Are you worried about protecting your community bank against cyberattacks? If so, no wonder—cyberattacks against banks increased by 238% in just two months of 2020, according to Cybertalk (https://www.cybertalk.org/2020/08/11/is-it-fiscally-responsible-for-financial-institutions-to-spend-a-small-fortune-on-cyber-security).
It’s no surprise that the costs of cybercrime prevention are increasing along with the risks. As of 2019, the annual cost of bank cybersecurity had surpassed 10% of the overall IT budget, equivalent to $2,300 per employee (https://www2.deloitte.com/de/de/pages/risk/topics/cyber-risk.html).
In this climate, community banks face two major disadvantages against big banks: (1) the expense of cybersecurity is harder to bear, and (2) a security breach destroys trust, sending customers to competitors. So what can you do to protect yourself from cybercrime without breaking the bank?
Increase Your Security Hygiene
High-tech anti-cybercrime tools such as AI and analytics tools abound, of course, but they’re expensive. The good news is that you may not need to spend a lot of money on high-tech solutions designed specifically for cybersecurity. According to an article in the Wall Street Journal, “Bigger cybersecurity budgets aren’t always better, and often lead to waste, said David Stender, chief security officer at M&T Bank Corp., which has assets of about $119 billion.” Stender added that what you need is “cost-effective security, not security at any cost.” In other words, be cautious about overspending on cybersecurity tools and focus instead on security hygiene. (https://www.wsj.com/articles/m-t-bank-security-chief-avoid-ai-and-other-shiny-objects-1531946434)
What is security hygiene? Basically, it’s the simple, inexpensive practices you can—and should—implement at your community bank, including regularly updating software, consistently backing up data, and educating all employees on password management and social engineering risks like phishing.
Most banks do cybersecurity awareness training, but many smaller banks may not, said Steven D’Alfonso, a research director at IDC Financial Insights who focuses on compliance, fraud, and risk analytics strategies. “They really should spend time on phishing tests and teaching people how to spot bad links,” he advised. (https://biztechmagazine.com/article/2018/11/where-should-smaller-banks-focus-cybersecurity-efforts)
A Brief Community Bank Cybersecurity Checklist
A quick Google search will find an overwhelming list of cybersecurity resources. The U.S. Government even offers resources on the FDIC website that include videos for bank directors (https://www.fdic.gov/regulations/resources/cybersecurity/). You’ll also find a variety of checklists intended to help you ensure you’re doing all the right things. Some of these lists can be long and intimidating, but for a quick overview of a few important cybersecurity hygiene steps you can take, read on.
- Assess your risks. You already have some security measures in place; for example, a good core banking software provider (like FPS GOLD) will have many security measures built into its offerings, such as data backup, secure Web and mobile banking, and more. Even if you’ve performed risk assessments in the past, be sure you conduct them regularly. As risks increase, you need to be sure your security measures can address the constantly changing threats.
The ABA has many resources to help you with this, including a Financial Services Cybersecurity Profile, available as a free download. This profile, developed by The Cyber Risk Institute, a coalition of financial institutions and trade associations including the ABA, was updated in November 2020. It’s intended to help financial institutions reduce the overall time spent on cyber risk compliance and is accepted by the regulatory community.
- Develop a company policy on cybersecurity that you communicate with all employees and reinforce with frequent reminders. Among other things, this policy could include items like password rules, requiring permission for all software downloads, using company Wi-Fi only for business, not removing company devices from bank premises, and proper use of removable media such as flash drives and CDs.
- Keep software and hardware up to date. Install all software updates as soon as possible. Updates often contain programming that specifically addresses the latest security threats.
- Strengthen login credentials used at your bank:
- Require employees to use strong, unique passwords for all software and websites accessed at work. A strong password typically includes more than eight non-sequential characters and a mix of letters, numbers, and special characters.
- Instruct employees to change their passwords often and not to use the same password twice. Many people use the same password for everything so they don’t forget it. The problem with password duplication, of course, is that a hacker can access everything if one site is breached. Sites such as LinkedIn, Facebook, and even Equifax have been hacked, exposing thousands of users’ names, passwords, and other sensitive information. Those users who had unique passwords on every site or account were much less likely to become victims of further fraud.
- Encourage employees to use a password manager, such as 1Password, KeePass, or LastPass, that can generate and store a unique password for every site. These generated passwords are impossible to guess, even with sophisticated algorithms used by many hackers. Most password managers can also autofill login credentials, which saves time. Many password managers offer a free version as well as a “premium” paid version.
- When you want an extra layer of security for logins, use multi-factor authentication (MFA). MFA is an authentication method in which access is only granted when a user presents two or more login credentials, such as a password and a temporary access code sent to a phone or email account. Login credentials can include passwords, PINs, temporary codes, or fingerprints. When setting up MFA, make sure that the credentials do not come from the same category (two passwords, for example, are both something the user knows, so a second password adds little protection if the first is stolen).
- Educate employees on social engineering schemes. Social engineering is the practice of tricking people into providing valuable information, such as login credentials. Phishing is a common form of social engineering that, unfortunately, often works. Cyber criminals are becoming more sophisticated, making it harder to identify phishing attacks. Teach employees to be suspicious of any email that asks them to click on a link, even if the email seems to be sent from another employee. Follow up on education with reminders and tests to assess how well employees understand and use what you’ve presented. A good test is to create your own phishing email and send it to your employees to see how many of them take the bait.
- Keep current and vigilant. Schedule regular reviews of your cybersecurity plan and regular training for your employees. Cyber criminals never rest.
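The password rules above (more than eight characters, non-sequential, a mix of letters, numbers and special characters, never reused) can be turned into a check that runs before a new password is accepted. The following is an added example written for this article, not code from FPS GOLD or any of the products named above; it assumes "non-sequential" means no run of three or more characters that step up or down by one (such as "abc" or "321"), and it takes the set of passwords already in use as an input so reuse can be rejected.

```python
import string

# Assumptions (not stated in the article): "non-sequential" is read as no run of
# three or more characters that ascend or descend by one code point ("abc", "321"),
# and reuse is checked against a set of passwords already used elsewhere.
MIN_LENGTH = 9          # "more than eight" characters
RUN_LENGTH = 3


def has_sequential_run(password: str, run: int = RUN_LENGTH) -> bool:
    """True if any `run` consecutive characters ascend or descend by one step."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, already_used: frozenset = frozenset()) -> list:
    """Return the list of rules the candidate password fails (empty == acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if has_sequential_run(password):
        problems.append("contains a sequential run such as 'abc' or '123'")
    if password in already_used:
        problems.append("already used for another site or account")
    return problems


if __name__ == "__main__":
    # Constructed sample: one password already in use at another site.
    used = frozenset({"Winter2020!"})
    for candidate in ("Summer12", "Winter2020!", "abc#Qwerty9", "T7$k!mP2wR"):
        print(candidate, "->", check_password(candidate, used) or "OK")
```

A real deployment would compare against stored hashes rather than plaintext passwords, but the rule logic is the same.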
Conclusion
Your risk of being a victim of cyberattacks increases as remote and mobile banking become more and more common. Even if you do decide to invest in AI or other high-tech security tools, you can’t neglect security hygiene. A few inexpensive strategies can go far toward defending your community bank against cybercrime. Don’t underestimate the human element. Social engineering depends on the cooperation of people who receive it. Educating your employees is like arming your troops to be an important first line of defense when fraudsters attack.