5 Tips for Enhancing Your Financial Institution’s Cyber Resiliency
Cybersecurity is more than buying a well-regarded solution and calling it a day. It’s knowing what assets your institution has, understanding the risks associated with them, and identifying and implementing ways to mitigate those risks.
Handling cybersecurity any other way is putting the cart before the horse—and leaves your institution exposed to cyber risk.
Here are five tips for enhancing cyber resiliency at banks, credit unions, mortgage companies, and fintechs.
1. A great cybersecurity solution may not be the right tool
Imagine an institution that buys a popular cybersecurity solution. The tool may be an excellent solution that does exactly what it promises—but it might not be a great solution for the particular issues the FI is facing.
The only way the institution would know that is by conducting a risk assessment before investigating solutions. Cybersecurity isn’t one size fits all. While there are universal threats (ransomware and other malware, social engineering, viruses, data breaches, distributed denial of service (DDoS) attacks, etc.), different companies are exposed in different ways. A risk assessment helps an institution understand where it is exposed to the most risk so it can find ways to mitigate it.
It doesn’t end there. The risk environment is constantly changing. Some threats might recede while others gain prominence. The FI might adopt new technologies, products, services, or third-party vendors.
How do these changes impact the FI’s risk assessment? The only way to find out is to continually assess risk—especially when there are known factors that are likely to have an impact. If an FI isn’t reassessing risk, it won’t know if its current cybersecurity solutions and the allocation of its cybersecurity resources still make the most sense.
2. Preventative cyber controls: Don’t forget to lock the door
Good cybersecurity isn’t just what you do. It’s what you don’t do. One thing you shouldn’t do is keep open ports and other access points that aren’t used.
It’s easy to remember to open an access point when a new product or service is implemented. Users will complain if they can’t access what they need. It’s much harder to remember to close that access point after the user departs or the product or service is no longer needed.
Make sure your FI turns off unused ports and implements role-based access control. Employees, third-party vendors, and others who need system access should be given just enough access to do what their job requires them to do and nothing more. There should also be up-to-date inventories of assets and connections. You can’t prepare for a threat if you don’t know it exists.
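As an added example (not code from the original article), here is a Python check for the "forgot to close the door" problem described above: it compares listening ports in constructed `ss -Hltnp` output against a constructed connection inventory that records which process, which business owner and until what date each port was approved, and flags listeners with no matching inventory entry or whose approval has lapsed.

```python
# Added example, not from the original article. Audits listening ports against a
# connection inventory so that access points left open after a product, vendor
# or test ends are surfaced. All input below is constructed sample data.
from datetime import date
import re

# Constructed sample output in the shape of `ss -Hltnp` on Linux (-H drops the header).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=1204,fd=6))
LISTEN 0 128 0.0.0.0:3389   0.0.0.0:* users:(("xrdp",pid=1410,fd=11))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=977,fd=5))
LISTEN 0 5   0.0.0.0:8080   0.0.0.0:* users:(("python3",pid=2201,fd=3))
"""

# Constructed inventory: port -> (expected process, business owner, approval valid until).
# The remote-desktop entry was approved for a vendor engagement that ended in 2023.
INVENTORY = {
    22:   ("sshd",     "infrastructure", date(2026, 12, 31)),
    443:  ("nginx",    "online-banking", date(2026, 12, 31)),
    3389: ("xrdp",     "vendor-remote",  date(2023, 6, 30)),
    5432: ("postgres", "core-db",        date(2026, 12, 31)),
}
AUDIT_DATE = date(2024, 1, 15)  # constructed "today" for the example run

# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=...,fd=...))
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_text):
    """Return (port, process) tuples for every LISTEN line in ss -Hltnp style output."""
    listeners = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((int(m.group(2)), m.group(3)))
    return listeners

def audit_listeners(ss_text, inventory, today):
    """Classify each listener as approved, expired (approval lapsed) or unapproved."""
    findings = {"approved": [], "expired": [], "unapproved": []}
    for port, proc in parse_listeners(ss_text):
        entry = inventory.get(port)
        if entry is None or entry[0] != proc:
            findings["unapproved"].append((port, proc))            # no inventory record
        elif entry[2] < today:
            findings["expired"].append((port, proc, entry[1]))    # should have been closed
        else:
            findings["approved"].append((port, proc))
    return findings

if __name__ == "__main__":
    for kind, items in audit_listeners(SS_OUTPUT, INVENTORY, AUDIT_DATE).items():
        print(f"{kind}: {items}")
```

Expired and unapproved findings are the ones to act on; the expiry date is what turns a one-time inventory into a recurring check.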
3. Focus on cybersecurity basics
The increasing complexity of cyber threats requires layers of security. That includes the basics. From network segmentation to patching and firewalls, many common items that don’t involve a lot of time and money can have a significant impact on cybersecurity.
Back in 2017, Equifax was the victim of a breach that exposed the private financial information of over 145 Americans. It happened because a patch hadn’t been applied (one of a backlog of 8,500 unpatched known vulnerabilities). But it also happened because Equifax had no IT asset inventory, no follow-up on IT findings, no accountability for IT-related tasks, unencrypted data, no audit trail, and a CIO who thought he was above bothering with the basics.
If your FI is just getting started or is improving its program over time, focus on those core assets first. When you assess risk and include mission-critical items in the risk assessment, make sure they get higher priority and more staff assigned to strengthen the security and controls around them.
4. Security awareness training can’t be underestimated
People may gripe about it, but security awareness training can go a long way in protecting your employees from falling victim to phishing or social engineering.
Internal actors cause 44 percent of breaches in the financial services industry, according to the 2021 Verizon Data Breach Investigations Report. For the most part, these aren’t intentional actions taken by unethical employees—they are accidents. The Verizon Report notes that mistakes like sending emails to the wrong people (responsible for 13 percent of all breaches) can have a huge impact.
Find creative ways to train coworkers and other employees and engage them in the material. Connecting training to news events can help increase the relevance and make others feel like they are a valuable part of the IT security team.
5. Speak IT in a way everyone can understand
Your financial institution may have the smartest, most technical IT team around, but if they can’t communicate effectively with risk, compliance, the C-suite, and the board, they are exposing the institution to increased cyber risk.
IT needs to learn to speak in the same language as the rest of the institution and put together reports that make sense to everyone. They need to be able to explain the risks and problems the FI faces and offer solutions to fix them. If there’s a communication gap, having someone in the middle who can translate will make your cybersecurity program more successful.