By Tyler Leet
When it comes to cybersecurity, a good offense is a key component of a good defense. Much like organizations, hackers continuously learn and hone their skills. So, it’s critical to keep up with the latest threats they deploy, identify potential vulnerabilities, and understand how your bank would respond to an attack. By examining vulnerabilities before a real hacker has the opportunity, your institution can take an offensive approach and mitigate cybersecurity risk.
How to Mitigate Your Bank’s Risk
How can financial institutions take steps to strengthen cybersecurity in the face of evolving threats? Here are several tips to mitigate cybersecurity risk for your institution:
1. Conduct Penetration Tests: During a penetration test, a tester identifies vulnerabilities or security weaknesses and then attempts to leverage them to gain deeper access into your network. Penetration tests often reveal eye-opening results by showing how many points of entry exist across your network.
While still valuable, a vulnerability scan or assessment offers a broader view than a penetration test; however, the results are much more generic. Since a penetration test is more manual and object-oriented, it provides directly actionable information to help you evaluate and resolve weaknesses likely to be leveraged by a malicious individual. Combining these with a layered security approach offers the most protection.
2. Remediate results. Don’t be afraid of the results from a penetration test or vulnerability assessment. Assessments aim to strengthen your approach, not to serve as a pass/fail benchmark. Your institution should analyze the results and remediate any issues for optimal effectiveness. Remediating any issues or critical vulnerabilities after an assessment is a key step in preventing bad actors from exploiting your weaknesses.
3. Prioritize cybersecurity education. Since cybersecurity is a business issue, employees outside the IT department play an important role in cybersecurity. From loan officers to tellers, employees have access to a myriad of systems and are potential targets as a result. While employees don’t have to be cybersecurity experts, it is still beneficial to practice good security hygiene. This is also a cost-effective measure, as the cost of educating users will almost always be less than the cost of dealing with a breach.
Hackers often rely on weak passwords or phishing attacks to gain system access, but educating your users on the latest tactics and common social engineering schemes — and how to report them when spotted — helps mitigate your risk of a successful attack. Ensure your employees and customers remain vigilant when they receive an unexpected email with an urgent message that includes a strange link or attachment, as this is a common hacker tactic.
4. Implement multi-factor authentication. One way to encourage hackers to move on to a different target is making it as difficult as possible to carry out their objective, which is often account access. Multi-factor authentication (MFA) is an excellent way to discourage hackers, as it requires more than a username and password to obtain account access. This additional information can include a token, text message, email, or biometric data such as a face scan or fingerprint. Not only should employees use MFA when accessing your systems and network, but your institution should encourage customers to enable this control on their financial accounts, email accounts, and even social media.
5. Implement patch management. Most bad actors use tools that take advantage of your system vulnerabilities, so it’s important to invest in routine vulnerability and patch management to shore up your defenses. If you remediate a vulnerability, bad actors don’t have an easy way to exploit it and will likely move on to low-hanging fruit elsewhere. Further, good patch management minimizes surface area and attack exposure. While updating your patches can be resource-intensive, it is worth it in the long run. This approach includes encouraging employees to update software, operating systems, applications, etc. to mitigate the risk of hackers taking advantage of any vulnerabilities.
6. Assess your risk. If done properly, risk assessments are a key component of a cybersecurity plan. A risk assessment helps an organization identify and manage financial, operational, and other risks associated with internal and external incidents. And proper risk assessments should be more than filling out a spreadsheet; they’re about the lessons learned along the way as you produce it. During this assessment, you should identify assets you need to protect and understand how controls in place work together. The resulting document should help you prioritize your limited resources.
7. Involve your leaders. Cybersecurity involvement should not be limited to your IT department. Since this issue touches nearly every part of your bank, it’s important to have board and senior management involvement. Senior management should be invested in understanding cybersecurity threats and have enough familiarity with the topic to ask credible questions to IT leaders. Further, they should serve as advocates for your cybersecurity plan and reinforce the importance of education and training at all levels.
When determining the appropriate cybersecurity investment, leaders should consider your institution’s individual objectives, risk assessment and risk appetite — or a representation of how much risk an institution is willing to accept. As an integral component of a holistic approach to IT, security and compliance, IT governance ensures that an institution’s technology and business objectives support its larger strategies.
Finding the Vulnerabilities Before Cyber Criminals
With evolving threats and opportunistic hackers, investing in cybersecurity for your institution should be a priority. Tools like penetration tests and vulnerability assessments should be components of your larger cybersecurity strategy and help you stay ahead of cyber criminals.
Leet is director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. CSI is a WBA Associate Member.