

By Adam Reynolds | Monday, March 21, 2022

Top Seven Risks . . .

that small bank Information Security Officers face in 2022!


Once again, we compile this list in preparation for updating our normal board of directors awareness training presentation and movies and such.  This list is meant for community-based banks but could apply to small businesses.  How this works can be illustrated with our decision to NOT include this new risk:

“Compliance with the FFIEC Architecture, Infrastructure, and Operations Booklet.”

While this is indeed a very important risk we are all thinking about now, it is a compliance risk.  And while compliance risk is important, the threats to our information (and to our customers’ information by extension) are what can keep us up at night, and those are what we want to address here.

So, let’s cut to this year’s list:

Users May Will Still Make Mistakes.  The first risk is a combination of two items from previous years; users will still make mistakes and vendors will still make mistakes.  Mistakes are unfortunately a part of life, even for the best of us.  They can happen to our users and our vendors’ users.  It’s how we catch mistakes and respond to them that is important.  Our employees need awareness training to understand and recognize the threat landscape, and we need employees who are not afraid to report their mistakes.  A self-reporting culture is really a necessity these days for true information security, and it’s up to us to ensure our employees feel comfortable reporting mistakes without fear of retribution.  For our vendors, since their users are outside our control, there are two important groups of controls that are needed.  The first is vendor due diligence: making sure we know the risks the vendor presents to us and the controls they have in place to protect our information and notify us when there is a problem.  The second group consists of the controls we implement when responding to a vendor issue: our incident response and business continuity programs.

Supply Chain Cyber Risk.  While supply chain risk in general has increased in likelihood over the past couple of years, here we are focusing on supply chain cyber risk.  That is, the threat that software (or even hardware, but that’s outside the scope of this article) from our vendors, or software our vendors are using from their vendors, may be compromised.  Here, a supply chain attack works by targeting a third party with access to an organization’s systems rather than trying to hack the networks directly.  The best example of this is the SolarWinds breach from 2020, where companies such as Cisco, Intel, and Microsoft were affected due to their use of SolarWinds.  Another good example is the Apache Log4j vulnerability from December 2021.  Log4j is a Java-based logging utility used in many software applications from vendors such as Fortinet, VMware, Sophos, and Microsoft.  In these examples, the companies were breached through third-party software.

Attacks on Your Customers (BEC | CATO | PATO | Ransomware).  This is something everyone reading this should be familiar with.  Whether they are corporate accounts or personal accounts, compromised through email, social engineering, viruses, or ransomware, our customers are being attacked daily.  Just like our users, we need to arm our customers with information on how to identify and react to these threats.  And this not only includes awareness information for our customers, but also the controls we implement to protect them such as multi-factor authentication for logins and additional authentication requirements for high-risk transactions.

Shadow IT (New).  While shadow IT is a new term in the AIO booklet, the threat is not.  We have been referring to this threat as rogue technology acquisition for many years.  It’s the threat of hardware or software being on our network or systems without vetting through the proper channels first.  Most of the time this happens through well-meaning individuals trying to accomplish their job, as opposed to a malicious insider as discussed below.  We need to ensure that any device connecting to our network, and any software installed on our systems, has gone through the proper due diligence, risk assessments, and controls review so that it will not be exposing us to unknown risk.
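One way to make the "has it been through the proper channels" check operational is to reconcile what is actually observed on the network against the approved inventory. The following is an added example, not infotex code or anything from the AIO booklet: the approved device list, the approved software catalogue, the DHCP lease export and the software inventory export are all constructed sample data, and the field names are assumptions. Anything observed that has no inventory record is a shadow IT finding for follow-up.

```python
"""Reconcile observed devices and installed software against the approved inventory.

Added example (not infotex code).  All inventories and observations below are
constructed sample data; the CSV field names are assumptions.
"""
from dataclasses import dataclass

# Constructed approved hardware inventory: MAC address -> description.
APPROVED_DEVICES = {
    "00:1a:2b:3c:4d:01": "Teller workstation TW-01",
    "00:1a:2b:3c:4d:02": "Branch printer PR-01",
    "00:1a:2b:3c:4d:03": "Loan officer laptop LP-03",
}

# Constructed approved software catalogue: lowercase product -> allowed versions ("*" = any).
APPROVED_SOFTWARE = {
    "corebanking client": {"*"},
    "pdf reader": {"11.2", "11.3"},
    "endpoint agent": {"*"},
}

# Constructed DHCP lease export.  Two devices (a phone and a hobby board) were never vetted.
DHCP_LEASES = """\
mac,ip,hostname
00:1a:2b:3c:4d:01,10.10.1.21,TW-01
00:1a:2b:3c:4d:03,10.10.1.44,LP-03
f4:5c:89:aa:bb:cc,10.10.1.90,Galaxy-S21
3c:22:fb:11:22:33,10.10.1.91,Raspberry-Pi
"""

# Constructed software inventory export.  LP-03 runs an old PDF reader and an uncatalogued remote-access tool.
SOFTWARE_INVENTORY = """\
host,product,version
TW-01,CoreBanking Client,7.4
TW-01,PDF Reader,11.3
TW-01,Endpoint Agent,3.0
LP-03,PDF Reader,9.0
LP-03,TeamViewer,15.2
LP-03,Endpoint Agent,3.0
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "unapproved_device" or "unapproved_software"
    where: str   # IP address (device) or hostname (software)
    detail: str


def parse_csv(text):
    """Minimal CSV reader for the simple exports above (no quoting needed)."""
    lines = [line for line in text.strip().splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, row.split(","))) for row in lines[1:]]


def find_unapproved_devices(leases_csv, approved=APPROVED_DEVICES):
    """Any lease whose MAC has no inventory record is a device nobody vetted."""
    findings = []
    for lease in parse_csv(leases_csv):
        mac = lease["mac"].lower()
        if mac not in approved:
            findings.append(Finding("unapproved_device", lease["ip"],
                                    f"{mac} ({lease['hostname']}) has no inventory record"))
    return findings


def find_unapproved_software(inventory_csv, approved=APPROVED_SOFTWARE):
    """Flag products outside the catalogue, and catalogued products at non-approved versions."""
    findings = []
    for row in parse_csv(inventory_csv):
        product = row["product"].strip().lower()
        allowed = approved.get(product)
        if allowed is None:
            findings.append(Finding("unapproved_software", row["host"],
                                    f"{row['product']} is not in the approved catalogue"))
        elif "*" not in allowed and row["version"] not in allowed:
            findings.append(Finding("unapproved_software", row["host"],
                                    f"{row['product']} {row['version']} is not an approved version"))
    return findings


def shadow_it_report(leases_csv=DHCP_LEASES, inventory_csv=SOFTWARE_INVENTORY):
    """Combined list of findings for the review meeting."""
    return find_unapproved_devices(leases_csv) + find_unapproved_software(inventory_csv)


if __name__ == "__main__":
    for f in shadow_it_report():
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

In practice the lease and software exports come from the DHCP server and the endpoint agent, and the two approved lists are the output of the due diligence process itself; the value of the check is that a device or program that skipped that process shows up as a finding instead of staying invisible.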

Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT).  As our cyber defenses evolve, so do the attacks themselves.  This will always be a cat-and-mouse game as each side evolves, exemplified by the continuous cycle of vulnerability management.  Our tech team and defenses (patch management, vulnerability management, anti-virus and anti-malware, awareness of threats, etc.) need to stay on top of the ever-evolving threat landscape.
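Password spraying, one of the tools named above, is a good illustration of why "awareness of threats" has to reach the people who write detection rules: a spray tries one or two common passwords against many accounts, so it never trips a per-account lockout threshold. The detection below is an added example, not infotex code or any product's rule; the log format, the sample lines and the thresholds are constructed and would be tuned to the institution's own authentication logs. It separates a spray (many accounts, few failures each, one source) from a brute-force attempt on a single account and from an ordinary user mistyping a password.

```python
"""Flag password spraying in authentication logs.

Added example (not infotex code).  The log format, the sample lines and the
thresholds are constructed assumptions; tune them to your own auth logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  203.0.113.7 tries many accounts once each (spray),
# 198.51.100.9 hammers one account (brute force), 10.10.1.21 is a user who mistyped twice.
SAMPLE_LOG = """\
2022-03-21T08:00:01Z auth=FAIL user=alice src=203.0.113.7
2022-03-21T08:00:04Z auth=FAIL user=bob src=203.0.113.7
2022-03-21T08:00:07Z auth=FAIL user=carol src=203.0.113.7
2022-03-21T08:00:10Z auth=FAIL user=dave src=203.0.113.7
2022-03-21T08:00:13Z auth=FAIL user=erin src=203.0.113.7
2022-03-21T08:00:16Z auth=FAIL user=frank src=203.0.113.7
2022-03-21T08:00:19Z auth=OK user=grace src=203.0.113.7
2022-03-21T08:01:00Z auth=FAIL user=alice src=198.51.100.9
2022-03-21T08:01:01Z auth=FAIL user=alice src=198.51.100.9
2022-03-21T08:01:02Z auth=FAIL user=alice src=198.51.100.9
2022-03-21T08:01:03Z auth=FAIL user=alice src=198.51.100.9
2022-03-21T08:01:04Z auth=FAIL user=alice src=198.51.100.9
2022-03-21T08:01:05Z auth=FAIL user=alice src=198.51.100.9
2022-03-21T08:05:00Z auth=FAIL user=heidi src=10.10.1.21
2022-03-21T08:05:09Z auth=FAIL user=heidi src=10.10.1.21
2022-03-21T08:05:20Z auth=OK user=heidi src=10.10.1.21
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {src: sorted targeted accounts} for each source that, within `window`,
    failed against at least `min_accounts` distinct accounts with at most
    `max_per_account` failures per account.  The per-account cap is what
    distinguishes a spray from a brute-force attempt on one account."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["result"] == "FAIL"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        # Slide a window over this source's failures, anchored at each failure in turn.
        for i, anchor in enumerate(evs):
            fails_per_user = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - anchor["ts"] > window:
                    break
                fails_per_user[e["user"]] += 1
            if len(fails_per_user) >= min_accounts and max(fails_per_user.values()) <= max_per_account:
                alerts[src] = sorted(fails_per_user)
                break
    return alerts


def succeeded_after_spray(log_text, alerts):
    """Accounts that accepted a login from a spraying source: the first ones to reset and investigate."""
    hits = []
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e["result"] == "OK" and e["src"] in alerts:
            hits.append((e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    alerts = detect_password_spray(SAMPLE_LOG)
    for src, users in alerts.items():
        print(f"possible password spray from {src}: {len(users)} accounts ({', '.join(users)})")
    for src, user in succeeded_after_spray(SAMPLE_LOG, alerts):
        print(f"  {user} accepted a login from {src} after the spray: investigate")
```

The same rule run over the brute-force source stays quiet because a single account with six failures fails the per-account cap; that case belongs to the ordinary lockout rule, which is exactly the control a spray is designed to slip past.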

Cloud Deployment (Without Proper Controls).  We are increasingly moving information from our systems into the cloud.  This migration creates unique risks, as we rely on our vendors to protect our information, and it requires specific controls to address them.  When we deploy cloud assets, there are unique threats due to many factors, including the fact that these resources are made to be accessible to anyone on the internet.  Using cloud resources without implementing proper controls such as enhanced access methods (MFA, IP whitelisting, time or location restrictions, etc.) is an incident waiting to happen.  Finally, as a rhetorical exercise meant to galvanize momentum, we suggest every banker ask themselves, “why have we never required strong passwords on our ATMs?”
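The difference between "accessible to anyone on the internet" and an asset with enhanced access methods can be shown as two access policies evaluated against the same login attempts. The following is an added example, not infotex code and not any cloud provider's policy language; the two policies, the egress range, the business hours and the sample attempts are constructed, and the field names are assumptions. The weak policy accepts every attempt that has the right password; the hardened one also requires MFA, a source inside the allow-listed network, business hours and an approved country, and it reports every rule an attempt violated rather than just the first.

```python
"""Evaluate access attempts to a cloud console against an access policy.

Added example (not infotex code, not a provider's policy syntax).  Policies,
network ranges, hours and attempts are constructed; field names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class AccessPolicy:
    require_mfa: bool = False
    allowed_networks: list = field(default_factory=list)   # CIDR strings; empty = any source
    allowed_hours: tuple = None                             # (start, end) local time; None = any time
    allowed_countries: set = field(default_factory=set)    # ISO country codes; empty = anywhere


@dataclass
class Attempt:
    user: str
    src_ip: str
    country: str
    mfa_passed: bool
    when: datetime


# The "incident waiting to happen": reachable from anywhere, password only.
WEAK_POLICY = AccessPolicy()

# Enhanced access methods: MFA, IP allow-list, time and location restrictions.
HARDENED_POLICY = AccessPolicy(
    require_mfa=True,
    allowed_networks=["198.51.100.0/24"],      # constructed: the bank's egress range
    allowed_hours=(time(7, 0), time(19, 0)),   # constructed: business hours
    allowed_countries={"US"},
)


def evaluate(policy, attempt):
    """Return every policy rule the attempt violates; an empty list means allow."""
    reasons = []
    if policy.require_mfa and not attempt.mfa_passed:
        reasons.append("mfa_required")
    if policy.allowed_networks:
        src = ipaddress.ip_address(attempt.src_ip)
        if not any(src in ipaddress.ip_network(net) for net in policy.allowed_networks):
            reasons.append("source_not_allowlisted")
    if policy.allowed_hours:
        start, end = policy.allowed_hours
        if not (start <= attempt.when.time() <= end):
            reasons.append("outside_allowed_hours")
    if policy.allowed_countries and attempt.country not in policy.allowed_countries:
        reasons.append("location_not_allowed")
    return reasons


# Constructed attempts: a legitimate admin, a stolen password used from abroad at night,
# and the right person from the right place but without a second factor.
SAMPLE_ATTEMPTS = [
    Attempt("admin", "198.51.100.23", "US", True, datetime(2022, 3, 21, 9, 30)),
    Attempt("admin", "203.0.113.77", "RO", False, datetime(2022, 3, 21, 3, 15)),
    Attempt("admin", "198.51.100.23", "US", False, datetime(2022, 3, 21, 9, 31)),
]


def decisions(policy, attempts=SAMPLE_ATTEMPTS):
    """Allow/deny verdict for each attempt under the given policy."""
    return ["allow" if not evaluate(policy, a) else "deny" for a in attempts]


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for a, verdict in zip(SAMPLE_ATTEMPTS, decisions(policy)):
            print(f"{label:8} {a.user}@{a.src_ip} {a.when:%H:%M} -> {verdict} {evaluate(policy, a)}")
```

Returning the full list of violated rules, rather than a bare deny, is deliberate: the second attempt fails all four checks at once, and that combination is what an alert should carry to the incident response team, since a stolen password is the one control the weak policy would have let through.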

Malicious Insider Threat (New).  As an auditor, one thing I find at smaller community-based institutions, and something that sets them apart from their competition, is dedicated employees who genuinely care for their communities and customers.  The malicious insider threat can be a taboo subject because we do trust our employees; that’s why they are working for us.  But trust is not a control, and while the likelihood is hopefully very low, the impact can be disastrous, so to address this risk we need to be able to respond to it properly.  The concern isn’t whether your employees are trustworthy, it’s whether you are prepared to respond if you ever suspect a possible malicious insider threat.  Making matters (possibly?) easier is the notion that if you are at “Pure Zero Trust” that means you “assume breach” in your security posture.  In other words, you are assuming there is already an insider on your network.  While this insider may be demonized with the three letters APT (Advanced Persistent Threat), the APT could be somebody you know.

So, to summarize, the top seven risks community-based banks face in 2022 are:

1) Users May Will Still Make Mistakes (In General)
2) Supply Chain Cyber Risk
3) Attacks on Your Customers (BEC | CATO | PATO | Ransomware)
4) Shadow IT (New)
5) Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT)
6) Cloud Deployment (without proper controls)
7) Malicious Insider Threat (New)

We have taken this list and created a webinar-movie!

Original article by Adam Reynolds CISSP. Lead Non-Technical Auditor, infotex

Interested in any of infotex’s services? Visit offerings.infotex.com to request information!
