Top Seven Risks . . .
that small bank Information Security Officers face in 2024!
We’ve assembled this compilation once more as we gear up to refresh our board of directors’ routine awareness training materials, including presentations and videos. It is designed primarily for community banks, but could apply to small businesses as well. Most of these items are not new, especially since we try to give a high-level overview of risks in general categories. An example is the second risk this year, Cyber Threats: there have been new and novel cyber-attacks we could discuss, but the overall category of cyber-attacks is not new. This compilation is meant as a starting point for discussions within your board and management teams, helping you pinpoint the specific risks and threats your institution faces.

Artificial Intelligence – The notable “new” risk in 2024 is generative AI and its implications. Generative AI’s ability to produce convincing text, audio, and video has both positive and negative uses. It can improve employee productivity, but it equally lowers the bar for fraud: crafting credible phishing emails targeting your employees, writing romance-fraud messages targeting your customers, or cloning a voice from as little as a 20-second audio clip to impersonate an executive or a customer. One widely reported incident involved a CFO being deepfaked on a video call, leading to a $25 million scam. Discussing AI’s risks internally now is critical for early mitigation.
Cyber Threats – This is most definitely not a new risk, but in any list of top IT risks, cyber threats will always be near the top. If you have public-facing assets on the internet, you are exposed to them, and the threats are constant: on the MSSP side of our business, I’m always amazed by the relentless scanning and attempted vulnerability exploitation our sensors see. Patch management and vulnerability management (along with awareness training) are the key controls for this threat; we jokingly refer to those two processes as Sisyphean, because the work is never finished. Vulnerability scanning and penetration testing should then be used to confirm those controls are working as intended.
Ransomware – This was a top risk in 2021, and it hasn’t gone away by any means; it is a specific type of cyber threat. No imagination was needed to put it on this list: ransomware was involved in almost a quarter of breaches in 2023 (Verizon Data Breach Investigations Report 2023), and it is so ubiquitous that we will be talking about it for the foreseeable future. As with general cyber threats, patch management, vulnerability management, and awareness training programs play an important role in curtailing the risk of ransomware. One control, or assessment, specific to ransomware is the Ransomware Self-Assessment Tool, which “helps financial institutions periodically assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security.” The tool was updated in October 2023 and should be reviewed annually.
Third Parties – Third parties are another risk that is by no means new, but outsourcing is a trend that continues to grow. Financial institutions remain responsible for protecting customer information and must ensure the controls that protect it are in place no matter where that information resides. Beyond the risk to customer information, there are many other risks: legal and compliance risk, operational risk, reputation risk, and concentration risk, to name a few. So, what can you do? Our answer is to “Know Your Vendor” through five precepts: assurance, insurance, contract, financials, and incident response/business continuity plans.
Cloud Adoption – We are increasingly moving information from our own systems into the cloud. This migration creates unique risks, because we rely on vendors to protect our information, and it requires specific controls to address. Cloud assets face unique threats for many reasons, including the fact that these resources are built to be reachable from anywhere on the internet. Using cloud resources without proper controls such as enhanced access methods (MFA, IP whitelisting, time or location restrictions, etc.) is an incident waiting to happen. Finally, as a rhetorical exercise meant to build momentum, we suggest every banker ask, “why have we never required strong passwords on our ATMs?”
Access Management – One of the most common attack methods in incidents and breaches is the use of stolen credentials. There are many access management controls beyond simply requiring complex passwords. MFA should be in use: required for remote access, in place for administrators and privileged accounts, and ideally enforced across your domain for everyone. Awareness training should cover password security, especially the danger of reusing the same password across multiple systems. Access should be removed promptly after termination or a job change, and access reviews of systems containing confidential information should be conducted at least annually.
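The last two controls above, timely access removal and periodic access reviews, come down to reconciling what HR says about people against what each system says about accounts. The following is an added example of that reconciliation, not a tool from infotex or from the original article. It flags accounts with no HR owner, accounts still enabled after termination, accounts approved for a department the person has since left, privileged accounts without MFA, and accounts with no recent login. The roster, account export, review date, and the one-day termination and 90-day staleness thresholds are all constructed assumptions for the demonstration.

```python
"""Access review reconciliation: compare an HR roster against a system's
account export and flag accounts that should be removed or re-approved.

Added example, not infotex's tool. Both inputs below are constructed sample
data; a real review would pull them from HR and from the system under review."""
from __future__ import annotations
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster (hypothetical employees).
HR_ROSTER_CSV = """employee_id,name,status,department,termination_date
1001,A. Teller,active,Operations,
1002,B. Admin,active,IT,
1003,C. Former,terminated,Lending,2024-01-05
1004,D. Mover,active,Marketing,
"""

# Constructed account export from the reviewed system (hypothetical).
ACCOUNT_EXPORT_CSV = """username,employee_id,enabled,privileged,mfa_enabled,last_login,approved_department
ateller,1001,true,false,true,2024-02-20,Operations
badmin,1002,true,true,false,2024-02-21,IT
cformer,1003,true,false,true,2023-12-30,Lending
dmover,1004,true,false,true,2023-10-01,Lending
svc_backup,,true,true,true,2024-02-19,IT
"""

REVIEW_DATE = date(2024, 2, 22)      # assumed date the review is run
TERMINATION_SLA = timedelta(days=1)  # assumed policy: disable within one day
STALE_AFTER = timedelta(days=90)     # assumed policy: no login in 90 days is stale


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    detail: str


def _bool(s: str) -> bool:
    return s.strip().lower() == "true"


def review_access(hr_csv: str, accounts_csv: str, today: date) -> list[Finding]:
    """Return findings for enabled accounts that need removal or re-approval."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings: list[Finding] = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        if not _bool(acct["enabled"]):
            continue  # already disabled; nothing to remove
        emp = roster.get(acct["employee_id"])
        if emp is None:
            # No owner in HR: a service account or a leftover. Either way it
            # needs a named owner and a documented business justification.
            findings.append(Finding(user, "orphaned", "no matching employee in HR roster"))
        elif emp["status"] == "terminated":
            term = date.fromisoformat(emp["termination_date"])
            overdue = today - term - TERMINATION_SLA
            findings.append(Finding(user, "terminated-still-enabled",
                                    f"terminated {term}, {overdue.days} days past SLA"))
        elif emp["department"] != acct["approved_department"]:
            # Job change: access was approved for a role the person no longer holds.
            findings.append(Finding(user, "role-changed",
                                    f"approved for {acct['approved_department']}, "
                                    f"now in {emp['department']}"))
        if _bool(acct["privileged"]) and not _bool(acct["mfa_enabled"]):
            findings.append(Finding(user, "privileged-no-mfa", "privileged account without MFA"))
        last = date.fromisoformat(acct["last_login"])
        if today - last > STALE_AFTER:
            findings.append(Finding(user, "stale", f"last login {last}"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER_CSV, ACCOUNT_EXPORT_CSV, REVIEW_DATE):
        print(f"{f.username:12} {f.issue:24} {f.detail}")
```

Run against the sample data, the review produces five findings: the terminated user still enabled 47 days past the one-day SLA, the privileged administrator without MFA, the employee who changed departments (whose account is also stale), and the unowned service account. Each finding is something a reviewer must either remove or formally re-approve; the value of scripting the comparison is that the same checks run identically on every system, every review cycle.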
Instability – They say the only constant is change, but too much change, especially unpredictable change, is not a good thing. Post-pandemic, the landscape of global trade, politics, and economics has shifted, introducing new challenges. For banks, this can translate into talent retention difficulties, increased IT procurement costs, and complexities in strategic planning. Acknowledging this heightened uncertainty when planning, especially for complex IT projects, is crucial.
So, to summarize, the top seven risks community-based banks face in 2024 are:
- Artificial Intelligence
- Cyber Threats
- Ransomware
- Third Parties
- Cloud Adoption
- Access Management
- Instability
Original article by Adam Reynolds, CISSP, Lead Non-Technical, infotex
Interested in any of infotex’s services? Visit offerings.infotex.com to request information!