

By Adam Reynolds | Monday, March 21, 2022 - Leave a Comment

Top Seven Risks . . .

that small bank Information Security Officers face in 2022!


Once again, we compile this list in preparation for updating our normal board of directors awareness training presentation and movies and such.  This list is meant for community-based banks but could apply to small businesses.  How this works can be illustrated with our decision to NOT include this new risk:

“Compliance with the FFIEC Architecture, Infrastructure, and Operations Booklet.”

While this is indeed a very important risk we are all thinking about now, it is compliance risk.  And while compliance risk is important, the threats to our information (and our customers' information by extension) are what can keep us up at night, and what we want to address here.

So, let’s cut to this year’s list:

Users May Will Still Make Mistakes.  The first risk is a combination of two items from previous years: users will still make mistakes and vendors will still make mistakes.  Mistakes are unfortunately a part of life, even for the best of us.  They can happen to our users and to our vendors' users.  It's how we catch mistakes and respond to them that is important.  Our employees need awareness training to understand and recognize the threat landscape, and we need employees who are not afraid to report their mistakes.  A self-reporting culture is really a necessity these days for true information security, and it's up to us to ensure our employees feel comfortable reporting mistakes without fear of retribution.  For our vendors, whose users are outside our control, there are two important groups of controls that are needed.  The first is vendor due diligence: making sure we know the risks the vendor presents to us and the controls they have in place to protect our information and to notify us when there is a problem.  The second group of controls is the ones we implement when responding to a vendor issue: our incident response and business continuity programs.

Supply Chain Cyber Risk.  While supply chain risk in general has increased in likelihood over the past couple of years, here we are focusing on supply chain cyber risk.  That is, the threat that software (or even hardware, but that's outside the scope of this article) from our vendors, or software our vendors are using from their vendors, may be compromised.  A supply chain attack works by targeting a third party with access to an organization's systems rather than attacking the organization's networks directly.  The best example of this is the SolarWinds breach from 2020, where companies such as Cisco, Intel, and Microsoft were affected due to their use of SolarWinds.  Another good example is the Apache Log4j vulnerability from December 2021.  Log4j is a Java-based logging utility used in many software applications from vendors such as Fortinet, VMware, Sophos, and Microsoft.  In both examples, these companies were breached or exposed through third-party software rather than through their own code.

Attacks on Your Customers (BEC | CATO | PATO | Ransomware).  This is something everyone reading this should be familiar with.  Whether they are corporate accounts or personal accounts, compromised through email, social engineering, viruses, or ransomware, our customers are being attacked daily.  Just like our users, we need to arm our customers with information on how to identify and react to these threats.  And this not only includes awareness information for our customers, but also the controls we implement to protect them such as multi-factor authentication for logins and additional authentication requirements for high-risk transactions.

Shadow IT (New).  While shadow IT is a new term in the AIO booklet, the threat is not.  We have been referring to this threat as rogue technology acquisition for many years.  It's the threat of hardware or software being on our network or systems without vetting through the proper channels first.  Most of the time this happens through well-meaning individuals trying to accomplish their job, as opposed to the malicious insider discussed below.  We need to ensure that any device connecting to our network, and any software installed on our systems, has gone through the proper due diligence, risk assessment, and controls review so that it will not expose us to unknown risk.
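The control described above is only as good as the check behind it: something has to compare what is actually on the network with what went through due diligence. The following is an added example (not code from the infotex article) that reconciles a list of observed devices against an approved asset inventory and flags anything unvetted. The inventory, hostnames, owners and the DHCP-style lease records are constructed sample data; in practice the inventory would come from a CMDB or asset register and the observed devices from DHCP leases, switch MAC tables, or a NAC/EDR console.

```python
"""Reconcile devices seen on the network against the approved asset inventory.

Added example, not code from the infotex article. All inventory entries and
observed devices below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str


def normalize_mac(mac: str) -> str:
    """Lower-case and use colons so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


# Constructed approved inventory (hypothetical hostnames and owners).
APPROVED_INVENTORY = [
    Asset("00:1a:2b:3c:4d:01", "teller-ws-01", "Branch Operations"),
    Asset("00:1a:2b:3c:4d:02", "teller-ws-02", "Branch Operations"),
    Asset("00:1a:2b:3c:4d:10", "mfp-lobby-01", "Facilities"),
    Asset("00:1a:2b:3c:4d:20", "fileserver-01", "IT"),
]

# Constructed observed devices, as a DHCP lease export might list them:
# (mac, ip, hostname as reported by the client).
OBSERVED_DEVICES = [
    ("00-1A-2B-3C-4D-01", "10.20.1.11", "teller-ws-01"),
    ("00-1A-2B-3C-4D-02", "10.20.1.12", "teller-ws-02"),
    ("00-1A-2B-3C-4D-10", "10.20.1.50", "mfp-lobby-01"),
    ("00-1A-2B-3C-4D-20", "10.20.1.5", "fileserver-01"),
    ("3C-5A-B4-00-11-22", "10.20.1.77", "Johns-iPhone"),   # not in inventory
    ("B8-27-EB-AA-BB-CC", "10.20.1.78", "raspberrypi"),    # not in inventory
    ("00-1A-2B-3C-4D-02", "10.20.1.90", "LAPTOP-HOME"),    # known MAC, unexpected hostname
]


def reconcile(observed, inventory):
    """Return findings for devices that do not match the approved inventory.

    Finding types:
      unapproved_device  - MAC address is not in the inventory at all
      hostname_mismatch  - inventoried MAC is reporting a different hostname,
                           which can mean a re-imaged box or a spoofed address
    """
    by_mac = {normalize_mac(a.mac): a for a in inventory}
    findings = []
    for mac, ip, hostname in observed:
        key = normalize_mac(mac)
        asset = by_mac.get(key)
        if asset is None:
            findings.append({"type": "unapproved_device", "mac": key,
                             "ip": ip, "hostname": hostname})
        elif hostname.lower() != asset.hostname.lower():
            findings.append({"type": "hostname_mismatch", "mac": key, "ip": ip,
                             "hostname": hostname, "expected": asset.hostname,
                             "owner": asset.owner})
    return findings


def summarize(findings):
    """Counts per finding type, for a report line or dashboard tile."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(OBSERVED_DEVICES, APPROVED_INVENTORY)
    for f in results:
        print(f)
    print(summarize(results))
```

Run on a schedule, each `unapproved_device` finding becomes a ticket to either complete due diligence or remove the device; the `hostname_mismatch` case is worth keeping because an inventory keyed on MAC alone will happily accept a personal laptop that cloned a teller workstation's address.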

Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT).  As our cyber defenses evolve, so do the attacks themselves.  This will always be a cat-and-mouse game in which each side evolves, as exemplified by the continuous cycle of vulnerability management.  Our tech team and defenses (patch management, vulnerability management, anti-virus and anti-malware tools, awareness of threats, etc.) need to stay on top of the ever-evolving threat landscape.
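Of the tools listed above, password spraying is the one a small bank's own logs can reveal, because its signature is the opposite of a classic brute force: one source tries a few passwords against many different accounts so that no single account reaches the lockout threshold. The following is an added example (not code from the infotex article) that looks for that signature in authentication logs. The log lines and their format are constructed; map the regular expression to whatever your directory, VPN, or SIEM actually emits.

```python
"""Flag password-spraying behaviour in authentication logs.

Added example, not code from the infotex article. The log format is
hypothetical and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format). 203.0.113.7 fails once
# against six different accounts; 198.51.100.4 fails three times against one.
SAMPLE_LOG = """\
2022-03-21T08:01:12Z auth=fail user=jsmith src=203.0.113.7
2022-03-21T08:01:40Z auth=fail user=mjones src=203.0.113.7
2022-03-21T08:02:05Z auth=ok   user=tbrown src=10.20.1.11
2022-03-21T08:02:18Z auth=fail user=tbrown src=203.0.113.7
2022-03-21T08:02:51Z auth=fail user=klee src=203.0.113.7
2022-03-21T08:03:09Z auth=fail user=rpatel src=198.51.100.4
2022-03-21T08:03:30Z auth=fail user=agarcia src=203.0.113.7
2022-03-21T08:03:44Z auth=fail user=rpatel src=198.51.100.4
2022-03-21T08:04:02Z auth=fail user=rpatel src=198.51.100.4
2022-03-21T08:04:15Z auth=fail user=dwhite src=203.0.113.7
2022-03-21T08:04:40Z auth=ok   user=rpatel src=198.51.100.4
2022-03-21T08:05:10Z auth=fail user=jsmith src=10.20.1.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth=(?P<result>\w+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for every line matching the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return one finding per source that failed against at least min_users
    distinct accounts inside some sliding window of the given length."""
    fails = defaultdict(list)  # src -> [(timestamp, user), ...]
    for ts, result, user, src in parse(lines):
        if result == "fail":
            fails[src].append((ts, user))

    findings = []
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct accounts this source failed against in [start, start + window].
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                findings.append({"src": src, "distinct_users": len(users),
                                 "window_start": start.isoformat(),
                                 "users": sorted(users)})
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG.splitlines()):
        print(finding)
```

The thresholds are deliberately parameters: per-account lockout (the brute-force control) never fires in the sample, yet the spray is obvious once failures are grouped by source rather than by user. Tune `window` and `min_users` against a few weeks of your own logs before alerting on them.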

Cloud Deployment (Without Proper Controls).  We are increasingly moving information from our systems into the cloud.  This migration creates unique risks as we rely on our vendors to protect our information and requires specific controls to address.  When we deploy cloud assets, there are unique threats due to many factors, including the fact these resources are made to be accessible to anyone on the internet.  Using cloud resources without implementing proper controls such as enhanced access methods (MFA, IP whitelisting, time or location restrictions, etc.) is an incident waiting to happen.  Finally, as a rhetorical exercise meant to galvanize momentum, we suggest every banker ask themselves, “why have we never required strong passwords on our ATMs?”
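The "enhanced access methods" named above are easier to reason about as explicit checks that each fail closed. The following is an added example (not code from the infotex article or from any cloud provider's SDK) that evaluates constructed console sign-in events against two policies: the permissive default many tenants start with, and a hardened one requiring MFA, a source-IP allowlist, and a time window. The policy model, the CIDR ranges, the business-hours window, and the events are all constructed.

```python
"""Evaluate cloud sign-in events against a weak and a hardened access policy.

Added example, not code from the infotex article or any cloud provider's SDK.
Policies, address ranges, and events are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AccessPolicy:
    require_mfa: bool
    allowed_cidrs: list        # source networks allowed to reach the console/API
    allowed_hours_utc: tuple   # (start, end), end exclusive; (0, 24) = any time
    name: str = "policy"


@dataclass
class SignIn:
    principal: str
    src_ip: str
    mfa_verified: bool
    when: datetime


def evaluate(event: SignIn, policy: AccessPolicy) -> list:
    """Return the list of control failures; an empty list means access is allowed."""
    failures = []
    if policy.require_mfa and not event.mfa_verified:
        failures.append("mfa_missing")

    try:
        src = ipaddress.ip_address(event.src_ip)
    except ValueError:
        # Unparseable source address: deny rather than guess.
        return failures + ["source_ip_invalid"]
    if not any(src in ipaddress.ip_network(c) for c in policy.allowed_cidrs):
        failures.append("source_ip_not_allowlisted")

    start, end = policy.allowed_hours_utc
    hour = event.when.astimezone(timezone.utc).hour
    if not (start <= hour < end):
        failures.append("outside_allowed_hours")
    return failures


# The default many tenants start with: anyone, from anywhere, at any time.
WEAK_POLICY = AccessPolicy(require_mfa=False, allowed_cidrs=["0.0.0.0/0"],
                           allowed_hours_utc=(0, 24), name="weak")

# Hardened: MFA required, only the bank's own egress range (constructed),
# and only during a constructed business-hours window expressed in UTC.
HARDENED_POLICY = AccessPolicy(require_mfa=True, allowed_cidrs=["203.0.113.0/24"],
                               allowed_hours_utc=(12, 23), name="hardened")

# Constructed events. The second is the pattern a stolen credential produces:
# a privileged account, no MFA, an unfamiliar network, two in the morning.
EVENTS = [
    SignIn("ops-admin", "203.0.113.40", True,
           datetime(2022, 3, 21, 14, 5, tzinfo=timezone.utc)),
    SignIn("ops-admin", "198.51.100.23", False,
           datetime(2022, 3, 21, 2, 17, tzinfo=timezone.utc)),
]


def audit(events, policy):
    """Map each principal@ip to its control failures under the given policy."""
    return {f"{e.principal}@{e.src_ip}": evaluate(e, policy) for e in events}


if __name__ == "__main__":
    for pol in (WEAK_POLICY, HARDENED_POLICY):
        print(pol.name, audit(EVENTS, pol))
```

Under the weak policy both events pass, including the one that should never have been allowed; under the hardened policy the suspicious sign-in fails three independent controls, which is the point of layering them: an attacker who has the password still needs the second factor, a foothold inside the allowlisted range, and the right hour.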

Malicious Insider Threat (New).  As an auditor, one thing I find at smaller community-based institutions, and something that sets them apart from their competition, is dedicated employees who genuinely care for their communities and customers.  The malicious insider threat can be a taboo subject because we do trust our employees; that's why they are working for us.  But trust is not a control, and while the likelihood is hopefully very low, the impact can be disastrous, and to address this risk we need to be able to properly respond to it.  The concern isn't whether your employees are trustworthy, it's whether you are prepared to respond if you ever suspect a possible malicious insider threat.  Making matters (possibly?) easier is the notion that if you are at "Pure Zero Trust" that means you "assume breach" in your security posture.  In other words, you are assuming there is already an insider on your network.  While this insider may be demonized with the three letters APT (Advanced Persistent Threat), the APT could be somebody you know.

So, to summarize, the top seven risks community-based banks face in 2022 are:

1) Users May Will Still Make Mistakes (In General)
2) Supply Chain Cyber Risk
3) Attacks on Your Customers (BEC | CATO | PATO | Ransomware)
4) Shadow IT (New)
5) Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT)
6) Cloud Deployment (without proper controls)
7) Malicious Insider Threat (New)

We have taken this list and created a webinar-movie!

Original article by Adam Reynolds, CISSP, Lead Non-Technical Auditor, infotex

Interested in any of infotex’s services? Visit offerings.infotex.com to request information!


