When CSI asked bankers to identify the one issue that would most affect the financial industry in 2021, cybersecurity was the clear winner. With 34% of the vote, it far outranked the other two leading issues—meeting customer expectations (20%) and regulatory change (17%).
Interestingly, bankers expressed this viewpoint before news of the SolarWinds hack splashed across our news feeds in mid-December. As the scale and long-term implications of this unprecedented cyberattack continue to emerge, it’s worth examining what bankers had to say about cybersecurity in the CSI 2021 Banking Priorities Survey and taking some extra precautions to protect against this persistent threat.
Where Bankers See the Greatest Cybersecurity Threat in 2021
The survey presented bankers with a list of specific cybersecurity threats in 2021 and asked which one posed the greatest threat to their institution. The responses clearly reflect a landscape altered by the coronavirus pandemic, which drove society to remote work environments and digital services, making everyone increasingly vulnerable to cyber manipulation and exploitation.
Social Engineering Fears Predominate
According to the 2021 survey data, the overwhelming majority (81%) of bankers view social engineering, either in general or in specific forms, as the greatest cybersecurity threat in 2021. Here’s the breakdown:
- Customer-targeted phishing: The topmost cybersecurity threat identified by bankers was social engineering aimed at customers via phishing (34%). This coincides with recent reports of large scale email impersonation attacks, including those that target employees of large corporations pretending to be from the recipient’s personal bank and trying to trick them into providing sensitive information about their accounts.
- Employee-targeted phishing: Almost as many bankers (32%) are most worried about phishing aimed at internal targets that let attackers into internal systems. This concern is well-founded. Employees working from home and burdened by new financial and family challenges due to the pandemic are ripe targets for cybercriminals.
- Social engineering: Rounding out the top three cybersecurity threats at 14% was social engineering in all its forms, which includes baiting, phishing, vishing, spear phishing, tailgating and contact spamming.
Less Concern about Ransomware than Circumstances Warrant
Considering that almost every successful breach involves some form of social engineering, it’s not surprising that it dominated the responses to this question. But institutions still need to be concerned about what happens after a social engineering attack successfully infiltrates their systems.
Ransomware is one of the most troubling and costly cyber events, yet it only garnered 9% of the vote. By all accounts, ransomware attacks increased and ransom demands grew in 2020. This trend will continue in 2021, therefore institutions need to keep ransomware on their radar.
The Rest of the Threat Landscape Revealed
All of the remaining cybersecurity issues received less than 5% of the vote, which is not to say that institutions are necessarily downplaying them. It hopefully suggests that bankers have greater confidence in their defense posture in these areas:
- Data theft (5%)
- Synthetic identity fraud (2%)
- Denial of service (2%)
- Endpoint security (1%)
Emerging Cybersecurity Threats in 2021
Cybercriminals are constantly evolving their tactics to gain access to systems and data. As institutions navigate the risks of remote workforces, it is critical to stay vigilant against these emerging cyber threats.
- Supply Chain Attacks: This attack occurs when a bad actor targets a software or hardware vendor to deliver malicious code through seemingly legitimate products or updates. The recent SolarWinds breach is an example of a supply chain attack, which is becoming an increasingly popular method to distribute malware.
- Virtual Private Network (VPN) Attacks: As remote work becomes the norm for many organizations, cybercriminals will likely continue VPN attacks in attempt to gain access to corporate networks and data. Many home networks do not have proper passwords setup or lack proper security protocols, presenting vulnerabilities for criminals to target.
- Cloud-Based Attacks: Many organizations are migrating more of their infrastructure to the cloud, prompting cybercriminals to shift more of their efforts to cloud-based attacks. Institutions must ensure their cloud infrastructure is securely configured to prevent harmful breaches.
How Bankers Plan to Assess and Strengthen Cybersecurity in 2021
It’s not enough to theoretically identify the most pressing cybersecurity threats. Institutions need to be able to practically detect such threats and then defend against them. So, we asked bankers what top three tactics they planned to use in 2021 to assess and strengthen their cybersecurity posture. The results indicate that most bankers plan a full-throated strategy that employs a variety of tactics within their cybersecurity arsenal.
Cybersecurity Training Is Priority One
Over 85% of bankers plan to conduct some form of cybersecurity training. The vast majority of them (62%) plan to educate both employees and customers. A smaller group (23%) plans to focus on internal training among employees and board members.
Preemption Is Next Up
A significant number of bankers plan to take the following proactive steps to defend against cybersecurity attacks:
- More than half (51%) say they will prioritize penetration testing
- Almost as many (47%) will conduct routine social engineering exercises
- And 43% plan recurring vulnerability scans
Additional Tactics Round Out Cybersecurity Strategies
Although in smaller numbers, bankers also plan to focus on these management tools as a way to strengthen their cybersecurity posture:
- Over a third (35%) will conduct a cybersecurity audit
- More than a quarter (26%) will test their Incident Response Plan
- And 14% will focus on improving their business continuity planning
15 Ways to Mitigate Cybersecurity Threats in 2021
Given the survey responses, the lingering pandemic and potential fallout from the SolarWinds hack, here’s our list of the 15 best things your institution can do to protect its systems, operations, data and customers:
1. Let your cybersecurity framework be your guide: This management tool has the power to significantly improve the effectiveness of your cybersecurity efforts, but only if the exercise is more than checking boxes to meet a compliance obligation. When completed in a deliberate manner, a cybersecurity risk assessment is the best way to test your assumptions. From there, it can help you align your cybersecurity measures to where your greatest weaknesses are located and avoid overspending on areas where your institution is already sufficiently protected.
2. Conduct a remote work debrief: It’s been over a year since the first stay-at-home orders were implemented, and we still don’t know how long remote work environments will be needed. Regardless, institutions would benefit from a review and analysis that documents the remote work cybersecurity challenges they faced, resolved and still need to address.
3. Include ransomware threat in your Incident Response Plan (IRP): With attacks on the rise, institutions must consider all of the operational, financial and reputational implications of being held hostage to ransomware. As part of your IRP, you need to be able to answer questions such as:
- Are you adequately backing up your systems and data?
- Have you thought about how you would deal with employees or customers not being able to access your systems?
- How would you communicate with your stakeholders?
- How would you deal with the attackers?
You don’t want to be addressing these questions for the first time in the midst of a ransomware attack.
4. Re-emphasize third-party vendor management: Your internal systems and employees can be highly prepared for a cybersecurity attack, but your institution is still vulnerable if just one of its external vendors is not adhering to the same level of defense standards as you are. Appropriate cybersecurity due diligence and regular monitoring must be conducted on all third-party vendors, with significant attention paid to any external vendor who has access to your sensitive data or systems.
5. Think of cybersecurity as a whole-of-business issue: Despite institutional reliance on IT for every aspect of daily operations and communications, there is still a tendency to think of cybersecurity as a strictly IT issue when it’s actually a whole-of-business issue. Imagine a ransomware attack that hijacks your entire system. Of course, the IT staff will be on the front lines of getting your systems back on line, but every other department will potentially be affected and the institution’s reputation and financial position will be in jeopardy. Internal cybersecurity training should present the issue in that context to everyone from board members to employees.
6. Add cybersecurity expertise to the board: The most effective boards consist of members that bring a range of perspectives, so consider including someone with an IT background on your board. That member could help the CIO and IT staff translate complicated technology matters and cybersecurity threats into lay terms that relate to overall institutional safety and soundness for other board members.
7. Evaluate employee testing and training: Based on the survey responses, bankers rightly understand that the “people factor” is an institution’s biggest potential weakness. Does your employee testing and training strategy reflect that recognition and is it working? If employees continue to fail social engineering tests, it’s time to rethink your strategy to more effectively explain the threat, identify the warning signs and provide incentives for employees to do their part.
8. Assign cybersecurity ambassadors: Back up your cybersecurity training by asking respected employees throughout your institution to act as the issue’s ambassadors. Their job is to help continually reinforce the message within their respective departments.
9. Raise customer awareness: Customers, especially those newest to digital banking, are another big part of the “people factor” that makes cybersecurity so tricky. Help them understand what good cyber hygiene is and how it benefits them by inviting them to a virtual cybersecurity awareness program.
10. Create Stronger Passwords: Institutions should enforce stronger password requirements to prevent unauthorized account access. Many organizations have previously recommended 8-character, frequently changed passwords, but the current best practice is using passwords consisting of 14 characters or more and changing them once a year or as needed.
11. Utilize Multi-Factor Authentication (MFA): True MFA—not just double passwords—should be used whenever possible. With MFA, multiple authentication factors are required to verify a user’s identity. This verification strengthens resiliency and prevents fraudsters from accessing an account solely by obtaining or cracking a password, providing an effective defense against the two largest threat vectors: social engineering and phishing.
12. Ensure Secure Internet Access: It is critical to ensure proper network security for employee VPNs and their home networks as much as possible. Encourage employees to use high-quality routers with strong network passwords, run current security protocols and install up-to-date virus and malware protection on personal and corporate devices. Web content filtering tools also provide additional protection by preventing employees from accessing malicious websites.
13. Enhance Endpoint Security: Secure endpoint protection is an important consideration for any institution with a remote workforce or endpoint devices. If business-owned devices are stolen or compromised, institutions could face loss of data or other serious risks. Proper endpoint security will safeguard end-user devices and detect instances of breaches to maximize protection.
14. Review Acceptable Use Policy: Employees may be more likely to use corporate-owned devices for personal business while working from home, increasing an institution’s risk of vulnerabilities. Review your Acceptable Use Policy—and any other relevant corporate policy—to communicate your specific guidelines for using business devices. Additionally, your institution should review and update policies for VPN access and removal.
15. Invest in new technologies: Finally, bake cybersecurity into customer transactions with the help of passive biometrics and behavioral analytics. These tools simultaneously reduce the risk of cyber threats and minimize friction in the customer experience.
Learn More about Bankers’ Cybersecurity Priorities
Curious to know what else bankers had to say on CSI’s sixth annual survey? They weighed in on everything from the pandemic response to market share strategies and regulatory compliance. Get the full industry perspective in the 2021 Banking Priorities Executive Report.
Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.