Cyber Hygiene Practices Are Effective Deterrents to These Threats
According to CISA Director Jen Easterly, “Basic cyber hygiene prevents 98% of cyber attacks.” Cyber hygiene programs generally include well-known controls that have been employed in financial institutions for years; however, ongoing attention is needed to ensure that these programs are consistently implemented and managed across the entire organization.  


To ensure that a strong cyber hygiene program is maintained, institutions should:

  • Implement an asset inventory management program that captures all organizational IT assets, including all assets that make periodic or continuous connection to the institution’s network. A comprehensive inventory management program is necessary to support vulnerability and patch management, as well as end-of-life management programs.
  • Develop and maintain a comprehensive and robust vulnerability and patch management program. Unpatched hardware and software provide an attractive and frequently exploited attack vector for cyber criminals and state-sponsored threat actors.
  • Implement an ongoing end-of-life management program to identify and manage software and hardware assets that are nearing the end of their useful life.
  • Use strong passwords supported by a robust password management policy.
  • Implement and properly configure phishing-resistant multi-factor authentication (MFA) for control of privileged access; access to cloud-based services (including email); access to external applications hosting nonpublic information; VPN/remote desktop access to the network; third-party vendor access to the network; access to internal service accounts; and customer access to nonpublic information such as eBanking services and remote deposit capture.
  • Develop a comprehensive third-party risk management program that identifies and categorizes by risk all third-party vendor relationships, including those with managed service providers (MSPs).
  • Ensure that logging is enabled for application, access, and security logs, and store logs in a central location for convenient access and review. Cyber criminals often exploit short log retention periods and the lack of logging of routine administrative activity.
  • Maintain effective backups for core processing, network administration, and other critical services.
  • Maintain a robust cybersecurity awareness training program, including periodic phishing testing, for all employees, including executives.
  • Ensure that the institution has a program to receive, evaluate, and disseminate active threat information. Subscribing to alerts from FS-ISAC, FBI InfraGard, and CISA can provide valuable active intelligence on current ransomware and geopolitical threats.
  • Develop and regularly test an incident response plan that enables a rapid response to different types of cyber incidents.
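The first three practices above (asset inventory, vulnerability and patch management, end-of-life management) depend on each other: an inventory that misses devices cannot drive patching or end-of-life decisions. The following script is an added example, not part of this advisory or any CSBS or CISA tool, showing how a small institution could reconcile its inventory against DHCP lease records and flag end-of-life and patch-overdue assets. The inventory entries, hostnames, product names, dates and log lines are all constructed for illustration.

```python
"""Reconcile an IT asset inventory against hosts observed on the network and
flag end-of-life (EoL) and patch-overdue assets.

Added example: the inventory, the DHCP lease lines and the EoL dates below are
constructed for illustration and do not come from any real institution or
vendor notice.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    product: str
    eol: Optional[date]   # vendor end-of-life date, None if not yet announced
    last_patched: date    # date the last patch cycle was completed


# Constructed inventory (hypothetical hosts, products and dates).
INVENTORY: List[Asset] = [
    Asset("core-db-01", "10.0.1.10", "CoreBank DB 7", date(2026, 12, 31), date(2025, 5, 2)),
    Asset("vpn-gw-01", "10.0.0.5", "RemoteAccess VPN 3", date(2025, 3, 31), date(2025, 1, 15)),
    Asset("teller-ws-17", "10.0.2.17", "Desktop OS 10", date(2025, 10, 14), date(2025, 5, 9)),
    Asset("print-01", "10.0.2.50", "Printer FW 2", None, date(2024, 9, 1)),
]

# Constructed DHCP lease log lines in the shape "timestamp lease <ip> <hostname>".
DHCP_LOG = """\
2025-05-10T08:01:12 lease 10.0.1.10 core-db-01
2025-05-10T08:03:44 lease 10.0.2.17 teller-ws-17
2025-05-10T08:05:01 lease 10.0.2.88 unknown-laptop
2025-05-10T08:05:59 lease 10.0.0.5 vpn-gw-01
this line is malformed and must be skipped
2025-05-10T09:12:30 lease 10.0.3.201 nas-backup-tmp
"""

# Review date used for the worked run (constructed).
AS_OF = date(2025, 5, 10)

LEASE_RE = re.compile(r"^\S+ lease (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<host>\S+)$")


def observed_hosts(log_text: str) -> Dict[str, str]:
    """Parse lease lines into {ip: hostname}; malformed lines are skipped."""
    seen: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            seen[m.group("ip")] = m.group("host")
    return seen


def unknown_hosts(inventory: List[Asset], log_text: str) -> Dict[str, str]:
    """Hosts seen on the network but absent from the inventory, keyed by IP.

    Every hit is an inventory gap: the device is outside patch and EoL tracking.
    """
    known_ips = {a.ip for a in inventory}
    return {ip: host for ip, host in observed_hosts(log_text).items() if ip not in known_ips}


def eol_assets(inventory: List[Asset], today: date, horizon_days: int = 180) -> List[str]:
    """Hostnames already past end-of-life or reaching it within the horizon."""
    cutoff = today + timedelta(days=horizon_days)
    return sorted(a.hostname for a in inventory if a.eol is not None and a.eol <= cutoff)


def patch_overdue(inventory: List[Asset], today: date, max_age_days: int = 30) -> List[str]:
    """Hostnames whose last completed patch cycle is older than the allowed window."""
    return sorted(a.hostname for a in inventory if (today - a.last_patched).days > max_age_days)


if __name__ == "__main__":
    print("not in inventory:", unknown_hosts(INVENTORY, DHCP_LOG))
    print("EoL within 180 days:", eol_assets(INVENTORY, AS_OF))
    print("patch overdue (>30 days):", patch_overdue(INVENTORY, AS_OF))
```

In practice the inventory would be exported from the institution's CMDB or endpoint management system and the observed hosts drawn from DHCP, DNS, switch or NAC logs; the reconciliation logic stays the same. Unknown hosts should be investigated before being added to the inventory, since an unexplained device on the network may itself be an indicator of compromise.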


As a complement to these foundational cyber hygiene practices, CISA provides beneficial, no-cost cyber hygiene services to financial institutions. These services consist of two offerings:

  • Vulnerability Scanning, which continuously monitors and assesses public-facing, internet-accessible network assets to evaluate their host and vulnerability status. In addition to weekly reports of all findings, participants receive ad-hoc alerts about urgent findings, such as the identification of potentially risky services and known exploited vulnerabilities.
  • Web Application Scanning, which takes a deeper dive into publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers could exploit.

We strongly recommend that you consider implementing these free services from CISA in your institution. To learn more about these services or to enroll, visit CISA’s Cyber Hygiene Services page.

Industry and Regulators Must Work Together to Stop These Threats
Continued cooperation between the financial sector and regulators is necessary to address the significant ongoing threats from ransomware and state-sponsored threat actors. For financial institutions, ongoing attention is needed to maintain and strengthen institutional IT security practices, including the foundational cyber hygiene practices identified here. It is important for institutions to address these recommended actions now, since many of the attack techniques described here are in active use by criminal organizations.

In consideration of these threats, as well as the likely emergence of future threats impacting the financial sector, institutions and regulators alike must develop and maintain the agility to efficiently receive, evaluate, and prioritize threat information and appropriately mitigate these and other emerging threats on an ongoing basis. The significance and persistence of current threats warrant your ongoing attention to the aforementioned cyber hygiene practices.

Resources below are provided by trusted sources and are generally considered industry best practices:

Ransomware

CSBS Ransomware Self-Assessment Tool, Banking & Non-bank Versions (Non-bank version updated October 2024)

CISA – Stop Ransomware / Ransomware Best Practices

No-Cost Cyber Hygiene Services

CISA Cyber Hygiene Service (Vulnerability & Web Application scanning)

Video: Strengthening Cyber Defenses: CISA’s Free Vulnerability Scanning Explained

Threat Overviews & Advisories

People’s Republic of China Threat Overview and Advisories | CISA

Russia Threat Overview and Advisories | CISA

North Korea Threat Overview and Advisories | CISA

Iran Threat Overview and Advisories | CISA

Known Exploited Vulnerabilities | CISA

Self-Assessment Tools

NIST Cybersecurity Framework

FFIEC Cybersecurity Assessment Tool (sunsetting 8/2025)

Security Controls

Center for Internet Security Controls

NIST – Security & Privacy Controls for Information Systems

Remote Work

CISA – Telework Guidance

CISA/NSA – Hardening Remote Access VPN

Additional Resources

KeepMyBankSecure.com

CSBS Cybersecurity 101

FFIEC IT Examination Handbooks

SANS – Cybersecurity Training

StaySafeOnline.org

CISA Shields Up! Program
