Articles

When you consider your bank's security awareness training, what comes to mind? Maybe you think of an hour-long lecture you present (or attend) on an annual basis. Maybe you think of an online program you watched or a lengthy document you read. Whatever may come to mind, it is important to ask the question: How effective is this training?

TD Ameritrade Institutional and the Financial Planning Association Research and Practice Institute published a study in September 2016 describing how advisory firms manage cybersecurity awareness training. The results were not far from what I have come to know from time I have spent with banks. The study showed the vast majority (88%) of respondent firms said they spend two hours or less annually in on-going cybersecurity awareness training. Fifty percent of the same group said they conduct this training semi-annually or annually.

Intrusion Detection Systems (IDS) have been around for over thirty years, dating back to the Intrusion Detection Expert System (IDES) in the mid 1980's. Intrusion detection technology continued to evolve with the introduction of Host-based, Network-based and Network behavior analysis systems. Additionally, systems capable of blocking malicious traffic, Intrusion Prevention Systems (IPS), originated from IDS.

Intrusion Detection and Prevention Systems (IDPS) traditionally have been hosted on systems dedicated to the task of detecting and responding to malicious network traffic. Over the last several years, security appliances that fill multiple roles such as firewall, VPN, Internet filtering, antivirus, and IDPS have been placed on the market by multiple vendors. These devices, also known by the name Unified Threat Management (UTM), may not always provide true IDPS services since the device may not have adequate system resources or may require additional licenses or hardware modules. This can leave a device owner believing they are protected by and IDPS, when in fact they are not.

In 1982, a Coke machine at Carnegie Mellon University was modified to connect to the Internet and report inventory and temperature status. In 1985, the first alleged use of the term "Internet of Things" was by Peter T. Lewis before a technical panel organized by the FCC and U.S. Department of Commerce Minority Enterprise Telecommunications Seminars. It is only in recent years, however, that the Internet of Things, or IoT for short, has really taken off and influenced our daily lives.

Assessing risk is all about extrapolating meaning from potential. In other words, look at what could happen and consider how those things would affect you. The process can be as complicated or as simple as you choose to make it. At the end of the day, risk assessments are a way to become aware of potential issues and of controls to alleviate those dangers. You do not have to think of every potential scenario. In fact, considering what is common covers the majority of threats.

Floods. Hurricanes. Tornadoes. Fire. Power outages. The zombie apocalypse (well, maybe not that one). You don't have to be in banking to know these threats exist in our world. Although they may not have an exhaustive, board approved Business Continuity Plan ready to go in an emergency, the average person has some awareness that disasters occur and an instinct on what to do:

"The hurricane is projected to make landfall – shutter the windows and head to aunt Martha's."

"There's been a fire – call 911, get out of the building, stop, drop, and roll."

Elementary, right? What about this one:

ADA website accessibility is a trending topic in the community banking industry. Why? Recently several financial institutions have received letters threatening lawsuits because banking websites are not "accessible." The Americans with Disabilities Act (ADA), enacted in 1990, is a civil rights law created to prohibit discrimination against individuals with disabilities. In 2010, the Department of Justice (DOJ) initiated the rulemaking process concerning website accessibility. This process consists of calls for public comments on proposed rules, impact and cost analysis, and finally acceptance into the federal register. Since 2010, the process has been continually delayed. As of right now, finalized rules are expected to be released sometime in 2018, leaving no clear guidelines to follow at the moment. Without these guidelines in place, how can your bank protect itself from opportunistic legal battles while committing to provide an accessible site to your customers? Accessibility policies and vendor management are the answer.

There has been a lot of attention on website ADA compliance over the past few months.  Several community banks have received demanding letters from law firms alleging the bank is violating the Americans with Disabilities Act (ADA).  Purportedly these letters claim that unless the bank modifies its website to meet the World Wide Web Consortium's Web Content Accessibility Guidelines (WCAG), the bank will continue to violate ADA.  So, what does this mean?  Let's take a look at some common questions banks are asking about ADA compliance.

What is ADA compliance?

If you spend much time with teenagers, you know they use a special version of the English language. A few months ago, I was introduced to the term "on fleek." Personally, I never liked it, but by the time I worked up enough courage to use the term in a conversation, I was informed, "Alyssa, 'on fleek' is so last year. Now, we say 'lit'." (Rolling my eyes here.) While both terms can be used to describe something "awesome," I tell you this to emphasize how difficult it can be to understand another language.

Raise your hand if you are tired of constantly changing your password and sticking to whatever arbitrary rules seem to be in place at the time. Okay, now put your hand down because you are most likely drawing unnecessary attention to yourself, especially if you are in a coffee shop or on your couch at home surrounded by family. Everyone seems to grumble about password length and expirations, but the truth is: strong passwords are a necessary complication and their use isn't going away anytime soon. If anything, password complexity guidelines are shifting to be even more stringent, although there may be some light at the end of the extremely long tunnel.