iQuasar Cyber

Essential Security Controls to Secure your Assets

Security Controls for Community Banks | iQuasar Cyber

Do you store sensitive data: customer records, account numbers, payment card data? If so, your community bank, regional bank, or credit union is in play to be sized up for an attack. The financial and insurance industries are, and will continue to be, prime targets globally. Financial data is a prized asset for attackers regardless of where it lives or who owns it; a malicious user does not care whether it belongs to a big bank or a small one. The main motive is financial gain, whether by selling the data on the open market or by monetizing it some other way. This is an ever-evolving challenge that major banking organizations face and will keep facing. So what is the plan to counter the bad guys? How do you evolve a security plan that was fully pertinent last year but is only seventy-five percent valid this year because the threat landscape has shifted and attacks have grown more sophisticated? Small, regional, and community banks face the same challenges, and they need to be addressed now: attacks will never cease, and hence the need for security controls.

According to the Verizon Data Breach Investigations Report (2021), breaches commonly stem from lost or stolen credentials, brute force, or weak credential-management controls: over 80% of breaches within the hacking category involve brute force or the use of lost or stolen credentials.

The first step in establishing a secure environment is to put together a strategic security plan at the highest executive level. This carries the business vision from executive management to the various business units in the company. The plan should be business-centric and risk-conscious rather than solution- or technology-centric. Whether it results in choosing a framework, a tool, a technology platform, changes in processes, or a combination of all of these, it must always focus on safeguarding business assets.

Security Controls for Community Banks

Here are some of the security controls that a community bank may implement to better secure its assets.

1. Risk Assessment

Know your crown-jewel assets and conduct a risk assessment to identify gaps; this is the critical first step toward a comprehensive plan for remediation and for securing your valuable assets. Conduct a Business Impact Analysis (BIA) to establish the impact of each asset being unavailable or breached. Several frameworks can guide the assessment, such as the Center for Internet Security (CIS) Critical Security Controls or NIST guidance (the NIST Cybersecurity Framework, and SP 800-30 for conducting risk assessments). Identifying risk is a good start, but clear responsibilities must also be defined so that each business or application owner understands the risks they own and how controls can be implemented to lower them. Management's understanding of risks and internal controls is the first line of defense within a company. A sample risk assessment methodology is illustrated below:

[Figure: sample risk assessment methodology]

2. Access Control

Access control is a crucial countermeasure because it spans every business area, whatever the business objectives. Its scope is the end-to-end account life cycle, covering both user accounts and non-user (service and system) accounts: provisioning access when someone joins, adjusting entitlements when they change roles, and removing access promptly when they leave. A user's life cycle runs through a complex set of business processes and is a focus area for management because of the risk it carries; leaver accounts that stay enabled, service accounts with no living owner, and dormant accounts are the gaps that access reviews most often turn up. Establishing an identity process for the workforce and for the consumer is extremely important for both security and business growth. Identity and Access Management (IAM) has evolved from a purely security-focused discipline into a secure, user-experience-driven platform, and for customers, Customer Identity and Access Management (CIAM) has taken a big leap forward with a renewed focus on revenue and customer security. In summary, IAM refers to the set of business processes and supporting technologies that enable the creation, maintenance, and use of a digital identity; its impact on the user community, application portfolio, and information resources is correspondingly extensive.
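The life-cycle gaps named above (leavers still enabled, orphaned accounts, ownerless service accounts, dormant accounts) are exactly what an account reconciliation finds. The following is an added example written for this page, not iQuasar's code: it compares a directory export against the HR roster and a service-account ownership register. All three data sets are constructed, and the field names (employee_id, status, last_logon, privileged) are assumptions about how an HR system and a directory export might be shaped.

```python
"""Account life-cycle reconciliation: find leaver, orphaned, ownerless and
dormant accounts by comparing a directory export with the HR roster.

Added example, not iQuasar's code. All data below is constructed; the field
names (employee_id, status, last_logon, privileged) are assumptions.
"""
from datetime import date

TODAY = date(2024, 5, 22)   # fixed "run date" so the example is reproducible

# Constructed HR roster: employee_id -> employment status per HR.
HR_ROSTER = {
    "E100": "active",
    "E101": "terminated",   # has left, but see the bchen account below
    "E102": "active",
}

# Constructed directory export. User accounts carry the employee_id they were
# provisioned for; non-user (service) accounts have none and must be owned.
DIRECTORY_ACCOUNTS = [
    {"account": "aruiz",    "employee_id": "E100", "enabled": True,  "privileged": False, "last_logon": date(2024, 5, 20)},
    {"account": "bchen",    "employee_id": "E101", "enabled": True,  "privileged": True,  "last_logon": date(2024, 5, 18)},
    {"account": "cadams",   "employee_id": "E102", "enabled": True,  "privileged": False, "last_logon": date(2024, 1, 3)},
    {"account": "dlee",     "employee_id": "E103", "enabled": True,  "privileged": False, "last_logon": date(2024, 5, 1)},
    {"account": "svc_core", "employee_id": None,   "enabled": True,  "privileged": True,  "last_logon": date(2024, 5, 21)},
    {"account": "svc_old",  "employee_id": None,   "enabled": True,  "privileged": False, "last_logon": date(2023, 9, 1)},
    {"account": "tmp_off",  "employee_id": "E101", "enabled": False, "privileged": False, "last_logon": date(2023, 12, 1)},
]

# Constructed ownership register for service accounts: account -> employee_id.
SERVICE_OWNERS = {"svc_core": "E100"}


def reconcile(roster, accounts, owners, today, dormant_days=90):
    """Return findings as dicts with an issue code, privileged accounts first."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already out of the active life cycle
        name, eid = acct["account"], acct["employee_id"]
        issues = []
        if eid is None:                       # non-user account: check ownership
            owner = owners.get(name)
            if owner is None:
                issues.append("no_owner")
            elif roster.get(owner) != "active":
                issues.append("owner_inactive")
        elif eid not in roster:
            issues.append("orphaned")         # nobody in HR matches this account
        elif roster[eid] != "active":
            issues.append("leaver_enabled")   # deprovisioning did not happen
        if (today - acct["last_logon"]).days > dormant_days:
            issues.append("dormant")
        for issue in issues:
            findings.append({"account": name, "issue": issue, "privileged": acct["privileged"]})
    # privileged accounts carry the most risk, so they go to the top of the work list
    findings.sort(key=lambda f: (not f["privileged"], f["account"]))
    return findings


def accounts_to_disable(findings):
    """Accounts that should be disabled pending owner review, not merely reported."""
    hard = {"leaver_enabled", "orphaned", "no_owner"}
    return sorted({f["account"] for f in findings if f["issue"] in hard})


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, DIRECTORY_ACCOUNTS, SERVICE_OWNERS, TODAY)
    for finding in results:
        print(finding)
    print("disable now:", accounts_to_disable(results))
```

On the constructed data the run flags the privileged leaver account first (bchen, still enabled four days after HR marked the person terminated), then the orphaned account, the ownerless service account, and the two dormant ones. Running this on a schedule against real HRIS and directory exports, and feeding the "disable now" list into a ticket queue, is what turns a paper joiner/mover/leaver process into an enforced one.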

3. Multi-Factor Authentication

Multi-Factor Authentication (MFA) has taken center stage in the authentication process because single-factor, password-only authentication is weak and routinely compromised. As part of the IAM strategy, MFA is a crucial preventive control, especially for privileged users, and any application holding critical or financial data must require it at login. Any MFA option (SMS codes, hardware or software tokens, push notifications) is better than no MFA. NIST SP 800-63B does not ban SMS outright, but it classifies one-time codes delivered over SMS or voice as a restricted authenticator because they can be intercepted or diverted by SIM swapping; SMS remains better than no second factor, but it should be a fallback rather than the default. Authenticator-app codes and push approvals take the telephone network out of the loop, yet they can still be relayed through a real-time phishing site or worn down by repeated push prompts, so for administrators and other privileged users prefer phishing-resistant methods such as FIDO2/WebAuthn security keys.

4. Data Security

The primary objective of information security is to protect the confidentiality, integrity, and availability of the institution's information assets, and most controls in an organization, whether at the perimeter, on hosts, or in processes, contribute to that objective. Not all data needs the same protection, however: some data requires stronger controls and some weaker, according to its classification. Classify data by its value and sensitivity, and scale the controls to match. Data in transit should always be encrypted across untrusted networks (TLS with current protocol versions and cipher suites), and sensitive or confidential data at rest should be encrypted at all times, with encryption keys stored and managed separately from the data they protect so that a copy of the storage alone is useless to an attacker.

5. Monitoring

Monitoring and alerting is another layer of control: organizations use it to review real-time and historical activity, analyze it, and act on it when required. Security monitoring covers the state and activity of network traffic, hosts, applications, and hardware. Alerts flag conditions that need immediate attention so that corrective action can be taken manually or automatically, and they also reveal intruders probing or attempting to penetrate the organization's systems. Monitoring and alerting succeed only when analysis of the collected data quickly surfaces security events and prevents breaches; that requires logs to be collected centrally from authentication systems, endpoints, and applications, retained long enough for investigation, and matched against detection rules tuned to the institution's normal behavior. A quick response always benefits the organization and should be part of the security strategy.
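Because the breach statistics cited earlier on this page point at credentials, the first detection rules a community bank writes usually target authentication logs. The following is an added example, not iQuasar's code or any product's rule syntax: a small detector that reads login events and raises three kinds of alert, a single account hammered from one source (brute force), one source cycling through many accounts (password spraying), and a success that follows a burst of failures (likely compromised credential). The log format (LOGIN_OK / LOGIN_FAILED lines with user= and src= fields) and the sample lines are constructed for this example, and the thresholds are assumptions to be tuned to the institution's own baseline.

```python
"""Credential-attack detection over authentication log lines.

Added example, not iQuasar's code. The log format, the sample lines and the
thresholds are constructed assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"LOGIN_(?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not real data): 203.0.113.7 hammers one account and then
# gets in; 198.51.100.9 tries one password against many accounts; 192.0.2.33 is a
# legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-05-22T08:00:00Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-22T08:00:05Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-22T08:00:09Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-22T08:00:14Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-22T08:00:20Z LOGIN_FAILED user=jdoe src=203.0.113.7
2024-05-22T08:00:31Z LOGIN_OK user=jdoe src=203.0.113.7
2024-05-22T08:01:00Z LOGIN_FAILED user=asmith src=198.51.100.9
2024-05-22T08:01:02Z LOGIN_FAILED user=bkhan src=198.51.100.9
2024-05-22T08:01:04Z LOGIN_FAILED user=clee src=198.51.100.9
2024-05-22T08:01:06Z LOGIN_FAILED user=dpatel src=198.51.100.9
2024-05-22T08:01:08Z LOGIN_FAILED user=eroy src=198.51.100.9
2024-05-22T08:02:00Z LOGIN_FAILED user=fmiller src=192.0.2.33
2024-05-22T08:02:10Z LOGIN_OK user=fmiller src=192.0.2.33
"""


def parse(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["result"], m["user"], m["src"]


def detect(lines, window_s=60, fail_threshold=5, spray_users=5, compromise_failures=3):
    """Sliding-window detection keyed by source address. Returns a list of alerts."""
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures inside the window
    flagged = set()               # sources already alerted on, to avoid one alert per extra failure
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = recent[src]
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # expire failures that fell out of the window
        if result == "FAILED":
            q.append((ts, user))
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                distinct_users = len({u for _, u in q})
                kind = "password_spray" if distinct_users >= spray_users else "brute_force"
                alerts.append({"type": kind, "src": src, "user": None,
                               "failures": len(q), "at": ts.isoformat()})
        else:
            prior = sum(1 for _, u in q if u == user)
            if prior >= compromise_failures:   # a burst of failures followed by success
                alerts.append({"type": "success_after_failures", "src": src, "user": user,
                               "failures": prior, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this produces three alerts: brute_force for 203.0.113.7 at the fifth failure, success_after_failures for jdoe eleven seconds later, and password_spray for 198.51.100.9; the single mistyped password from 192.0.2.33 produces nothing. The third alert type is the one worth paging on, since it means the attacker is already in: the response is to end jdoe's sessions, force a password reset and MFA re-enrolment, and block the source. The distinction between brute force and spraying matters for the response too, because account lockout thresholds stop the first but not the second.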

6. Security Awareness and Training

Another key control is security awareness and training. An unaware, untrained user is a high risk to any organization. As attacks by malicious users have become sophisticated and user-focused, training has become an important part of the control framework. Educating end users about social engineering attacks such as phishing, spear-phishing, and baiting can prevent attacks and breaches; phishing simulations with follow-up coaching, and a simple, blame-free way for staff to report suspicious messages, turn that education into measurable behavior. A people-centric approach to awareness is a critical component in combating breaches and data loss.

Call iQuasar Cyber for a free consulting hour to learn more about our services and how iQuasar Cyber can help you secure your assets. iQuasar consultants can discuss your security needs by phone and put together a plan for combating breaches.