Why your biggest cybersecurity risk may be internal

Whether it’s a bank employee or a contractor, effective cybersecurity procedures and practices are paramount to protecting the bank, its employees and its customers.

By Mary Thorson Wright

At least one study says employees are the cause of a large percentage of cybersecurity incidents and could be the biggest cybersecurity risk for businesses. The Anti-Phishing Working Group Phishing Activity Trends Report for Q1 2021 found that the financial institution sector is the most frequently victimized business sector for the quarter.

Given that perspective, a bank employee or an employee of a third-party partner could well fall victim to cybersecurity deceptions, which range from phishing attacks, scams and social engineering cons to risky web browsing, deficient password habits and careless document controls.

“All community bank employees, regardless of job description, need to understand that information security is part of their job and that customers trust that a bank will protect their information,” says Joel Williquette, senior vice president, operational risk policy for ICBA. He notes that community banks are very good at providing online or in-person cybersecurity training but should consider supplementing it with monthly or quarterly in-person staff discussions focused on how digital crime affects the bank, its employees and its customers. Other topics include how digital crime can be prevented and what tools employees might need to assist in being vigilant. “Don’t take anything off the table,” he says. “Employees come up with good ideas, and you want to empower them.”

While insider malice may account for some cyberattacks, weak risk management (password practices, access policies, downloads, phishing or social engineering, unprotected data or emails, unsecured networks, inappropriate information sharing, or other deficiencies) is more likely the greater risk, and it is within bank management’s grasp.

Centering risk management

Cybersecurity risk management begins with employees and the tools they use, as well as policies and procedures to support and structure these tools’ implementation. “Risk management needs to be at the center of what community banks do,” says Williquette. “Too often, banks decide to purchase a product or service based only on features, functionality and cost, and then conduct due diligence and risk assessments. A better practice is to evaluate three things—features, functionality and risk—simultaneously with input from all stakeholders before a decision is made.”

He notes that risk assessments should include vendor due diligence, the underlying security of the product, database access or vendor access to bank data, and the quality of the vendor’s project management. Regulators can provide guidance to use as a resource.

The rise of third-party companies and vendors to support community banks with platforms, applications, operations or services also increases employee risk exposure. Williquette recommends several precautions that community banks should employ at a minimum:

  • Understand the vendor relationship. What information does the vendor store or use on behalf of the bank, and how is that information protected? How do the bank’s network, systems and data interact with third-party vendor systems, even those in the cloud?
  • Look at using multifactor authentication (MFA) internally and require vendors to use it, too. Effective MFA supplements user IDs and passwords with a secure app or a physical security device, like a card or key fob. This is far stronger than pairing a username and password with a verification code delivered by email, phone call or text message.
  • Understand how your cyber insurance covers your bank if a breach or issue originates at a third-party service provider, including a core provider.
  • Review contracts to understand terms and if third-party service providers, including core providers, accept responsibility and liability should a breach or incident originate in their company.

Cybersecurity is everyone’s responsibility, and the human element cannot be overlooked. The best cyber risk management begins with employees and the tools they use to protect the bank, its data and its customers from cyberattack.


Mitigating off-site employee risk

Off-site employees present different challenges from those working in a bank-controlled facility. “The quality of network defenses for an off-site employee is often not as good as that of those protecting the business,” says Joel Williquette, senior vice president, operational risk policy for ICBA.

He recommends these minimum steps to mitigate risk:

  • Provide a secure firewall/VPN device for your employee to install on their off-site network.
  • Restrict work on bank projects and access to bank networks to bank-issued computers or laptops, and prohibit the use of personal computers for that work.
  • Instruct employees to practice the same clean-desk policies off-site as they would in the office.
  • Update all IT/security processes, procedures and training to include the remote worker model.
  • Make sure employees periodically review and sign the technology and/or acceptable use policy for your bank.

More information

ICBA released an updated Cyber Insurance Guide to help community banks mitigate cyber risks.
ICBA’s Operational Risk page hosts continually updated resources.


Mary Thorson Wright is a writer in Virginia.