Taking Charge: October is Cyber Security Awareness Month

CBA’s popular Cyber Risk Summit was held in August in Savannah with close to 70 attendees. Information security officers, digital innovation experts, operations managers, and risk managers gathered to learn, share resources, and ensure their bank is cyber aware and compliant. A few topics this year included computer security incident notification requirements, vendor management & risk assessments as well as IT and cyber governance. In honor of Cybersecurity Awareness Month in October, we polled several community bank cyber experts on best practices, recent threats and what keeps them up at night.

Kerry Everidge, CISM Senior Vice Vice President, Administrative Services Officer , ISO Planters First Bank Cordele

We leverage our employee intranet to promote cyber awareness and policy changes. We continually share information on the latest threats and best practices from a combination of resources (government agencies and service providers). We share a “scam of the week”, examples of phishing emails, and news articles. We also conduct on going phishing exercises and monthly training to keep cyber security top of mind.

Insurance issues as it relates to ransomware and major breeches. Is there language in the policy that is not aligned with our application, or does the carrier disagree with our approaches as it relates to mitigation. We use an outside consultant, but the carrier takes the position of denial, then we need to prove the claim.

We recently increased our insurance coverage, but again, the carrier will make us prove we did everything according to their policy and our application. That’s a lot of information that has to be precisely correct, and to the carrier’s liking.

Notify insurance carrier very early in the process. They, in turn, will assign one of their approved attorneys to represent the bank throughout the incident. The attorneys will provide forensic experts to help mitigate the incident. This method also helps ensure claims payments.

Executive Vice President & COO BankSouth Greensboro

Our foundation partners with community banks on programs that promote safety in nursing homes, HUD housing, and Veterans Homes across America. We support those that gave us so much with systems that prevent financial and physical abuse. Join the hundreds of banks that already participate. To get involved and earn CRA

Latisha Brundidge VP, Chief Compliance Officer Talbot State Bank Fayetteville

Cyber-attacks are what keeps us up at night. Specifically ensuring we are prepared and have enough controls to prevent imminent attacks.

We help employees identify security threats through various training programs. For example, our bank uses Knowb4 to educate and test our staff on different types of social engineering scams and phishing attacks. Our best defense has been our quarterly training. We can prevent loss if our staff is knowledgeable and aware.

Spear smishing has been especially prevalent the last 12 months. Bad actors are actively using LinkedIn and other forms of social media to collect cell numbers of new team members. They then send SMS text messages to the new team members posing as our CEO or other C-level executives. To date, every reported case started out as a pleasantry, like a welcome to the team text. Fortunately, we had users report the strange texts early and now we periodically send out emails to educate users on the scam.

I worry about the sheer volume of security related information that needs to be analyzed and addressed. I, like many of my peers, are signed up for security related notifications and alerts from a plethora of resources. Whether it be newsletters, CISA/US-CERT alerts, audit firms, etc..., I am constantly bombarded with security information, vulnerability information, ransomware information, data breach information, and more. Some are easy to discard, but much of it requires time and analysis to determine if we are impacted and how we can mitigate it. The scariest part is that most of the time, by the time I receive an alert, that means the vulnerability or event has been in the wild for weeks or months or even longer.

IT Director Colony Bank Fitzgerald

Our bank has a weekly operations meeting that has representatives from all areas of the bank. There are standing agenda items for change management requests, which would include new policy changes. Relevant policy information is cascaded throughout the bank from that meeting. September/October 2022 | Georgia Communities First | 23