
Avoiding pandemonium

With digital attacks on the rise, local banks are ramping up cybersecurity investments.

BY JULIA-CLAIRE EVANS

THOUGH CYBER ATTACKS on businesses and government entities have been making news for years, recent breaches involving banks across the country have focused even greater attention on cybersecurity and forced financial institutions to spend more on safeguards, according to local security companies.

Part of this is due to the fact that when a financial institution gets hit, it can affect every level of the industry: the businesses, both large and small, that the banks lend to, personal checking accounts, and even employees.

There’s a heightened sense of security across all types of infrastructure, says Jeff Moulton, president and CEO of cybersecurity research and services company Stephenson Technologies Corporation, but a security breach in the finance industry has the ability to cause pandemonium.

All banks are vulnerable, though attackers generally focus more on larger ones because they have more assets and information, says Mitchell Bearry, information security analyst at Trace Security. It’s easier for security breaches to get lost in the busy daily activities at larger banks. However, smaller banks have less security and are easier to exploit.

All banks have a direct tie to money, Bearry says, and therefore are also vulnerable to identity theft attacks.

So, how are banks attacked?

Much of it has to do with a social aspect, Moulton says. An attacker can impersonate a bank or credit union’s CEO and tell the chief operating officer to make a payment. If that person doesn’t check that action with a third source, they could unknowingly send millions to the attacker.

Many bank employees’ information can be found online, like emails and phone numbers, and it’s easy to look up job titles, Bearry says.

Automated attacks are less likely to have a human operating them at all times, Moulton says, and involve a program that searches for a vulnerability in a bank’s security, latches on to it, waits until someone logs in, and then is able to access an account’s money.

All banks are subject to federal regulations and have a set of standards they are required to follow.

“When all banks and credit unions follow those same standards you can find that information online and attackers can figure out where the weaknesses are,” Bearry says. “Smaller banks want to do the bare minimum, and the attackers know what’s in place and how to get around it.”

And, of course, smaller banks will have less of a budget to spend on security solutions, Bearry says. The smaller ones might not have IT or security at all, or may outsource security measures to a third party who can’t be on-site at all times.

But while larger banks have larger budgets, they also have more areas to attack, says Keith Mansfield, executive vice president and chief operations officer at b1BANK. They have more employees and more systems they’re trying to protect.

Now, banks and credit unions, even the smaller community banks, are having to spend more to keep up with attackers’ technology.

Trace Security has seen a 12.4% increase since 2015 in what its financial institution customers spend on cybersecurity, says Marissa Adams, marketing manager. That doesn’t include things like hardware and software, she says, but they’re definitely spending more on that as well. The company is seeing more interest from banks in Baton Rouge, Lafayette and New Orleans.

Banks are upgrading firewalls, detection systems and buying new antivirus technology, Bearry says.

They’re bringing in companies like Trace to test those controls to make sure they’re better and to make sure the changes were cost effective. Stephenson does much of the same, auditing the financial organizations to make sure their practices are up to par.

There’s more investment in everything, Adams says, especially in employee training with the human factor being such a vulnerability.

Education is an emphasis at Investar Bank. Educating employees and customers on the latest indicators of fraud and scams is a valuable tool and key deterrent to the bad guys, says President and CEO John D’Angelo.

Banks are also spending more on insurance, Moulton says, including insurance against theft and restoration insurance. Some have recall protocols in place so that whatever money is stolen can be brought back, he says, but it’s not always successful.

“Getting whacked is bad but going through a recovery process has a high cost,” he says.

The institutions are also trying to ensure they have simple-but-effective procedures in place, Moulton says, like two-factor authentication and RSA tokens, which are small devices that provide a six-digit number that changes every minute. Employees use that number along with a password to log onto devices.

Investar makes sure its security is continuously renewed and performs security product comparisons on existing infrastructure to identify if any new releases would improve security, D’Angelo says.

He believes cybersecurity will continue to evolve and rely on artificial intelligence, or AI, in the future to help sniff out and block malicious attempts in real time.

“This staff augmentation through technology will help to expand a financial institution’s security controls exponentially,” he says, “in comparison to just throwing bodies at the problem.”

Mansfield says b1BANK uses third parties to test its systems.

“We don’t just rely on internal employees,” he says. “The third-party companies prove to us that our controls are good.”

The good news is that even though banks have to spend more to keep up with cybersecurity, they can afford it, Moulton says. For community banks, it might cost more, but they can hire a company like Stephenson to come in and do an audit.

A lot of smaller banks do that, he says, because they can’t afford the level of security that bigger banks can.

New banking laws will go into effect this spring that require all U.S. banking organizations to report “any significant computer security incident” to federal regulators within 36 hours of the incident.

What they have to report keeps expanding, Bearry says, which can be good from a security standpoint and for transparency reasons. On the other hand, reporting breaches can damage an institution’s reputation.

In Louisiana, banks are beefing up their cybersecurity investments, though it appears there have not been many breaches. In fact, none has been breached directly that Bearry knows of, though some may have been involved in larger software company hacks, he says.

Moulton says the financial sector in Louisiana is great at sharing information, and if someone sees a security threat in one parish it is immediately known in others.

In the future, spending on cybersecurity across all infrastructures including banking will only increase.

“This isn’t going anywhere and it isn’t new,” Bearry says. “It’s here to stay and everyone needs to be aware. Your weakest link is the human factor, which could allow for everything to be taken down.”

Banks also must continually be on their toes when it comes to updating cybersecurity.

“You’re always chasing a moving target, to an extent,” b1BANK’s Mansfield says. “You can’t rest on your laurels and end up getting caught.”

The minute a vulnerability is detected, you have to rectify it immediately, Mansfield says, because it’s likely someone is already trying to exploit your institution.
