Escalating Defenses

Independent Banker -- Jun 2015

New Jersey’s Provident Bank expands staff training and email encryption to enhance information security

After the epidemic of high-profile nonbank data breaches last year, New Jersey’s Provident Bank took another look at its own security measures and considered ways to beef them up.

“Data protection has always been a major tenet for the bank,” says Nathan Horn-Mitchem, Provident Bank’s vice president and information security officer. But for the $8.5 billion-asset community bank based in Iselin, N.J., data protection isn’t always just about having the right technology protection.

“You can put a lot of tools in place, but you have to start with your user base,” he says, meaning, for Provident Bank, extra IT security training and tools for its employees.

In some ways, the relatively small scale of Provident Bank and other community banks gives them an important cybersecurity advantage over sprawling megabanks and giant companies such as Target Corp. and Sony Pictures Entertainment, Horn-Mitchem says. A smaller scale makes IT security correspondingly more manageable.

Take, for example, the issue of managing administrative privileges for Provident Bank’s computing network. At many large companies, too many high-level “administrator” accounts give too many people direct access to databases, networks and other critical systems, Horn-Mitchem notes. It’s harder to keep track of and control more people, making it easier for attackers to get their hands on one system and then plunder or damage an entire network.

“We only have a handful of users with administrative privileges in our organization,” Horn-Mitchem explains. “They’re members of IT and my department. Activities are logged and our back offices are centralized, so everyone who has administrative privileges sits within a 30-second walk of each other.”

Additionally, Provident Bank’s administrator accounts are linked to individual employees, not to a generic “administrator.” If a hacker tries to use a privileged account of an employee who is not in the office, it would be immediately obvious, Horn-Mitchem points out.

Other kinds of system-access limitations are more effective at Provident Bank and other community banks, he adds. “We have six people at our bank who can get to Facebook, and that’s in the marketing department. If you’re a teller and the branch closes at 6 p.m., you can’t log in after 6:30. So if we see activity on that account, we know that it’s been compromised.”
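The two detection ideas above (a login outside an account’s permitted hours, and a named privileged account being used on a day its owner is not in the office) can be expressed as a small log check. This is an added illustration, not Provident Bank’s or TITUS’s tooling; the policy table, the in-office roster and the log line format are assumptions, and the log lines are constructed.

```python
"""Off-hours and absent-owner login detection (constructed example).
Assumes a per-account policy table and a daily in-office roster exist."""
from datetime import datetime, time

# Constructed policy: permitted login window per account, and whether the
# account is a privileged account tied to one named person.
POLICY = {
    "teller.jdoe": {"window": (time(8, 0), time(18, 30)), "privileged": False},
    "admin.nhorn": {"window": (time(0, 0), time(23, 59, 59)), "privileged": True},
}

# Constructed roster of who was physically in the office on each day.
IN_OFFICE = {"2015-06-10": {"teller.jdoe", "admin.nhorn"}}

# Constructed log lines: "<ISO timestamp> <event> <account> <source host>"
LOG = """\
2015-06-10T09:15:00 LOGIN teller.jdoe branch-ws-04
2015-06-10T19:05:00 LOGIN teller.jdoe branch-ws-04
2015-06-10T14:20:00 LOGIN admin.nhorn hq-ws-11
2015-06-11T22:40:00 LOGIN admin.nhorn vpn-gw
2015-06-10T10:00:00 LOGOUT teller.jdoe branch-ws-04
"""

def parse(line):
    """Split one log line into (timestamp, event, account, source)."""
    ts, event, account, source = line.split()
    return datetime.fromisoformat(ts), event, account, source

def find_suspicious(log_text, policy=POLICY, roster=IN_OFFICE):
    """Return (timestamp, account, reason) for each LOGIN that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, account, source = parse(line)
        if event != "LOGIN":
            continue
        rule = policy.get(account)
        if rule is None:
            findings.append((ts, account, "login by unknown account"))
            continue
        start, end = rule["window"]
        if not (start <= ts.time() <= end):
            findings.append((ts, account, "login outside permitted hours"))
        day = ts.date().isoformat()
        if rule["privileged"] and account not in roster.get(day, set()):
            findings.append((ts, account, "privileged account used while owner not in office"))
    return findings
```

On the constructed log this flags the 19:05 teller login and the 22:40 privileged login on a day the account owner is not on the roster; the in-hours logins and the LOGOUT event pass.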

Training employees

To improve its in-house IT defenses further, Provident Bank decided to increase its employee security training. The bank also stepped up its internal anti-phishing campaign and added more security training for new employees.

The bank has previously run anti-phishing education campaigns for its employees about daily cybersecurity precautions and procedures. It even sent fake emails to employees as unannounced exercises to keep them alert about when not to click on links or open attachments. “We’re pleased with how well the users do, not only not clicking the link but reporting the suspicious emails to my department,” Horn-Mitchem says.

Provident Bank long had a system in place for encrypting outbound emails, and a process by which its staff members could set security levels for their documents. But the system wasn’t perfect, and Horn-Mitchem’s IT security team was spending six hours a week reviewing outbound emails to make sure all outbound communications were appropriately encrypted.

“Other users didn’t always understand what their responsibilities would be if they were to send that data outside the organization,” he says.


So the bank, helped by Ontario-based security vendor TITUS, switched the process around. Now, when an employee wants to send information outside the bank, he or she is prompted to classify the security level of that communication as confidential, sensitive or public. That allows the bank’s encryption system to apply the appropriate level of encryption to the communication.

Horn-Mitchem says that asking employees to decide the classification level of their files right when they send them focuses their attention on the fact that someone outside the company is about to look at the document. Stopping to decide whether the information is sensitive, and how sensitive it is, doesn’t slow down employees very much, he says, but it does make them think. “There was increased awareness among our users about what the data was, and behavior moved to other places, like paper documents.”

The new process, implemented with the help of an outside security vendor, applies to all of the bank’s 1,000 employees, from senior management all the way down to its tellers.

Another benefit is that the time spent reviewing outbound emails has dropped to less than one hour a week.

Upgraded onboarding

In the past, Provident Bank spent only a little time on information security with new hires. Now, that time has been expanded to more than an hour for each employee. But the employees aren’t taught about information security systems. Instead, they learn how to protect their own personal identities and financial information. The idea behind the hands-on training is to change the employees’ mindsets to be more security conscious.

“If you practice strong security habits at home, that behavior comes with you to the office,” Horn-Mitchem says.

As a result of the program, employees now ask Horn-Mitchem about particular processes, and even suggest improvements. “Finally, most of our employees are also customers of the bank,” he adds, “which means we all have skin in the game.”
