Over the past year, companies had to quickly adapt to a heavily remote world and an uncertain market. This led to a drastic shift in the way companies use technology to support their business, and forced many to evaluate the emerging risks and threats surrounding this new technology. We hosted a discussion with Alexandria Campbell, Information Technology Examiner for the Federal Deposit Insurance Corporation (FDIC), to get her expert view on what security elements companies should highlight in 2021. Based on the advice expressed by the examiner, ensure your Information Technology (IT) Risk Management function prioritizes:
Your IT strategic planning should take a top-down approach. All relevant bodies, from the Board to the IT Steering Committee, should consider the risks of this ever-changing environment. Make sure you’ve evaluated the impact of changes such as remote working, the expansion of digital customer delivery channels, and increased reliance on mobile devices and laptops.
How do these changes affect your risk assessments or your risk appetite? How do they affect your policies, procedures, and standards? Keep in mind that your Information Security Policy is intended to be a living document that responds to organizational and environmental changes, so policies that were effective in 2020 may not be right for 2021.
This is the biggest change most organizations experienced in 2020, and many will continue to support it in the future. Examiners will want to see adequate planning and consideration given to both operational and security impacts of this shift, such as:
- Remote Network Access
What mechanisms have you set up to allow employees to access resources remotely (e.g., VPN, remote desktops, web-based application storefronts)? What controls did you implement for user access, authentication, transmission encryption, monitoring, and so on?
What hardware are your employees using to access resources? Have you secured them with disk encryption, endpoint security software, and data loss prevention (DLP) software? Do your standard network security controls, such as asset management and Security Information and Event Management (SIEM) software, apply to remote hosts? In general, employee-owned devices shouldn’t have any direct connectivity to the bank’s network without a very high level of scrutiny and layered mitigating controls.
- Capacity Monitoring
Have you considered the impact of remote working on the capacity of your IT systems? This includes network bandwidth as well as support personnel.
- Standards and Exceptions
New deployments should still adhere to security policies and standards. If that isn’t possible, the policies and standards should be updated accordingly, or the exceptions should be documented and approved.
Rapid deployments, especially during an emergency like the COVID-19 pandemic, are highly prone to errors and oversights. Examiners recommend an evaluation to ensure that all risk and security requirements were upheld during the shift to remote working.
Business Continuity and Incident Response
Many business continuity plans (BCPs) were put to the test in 2020, and these plans will likely remain an important focus area going forward. In particular, the FDIC will be interested in the effective integration of your continuity and incident response plans (IRPs) with those of your vendors. It’s not enough that your own BCP and IRP meet your internal needs. Banks are heavily reliant on vendors to provide services and continue operations, so you’ll need to obtain assurance over their BCPs and IRPs as well.
What happens if there’s an incident at your vendor that affects your or your customers’ data? Are the requirements around reporting timelines and responsibilities clear, both internally and externally? Are there redundant or even contradictory procedures in your respective plans? Whenever possible, these questions should be addressed within contracts. However, your bank is still responsible for maintaining cohesive business continuity and response plans.
Additionally, the FDIC re-emphasized the need for a thorough testing program. This program should cover all elements of your BCP, incorporating all types of scenarios and all functional areas of the institution.
If you fall victim to a ransomware attack, the FDIC urges all institutions to never pay the ransom. Paying provides you few guarantees. And if the entity you pay is on the Office of Foreign Assets Control (OFAC) list, you would expose yourself to regulatory issues.
This focus area is steadily growing in importance, and the critical topics in 2021 consist of:
- Application whitelisting
- Asset identification and inventorying (especially Internet of Things [IoT] devices and other miscellaneous hosts)
- Configuration management
- Network segmentation
- Patch management
- Vulnerability management
Vulnerability and Penetration Testing
In addition to your in-house vulnerability management program, you must also have an independent, third-party vulnerability test performed annually. It should cover every host on your network, so that its results can be used to verify the results of your own scanning.
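The coverage questions raised above (do asset management and the SIEM still reach remote hosts, and does the independent test cover every host and confirm your own scan results?) reduce to reconciling three data sets. The following is an added example, not part of the original article or any FDIC guidance; the inventory, SIEM timestamps, hostnames and finding IDs are all constructed placeholders.

```python
"""Reconcile the asset inventory against SIEM log sources and two vulnerability scans.
Added example with constructed data; nothing here comes from a real environment."""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: hostname -> True if it is a remote endpoint (laptop)
INVENTORY = {"fs01": False, "dc01": False, "lt-0412": True, "lt-0413": True, "lt-0417": True}

# Constructed SIEM view: hostname -> timestamp of the last event received (UTC)
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SIEM_LAST_SEEN = {
    "fs01": NOW - timedelta(hours=1),
    "dc01": NOW - timedelta(hours=2),
    "lt-0412": NOW - timedelta(days=9),     # remote laptop, silent for over a week
    "lt-0413": NOW - timedelta(hours=3),
    "prn-lobby": NOW - timedelta(hours=5),  # sends logs but is missing from the inventory
}

# Constructed scan results: hostname -> set of finding IDs (placeholder IDs)
INHOUSE_SCAN = {"fs01": {"F-1"}, "dc01": set(), "lt-0413": {"F-2"}}
THIRD_PARTY_SCAN = {"fs01": {"F-1", "F-3"}, "dc01": set(), "lt-0413": {"F-2"}, "lt-0417": {"F-4"}}


def reconcile(inventory, siem_seen, inhouse, third_party, now, stale_after=timedelta(days=7)):
    """Return the coverage gaps an examiner would ask about, keyed by gap type."""
    hosts = set(inventory)
    seen_anywhere = set(siem_seen) | set(inhouse) | set(third_party)
    covered_by_all = lambda h: h in siem_seen and h in inhouse and h in third_party
    return {
        # Inventoried hosts the SIEM has never received a single event from
        "no_siem": sorted(hosts - set(siem_seen)),
        # Hosts that used to report but have gone quiet beyond the staleness window
        "stale_siem": sorted(h for h, t in siem_seen.items() if h in hosts and now - t > stale_after),
        # Hosts visible to a control but absent from the inventory (asset management gap)
        "unknown_hosts": sorted(seen_anywhere - hosts),
        "unscanned_inhouse": sorted(hosts - set(inhouse)),
        "unscanned_third_party": sorted(hosts - set(third_party)),
        # Remote endpoints that at least one of the three controls does not reach
        "remote_partial_coverage": sorted(h for h in hosts if inventory[h] and not covered_by_all(h)),
        # Findings the independent test reported that in-house scanning did not
        "missed_findings": {h: sorted(f - inhouse.get(h, set()))
                            for h, f in third_party.items() if f - inhouse.get(h, set())},
    }


if __name__ == "__main__":
    for gap, detail in reconcile(INVENTORY, SIEM_LAST_SEEN, INHOUSE_SCAN, THIRD_PARTY_SCAN, NOW).items():
        print(f"{gap:24s} {detail}")
```

Every non-empty entry in the output is either an exception that should be documented and approved or a control that has to be extended to the host in question.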
Penetration testing is a separate process that’s also highly encouraged. In a penetration test, the tester typically begins with little or no system access and attempts to exploit weaknesses to expand their foothold. This demonstrates the practical implications of security weaknesses and may uncover problems that vulnerability scanning didn’t identify. We strongly recommend performing both internal and external network penetration tests annually.
Social Engineering and Security Awareness
The disruption caused by the pandemic left many people in unfamiliar working environments, and attackers made sure to capitalize on this. Phishing attempts increased by over 600% in the spring. Banks need to reemphasize their training and testing efforts around security awareness in general, and phishing specifically. Tests should include scenarios that users are likely to encounter, such as package delivery and stimulus payment notices.
Emerging technology trends underscore the critical need for an effective IT strategic plan. 2020 forced many companies to closely analyze their new technology risks and quickly adapt to unfamiliar situations and challenges. Our discussion with Alexandria Campbell reinforced the importance of the many strategies companies must employ in 2021 and beyond to ensure continuity and success in this rapidly changing environment.