10 Strategies for Mitigating Risk in an Evolving Cybersecurity and Compliance Landscape
Since the pandemic, we’ve seen a pronounced shift in how people work, marked by increased mobility and flexibility. Financial institutions have experienced profound changes—including accelerated digital adoption and hybrid workforces—accompanied by an evolving set of regulatory and cybersecurity risks.
How has the pandemic shaped the cybersecurity and regulatory landscapes moving forward? What are the top strategies to mitigate current risks for your institution? Read on for answers to these questions and more.
What is a top cybersecurity lesson learned since the pandemic?
The pandemic led many institutions to adjust their day-to-day operations and implement remote work policies almost overnight. Even today, remote and hybrid work is common, given the flexibility it affords employees. But some institutions learned the hard way that remote work comes with risks of its own, chief among them that data and systems once reachable only from inside the office are now accessed from home networks and personal devices. It is therefore still imperative that every institution understands where its network is exposed, which controls best secure those remote connections and how its users actually reach its systems.
Further, the shift to remote work reinforced the importance of resiliency and redundancy in business continuity. Organizations must continue to think about their infrastructure and how accessible it remains when an office, a data center or a single provider is unavailable. Many institutions have realized the benefits of migrating servers, systems and applications to the cloud, such as increased availability and connectivity. The cloud also offers an encrypted, off-site backup option to safeguard your data, provided the backups are access-restricted and at least one copy is kept immutable or offline, so that an attacker holding stolen administrator credentials cannot delete or encrypt it along with your production systems.
How have regulators responded to the changing threat landscape?
Since 2020, regulators have placed heightened scrutiny on how employees access systems and how institutions keep track of data. As a result, institutions must understand where data travels and resides, as well as the appropriate controls to secure it. Regulators also emphasize the security of cloud offerings, including a review of Microsoft 365 (formerly Office 365) configurations. If your institution is considering a cloud migration, ensure you have taken the appropriate steps to identify your users and how they access your network.
In recent years, examiners have begun shifting to a more methodical framework approach, as presented in the FFIEC's Architecture, Infrastructure and Operations (AIO) booklet. The AIO booklet was a substantial update to the FFIEC's IT Handbook, underscoring that senior leadership and the board should understand risk and architecture, as well as how each affects the business. This understanding extends beyond cybersecurity and compliance, as your institution's leadership should know your objectives and how your technology supports them.
What is a noteworthy trend in IT and information security?
As IT and security become increasingly complex, more institutions are embracing a risk management approach when determining their strategies. While a layered approach to cybersecurity is critical, implementing a specific set of controls doesn’t necessarily make your institution secure or compliant. Similarly, deploying the latest and greatest technology does not guarantee data protection.
A risk management perspective should drive your IT and IS decisions, meaning your institution should first assess your risk appetite and risk tolerance. From there, you can determine how risk factors into broader institutional initiatives, including budgets, business processes and desired business objectives.
A risk-based approach allows your institution to create a business context around IT and IS while optimizing resources. Further, a risk-based approach allows senior leadership and directors to steer the strategic direction of IT and security from a business perspective while understanding the areas in which risk could manifest within your institution.
What are the biggest risks facing financial institutions?
Cyber threats will continue to evolve in the months and years to come, and one fact will continue to hold true: Financial institutions remain targets for cybercriminals due to the amount of sensitive data they hold and, of course, their direct involvement with money. Institutions should stay abreast of the latest threats and deploy defenses to protect users, data and systems. Below are several risks facing financial institutions in today’s threat landscape.
- Ransomware: While some expected the ransomware threat to fizzle out, it has continued to linger and evolve. According to the U.S. Treasury Department, financial institutions reported nearly $1.2 billion in likely ransomware-related payments last year, more than double the amount reported in 2020. The shift to remote work, supply chain issues, greater reliance on digital channels and increased turnover have contributed to an environment ripe for vulnerabilities. Most networks have multiple entry points and complex system operations, including remote endpoints and cloud-based systems. Cybercriminals exploit these weaknesses to launch sophisticated attacks. And with the rise of ransomware-as-a-service kits, executing ransomware often requires very little technical skill for a big payout.
- Poor configurations and distributed data: Most hacks are not overly complex. Many begin with an attacker guessing a default or reused password, or exploiting a poor network configuration, to gain initial access. In fact, IBM's 2021 Cost of a Data Breach report found that compromised credentials were the most common initial attack vector, involved in 20% of breaches. This makes strong, unique credentials (with MFA on top of them) paramount, especially as more users work remotely and can readily reach data distributed across a network. Financial institutions and other organizations are also embracing application programming interfaces (APIs). Rather than building processes around whatever a given piece of software allows, institutions now want to build their internal processes around business goals and connect systems through APIs to do so. However, an API integration can move data out of a platform through a path that the controls built around its user interface (session MFA, DLP inspection, activity logging) never see, effectively bypassing the institution's established security controls. If embracing APIs, conduct proper due diligence: authenticate and authorize every API client, scope API credentials to the minimum data they need, log and review API calls, and keep egress protections in place so data cannot leave the network unnoticed.
- Understanding the cloud: While the public cloud delivers a variety of benefits, institutions must know exactly what their cloud solution entails, including understanding where the connections exist and if they are needed. Knowing what figurative doors to your environment exist and which doors to close will minimize risk for your institution. Many institutions move forward with a cloud migration without taking the time to first think through exactly which systems and applications should be moved and when. It’s also important that institutions fully understand user access, including who has access to your system and where access is available.
- Lack of cybersecurity understanding and talent: Another risk involves the lack of understanding and proper education of senior executives and boards to allocate resources and provide credible challenges to those who handle internal IT. Your institution’s leaders should understand your IT and cybersecurity strategies at a high level to make better decisions. Employees must also recognize common social engineering schemes and cyber threats. They should also know the procedures for reporting suspicious emails or activity.
As many institutions struggle with staffing—especially for IT- or cybersecurity-related roles—cybercriminals are laying the groundwork to exploit this gap. Having a strong cybersecurity awareness program in place reduces the risk of criminals successfully executing an attack.
How should financial institutions mitigate risk?
Managing risk is nothing new for financial institutions. But as risks evolve, your institution should be familiar with the latest strategies to protect your users and data. Consider the ten best practices listed below to help minimize risk while navigating new challenges.
- Implement access controls: From an audit perspective, access control and change management play an integral role in mitigating your institution’s risk. Your institution should review existing privilege controls for all users and ensure the level of access is appropriate for their day-to-day duties. Temporary access can also be granted if an employee needs greater access to data for a specific amount of time. Restricting these privileges to a smaller pool of employees will decrease your institution’s overall risk, especially if a user falls victim to a cyberattack. Additionally, an up-to-date data flow diagram lets you accurately visualize where your data resides to help mitigate risk. Often institutions don’t realize certain data connections exist until they see it in a diagram, which provides an opportunity to implement necessary controls.
- Deploy data loss prevention (DLP) software: Since data can reside in many places, institutions must mitigate the risk of unauthorized data sharing, whether unintentional or malicious. DLP tools identify sensitive information (account numbers, Social Security numbers, customer files) and apply policies that block, quarantine or alert on attempts to move it out of the system by email, upload or removable media. Cloud platforms ship DLP capabilities that do nothing until you define the sensitive-data types and policies and switch enforcement on, so treat DLP as a configuration project rather than a purchase; once tuned, it gives you a more secure system and far more visibility into where sensitive data actually moves.
- Partner with a trusted cloud provider: The cloud delivers a variety of benefits, but the intricacies of this technology drive the need for expertise. Partnering with a trusted cloud provider helps your institution ensure configurations are appropriate, minimizing your risk. Third-party providers familiar with the financial services industry are also well suited to conduct penetration testing and vulnerability assessments on your cloud environment. Further, as institutions of all sizes struggle to attract and retain experienced IT and cybersecurity talent, partnering with a trusted provider allows institutions to meet the IT demands of today's environment by creating a resilient, redundant cloud environment. Cloud services providers employ experts to manage the platform on your institution's behalf, offsetting your need for in-house resources. Remember, though, that under the shared-responsibility model the provider secures the underlying infrastructure while your institution remains accountable for its data, identities, access policies and service configuration, and examiners will hold the institution, not the vendor, responsible for those.
- Leverage virtual private networks: Throughout the pandemic, many organizations leveraged virtual private networks (VPNs) for their security benefits. A VPN encrypts traffic between a remote employee and the institution's network and routes it through the institution's own firewalls, monitoring and access controls, which mitigates the risks of employees using unsecured home networks to reach corporate data. With the popularization of hybrid work, VPN connections offer considerably more security coverage than an unprotected connection, and your institution should not view VPN as optional. Two caveats apply: a VPN does not protect against a compromised or personal device, which is inside the perimeter once it connects, so pair it with device health checks and MFA on the VPN login; and the VPN gateway itself is an internet-facing entry point that must be patched promptly and monitored like any other perimeter device.
- Require multi-factor authentication (MFA): While institutions once resisted MFA because of the added friction at login, this control has proven to be one of the most effective ways to minimize account takeover risk. MFA requires an additional proof of identity, adding a step to the login process, but delivers measurable results in preventing attacks that rely on stolen or guessed passwords. Attackers who encounter an MFA-protected account will often move on to an easier target. Not all factors are equal, however: SMS codes and simple push approvals can be phished or fatigued into approval, so prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or platform authenticators for administrators and other high-risk accounts, and require MFA on every remote access path, including VPN, email and cloud consoles.
- Monitor your entire IT environment: Another key strategy to mitigate risk involves having comprehensive visibility into network activities. Monitoring your network around the clock, with logs from endpoints, identity systems, cloud services and network devices collected centrally, allows you to understand what is happening and strengthens cybersecurity compliance to meet regulatory requirements. Developing a robust governance program to identify controls, vulnerabilities and other related areas will further enhance your institution's security posture.
- Educate your employees and customers: Along with cybersecurity monitoring, user education is a key component in the defense against ransomware and other social engineering schemes. Continuous cybersecurity training and awareness campaigns will reduce the likelihood of employees inadvertently aiding a breach.
- Conduct vulnerability assessments: Vulnerability assessments are valuable tools that quickly identify areas needing attention in both internal systems and external perimeter devices. Once an assessment has been conducted, you must analyze the results and plan remediation. It is important, though, to prioritize which vulnerabilities to address first. Addressing every finding could become a full-time operation, so weigh which vulnerabilities are most likely to be exploited (internet-facing, known to be exploited in the wild, public exploit code available, sitting on a critical asset) against which remediations deliver the most value, such as a single patch or configuration change that closes many findings at once. Rescan after remediation to confirm the fix actually took.
- Utilize penetration testing: Penetration testing takes your protection to the next level. Vulnerability testing casts a wide net quickly, but there is no “intelligence” associated with the testing. Penetration testing is objective oriented and methodically challenges your network controls like a hacker would. A vulnerability test finds as many known vulnerabilities as it can but stops there. Going much further, a penetration test will find a vulnerability, leverage it to gain a foothold or additional access and then look for another avenue to exploit. During a penetration test, this process is repeated to pivot throughout the network in an attempt to gain administrative or sensitive data access.
- Embrace IT governance: Some institutions risk falling into the trap of viewing cybersecurity as a technical issue that can be remedied with technology. However, cybersecurity is not a technical issue; it’s a business issue that should be approached from a risk-based business perspective. Approaching cybersecurity from a technical perspective often leads to adding more technology, which can create friction in business processes and impede your institution’s progress toward its goals.
IT governance serves as the foundation on which IT systems should function and includes management of the risk surrounding these systems from a regulatory and business perspective. By embracing IT governance, your institution can better mitigate IT- and cybersecurity-related risk and ensure technology investments support your specific goals.
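The "Implement access controls" item above describes a privilege review: compare each user's standing roles against what their job actually needs, and make sure temporary grants are removed when their window closes. The following script is an added example written for this article, not CSI's tooling; the job functions, role names, approved baseline and the sample account export are constructed for illustration, and a real review would pull the same fields from the institution's identity system.

```python
"""Least-privilege access review.

Example code added for this article; it is not CSI's tooling. It flags three
things an examiner asks about: standing roles beyond a job function's approved
baseline, temporary grants that have passed their expiry but are still active,
and accounts with no recent login. Job functions, role names and the sample
accounts below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed approved baseline: the standing roles each job function needs day to day.
BASELINE = {
    "teller": {"core_banking_read"},
    "loan_officer": {"core_banking_read", "loan_origination"},
    "sysadmin": {"core_banking_read", "server_admin"},
}


@dataclass
class Grant:
    role: str
    expires: Optional[datetime] = None  # None means a standing entitlement


@dataclass
class Account:
    user: str
    job: str
    grants: List[Grant]
    last_login: Optional[datetime]


def review(accounts: List[Account], now: datetime, dormant_days: int = 90):
    """Return (user, role, reason) tuples for every entitlement that needs action."""
    findings = []
    for acct in accounts:
        baseline = BASELINE.get(acct.job, set())
        for g in acct.grants:
            if g.expires is not None:
                # Time-bound grants may sit outside the baseline while they last,
                # but must actually be removed once the window closes.
                if g.expires < now:
                    findings.append((acct.user, g.role, "expired temporary grant still active"))
                continue
            if g.role not in baseline:
                findings.append((acct.user, g.role, f"standing role not in '{acct.job}' baseline"))
        if acct.last_login is None or now - acct.last_login > timedelta(days=dormant_days):
            findings.append((acct.user, "*", f"no login in {dormant_days} days; disable or re-certify"))
    return findings


# Constructed sample export from an identity system, as of a fixed review date.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", "teller", [Grant("core_banking_read")], NOW - timedelta(days=3)),
    Account("bob", "teller",
            [Grant("core_banking_read"), Grant("wire_transfer_approve")], NOW - timedelta(days=1)),
    Account("carol", "loan_officer",
            [Grant("core_banking_read"), Grant("loan_origination"),
             Grant("server_admin", expires=NOW - timedelta(days=10))], NOW - timedelta(days=2)),
    Account("dave", "sysadmin", [Grant("server_admin")], NOW - timedelta(days=120)),
]


def sample_findings():
    """Run the review over the constructed export."""
    return review(SAMPLE, NOW)


if __name__ == "__main__":
    for user, role, reason in sample_findings():
        print(f"{user:<8}{role:<24}{reason}")
```

On the sample data the review flags bob's standing wire-approval role (outside the teller baseline), carol's expired temporary server_admin grant and dave's dormant account, while alice passes. The baseline is a ceiling, not a requirement: a sysadmin who never received core_banking_read is not a finding, which keeps the output focused on excess privilege rather than on missing convenience.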
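The "Conduct vulnerability assessments" item above makes the point that fixing every finding is a full-time job, so remediation has to be ranked by likelihood of exploitation and by value. The script below is an added example for this article, not CSI's code: it scores each finding from a composite of CVSS, exploitation evidence, exposure and asset criticality, then splits the list into what gets fixed this cycle and what is scheduled. The weights are assumptions chosen to illustrate the idea, and the findings are constructed sample data rather than real scanner output.

```python
"""Risk-based vulnerability prioritization.

Example code added for this article, not CSI's; it ranks scan findings by a
composite of severity, exploitation evidence, exposure and asset criticality
instead of by CVSS alone. The weights are assumptions chosen for illustration,
and the findings below are constructed sample data, not real scan output."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    host: str
    title: str
    cvss: float             # scanner's base score, 0 to 10
    internet_facing: bool   # external perimeter asset or internal only
    known_exploited: bool   # e.g. listed in CISA's Known Exploited Vulnerabilities catalog
    exploit_public: bool    # public exploit code exists
    asset_criticality: int  # 1 (low) to 3 (crown jewel), from the asset inventory


def priority(f: Finding) -> float:
    """Composite score (assumed weights): CVSS scaled to 0..1, plus 1.0 if exploited
    in the wild (else 0.5 if a public exploit exists), plus 0.5 if internet-facing,
    all multiplied by asset criticality."""
    score = f.cvss / 10.0
    if f.known_exploited:
        score += 1.0
    elif f.exploit_public:
        score += 0.5
    if f.internet_facing:
        score += 0.5
    return round(score * f.asset_criticality, 2)


def triage(findings: List[Finding], capacity: int) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into what the team fixes this cycle and what is scheduled later."""
    ranked = sorted(findings, key=priority, reverse=True)
    return ranked[:capacity], ranked[capacity:]


# Constructed sample findings.
SAMPLE = [
    Finding("edge-appliance-01", "Unpatched remote code execution in edge appliance", 9.8, True, True, True, 3),
    Finding("db-core-01", "Default credentials on database admin interface", 9.0, False, False, True, 3),
    Finding("print-srv-02", "SMB signing not required", 5.3, False, False, False, 1),
    Finding("web-portal-01", "SQL injection in customer portal", 8.8, True, False, False, 2),
    Finding("hr-app-01", "Exploited-in-the-wild flaw in HR application", 7.5, False, True, True, 2),
]


def ranked_hosts() -> List[Tuple[str, float]]:
    """Hosts in remediation order with their composite score."""
    return [(f.host, priority(f)) for f in sorted(SAMPLE, key=priority, reverse=True)]


if __name__ == "__main__":
    fix_now, schedule = triage(SAMPLE, capacity=2)
    print("Fix now:")
    for f in fix_now:
        print(f"  {priority(f):5.2f}  {f.host:<18} {f.title}")
    print("Schedule:")
    for f in schedule:
        print(f"  {priority(f):5.2f}  {f.host:<18} {f.title}")
```

The instructive case is hr-app-01: its CVSS of 7.5 is lower than the portal's 8.8, but because it is being exploited in the wild it ranks above the portal finding, which is exactly the reordering the text argues for. Replace the assumed weights with whatever your risk assessment supports, and feed the known_exploited flag from a maintained source such as CISA's KEV catalog rather than setting it by hand.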
Navigating the Changing Security and Compliance Landscape
As the landscape changes, ensure your institution keeps up with the latest industry trends and strategies. With so many tools at your disposal, be strategic in determining which ones to embrace and how they help you achieve business goals. Above all, be aware of the risks facing your institution and have a plan in place for mitigation.
Learn more about mitigating risk and determining which technologies align with your strategic goals by downloading our white paper.
Tyler Leet serves as director of Risk and Compliance Services for CSI’s Business Solutions Group. With over 20 years of experience in the information security, risk, and compliance industries, Tyler oversees and is involved in the development and maintenance of the risk and compliance-related services that are conducted for a wide variety of financial institutions and organizations in other vertical markets. He frequently speaks at conferences and seminars and is often cited in industry publications.