Navigating cyber risks in 2024: Insights, controls and strategies for financial institutions
Feb. 19, 2024 · Authored by Christopher J. Tait, Brian Nichols
The cybersecurity landscape is always evolving, and it can feel like your financial institution is constantly on the defense trying to keep up with the latest cyber risks, regulations and emerging trends. As we have seen in recent headlines, even the most established organizations are subject to cybersecurity attacks. While sophisticated hacking is a valid threat, it is rarely the root cause of a data breach. To mitigate risk, you must understand your organization’s unique vulnerabilities, cybersecurity processes and controls. One important thing to remember: In this day and age, there will always be cyber risks to tackle. Learning to pinpoint and stay on top of those risks through proper risk management while still allowing your organization to function is essential.
Internal cyber risks: Risks you can control
Internal cybersecurity risk factors are the type of risks that you ultimately have control over. As your organization grows and starts to implement new systems, services and applications, these risks start to bubble up to the surface and can impact both your internal and external stakeholders. Ensuring proper network security, including your internal network as well as any network you share with your third-party service providers, is a key component in protecting your organization’s assets, data and client information.
As organizations continue to evolve their internal- and external-facing systems and services, the old ways of securing the network perimeter have given way to a more user-centric approach. Managing user access and user identities is now the top priority for preventing unauthorized access to sensitive information. But the question remains: how do you do this in a way that is trusted but frictionless?
Organizations have implemented multifactor authentication (MFA) on remote access points, but those are not the only risk factors that need to be considered. The more Software-as-a-Service (SaaS) solutions an organization implements, the more MFA controls need to be put in place. But users are developing authentication fatigue, as they are constantly being required to enter MFA tokens into sites throughout their day.
Beyond thinking about security, it is also important to focus on user experience and how frustrating it can be to constantly type in passwords and authenticate to internally hosted and external applications. The future lies in passwordless capabilities. We trust our personal devices to authenticate us with our face, and now it is time to extend that technology to the devices we use for work.
Practicing good cyber hygiene, the fundamental cybersecurity best practices that an organization's security team and users can undertake, is essential. Cyber hygiene is a balancing act between the responsibilities of IT operations and the security team. Foundational patch management activities should extend beyond operating system level patching to include firmware and applications. Organizations can no longer rely on annual penetration testing alone; they must perform ongoing, continuous vulnerability scanning and remediation so that known vulnerabilities are identified and mitigated as quickly as possible.
A key area that hinders progress is technical debt, which can take the form of a key business system still running on a mainframe application, or of a critical internal application or service created by an individual who no longer works at the organization. The inability to update vulnerable applications and systems creates a key risk area and can greatly undermine the security of your organization. Many organizations ignore technical debt until it is too late.
Many organizations have transitioned to cloud-hosted infrastructure services, and they are finding the transition more challenging than initially anticipated. Organizations should not lift an on-premises environment out of a co-location datacenter and shift it into a cloud-hosted service provider without addressing the nuances of the new technical capabilities that cloud-hosted services provide. Organizations need to design a transition strategy that uses cloud-native solutions to get the greatest return on the investment.
As the everyday use of generative artificial intelligence (AI) systems like ChatGPT grows, it is important to communicate to employees specific guidelines about what is and what is not acceptable, to ensure data security and privacy. Putting confidential information into generative AI platforms not approved by the organization is not a practice that should be supported. However, there are many AI-related internal capabilities that an organization can start to leverage that do allow more privacy and security. After communicating a clear and concise message to employees regarding external generative AI tools, it would be a good idea to consider introducing internal AI tools that can be trusted with privacy and security and can benefit your organization in the long run.