Carolina Bank Cracks the Security Code

Building a robust and effective security framework is an ongoing challenge for organizations large and small. Businesses that approach things too aggressively and lock down security too tightly make it difficult for employees and customers to complete tasks—and sometimes unwittingly encourage people to bypass protections. But leaving systems too open is a recipe for disaster.

“It’s critical to find the right balance,” says Robert Braswell, president and CEO of Carolina Bank, which operates nine branches and a residential loan production office in North Carolina. He adds that the bank focuses on personal connections and a high level of service, so balance is essential.

Many employees at Carolina Bank use laptops and other mobile devices to handle a variety of business transactions and interactions in the field. These include audits, work with sensitive data, and the processes involved in residential and commercial lending.

“We have staff with varying levels of IT sophistication, so we were looking for a common but easy way to use an authentication system that would provide a high level of security as well as usability,” Braswell explains. “And we had to ensure that only authorized employees could access documents and files from remote locations.”

Turning to Multifactor Authentication

After examining and reviewing the bank’s security practices, a security committee recommended a multifactor authentication approach. Not only would it provide a better and more secure way to manage data, it would also help boost compliance with industry regulations.

As a result, the bank turned to SMS Passcode, a multifactor authentication solution, to provide secure remote access to its Citrix and Outlook Web Access systems. SMS Passcode, which went live in December 2014, replaced a more basic system that required user names, passwords and a physical token.

Every time employees log into the bank’s IT system remotely, they receive a randomly generated text code on their mobile phone and use that to sign on. The one-time code is valid for only two minutes.

Employees obtain the code by logging into a secure Web page. The system instantly generates the code and sends the text message.

The bank also uses geofencing techniques to restrict access from outside the state. If an employee is traveling, he or she must notify IT so that it can temporarily register the exception.
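The controls described above (a random one-time code valid for two minutes, plus a geofence with IT-registered travel exceptions) can be sketched server-side as follows. This is an added example, not code from SMS Passcode or Carolina Bank; the `OtpGate` class, the region labels, the six-digit code length and the three-attempt limit are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 120       # seconds: the article states the code is valid for two minutes
HOME_REGION = "NC"   # assumed label for the bank's home state
MAX_ATTEMPTS = 3     # assumed guess limit; not stated in the article

class OtpGate:
    """Hypothetical server-side gate: geofence first, then a one-time code."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # user -> (code, expiry time, attempts left)
        self.travel = {}   # user -> (region, exception expiry), registered by IT

    def allow_travel(self, user, region, until):
        self.travel[user] = (region, until)

    def region_ok(self, user, region):
        if region == HOME_REGION:
            return True
        exc = self.travel.get(user)
        return exc is not None and exc[0] == region and self.clock() < exc[1]

    def issue(self, user, region):
        if not self.region_ok(user, region):
            return None  # outside the geofence with no active exception
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        # Issuing a new code replaces any older pending one for this user.
        self.pending[user] = (code, self.clock() + CODE_TTL, MAX_ATTEMPTS)
        return code  # handed to the SMS gateway; should never be logged

    def verify(self, user, region, submitted):
        entry = self.pending.get(user)
        if entry is None or not self.region_ok(user, region):
            return False
        code, expiry, tries = entry
        if self.clock() >= expiry or tries <= 0:
            del self.pending[user]  # expired or guessed too often
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[user]  # single use: a replayed code fails
            return True
        self.pending[user] = (code, expiry, tries - 1)
        return False

if __name__ == "__main__":
    gate = OtpGate()
    code = gate.issue("alice", "NC")
    print(gate.verify("alice", "NC", code), gate.verify("alice", "NC", code))
```
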

“What makes this approach so powerful is that it doesn’t require a physical token, which can be forgotten or lost,” says Jessica Gourley, IT manager for Carolina Bank. “It works through a person’s smartphone, which is something they always have with them.”

Whereas software and systems that generate pre-issued passwords and codes can be more easily hacked, “one-time randomly generated codes are nearly impossible to compromise,” she says.

The solution has delivered clear, discernible benefits, particularly for a regional bank with a small IT team, Gourley reports. She says that it was easy to install, and it didn’t require a major revamp of IT systems or security practices. Moreover, she adds, the solution is cost-effective, and it’s easy to use and operate.

“It doesn’t require any training, and there are no complex steps for users or for IT,” Gourley says. Most importantly, “It offers a remarkably effective approach and a high level of security.”
