It’s a community bank’s worst nightmare: a massive ransomware attack or a cyberattack cripples the bank’s operations or steals customers’ data. The key for any organization is to be prepared for when that day comes.
Several cybersecurity experts, speaking on a panel on Feb. 28 at the American Bankers Association National Conference for Community Bankers in Honolulu, said community banks can take numerous steps to defend against attacks and respond effectively if they do occur.
Community banks should shore up their email and authentication security controls, the experts said. They should also make sure they have their data backed up in the event of a ransomware attack, a malware attack in which the cybercrook gains access to a computer or data and holds it hostage in exchange for money.
Banks can also purchase cybersecurity insurance to protect themselves from liability, but that should not be a substitute for robust security controls.
Additionally, the experts encouraged banks to maintain solid working relationships with law enforcement agencies and reach out to local law enforcement or the FBI immediately after being hit with an attack.
“How you respond is going to be key to your continued existence as an institution,” said Adam Levin, founder of CyberScout, an identity protection solutions firm. “That depends on how bad this was and whether you were really good in your response or said, ‘Gee, I hope this goes away.’”
Banks Must Decrease Cybersecurity Attack Surfaces
There are several “low pain, high yield” steps community banks can take to secure themselves, said Stephen Moore, vice president and chief security strategist at Exabeam, a security intelligence and management solutions company. “You have to look very closely [at] what you allow into your environment,” he said.
Banks should use proxy servers to block outbound activity to the internet, he said. IT administrators should also block employees from accessing uncategorized websites and block advertising networks.
Moore also advised banks to audit any system or application that uses a username and password, especially if it is internet-facing. Banks should use multifactor authentication and adaptive authentication, he said. Adaptive authentication, as Identity Automation notes, is “a method for selecting the right authentication factors depending on a user’s risk profile and tendencies.”
Levin said banks should avoid having users’ ID names be their email addresses and give users unique IDs. He also suggested that banks provision mobile devices for employees and user enterprise mobility management software or platforms to secure smartphones and tablets. “In the end, you may find it’s one of the cheapest investments you’ve ever made,” he said.
Levin quoted cybersecurity expert Bruce Schneier, who has said, “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
Technology, Levin said, is one element of a strategy but banks also need to make sure cybersecurity training and hygiene is a constant and ongoing process for employees.
“From the mailroom to the boardroom, everybody in the organization has to understand the threats the institution faces, and the institution has to go out of its way to make them understand that each and every one of them has a role to play,” he said.
How Banks Should Handle Ransomware
The FBI has estimated that in 2016 ransomware payments totaled $1 billion. Will Bales, supervisory special agent of the Honolulu Cyber Squad of the FBI, said many times those attacking a bank with ransomware have no way of even decrypting files if a bank pays a ransom.
The FBI advises that banks and other organizations do not pay ransomware to malicious actors who use the malware. Instead, they should contact local law enforcement and the FBI immediately. If the FBI gets involved early, he said, it can intervene and potentially play with attackers to get them to reveal themselves, so they can be traced.
Some kinds of ransomware can be undone with decryption tools available on the internet, he said. If they can, banks should try to segment or sandbox the infected machines.
Levin added that “the three most important words you should be thinking about when it comes to ransomware: update, upgrade, backup.” Banks should update systems and software when vendors issue legitimate patches, upgrade old equipment and make sure all of their data is backed up in multiple locations, he said.
Cybersecurity Insurance Shouldn’t Substitute for Action
Banks can also look to purchase cybersecurity liability insurance, of which Levin said, “It’s better to have it and not need it than need it and not have it.” Banks may need to jump through hoops to get it, and also must ensure that they are actually doing everything they tell the insurance company they are doing to protect themselves, he said. Otherwise, they could lose coverage.
Levin also warned banks not to use insurance “as a substitute for having deep security protocols you follow. Make sure you understand what this insurance is covering.”
In the end, a community bank’s reputation is everything when it suffers a breach. “Know when to go public and how to do it. Get out in front. It’s all about controlling the narrative.”
For all of BizTech’s coverage of ABA’s National Conference for Community Bankers, click here.