When you hear the term “bank robber,” a leather-clad outlaw with a burlap bag in one hand and a pistol in the other likely comes to mind. However, modern bank robberies have evolved past Butch Cassidy and the Sundance Kid-style hold-ups. Instead of weapons and a getaway car, all today’s robbers need is an understanding of computer network systems and a few stolen passwords to infiltrate a bank’s database and steal money. Crimes of this nature also end in more loss than physical robberies. Take the Carbanak malware campaign, for instance, which targeted multiple financial institutions around the world and concluded with a total of more than $1 billion being stolen.
According to the Herjavec Group’s 2019 Official Annual Cybercrime Report, cyberattacks on financial service institutions are on the rise, indicating that banks need to direct their security resources to testing their network systems on a more consistent basis. That’s where your annual IT audit comes into play, and why you should build a strong, year-round relationship with your IT auditing firm.
Unfortunately, IT audits are notoriously dreaded every year because of their high-effort requirements. But for all the ways they are inconvenient, correcting the network and process weaknesses revealed by an IT audit can protect a bank’s customers, not to mention save the bank from reputational damage. For that reason, the partnership between a bank and its auditing partner can be a positive, beneficial one.
There are plenty of ways to take full advantage of your IT audit partner to both make your annual audit go smoothly and garner the most benefits for your institution. Here are a few tips:
Understand that the IT auditing process is going to strengthen your business.
Protecting customer data is one of the most make-or-break aspects of community bank success today. With the rise of online banking, a customer can change accounts quickly to nearly any other financial institution across the country, so prioritizing the protection of existing (and new) customer data couldn't be more important. Understand that if a negative practice within your bank is brought to your attention, that is the IT auditor’s way of trying to improve your system and keep your bank thriving. Approach the process and your IT audit partner with an open mind and a willingness to help accomplish what they need, and watch how quickly and smoothly the audit gets done.
Pick a partner who will ask tough questions.
When you look for an IT auditing partner, it may be tempting to settle for the cheapest or most convenient option. However, to ensure that the IT auditing process goes smoothly and successfully, it’s important to find a partner who will take the time to understand your bank and its individualized needs. A good audit partner doesn't just show up to do a job and collect a check; they should have your best interest in mind and be dedicated to your goals. Sometimes that means having difficult conversations about what your organization is doing (or not doing) in the best possible way. Sometimes it means taking the time to explain to the decision-makers at your institution how important cybersecurity is in today's environment. Sometimes it means being an ongoing resource to provide answers to questions, suggestions for controls, or even additional services to help improve your security posture over time.
Your IT auditing firm should send you a list of the information they need from your institution regarding your network and systems. If you have worked with the IT audit firm before, it’s a good idea to go ahead and compile the materials they will need before the process begins. List your IT assets, organize your paperwork, and think ahead about your main concerns. If you have adopted new systems, applications, or hardware since your last audit, be sure to have that information handy as well. Taking these steps will ensure the offsite portion of the process goes smoothly and quickly.
At the end of the day, remember that regular IT audits are a necessary step for running a successful financial institution. Consumers are hyper-aware of data privacy concerns, and they will likely factor security and data protection into their banking decisions. So, prioritizing the protection of customer data could not be more important.
Waldman is a co-founder of SBS CyberSecurity and executive vice president of IS Consulting and president of the SBS Institute. He can be contacted at firstname.lastname@example.org.