Mitigating Risk in Financial Institutions


By Rich McRae, CISA, CISM

Keeping your financial institution safe is critical to your success. Without the right security measures and procedures in place, your financial institution can be at risk of cyberattacks, embezzlement and more. In the new modern hybrid work environment, your financial institution’s security is even more important to ensure your business and employee data is kept safe.

Peace of mind begins with an understanding of the risk and how to make a strategic plan for prevention, detection and resolution. We’ve created a guide to give you tips to weather the cybersecurity storm.

Cybersecurity is Key

Financial institutions are prime targets for cybercriminals. In addition to criminal actors looking to profit from stolen data, nation-states also focus on targeting financial institutions. In 2021, ransomware attacks on the banking industry increased 1,300% over the previous year, and financial institutions consistently rank among the industries with the highest cost of a data breach. In 2022, the average cost of a data breach for financial institutions was $5.7 million. A proactive approach to cybersecurity is imperative to mitigating risk and keeping your customers’ and employees’ data secure.

“Technology has helped create enhancements for regulatory compliance and fraud prevention, although it seems as we get more sophisticated with fraud prevention, those trying to commit fraud get more sophisticated as well.”

-Mark Daigle, President and CEO, First National Bank of Durango

Of course, creating a proactive approach can be a challenge. It is a team effort, and everyone in your financial institution plays a vital role in keeping information safe. There are best practices in two areas that you can start with today to help increase your organization’s proactivity: email and internet, and physical devices.

Email and Internet Best Practices
Email and internet are a key piece of how financial institutions operate and communicate. Here are some ideas to consider to help make these areas more secure against cybersecurity threats.

  1. Think Before Clicking
    Investigate an email link before clicking it. Once a link has been clicked, there’s no going back: malicious software can now be installed on your computer. Don’t click a link unless you know and trust the source and are certain of where the link is sending you. If you are unsure about a link, contact the sender prior to clicking or send it to your financial institution’s IT helpdesk to be investigated.
  2. Secure Browsing
    Pay attention to the letter “S.” That simple letter makes all the difference when it comes to secure web browsing. “Http” stands for hypertext transfer protocol, while the “s” at the end stands for, you guessed it, secure. It’s important to ensure “https” is displayed in the URL you visit, as it indicates that your browser has validated the webpage’s security certificate and that the connection is encrypted. If you access a webpage without a certificate, or with an expired one, there is a chance you are visiting a webpage that could contain viruses, malware and more.
  3. Cautious Surfing
    Don’t browse the internet from an account that has administrator privileges. If you pick up malware on a computer while logged in with these privileges, you have given the malware the same administrator rights your user account has. Also, consider the Wi-Fi network you are using. Make sure it is secured and password protected.
  4. Strong Passwords
    While having a password of “123456” or “password” may be easy to remember, having more complex passwords can make a huge difference in protecting your data and your financial institution. Strong passwords should:
  • Contain at least 12 characters, including upper- and lower-case letters, numbers and special characters
  • Be unique to the user—never share them
  • Not be reused on multiple accounts
  • Change every 60 to 90 days
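As an added example (not the article’s own code), the script below audits a constructed set of account records against the four rules just listed: weak complexity, a password shared between users, a password reused across one user’s accounts, and a password older than the 90-day limit. The record layout, account names, passwords and dates are assumptions made for the example.

```python
# Added example, not the article's code; record layout and sample data are constructed.
import hashlib
import string
from collections import defaultdict
from datetime import date

MIN_LENGTH, MAX_AGE_DAYS = 12, 90   # article: 12+ chars, rotate every 60 to 90 days
SPECIAL = set(string.punctuation)

def complexity_problems(password: str) -> list[str]:
    """Rule 1: at least 12 chars mixing upper, lower, digits and specials."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in SPECIAL for c in password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit(records: list[dict], today: date) -> dict[str, list[str]]:
    """Map "user@account" to its rule violations; rules 2 and 3 (not shared,
    not reused) are checked on SHA-256 digests, never other users' plaintext."""
    by_digest = defaultdict(list)
    for r in records:
        by_digest[hashlib.sha256(r["password"].encode()).hexdigest()].append(r)
    findings = defaultdict(list)
    for group in by_digest.values():          # records sharing one password
        users = {r["user"] for r in group}
        for r in group:
            key = f'{r["user"]}@{r["account"]}'
            findings[key] += complexity_problems(r["password"])
            if sum(g["user"] == r["user"] for g in group) > 1:
                findings[key].append("reused on multiple accounts")
            if len(users) > 1:
                findings[key].append("shared with another user")
            age = (today - r["set_on"]).days   # rule 4: password age
            if age > MAX_AGE_DAYS:
                findings[key].append(f"{age} days old (limit {MAX_AGE_DAYS})")
    return {k: v for k, v in findings.items() if v}

SAMPLE = [  # constructed sample records
    {"user": "alice", "account": "core-banking", "password": "Tr0ub4dor&Durango!", "set_on": date(2023, 5, 1)},
    {"user": "alice", "account": "email", "password": "Tr0ub4dor&Durango!", "set_on": date(2023, 5, 1)},
    {"user": "bob", "account": "email", "password": "password", "set_on": date(2022, 1, 10)},
    {"user": "carol", "account": "wire-portal", "password": "Gr33n-Tea&Lemon2023", "set_on": date(2023, 6, 15)},
]
AUDIT_DATE = date(2023, 7, 1)   # constructed "today" for the sample audit
```

Calling `audit(SAMPLE, AUDIT_DATE)` flags both of alice’s accounts for reuse and bob’s account for every complexity rule plus age, while carol’s record passes. The rotation rule is the article’s recommendation; current NIST SP 800-63B guidance advises against mandatory periodic changes unless there is evidence of compromise.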

Physical Device Best Practices
The actions of your everyday staff, whether they are on-site or working from home, are critical to a robust cybersecurity program. Here are some best practices related to your staff and their devices that can help prevent attacks.

  1. Lock It Up
    Every time you step away from your computer, lock it. While it may seem like a trivial practice, you would be surprised at how often it is not done. Computers contain sensitive information and processes, and when left unlocked, there is a possibility that an attacker could gain access to the system. To avoid possible information leaks, remember to always lock your computer when leaving your desk. Quick tip: Press the Windows Key + L to lock your screen quickly.
  2. Protect Your Device
    Patching and updating operating systems and applications is another important security practice. Although vendors such as Microsoft and Adobe release patches and updates on a regular schedule, there are times when patches are sent out off schedule to address urgent threats. As time passes and new threats are discovered, system updating and patching will remain a constant security measure. This is especially true as employees work remotely and may require additional programs and security systems.
  3. The Importance of Education
    Ensuring all employees are trained in the basics of network, system and information security is a huge piece of your financial institution’s cybersecurity plan. Having a basic understanding of security or knowing how to identify a potential threat can make an employee less likely to be a victim. Employees should be trained on security policies and their role in protecting information. They should also be aware of the expectations when it comes to personal use on company-provided equipment. This may include social media use and web browsing. You will also want to train your employees on social engineering and how to identify these attacks, which come in the form of phishing emails, fake calls and more.
  4. Back it Up
    Disasters don’t usually come with much warning. Businesses often aren’t fully prepared for floods, fires, power outages or malicious programs. In these cases, it is possible for businesses to lose information and data stored on devices. The best way to ensure this data is safe is to automatically back up all data daily and store the backups in a secure, off-site location.
  5. Be Smart with Your Smartphone
    Smartphones are another avenue attackers may use to access sensitive data. In the financial institution world, bankers are often traveling and communicating with clients on the go using their smartphones. Remember to avoid connecting to unsecured Wi-Fi, use strong passwords, and turn off Bluetooth when you aren’t using it.

Watch for Common IT Problems
Many banks rely on a third party for their IT services. However, financial institutions need to know how to check on that third party’s work.

Common Scenarios
A financial institution that has gone through a replacement of its security systems, such as security cameras and access systems, may have introduced a new exposure. Many times, those cameras or locks are easily accessed by unauthorized people. This happens when system vendors create user logins for the bank to use but leave the admin accounts at their default credentials or leave the passwords blank.

Software patching continues to be a problem for financial institutions, especially when a third party is responsible for it. These problems may exist in Microsoft apps, Java, Adobe and many other applications. Unpatched vulnerabilities in these applications have been at the root of some very large breaches worldwide.

Other systems at risk for security breaches include scanners, phone systems, storage systems, routers and network switches, among others. An attacker can gain access to these using unchanged vendor default credentials, which gives them the power to delete the financial institution’s stored data. Smart TVs and electronic signs are also easily compromised, and the attacker may display malicious content and lock the owner out.

Measuring Your IT Risk

Our team of IT professionals has identified 12 questions to help gauge your current security risk areas and assess your overall IT health. Most importantly, the results will provide tips to help you make actionable improvements now.

From data backups to your administrative protocols and password protection processes, this IT quiz will give you some quick wins to take back to your organization. Know how your security stacks up while learning best practices for optimum network stability, disaster recovery, and IT health.

IT Health Check

No matter where you land on the risk scale, sometimes you just need a second opinion. One set of questions can certainly provide a nice overview, but there’s no substitute for a comprehensive security assessment.

Utilize HR to Prevent Fraud

When it comes to fraud, human resources is usually brought into the picture after the act has been discovered. However, having a solid human resource plan from the start can minimize the chances of fraud occurring, as well as result in less severe effects if fraud does occur.

Begin fraud prevention by starting with the hiring process. Background checks on new hires can help your institution avoid negligent hiring and can verify information on a candidate. Placement services can also be used by smaller organizations to find, vet and verify potential candidates, which can help lessen the burden to the business.

Items to consider when vetting potential candidates to avoid becoming the next victim of fraud or embezzlement include:

  • Verifying education and professional credentials
  • Performing background checks that include criminal and credit checks
  • Investigating any wage garnishments, liens or judgments that may be indicative of a prior embezzlement history
  • Researching news articles online that may uncover prior employment activities

You may also want to consider implementing a whistleblower hotline, which provides a confidential way for employees to report wrongful behavior. Not only do hotlines deter illegal and fraudulent behavior, but they can also detect issues before they become serious and can help reduce losses. A whistleblower hotline allows tips to be submitted anonymously for all manner of wrongdoing, including:

  • Financial: Mistakes and criminal activity can take place in many areas such as accounting procedures, lending discrepancies, billing errors and more.
  • Ethical: Issues considered to be ethical breaches can include code of conduct violation, physical theft, intellectual property theft and more.
  • Privacy & Security: These go hand in hand, and can include anything from identity theft, confidentiality breaches, customer database hacks and tampering with electronic door locks, to name a few.

“When it comes to where we are going in the future, it’s about adapting to change. We don’t do banking like we did 50 or 150 years ago. We don’t even do banking like we did 15 years ago. Everything is going to change around us, and we have to continue to change along with it.”

-Susan Whitson, EVP, First National

The Importance of Internal Audit No Matter Your Bank’s Size
No financial institution is too big or too small to fall victim to fraud. A system of internal controls that allows management to measure performance, together with an internal audit program to ensure those controls are in effect, can protect your institution.

The Federal Reserve System, OCC, FDIC and NCUA provide guidance for internal audits, and all financial institutions must adhere to certain regulatory requirements regarding internal controls. The system of internal control of an organization consists of the environment and procedures put in place by management to ensure risks relating to key business objectives are identified, evaluated and reduced. Key business objectives include reliability of financial reporting, operational effectiveness, regulatory compliance and safeguarding of the institution’s assets.

Components of Internal Control
Internal control consists of five related components:

  1. The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  2. Risk assessment is the business’s analysis and identification of relevant risks relating to the achievement of its objectives. This forms a basis for determining how the risks should be managed.
  3. Control activities are the procedures and policies which help ensure that management directives are carried out.
  4. Information and communication are the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  5. Monitoring is a process that assesses the quality of the performance of internal control over time.

It is important to remember that independence is critical to the internal audit function. To accomplish the objectives of the audit function, personnel must maintain total independence from your management or other employees.

Recovering Lost Data
Dealing with attacks on your financial institution can be tough, and there are many aspects to consider in the recovery period. Recovering funds is important, but another issue to address is data loss and your potential obligation to report it.

Forensic accountants can help you recover your data in a number of ways, including:

  • Coordinating with legal services that are well versed in cybersecurity and reporting requirements.
  • Investigating information from email accounts and preserving and analyzing workplace devices used by those with compromised credentials, or used by those who may have internally committed fraud.
  • Collaborating with your IT department (whether third-party or internal), obtaining logs to investigate, and putting in place preventative steps to mitigate future risk.

Mitigating Risk in Financial Institutions

A proactive stance on cybersecurity and fraud prevention is the key to mitigating risk in your financial institution. The key to maturing your security is through effective, ongoing and evolving program management.

Even if you think your financial institution is secure, the fact is that you’re still at risk. We can assess your security environment no matter where you are in your security maturity.
