Tag: banking security

08 Apr 2021
Proven Security Solutions to Keep Your Financial Institution Safe from Cybersecurity Threats

Like many other professional industries, the financial sector was forced to work from home due to the COVID-19 pandemic. With an unprecedented number of employees still working remotely, financial institutions are now more susceptible than ever to a cyberattack. The increased threat of a security compromise has prompted financial institutions and other organizations across the country to strengthen their cybersecurity posture to help prevent a future attack.

In a recent post, Safe Systems’ guest blogger, Keith Haskett, president and CEO of Rebyc Security, discusses 5 reasons security solutions fail, such as lack of multi-factor authentication or improperly configured spam filtering, and what you can do to keep your institution safe. In case you missed the full blog, view it here.

22 Dec 2020
3 Top Security Threats Financial Institutions Must Defend Against

Security remains one of the primary areas of concern for community banks and credit unions, according to our recent sentiment survey. Based on responses, the top three security threats that keep survey respondents up at night are cybersecurity, information security, and ransomware.

Here’s a synopsis of each of these security categories as well as some proven best practices that can help institutions address them:

#1: Cybersecurity

Cybersecurity is a broad area for financial institutions to truly master, especially smaller community banks and credit unions with fewer resources to devote to defending themselves – something that National Credit Union Administration Chairman Rodney Hood has even acknowledged.
In today’s world, cybersecurity threats are ubiquitous, with cyberattacks 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report. However, banks and credit unions can take advantage of a number of resources to strengthen their security efforts. Two valuable tools include the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA.

Institutions can also capitalize on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to address cybersecurity issues. Not only can the Cybersecurity Framework help institutions properly evaluate their defensive capabilities, but it provides policies and procedures that can help them identify and even resolve security issues.

#2: Information Security

The goal of information security is to protect electronic and physical data from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. More specifically, information security is a set of strategies for managing the processes, tools and policies that are necessary to defend data when it is being stored and transmitted between different machines or physical locations.

The three basic principles of information security are known as the “CIA” triad: Confidentiality, Integrity, and Availability. “Confidentiality” relates to being able to identify who is trying to access data and block attempts by unauthorized individuals. “Integrity” entails maintaining data in its correct state and preventing it from being improperly modified—either by accident or maliciously. “Availability,” like confidentiality, equates to ensuring data can only be accessed by users with the proper permissions.

Today, institutions face a variety of threats to their data security, including breaches, malware, and deceptive phishing emails that trick victims into divulging their private information. These types of attacks can have a detrimental and long-lasting effect on companies, such as a loss of customers, reputation, revenues, and profits.

Financial institutions are common targets of malware, phishing scams, and data breaches. About 50 percent of all unique organizations impacted by “observed” phishing domains were from the financial services sector, according to Akamai Technologies’ 2019 State of the Internet/Security Financial Services Attack Economy Report.

As a defensive tactic, organizations should implement a layered approach to preventing information security threats. This means employing multiple security measures, policies, and procedures, from patch management to secure software development. However, people can be the first—and best—line of defense, so educating employees about potential cybersecurity threats is crucial.

#3: Ransomware

As the name implies, ransomware is malicious software that is designed to block access to a computer system until the victim pays a sum of money. The ransomware threatens to publish the data or deny access to it either temporarily or permanently.

Regardless of how the attack is initially perpetrated, ransomware presents a serious threat to all types of organizations. It typically begins when someone downloads a malicious email attachment or visits an infected website. The ruse is often undetectable, so most victims are not aware the data breach is happening—until it is too late. Unfortunately, ransomware is difficult to stop, and it can take a huge toll on consumers and organizations, causing frustration, disruption, data loss, and financial damage.

The problem with ransomware is that it is both widespread in nature and costly to address. And ransomware attacks—along with other cyber scams—began surging during the COVID-19 pandemic, according to the July 2020 McAfee COVID-19 Threat Report. A recent example is Ransomware-GVZ, which displays a note and demands payment in return for decrypting the company’s compromised computer systems and the data they contain.

Fortunately, there are actionable steps financial institutions can take to defend their data against ransomware attacks. Some of the most practical measures include keeping operating systems patched and maintaining up-to-date anti-malware software to detect potential threats. Another good practice: keep files backed up, so the data can be replaced if a hacker ever holds it hostage. However, the time to implement defensive data security strategies is before a cyberattack happens.

For more insight about these top three security threats and best practices to defend against them, download our Top 10 Banking, Security, Technology and Compliance Concerns white paper.

09 Sep 2020
Why Security Solutions Fail and What Your Financial Institution Can Do to Stay Safe

From the beginning of the pandemic, the financial sector has seen a rising number of security threats. With more employees working remotely and increasing their online activity, cybercriminals are finding success using attacks like phishing and social engineering to take advantage during these uncertain times. These attacks have prompted financial institutions and other organizations to improve their cybersecurity posture and protect against future attacks.

Financial institutions make significant investments to protect their networks, especially as their workforce has turned to digital channels for remote work. However, there are a few additional security measures that often get overlooked.

In this blog post, we discuss 5 reasons why security solutions fail and what you can do to keep your institution safe and combat malicious attacks.

Improperly configured spam filtering/web filtering solutions

Every financial institution uses some form of spam filtering and web filtering solutions. However, IT personnel often set these solutions up, configure them, and then may not test them again, which creates vulnerabilities over time. Financial institutions must check to make sure these solutions are configured properly and understand all of the security features available to them to use these tools at full capacity.

Lack of multi-factor authentication for ALL accounts

Multifactor authentication (MFA) is crucial for financial institutions to protect against unauthorized access to the network and email accounts. In fact, a report from Microsoft has determined that 99.9% of account compromises can be blocked with MFA, but the overall adoption rate remains low.

Financial institutions often experience difficulties implementing an MFA program for their staff because it can be a time-consuming project and often requires staff to use their own personal devices. It is important to understand the different types of MFA solutions available and identify the one that works best for your staff. While there is variance among MFA solutions in terms of strength and security, having at least some form of MFA greatly enhances your security posture.

Lack of security coverage enterprise-wide

Not just IT, but everyone within the organization, should be following cybersecurity best practices to keep the network safe. Employees are often the weakest link when it comes to security, and cybercriminals prey on these individuals to gain access to non-public information. Without proper training, your staff may not have the skills and awareness to spot security threats and handle them in the appropriate manner. Investing in security awareness training can provide them with the knowledge and expertise to combat malicious threats and ensure that the entire enterprise is working towards this goal.

Accessing external resources (Gmail/Dropbox)

When employees use external resources like Google Drive or Dropbox for file sharing, it can be difficult for IT personnel to control “what” data is going “where.” Cybercriminals are also using these file sharing tools to trick users into clicking links to fake websites to steal login credentials and then slip by corporate security protections.

To mitigate these issues, financial institutions can use credential theft protection tools to block usernames and passwords from leaving the organization. Even if a user fails to recognize the threat, these tools provide protection on the backend to keep the information safe.

Utilizing corporate resources remotely

With many employees working from home during the pandemic, financial institutions must take extra care to ensure the network is protected. It is important to understand how employees are connecting to the network and what devices they are using, and to ensure that those devices are secured. Some employees may be using personal devices or public Wi-Fi to access the network. These are high-risk behaviors that can have a detrimental impact on the institution if attackers are able to exploit vulnerabilities through these entry points.

As employees continue to work remotely, they should be using corporate devices, avoiding public Wi-Fi, and accessing the network through a virtual private network or another secure remote access device. Ultimately, it will be staff’s ability to reference remote access policies and practice appropriate cyber hygiene on remote devices that helps keep their institution secure.

Keith Haskett is the president and CEO of Rebyc Security and is responsible for executing their strategic plan. After several years leading the Risk and Information Security Consulting Services practice at CSI, he co-founded Rebyc to deliver offensive security solutions customized to meet the needs of the highly regulated financial services industry. His teams have delivered over 2,000 engagements to financial institutions nationwide.

For more information on protecting your institution from security threats, view Rebyc Security’s recent blogs.

18 Jun 2020
Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

  • Review all guidance and issues related to their institution and become familiar with any changes that might impact them
  • Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
  • Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

  • Analyzing potential threats
  • Assessing the technology required
  • Managing access controls and security
  • Conducting regular data recovery tests
  • Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”