Community Bank Gains Cybersecurity Roadmap from IT and Network Security Audits
Industry
Financial Services - Community Bank
Challenge
This community bank was looking for a fresh perspective on its IT audit and deeper technical insight into its cybersecurity posture. The objective was to gain an evaluation that extended beyond merely fulfilling compliance obligations.
Results
The final report provided more than a compliance snapshot — it offered actionable insights that aligned with the bank’s current risk exposure and maturity level.
Services
Network Security Audit, IT Audit
"This was by far the most professional and comprehensive audit we’ve had in more than 10 years. The level of detail and the competency of the SBS team really stood out. It was a clear upgrade from our past audit experiences."
Chief Technology Officer/Chief Information Security Officer
Community Bank
The Challenge
First-Time Client Pursues Strategic Cybersecurity Improvement
This community bank, a first-time client, engaged our team to strengthen cybersecurity governance, support regulatory compliance, and prepare for future examinations. To achieve this, the bank requested both a network security audit and a risk-based IT audit that would provide deeper technical insight into its risk exposure and the effectiveness of existing controls.
The Solution
To provide a well-rounded picture of the bank’s security and compliance posture, the SBS team performed full-scope IT and network security audits. The services were conducted remotely, with in-depth testing and analysis.
IT Audit: Identifying Cybersecurity Gaps and Risk Exposure
The IT audit followed SBS’s risk-based approach, which emphasizes identifying real-world risk, not just regulatory checkboxes. Drawing from a broad control set that includes FFIEC, NIST, CIS, InTREx, and industry best practices, the auditor focused on the integrity, reliability, and security of the bank’s IT and information security programs.
The auditor identified six findings to help improve the information security program. Two notable observations were:
- Lack of incident response plan testing: While the bank's incident response plan was current, it had never been tested. Conducting tabletop exercises would help validate team readiness and improve response protocols.
- User access reviews: The audit also identified the need for stronger controls around user deprovisioning. Former employee accounts were not always deactivated in a timely manner, increasing the risk of unnecessary access and potential insider threats.
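The deprovisioning gap described above is one that a periodic user access review can catch mechanically: reconcile the HR separation roster against the directory export and flag any former-employee account that is still enabled past the agreed deactivation deadline, escalating those that show a logon after the separation date. The script below is an added illustration of that check, not part of the audit or any SBS tooling; it assumes the HR roster and the directory export share the same username, and its roster and account records are constructed sample data.

```python
"""User access review: flag former-employee accounts still enabled past the
deprovisioning deadline. Added example with constructed data; it assumes HR
usernames and directory usernames match (case-insensitively)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    """One row of a directory export (e.g. from an AD or IdP user list)."""
    username: str
    enabled: bool
    last_logon: Optional[date]  # None means the account never logged on


@dataclass(frozen=True)
class Finding:
    username: str
    separated: date
    deadline: date
    days_overdue: int
    post_separation_logon: bool  # activity after the leave date: treat as an incident


def find_stale_accounts(separations: dict, accounts: list, as_of: date,
                        grace_days: int = 1) -> list:
    """Return former-employee accounts that are still enabled after
    separation + grace_days, worst first (post-separation logons, then most overdue)."""
    by_name = {a.username.lower(): a for a in accounts}
    findings = []
    for user, sep_date in separations.items():
        acct = by_name.get(user.lower())
        if acct is None or not acct.enabled:
            continue  # already disabled, or no directory account to deprovision
        deadline = sep_date + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # still inside the agreed deactivation window
        logon_after = acct.last_logon is not None and acct.last_logon > sep_date
        findings.append(Finding(user, sep_date, deadline,
                                (as_of - deadline).days, logon_after))
    findings.sort(key=lambda f: (not f.post_separation_logon, -f.days_overdue))
    return findings


# Constructed sample inputs: HR separation roster and a directory export.
HR_SEPARATIONS = {
    "jdoe": date(2024, 3, 1),    # left, still enabled, logged on afterwards
    "asmith": date(2024, 3, 10), # left, correctly disabled
    "bkim": date(2024, 2, 15),   # left, still enabled, no activity since
    "cwong": date(2024, 3, 14),  # left yesterday, still inside the grace window
    "rlee": date(2024, 3, 1),    # left, has no directory account
}
DIRECTORY = [
    Account("jdoe", True, date(2024, 3, 12)),
    Account("ASmith", False, date(2024, 3, 9)),
    Account("bkim", True, date(2024, 2, 14)),
    Account("cwong", True, date(2024, 3, 14)),
    Account("mjones", True, date(2024, 3, 15)),  # current employee, not in roster
]
REVIEW_DATE = date(2024, 3, 15)


def run_review() -> list:
    """Run the check over the constructed sample data."""
    return find_stale_accounts(HR_SEPARATIONS, DIRECTORY, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        flag = "INCIDENT: logon after separation" if f.post_separation_logon else "overdue"
        print(f"{f.username:<8} separated {f.separated} deadline {f.deadline} "
              f"({f.days_overdue} days overdue) - {flag}")
```

Run on a real export, the output is the review's exception list: the accounts that should have been disabled but were not. Sorting post-separation logons to the top matters because those are no longer just a control gap but possible unauthorized use, and they should go to incident response rather than the routine cleanup queue.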
Network Security Audit: Simulating Real-World Attacks
The network security audit simulated real-world attacks using network mapping, vulnerability scanning, email and telephone phishing, social engineering, and exploitation techniques. Following the Penetration Testing Execution Standard (PTES) methodology, the assessment provided a comprehensive, systematic evaluation of the bank’s security posture.
Testing uncovered vulnerabilities such as weak passwords, default credentials, and exploitable over-the-phone verification procedures. Using publicly available information, the team was able to obtain account balances by the second call to each branch, highlighting the urgency of strengthening verification procedures. Phishing tests also revealed gaps in employee awareness, demonstrating the need for ongoing security training.
Key remediation and improvement steps included:
- Over-the-phone verification procedures: Weaknesses allowed account balances to be obtained using publicly available information. Improving these procedures reduces the risk of unauthorized access.
- Unnecessary services: IPv6 router discovery and DHCP were enabled by default, potentially exposing internal network details. Disabling these services strengthens perimeter security.
- Internal device passwords: Weak or default credentials created a potential compromise risk. Applying secure passwords mitigates this threat.
- Web-based content filtering and logging: Limited monitoring and filtering were observed. Implementing these measures enhances visibility into potential threats and supports proactive defense.
"The overall process was excellent. We not only received detailed reports but also actionable guidance on how to address findings. SBS even provided templates and sample policies that made it easy for us to strengthen our documentation."
— Chief Technology Officer/Chief Information Security Officer

The Results
Actionable Cybersecurity Roadmap Strengthens Risk Posture and Compliance
The bank walked away with a clear, prioritized roadmap for addressing vulnerabilities and comprehensive reports to aid in board reporting and regulatory conversations.
Remediation began immediately. During the exit meeting, leadership drafted next steps to improve call-in verification and soon extended efforts to user access management and employee awareness training.
The client was particularly appreciative of the clear and practical explanations provided, which made it easier for leadership to understand their cybersecurity posture. Technical concepts, such as the difference between intercepted password hashes and actual passwords, were broken down into everyday language and examples that the entire team could grasp.
Most importantly, the engagement sparked a shift in vigilance. The client proactively began hardening technical defenses, enhancing employee awareness, and strengthening governance processes — significantly reducing the risk of compromise and laying the foundation for a more resilient cybersecurity program.
Ultimately, the engagement strengthened the bank’s security posture and built confidence in SBS, setting the stage for a long-term, trusted partnership.