
Essay: Proactive Cybersecurity: Risk Identification & Best Practices

Essay details and download:

  • Published: 1 January 2021*
  • Last Modified: 22 July 2024



Cybersecurity is now a requirement for all corporations across all industries. Hackers are advancing just as fast as technology, if not faster. “Since 2013 there are 3,809,448 records stolen from breaches every day, 158,727 per hour, 2,645 per minute and 44 every second of every day.” (Milkovich, 2018) It is imperative that our institution’s cybersecurity is proactive and adaptable to the ever-changing environment. This memo will outline best practices that the board should adopt to protect the bank from cyberattacks.

Risk Assessment

In order to best evaluate the cybersecurity program, we must identify and predict any reasonably foreseeable internal and external threats. The most predictable threats are current, former and future employees of the bank. “About 80% of security breaches are caused by a company's own staff…” (Goodwin, 2000) A recommended best practice would be to limit access to the bank’s central data center and hard drives. Only the Information Technology and Cybersecurity department employees need complete access to such sensitive software and hardware.

When a new employee is hired, their computer usage should be monitored for the first 90 days after their start date. IT employees should be able to identify when an employee is outside of their day-to-day usage pattern. Former employees should not have access to any software or hardware within the institution. Depending on the reason for their termination, the bank should ensure that it is impossible for them to regain access.

Another potential threat is current and future customers. Their transactional and relationship history should be monitored aggressively to ensure that they are not attempting to defraud and/or attack the institution. Employees need to be cognizant of both new and established customers’ actions and motives. If a customer asks an abnormal question or makes an abnormal request, the appropriate management personnel need to be notified immediately.

Assessing the Sufficiency of Existing Policies and Procedures

The board of directors, C-suite executives and IT/Cybersecurity personnel should be well versed in industry standards. All parties should research and recommend any changes or upgrades necessary for the institution’s protection. Today’s preventative measures could change by the next week or even the next day. If the board decides to adopt any changes, whether minor or major, the change needs to be communicated throughout the institution to ensure compliance.

Hiring an Outside Consultant to Conduct a Risk Assessment

An outside consultant is necessary for a fair risk assessment of our cybersecurity program. The individual or group designated to perform the assessment will have extensive experience assessing risks across the industry. Although we are confident in our internal experts, it is always beneficial to have an objective party with a broader perspective.

Designing Security Controls

With the assistance of the outside consultant, IT/Cybersecurity and Risk department employees need to collaborate to design effective security controls. Compliance officers should monitor the adherence to the controls and any attempts to bypass them. An easy way for hackers to gain access into our systems is through emails. The bank should establish firewalls preventing suspicious emails from being delivered and preventing any outgoing emails containing sensitive information. Employees should be required to create complex passwords, which should be changed once a quarter.

Development of a Response Program

The IT/Cybersecurity, Risk and Communications departments should collaborate with each other to create a comprehensive response program in the event of a cyberattack. IT/Cybersecurity will be tasked with the responsibility of assessing the attack and recovery. They will then report to the Risk and Communications departments with their findings. Both departments will determine what to disclose to customers and investors and how the institution will move forward from the attack, including efforts to prevent future attacks.

Training Staff

The Human Resources department should develop training modules and sessions for new and current employees. Employees should be constantly reminded of cybersecurity and their role in the institution’s protection. Individuals who choose to disregard these controls must suffer the consequences of such defiance.

Testing Controls

Our databases and systems are also subject to cyberattacks from hackers all over the world. We must ensure that access to these systems and the firewalls protecting them are nearly impenetrable. Routine tests should be scheduled and performed in order to evaluate their strengths and weaknesses. In the event of any failures, corrective efforts should be made immediately and the controls tested again.

Monitoring Systems

A specific team of employees within the IT/Cybersecurity department should be solely tasked with monitoring the institution’s systems for attacks. Consistent monitoring is more proactive than only monitoring systems based on a certain schedule. Management should be alerted immediately to any discrepancies or suspicious activity occurring.

About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Proactive Cybersecurity: Risk Identification & Best Practices. Available from: <https://www.essaysauce.com/essay-examples/2018-4-28-1524954926/> [Accessed 15-04-26].

These Essay examples have been submitted to us by students in order to help you with your studies.

* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.
