Pub. 2 2023 Issue 4

of educating users will almost always be less than the cost of dealing with a breach. Hackers often rely on weak passwords or phishing attacks to gain system access, but educating your users on the latest tactics and common social engineering schemes — and how to report them when spotted — helps mitigate your risk of a successful attack. Ensure your employees and customers remain vigilant when they receive an unexpected email with an urgent message that includes a strange link or attachment, as this is a common hacker tactic. 4. Implement multi-factor authentication. One way to encourage hackers to move on to a different target is by making it as difficult as possible to carry out their objective, which is often account access. Multi-factor authentication (MFA) is an excellent way to discourage hackers, as it requires more than a username and password to obtain account access. This additional information can include a token, text message, email or biometric data such as a face scan or fingerprint. Not only should employees use MFA when accessing your systems and network, but your institution should encourage customers to enable this control on their financial accounts, email accounts and even social media. 5. Implement patch management. Most bad actors use tools that take advantage of your system vulnerabilities, so it’s important to invest in routine vulnerability and patch management to shore up your defenses. If you remediate a vulnerability, bad actors don’t have an easy way to exploit it and will likely move on to low-hanging fruit elsewhere. Further, good patch management minimizes surface area and attack exposure. While updating your patches can be resourceintensive, it is worth it in the long run. This approach includes encouraging employees to update software, operating systems, applications, etc., to mitigate the risk of hackers taking advantage of any vulnerabilities. 6. Assess your risk. If done properly, risk assessments are a key component of a cybersecurity plan. A risk assessment helps an organization identify and manage financial, operational and other risks associated with internal and external incidents. And proper risk assessments should be more than filling out a spreadsheet; they’re about the lessons learned along the way as you produce it. During this assessment, you should identify assets you need to protect and understand how controls in place work together. The resulting document should help you prioritize your limited resources. 7. Involve your leaders. Cybersecurity involvement should not be limited to your IT department. Since this issue touches nearly every part of your bank, it’s important to have board and senior management involvement. Senior management should be invested in understanding cybersecurity threats and have enough familiarity with the topic to ask credible questions to IT leaders. Further, they should serve as advocates for your cybersecurity plan and reinforce the importance of education and training at all levels. When determining the appropriate cybersecurity investment, leaders should consider your institution’s individual objectives, risk assessment and risk appetite — or a representation of how much risk an institution is willing to accept. As an integral component of a holistic approach to IT, security and compliance, IT governance ensures that an institution’s technology and business objectives support its larger strategies. FINDING THE VULNERABILITIES BEFORE CYBERCRIMINALS With evolving threats and opportunistic hackers, investing in cybersecurity for your institution should be a priority. Tools like penetration tests and vulnerability assessments should be components of your larger cybersecurity strategy and help you stay ahead of cybercriminals. Scan the QR code to download our white paper for more strategies to strengthen your cybersecurity posture. https://www.csiweb.com/what-to-know/content-hub/whitepapers/aguide-to-strengthening-your-institutions-cybersecurity-posture/ Tyler Leet serves as Director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With over 20 years of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations. 22 | INDEPENDENT REPORT

RkJQdWJsaXNoZXIy MTg3NDExNQ==