This post will begin a series of 5 topics that I consider to be good candidates for increased regulatory scrutiny in the coming year. For each topic, I will make the case for increased scrutiny based on 3 criteria:
- Recent audit and examination experience,
- Regulatory changes, and
- Recent events.
In keeping with my policy of trying to provide clear actionable solutions to each challenge, I will also provide suggestions to keep you ahead of the trend.
The first topic is actually making its debut appearance this year, and although training has always been important for financial institutions, it only recently crept into the top 5. And this is really a two-part trend;
Employee training and Customer training.
First, the case for employee training. I have always placed the importance of this in the top 10, but a recent event and examination experience have moved this into my top 5. The recent event is the RSA breach, which I first wrote about here right after the news broke in March, and again here a couple of months ago. This turned out to be a rather standard social engineering attack conducted over a long period of time exploiting the trust of a single employee. The FFIEC defines social engineering this way:
Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.
Additionally we continue to see employee security policy and awareness training questions in every pre-examination questionnaire, regardless of whether the examiners are Federal or State. With the increased use of social media by financial institutions, and the understanding that the employee is still the weak link in the security chain*, I predict increased need for, and emphasis on, employee training.
Customer training has always been a best practice, but it’s now a requirement. Also referred to as customer awareness and education, the case for customer training as a trend is two-fold. The first is the recent updated FFIEC guidance on Internet authentication. Customer training is listed as one of the effective controls that may be included in a layered security program for both retail and commercial account holders with Internet access capability (in other words, almost all account holders), and compliance starts in January. According to the FFIEC, customer training should contain, at a minimum:
- An explanation of what is, and what isn’t, covered under Reg E.
- Under what circumstances the institution may contact the customer and request log on credentials. This one is the most important, and even though the answer is probably “never”, it can’t be repeated enough.
- A strong suggestion that the customer perform their own risk assessment. (The verbiage in the guidance actually leaves out the word “strong”…I added it.)
- To go with the previous risk assessment, a list of possible controls that the customer may consider, including where they may get additional assistance. (Institutions may be tempted to offer their own assistance, but I recommend against it. Not only may this prove to be a resource drain, it may also inadvertently set you up for a liability claim if a customer does experience a breach.)
- A list of institution names and contact numbers for the customer to use in the event they notice suspicious account activity. Make sure to include off-hour contact information if applicable, as most recent exploits have occurred on weekends and other non-business hours.
The second reason for the importance of customer training is the realization by the fraudsters that customers are an easy target. As one recent example of this trend, Trusteer just issued a warning that fraudsters are actually setting up call centers to facilitate ID theft by targeting merchants. This goes way beyond simply installing malware and grabbing login credentials, this attacks the most secure elements in the transaction chain; controls such as the one-time passwords, IP blocks (black lists) and positive pay (white lists). Although the actual details of the attack are fascinating…and frightening…at its core this is really nothing more than an extremely sophisticated social engineering attack, and as such the standard social engineering controls apply.
In summary, re-examine your employee AND customer training and awareness programs, and plan on increasing your training in both areas in 2012. Make sure your customer training contains at least the minimum elements, and that you periodically repeat the training. Finally, conduct testing on both groups to validate comprehension where you can (easier for employees than customers), and document everything!