
OFFICIAL PUBLICATION OF THE INDEPENDENT COMMUNITY BANKERS OF COLORADO

2025 Pub. 4 Issue 2

10 Information Security Topics To Discuss in Your 2025 Review

Cyberattacks no longer affect just the target — they create ripple effects that harm partners, service providers and customers. In today’s interconnected world, breaches impact many stakeholders.

As data breaches continue to trend up, organizations are spending more on solutions that prevent attacks without disrupting business. This escalating threat underscores the critical role of the information security officer (ISO) in adopting proactive security measures. Their leadership is vital in ensuring organizations take every precaution to avoid becoming victims.

All organizations should consider these key topics in their 2025 information security (IS) program review.

1. Ransomware Awareness

Ransomware remains a critical risk to organizations. The Ransomware Self-Assessment Tool 2.0 (R-SAT 2.0) addresses evolving threats, attacker tactics and security controls. This tool helps organizations identify security gaps, raise ransomware awareness and provide executive leadership with insights for informed decision-making and resource allocation. It also supports auditors, consultants and examiners in evaluating security practices while incorporating lessons from past ransomware incidents.

Overall, R-SAT is a valuable resource for strengthening cybersecurity posture and improving security practices.

2. Board Cybersecurity Training

An organization’s board of directors holds ultimate fiduciary responsibility for its security. Without a strong grasp of cybersecurity, they may make decisions that weaken defenses, misallocate budgets or fail to align security strategies with business goals. A board that underestimates cybersecurity risks may fail to implement proactive measures to prevent breaches and may lack effective crisis response plans, resulting in poor risk management.

Cybersecurity is a shared responsibility that extends beyond a single person or committee. A consistent training program fosters trust and reinforces the organization’s commitment to protection.

3. Firewall Reporting and Monitoring

Approximately 60 to 75% of our customers outsource firewall management. While this relationship is trusted, the organization retains ultimate oversight responsibility. At a minimum, organizations should understand their network baseline to ask the right questions and identify key risk indicators.

Outsourcing firewall management introduces both risks and opportunities. Relying on a third party means depending on their expertise and responsiveness. However, misconfigured firewalls can lead to vulnerabilities, and limited visibility into the vendor’s operations may hinder effective monitoring and data protection.

To mitigate these risks, organizations should establish clear roles and expectations in written contracts, conduct periodic security audits of the vendor’s practices as part of their vendor management program and limit administrative access to authorized personnel with strong authentication, like multifactor authentication (MFA). Oversight should include receipt and review of comprehensive logs or read-only access, at a minimum, to monitor suspicious activities or policy violations.
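The baseline-driven log review described above, as an added illustration (not code from the article or from SBS): it checks a constructed, hypothetical key=value firewall export against the organization's own baseline and reports the key risk indicators a reviewer would raise with the vendor.

```python
"""Added example: review outsourced-firewall logs against a network baseline.
The log format below is constructed for illustration; a real vendor export
would need its own parser."""
from collections import Counter

# Baseline the organization maintains: expected inbound services, accounts
# allowed to change rules, and the rule that admin logins require MFA.
BASELINE = {
    "allowed_inbound_ports": {443, 25},
    "authorized_admins": {"fw-admin-jdoe", "vendor-svc-01"},
}

# Constructed sample export (hypothetical space-separated key=value lines).
SAMPLE_LOG = """\
ts=2025-03-01T08:00:01 type=conn action=allow dir=in src=203.0.113.5 dst=192.0.2.10 dport=443
ts=2025-03-01T08:00:07 type=conn action=allow dir=in src=198.51.100.9 dst=192.0.2.10 dport=3389
ts=2025-03-01T08:01:15 type=conn action=deny dir=in src=198.51.100.9 dst=192.0.2.11 dport=22
ts=2025-03-01T08:02:00 type=admin_login user=fw-admin-jdoe mfa=yes result=success
ts=2025-03-01T08:05:30 type=admin_login user=contractor-tmp mfa=no result=success
ts=2025-03-01T08:06:02 type=rule_change user=contractor-tmp rule=allow-any-any
ts=2025-03-01T08:07:44 type=rule_change user=vendor-svc-01 rule=allow-smtp
"""

def parse_line(line):
    return dict(kv.split("=", 1) for kv in line.split())

def review(log_text, baseline=BASELINE):
    """Return the key risk indicators found in the export."""
    findings = {"unexpected_inbound": [], "admin_login_no_mfa": [],
                "unauthorized_rule_change": [], "denied_by_source": Counter()}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        t = ev.get("type")
        if t == "conn":
            if ev["action"] == "allow" and ev["dir"] == "in" and int(ev["dport"]) not in baseline["allowed_inbound_ports"]:
                findings["unexpected_inbound"].append((ev["src"], int(ev["dport"])))   # allowed in, but not in baseline
            elif ev["action"] == "deny":
                findings["denied_by_source"][ev["src"]] += 1   # repeat deniers are worth a question
        elif t == "admin_login" and ev.get("mfa") != "yes" and ev.get("result") == "success":
            findings["admin_login_no_mfa"].append(ev["user"])   # policy violation: admin access without MFA
        elif t == "rule_change" and ev["user"] not in baseline["authorized_admins"]:
            findings["unauthorized_rule_change"].append((ev["user"], ev["rule"]))
    return findings

if __name__ == "__main__":
    for k, v in review(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```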

Vendors should be integrated into the organization’s incident response plan, including defined roles, communication channels and escalation procedures. Collaboration and transparency are key to ensuring firewall security and improving oversight and response capabilities.

4. Multifactor Authentication

Hackers increasingly use malware, ransomware and phishing to steal credentials and access networks. MFA is a key defense that adds an essential layer of security by requiring two or more verification factors, so a stolen password alone is not enough to log in. Strengthening security with MFA protects data center access, secures remote work and reduces exposure to cyber threats.

Organizations should enforce MFA for administrative access to directory services, backups, network infrastructure, endpoints, remote employees and vendors, and firewall management. Many cybersecurity insurance vendors now require self-attestation, including MFA verification for remote and administrative users.

Without adequate controls for administrative users, organizations risk unauthorized access, data breaches, financial loss, reputational damage, legal consequences and operational disruption.

5. Vendor Management Program

Vendor management continues to evolve and requires diligent monitoring, especially for those deemed critical to operations. Adhering to FFIEC and interagency guidance ensures comprehensive risk evaluation in vendor relationships, including vendor risk classifications, annual assessments, committee reviews of critical vendors, and procedures for contract review, due diligence and acquisition.

Effective vendor management optimizes costs, leverages vendor expertise, enhances agility, minimizes disruptions and improves customer experience. Poor practices, however, can lead to operational disruptions, security breaches and regulatory noncompliance.

Organizations should adopt a comprehensive vendor management program to mitigate risks and ensure compliance.

6. Microsoft 365 Controls Assessment

SBS CyberSecurity began Microsoft 365 audits in 2021 due to discoveries by the network security team. An independent assessment is crucial for identifying and mitigating cyber threats within the Microsoft 365 environment. It should evaluate security controls for malware, third-party app access, data loss prevention, external sharing, advanced threat protection and permissions.

Common security gaps within the Microsoft 365 environment include overly privileged administrator roles, misconfigured MFA, inadequate admin center settings, neglected audit and activity logs, and authorization issues.

7. Adequate Backups and Testing

Disaster recovery measures are key to preventing and mitigating ransomware attacks. This includes maintaining multiple on- and off-site backups, replicating critical data, encrypting files and using air-gapped storage. Regularly testing backups ensures data can be recovered after an attack. Air-gapped backups, isolated from networks, protect against ransomware that seeks and deletes accessible backups. Keeping offline, up-to-date backups eliminates the need to pay a ransom.

Depending on budget, immutable backups offer an additional layer of ransomware protection. These unchangeable backups ensure quick recovery by restoring the last clean version in case of an attack or data loss.

As part of risk mitigation, organizations should create, maintain and exercise a cyber incident response and communications plan, including response and notification procedures for ransomware incidents. If a vendor manages your organization’s backups, verify that they follow best practices and formalize security requirements in contracts to safeguard data integrity.

Additionally, regular testing — such as restoration testing, failover testing and simulations — builds confidence in an organization’s ability to recover data in an emergency.

8. Bank Protection Act of 1968

The shift to remote audits has highlighted the importance of managing and monitoring physical security in line with regulatory expectations. Since remote assessments often rely on videos or photos, verifying security measures can be challenging. The Bank Protection Act of 1968 mandates that institutions uphold effective physical security measures. To further strengthen security, it is recommended that a dedicated security officer be appointed to oversee the program and deliver an annual report to the board.

9. Segregation of Information Security from Information Technology

Regulatory and audit scrutiny over IS and information technology (IT) role segregation increases once a financial institution reaches $750 million in assets. The ISO should be independent of IT operations and not report to IT management. Without proper segregation, risks include conflicts of interest, lack of oversight, operational bias and inefficient incident response. Separating IS and IT enhances accountability, risk management, compliance readiness and incident response efficiency.

10. Updated Policies

The following policies should be documented within an IS program, as some are now formal regulatory recommendations:

    • End-of-Life (EOL) Policy: Defines EOL timeframes, tracks IT asset life cycles and ensures timely replacement to prevent security vulnerabilities and operational disruptions.
    • Imaging Policy: Establishes document storage guidelines to maintain readability, accuracy, responsibility, procedures and disposal of original documents.
    • ATM/Debit Card Management Policy: Covers application processes, authorized personnel, activation, PIN changes, returned cards, customer contact procedures and card retention timelines.
    • Instant Issue Policy: Defines security controls, authorized access, inventory management, dual control, monitoring and audit procedures for instant card issuance.
    • Internet Banking Policy: Specifies responsibilities, summarizes services, outlines risk assessment and transaction processes, determines training needs, ensures comprehensive program coverage, and references FFIEC Authentication and Access to Financial Institution Services and Systems as appropriate.

These enhancements ensure institutions comprehensively address physical and digital security, aligning with evolving regulatory standards and cyber threats. 

SBS helps business leaders identify and understand cybersecurity risks to make more informed and proactive business decisions. For more information, contact Valerie Spicer at (605) 270-9381 or valerie.spicer@sbscyber.com. Learn more at sbscyber.com.
