Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.
1. Multifactor Authentication
Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.
With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.
And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.
3. Moving to the Cloud
Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.
4. Cloud Security
While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.
5. Virtual ISO
Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.
You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.
The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:
- Employee training to ensure adequate, effective, and safe practices
- Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
- Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
- Backup and data redundancy to ensure ransomware cannot wipe out your data
Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.
As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.