

By Adam Reynolds | Tuesday, March 21, 2023 - Leave a Comment

Top Seven Risks . . .

that small bank Information Security Officers face in 2023!

When we present audit reports to boards of directors, we also talk to the board about the top risks the institution is facing. Since 2006, we have been compiling a list of the “top seven risks small institutions are facing” in preparation for these board presentations. In 2019, we decided to make this list public, and it is now an annual article, “R-7.” While we curate this list, we ourselves are not bankers, but our Clients are. We work on the list throughout the year, taking notes while attending conferences, talking to our Clients, and gathering feedback. Not every item on this list will pertain to your institution, but we believe it is a good starting point for talking to your board about the risks going into 2023. And we love feedback, so please let us know if you agree or disagree with the following list, or if there are other items you feel should be included.
So, let’s cut to this year’s list:

Attacks on Users (social engineering).  This is something everyone reading this should be familiar with.  Whether it’s your employees, your customers, or even your vendors, they will be attacked through social engineering, because attacking a person is usually cheaper than attacking a system.  Users are also one of our first lines of defense.  So we need to arm all of our users, across the board, not just our own employees, with the information they need to identify and react to these threats: how to spot a suspicious request, how to verify it out of band, and whom to report it to.  This is what we call awareness in all directions, and it is a cornerstone of information security.

Talent Risk (employee attrition).  This is a threat we’ve been taking seriously, especially at smaller community-based institutions, which more often than not are working with limited resources and limited budgets.  The job market has also changed a lot in the last couple of years, and keeping and attracting the right personnel isn’t an easy job.  Losing a key person, or not having enough employees to handle the workload, can be disastrous to keeping operations running normally.  The security angle is that a single departing administrator can take with him or her the only working knowledge of how a system is configured, and shared or orphaned credentials are often left behind.  To mitigate these risks, community-based banks can take several steps, including developing formal succession plans, documenting job descriptions, responsibilities, and system configurations, and investing in employee training and development.

Supply Chain Attacks.  Banks rely on a complex network of vendors and suppliers to provide the products and services they need to operate effectively.  That reliance on third-party vendors can also make them vulnerable to supply chain attacks.  A supply chain attack occurs when a cybercriminal compromises a supplier or vendor in order to gain access to that vendor’s customers’ systems or data.  In other words, the software from our vendors (or even hardware, but that’s outside the scope of this article), or the software our vendors are using from their own vendors, may itself be compromised.  The best-known example is the SolarWinds breach discovered in 2020, where a trojanized update to a trusted product reached thousands of customers, and companies such as Cisco, Intel, and Microsoft were reported to be among those affected through their use of SolarWinds products.  We expect attacks like these to increase: while they are typically hard to execute, the payoff can be huge, because one compromised vendor can have a very large Client base.  Proper due diligence, awareness, and contingency planning are required to be prepared for such attacks, and due diligence should include asking vendors about their own suppliers, since the compromise may sit one more level up the chain.

Endpoint Threats.  This item is related to the first risk, attacks on users.  If we assume, and rightfully so, that our users will be attacked, we should protect not only our users but the devices they use.  We use the metaphor of a moat protecting a castle to illustrate that our devices are no longer contained within our own environments.  With many devices, laptops, phones, and home offices, sitting outside the protection of our “castle,” and with increasingly sophisticated technical and social engineering attacks, we need to ensure that we know the risks these devices pose and have implemented the proper controls to address that risk, regardless of which network the device happens to be on.

Supply Chain Issues.  Community banks, like any other business, are not immune to supply chain risks.  Supply chain risks can be defined as any unexpected events, disruptions, or vulnerabilities that occur in the extended network of suppliers, contractors, or partners that support the community bank’s operations.  Many variables play into this: global instability, COVID, and fears about inflation and recession, all of which mean prices have gone up and supply has gone down.  Addressing this risk is primarily a matter of awareness, specifically awareness that IT projects, including security projects such as hardware refreshes and replacing end-of-life equipment, may take longer and cost more than previously anticipated.

Malicious Insider Threat.  As an auditor, one thing I find at smaller community-based institutions, and something that sets them apart from their competition, is dedicated employees who genuinely care for their communities and customers.  The malicious insider threat can be a taboo subject because we do trust our employees; that is why they work for us.  But trust is not a control, and while the likelihood is hopefully very low, the impact can be disastrous, so we need to be able to respond to it properly.  The concern isn’t whether your employees are trustworthy; it’s whether you are prepared to respond if you ever suspect a possible malicious insider.  Making matters (possibly?) easier is the notion that if you are at “Pure Zero Trust,” you already “assume breach” in your security posture.  In other words, you are assuming there is already an adversary on your network, and the controls that follow from that assumption, such as least privilege, logging of administrative activity, and separation of duties, work against a malicious insider just as they work against an external attacker.  While this adversary may be demonized with the three letters APT (Advanced Persistent Threat), the APT could be somebody you know.

Regulatory Risk (anticipated regulatory risk).  As we move into 2023, community banks face an increasingly complex regulatory landscape.  Changes in legislation and the introduction of new regulations are expected to impact community banks significantly.  These include new regulations related to cybersecurity, consumer protection, anti-money laundering, and other areas.  Fintech is also taking the spotlight, and the issues surrounding the current bank collapses may also shape new regulations going forward.  Staying informed about the latest regulatory developments and assessing how they may impact your operations is key to addressing these items as they arise.

So, to summarize, the top seven risks community-based banks face in 2023 are:

  1. Attacks on Users (social engineering)
  2. Talent risk (employee attrition)
  3. Supply Chain Attacks
  4. Endpoint Threats
  5. Supply Chain Issues
  6. Malicious Insider Threat
  7. Regulatory Risk (anticipated regulatory risk)

Original article by Adam Reynolds, CISSP, Lead Non-Technical Auditor, infotex

Interested in any of infotex’s services? Visit offerings.infotex.com to request information!
