As part of the ongoing 2025 Cyber Hygiene Awareness campaign, the Conference of State Bank Supervisors (CSBS) issued a set of cyber hygiene practices that financial institutions should implement and maintain as a baseline program. Those practices include the following:
- Implement an asset inventory management program that captures all organizational IT assets, including every device and service that connects to the institution's network periodically or continuously. A complete inventory is the foundation for vulnerability and patch management and for end-of-life management: an asset that is not in the inventory is not being scanned, patched, or retired.
- Develop and maintain a comprehensive and robust vulnerability and patch management program. Unpatched hardware and software provide an attractive and frequently exploited attack vector for cyber criminals and state-sponsored threat actors.
- Implement an ongoing end-of-life management program to identify and manage software and hardware assets that are nearing the end of their useful life.
- Use strong passwords supported by a robust password management policy.
- Implement and properly configure phishing-resistant multi-factor authentication (MFA) (for example, FIDO2/WebAuthn security keys or PIV smart cards, rather than SMS codes, one-time passcodes, or push notifications, which can be phished or spammed until a user approves them) for privileged access; access to cloud-based services (including email); access to external applications hosting nonpublic information; VPN/remote desktop access to the network; third-party vendor access to the network; access to internal service accounts; and customer access to nonpublic information.
- Develop a comprehensive third-party risk management program that identifies and categorizes by risk all third-party vendor relationships, including those with managed service providers (MSPs).
- Ensure that application, access, and security logging is enabled, and forward logs to a central location for review. The central store should be protected so that an attacker who compromises the originating host cannot alter or delete the records, and it should be retained long enough to support an incident investigation.
- Maintain effective backups for core processing, network administration, and other critical services. Keep at least one copy offline or otherwise isolated from the production network so that ransomware cannot encrypt or delete it, and periodically test that critical systems can actually be restored from those backups.
- Maintain a robust cybersecurity awareness training program, including periodic phishing testing, for all employees, including executives.
- Ensure that the institution has a program to receive, evaluate, and disseminate active threat information. Subscribing to alerts from FS-ISAC, FBI InfraGard, and CISA can provide valuable active intelligence on current ransomware and geopolitical threats.
- Develop and regularly test an incident response plan that enables a rapid response to different types of cyber incidents.
As a complement to these foundational cyber hygiene practices, the Cybersecurity & Infrastructure Security Agency (CISA) provides beneficial, no-cost cyber hygiene services to financial institutions. These services consist of two offerings:
- Vulnerability Scanning, which continuously monitors and assesses public-facing, internet-accessible network assets to evaluate their host and vulnerability status. In addition to weekly reports of all findings, participants receive ad-hoc alerts about urgent findings, such as the identification of potentially risky services and known exploited vulnerabilities.
- Web Application Scanning, which takes a deeper dive into publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers could exploit.
Licensees are strongly encouraged to consider implementing these free services from CISA in their organizations. To learn more about these services or to enroll, visit CISA's Cyber Hygiene Services page.