2020 was a year many of us would like to forget. The year began and ended with two events that caused chaos in the “normalcy” of cybersecurity practitioners. I am referring to the COVID-19 pandemic and the SolarWinds breach.
How many of us had a pandemic in our incident response plan and actually went through an exercise? And how many of us really scrutinize our fourth parties (third-party contractors and partners) in a manner that provides comfort in their security posture?
It is my hope that both community bank practitioners of cybersecurity — as well as non-practitioners — will become more aware of today’s immense cyber risks. It is not just the security teams’ job to protect bank assets, but all employees are involved in protecting a bank’s shareholder value, customer and employee data and bank assets.
We are all familiar with many of the major breaches that have occurred in recent years from Equifax, Microsoft, Chase, US OPM and on and on. Your neighborhood community bank or local business is not on the list. These are Fortune 500 global corporations and government agencies. If they can be breached, so can you.
So, why does this keep happening? The Verizon 2020 Data Breach Investigations Report stated that 86% of breaches were financially motivated, and phishing is the top threat action. Depending on the article you source from, new malware samples are being produced at the rate of 230,000 to 390,000 per day — astonishing figures. Can your legacy antivirus product keep up?
We are at the national security crossroads when it comes to cybersecurity risks that all Americans need to be aware of. Cybersecurity costs are affecting all of us, whether it is the inconvenience of having our own credit/debit card data stolen, higher regulatory costs because of the increasing need to protect customers or helping our community bank resolve a cyber or data privacy crisis.
The coming cyber war is here now, and it’s important to gain the awareness and knowledge to raise your program’s maturity level.
Community bank protection
From a community bank perspective, you may be thinking “if the major corporations can get breached, what is preventing us from being breached?” It is imperative at all levels of a company, from staff level individuals through managerial and executive ranks, all the way to the board, to be keenly aware of and involved in their bank’s cyber/information security program.
There are many facets to protecting corporate assets at your company. The most basic principle is to use a risk-based approach when determining which assets are critical and use a defense-in-depth approach (aka multilayered approach) when protecting assets.
To start, your bank should be using a common cybersecurity framework or assessment tool such as NIST Cybersecurity Framework or the FFIEC Cybersecurity Assessment Tool, which is very familiar in the banking community.
There are five areas you and your bank can focus on that will greatly improve your cyber posture:
- Security awareness training
- Vulnerability and patch management
- Next-generation security tools (those that use Artificial Intelligence/Machine Learning and Deep Learning, Security Orchestration/Automated Remediation (SOAR) and User Behavior Analytics (UBA)
- Strict access controls using Multi-Factor/Two-Factor Authentication (MFA/2FA)
- Penetration Testing, Red/Blue/Purple Team exercises
These along with a strong threat intelligence program will go a long way to protecting community bank assets and shareholder value. Let’s touch on each briefly.
Security awareness training
This begins with baseline testing of employees through phishing exercises using a security awareness/phishing simulation system that can integrate with your Learning Management System. This allows you to simulate a phishing attack by sending a designed email to employees and tracking the metrics on who clicks on the email. This can provide real-time training.
Phishing was represented in 93% of incidents, according to the 2018 Verizon Data Breach Investigative Report. No matter the method you use for security awareness at your company, it should be a pillar in your cybersecurity program.
Vulnerability and patch management
This remains one of the most tedious but necessary processes in your cybersecurity program to remediate defects found in computing systems. Vulnerabilities are prevalent in computing environments, with new vulnerabilities found daily. Risk Based Security stated that more than 22,000 vulnerabilities were disclosed in 2018.
It is imperative that an organization run vulnerability scans on their infrastructure on a weekly basis and patch those systems as quickly as possible. I’d recommend patching workstations weekly and servers on a monthly basis with critical, exploitable patches as soon as feasible — within a week of release.
While signature-based tools are not dead yet, they are certainly heading in that direction. Like most technology, there are always advances. Next-gen tools use artificial intelligence and machine or deep learning. Many also include user behavior analytics (UBA) and automation to remediation of issues (SOAR). These are becoming more available for cyber teams to deploy.
What is great about these tools is that no use case is too small, and they don’t require a lot of resources or super sophisticated cybersecurity experts to utilize them. Machine learning tools do as the name implies: They learn the behavior of a computing system and can detect anomalies (malware, malicious behavior) and alert on that behavior and even eliminate the threat.
Deep learning is like machine learning on steroids; like a neural network, it operates more similar to a human brain. A good place to start with implementing these types of tools is on endpoints due to the previously stated information related to phishing.
A password study found that 81% of breaches are due to weak passwords. The 2018 Global Password Security Report by LastPass reveals that the larger the company, the weaker the password. This is where MFA/2FA come into play.
MFA/2FA are authentication mechanisms that require you to input something in addition to a password or other authentication method: a password plus a PIN, a password plus a token received, a password plus a fingerprint, a badge plus a fingerprint, for example.
These access and authentication controls, whether accessing data on premises or in the cloud, combined with sound admin account controls and data visibility, such as using a Cloud Access Security Broker (CASB) to monitor cloud usage, will provide additional layers of protection to help shore up your security posture.
Penetration testing, red/blue/purple team exercises
To mimic what a hacker does requires experts (white-hats, good guys) and either internal teams or third-party teams to perform red team/blue team/purple team exercises and penetration tests on your environment. These types of tests will certainly prove that “you don’t know what you don’t know.”
It is important to note that these tests are not just vulnerability scans or assessments, although they may be included. These types of simulations involve proceeding through the attack chain to escalating privileges, moving laterally to key assets, then exfiltrating data outside of your infrastructure.
These exercises and simulations can be done in conjunction with your security team, where each of you is learning from the other, or they can be an exercise that accomplishes stated goals and includes a report on recommendations.
Cybersecurity staff shortage
CSO, a cybersecurity publication, conducted a global survey that found that the cyber talent shortage is staggering: 53% of respondents reported a “problematic” shortage. With this type of issue facing corporations around the globe, the five areas of focus previously described, along with robust threat intelligence processes, will help banks improve their cybersecurity posture and protect their assets.
I would also encourage the utilization of third parties, including a vCISO (virtual chief information security officer) when you lack resources to mature your program. In addition, these tips will help employees become more valuable and well-informed.
Note to the board
The National Association of Corporate Directors and Partners 2019 Governance Outlook Projections on Emerging Board Matters study revealed that boards view cybersecurity threats as having the third greatest effect on their companies in the next 12 months. Cybersecurity risks are prevalent throughout the report.
Boards should be asking these key questions:
- Is the cybersecurity program proportionate with the risks, size and complexity of the company?
- Is the program effective?
- Is the cybersecurity program aligned with business strategy?
- What is the cybersecurity risk policy, including an appetite statement that clearly defines tolerance?
- Are we adequately prepared — meaning have we tested our complete incident response plan in case of a breach?
Some of these may seem fundamental, but the board should know if the program is commensurate with risks and the last time response to a breach has been tested.
Recommendations for the board to consider include:
- Cyber risks as part of the overall Enterprise Risk Management Program
- A cyber report that the board can understand
- Independent testing (penetration test, red/blue team test)
- A cyber-risk appetite policy and statement
- Basic and fundamental cyber-hygiene
- The board of directors must lead from the front and should be mindful of the cyber risks that exist within companies they govern.
- MFA/2FA is now a must; passwords on their own won’t protect you enough.
- Security awareness and the various types of simulated breach tests are needed to help the organization be prepared and find security gaps.
- AI-Machine/Deep Learning, Behavior Analytics, SOAR are all the rage for a reason; these products can help detect cyberattacks quickly and help reduce the dwell time of a cybercriminal.
If it’s not already obvious, the coming cyber war is here now. We are at a tipping point and the time is now for the government, private sector and all Americans to work in tandem doing everything we can to minimize the effects of cyberattacks on our businesses and each one of us personally.