4 Top Cybersecurity Takeaways for Financial Institutions
October is National Cybersecurity Awareness Month. It’s yet another reminder that criminals are constantly trying to hack into our networks to steal data and wreak havoc.
How do banks, credit unions, mortgage companies, and fintechs stop themselves from falling victim? Ncontracts webinar Evolving Cyber Threats: What You Need to Know Now tackled this topic with two of our cybersecurity experts.
Here are four of the top takeaways:
1. Examiners and the vendor maturity approach. You know about the vendor management lifecycle, but what about the vendor maturity approach? Examiners are looking to see how the risks of working with a particular vendor may have changed as that relationship has matured. This is particularly true if your financial institution has added additional products and services.
Questions to consider:
- Does a new product or service introduce a new risk to the institution?
- Does adding additional products or services increase the collective risk of working with the vendor?
Make sure your FI is taking a granular look at vendor products and services to see how they impact overall vendor risk.
2. How do you know when there is enough cybersecurity in place? Deciding whether a financial institution has sufficient cybersecurity isn’t an individual or even a departmental decision—it’s a business decision.
Risk managers quantify risk. The business (i.e., the board of directors) determines the FI’s risk appetite and tolerance. Those responsible for assessing cybersecurity need to report to stakeholders to explain the amount of risk the FI is exposed to and the areas that require additional mitigation to keep the FI at or below its thresholds. If there is an area of cybersecurity where the risk level isn’t acceptable, additional controls are needed.
3. How to build out or upgrade cybersecurity. The onslaught of cyberattacks makes building a cybersecurity program feel like an insurmountable task that must be completed immediately. That’s just not realistic.
Instead of expecting to build it all in a day, start with the bare minimum and work your way up. Implement patching policies and procedures and install an anti-virus program. It doesn’t have to be the world’s greatest program, but it’s something, and it can be improved over time.
When picking and choosing which controls to install or upgrade first, consider the risks your FI is facing and the type of attacks it most frequently encounters. Those are the areas that should receive top priority. (See how you got backed into a cyber risk assessment there?)
Building from a baseline over time makes cybersecurity more manageable.
4. Password hygiene. Passwords aren’t just a pain for users trying to remember and keep track of them. They are also a potential source of a breach for companies when users employ the same password for multiple sites and applications and that password is part of a data breach.
While training employees to follow password best practices is important, it’s also smart to institute multi-factor authentication as a protective control. When done correctly, it can mitigate a lot of the risks associated with passwords while reducing the number of times passwords must be changed each year.
Want more cybersecurity insights to improve cyber risk management?