Tech Time: The Financial Sector's Best Cybersecurity Practices
Insider threats are still one of the leading causes of data breaches, according to the Global State of Information Security Survey 2018 from PwC. This is especially true for the financial sector, where—according to the 2017 IBM X-Force Threat Intelligence Index—more than half of reported data breaches were the result of insider activity.
Insider threats are the human risk posed by people who have privileged access to sensitive information: your employees, vendors, strategic partners, administrators, and in some cases, managers as well. An insider could have malicious intent to cause a data breach or could cause a breach through negligence.
In this article, we present some of the greater financial industry's best practices that can be adopted by credit unions of any size. We also discuss relevant technologies and processes that can help enhance security at your institution.
Financial Industry Perspective
The financial industry has consistently proven itself to be well prepared to handle today’s cyber threat environment. For better or for worse, a driving factor of the financial industry’s cybersecurity success is regulatory compliance—the Federal Reserve, Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency are just a few of the federal agencies regulating banks today.
For a long time, however, financial institutions were focused on perimeter security. Thankfully, cybersecurity has become a lot more comprehensive, and its focus has expanded to include insider threats, such as those that resulted in the majority of last year’s data breaches. By reducing the opportunity for an insider incident, you also prevent external attackers from leveraging the human factor against your credit union.
Credit unions should aim to apply these bank best practices as soon as possible, since the risk conditions are similar. Just as large banks are considered a backbone of the country, so too are credit unions to their communities.
The NIST Framework
The National Institute of Standards and Technology developed a framework that has proven to be not just a powerful cybersecurity planning tool but also a strong tool for common-ground communication about cybersecurity. The framework is the result of a joint effort between the government and the banking industry. It includes standards, guidance and best practices for digital infrastructure protection. The standard among large financial institutions, it is readily adoptable by organizations operating on a smaller scale.
Vendor Permissions and Cybersecurity
It is important to understand which third parties have access to your networks. This means you need to identify all third-party vendors and set their permissions on a need-to-know basis. These permissions should be reviewed regularly. In addition, your vendors’ cybersecurity practices should be regularly reviewed by your credit union. It is not uncommon for hackers to breach a larger organization by using a vendor to gain access. You can use the NIST framework to help facilitate these discussions with your vendors.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a roughly 7,000-member group that exists primarily to share threat indicators among member financial institutions. Credit unions should share not only cyberthreats but also resources to help prevent incidents before they occur. Consider joining FS-ISAC or starting your own local cybersecurity forum with credit union leaders from your community or region.
The Financial Crimes Enforcement Network also recently launched the voluntary FinCEN Exchange program to enhance information-sharing with financial institutions about illicit finance threats. The hope is to help financial institutions better identify risks and focus on high-priority issues, and to support FinCEN and law enforcement in receiving information critical to fighting financial crime.
Scenario Planning and Testing
The financial sector as a whole has been very active in testing both external and internal vulnerabilities. Rather than just planning for major external attacks, credit unions should explore all possible cybersecurity threats.
One likely insider-involved scenario is a phishing attack: A privileged manager downloads a document from a seemingly legitimate email. However, the email contains malware that creates a backdoor in your network using the manager’s credentials, allowing external hackers to siphon out data. The manager of course did not have malicious intent, but by not being vigilant about phishing attempts, this individual caused a data breach.
Once you have identified scenarios under which external and insider-originated attacks can occur, create action and prevention plans. In the previous example, employee training about phishing attacks would have helped to prevent the breach. The resources above can help identify test scenarios.
Best practices are often paired with supporting technologies. Technology can’t do everything for you, but it sure can do a lot to help meet your cybersecurity goals. Below are a few technologies worth consideration for investment.
User Behavior Analytics
This technology focuses on establishing a baseline of normal behavior for users and the network based on log data. Once that baseline is established, the system can alert you when an anomaly is detected.
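To make the baseline-then-alert idea concrete, here is an added example (not from this article or from any vendor's product) that builds a per-user baseline from daily activity counts and scores a new day against it. The user names, log records, `MIN_DAYS` and `THRESHOLD` are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed log records: (day, user, customer records opened that day).
HISTORY = [
    ("2024-03-04", "teller_ana", 41), ("2024-03-05", "teller_ana", 38),
    ("2024-03-06", "teller_ana", 45), ("2024-03-07", "teller_ana", 40),
    ("2024-03-08", "teller_ana", 43),
    ("2024-03-04", "loan_ben", 12), ("2024-03-05", "loan_ben", 12),
    ("2024-03-06", "loan_ben", 12), ("2024-03-07", "loan_ben", 12),
    ("2024-03-08", "loan_ben", 12),
]
TODAY = [("2024-03-11", "teller_ana", 44), ("2024-03-11", "loan_ben", 310),
         ("2024-03-11", "vendor_svc", 5)]
MIN_DAYS = 5      # assumed minimum history before a baseline is trusted
THRESHOLD = 3.5   # assumed cut-off on the robust z-score

def build_baselines(history):
    """Per-user (median, MAD) of daily activity; robust to a few odd days."""
    per_user = defaultdict(list)
    for _day, user, count in history:
        per_user[user].append(count)
    baselines = {}
    for user, counts in per_user.items():
        if len(counts) < MIN_DAYS:
            continue  # too little history to call anything "normal"
        med = statistics.median(counts)
        mad = statistics.median(abs(c - med) for c in counts)
        baselines[user] = (med, mad)
    return baselines

def score(baselines, user, count):
    """Return (robust z-score or None, verdict) for one day's activity."""
    if user not in baselines:
        return None, "no_baseline"  # new or rarely seen account: review it
    med, mad = baselines[user]
    # Floor the spread so a perfectly steady user does not divide by zero.
    spread = max(1.4826 * mad, 1.0)
    z = (count - med) / spread
    # One-sided: only activity well above the user's own norm is flagged.
    return round(z, 2), "anomaly" if z > THRESHOLD else "normal"

def detect(history, today):
    baselines = build_baselines(history)
    return {user: score(baselines, user, count) for _day, user, count in today}
```

The account with no history is reported separately rather than scored, since an account that suddenly appears in the logs, such as a vendor service account, has no baseline to deviate from.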
Rule-Based Risk Analysis
Rule-based risk analysis is a practice that exists between operational risk and an organization’s cybersecurity processes. There are several technologies available to help monitor and analyze security policy violations by department and user, including data loss prevention software, application monitoring, keylogging or the user behavior analytics mentioned above. Rule-based risk analysis tools can watch for risky behavior and notify administrators and managers when security policies are violated. By creating a snapshot of which users or departments are causing operational risk, your credit union can take proactive corrective action to prevent negligent insider threats.
As noted above, one of the most important things your organization can do is define which roles need access to what information and set permissions on a need-to-know basis. That applies to internal users as well as vendors. Any user with more access than they need places your credit union at greater risk.
Going forward, credit unions will need to focus their cybersecurity efforts more on collaboration in order to effectively mitigate the risk of insider threats. It is the responsibility of every financial institution to practice strong cybersecurity for the sake of our community members.
Isaac Kohen is the founder and CEO of Teramind, Long Island City, N.Y., an employee-monitoring and insider threat-prevention platform that detects, records and prevents malicious user behavior in addition to helping teams to drive productivity and efficiency.