As tiring as it may sound, training is still the most important risk mitigation factor in reducing the number of insider threats. Insider threats originate either through the vulnerability of human kindness and the rush of our non-stop world, or through malicious and disgruntled actions.
With the majority of corporate training today being more of a checkmark for management then actual user education, employees have created ways to bypass the act of learning for sake of time. Requiring the review and acknowledgement of policies and possibly going through a slideshow presentation leads the majority of users to bypass the review, and click acknowledge.
Make Sure You Do Proper Training
1. Proper training should include Social Engineering examples relevant to your organization. Errors and omissions are still a large cause of downtime, service degradation and financial loss. If your operations include entering values, alpha or numeric, work with development to design built-in checks and acknowledgement prior to submission, or for operational changes, ensure you have a Change Management procedure.
2. Users hear your directive that personal computers and storage devices should not be brought to the workplace, but also help them understand why and how their harmless flash drive could easily become infected and then spread malware throughout your environment as well as the costs and operational and strategic risks that come with it.
Protect From Even The Simple Vulnerabilities
Breaches will continue to occur as long as humans are involved in ensuring the proper controls are in place and functioning. Be it an under-protected vendor portal or a simple email attachment, vulnerabilities as simple as these open the door for malicious actors. This is not to say that you should not protect your information assets, as defense-in-depth, the act of adding layers of security around your critical data may deter or slow an attack so that it is detectable.
Asset Management - knowing what data, applications and systems are on your network and all of the connections that your network maintains and allows - is a first step towards a more secure bank or credit union. Here's some related important questions to ask:
- Have you documented how each of your vendors connects to your network?
- Do you know the logical and physical location of sensitive data and the protections that surround it on your network?
- Are you responsible for protecting that data, or is your vendor?
- How will you know if you've been compromised if you don't know about all of the systems and data on your network?
Vendor systems will continue to be a target for cyber attacks because of the sheer volume of data available for thousands of credit unions and millions of members stored in one location.
Understand Vendor Documentation for Risk Insight
Your bank or credit union, like all others, have many vendors providing services that are critical to your operations such as your core, card processing, item processing, loan processing, etc.
These vendors provide you with Service Organization Controls (SOC) reports, but do you really know what the 150 pages are telling you about how they're handling your data and managing your systems?
Outsourced companies can analyze your vendor's SOC reports and provide a summary informing you of possible risks in your vendor's controls. In addition, companies can also perform a deep dive into your vendor's performance on Overall Information Security, Cybersecurity, as well as Business Continuity and Disaster recover reviews. Each of these reviews provides a unique insight into your vendor and the potential risks involved.