Online Security Tips for Business

Your Online Security & Preventing Identity Theft

 

A Guide for Reducing the Risk of Data Breach and Fraud

 

Introduction

Fidelity Bank is committed to providing our customers with a safe and secure online operating environment.Sometimes even with the best security in place bad things can happen. Over the past few years cyber criminals have significantly increased their level of activity and their level of sophistication in order to attack banks and their customers. We have put together the following security guidelines to help our customers decrease their chances of falling victim to cyber-attacks.

These guidelines expand upon a three-part risk management framework developed by the United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3), and the Financial Services – Information Sharing and Analysis Center (FS-ISAC). Fundamentally, best practices for managing information security risks in terms of processes and controls center the following core elements:

  • Protect

  • Detect

  • Respond

The following best practices have been compiled for each of the recommended processes and controls under the Protect, Detect, and Respond framework. These best practices are not an all-inclusive list and are provided as guidance to assist in implementing processes and controls needed to reduce the risk of identity theft and fraud.

Cybercrime is a Significant Threat

  • Criminals target victims by various online scams such as sending malicious email attachments or malicious websites (including Social Networking sites).

  • Victims unknowingly install malicious software by clicking on a link embedded in an email or visiting an infected Internet site.

  • It is important to remember that electronic crimes are dynamic as cyber-criminals continually change their techniques. Additional changes in risk management processes and controls will be necessary as this type of theft continues to evolve.

Key Steps to Protect Your Data and Systems – This Applies to Systems Used to Perform Financial Transactions in Particular

  1. Install and maintain real-time anti-virus, anti-spyware desktop firewall and malware detection and removal programs; Use these tools regularly to scan your computer. Allow for automatic updates and scheduled scans.

  2. Install and maintain Spam Filters.

  3. Firewalls should be used and the rules should only allow services that are required for conducting business. Change the default passwords for your firewalls.

  4. Update, on a regular basis, all computer software (operating systems and all applications) to protect against new security vulnerabilities (patch management practices).

  5. Communicate to employees that passwords should be strong and should not be stored on the device used to access online banking. Passwords should also be kept in a secure place.

  6. Adopt advanced security measures by working with security consultants or dedicated IT staff;

  7. Periodically review employee access rights to internal and online systems, make sure access levels are appropriate for job responsibilities.

  8. Remove employee access promptly upon termination.

  9. It is highly recommended that users do not have administrative rights on their work computers to prevent unauthorized software from being downloaded (business owners should discuss this with their IT departments or service providers).

  10. Utilize resources provided by trade organizations and agencies that specialize in helping small businesses.

  11. Implement procedures to alert us if you suspect a problem.

  12. Download the bank provided anti malware detection software: Trusteer Rapport

  13. Subscribe to security education resources (See Appendix A).

It is highly recommend that you consider the following with regards to systems used to perform financial transactions:

  1. It is highly recommended that a dual control process is implemented, which requires one employee to setup a transaction and another to approve the transaction. If you have any questions about this type of control we will be happy to discuss this with you.

  2. Consider using a dedicated PC that is used exclusively for performing financial transactions. This PC should NOT be used for sending or receiving email or browsing the Internet.

Detect Issues Before They Become Serious

Detection is closely associated with protection, as some measures to protect against electronic theft will also be an indication that a theft is being attempted. You should be alert for some red flags related to computer and network anomalies:

  1. Passwords no longer work.

  2. Unexplained inability to log into online banking system.

  3. Sudden and dramatic loss of computer speed.

  4. Sudden changes in the way web pages, graphics, text or icons appear.

  5. Computer lock up so the user is unable to perform any functions.

  6. Unexpected rebooting or restarting of computer.

  7. Unexpected request for a one-time password (or token) in the middle of an online session.

  8. Unusual pop-up messages, especially a message in the middle of a session that says the connection to the institution’s system is not working (system unavailable, down for maintenance, etc.); “try back later” or “system is undergoing maintenance”.

  9. New or unexpected toolbars and/or icons.

  10. Inability to shut down or restart.

  11. It is VERY important to ensure that system and operating system logs are configured to capture critical security information. Monitoring these logs may prevent an issue from occurring and will help to determine what actually happened when or if an event does occur.

Respond

  1. You should immediately contact us if you suspect that online banking credentials have been compromised.

  2. Consider that your email may have also been taken-over and may not be a secure method of communicating information. Calling us is the best way to communicate that there may be an issue.

  3. Contact your IT Department or service provider and report the issue to them as soon as possible.

 


APPENDIX A

Information Security Resources

1. The Small Business Administration’s (SBA) website on Protecting and Securing Customer Information:https://www.sba.gov/blogs/how-small-businesses-can-protect-and-secure-customer-information;
2. The Federal Trade Commission’s (FTC) interactive business guide for protecting data:
http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html; and
3. The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir- 7621.pdf.

APPENDIX B

Be Aware

  1. Fidelity Bank will never directly contact you via email to install software upgrades. Such messages should be treated as fraudulent and you should permanently delete these messages and not click on any links.

  2. Messages or inquiries from the Internal Revenue Service, Better Business Bureau, FDIC, and almost any other organization asking you to install software, provide account information or access credentials are most likely fraudulent.

  3. Phone calls and text messages requesting sensitive information are likely fraudulent. If in doubt, you should contact the organization at the phone number that you obtained from a reliable source. You should not call phone numbers (even with local prefixes) that are listed in the suspicious email or text message.

APPENDIX C

Incident Response Plan

Since each business is unique, you should write your own incident response plan. A general template would include:

  1. IT Department / service provider contact numbers;

    • Fidelity Bank contact numbers:

      • Cash Management Operations 978.870.1472

      • Call Center 800.581.5363.

  2. Limit further unauthorized transactions:

    • Change user and administrative passwords;

    • Disconnect computers used for Internet banking;

    • Request a temporary hold on all transactions until out-of-band confirmations can be made;

    • Contact your insurance carrier;

    • Work with your IT Department, service provider, and dedicated information security specialists (preferred) to review your systems; and contact law enforcement if you suspect a crime has been committed.