Cybercrime. It’s one of the most detrimental events any business can weather today. A report from the Center for Strategic and International Studies (CSIS) confirms it: Cybercrime now costs the global economy approximately $600 billion per year. While that figure is alarming, the risk is considerably greater for financial institutions. For example, when a cybercrime hits a bank, the institution must notify authorities, perform extensive internal checks to see where the system was violated, and take a deep dive (and a deep breath) to find the information taken and the people affected.
That’s a lot of ground to cover and associated costs to consider. But the potential damage to the customer-institution relationship carries its own grave consequences. If the personal information of thousands, if not millions, is exposed, it severs the trust customers have built.
With tremendous costs at stake, institutions must work from the inside out to protect themselves and their customers through a robust IT policy.
Information security policy: your 21-point checklist
From an information security standpoint, institutions need to address these policy areas. Yes, the list is long—but banks cannot afford to overlook any single item here.
- Acceptable use: How and when systems and information can be used.
- Antivirus/anti-malware: Virus and malware prevention measures and methods.
- Asset management: How to appropriately acquire, track and dispose of hardware and software.
- Backup: When, where and how to back up and restore systems.
- Business continuity: How the institution would continue to operate in a disruptive event.
- Bring your own device (BYOD): Institutional use and support of personal devices.
- Change control: Plan, approve and implement technology changes.
- Clean desk: How employees should leave their workspace when absent from it.
- Disaster recovery: How systems and operations will recover after a disruptive event.
- Email: Appropriate use of electronic communications.
- Encryption: Acceptable encryption technologies and how they are used.
- Firewall: How your firewall handles inbound and outbound network traffic.
- Incident response and reporting: Who deals with cyberattack fallout and how.
- Log management: Log-level usage, reviewing, reporting and storage requirements.
- New technologies: Rules to evaluate and implement technologies into an IT environment.
- Password: Standards for password strength and change frequency.
- Patch management: The frequency of patching and reviews, while determining how to discover and remediate vulnerabilities.
- Remote access: Standards for remote access to network systems, including authentication.
- Removable media: Use of readable and writable media, e.g., flash drives, CDs and DVDs.
- Vendor management: The inventory, risk assessment and monitoring of all vendors.
- Wireless: Acceptable use of wireless networking for employees and guests.
Five tips to improve IT policies
Policy documentation and ongoing evaluation help institutions determine whether they’ve addressed the above IT areas and how well those policies work. Once you’ve inventoried your policy library, tackle the policy improvement process with these tips:
1. Prioritize policy by writing down risk
Instead of getting overwhelmed by volume, conduct a business impact analysis to prioritize these areas by level of risk—and start with the top five. If you lack written policies, write those top five first, then review existing policies for the remaining risks. Whether you write or update a policy, make sure it is relevant and specific to your current and emerging environment.
2. Use policy templates
Regulators neither expect nor require your institution’s policies to be written from scratch, so take full advantage of online templates. For example, the non-profit SANS Institute provides many samples, such as its email policy template. Similarly, the Center for Internet Security (CIS) can serve as another useful policy resource. Customize such templates to fit your specific situation and risk profile to maximize their effectiveness.
3. Develop practical, testable policies
After defining a policy as “an overall statement of the institution’s philosophy or intent,” the Federal Financial Institutions Examination Council’s (FFIEC) Management IT Booklet specifies that policies be “clearly written.” This ensures that employees can follow them and that institutions can adequately test them. When writing or updating an IT policy, keep these rules in mind:
- Simple is more effective.
- Keep it as short yet complete as possible.
- Always keep the end user in mind.
- Write so the least technical person can understand it.
- Spell out both do’s and don’ts for employees.
4. Set policy review expectations for employees
New hires should get policy training from Day One and on a routine basis thereafter, with an emphasis on high-risk areas. That training should, however, do more than skim a document and collect signatures. Policy has a purpose, and every employee must understand their role—and be held accountable.
5. Create a routine process to update the basics
When you inventory policies, note those containing basic information that requires more frequent updates. This could include task assignments, phone numbers or other contact information. Failing to update such information could impede your institution’s ability to carry out policy, especially for incident response or business continuity. Once you create an updating process, make sure staff can access it.
Putting it all together: Peerless protection
In the long run, new policies and procedures—constantly updated—will help your institution fight cyber criminals. Employees are too often your greatest weakness, but the right policies and education will turn them into your greatest security strength.
Even the smallest breach can cause your institution massive headaches. It also puts customers at risk and, as mentioned above, jeopardizes their trust in you. With these tips, institutions can build a robust internal system that protects them from all angles and maintains regulatory compliance.
Does it demand hard work and valuable resources? Of course. But it’s a small price to expend compared to the alternative. As for would-be hackers after your assets, financial and informational, it will send a sobering message: Cybercrime does not pay.
Rachael Schwartz, business development director at CSI (Computer Services, Inc.), works with community banks on cybersecurity readiness.