I would never use 123456.” But there was a study done on the top ten passwords that came out a while ago. 123456 was one of the top five passwords. Monkey was on there as well, football, some very odd ones, but again, password. People don’t want to remember their passwords because you have a million sites that you need to sign into. They’re trying to keep them all straight. Leading into that, never reuse the same password for multiple sites. I know for the ease and consistency, it allows you to remember it for those 30 days or 90 days before you have to change them again, but what that does is it creates …
If your password gets out, it allows the person who gets that password to log into multiple emails, multiple sites, and again, thinking about your email, you keep everything inside of there, so someone can just do a quick search and see that oh, you have a Google account. Oh, you have an account to Netflix, or to Flixster, or to this website, and with them knowing that password, they can try multiple sites and see what they can end up getting. The biggest thing, and again it’s not a catch-all, but use Two Factor when you have it. Two Factor is a way of saying, “Okay, if they have my password, they’re not going to have the secondary factor to get in.”
Can you give just for maybe people who don’t know what that is, talk through what Two Factor authentication means?
Sure. Going back to Two Factor, it’s a way of having a password but then a secondary device or action that you need to call in order to make the log-in.
Great. I know that for some folks that’s either a different application or a cellphone or something else like to your point, that if they’ve gotten your password, they hopefully don’t have your password and your phone, or and your …
Exactly. Exactly. Again, certain websites will say, “Okay, I’ve detected suspicious activity. We’re going to re-authenticate you and we need a secondary form of authentication,” which could be a text message. It could be an application, or a Google authenticator for example.
We talked about a lot of things that you should definitely be doing when you’re inside your office. There are even more layers of security, so when you’re outside of your office, you need to be making sure of even more things. What are some things that people should definitely be doing when they’re using the internet outside of their office?
The biggest thing that I’ve seen in my experience is we have all the software and firewalls and hardware inside of the bank, but then outside of the bank you’re really relying on your internal folks to use good judgement, so first off, check with your IT people to make sure what you’re allowed to do outside of the network. Some have policies where you can’t remote in from your home laptop, but be aware of what WiFi network you’re connected to. The reason for it is you don’t know who’s on the other side, who has access to that WiFi network, and really who’s listening. Always make sure you stay with your device.
You have your phone, you have your laptop on you, and then make sure those devices are encrypted. Again, that’s something you can check with your IT folks to make sure it’s allowed. Then don’t do anything to bypass the bank’s security. That’s the biggest take-away that I have. If they have rules in place, make sure you follow them. I know it may impede progress a little bit, but I think checking with them first, making sure what you’re allowed to do before you go on a vacation is always good. Again, if you’re on vacation, it’s always great to not take your laptop because you want to have a real nice vacation.
There you go. Okay, so we will end with, Chris, if, what advice do you have for IT teams, especially at banks for some things they can do to keep their team safe?
Sure. I’m going to go on my experience here. In the past, I have purchased firewalls, intrusion detection systems, intrusion prevention systems, and all these automated systems that keep hackers out. Well, the easiest way into an organization, specifically banks, is through the employees, because those employees, you can’t put a piece of software on them to say, “Hey, don’t click that link,” or “Don’t open that attachment.” The biggest thing that I would say is invest more in the human firewall and again, I think it’s Reading Rainbow: the more you know, the better off you are, so working with your employees, designing a robust security training that’s mandatory.
Banks normally have an IT security program, but it’s normally what’s called a BAI course, which allows them to click through a bunch of slides or a PowerPoint presentation, and then they answer some questions at the end. I think making that more engaging to the end user will allow them to retain it more. Make it fun, just because they learn better that way. Then the last thing is just because it worked yesterday does not mean it’s working today. The threats are evolving, the hackers are finding newer, quicker, faster, better ways, so you need to always stay on top of it and just because it worked two weeks ago, yesterday, a month ago, two years ago, it’s not going to work today. You’ve got to constantly reevaluate and plan on change.
Awesome. Well, thank you, Chris. I think we covered a lot of important topics today. That will wrap it up for us for this episode, so thank you again for listening. You can always find us at precisionlender.com/podcast. If you like what you’ve been hearing, please subscribe to our feed in iTunes, SoundCloud or Stitcher. We’d love to get ratings and feedback from you on those platforms. Thanks for tuning in. Until next time, I’m Jessica Stone, and you’ve been listening to Lender Performance.
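The phishing indicators Chris walks through in the interview (emotional pressure, look-alike domain names, requests to re-authenticate or hand over credentials, and links that do not go where their text claims, which is also the trick the opening paragraph plays) can be turned into a small triage script for mail that fails the sniff test. This is an added example, not code from PrecisionLender or the podcast; the trusted-domain list and the two sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristics from the interview: urgency/fear wording, credential requests,
# look-alike domains, and link text that hides a different target.
URGENCY = ("act now", "expire", "suspicious activity", "suspended", "fired", "levy")
CREDENTIAL_ASK = ("password", "re-authenticate", "verify your account", "user name", "username")
# Constructed list of domains the reader's organisation trusts (assumption).
TRUSTED_DOMAINS = {"precisionlender.com", "example-bank.com"}

LINK_RE = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")  # [shown text](real url)

def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def looks_like(domain: str, trusted: str) -> bool:
    """True when a domain borrows a trusted brand name but is not that domain."""
    brand = trusted.split(".")[0]
    return domain != trusted and brand in domain.replace("-", "").replace("_", "")

def triage(sender: str, subject: str, body: str) -> list:
    """Return the phishing indicators found; an empty list means nothing was flagged."""
    findings = []
    text = f"{subject}\n{body}".lower()
    if any(w in text for w in URGENCY):
        findings.append("emotional pressure / urgency")
    if any(w in text for w in CREDENTIAL_ASK):
        findings.append("asks for credentials or re-authentication")
    sender_dom = registrable_domain(sender.split("@")[-1])
    if any(looks_like(sender_dom, t) for t in TRUSTED_DOMAINS):
        findings.append(f"look-alike sender domain: {sender_dom}")
    for shown, href in LINK_RE.findall(body):
        target = registrable_domain(urlparse(href).hostname or "")
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        if shown_host and registrable_domain(shown_host) != target:
            findings.append(f"link text {shown!r} points to {target}")
        if any(looks_like(target, t) for t in TRUSTED_DOMAINS):
            findings.append(f"look-alike link domain: {target}")
    return findings

# Constructed sample messages (not real mail): one phishing lure, one benign notice.
PHISH = ("security@precisionlender-support.com", "Suspicious activity on your account",
         "Your account will expire. Act now and re-authenticate at "
         "[https://precisionlender.com/login](https://precisionlender-support.com/x)")
BENIGN = ("hr@precisionlender.com", "Lunch menu",
          "This week's menu is posted at [https://precisionlender.com/menu](https://precisionlender.com/menu).")

if __name__ == "__main__":
    for msg in (PHISH, BENIGN):
        print(msg[1], "->", triage(*msg) or ["no indicators"])
```

The word lists are deliberately short; in practice they would be tuned to the lures your own staff actually receive, and a hit means "ask IT", not "delete".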