Banking Industry Blog | HORNE

8 Questions to Combat Your Cybersecurity Risk

Written by Mike Skinner | March 10, 2016

Last week, we reported some eye-opening cybersecurity statistics discussed at the Tennessee Bankers Association’s Credit Conference. While the focus of these conversations centered on the credit process, managing breaches has become one of the most significant focus areas for businesses of all kinds. 

The types and volume of cyber-crime activity have increased so rapidly across the globe that it is difficult for even the most vigilant monitors to stay ahead of the threat actors. The pervasiveness of risk makes it incredibly important for banks to do everything necessary to address vulnerabilities and consider all methods for protecting systems and sensitive data from cyber criminals, human error, and even natural disasters.

Our team of Cyber Solutions experts has prepared a high-level checklist that covers eight key risk areas, along with the questions you should be asking to secure your financial institution.

Human Factor

Human error and oversight are the most common causes of security breaches. If your employees are not adequately trained, they can expose your organization to breaches through malicious attacks, phishing, scams, and even disgruntled employees. Education is the key. Make sure everyone in the organization understands his or her role in protecting the organization. Train them on cybersecurity and data protection procedures so that they are more careful, more vigilant, and know the right steps to take to protect the organization’s IT assets.

Ask:  Do your employees clearly understand their role in protecting the organization?

Access Management

Keep track of the users who access your systems. Enforce regular password changes for these users. Business systems are interconnected in ways that were difficult to imagine or predict even a few years ago, requiring a thoughtful and detailed approach to access policies, procedures, and management to protect sensitive data.

Ask:  Who has access to your systems? Is your organization managing this carefully?

Security Policies and Procedures

If your systems and critical data are compromised, the entire organization is compromised. You face the danger of interrupted business, lost customers, and even personal liability. If you have weak or non-existent security policies and procedures, there is no basis for accountability. Particularly for organizations like banks that manage large volumes of personal data, it’s unwise to settle for basic templates to establish security policies and guidelines. Define actionable plans and procedures that address your unique situation and needs.

Ask:  Do you have a plan to protect your organization? If a breach happens, do you have a recovery plan?

Network Security

Criminals see your internal and external facing networks as ‘attack surfaces’ that, if breached, open access to valuable data. Vulnerability scans are a first step, but they don’t tell the whole story. They often result in false positives and create alerts that are not actionable. Routinely conduct penetration tests on external and internal networks. Have specialists test your network the way hackers do – aggressively, creatively and persistently. Then prioritize your action plan and make the right changes.

Ask:  Is your network susceptible or vulnerable to security threats? When did you last run a vulnerability scan or penetration test? Is your hardware configured to provide protection and are these configurations up-to-date?

Operating System and Application Security

Keeping everything updated with the latest protections in place is necessary to defend your organization from attack. As vendors become aware of new vulnerabilities in applications and operating systems, they distribute patches and work to repair their code. With internal, custom applications you are not able to take advantage of this lifecycle. Make certain you have experienced security researchers seeking vulnerabilities in your software so that repairs can be made. In situations where it is not feasible to fix vulnerabilities, knowledge of those weaknesses allows you to structure your network and layer protections around the weak points to protect your data.

Ask:  Are you installing the patches that are critical to the security of the software your organization relies on?

Data Encryption

Organizations face the challenge of determining what needs encrypting. Regulations and best practices are broadening the scope of what data must be encrypted. Mobile access to systems is driving more data to reside on devices and outside of the protection of central servers and encryption. Data encryption must be addressed when data is at rest on a system, as well as in transit between systems.

Ask:  Do you know what data is being encrypted to protect it from a security breach? Is the right data being encrypted?

Third Party Relationships

More than 60% of data breaches are linked to a third party vendor. When outside partners and vendors connect to critical systems through your supply chain and other business-to-business relationships, the security risk to your systems increases. Do not leave the attack surfaces you have exposed to them unprotected. Third parties that interact with your systems must have security practices that meet or exceed your own. Make certain you have the right expertise in place to monitor vendors and help you manage this significant security risk.

Ask:  Do your vendors and business partners meet your security standards?

Disaster Recovery

In the face of a crisis, you must take a proactive approach to protect your IT environment and minimize data loss and damage. Often, a disaster recovery environment is not as well secured as your production site. Backing up your data without carefully considering how that backup is transmitted, stored, and recovered can expose your data to additional vulnerability. If a negative event does happen, incident response plans are needed to determine why the outage occurred. Along with restore and recovery actions, a response plan serves as a precaution against future risk.

Ask:  Does your organization plan for the worst? Where do your backups reside? Did you know that your backup data can be a prime target for attackers?

Cybersecurity affects every level of the organization. Every executive on the team needs to prioritize protecting sensitive data, customer information, network operations, competitive secrets, and business continuity. By asking questions proactively and putting resources in place across the organization, you have already taken important steps toward understanding and mitigating vulnerabilities. The dedicated HORNE Cyber Solutions team works alongside clients to put in place tailored measures to reduce their exposure to the threat of costly breaches.
