CISO Shares Tips for Keeping Your Community Bank’s Data Secure
Cybercrime is a growing concern for the business community as a whole, and for the community banking industry in particular. The average bank encounters about 85 cyberattacks every year, and the consequences of a breach can be dire. Consider the following sobering statistics:
- Financial institutions are 300x more likely to be targeted for cyberattacks
- The average breach costs a company $5.9 million
- The average ransom demand for a cyberattack is $550,000
For many community banks, these are ruinous numbers. Equally ruinous is the increasing regulatory crackdown by government bureaus to hold banks accountable for their own cybersecurity. In 2018, only two pieces of cybersecurity regulation were on the books. Now there are upwards of 60. The fines associated with noncompliance could be just as ruinous.
How does a community bank navigate this minefield to keep doing what it set out to do — fuel local economies with the capital they need to grow?
In our recent webinar, How to Keep Financial Information Safe in 2024, former law enforcement professional and current SmartVault Chief Information Security Officer Luke Kiely taught community banks how to face a brave new world of cybersecurity threats and regulations.
Examples of Recent Cyber Attacks on Financial Institutions
Both Bank of America and Infosys in the US fell victim to cyberattacks in 2023. South America was hit by a flurry of cyberattacks, too.
“It really brought to light how regionalized and geographically focused some cybercrime gangs actually operate,” Kiely said. “They do tend to focus on continental areas. So, you find in Australia or Asia Pacific you’ll have a certain type of cybercrime gang operating in that area.”
These attacks vary in their sophistication. The level of success depends on the technological controls the organization has in place, but even more so on how prepared the people in the organization are.
“[Organizations] focus on the technical aspects, but they fail to look at the processes and the people angle,” Kiely said, “which is two thirds of the pie when it comes to effectively managing your cybersecurity program.”
What Is a Hacker?
So, who are these cybercriminals? Super geniuses in hoodies sitting in dark warehouses full of sophisticated computers?
Not anymore. “Not every hacker is some super technical individual who knows everything about how to hack,” Kiely said. “The advancement in technology, particularly with those technologies that are used to commit cybercrime, are readily available on the internet for a very low fee. This means that pretty much anyone can turn their hands to hacking with varying degrees of success.”
Should a Community Bank Ever Pay a Ransom?
The police will tell you “Never pay a ransom” in a ransomware attack. They don’t want criminals to be rewarded for their criminal behavior, with no guarantee that they will be held accountable.
Kiely takes a more pragmatic approach, framing it as a business decision. “There are going to be some organizations where it’s going to be much cheaper and quicker to pay the ransom than to go offline,” he said. “From a law enforcement hat, I don’t like to see cybercrime gangs making money off of what they’re doing, but at the same time, it really depends on the livelihood of that business. It might be a much safer, quicker option to pay the ransom.”
“I’ve seen a number of occasions where people have actually paid the ransom and there have been no consequences thereafter,” Kiely said. “There’s only been one occasion where I’ve seen a ransomware attack where they’ve paid the ransomware and been reinfected.”
What Are the Top Vulnerabilities for a Community Bank?
Kiely outlined the top vulnerabilities for community banks, including:
- Email and data security
- Phishing
- Lack of cybersecurity experts on staff
- Vendor risk management
- On-premises infrastructure (phasing out as more systems move to the cloud)
- The customers themselves
How Do I Protect My Business?
“The practices you would use haven’t really changed a great deal over time,” Kiely said. “They’ve become better, but the practices haven’t really changed.”
Steps for protecting a community bank include:
- Encryption of data (both in transit and at rest)
- Regular backups (often taken care of by redundancies in the cloud-computing ecosystem)
- A Written Information Security Plan (required by FTC regulations)
- Software updates (again, often taken care of by cloud services)
- Use of a client portal or document management system
- Variable access rights (top-level access only for the most trusted users)
- Regular training for employees
- Cybersecurity audits
- Security monitoring and incident response
Is Cyber Insurance Important for a Community Bank?
Cybersecurity insurance enjoyed quick adoption when it first came out, but a deluge of claims led to insurers becoming much stingier about the claims they pay out. Kiely questions whether or not the expense is worth it.
“I think it does hold some value,” Kiely said. “Would I rely on it? Absolutely not. There are so many ifs, buts, or maybes that could negate or null-and-void your insurance policy from being paid out. You could even ask the question if it’s more valuable to spend the money on technology rather than insurance.”
What Should Community Banks Know About Compliance Requirements?
The federal government has been aggressive about strengthening the cybersecurity of US infrastructure. The mandate has trickled down to the FTC in the form of the Safeguards Rule, which strictly applies to financial institutions like community banks. These rules call for provisions like 2FA and MFA, as well as a written cybercrime response plan.
“The data privacy laws can really cause you some problems if you’re not on top of them,” Kiely said, “specifically knowing where you operate, which state you operate, where your customers are … that can have an impact on you.”
“They’re going to have a lot more teeth, with severe financial penalties if you don’t get your act together,” he said. “It amounted to some really positive changes, but it also caught a lot of organizations out.”
Learn More Ways to Keep Your Community Bank Secure
Your community bank – simply because of how much personal data you store – is a prime target for cybercriminals seeking to steal identities and commit fraud. Don’t be an easy target. Watch the full webinar on-demand to hear the entire interview.