NEWS
BANKING
Avoiding pandemonium With digital attacks on the rise, local banks are ramping up cybersecurity investments. THOUGH CYBER ATTACKS on businesses and government entities have been making news for years, recent breaches involving banks across the country have focused even greater attention on cybersecurity and forced financial institutions to spend more on safeguards, according to local security companies. Part of this is due to the fact that when a financial institution gets hit, it can affect every level of the industry: the businesses— both large and small—that the banks lend to, personal checking accounts, and even employees. There’s a heightened sense of security across all types of infrastructure, says Jeff Moulton, president and CEO of cybersecurity research and services company Stephenson Technologies Corporation, but a security breach in the finance industry has the ability to cause pandemonium. All banks are vulnerable, though attackers generally focus more on larger ones because they have more assets and information, says Mitchell Bearry, information security analyst at Trace Security. It’s easier for security breaches to get lost in the busy daily activities at larger banks. However, smaller banks have less security and are easier to exploit. All banks have a direct tie to money, Bearry says, and therefore are also vulnerable to identity theft attacks. So, how are banks attacked? Much of it has to do with a social aspect, Moulton says. An attacker can impersonate a bank or credit union’s CEO and tell the chief operating officer to make a payment. If that person doesn’t check that action with a third source, they could unknowingly send millions to the attacker. 56
ISTOCK
BY JULIA-CLAIRE EVANS
Many bank employees’ information can be found online, like emails and phone numbers, and it’s easy to look up job titles, Bearry says. Automated attacks are less likely to have a human operating them at all times, Moulton says, and involve a program that searches for a vulnerability in a bank’s security, latches on to it, waits until someone logs in, and then is able to access an account’s money. All banks are subject to federal regulations and have a set of standards they are required to follow. “When all banks and credit unions follow those same standards you can find that information online and attackers can figure out where the weaknesses are,” Bearry says. “Smaller banks want to do the bare minimum, and the attackers know what’s in place and how to get around it.” And, of course, smaller banks will have less of a budget to spend on security solutions, Bearry says. The smaller ones might not have IT or security at all, or may outsource security measures to a third party who can’t be on-site at all times. But while larger banks have larger budgets, they also have more areas to attack, says Keith Mansfield, executive vice president and chief operations officer at b1BANK. They have more
employees and more systems they’re trying to protect. Now, banks and credit unions— even the smaller community banks—are having to spend more to keep up with the technology from attackers. Trace Security has seen a 12.4% increase since 2015 in what its financial institution customers spend on cybersecurity, says Marissa Adams, marketing manager. That doesn’t include things like hardware and software, she says, but they’re definitely spending more on that as well. The company is seeing more interest from banks in Baton Rouge, Lafayette and New Orleans. Banks are upgrading firewalls, detection systems and buying new antivirus technology, Bearry says. They’re bringing in companies like Trace to test those controls to make sure they’re better and to make sure the changes were cost effective. Stephenson does much of the same, auditing the financial organizations to make sure their practices are up to par. There’s more investment in everything, Adams says, especially in employee training with the human factor being such a vulnerability. Education is an emphasis at Investar Bank. Educating employees and customers on the latest indicators of fraud and scams is a valuable tool and key deterrent to
the bad guys, says President and CEO John D’Angelo. Banks are also spending more on insurance, Moulton says, including insurance against theft and restoration insurance. Some have recall protocols in place so that whatever money is stolen can be brought back, he says, but it’s not always successful. “Getting whacked is bad but going through a recovery process has a high cost,” he says. The institutions are also trying to ensure they have simple-but-effective procedures in place, Moulton says, like two-factor authentications and RSA tokens, which are small devices that provide a six-digit number that changes every minute. Employees use that number along with a password to log onto devices. Investar makes sure its security is continuously renewed and performs security product comparisons on existing infrastructure to identify if any new releases would improve security, D’Angelo says. He believes cybersecurity will continue to evolve and rely on artificial intelligence, or AI, in the future to help sniff out and block malicious attempts in real time. “This staff augmentation through technology will help to expand a financial institution’s security controls exponentially,” he says, “in comparison to just throwing bodies at the problem.” Mansfield says b1BANK uses
BUSINESS REPORT, March 2022 | BusinessReport.com
52-57 News Intro.indd 56
2/24/22 2:58 PM
