By Paul Gores
With cyberattacks on U.S. businesses a possibility as Russia’s war against Ukraine rages on, financial institutions need to make sure their cybersecurity measures are first-rate and up to date, experts say.
The White House has warned that Russia could try to disrupt digital operations and damage the U.S. economy in retaliation for sanctions against Russia after its invasion of Ukraine.
Ransomware attacks on U.S. businesses, some based in Russia, already have been growing in recent years, and recently, the FBI said it discovered and secretly removed malware that hackers from Russia had placed in computer systems worldwide. Some American leaders think Russian President Vladimir Putin still has plans to try to inflict a major cyberattack.
If he does, banks that have been diligent and proactive about protecting their systems from hackers should be less vulnerable to the chaos a cyberattack could cause, experts say.
Banks need to make sure they’ve taken inventory of all of their technology assets and are doing what they can to keep them safe from attackers.
“Know what those assets are — all your software, hardware — and then from there follow your basic cyber hygiene,” said Scott Noles, assistant vice president and information security officer for Mukwonago-based Citizens Bank. “Are they up to date? Have you patched them? Do you have end-of-life software? Do you have anything that’s in your environment that shouldn’t be? Those I think are really mission critical.”
While many assume the Russian government would want to target the biggest banks and core processors to cause the most disruption to the financial system, infiltrating a bank of any size would be a win for attackers, experts say. That’s why it’s important for community banks to ensure techniques cyber crooks often use to bust into an institution’s system, including phishing emails that can be the gateway to a system takeover, will run into a tough defense. Training employees not to respond to infecting emails, whether in the office or working remotely, is one important step.
“Everyone’s digital life, whether it’s at work or at home, is intertwined now,” said Ian McShane, vice president of strategy for the cybersecurity firm Arctic Wolf Networks. “You can get compromised at home and have that lead into your work life as well. Just because you close the door on your laptop at work doesn’t mean you don’t need to remain vigilant. It can be a risk to businesses wherever you are.”
McShane and others stressed that multifactor authentication is crucial. With multifactor identification, users must submit two or more pieces of evidence to verify their identity in order to gain access to a digital resource. An organization must at least make sure that all of its information technology workers are using multifactor authentication.
In addition, McShane said, a bank’s IT pros or security officers should take stock of which machines in the system are accessible from the internet.
“And make sure there is a good reason for those machines to be accessible from the internet as well, because they are going to be the first bastion of adversarial activity,” he said.
Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, said specialty insurance carriers considering coverage applications from banks are requiring multifactor authentication.
“What the carriers are looking for amongst other internal controls, the big key is multifactor authentication,” he said. “And that multifactor authentication expands to all users, but most important are privileged users which are those users that can access critical systems, install software, and change security settings.”
Otteson said insurers also need to know that critical patches and updates are implemented and deployed, and they want servers and back-ups to be encrypted. Without those measures, “They put themselves at risk,” he said.
Banks must always be diligent and vigilant — and that was expected even before the Russian threat in the wake of the Ukraine invasion.
“There is no institution that’s immune from a potential cyberattack,” Otteson said.
The security measures of vendors that have access to bank data also have to be airtight, said Jeff Kurek, vice president, information services and cyber security for Park Bank in Madison. He said vendors ranging from those managing IT all the way down to the bank’s HVAC company could put a bank at risk if they have access to the internal system.
“We are heavily regulated, we’ve always had information security programs in place, we’ve always been audited,” Kurek said. “But what about our third-party vendors — the vendors that we utilize to provide us our critical services?”
If Russia were to mount a large cyberattack on the U.S., major infrastructure could be key targets, many believe. But cyberattacks could produce side victims like smaller banks. McShane said most incidents are opportunistic.
“They happen because someone clicks on something that they weren’t aware was weaponized, or it was part of another kind of attack or breach or ransomware campaign, and someone has noticed, ‘Hey, we’ve got access to a bank here,’” he said.
While the main goal of a Russian cyberattack would be to disrupt and damage the U.S. and its economy, extortion could be another result. Ransomware thieves normally try to break into an organization that has the insurance coverage and wherewithal to pay a multi-million ransom — an organization like a bank.
Big banks have the money to beef up their defenses in ways that a community bank might not, perhaps leaving the smaller bank more at risk if, say, the bank has let its software age and it no longer is receiving vendor patches to fix vulnerabilities.
“I think the smaller regional banks or city-based institutions don’t have that same luxury of being able to throw money at it,” McShane said.
But experts said no matter what size the bank is, it has to make cyber security a priority and be willing to spend the money to do it. The downside of a breach or extortion is too brutal, they said.
“I believe that any nation states that they’ll (Russia) be attacking, they will go after the biggest targets possible, but they also realize the biggest targets are the ones that are hardest to get into,” said Noles. “So what they’ll be doing is looking at anybody they can get into.”
The No. 1 method of attack still is phishing.
“They are trying to send you a link to see if they can get somebody to click on it, because then they can get credentials, they can get inside environments, they can install malware,” Noles said.
The cost of cybersecurity is increasing, but that’s just reality in today’s increasingly tech-driven world, experts say.
Otteson cited a Financial Crimes Enforcement Network (FinCEN) report showing that during the first half of 2021, financial institutions reported 635 suspicious ransomware-related activities, or 30% more than all reported activity in 2020. FinCEN said more than $590 million in payments tied to ransomware attacks occurred in the first six months of 2021, up from $416 million in all of 2020.
“(Insurance) rates are going up on these lines because the claims have been going up,” Otteson said.
Noles said vendors also can drive up the cost of cybersecurity by pushing new products. Many banks would be better off making sure they are effectively using capabilities of tools they already have purchased, he said.
“What do vendors have to do? They have to sell a new product. They have to sell a new blinky box or a new tool,” Noles said. “So they’re using what I call FUD — fear, uncertainty, and doubt — to get you to spend more money on their products.”
There’s no question cybersecurity costs will continue to rise.
“Probably eight years ago I saw an article of some sort that said ‘bringing IT from the backroom to the board room.’ That sort of stuck with me,” Kurek said. “And what that really means is that cybersecurity should be a strategy to the organization. It’s not just a keep-the-lights-on thing anymore. Cybersecurity is huge. It’s an inherent risk at this point to any company, and it should really be part of your overall company strategy in my opinion.”
If an incident takes place, banks also need to have a solid communication plan for reacting to it, making sure their lawyers, regulators, law enforcement, and customers are informed as promptly as possible.
“They should have a business continuity plan, and they should have an instant response plan, and they should be updating those regularly and they should be testing them regularly,” Kurek said. “And what a better time to test than now.”
Said McShane: “Nothing is more important in security than understanding you’re going to have an incident at some point, and it’s better to be prepared to know what to do when it happens.
Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.
Midwest Bankers Insurance Services is a WBA Gold Associate Member.
Arctic Wolf Networks is a WBA Bronze Associate Member.