6 Cyber Security Tips for Financial Institutions
The growing number and sophistication of cyber attacks have raised awareness and made strengthening cyber security controls a priority. According to Verizon’s 2015 Data Breach Investigations Report (DBIR), the Financial Services sector was one of the three industries most affected by cyber security breaches in 2015. Breaches reported by financial institutions involved phishing, malware, unpatched systems, denial of service attacks, and weaknesses in the management of third party service providers.
Due to the increase in cyberattacks targeting the financial sector, and following the Presidential Executive Order for Improving Critical Infrastructure Cybersecurity, the Office of the Comptroller of the Currency (OCC) issued guidance requiring financial institutions to perform cyber security assessments. The Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment Tool (CAT) in July 2015 to help financial institutions determine their level of cybersecurity preparedness. The National Institute of Standards and Technology (NIST) also published the Framework for Improving Critical Infrastructure Cybersecurity, which serves as the basis for reviewing, assessing and implementing the security controls needed to enhance an organization’s cyber security posture. The CAT provides guidelines for determining an organization’s inherent risk profile and cybersecurity maturity, for ensuring that baseline maturity levels are consistent with legal and regulatory requirements, and for helping to minimize risk.
Whether as a direct result of cybersecurity attacks or because of new regulations, financial institutions should reassess their security posture and make every effort to implement strong security controls in order to safeguard sensitive information, maintain compliance with laws and regulations, and manage risk.
The following are a few tips for improving your organization’s Cyber Security posture:
- Assess the risk: Perform a Security Risk Assessment to identify weaknesses and vulnerabilities and to assess threats and attack vectors. The risk assessment will help you determine your organization’s inherent risk profile and develop a strategy for implementing the security controls that enhance your security posture. Performing a risk assessment is an essential part of building and maintaining a strong security program.
- Define security controls: Develop a strategy that defines control objectives and establishes an implementation plan. The security strategy should include:
  - Appropriate consideration of prevention, detection and response mechanisms.
  - Implementation of the least permissions and least privilege concepts.
  - Layered controls that establish multiple control points between threats and organization assets.
- Perform periodic audits: Audits are not only good practice; they help identify weaknesses in IT controls. They are important for confirming that security controls are working effectively and that security policies comply with applicable standards, laws and regulations.
- Implement security monitoring: Continuous monitoring verifies the continued effectiveness of all security controls. Robust security monitoring will also help enhance your Incident Response capabilities.
- Develop strong service provider security oversight:
  - Determine whether service providers’ contracts contain security requirements that at least meet the objectives of your information security program.
  - Develop a Security Risk Assessment questionnaire and make it a requirement for every service provider connecting to your infrastructure.
  - Ensure the service provider has implemented a security program and that adequate controls, commensurate with the risk, are in place.
- Follow the guidance:
  - Make examiners and auditors happy by developing your security program in line with the appropriate guidelines.
  - Map your information security program to the FFIEC Information Technology Examination Handbook (IT Handbook); ensure that every policy and procedure in your security plan addresses all security processes outlined in the handbook.
  - Get ahead: be familiar with the Examination Procedures listed in Appendix A of the handbook. You can prepare for your annual examination by reviewing the examination procedures and confirming that your security program covers the spirit of the guidance.
Following these guidelines will help you fortify your organization’s security program. We know from experience that this is not a simple task; it requires strategic planning, time and resources to build, implement and maintain a strong program. I’d recommend seeking the support of a security partner to help you assess, develop, implement and/or enhance your cyber security program.