The necessity for continuous risk assessment triggers the need for appropriate resources to meet the demands of new and emerging threats.
By Steve Soukup
A hurricane is hovering off the coast and will make landfall in 24 hours. The news is blaring with warnings for residents to brace themselves for the worst, but you’re prepared. Food, water, and safety supplies have been secured since the beginning of hurricane season. You’ve assessed the house for vulnerabilities, shuttered the windows, removed outside debris, and gassed up the cars. You are ready for the storm and the aftermath. But is your bank as prepared for the storm of cyber threats? Are banks threat ready?
Achieving an effective level of cyber threat readiness requires banks to use a comprehensive approach that encompasses the following:
1. A proactive and evolving cyber risk management solution based on risk assessment data.
2. Appropriate technology, resources and personnel for cyber threat detection, prevention, and mitigation.
3. Effective response, resilience and recovery plans.
4. Comprehensive understanding of the evolving threat landscape.
From cybersecurity to cyber risk management
To become truly threat ready, banks must first shift their mindset from traditional cybersecurity methods to a proactive cyber risk management strategy. Technological advancements are paving the way for banks to provide improved customer service and streamlined daily operations, but with every change, new vulnerabilities are exposed, placing your customers’ assets and data at risk.
Rather than focusing solely on cybersecurity measures aimed at preventing breaches or reducing the impact of one after it occurs, banks benefit when they change their approach to a proactive strategy that flexibly adapts and evolves with the changing threat landscape. Similar to protecting a house by securing the structure from the threat of winds or projectiles, banks implement cybersecurity measures to safeguard their bank systems, programs and infrastructure. While these measures may prevent a breach, banks can no longer rely on them alone. The transition to cyber risk management enables banks to continuously assess and modify strategies to address cyber threats as they materialize.
Train employees. ALL employees. Including C-level executives
Training staff to understand how and where breaches occur has become a crucial part of cybersecurity. While financial institutions are spending money on outside security operations centers and new products to protect their institutions, they can forget about their weakest link: humans. Verizon’s 2022 Data Breach Investigations Report revealed that 82 percent of data breaches were due to some kind of human error. Employees make mistakes that open the door to bad actors, and the fueling force is a knowledge gap. According to Proofpoint’s 2022 Human Factor report, “55 percent of U.S. workers admitted to taking a risky action in 2021, 26 percent clicked an email link that led to a suspicious website, 17 percent accidentally compromised their credentials and only half were able to correctly identify the term phishing.”
This type of breach, which can be avoided with proper training, is not just a run-of-the-mill mistake such as forgetting to close your car window when it rains. Clicking on a phish, using weak passwords, mishandling sensitive information or even carelessly using technology could ultimately enable hackers to gain access to money and sensitive data, resulting in a devastating loss to your financial institution.
Continuous training for all employees provides them with the knowledge they practice daily to avoid making critical errors.
Assess risk continuously
With banks continually targeted and threats evolving at a rapid pace, risks must be documented in real time as they are detected so the institution can properly respond. Instead of updating the risk assessment annually, a better plan is to go through this valuable exercise continuously and update it in real time, which gives an accurate and timely picture of the institution’s risk profile.
Continuous risk assessment allows institutions to appropriately design and implement controls, allocate resources and ultimately focus attention on the right areas in order to ensure protection. Homeowners in a hurricane zone don’t wait for an evacuation order to be announced to prepare. They assess their risk to ensure that they are safeguarded with or without an imminent threat. Banks should do the same.
The information generated from regular risk assessments identifies the necessary changes at the time they are needed, instead of waiting until the end of the year, facing a long list of modifications to satisfy, and then possibly realizing that those modifications no longer adequately mitigate the risk at its current level. Digital solutions are readily available to help assess, monitor and maintain your bank’s level of risk so you can effectively adopt a proactive approach to risk management.
Evaluate your resources
Some smaller institutions incorrectly assume that they are not at risk. It’s easy to get comfortable and complacent and underestimate the extent of the threats. Thinking that smaller FIs won’t be on the radar of one of these operations could not be further from the truth. Cybercriminals do not care what size institution they breach.
As cyberattacks rise, FIs, regardless of size, must reevaluate the scope and reach of their cybersecurity solutions, because cyberattacks are only going to become more sophisticated and threat actors more brazen. Finding an effective balance between the advanced technology available and human resourcefulness is unique to each FI.
Many FIs now partner with cybersecurity companies that can assist with 24/7/365 monitoring for cyber threat detection and investigation. Partnering with a proficient, credentialed outside security operations center to assess and evaluate threats gives FIs an advantage in the war against cyberattacks. The combination of human and artificial intelligence for cybersecurity monitoring has created a cohesive approach to cyber readiness.
It is virtually impossible for humans alone to efficiently scrutinize the millions of events occurring online. Using AI (especially products built for banking) in conjunction with human monitoring provides a streamlined system to reduce false positives, proactively detect fraud, increase anomaly detection and decrease human error.
Response, resilience, recovery
Your bank has assessed and reevaluated the risk landscape. Proactive plans and monitoring are in place. But, are you prepared for an actual breach? Are you prepared for the aftermath of the storm?
Even when all the necessary proactive defenses to prevent attacks are established, cyberattacks are inevitable for banks, which function with a target on their backs. Banks are urged to implement and practice incident response plans so employees are prepared to address cyberattacks in a timely and efficient manner. Running tabletop exercises, which are hands-on simulated response scenarios, provides practice in responding to the incident, containing the breach and then making adjustments based on the outcome.
Through these simulations, banks gain a better understanding of their capabilities, procedures, deficiencies and overall preparedness to respond to an incident. IBM’s 2022 Cost of a Data Breach report notes: “Businesses with an incident response team that tested its incident response plan saw an average of $2.66 million lower breach costs than those without.”
Cyber risk awareness
With any possible disaster, knowledge and awareness are keys to your preparedness. Just like the need for information about the threat of a hurricane and its path of destruction, being aware of the latest cyber threats and malicious attacks keeps you informed and ready. Awareness is not limited to just cyber threats.
Effective information sharing in cybersecurity includes threat awareness, incident reporting, best practices, defensive techniques, etc. The Cybersecurity and Infrastructure Security Agency recommends staying informed by subscribing to various credible news outlets for alerts and security topics. Join a peer-to-peer sharing community about cybersecurity within the financial sector. The Financial Services Information Sharing and Analysis Center is “The only global cyber intelligence sharing community solely focused on financial services. The organization leverages its intelligence platform, resiliency resources, and a trusted peer-to-peer network of experts to anticipate, mitigate and respond to cyber threats.”
Keep current by joining its mailing lists for critical alerts and ongoing news. FS-ISAC provides various trainings, events and insights to stay current, threat ready and informed. Another great resource for information sharing is InfraGard, “a public-private partnership among U.S. businesses, individuals involved in the protection and resilience of U.S. critical infrastructures and the FBI.” Another best practice is to always report incidents immediately to CISA and/or the FBI.
Stay informed, prepared, and proactive
Banks are held to a higher level of expectations to safeguard their customers’ assets and sensitive data. With cybercriminals finding new and inventive ways to infiltrate cybersecurity systems, banks should function with a threat-ready stance 100 percent of the time. Cyber readiness isn’t just about having prevention plans in place. It is also about flexibility in your methods to address the threats as they evolve and emerge. A proactive cyber risk management strategy fueled by real data and knowledge about the current threat landscape and appropriate defensive resources, combined with an effective plan to detect, prevent and mitigate breaches, will improve banks’ cyber risk maturity. When banks satisfy these crucial standards of preparation, they are truly threat ready and prepared to weather the storm of cyberattacks.
Steve Soukup is chief executive officer at DefenseStorm.