The Garland Group

5 Tips for Improving Customer Service

Juston Glenn — Thu, 11 Mar 2010 07:13:04 +0000

Cleaning out some old files on my Macbook I came across some customer service notes from my days @XYZ bank (XYZ=Small/Mid size bank). These suggestions were submitted by Information Technology, Proof (Item Processing) and New Account users. I reduced the list to include the most common we see in our daily interactions with banks.

5 Ideas for Improving Customer Service

1) Have bank staff available to greet customers as they come in the doors.
2) Communicate organizational values periodically to all bank staff as well as customers. A mission statement would also be helpful in this regard.
3) Educate employees on all Bank services offered.
4) Initiate telephone training for new employees and as needed for existing employees.
5) Hold department meetings regularly in order to give supervisors a chance to hear what customers are communicating to employees.

The 5 suggestions listed are a good base for increasing customer relations and increasing the detection/prevention of social engineering attacks. These are good suggestions for small/Mid size banks that depend on customer service as their market niche.

Webinar – Vendor Management

Brad — Mon, 08 Mar 2010 13:00:17 +0000

Thanks to all that were able to attend our webinar today on Vendor Management. Also thanks to Denis O’Neil and presenter, Heath Stanley, for contributing such a hot button topic. Our webinar series fall on the 1st Friday of each month and next month (April 2nd @ 11am CST) we will be discussing ‘Enterprise Risk Management’.

Lastly, if you have any topics that you would like to hear about, please drop us a line in the comment section below!

Here are the downloadable slides as well.

Breaking Privacy Laws without breaking privacy laws?

Nik — Thu, 04 Mar 2010 13:00:38 +0000

Recently an Italian court found three Google executives guilty of breaking privacy laws for a video that was uploaded on YouTube in 2006. The video involved the bullying an autistic teenager. Why this gets a little…well interesting is: The video was not uploaded by any of the executives, they were not in the video, and the best part; the video was uploaded on YouTube just before Google even acquired them.

Full article here.

Obviously Google is a bit miffed and is in the process of an appeal. Me, I’m confused what this could mean for any of the hosting services currently out there. Granted the Google executive is the chief privacy officer…but how in the world are they supposed to monitor everything that goes online on a hosting site like YouTube? The scariest part is obviously being help accountable for the information that does go out. Depending if this stands or not should have some sort of impact on how many services would be able to continue.

So does that mean firms are to be held liable for everything that goes on their site? Or how come we haven’t heard anything even close to this back in the states? Many questions are being asked and I guess it was only a matter of time we started to hear about this. One thing that it does do is pose a serious question about the freedom the internet was built on.

I’ll leave with a comment made by Peter Fleischer from Google’s privacy counsel, “It is like prosecuting the post office for hate mail that is sent in the post.”

Tech demands of a new generation of consumers to reshape retail banking

The Community — Tue, 02 Mar 2010 14:58:43 +0000

Ongoing investment in technology by the retail banking sector is essential if the industry is to win the business of a maturing generation of tech-literate consumers who are forsaking traditional physical channels in favour of online consumption of financial products.

Separate studies of Gen Y consumers (those aged between 21 and 29 years of age) by Fiserv and Cisco reveal an up-and-coming generation of fiscally responsible young adults who are more comfortable operating in a digitally-connected environment than preceding generations.

Members of Gen Y are frequent users of online and mobile financial services, the research finds, are more likely to have debit cards and savings accounts than any other generation, and rely heavily on other people and online information when making financial product decisions.

See the rest at Finextra.com

Can You Tweet Securely?

eric — Mon, 01 Mar 2010 13:00:06 +0000

The cynical 140 character or less response to the question is simple: “You don’t need to lock the outhouse door.”

That’s the unfortunate position taken by many who ignore threats posed from data leakage, inappropriate content, lack of centralized IT control, loss of intellectual property, privacy concerns, regulation, and the general lack of confidentiality, integrity and accessibility controls. If past (and present) is any indication of the future, the changes needed to transform Twitter into viable platform for use in the enterprise may be on the horizon, but they’re a long way off. These core issues are compounded by both the explosive growth of the service and far too frequent attacks over the past year. To Twitter’s credit, they responded the most recent events by initiating password changes for users following suspicious accounts that were determined to be threats. While that is a valid reaction, it’s still just that, a reaction.

To better secure Twitter, you would need to address three fundamental aspects of information security: Identity, Authorization and Authentication.

One of the most immediate issues that became known as Twitter gained acceptance was that followers didn’t have a way to verify the identity of a user they were following. Anyone can create a Twitter account under any available name. Just for fun follow abevigoda for a few days. It’s a great gag: someone created a profile that impersonates the actor Abe Vigoda and posts a tweet daily proclaiming that he is alive. While that is fun, it illustrates how easy it has been for people with malicious intent can impersonate you or your company and spread false information. As I write this, Twitter has begun beta testing “verified accounts.” That’s definitely a step in the right direction, but is still concerning in the few accounts Twitter is taking the steps to verify. From their website, they state that they are “starting with well-known accounts that have had problems with impersonation or identity confusion. (For example, well-known artists, athletes, actors, public officials, and public agencies). We may verify more accounts in the future, but because of the cost and time required, we’re only testing this feature with a small set of folks for the time being. As the test progresses we may be able to expand this test to more accounts over the next several months.” They also state that currently they “are not accepting new business verification requests.” So what to do as a business and as a user of Twitter until this feature is ready for primetime? The simplest way to address this as a user is to be wary of who you follow, seek out Twitter accounts in “out of band” ways, i.e. from a company’s website or blog that you are sure is managed by the entity you want to follow or just ask them directly. As a business, be vigilant of your brand and identity. Search Twitter, use lists and monitor trending topics to see who is saying what about you (or as you) and notify Twitter support of accounts with a clear intent to confuse or mislead your customers so they can be permanently suspended.

Authorization is closely linked to identity and is a risk especially for organizations and businesses. Begin with the basics and decide what your policy for using Twitter should be, document it and make sure your employees and contractors are aware of the policy. The best recommendation I have is simply to restrict the business usage of Twitter to specific identified accounts that are authorized to speak on behalf of the organization. If you want to use Twitter to share information such as rate changes or information that requires oversight from compliance, make sure that approval of all messages go through the same publication processes that would be followed for print or website changes. As part of the education process with employees and contractors, ensure that they are aware of threats from data and information leakage posed by posting seemingly innocent tweets. What is considered acceptable behavior covers a wide range, there’s nothing wrong with your employees tweeting from their personal accounts that it’s cold in the office, but tweeting that the network has crashed and they’re waiting on someone to come fix it could provide information for a social engineer to use to gain knowledge of the inner workings of your environment.

It should go without saying that securing your Twitter profile relies on basic rules of strong authentication. Use a long, complex passphrase including alphanumeric and special characters, and change that passphrase as often as your password policy dictates. Although the temptation of convenience of linking Twitter to other services and applications, don’t entrust username and passwords to any third-party application.

While these three steps are the ways for you to securely use Twitter, there are numerous flaws and threats that Twitter must address before it is truly a platform that is secured and appropriate for enterprise use. Twitter’s largest security breaches over the past year were the result of a lax security posture within its own organization. An internal account used to manage their DNS records was compromised as well as documents used by Twitter corporate users were pilfered from a compromised Google Doc’s account. Cross-site scripting vulnerabilities have been identified that allow a malicious user to inject code into a tweet that would allow for the code to be executed on followers machines. These are all definite and real concerns that should be weighed while deciding on your organizations Twitter policy.

RiskKey User Spotlight: Mortgagebot

Courtney — Thu, 25 Feb 2010 20:00:02 +0000

As many of you know RiskKey has value beyond Risk Assessments and Controls Reviews… it can also be used for managing certain projects… especially those related to compliance. Mortgagebot is an industry leader in facilitating online mortgage applications. They use RiskKey to manage responses to various exams and controls reviews. All issues that Mortgagebot feels need a response will receive a corresponding recommendation. This allows them to assign individuals responsible, detail strategic plans and mitigating strategies for identified risks, and manage deadlines. RiskKey helps them stay on top of this by generating alerts as deadlines come due, and providing a centralized dashboard and snapshot of each project’s progress.

Could you use RiskKey? Details here!

The Balancing Act of USB Mass Storage Drives!

Nimal Gunarathna — Thu, 25 Feb 2010 13:00:13 +0000

USB flash drives are a very important part of our day-to-day activities. When a network is down, it provides an alternate method to copy/exchange files between computers. But in the strange world we live in, there is something dark underneath in any great invention, and there is no difference here. The great USB memory stick can be used by bad guys & gals for abusive practices. Not only is your network security at risk here, but your private or sensitive data can simply vanish out of your well protected private network to the wild world out there; who knows how it is going be used. Look at it this way, even if I am an employee of the institution, I can simply bring a contaminated USB memory stick and plug it into my network connected PC, and soon enough, the potential that the whole network could be infected with virus, worms or other unwanted malware skyrockets. The funny thing here is that the user may not be aware of what has happened here. Also, if the user is a bad person then on the way home he/she can take a copy of your highly guarded financial data!

The risks are enormous here, but we need to have a great balancing act between business needs and security, as both go hand-in-hand. In my opinion, the strategy should be based on one of the basic security principles; users should be given authorizations to services such as USB drives, CD/DVD, registry access etc. based on business needs as well as on the least privilege principle. This way you can minimize the potential security risks and continue to keep your business safe from intrusion!

Here is an article that explains how you could disable devices through Microsoft Active Directory Group Policy. Enjoy!

The Value of Collaboration

Natasha — Wed, 24 Feb 2010 03:43:27 +0000

Just recently a news headline screamed “Customers flock to iPhone banking!” I immediately thought the only way a bank could do this is through collaboration and partnering with third parties. Institutions that fail to understand this are leaving money on the table. After a recent chat with a financial institution I fear that many are still missing the new markets, new offerings and new bottom-line that collaboration delivers.

Our customers dictate the way we sell, the way we market, the way we do business. Our Gen Y customers insist on immediate: instant messaging, instant communication, instant customer service and instant banking. So banking as usual is far from the answer. I understand that financial institutions are conservative, not early adopters, and are hesitant in their approach to new product development; however, in today’s economy we cannot say “that’s just the banking industry.” FIs must push past the norm and push the envelope to take their institution to the next level. Collaboration opens this door and provides the vehicle you need to operate more efficiently, make better business decisions, gain business agility, and impact your bottom line.

New Markets
Collaboration gives FIs a wider market reach and access to a customer base that thrives on instant. Embracing social networks, putting banking centers in supermarkets, and mobile applications all help banks and credit unions attract and keep today’s customer. According to ABI Research around 407 million people worldwide will carry out financial transactions with their banks using their mobile phones in 2015.

New Offerings
Financial institutions can gain a competitive edge by bringing new innovative ideas to their product offerings, delivery methods, and customer service. Though research and development and innovation may not be their forte, FIs can partner with innovative third party companies to differentiate their offerings, and faster. In addition, social media and transparent borders allow for a global pool of shared ideas. We can learn a lot from the Asia-Pacific region with their 52.2 million mobile banking subscribers in 2009.

New Bottom-Line
New markets, new offerings and the reduced cost that collaboration brings directly impacts your bottom-line. Research done by Business Week showed that collaboration directly impacts a FI’s bottom line. 49% of FIs surveyed declared that their profitability increased with collaboration while 47% said their revenue growth increased.

So, FIs I urge you to step outside the box. Make collaboration a part of your culture and rub shoulders with cutting edge companies outside your region and even outside your industry. And if you have already taken the bull by the horn, do share with us all your successes and struggles.

To learn more about collaboration and how to incorporate into your culture click here!

The Only Fraud We’ve Seen in Online Banking….lately

Heath — Tue, 23 Feb 2010 18:57:58 +0000

It seems like we say it at least every other week, “The only fraud we’ve seen for online banking has been compromises at commercial customer sites.” And is evidenced by two breaches of high profile banks out of Dallas over the past month.

Plains Capital Bank had a breach at one of their customer’s sites, resulting in over $800,000 being transferred out of the bank and they turned around and sued their customer. PCB may get all their money back, but who wants to pay those court fees, lose a customer and fight that PR battle? In the other breach, the customer is suing Comerica and claiming that Comerica exposed them to phishing schemes. I’m anxious to see what happens in these cases and if banks and customers will turn lawsuits against each other over online banking breaches into a habit.

I mention these cases because they are the only ways that we have seen online banking accounts compromised over the past year or so, and it is becoming more prominent. Several of our clients have been breached by having their cash management customers credentials breached by either a keylogger, trojan, or rogue employee. I’d like to say that they can all be solved with a solid multi-factor authentication implementation, but the Bugat Trojan has found a way to circumvent Random Number Generating tokens.

There are still great risk mitigating ways to prevent your customer’s sites from being compromised including…

IP Restriction

USB Tokens and Random Number Tokens (it is better than nothing)

Text Message Codes or Callbacks

Customer Site Visits

Risk Assessing Customers

I believe this all goes to show banks that picking who you choose to do business with and properly training appropriate customer’s staff and cash management administrators can save bankers a lot of heartache. And from having to sue their customer.

Webinars – Next Generation Compliance

Brad — Fri, 12 Feb 2010 21:07:32 +0000

Thanks to all that attending today’s webinar on ‘Next Generation Compliance’. We hope it was informative and enlightening. As promised, here is the video recording of today’s webinar. We’d love any feedback you could add on the topic today as well as other topics you’d like us to discuss more about. Feel free to mention those in the comments below. Have a great weekend everyone!

For printable slides: Next Generation Compliance