Pub. 11 2021-2022 Issue 6


Five Strategies for Strengthening Your Bank’s Cybersecurity Posture

In its seventh annual survey, CSI asked banking executives from across the nation about their top strategies and priorities for 2022. The results were used to inform the 2022 Banking Priorities Executive Report, which details the challenges and opportunities in today’s financial landscape.

When asked about the one issue that will most affect the financial industry in 2022, it’s no surprise that cybersecurity (26%) outranked the other two leading issues – recruiting/retaining employees (21%) and regulatory change (14%).

What Did Bankers Identify as the Top Cybersecurity Threats for 2022?

According to the 2022 results, an overwhelming majority of bankers view employee-targeted phishing (57%) as the top cybersecurity threat, with customer-targeted phishing (51%) following closely. Often the result of social engineering schemes, 48% of bankers worry about the threat of ransomware.

As cybercriminals enhance their tactics to continue targeting data-rich institutions, this concern is well-founded. Ransomware is a type of malware that locks out the authorized user once installed and encrypts the available data to hold for ransom, posing an operational and reputational risk. Incidents of ransomware have risen, with the global attack volume skyrocketing by more than 150% for the first half of 2021 compared to the previous year.

The current geopolitical climate, greater reliance on digital channels and increased turnover in a variety of industries have created an environment ripe for vulnerabilities. And cybercriminals are wasting no time exploiting the weaknesses and vulnerabilities of systems to launch sophisticated attacks.
Unfortunately, the availability and automated nature of modern ransomware allows an attack to be initiated with limited upfront costs and maintenance from criminals. Since ransomware attacks pose little risk to the hacker, provide a quick payout for criminals and are carried out relatively easily and anonymously, institutions should remain on high alert to identify and combat these threats.

How to Strengthen Your Bank’s Cybersecurity Posture

As incidents of ransomware and other attacks increase in frequency and sophistication, consider the following strategies to enhance your bank’s cybersecurity posture:

1. Prioritize Cybersecurity Training:
With 41% of bankers emphasizing employee/board cybersecurity training, most understand that the “people factor” represents an institution’s biggest potential weakness. To create a cybersecurity-focused culture, ensure employees are familiar with the latest threats and know how to identify the warning signs. If employees fail social engineering tests, revisit your strategy to provide real examples of phishing as well as incentives for employees to do their part.

2. Raise Customer Awareness:
Only 18% of bankers identified customer cybersecurity training as a top tactic in 2022, but it’s important to remember that banks benefit significantly from an informed customer base. Since customers, especially those newest to digital banking, are another component of the “people factor,” institutions must ensure they reinforce the importance of good cyber hygiene through cybersecurity awareness programs, which could include videos and gamification.

3. Update Your Incident Response Plan (IRP):
Institutions must consider all the operational, financial and reputational implications of being held hostage to ransomware. Your bank’s IRP should include planning for data and system backups, communication plans, business continuity plans if employees or customers are unable to access your systems and dealing with the attackers. You don’t want to confront those issues for the first time during a ransomware attack. With 23% of bankers reporting IRP testing as a top tactic to combat cyber threats, remember that maintaining a tested IRP puts your bank in a stronger position to withstand an attack.

4. Conduct Vendor Due Diligence:
Even if your internal systems and employees are prepared for a cybersecurity attack, your bank is vulnerable if an external vendor does not adhere to the same defense standards. Appropriate cybersecurity due diligence and regular monitoring should be conducted on all third-party vendors, especially any external vendor who has access to your sensitive data or systems. This process is critical to mitigate risk of supply chain attacks, which have surged in the past year.

5. Implement Multi-Factor Authentication (MFA):

Incorporate MFA into all applications where employees – or customers – must enter their credentials. With MFA, multiple authentication factors are required to verify a user’s identity, preventing unauthorized account access. This verification strengthens resiliency and provides an effective defense against the two largest threat vectors: social engineering and phishing. When confronted with this extra obstacle, many hackers will move to a less secure target.

Maximize Protections with a Layered Approach to Cybersecurity

As institutions navigate the changing cybersecurity landscape, embracing a layered approach to cybersecurity will maximize protections for your bank. Implementing multiple layers of security – including cybersecurity training and tools – makes it more difficult for cybercriminals to infiltrate your systems and keeps employees and customers secure.

Download CSI’s 2022 Banking Priorities Executive Report for additional insight into bankers’ perceptions of cyber threats, technology, compliance and more.

Steve Sanders serves as CSI’s chief information security officer. In his role, Steve leads CSI’s information security vision, strategy and program and chairs the company’s Information Security Committee. He also oversees vulnerability monitoring and awareness programs as well as information security training. With over 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain command of cyber-risk oversight.