2019 is now history, but many financial institutions are still dragging the ghosts of unfinished cybersecurity projects into the new year. New Year's is a perfect time to resolve to get ahead of cybersecurity threats in 2020. While institutions vary regarding which projects need focus in the new year, we are finding that many institutions need to resolve the following areas:
- Eliminate End of Life Windows Systems: It was hard to avoid hearing about the upcoming End of Life for Windows 7 and Windows Server 2008, yet many institutions have not yet eliminated these operating systems. In 2020, institutions still running these systems should make their elimination a top priority. Institutions must have a formal plan in place, including the steps taken to mitigate risk in the meantime as well as a schedule for system replacement or upgrade. Read our article “Mitigating Windows 7 After Its End of Life” for more information on mitigating Windows 7 EOL risks.
- Learn Where Your Weaknesses Are: Many financial institutions avoid internal penetration assessments and thorough vulnerability assessments. If these assessments have never been performed, it is likely that vulnerabilities are present that would give an attacker the opportunity to breach the network. It is always better to know about these weaknesses and proactively mitigate them than to be the victim of an attack. Financial institutions should have qualified outside parties perform thorough internal credentialed vulnerability assessments and internal penetration tests annually, and should mitigate any critical gaps found.
- Review and Revise Your Information Security Policies: Attackers constantly adapt and discover new ways to attack financial institutions, but many institutions do not review and update their policies to ensure that they are keeping up with these new threats. Institutions should perform a complete review of their information security policies, standards, and procedures annually, revising them to meet the newest threats.
- Strengthen Password Controls: The days when a complex 8-character password was considered adequate are gone. Even at 10 characters, a decent hacker can crack 25% of encrypted passwords if they can get hold of the hashes. Institutions should consider complex passwords of 14 characters at minimum (20 for administrators), and should prohibit the use of dictionary words in passwords and prohibit password reuse.
- Implement More MFA: Multifactor Authentication can help protect against over 95% of breaches, even when credentials have been leaked. While most financial institutions utilize MFA for external connections, more and more are starting to require MFA for employees to log in locally, even within an office. We expect to see this trend continue, with internal MFA for all employees becoming a standard within the next several years.
- Strengthen DLP Controls: Data Loss Prevention does not simply mean placing software on desktop computers. While desktop software can keep an employee from uploading customer data to a website or sending it via email, many institutions are surprised when they find out a breach occurred using a mobile device. A strong DLP strategy means analyzing any way that data can leave an institution and ensuring that protections exist for each scenario, and it means putting monitoring in place to ensure the protection is working for each scenario.
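The password guidance in the "Strengthen Password Controls" item above translates directly into a policy check that can be enforced at password-change time. The following is an added example written for this post, not Bedel Security's code or any product's API. It uses the thresholds from the item (14 characters for users, 20 for administrators, no dictionary words, no reuse); the tiny wordlist, the requirement for three of four character classes, the substitution map, and the PBKDF2 iteration count are assumptions chosen for illustration, and a real deployment would load a full wordlist and compare against the institution's stored password history.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Minimum length by role, taken from the post's guidance.
MIN_LENGTH = {"user": 14, "admin": 20}

# Constructed wordlist fragment (assumption); load a real dictionary in practice.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "bank", "admin", "letmein", "qwerty"}

# Common character substitutions attackers try, so "B@nk" is still treated as "bank".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# PBKDF2 parameters for the password-history store (assumption; tune for your hardware).
PBKDF2_ITERATIONS = 200_000
HistoryEntry = Tuple[bytes, bytes]  # (salt, derived key)


def contains_dictionary_word(password: str, words: Iterable[str] = COMMON_WORDS, min_word_len: int = 4) -> bool:
    """True if any dictionary word of at least min_word_len letters appears after
    lower-casing and undoing common substitutions."""
    normalized = password.lower().translate(LEET)
    return any(w in normalized for w in words if len(w) >= min_word_len)


def character_classes(password: str) -> int:
    """Count how many of upper, lower, digit, symbol are present."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted hash suitable for storing in a password-history table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password: str, history: Iterable[HistoryEntry]) -> bool:
    """Re-derive the candidate with each stored salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, role: str, history: Iterable[HistoryEntry] = ()) -> List[str]:
    """Return a list of policy violation codes; an empty list means the password is acceptable."""
    problems = []
    minimum = MIN_LENGTH[role]
    if len(password) < minimum:
        problems.append("too_short")            # below the role's minimum length
    if character_classes(password) < 3:
        problems.append("too_few_character_classes")  # "complex" per the post
    if contains_dictionary_word(password):
        problems.append("dictionary_word")
    if was_used_before(password, history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs to show each rule firing.
    previous = [hash_password("Correct-Horse-Battery-9Staple")]
    for pw, role in [
        ("Tr0ub4dor&3", "user"),                         # too short for a user
        ("Welc0me-To-The-B@nk-2020!", "user"),           # dictionary words behind substitutions
        ("Correct-Horse-Battery-9Staple", "admin"),      # passes, even at admin length
        ("Correct-Horse-Battery-9Staple", "user"),       # rejected only because it was reused
    ]:
        print(f"{role:5} {pw!r}: {check_password(pw, role, previous) or 'OK'}")
```

The reuse check deliberately stores only salted PBKDF2 outputs rather than plaintext history, so an attacker who obtains the history table still has to crack each entry; the same table can double as the source for the "hashes" scenario the post warns about, which is why the iteration count matters.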
We provide virtual Chief Information Security Officer (vCISO) services to financial institutions across the United States. We can help you achieve your cybersecurity goals and resolutions for the New Year. Shoot us an email at support@bedelsecurity.com to get the conversation started!