Six Common IT Exam Issues—and the Controls You Need to Address Them
Ask any risk manager about the top risks that keep them awake at night and one answer will always come up: cybersecurity.
It’s not easy to defend against cybercriminals who are constantly refining their techniques and inventing new ones. While it’s nearly impossible to stay ahead of them, that doesn’t mean there’s no hope. In fact, just focusing on the basic building blocks of cybersecurity can go a long way.
A panel of IT examiners at the Tennessee Bankers’ Strategic Technology, Risk & Security Conference shared the top six issues they are seeing during IT exams and offered insights into how FIs can mitigate them. How does your program measure up?
1. Retaining qualified IT staff. Good IT talent isn’t cheap and smaller FIs, in particular, may have a hard time attracting and retaining qualified IT staff, especially if they don’t need one full time. Without sufficient staffing, it’s easier for an FI to fall short of its cybersecurity maturity goals.
Control: Virtual ISOs and IT committees. Virtual ISOs (aka virtual Information Security Officers) can help FIs fill the role of a part-time information security officer, giving FIs the necessary expertise on a more affordable scale. Designating an IT committee is also a good idea. Since a committee contains a variety of stakeholders from multiple departments, it ensures continuity of knowledge and strategy if there is turnover in the IT department.
2. Phishing. Phishing is an oldie but a goodie that keeps evolving and luring in victims. More than 80 percent of reported security incidents began with phishing and 94 percent of malware is delivered via email, reports CSO. It can take just one employee clicking one bad email to unleash a cyberattack. Messages that look like they are from the CEO, such as ones requesting a wire transfer, are especially likely to cause problems.
Control: Make phishing tests challenging, and train staff on how to handle suspicious emails. Train staff to call the CEO or someone in their office for confirmation if they get a request from the CEO, especially if it’s out of the norm.
3. Patch management. Failing to patch a vulnerability contributes to 60 percent of all cyber breaches, according to CSO. That makes patch management a must for every FI—but many of them are getting it wrong.
Many banks still run Windows 8 software even though it’s no longer supported (meaning it no longer receives security updates and hasn’t since 2016). Meanwhile, many employees log into their FI’s network on personal laptops, which may or may not be updated with the most recent patches. This leaves machines—and by extension the financial institution—vulnerable.
Control: Inventory assets. What devices are employees using to connect to your network? What operating system and software are they running? Your FI needs to know the answers to these questions and have a plan in place to ensure the devices are up to date on patches.
With many employees working remotely over the past year, it’s also critical to carefully document work-from-home security controls.
4. Supply chain threats. Supply chains may conjure visions of toilet paper and gas stations, but they’re so much more than that. In the digital world, an FI’s supply chain is the third parties that provide products and services and have access to the FI’s network or sensitive data. This goes beyond vendor management to include technology like third-party applications consumers use to access banking services.
Control: Resiliency, flexibility, visibility. FIs need visibility into vendors’ business continuity and resiliency plans. This may require adjusting the FI’s own plans to ensure suitable backups are available. It also requires limiting access to only the systems or data a third party needs and nothing more. FIs can also benefit from working more closely with critical vendors.
5. Maintaining a robust threat intelligence program. The repeating motif of a new day, a new threat can really wear an IT department down. It’s impossible to stay on high alert every second of every day, and the constant influx of news makes a looming cyberattack feel inevitable. This ennui can make your FI vulnerable if it’s not paying attention to new threats and third-party vendor cyber weaknesses. It’s also helpful to share data about new threats with the Financial Services Information Sharing & Analysis Center (FS-ISAC).
Control: Automate monitoring. Forget about manually monitoring multiple news services to find the latest problems. Automate monitoring using services that can tell you about relevant security issues and potential problems with vendors. It lets you screen out the noise and focus on actionable items.
6. Weak user access administration rights. Part of protecting data is limiting its availability. Employee (and vendor) access to systems, networks, and data should be on a need-to-have basis. If they don’t need that access to do their jobs, they don’t need it at all.
That’s easier said than done. With staff coming and going and moving into new roles, their need for access and control changes. While staff will shout when they need access to new data, they are far less likely to notice they have access to data they don’t need.
Control: User profiles with appropriate rights. The FI should run an annual review of users and their administrative rights and share the report with management. Data and administrative access for each employee should be reviewed and adjusted accordingly. It’s also helpful to regularly review server logs for suspicious activity.
Looking for other ways to protect your FI from cyber risk? The panel praised the Center for Internet Security’s 18 CIS Controls (formerly the SANS Critical Security Controls (SANS Top 20)), saying that implementing just half the controls will make a material difference.
How strong is your FI’s cybersecurity maturity stance? Are you covering all the basics? Using the FFIEC Cybersecurity Assessment Tool (CAT) can uncover your strengths and weaknesses.