These days, almost anyone can get the attention of a financial institution executive with the phrase “cybersecurity” – and rightfully so. This topic is very relevant, especially for smaller financial institutions who lack the resources to afford an in-house security staff. That being said, there a number of practices financial institutions can implement which can mitigate the majority of the risk involved with cybersecurity.
These types of insights are very powerful – but only if you implement them at your financial institution! Take initiative yourself as a leader or assign someone who is accountable at your institution to take charge.
Credential stuffing involves using lists of stolen credentials from a third-party system to access another system where the same username and/or password has been used. For instance, if your employees use the same password for an industry newspaper a fraudster might successfully gain access to your system by successfully attacking the presumably less secure industry publication. To prevent this, ensure staff are educated about the need to use distinct passwords, use single sign-on (SSO) systems like Active Directory for as many systems as possible, and enable two-factor authentication via a security token. Ensure staff are not writing down passwords or sharing them amonst each other. Contrary to popular belief, do not implement a policy to change passwords every 90 days. Research shows that these policies force employees to move towards pattern-based passwords which are easier to predict.
Much of this risk revolves around staff – but they can only do what’s right if they are trained and educated properly. Consider quarterly cybersecurity updates to keep them informed.
Lastly, legacy systems that limit passwords to a specific length or character set put your institution at risk. Antiquated architecture and bureaucracy at larger corporations make it very difficult to make your specific financial institution’s password requirements more secure. To mitigate this, consider asking potential technology partners about their password policy and making this part of the contract. After all, you as the financial institution should have control over your security. You should not be responsible for the poor design of legacy systems that exist in the industry today.
Personal email should not be allowed on business devices. This is less about the actual email application, and more about the content of the email the staff member may open. Email is one of the most widely used attack vectors, so anything you can do to limit email from untrusted sources is a big cybersecurity win. Enough spam flows through financial institution inboxes already – there is no need to add to this.
Similarly, email should not be used to interact with your end-users. Instead, a robust secure-messaging portal is absolutely critical. This portal should be fully integrated with both online and mobile banking, and can even double as a CRM system.
The Narmi team is happy to chat further if you have any questions – please contact us at firstname.lastname@example.org.