It may not be the top item on your daily agenda, but tightening and maintaining security controls is imperative and should be something you evaluate regularly. Just ahead of the annual ‘Cybersecurity Month’ reminder, the FFIEC released an update to its Cybersecurity Resource Guide for Financial Institutions, with the purpose of equipping financial professionals to combat the evolving threat of cyber attacks.
This update is packed with valuable information on implementing a successful information security program. Many of the items could make or break an institution in the event of a cyber breach, so below I’ve pulled the key items to help your bank be more prepared.
Top takeaways from the updated resource guide
Protection starts with identification
Identification is the first step to protecting your data and your customers’ data. Identification is often taken to mean identifying IT assets, and this is absolutely a critical step in an information security program. However, continuous and near-instant identification of external risks is also a critical step, and one that is often overlooked or underutilized. Participation in external information-sharing sources, such as the ones listed in the Information Sharing section of the guide, will help you anticipate, mitigate, and respond to cyber threats.
Over the years I have had questions, from all industries, about what the best resources are to keep up to date on these threats. This guide provides a great list. Your bank should have several individuals signed up to receive alerts from three or more of these resources. The ones I have seen to be the most informative are FS-ISAC, CISA and US-CERT. I recommend you review each website and the information within to determine which would best fit your bank.
Tackle the largest risks first: ransomware
Ransomware continues to be one of the largest risks any entity in any industry can have. It does not discriminate. It does not care about the entity’s size, stature, or business. If there is a hole in security, a criminal will willingly penetrate it and take over your systems.
The guide now offers ransomware-specific resources to address the ongoing threat, but I want to offer some additional safeguard reminders. Protection from ransomware is a three-fold model: plan, educate, test. Please be mindful that this three-fold model is specific to ransomware. A fully comprehensive information security program, including risk assessments, policy sets, clear processes, and technical controls, is essential to truly secure systems.
We all know ransomware exists and that it can be detrimental to our businesses; therefore, we all need a plan of action to reference so we can act swiftly and efficiently in a breach event. Time is money, as they say, and the phrase is never truer than when your business is brought to its knees by encryption. A comprehensive plan is a set of guidelines that instructs teams on how to prepare for, identify, respond to and recover from a cyber event.
A concrete plan should:
- Identify vulnerabilities and specify critical assets
- Identify external cybersecurity experts and data backup resources
- Create a detailed response plan checklist to identify the breach, contain the breach, eradicate the breach and recover from the breach
- Design a communication strategy to include regulatory agencies, your insurer (look for an upcoming article from me about cyber insurance), and all affected parties
Ransomware attacks have become so frequent they are nearly unavoidable. The fact is it only takes one click for an attack to be launched, and people are both the first line of defense and one of the most common ways in.
Staff education should be built into your onboarding process and repeated annually, with constant reminders to keep people vigilant. A companywide policy laying out protection protocols and expectations of employees will be the basis of this education.
How to educate employees:
- Review and acknowledgment of the companywide policy
- Regular interactive security awareness education
- Defenses against social engineering
- Phishing simulator
With any luck your bank will go years without having to use the plan. However, depending on the frequency of regulatory changes and changes inside your company, it should be revisited once or twice a year to ensure it is always current. During the years the plan is not put to use, it is important to run simulated tests of the plan. There are many ways to test, and the guide offers several tabletop-type resources in the ransomware section, but it is also important to perform technical testing to ensure there aren’t any holes or vulnerabilities in the highly complicated configurations and programming.
Technical testing may include:
- Internal vulnerability assessment
- External vulnerability assessment
- Penetration testing
- Active Directory testing
- Social engineering testing
- Firewall configuration review