Top Seven Risks . . .
that small bank Information Security Officers face in 2023!
When we present audit reports to boards of directors, we also talk to the board about the top risks the institution is facing. Since 2006, we have been compiling a list of the “top seven risks small institutions are facing” in preparation for these board presentations. In 2019, we decided to make this list public, and it is now an annual article, “R-7.” While we curate this list, we ourselves are not bankers, but our Clients are. We work on this list throughout the year, taking notes while attending conferences, talking to our Clients, and getting feedback. Not every item on this list will pertain to your institution, but we believe it is a good starting point for talking to your board about the risks going into 2023. We love feedback, so please let us know if you agree or disagree with the following list, or if there are other items you feel should be included.
So, let’s cut to this year’s list:
Attacks on Users (social engineering). This is something everyone reading this should be familiar with. Whether it’s your employees, your customers, or even your vendors, they will be attacked through social engineering. Users are also one of our first lines of defense, so we need to arm all of them, not just the typical internal user but customers and vendors as well, with the information on how to identify and react to these threats. This is what we call awareness in all directions, which is a cornerstone of information security.
Talent Risk (employee attrition). This is a threat we’ve been taking seriously, especially at smaller community-based institutions, where more often than not they are working with limited resources and limited budgets. The job market has also changed a lot in the last couple of years, and keeping and attracting the right personnel isn’t an easy job. Losing a key person, or not having enough employees to handle the workload, can be disastrous to keeping operations running normally. To mitigate these risks, community-based banks can take several steps, including developing formal succession plans, documenting job descriptions and responsibilities, and investing in employee training and development.
Supply Chain Attacks. Banks rely on a complex network of vendors and suppliers to provide them with the products and services they need to operate effectively. However, this reliance on third-party vendors can also make them vulnerable to supply chain attacks. A supply chain attack occurs when a cybercriminal targets a supplier or vendor to gain access to an organization’s systems or data. That is, the software (or even hardware, but that’s outside the scope of this article) we receive from our vendors, or the software our vendors are using from their vendors, may be compromised. The best-known example of this is the SolarWinds breach from 2020, where companies such as Cisco, Intel, and Microsoft were affected due to their use of SolarWinds products. We expect attacks like these to increase: while they are typically technically hard to execute, the payoff can be huge, because a single vendor can have a very large Client base. Proper due diligence, awareness, and contingency planning are required to be prepared for such attacks.
Endpoint Threats. This item is related to the first risk, attacks on users. If we assume, and rightfully so, that our users will be attacked, we should protect not only our users but also the devices they use. We use the metaphor of a moat protecting a castle to illustrate that our devices are no longer contained within our own environments these days. With many devices outside of the protection of our “castle,” and increasingly sophisticated technical and social engineering attacks, we need to ensure that we know the risks these devices pose and have implemented the proper controls to address that risk.
Supply Chain Issues. Community banks, like any other business, are not immune to supply chain risks. Supply chain risks can be defined as any unexpected events, disruptions, or vulnerabilities that occur in the extended network of suppliers, contractors, or partners that support the community bank’s operations. Many variables play into this: global instability, COVID, and fears about inflation and recession. The result is that prices have gone up and supply has gone down. Addressing this risk is primarily a matter of awareness: awareness of the fact that IT projects may take longer and cost more than previously anticipated.
Malicious Insider Threat. As an auditor, one thing I find at smaller community-based institutions, and something that sets them apart from their competition, is dedicated employees who genuinely care for their communities and customers. The malicious insider threat can be a taboo subject because we do trust our employees; that is why they are working for us. But trust is not a control, and while the likelihood is hopefully very low, the impact can be disastrous, so to address this risk we need to be able to respond to it properly. The concern isn’t whether your employees are trustworthy, it’s whether you are prepared to respond if you ever suspect a possible malicious insider threat. Making matters (possibly?) easier is the notion that if you are at “Pure Zero Trust,” you “assume breach” in your security posture. In other words, you are assuming there is already an insider on your network. While this insider may be demonized with the three letters APT (Advanced Persistent Threat), the APT could be somebody you know.
Regulatory Risk (anticipated regulatory risk). As we move into 2023, community banks face an increasingly complex regulatory landscape. Changes in legislation and the introduction of new regulations are expected to impact community banks significantly. These include new regulations related to cybersecurity, consumer protection, anti-money laundering, and other areas. Fintech is also taking the spotlight, and new issues surrounding the recent bank collapses may also shape regulations going forward. Staying informed about the latest regulatory developments and assessing how they may impact your operations is key to addressing these items as they arise.
So, to summarize, the top seven risks community-based banks face in 2023 are:
- Attacks on Users (social engineering)
- Talent risk (employee attrition)
- Supply Chain Attacks
- Endpoint Threats
- Supply Chain Issues
- Malicious Insider Threat
- Regulatory Risk (anticipated regulatory risk)
Original article by Adam Reynolds CISSP. Lead Non-Technical Auditor, infotex
Interested in any of infotex’s services? Visit offerings.infotex.com to request information!