Information Security Archives - Page 2 of 2

16 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

“Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to Coronavirus and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if they allow the use of personal devices, they must still make sure all employees can work safely from home and ensure the network remains secure.
“Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a large case of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institution Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service providers’ vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
How do you plan to continue providing services in the event of the loss of key employees?
Have you been in communication with your critical third-party providers?
Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third-parties, operational events such as pandemics call for much closer scrutiny. Depending on responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

25 Jun 2020

What is My Bank's Cybersecurity Posture Compared to My Peers?

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

What is My Bank or Credit Union’s Cybersecurity Posture Compared to My Peers?

What is My Bank's Cybersecurity Posture Compared to My Peers?

It is important to understand your institution’s cybersecurity posture to find out where you stand in regard to cyber threats and what you need to do to create a more secure environment. It’s a delicate balance because being behind on your cybersecurity posture means your institution is less secure than it should be but being ahead likely means that you are investing in resources that you may not need. Unfortunately, it’s almost impossible to do a true peer-to-peer comparison because there are just too many variables between even similarly sized financial institutions to obtain a useful analysis. Here’s why:

Every Institution Has a Unique Model

When we implement information security or business continuity programs for banks and credit unions, we start with a process called “Enterprise Modeling” where we identify the departments, the processes, and the functions that make up each individual financial institution. What this process typically reveals is that if you model out two financial institutions that look identical in terms of geographic area, demographic customer or member base, size and complexity, the results will almost always be significantly different since each institution has a unique operating model based on their specific services, organization, processes, and technologies.

Cyber Risk Appetite Is a Key Variable

Cyber risk appetite is another factor that often differentiates your institution from your peers. Safe Systems’ Compliance Guru defines risk appetite as “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” For example, let’s say we have two financial institutions that seem equivalent in outward appearance. Based on their strategic plan, one institution has decided to take a more aggressive cybersecurity posture to electronic banking products and the other has decided to take a more conservative approach. Because the level of risk varies by the approach, you simply cannot accurately compare the two institutions.

The Best Way to Evaluate Cybersecurity Posture

At Safe Systems, we recommend allowing your bank or credit union’s information to stand on its own. To truly improve your cybersecurity posture, you must examine where you are based on where you need to be — not where a peer may be in the process. Carefully evaluate your risks (including areas of elevated risk), and the controls you have in place that offset those risks. Then, examine the best control groups to apply against those areas of elevated risk and develop an action plan to take your institution from where you are now, to where you need to be. Then, when you conduct this process again next year, you can demonstrate steady progress to both examiners and your Board.

Holding Steady May Cause You to Fall Behind

In addition, just because your inherent risk profile isn’t increasing from one assessment to the next, this doesn’t necessarily mean your control maturity levels shouldn’t increase. The risk environment is constantly evolving, so holding steady on your controls may actually mean your cybersecurity resilience is decreasing. Making incremental increases in your control maturity levels will help keep you ahead of the latest threats.

For more information about improving your cybersecurity posture, watch the full “Banking Bits and Bytes Super Duper CEO Series,” below.

18 Jun 2020

Banks, Compliance, Credit Unions Darren Bridges 0 comment

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

Review all guidance and issues related to their institution and become familiar with any changes that might impact them
Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

Analyzing potential threats
Assessing the technology required
Managing access controls and security
Conducting regular data recovery test
Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

21 May 2020

Banks, Compliance, Credit Unions Jamie Davis 0 comment

The Value of Network Reporting for Community Banks and Credit Unions

With increased cyber-attacks, shared data with third-party vendors, and strict regulatory requirements, community banks and credit unions have high standards to meet for information security. Adequate oversight and network reporting on the information security program is needed to ensure the proper controls are in place and that all stakeholders have visibility into the network.

In a recent webinar, Safe Systems shared some key observations on the need for financial institutions to have better communication and reporting between IT staff, the compliance department, and senior management. Here are a few key points to consider:

Gaps Between IT Staff and ISO/Compliance Teams

In many financial institutions, there is a lack of synergy and communication between the IT department and the information security/compliance team. Many ISOs simply do not have the technical background to fully understand how information is being protected. They tend to be more focused on vendor management, business continuity management, and performing risk assessments and less familiar with how systems are getting patched; if machines have antivirus; or if backups are updated consistently. It can be difficult to communicate effectively if ISOs don’t understand the IT world or don’t have visibility into network reports and the necessary information to do their job.

Oversight to Better Manage Controls

Because bank and credit union IT staff are human, sometimes errors will occur. While financial institutions have many technology solutions that automate IT functions and controls, oversight is required to ensure that the controls are adequate, working, and therefore mitigating risks. Without appropriate oversight, any gaps in the network can lead to a successful cyber-attack. Similarly, a finding during an exam that shows certain controls were implemented ineffectively can also leave the institution vulnerable.

Limited Access to Reports

Too often, when ISOs conduct a review of the information security program, the reports they receive are vague or too technical to decipher the key insights most important to the ISO role. Other key stakeholders, like the Board and senior management, also may need more access to high-level reports to better identify threats, assess risk, and make decisions on the appropriate controls to implement.

Without access to adequate reports, the ISO and other stakeholders can become overly reliant on the IT team to explain what is happening on the network without having the ability to verify that information independently.

To learn more about information security reporting and get a demo of our NetInsight ™ cyber risk reporting tool, watch our webinar, “NetInsight: Trust But Verify.”

01 May 2020

Banks, Credit Unions, Technology Brendan McGowan 0 comment

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

23 Apr 2020

Banks, Credit Unions, Technology Jamie Davis 0 comment

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”

09 Apr 2020

Banks, Compliance, Credit Unions Christine Ray 0 comment

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

With ongoing cybersecurity threats; increased use of third-party providers; and constantly evolving regulatory and reporting requirements, the role of the information security officer (ISO) is even more important in today’s complex banking environment than ever before. However, community bank and credit union ISOs often struggle to keep up with the growing number of responsibilities this role requires – often forced to manage critical tasks with limited resources and a lack of segregation of duties.

The Challenge

Nicole Rinehart, Chief Operations Officer at American Pride Bank, ran into this very issue as the sole IT admin at American Pride Bank. Managing all of the ISO responsibilities, including critical activities such as Board reporting and the production of comprehensive reports for examiners, was difficult to manage due to the many manual processes required.

During a regulatory examination, an examiner recommended the bank focus on having more independence within its ISO duties. The Federal Financial Institution Examination Council (FFIEC) states that all financial institutions must have separation of duties for the ISO role. To accomplish this, the bank began evaluating solutions to help streamline processes and ensure complete oversight of all information security activities.

The Solution

Implementing a Virtual ISO to Improve Compliance Posture Complimentary White Paper

After consideration, American Pride Bank decided to partner with Safe Systems and implement its ISOversight virtual ISO solution. The service includes a suite of applications and programs to help institutions streamline management of key compliance duties including the CAT, BCP, Vendor Management and Information Security.

In this case, the bank was already leveraging individual components of ISOversight. By converting to the virtual ISO service, they gained additional tools, reports, and expert compliance support. An important part of the solution includes monthly meetings with the Safe Systems compliance team to assess the bank’s information security activities and provide guidance.

The Results

With ISOversight, American Pride Bank has improved its overall preparation and communication of the information security program. All key stakeholders in the bank have access to ISO-related items in real-time, and the information security program is more organized and streamlined, enabling the bank to save time on monitoring and reporting.

“The ISOversight solution has been a game-changer for our bank because now we have a robust process in place working with Safe Systems and a full committee of our team members to ensure all tasks are completed accurately and nothing slips through the cracks,” said Rinehart. “It’s so important to have a process like this, especially when you have limited resources. Safe Systems has truly become an extension of our internal team, helping us to stay on track with ISO responsibilities and ensuring we comply with all regulatory requirements.”

To learn more, read the full case study, “American Pride Bank Streamlines Processes and Improves Compliance Reporting with Safe Systems’ ISOversight Virtual ISO Solution.”

← Previous 12