4 Cybersecurity Best Practices for Financial Institutions

By Brittany Demendi / Adlumin, Inc.
June 21, 2022

Targets for cybercriminals are chosen based on two conditions: impact and profit. Financial institutions meet both requirements while offering various profit paths through theft, fraud, multi-channel extortion, and ideological impact. Malware and data breaches lead the charge, and incident costs continue to rise. Security Magazine reports that 75% of data breaches in 2019 were all within the financial services industry. While other industries are in the criminal crosshairs, the Willie Sutton idiom holds firm stating that people rob banks because that’s where the money is. Security Magazine also highlighted the magnitude of financial institutions not being equipped to protect their adapting IT environments: migration to cloud-based services, mobile and bring your own device (BYOD), and remote workers. For example, Capital One and Discover each experienced their fourth significant data breach in 2019.

To avoid becoming another victimized financial institution, below are a few suggested cybersecurity best practices to safeguard your business:

  1. Mitigate Risk Associated with Third-Party Vendors

 Financial institutions rely heavily on third-party vendors to facilitate operations and extend new service offerings and ways of engaging new customers. While customer-facing services appear seamless under a united banking brand, operations are comprised of multiple organizations of varying security capabilities. A failure or compromise in one of the links of the vendor chain leads to reputational damage to the bank’s brand rather than the invisible vendor behind the curtain. In other words, the cyber risk resides with the bank.

Cashless and frictionless financial services are in high demand. Consumers access funds and payments through mobile apps they assume are secure. The organization that owns the consumer relationship must audit its vendors, mitigate associated exposure and build a plan to respond to incidents before they affect consumers.

The ever-evolving threat landscape, daily publication of vendor vulnerabilities, and growing compliance demands make vendor management challenging. Here are a few key guidelines:

Minimize third-party risk by:

  • Conduct a risk assessment and establish minimum security guidelines with each partner.
  • Limit vendor access to crucial assets. For example, marketing services should access customer contact information, not core banking data.
  • Communicate your compliance requirements and align security programs to protect your customers.
  • Establish security event and incident protocols and notification requirements.
  • Monitoring your network using threat detection and automated solutions.

The New York Department of Financial Services (NYDFS) published the Cybersecurity Rules and Regulations (NYCRR500), which includes practical guidelines to secure third-party risk (section 11).

  1. Stay Up to Date with Compliance Regulations

As we have touched on in a previous blog post, compliance is constantly evolving in response to emerging threats. The financial sector is not immune to this change. Keeping up with the latest regulations is essential to ensure credibility and avoid costly investigations and penalties. The goal is to be compliant, regardless of the industry’s ever-changing landscape. Shifting this burden from your internal team to a third-party vendor can help ensure your financial institution achieves compliance.

In addition to existing regulations in the last two years, the financial sector has implemented a few new ones. Any financial institution is at risk of a cyberattack. Regardless of company size, data breaches snowball into complicated situations. They can cripple an organization and end in legal proceedings or disputes that take years to resolve. Meeting cybersecurity compliance standards mitigates risk and the havoc that comes with it.

  1. Make Your Employees Part of Your Defenses

The majority of data breaches or massive ransomware outages start with social engineering and clever phishing campaigns. Frequent cybersecurity testing awareness training provides context and the skills to identify suspicious communications and emails before your employees become unwitting accomplices by clicking dangerous or downloading infected documents.

Like cyber threats, awareness training must evolve. Training is about empowering, not punishing. It does not identify the “Ten Commandments of IT” but to understand how criminals target them and how to identify their calling cards. Covering multiple forms of campaigns like texting and fake IT calls is important, but phishing remains the primary vector.

“In 2021, 83% of organizations reported experiencing phishing attacks. In 2022, an additional six billion attacks are expected to occur,” according to Cyber Talk. Phishing attacks are a top concern for IT decision-makers, so training employees should be at the top of the priority list.

Your employees are the first line of defense against most threats, including phishing scams. Employees across all departments within your company need to be equipped with the proper knowledge of spotting a phishing scam and reporting it.

  1. Implement Continuous Threat Monitoring

In 2016, a cybercriminal wired themselves $81 million in a Bangladesh Bank heist, using the SWIFT banking network in only a couple of hours. This is a perfect example of how imperative it is to have 24/7 surveillance across your entire IT landscape. The quicker you can identify and eliminate a potential threat, the better off you will be in the long run—early detection is essential.

 Financial institutions typically use a 24/7 Security Operations Center (SOC) service to enhance threat detection and response times by continuously scanning your network and host for vulnerabilities. Hiring third-party experts is the most cost-effective solution for securing customers and their transactions. When financial institutions carry the heavy burden of protecting their clients, it is best to proactively work with managed security services built to discover threats and command action.

Additional Resources: