Contrary to common sense, the key to ensuring a bank's cybersecurity isn't just technology, it's people.
This is why we cybersecurity professionals say that the weakest link in this chain is the human being.
And although it may seem hard to believe, employees in the financial sector tend to make the most mistakes that compromise the security of their organizations.
According to cybersecurity firm Cydef, 45% of banking employees admitted to clicking on phishing emails.
One explanation for this is the requirement that they respond quickly to all the emails they receive.
Recommendations to minimize the chances of errors:
🎓 Train staff in cybersecurity: The objective is for staff to become aware of the risks to which an organization's information is exposed. Obviously, training must be continuous, as threats are constantly changing.
🛡️ Implement access restriction policies and controls for both physical and technological security: The more people have access to information, the greater the risk may be. Therefore, it is advisable to grant access only to those who really need it, or to grant it for a limited time, without neglecting the security controls in the systems.
🔐 Encourage employees to perform regular backups: A simple way to implement this standard is to configure devices so that they automatically back up the information they are working with to the cloud. And if you want to make the information even more secure, the data stored in the cloud can be copied to an external hard drive. For sensitive data, it is always recommended to use cryptography, that is, the method of encrypting information. Data can be encrypted both at rest and in transit. For example, if a database is critical, this mechanism can be applied to ensure its integrity and authenticity.
Just as threats to cybersecurity seem to increase day by day, so do the resources and methods for ensuring information security. It is not enough just to be trained on the risks that exist (and that may exist); we must work constantly on information security, because threats are renewed every day.
It's not all bad news: the CID Triangle
Just as there are numerous threats that can compromise the security of an organization's digital infrastructure and data, there are also principles and criteria that help protect them.
Thus, two decades ago, information security professionals created the “CID triangle”, consisting of the attributes confidentiality, integrity and availability, to guide organizations' information security management.
Let's see what these terms mean in the context of information security:
- Confidentiality
This attribute refers to the fact that access to certain information should only be available to authorized users. According to the ISO 27001 standard, information is classified according to its value, legal requirements, sensitivity and criticality to the company. The two most commonly used techniques to ensure information confidentiality are encryption and fragmentation.
- Integrity
This attribute guarantees that information can only be modified by authorized users and that, therefore, it maintains its consistency, accuracy and reliability in any of its 3 states: storage, processing or transit.
- Availability
This attribute means that an authorized user can access the information they need whenever they want it. To keep information available at all times for authorized users, strategies such as redundant solutions, backup schemes, business continuity plans (BCP) and disaster recovery (DRP) are implemented.
We speak of a triangle or triad of information security because these 3 attributes are interrelated; one cannot exist without the others.
CID Triangle or CIA Triad.

At Infocorp, we work together with banks, not only to provide them with increasingly secure digital channels, but also to train staff in good practices. If you want to implement it in your bank, we are here to help.
For safer banks and people, let's work together on prevention and continuous improvement in information security.