Industry Insights by Ann Nickolas, Vice President, National Accounts, Shred-it
With so much confidential information in their trust, it seems obvious that banks and other financial institutions would have stellar data security strategies in place. However, with one in four financial institutions admitting that they’ve never trained their staff on information security policies or do not even have information security policies in place, quite the opposite appears to be true.
While many businesses are increasingly investing in digital security safeguards in light of heightened cyber attacks, physical data is often overlooked. As a result, many financial institutions have gaps in their information security strategies because they neglect to address how physical data should be safely handled and processed in the office, leaving themselves exposed to a range of negligent employee behaviors.
With August 5 marking the start of National Fraud Awareness Week, there is no better time for financial institutions to take a second look at their existing information security protocols and ask themselves whether or not they’re covering all their bases when it comes to the protection of both digital and physical data. To create an all-encompassing security strategy, there are several aspects that financial institutions need to consider:
Knowledge is power—Invest in employee training. With 25 percent of information breaches caused by employee error, it’s evident that employee training on the handling of physical data is widely needed; however, a shocking 30 percent of financial firms admit that they don’t train employees on physical information security best practices.
It’s important to create guidelines for managing physical data as it pertains to handling confidential documents and devices containing sensitive information both inside and outside the office. With two in five financial institutions admitting that employees have lost items containing sensitive customer data—including mobile phones, laptops and company USB drives—it’s clear that financial institutions need to be proactive in establishing a culture committed to data security at all levels.
Leaders can develop a continued culture of information security by developing a data security plan that details how employees should handle the sensitive information they interact with regularly, whether this means encouraging employees to double-check that they have all notes and paperwork in their possession when traveling outside the office or simply advising that all confidential documents and devices be securely locked away or shredded before being discarded.
Furthermore, offering ongoing training opportunities for employees is essential to driving these messages home and embedding these principles into everyday work functions. Conducting regular information sessions, especially for new employees, is a great rule of thumb to inform new hires of your individual security standards and expectations. Regular training sessions will also serve as an opportunity for seasoned employees to refresh their knowledge. As a supplementary precaution, leadership should implement regular review procedures to identify any issues and assess employee progress following training sessions.
Create a compliance checklist. Like most businesses that work with private and confidential information, financial institutions are heavily regulated and need to be aware of the different privacy laws and legislation impacting the industry. For example, the Gramm-Leach-Bliley Act covers the protection and privacy of consumer information in the financial services industry and requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data.
It’s helpful to develop a security policy handbook that employees can use to understand existing and new industry regulations. The General Data Protection Regulation (GDPR), for example, came into full effect in May and will impact financial institutions that process information belonging to EU citizens. With regard to GDPR, the handbook should articulate that any employee who obtains information from EU residents must keep a record of the category of data collected/received and document how long it has been stored before being securely destroyed. This guideline should also detail the safest information-storage and destruction methods for this data, in both physical and digital formats.
By documenting these strategies and guidelines, businesses can ensure that day-to-day processes are in compliance with industry regulations, including making updates to the way client information is received, treated and transferred, both internally and to third-party businesses.
Keep confidential information under lock. The paper trail of sensitive information that banks and financial institutions generate is not always considered to be as risky as the computers and devices containing digital data. However, the first step toward establishing a culture committed to data security is to identify your business’ information security strengths and weaknesses. This should include reviewing how physical data is processed and handled. The most vulnerable physical information often lies in unassuming places—think printers, messy desks, old storage bins and employee recycling bins that are scattered and unattended throughout the office. These risk points are vulnerable to both insider and outsider threats because they could contain documents that share sensitive client and company information.
To prevent breaches or non-compliance, it is helpful to develop a document-management process that details how to organize physical documents securely for storage, retrieval and record-keeping. Key areas to include within the document-management process:
- Determine a lifespan for physical documents. Financial institutions must keep tabs on which sensitive materials—from W-2s to bank and insurance statements—are being stored within the office, and how, in order to maintain compliance and avoid the risky pile-up of confidential documents.
- For documents that need to be filed, make sure they’re being kept in secure, locked filing cabinets and that only critical employees have access to the locked console.
- Think twice before tossing. For any documents that need to be discarded, ensure they are securely shredded before throwing them in the trash.
Ultimately, the widespread damage resulting from a breach or non-compliant behavior can make or break a business, no matter its size. Consider National Fraud Awareness Week as an opportunity to develop an environment that prioritizes data security and to ensure that your employees are equipped with the knowledge your business depends on to maintain compliance and security. Your reputation and longevity depend on it.
With a history of senior leadership roles in companies like Compass, Cintas and Coca-Cola, Ann Nickolas offers a unique perspective on information security and privacy challenges. She is vice president of Shred-it, which offers products, services, policies and training to help businesses secure their financial information.
Published in Bankers Digest August 6, 2018