Information security incidents are on the rise. Every day it seems that a new vulnerability is identified or another business has been breached. Unfortunately, information technology or information security budgets haven’t always accommodated the fight against the ever-growing number of threats.

Here are a few things your bank can do today that have little or no monetary cost but can greatly reduce the overall risk profile of the institution:

1. Review System Access Privileges

Liberally granted system access privileges are one of the easiest ways to leave your institution exposed. Restricting access and provisioning privileges based on each user’s primary job function and the “need to know” is one of the easiest and most effective preventative controls an institution can implement to reduce risk. Pay particular attention to administrative and shared accounts, and to access that employees kept after changing roles or leaving; a periodic review of actual entitlements against a short list of what each role requires catches these quickly.
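The following script is an added example of the access review described above; it is not code from the original article. It compares what each account actually holds against a role matrix that says what each job function needs, and reports excess entitlements, privileged entitlements that should be re-certified every cycle, dormant accounts, and accounts whose role is not in the matrix. The role matrix, entitlement names and accounts are constructed sample data, not from any real institution.

```python
"""Access-review helper: compare what each account actually holds against
what its job role should hold, and report the excess.

Added example; the role matrix and account list below are constructed
sample data, not from any real institution."""

from dataclasses import dataclass, field

# Constructed role matrix: the entitlements each job function needs.
ROLE_MATRIX = {
    "teller": {"core-banking:read", "teller-app:transact"},
    "loan-officer": {"core-banking:read", "loan-origination:write"},
    "it-admin": {"domain:admin", "backup:operator"},
}

# Entitlements a reviewer should look at every cycle, whatever the role says.
ALWAYS_REVIEW = {"domain:admin", "core-banking:write"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set = field(default_factory=set)
    last_logon_days: int = 0  # days since the account last logged on


# Constructed sample accounts.
ACCOUNTS = [
    Account("jsmith", "teller", {"core-banking:read", "teller-app:transact"}, 2),
    # Former IT admin who moved to lending but kept domain admin.
    Account("rjones", "loan-officer",
            {"core-banking:read", "loan-origination:write", "domain:admin"}, 5),
    # Teller with write access to the core system: not part of the job.
    Account("mlee", "teller",
            {"core-banking:read", "teller-app:transact", "core-banking:write"}, 1),
    # Role not in the matrix and no logon in months: likely orphaned.
    Account("svc_legacy", "unknown", {"backup:operator"}, 120),
]


def review_account(acct, role_matrix=ROLE_MATRIX, dormant_after_days=90):
    """Return a list of findings (strings) for one account; empty means clean."""
    findings = []
    allowed = role_matrix.get(acct.role)
    if allowed is None:
        findings.append(f"role '{acct.role}' has no entry in the role matrix")
        allowed = set()
    excess = acct.entitlements - allowed
    if excess:
        findings.append("excess entitlements: " + ", ".join(sorted(excess)))
    flagged = acct.entitlements & ALWAYS_REVIEW
    if flagged:
        findings.append("privileged entitlements to re-certify: "
                        + ", ".join(sorted(flagged)))
    if acct.last_logon_days >= dormant_after_days:
        findings.append(f"dormant: no logon for {acct.last_logon_days} days")
    return findings


def run_review(accounts=ACCOUNTS, role_matrix=ROLE_MATRIX):
    """Return {user: findings} for every account with at least one finding."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, role_matrix)
        if findings:
            report[acct.user] = findings
    return report


if __name__ == "__main__":
    for user, findings in run_review().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

In practice the account list would be exported from the directory and the application admin consoles, and the role matrix agreed with the business owners once; after that the review is a matter of re-running the comparison on a schedule and acting on what it reports.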

2. Perform Employee Information Security Training

As much as I hate to admit it, some threats cannot be prevented by spending money alone. Money can be spent on systems, software, etc. to counter threats; however, these controls have little effect on preventing an employee from clicking a fraudulent email link or divulging confidential information. Employees who are consistently reminded of these threats and properly trained on information security are less likely to be the cause of an information security incident.

3. Configure Systems in Accordance with Industry Standards and Best Practices

Are your bank’s systems and devices deployed and configured in accordance with security best practices? Vendor hardening guides and published industry benchmarks (such as the CIS Benchmarks) provide detailed, free guidance for securing servers, workstations, and network devices. Reviewing security settings against one of these baselines and making appropriate changes is a relatively easy, low-cost way to manage risk. Test changes on a non-production system first, since a hardening setting can break an application that depends on the default.

4. Implement a Schedule to Review Network Security Logs

Now that systems have been configured in accordance with industry standards, consistent reviews of network security logs should be implemented. Firewall logs, antivirus logs, system event logs, etc. can provide a large amount of data to help an organization reduce or mitigate information security risk. However, if this data is never reviewed, it is of little worth. Put the review on a schedule with a named owner, decide ahead of time which events (failed logons, denied connections, malware detections, new administrative accounts) warrant follow-up, and make sure the logs are retained long enough to be reviewed.
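As an added example of what a scheduled log review can look like in practice (not code from the original article), the script below runs three simple checks over firewall log lines: a source that was denied against many distinct destinations (a scan), a source repeatedly denied against the same destination and port (a guessing attempt), and an allowed inbound connection to an administrative port from outside the internal address ranges. The log lines are constructed, in a generic `timestamp host ACTION PROTO src:port -> dst:port` layout rather than any specific vendor’s format, and the internal ranges and administrative port list are assumptions to adapt to your own network.

```python
"""Scheduled review of firewall logs: summarize denies per source and raise
findings for scans, repeated denies, and allowed admin access from outside.

Added example; the log lines below are constructed, in a generic
'timestamp host ACTION PROTO src:port -> dst:port' layout, not a specific
vendor's format. Adapt LINE_RE to the format your firewall actually emits."""

import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_PREFIXES = ("10.", "192.168.")  # assumption: the bank's internal ranges
ADMIN_PORTS = {22, 23, 3389}             # assumption: ports that mean remote admin

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2024-03-04T02:15:01Z fw01 DENY TCP 203.0.113.45:51234 -> 198.51.100.10:21
2024-03-04T02:15:01Z fw01 DENY TCP 203.0.113.45:51235 -> 198.51.100.10:22
2024-03-04T02:15:02Z fw01 DENY TCP 203.0.113.45:51236 -> 198.51.100.10:23
2024-03-04T02:15:02Z fw01 DENY TCP 203.0.113.45:51237 -> 198.51.100.10:25
2024-03-04T02:15:03Z fw01 DENY TCP 203.0.113.45:51238 -> 198.51.100.10:80
2024-03-04T02:15:03Z fw01 DENY TCP 203.0.113.45:51239 -> 198.51.100.10:443
2024-03-04T02:15:04Z fw01 DENY TCP 203.0.113.45:51240 -> 198.51.100.10:3389
2024-03-04T02:16:10Z fw01 DENY TCP 203.0.113.9:40001 -> 198.51.100.10:3389
2024-03-04T02:16:15Z fw01 DENY TCP 203.0.113.9:40002 -> 198.51.100.10:3389
2024-03-04T02:16:20Z fw01 DENY TCP 203.0.113.9:40003 -> 198.51.100.10:3389
2024-03-04T02:16:25Z fw01 DENY TCP 203.0.113.9:40004 -> 198.51.100.10:3389
2024-03-04T02:18:00Z fw01 ALLOW TCP 192.0.2.77:50000 -> 198.51.100.20:3389
2024-03-04T02:18:30Z fw01 ALLOW TCP 10.0.0.15:50001 -> 198.51.100.20:3389
2024-03-04T02:18:45Z fw01 ALLOW TCP 10.0.0.22:50002 -> 198.51.100.30:443
2024-03-04T02:19:00Z fw01 config reload complete
"""


def parse_log(text):
    """Parse log text into a list of records. Unparseable lines are counted
    rather than silently dropped, so a format change shows up in the report."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records, unparsed


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def review(records, scan_targets=5, repeat_denies=3):
    """Apply three checks and return the findings as a dict."""
    denied_targets = defaultdict(set)  # src -> {(dst, dport)} that were denied
    denied_same = defaultdict(int)     # (src, dst, dport) -> number of denies
    external_admin = []                # allowed admin-port access from outside
    for r in records:
        if r["action"] == "DENY":
            denied_targets[r["src"]].add((r["dst"], r["dport"]))
            denied_same[(r["src"], r["dst"], r["dport"])] += 1
        elif r["dport"] in ADMIN_PORTS and not is_internal(r["src"]):
            external_admin.append((r["ts"], r["src"], r["dst"], r["dport"]))
    scans = {src: len(t) for src, t in denied_targets.items() if len(t) >= scan_targets}
    repeats = {key: n for key, n in denied_same.items() if n >= repeat_denies}
    return {"scan": scans, "repeated_denies": repeats,
            "external_admin_allow": external_admin}


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} lines not understood")
    for name, result in review(recs).items():
        print(name, "->", result)
```

The thresholds are deliberately low so the sample triggers every check; tune them against a week of your own logs, and treat a rising `unparsed` count as a finding in itself, since it usually means a firmware upgrade changed the log format and the review has quietly stopped seeing events.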

5. Collaborate with Peers and Colleagues

“What are the likely threats to my institution?” “How can these threats be mitigated?” These questions can often be answered by talking with peers and meeting with colleagues. What sort of threats have they experienced? How have they reduced the risk of these threats? The information gained from attending a user group meeting or industry conference can be invaluable in mitigating information security risk.

Bottom line—information security risks will continue to rise for the foreseeable future, and there are only so many dollars that can be spent to mitigate them. Those dollars need to be spent strategically. Consider implementing some of the solutions described above to reduce your institution’s risk profile.