Last week on the CSI blog, we addressed four common IT questions banks ask vCIOs about IT strategy. In addition to the questions addressed in that post, many of the most common questions vCIOs hear relate specifically to the challenges of cybersecurity. So, this week, we’re digging deeper into protecting your financial institution from an attack as well as the importance of regular vulnerability scanning.
1. How do I know if I’m protected from an attack?
This is the million-dollar question—and the one most likely asked by board members. Unfortunately, there’s no way to guarantee 100 percent protection from an attack. The best defense is remaining vigilant by monitoring every level of connectivity on external and internal devices. Community banks should ensure their defenses do not present any easy entry points by establishing layered security controls. Common tactics include utilizing managed security services, such as Internet protocol (IP) reputation-based tools and one-time password tokens across all channels, including networks, computers, devices and applications.
2. What single cybersecurity strategy can give me the “best bang for my buck”?
Employee security awareness and information security training are the most cost-effective ways to prevent security issues. But, because the end user is ultimately the weakest link, the only sure way to avoid cybersecurity issues is to completely disconnect from the Internet. Since that’s not a realistic option, it’s important to implement an effective and measured social engineering awareness and testing program.
A comprehensive training program will make sure all staff—and even customers—are aware of phishing, vishing and account takeover tactics. This must be an ongoing process to ensure that new users are up to speed on threats, protocols and processes.
3. My regulator recommends we join FS-ISAC. Should I do so?
The Financial Services Information Sharing and Analysis Center (FS-ISAC) provides several helpful resources for financial institutions, including alerts on new cybercrime techniques, malware updates and information from regulators on best practices.
But, to make the membership most effective, it’s best to adjust your default settings to filter the appropriate level of information. Between the email lists and daily dissemination of information, you can receive a lot of content, so refine the resources to best fit your circumstances.
4. Why do we need to complete the FFIEC Cybersecurity Assessment Tool?
This is one of the hottest topics of conversation at the moment. Regulatory agencies are recommending that banks utilize the FFIEC Cybersecurity Assessment Tool. Some state agencies already require the assessment for their examinations, with more of them likely adding the requirement in the near future.
The assessment tool is a strong way to ensure the protection of valuable data. It’s also a great resource to help you evaluate and gain insight into the maturity level of your financial institution’s cybersecurity preparedness. The process can look intimidating, but if taken step-by-step, it’s manageable for community banks to implement. The assessment’s length and complexity are partly due to its “one-size-fits-all” approach, which means many areas of the framework are designed for larger banks and are not necessarily relevant to community banks.
5. Do I need more vulnerability scanning than my annual IT audit?
Financial institutions should test more, test often and test both internally and externally. Make this an ongoing process and be sure to test anytime major changes are made to your infrastructure. New vulnerabilities arise each week, so frequent testing has become crucial to ensure your financial institution is always aware of its exposure to threats from external and internal sources.
vCIOs recommend at least monthly internal testing and quarterly external testing. They also recommend testing anytime you change something significant: new Internet platform, data conversion, new vendors, etc.
So, as technology within the financial industry evolves and cybersecurity becomes more daunting, it’s important to have strategic initiatives in place, ideally with the guidance of such seasoned professionals as a vCIO from a trusted managed services provider. By having robust strategic parameters in place, you can successfully ensure minimal threat to your bank’s IT infrastructure—and peace of mind for your organization.
Steve Gasiamis serves as a virtual chief information officer for CSI. Steve has more than 14 years’ experience in the information security industry, and he is highly skilled in risk assessments, business continuity and IT compliance requirements for the financial services industry. His professional certifications include Certified Information Systems Security Professional (CISSP), Certified Risk & Information Systems Control (CRISC), Certified Information Systems Manager (CISM) and Cisco Certified Network Associate (CCNA).