Remember when stealing money required actually breaking and entering into a financial institution? These days those responsible for securing banks and credit unions have much more than just physical security to worry about. They must also contend with cyberthreats to retain compliance and continually secure bank assets.
As the Federal Financial Institutions Examination Council (FFIEC) (which oversees the five major banking industry regulators) has noted, financial institutions have become “increasingly dependent on information technology and telecommunications to deliver services.” This means any “disruption, degradation, or unauthorized alteration of information and systems” can negatively impact not only core processes but also undermine confidence in the financial sector.
Understanding cybersecurity risks and following best practices help cultivate a robust financial security posture. To that end, here are seven key security questions for financial institutions to consider.
1. Do we have an integrated information security strategy?
Of course you have a security policy in place. But does it integrate all of the relevant areas of concern? Considering technology, policies, procedures, and training all together is necessary to mitigate risk. The best policies factor in risk and technological complexity to address:
- Information technology risk management
- Treat information sharing
- Information security
Incident response and resilience.
Tip: An effectively integrated framework provides a common language to use in communicating about cybersecurity both internally and externally. A proactive plan will identify assets and potential threats while also addressing detection, response, and recovery.
2. Are we doing thorough risk assessments to protect customer information?
There are different levels of risk assessment and vulnerability scanning. For financial institutions, regardless of size or scope, thorough proactive testing is essential to identify and prioritize for protection organizational assets (i.e. hardware, systems, data, and applications) based on data classification and business value.
Tip: In assessing policies and procedures in place to safeguard customer information, look to identify any reasonable and foreseeable internal and external threats as well as the likelihood and potential damage of threats. Weigh also the sufficiency of policies, procedures, and customer information systems.
3. Do we keep employees up-to-date on policy changes, new information security risks, and best practices?
Your bank or credit union may have the most advanced cybersecurity posture, but that highly developed technology may be for naught if your humans aren’t up to speed. Human error is a major cyber security vulnerability. The human desire to trust and help others can also compromise financial institution security.
Tip: An annual information security training for your employees should include incident response, emerging issues, and current threats (i.e. phishing, spear phishing, social engineering, mobile security, etc.).
4. Are we educating our customers about information security risks and best practices?
Your customers want to keep their accounts secure, of course. But at the same time, they want convenience and efficiency. So, yes, they might go online to your banking site to pay bills or transfer money on an unsecured wifi network in a coffee shop. Or, they may rely on the same recycled username and password credentials they are using on social media and their many online shopping sites.
Tip: Make awareness materials available to your customers. Counter the prevalent “it won’t happen to me” attitude with proactive education. At the same time, don’t leave your institution vulnerable to customer laziness. Require password complexity. Encrypt passwords in storage and transit. Establish authentication controls (i.e. layered controls, multifactor) for customer access to Internet-based products or services that are commensurate with the risk.
5. Are we effectively managing and monitoring system configurations?
A comprehensive cybersecurity posture holistically considers all of the system, object, network, virtual machine, and application controls. Your team needs to not only manage and monitor perimeter defense tools such as border routers and firewalls, but also keep systems configurations (for servers, desktops, routers, etc.) up to industry standards.
Tip: Identification and authentication is essential for access to all systems, applications, and hardware. Also, limit employee access to systems and confidential data based on their job responsibilities. This computer security concept minimizes user profile privileges based on job necessity. Similarly, each computer system component or process should only be configured to connect with other components it must necessarily access.
6. How are we staying abreast of the latest threat and vulnerability information?
We’re going to employ that cheesy television station slogan now: “The More You Know…”
It’s true. The more you know, and the sooner you know it, can make the difference between protecting critical systems and assets in a timely manner and a widespread business disaster.
Tip: Subscribe to sites focused on information sharing for a “safer, stronger Internet for all” such as the Financial Services Information Sharing and Analysis Center or the U.S. Computer Emergency Readiness Team.
7. Do we act on what we know about the latest threats and vulnerabilities?
Having a single employee on your information security team tasked with reading the latest alerts and rounding them all up in an email to everyone else on the team isn’t enough.
Your organization should have a clear plan of attack, and have identified who is responsible for what, to both monitor threats and vulnerabilities and use new threat information to proactively enhance internal risk management and controls.
Tip: Clearly identify information security roles and responsibilities among your personnel.
Also, establish processes to identify any additional expertise needed to improve your information security defenses in the light of new trends or emerging threats.