Top Seven Risks . . .
that small bank Information Security Officers face in 2022!
Once again, we compile this list in preparation for updating our regular board of directors awareness training presentation and videos. This list is meant for community-based banks but could apply to small businesses as well. How the selection works can be illustrated by our decision to NOT include this new risk:
“Compliance with the FFIEC Architecture, Infrastructure, and Operations Booklet.”
While this is indeed a very important risk we are all thinking about now, it is a compliance risk. And while compliance risk is important, the threats to our information (and our customers’ information by extension) are what can keep us up at night, and that is what we want to address here.
So, let’s cut to this year’s list:
Users May Will Still Make Mistakes. The first risk is a combination of two items from previous years: users will still make mistakes, and vendors will still make mistakes. Mistakes are unfortunately a part of life, even for the best of us. They can happen to our users and to our vendors’ users. It is how we catch mistakes and respond to them that is important. Our employees need awareness training to understand and recognize the threat landscape, and we need employees who are not afraid to report their mistakes. A self-reporting culture is a necessity these days for true information security, and it is up to us to ensure our employees feel comfortable reporting mistakes without fear of retribution. For our vendors, since their users are outside our control, two groups of controls are needed. The first is vendor due diligence: making sure we know the risks the vendor presents to us, and the controls they have in place to protect our information and to notify us when there is a problem. The second group of controls is the ones we implement when responding to a vendor issue: our incident response and business continuity programs.
Supply Chain Cyber Risk. While supply chain risk in general has increased in likelihood over the past couple of years, here we are focusing on supply chain cyber risk. That is, the threat that software (or even hardware, but that is outside the scope of this article) from our vendors, or software our vendors are using from their vendors, may be compromised. A supply chain attack works by targeting a third party with access to an organization’s systems rather than attacking the organization’s networks directly. The best example of this is the SolarWinds breach from 2020, where companies such as Cisco, Intel, and Microsoft were affected due to their use of SolarWinds. Another good example is the Apache Log4j vulnerability from December 2021. Log4j is a Java-based logging utility used in many software applications from vendors such as Fortinet, VMware, Sophos, and Microsoft. In these examples, these companies were breached due to third-party software.
Attacks on Your Customers (BEC | CATO | PATO | Ransomware). This is something everyone reading this should be familiar with. Whether they are corporate accounts or personal accounts, compromised through email, social engineering, viruses, or ransomware, our customers are being attacked daily. Just like our users, we need to arm our customers with information on how to identify and react to these threats. This includes not only awareness information for our customers, but also the controls we implement to protect them, such as multi-factor authentication for logins and additional authentication requirements for high-risk transactions.
Shadow IT (New). While shadow IT is a new term in the AIO booklet, the threat is not. We have been referring to this threat as rogue technology acquisition for many years. It is the threat of hardware or software being on our network or systems without first being vetted through the proper channels. Most of the time this happens through well-meaning individuals trying to get their job done, as opposed to the malicious insider discussed below. We need to ensure that any device connecting to our network, and any software installed on our systems, has gone through the proper due diligence, risk assessment, and controls review so that it does not expose us to unknown risk.
Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OSINT). As our cyber defenses evolve, so do the attacks themselves. This will always be a cat-and-mouse game in which each side evolves, as exemplified by the continuous cycle of vulnerability management. Our tech team and our defenses (patch management, vulnerability management, anti-virus and anti-malware, awareness of threats, etc.) need to stay on top of the ever-evolving threat landscape.
Cloud Deployment (Without Proper Controls). We are increasingly moving information from our own systems into the cloud. This migration creates unique risks, as we rely on our vendors to protect our information, and it requires specific controls to address. When we deploy cloud assets, there are unique threats due to many factors, including the fact that these resources are built to be reachable from anywhere on the internet. Using cloud resources without implementing proper controls such as enhanced access methods (MFA, IP whitelisting, time or location restrictions, etc.) is an incident waiting to happen. Finally, as a rhetorical exercise meant to galvanize momentum, we suggest every banker ask themselves, “why have we never required strong passwords on our ATMs?”
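As an added illustration of what two of the "enhanced access methods" above look like in practice (this is example configuration written for this article, not infotex's or any vendor's own policy), the following AWS IAM policy denies every action unless the caller authenticated with MFA, and denies console or API calls that do not originate from the bank's own network. The address range 203.0.113.0/24 is a constructed placeholder for the bank's egress addresses; the condition keys `aws:MultiFactorAuthPresent`, `aws:SourceIp` and `aws:ViaAWSService` are real AWS keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAnythingWithoutMFA",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "DenyAccessFromOutsideBankNetwork",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": [ "203.0.113.0/24" ] },
        "Bool": { "aws:ViaAWSService": "false" }
      }
    }
  ]
}
```

Because these are explicit Deny statements, they override any Allow granted elsewhere, which is the behaviour you want for a guardrail; the `aws:ViaAWSService` check keeps the IP restriction from breaking calls that AWS services make on the bank's behalf.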
Malicious Insider Threat (New). As an auditor, one thing I find at smaller community-based institutions, and something that sets them apart from their competition, is dedicated employees who genuinely care for their communities and customers. The malicious insider threat can be a taboo subject because we do trust our employees; that is why they are working for us. But trust is not a control, and while the likelihood is hopefully very low, the impact can be disastrous, so to address this risk we need to be able to respond to it properly. The concern is not whether your employees are trustworthy; it is whether you are prepared to respond if you ever suspect a possible malicious insider threat. Making matters (possibly?) easier is the notion that if you are at “Pure Zero Trust,” you “assume breach” in your security posture. In other words, you are assuming there is already an insider on your network. While this insider may be demonized with the three letters APT (Advanced Persistent Threat), the APT could be somebody you know.
So, to summarize, the top seven risks community-based banks face in 2022 are:
1) Users May Will Still Make Mistakes (In General)
2) Supply Chain Cyber Risk
3) Attacks on Your Customers (BEC | CATO | PATO | Ransomware)
4) Shadow IT (New)
5) Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OSINT)
6) Cloud Deployment (without proper controls)
7) Malicious Insider Threat (New)
We have taken this list and created a webinar-movie!
Original article by Adam Reynolds CISSP. Lead Non-Technical Auditor, infotex
Interested in any of infotex’s services? Visit offerings.infotex.com to request information!