Since 1992, Delap has served a wide variety of financial institution clients, from national banks to local credit unions. But no matter the size of the institution, one constant rings true: All financial institutions face the ongoing challenge of staying on top of cybersecurity.

In this article, we outline some of the cybersecurity issues that we commonly encounter with financial institutions and provide some simple recommendations on how to address them.

Managing Vendor Relationships

Most financial institutions have a diverse set of third-party vendor relationships. From the core banking and general ledger accounting systems to check processing, mobile banking, and payroll, financial institutions use vendors in all aspects of their operations. These vendors frequently have access to sensitive data, and institutions often have significant operational reliance on the services the vendors provide. As a result, any security issue affecting your vendors can directly affect your organization. Unfortunately, in many cases, an institution's management of these vendor relationships is informal at best.

As a best practice, we highly recommend delegating the management of vendors to a specific role within your organization. And if your organization does not already have a vendor management policy and a vendor inventory, we highly recommend developing and implementing them. Having centralized vendor management and a clearly defined vendor management policy will equip your organization to manage its vendors in a consistent and transparent manner. This allows security concerns to be prevented where possible, and otherwise identified and addressed as soon as possible, minimizing any impact to your organization or customers.

Legacy Systems

Legacy systems are systems that are out-of-date, run on unsupported operating systems, and/or are unpatched against known vulnerabilities. These legacy systems present a very real risk to the overall security of your organization's IT environment even if they have been sitting in the corner of your computer room for the last decade without causing any overt problems.

Unpatched servers, out-of-date protocols, and unsupported operating systems are routinely the point of entry into a network for attackers. If your organization doesn't already have one, we recommend compiling a comprehensive inventory of your entire IT infrastructure. Once you have a clear list of the systems within your environment, flag the systems that are out-of-date, missing patches, running on unsupported operating systems, or nearing vendor end-of-life dates. With this information in hand, an organization can decide whether a simple patch, a more involved update, or simply retiring the system entirely is the most appropriate course of action to get these legacy systems out of the environment.
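The triage step above can be scripted once the inventory exists. The following PowerShell is an added example, not Delap's code: it walks a constructed sample inventory and flags each host that is past or nearing its operating system end-of-life date, has not been patched within a threshold, or still exposes deprecated protocols, then suggests one of the three courses of action described above (patch, upgrade, or retire). The column names, thresholds, sample hosts and dates are assumptions for illustration; a real inventory would be loaded with Import-Csv from your own export, and end-of-life dates should come from the vendor's lifecycle pages.

```powershell
# Added example (not Delap's code): flag legacy systems in an IT inventory.
# Column names, thresholds and sample rows are assumptions; replace $Inventory
# with Import-Csv .\inventory.csv in practice.

$AsOf            = Get-Date '2019-01-15'  # fixed so the sample output is reproducible; use (Get-Date) normally
$PatchAgeLimit   = 90                     # days since last patch before a host counts as "missing patches"
$EolWarningDays  = 365                    # warn when vendor end-of-life is within this many days
$DeprecatedProto = @('SMBv1', 'SSLv3', 'TLS1.0')

# Constructed sample inventory; OS names and dates are illustrative, not vendor lifecycle data
$Inventory = @(
    [pscustomobject]@{ Host='core-db-01';  OS='Example OS 2008'; OSEndOfLife='2015-07-14'; LastPatched='2016-02-01'; Protocols='SMBv1,TLS1.0' }
    [pscustomobject]@{ Host='teller-app';  OS='Example OS 2012'; OSEndOfLife='2019-10-01'; LastPatched='2018-12-20'; Protocols='TLS1.2' }
    [pscustomobject]@{ Host='file-srv-02'; OS='Example OS 2016'; OSEndOfLife='2027-01-12'; LastPatched='2018-06-30'; Protocols='SMBv2,TLS1.2' }
    [pscustomobject]@{ Host='web-proxy';   OS='Example OS 2016'; OSEndOfLife='2027-01-12'; LastPatched='2019-01-08'; Protocols='TLS1.2' }
)

function Get-LegacyFindings {
    param(
        [Parameter(Mandatory)][object[]]$Systems,
        [datetime]$AsOf = (Get-Date)
    )

    foreach ($s in $Systems) {
        $findings = @()
        $eol      = [datetime]$s.OSEndOfLife
        $patchAge = ($AsOf - [datetime]$s.LastPatched).Days

        # Unsupported operating system, or one that will be unsupported soon
        if ($eol -le $AsOf) {
            $findings += "Unsupported OS (end-of-life $($eol.ToString('yyyy-MM-dd')))"
        } elseif (($eol - $AsOf).Days -le $EolWarningDays) {
            $findings += "Nearing end-of-life ($($eol.ToString('yyyy-MM-dd')))"
        }

        # Missing patches
        if ($patchAge -gt $PatchAgeLimit) {
            $findings += "Missing patches (last patched $patchAge days ago)"
        }

        # Out-of-date protocols still enabled
        $badProto = ($s.Protocols -split ',') | Where-Object { $DeprecatedProto -contains $_.Trim() }
        if ($badProto) {
            $findings += "Out-of-date protocols: $($badProto -join ', ')"
        }

        # Recommended action mirrors the article's options: patch, update, or retire
        $action = if ($eol -le $AsOf)           { 'Retire or migrate (unsupported OS)' }
                  elseif ($findings.Count -gt 0) { 'Remediate: apply patches, disable deprecated protocols, plan upgrade before end-of-life' }
                  else                           { 'None' }

        [pscustomobject]@{
            Host     = $s.Host
            OS       = $s.OS
            Findings = ($findings -join '; ')
            Action   = $action
        }
    }
}

Get-LegacyFindings -Systems $Inventory -AsOf $AsOf |
    Sort-Object { $_.Findings -eq '' } |   # flagged hosts first
    Format-Table -AutoSize -Wrap
```

Run against the sample data, core-db-01 is flagged on all three counts and marked for retirement, teller-app is nearing end-of-life, file-srv-02 is behind on patches, and web-proxy needs no action. Keep the threshold values alongside your patch management policy so the report and the policy do not drift apart.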

User Access Management

Keeping user access segregated is a priority in any business. However, at a financial institution, where user access could potentially impact customers' deposit balances, loan approvals, other sensitive PII, and the entity's financial reporting, proper user access management is an absolutely critical control. Well-organized and properly designed user access management can sometimes feel more like an art than a science. Consider taking a step back and looking at how your organization is currently handling user additions, deletions, transfers, access controls, permissions, rights, and roles. If it always feels like you're making individual exceptions to a user's Active Directory account, there is likely a lot of room for improvement.

What we have seen be successful at financial institutions (and across other industries) is the use of role-based access controls with clearly defined and standardized permission groups. The appropriate level of access is configured at the group level. When a new employee joins the organization (or changes roles internally), assigning the proper permissions to that user is as simple as placing them in the appropriate user group.

You might be thinking that this is an IT Management 101 concept and we would agree. However, this is often easier said than done in the real world. Consider performing an initial, comprehensive Active Directory audit and take note of all unique access exceptions that exist. Once you have identified exceptions, consider if they could be prevented through better-designed user groups and roles. We find that the smaller the number of non-standard exceptions to user account privileges across an organization, the less likely there are to be underlying security issues as a result of improper user access controls.
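One way to perform the Active Directory audit described above, as an added example rather than Delap's own code: the PowerShell below compares each enabled user's actual group memberships with the standard groups defined for that user's role and reports every deviation, both extra groups (the one-off exceptions) and missing standard groups. The role-to-group table, the use of the Title attribute as the role key, and the group names are assumptions to adapt to your own naming; the script needs the ActiveDirectory module (RSAT) and read access to the domain.

```powershell
# Added example (not Delap's code): report Active Directory users whose group
# memberships deviate from the standard groups for their role.
# Assumptions: the 'Title' attribute identifies the role, and $RoleGroups lists
# the standard groups per role. Requires the ActiveDirectory (RSAT) module.

Import-Module ActiveDirectory

# Assumed standard permission groups per role; adapt to your own groups
$RoleGroups = @{
    'Teller'       = @('FI-Teller-Users', 'FI-Core-ReadOnly')
    'Loan Officer' = @('FI-Loan-Users',   'FI-Core-ReadOnly', 'FI-LoanApproval')
    'Accountant'   = @('FI-GL-Users',     'FI-Core-ReadOnly')
}

# Groups every account legitimately holds; ignored when computing exceptions
$BaselineGroups = @('Domain Users')

function Get-AccessExceptions {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties Title

    foreach ($u in $users) {
        # Resolves group names directly (including the primary group) instead of parsing MemberOf DNs
        $actual   = @((Get-ADPrincipalGroupMembership -Identity $u).Name)
        $expected = $RoleGroups[$u.Title]

        if (-not $expected) {
            # A role with no standard definition is itself a finding
            [pscustomobject]@{ User=$u.SamAccountName; Role=$u.Title; Issue='No standard role defined'; Groups=($actual -join ', ') }
            continue
        }

        $extra   = $actual   | Where-Object { $_ -notin $expected -and $_ -notin $BaselineGroups }
        $missing = $expected | Where-Object { $_ -notin $actual }

        if ($extra)   { [pscustomobject]@{ User=$u.SamAccountName; Role=$u.Title; Issue='Extra group (exception)'; Groups=($extra -join ', ') } }
        if ($missing) { [pscustomobject]@{ User=$u.SamAccountName; Role=$u.Title; Issue='Missing standard group';  Groups=($missing -join ', ') } }
    }
}

Get-AccessExceptions |
    Sort-Object Issue, User |
    Export-Csv -Path .\ad-access-exceptions.csv -NoTypeInformation
```

The resulting CSV is the list of exceptions the text suggests reviewing: each "Extra group" row is a candidate for folding into a better-designed role group (or for removal), and each "No standard role defined" row is a role that still needs a standard. Re-running the script after every change gives a simple count to track, since the goal is to drive the number of non-standard exceptions down over time.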

Security-Minded Employees

According to the 2018 Verizon Data Breach Investigations Report, about 4% of targets of any given phishing campaign will click on the attack. Additionally, on average it takes just 16 minutes from the launch of a targeted phishing attack to the first click by a user. No matter how advanced your network's perimeter security is, attackers will still be able to exploit the single weakest link: human employees.

The only way to combat this threat is to have highly trained employees who diligently keep cybersecurity at the forefront of their minds. Employees of your organization need to know how important cybersecurity is to the organization and they need to be equipped to know what exactly they should be looking for.

All of your employees understand why your branches have a vault, but do they know the intricacies of what a phishing email looks like, or what the common red flags in a social engineering attack are? We highly recommend that every financial institution organizes a formal cybersecurity awareness and training program. While you could implement a full-blown cybersecurity training platform, you should also consider the smaller day-to-day things that can be done to instill awareness. A monthly security newsletter, weekly "fast facts" emails, mock phishing campaigns, or even simply posters around the office – these involve little overhead but can provide a value many times greater than the potential cost of a breach!

In summary, financial institutions have always been – and will continue to be – a major target of cybercriminals. Managing security takes skilled staff, buy-in from management, and consistent effort at all levels to reduce the cyber risks to your organization. We hope that this post gives you a few areas to consider for your organization. Delap has a strong history of serving financial services clients at a high level of excellence over the last 25+ years. If you or your organization have any questions or concerns regarding your cybersecurity landscape, please contact us today.