
R7-2022

By Adam Reynolds | Monday, March 21, 2022

Top Seven Risks . . . that small bank Information Security Officers face in 2022!

R7.infotex.com

Once again, we compile this list in preparation for updating our normal board of directors awareness training presentation and movies and such.  This list is meant for community-based banks but could apply to small businesses.  How this works can be illustrated with our decision to NOT include this new risk:

“Compliance with the FFIEC Architecture, Infrastructure, and Operations Booklet.”

While this is indeed a very important risk we are all thinking about now, it is compliance risk.  And while compliance risk is important, the threats to our information (and our customers’ information by extension) are what can keep us up at night, and what we want to address here.

So, let’s cut to this year’s list:

Users May Will Still Make Mistakes.  The first risk is a combination of two items from previous years: users will still make mistakes and vendors will still make mistakes.  Mistakes are unfortunately a part of life, even for the best of us.  They can happen to our users and our vendors’ users.  It’s how we catch mistakes and respond to them that is important.  Our employees need awareness training to understand and recognize the threat landscape, and we need employees who are not afraid to report their mistakes.  A self-reporting culture is really a necessity these days for true information security, and it’s up to us to ensure our employees feel comfortable reporting mistakes without fear of retribution.  For our vendors, since their users are outside our control, two important groups of controls are needed.  The first is vendor due diligence: making sure we know the risks the vendor presents to us and the controls they have in place to protect our information and notify us when there is a problem.  The second group of controls is the ones we implement when responding to a vendor issue: our incident response and business continuity programs.

Supply Chain Cyber Risk.  While supply chain risk in general has increased in likelihood over the past couple of years, here we are focusing on supply chain cyber risk.  That is, the threat that software (or even hardware, but that’s outside the scope of this article) from our vendors, or software our vendors are using from their vendors, may be compromised.  A supply chain attack works by targeting a third party with access to an organization’s systems rather than trying to hack the organization’s networks directly.  The best example of this is the SolarWinds breach from 2020, where companies such as Cisco, Intel, and Microsoft were affected due to their use of SolarWinds.  Another good example is the Apache Log4j vulnerability from December 2021.  Log4j is a Java-based logging utility used in many software applications from vendors such as Fortinet, VMware, Sophos, and Microsoft.  In both examples, the affected companies were breached through third-party software.

Attacks on Your Customers (BEC | CATO | PATO | Ransomware).  This is something everyone reading this should be familiar with.  Whether they are corporate accounts or personal accounts, compromised through email, social engineering, viruses, or ransomware, our customers are being attacked daily.  Just like our users, we need to arm our customers with information on how to identify and react to these threats.  And this not only includes awareness information for our customers, but also the controls we implement to protect them such as multi-factor authentication for logins and additional authentication requirements for high-risk transactions.

Shadow IT (New).  While shadow IT is a new term in the AIO booklet, the threat is not.  We have been referring to this threat as rogue technology acquisition for many years.  It’s the threat of hardware or software being on our network or systems without first being vetted through the proper channels.  Most of the time this is done by well-meaning individuals trying to accomplish their job, as opposed to a malicious insider as discussed below.  We need to ensure that any device connecting to our network, and any software installed on our systems, has gone through the proper due diligence, risk assessments, and controls review so that it will not expose us to unknown risk.

Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT).  As our cyber defenses evolve, so do the attacks themselves.  This will always be a cat-and-mouse game in which each side evolves, as exemplified by the continuous cycle of vulnerability management.  Our tech team and our defenses (patch management, vulnerability management, anti-virus and anti-malware, awareness of threats, etc.) need to stay on top of the ever-evolving threat landscape.

Cloud Deployment (Without Proper Controls).  We are increasingly moving information from our systems into the cloud.  This migration creates unique risks, since we rely on our vendors to protect our information, and it requires specific controls to address them.  When we deploy cloud assets, there are unique threats due to many factors, including the fact that these resources are made to be accessible to anyone on the internet.  Using cloud resources without implementing proper controls such as enhanced access methods (MFA, IP whitelisting, time or location restrictions, etc.) is an incident waiting to happen.  Finally, as a rhetorical exercise meant to galvanize momentum, we suggest every banker ask themselves, “why have we never required strong passwords on our ATMs?”

Malicious Insider Threat (New).  As an auditor, one thing I find at smaller community-based institutions, and something that sets them apart from their competition, is dedicated employees who genuinely care for their communities and customers.  The malicious insider threat can be a taboo subject because we do trust our employees; that’s why they are working for us.  But trust is not a control, and while the likelihood is hopefully very low, the impact can be disastrous, so to address this risk we need to be able to respond to it properly.  The concern isn’t whether your employees are trustworthy, it’s whether you are prepared to respond if you ever suspect a possible malicious insider threat.  Making matters (possibly?) easier is the notion that if you are at “Pure Zero Trust,” you “assume breach” in your security posture.  In other words, you are assuming there is already an insider on your network.  While this insider may be demonized with the three letters APT (Advanced Persistent Threat), the APT could be somebody you know.

So, to summarize, the top seven risks community-based banks face in 2022 are:

1) Users May Will Still Make Mistakes (In General)
2) Supply Chain Cyber Risk
3) Attacks on Your Customers (BEC | CATO | PATO | Ransomware)
4) Shadow IT (New)
5) Next Gen Attack Tools (Ransomware, Fileless Malware, Password Spraying, AI, OS-INT)
6) Cloud Deployment (without proper controls)
7) Malicious Insider Threat (New)

We have taken this list and created a webinar-movie!


Original article by Adam Reynolds CISSP. Lead Non-Technical Auditor, infotex

Interested in any of infotex’s services? Visit offerings.infotex.com to request information!

