Tag Archive for: Cybersecurity

Posts

,

Securing Your Data: Advice From An Award-winning Cybersecurity Team

By Fred Hamilton, chief information security officer, BHG Financial

Technology continues to insinuate itself into almost every facet of our daily lives, whether it is personal or work-related. As a result, protecting data privacy has become increasingly more relevant to every consumer and business. In 2022, 422 million people were affected by data breaches at U.S. companies at an average of 4.8 breaches per day. Stolen data included bank account numbers, medical histories, Social Security numbers, and more. Personal data is continuously being collected, shared, or sold, so it is crucial that everyone understands how to protect it.

In today’s world, it is incumbent upon companies to ensure they have the information security protocols in place to protect customer data and electronic assets from the growing global threat of hackers. This requires a keen focus on increasing the adoption of new technological innovations and following industry-best practices in the evolving world of cybersecurity.

Companies with an established history of successfully safeguarding electronic data often share similar characteristics, such as:

  • A significant investment in people and technological resources
  • Executive leadership that has demonstrated its mission to make information security and data privacy top priorities
  • Next-generation firewall and encryption technology to protect internet connections and Wi-Fi networks
  • Best-in-class security software installed and updated automatically
  • Industry certifications and acknowledgments that appropriate security controls are in place to protect the confidentiality, integrity, and availability of all data assets

BHG Financial is a noteworthy financial services provider that has earned recognition for its exceptional cybersecurity capabilities. The company boasts a team of seasoned cybersecurity professionals who have been recognized for their outstanding contributions to the industry. In this article, we will be sharing insights from BHG Financial’s cybersecurity experts on simple yet critical tasks that businesses should not overlook.

In acknowledgment of its dedication to cybersecurity, BHG and its Information Security Team recently received several industry accolades. First, it was honored with a 2022 Fortress Cyber Security Award for organizational excellence. In addition, the company has been certified SOC 2® Type 2 compliant in accordance with standards set forth by the American Institute of Certified Public Accountants. SOC for service organizations is a compliance standard which demonstrates that BHG Financial is safeguarding customer data throughout its services and is meeting standards for strong operational effectiveness.

Security tips to protect your data from BHG Financials’ Security Team

  • In the spirit of driving awareness about the importance of being cyber-aware, and to help you protect the integrity of your data, here are some simple tips not to be overlooked: Avoid uploading sensitive or confidential data (personal or customer account information, Social Security numbers, etc.). If you must, all information should only be uploaded to a trusted, secure source or database.
  • Be aware of any suspicious emails and do not click on unfamiliar embedded links. Be especially wary if an email contains misspelled words within the body and/or subject line of the message. Other suspicious indicators include unfamiliar email domains or enticements to act or respond immediately. Report these emails to your organization’s IT Support team right away.
  • Lock your screen when you are away from your desk to prevent others from accessing sensitive information.
  • Beware of public Wi-Fi. It can expose your data to scammers monitoring internet activity. It also greatly increases the risk of malware being transferred to your devices. If you must access a public Wi-Fi network, use a virtual private network (VPN) to add a helpful layer of security.
  • Find out if your personal information has been targeted in a data breach. It is quick and quite easy to do. Simply enter your email or phone number at https://haveibeenpwned.com/.The system will respond almost immediately, detailing when and where your data was breached.
  • Before disposing of old IT equipment, ensure no personal data remains on the system. Consider hiring a specialist to wipe the data from the device or use deletion software such as BitRaser File Eraser or File Shredder.

Your role in data privacy

Cybersecurity is everyone’s business. With a little discipline and practice, protecting the integrity of your data can become second nature. Nobody wants to be the person who accidentally downloads malware onto their company’s systems, or who leaves their online banking credentials vulnerable to external threats. Following and regularly repeating a few simple security protocols is well worth the time to remain cyber safe at home and at the office.

Content Sponsored by BHG Financial, a WBA Bronze Associate Member.

/by
,

Embracing a Culture of Cybersecurity

All staff needed to help mitigate risk

By Hannah Flanders

Cyberattacks are ranked as one of the top threats to banks across the country. As these threats continue to become increasingly sophisticated and prevalent throughout our communities, bankers are looking to mitigate the risk for the safety of both their institution and all customers served. As such, administrators — including members of the human resources (HR) department — have been tapped to take on a new role alongside the information technology (IT) department to protect the bank from falling victim.

Prioritizing Cybersecurity

According to Proofpoint’s State of the Phish survey, approximately 79% of U.S. organizations reported at least one successful phishing attack in 2021. As cybercrime continues to rise — costing over $1 trillion a year worldwide, as highlighted in a report by McAfee Center for Strategic and International Studies — it is critical for the success of banks across the country that they establish a culture of cybersecurity.

In the American Bankers Association’s (ABA) Banking Risk and Compliance Management Outlook for 2023, surveyed bankers identified cybersecurity and IT risk to be, overwhelmingly, the top risk priority for the 18 months ahead. With the use of online banking and digital payments skyrocketing, and employee negligence being cited as one of the top reasons banks are put at risk — Proofpoint’s survey highlights that around 27% of employees believe that their organization/IT department will take care of any mistakes. However, as the cost of cybercrime continues to become more expensive for impacted organizations each year, finding ways to educate both consumers and employees of the cyber risks they face will not only help protect information from being compromised, but save banks from contributing to the astounding losses reported by financial institutions each year.

The Federal Bureau of Investigation’s (FBI) Internet Crime Report highlights that in 2021, Wisconsin totaled over $51,800,000 in victim losses. By taking proactive steps in both their cybersecurity protocols and training, banks throughout the state will have the opportunity to save the organization, and their customers, from substantial loss.

While banks make strides to incorporate risk mitigation — such as integrating multifactor authentication (MFA), a bare minimum in preventing bad actors from gaining access to accounts with greater privileges, and following regularly updated guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) — into their procedures, those seeking to optimize their efforts are looking beyond their IT staff for assistance.

Team Effort

Establishing a culture that embraces cybersecurity begins from the top and requires uniting members throughout various departments. According to Marsh McLennan, a leading professional services firm in risk, strategy, and people, “a robust cybersecurity culture starts from the top of the organization and involves continuous communication and training for leaders across all key functions.” The firm highlights that, as of 2019, nearly 90% of all organizations only included InfoSec/IT, C-suite, risk management, legal, and finance professionals in the management of cyber risk.

“Cyber defense is a team endeavor, not just an IT or a management one,” emphasizes Rob Foxx, director – InfoSec and IT audit services at FIPCO. “Threats apply to all parts of an enterprise, as should defense.”

The Cybersecurity and Infrastructure Security Agency (CISA) highlights that HR professionals play an integral role in detecting, deterring, and mitigating threats by screening candidates prior to employment, managing secure information, and regularly communicating policies.

When HR professionals have a seat at the cyber risk management table, banks not only gain a risk-conscious ally, but also ensure that HR professionals throughout their organization have a strong understanding of the cyber risk policy they utilize in their own day-to-day operations. Additionally, ensuring that the HR team is abreast of the latest cyber risks and mitigation procedures is critical so that said information can be communicated with all staff members.

Playing a Part in Protection

As the U.S. financial sector continues to prioritize cybersecurity — regularly spending up to $3,000 per employee on ongoing cybersecurity education, according to the McAfee report — ensuring that every employee is making the most of their training, testing, or coaching and remains vigilant against all threats to the organization is critical for the safety and security the institution and its customers.

  • The Employee Lifecycle

Of course, HR plays a substantial role in the onboarding and offboarding process to evaluate the quality of incoming employees and ensure that all former staff are no longer granted access to confidential company data upon their departure. Furthermore, given the close ties to all staff members, HR can play an important role in clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security issues, highlights the Society for Human Resource Management (SHRM).

  • Training

Although cyberattacks continue to cause headaches for businesses across the country, only 64% utilize organization-wide training, according to Proofpoint’s 2022 survey. Training, which is usually administered by the IT department or virtually, has the potential to be strengthened by HR’s involvement. In taking a human-centric approach that emphasizes how all staff members — administrative through executive leadership — play a role in the security of the institution, employee morale is heightened.

Additionally, HR can emphasize and enforce the importance of practicing good cyber habits and encouraging training from the start because of the department’s close connection to all bank staff. HR staff will also notice if staff don’t attend training, regularly fail simulated tests, or display non-compliance with cyber protocols. From there, action can be elevated beyond coaching from IT staff or managers.

“A significant amount of malware is file-less and exists only in the active memory of a computer,” highlights Foxx. “While the next generation of antivirus has the ability to detect more activity than older versions, file-less attacks are just the beginning, and these tools can now detect abnormal user, host, and network activity. Ensuring your team is on the same page is a critical component in mitigating these attacks.”

  • Coordinating Cybersecurity Requirements

In partnership with the IT department, HR should ensure that there are well-documented policies, standards, and best practices for not only averting attacks or breaches, but also for reporting attempted or successful cybercrimes. Throughout their day-to-day tasks, HR professionals are expected to adhere to the organization’s procedures and guidelines as well as communicate this information with staff. Understanding the various protocols, exploits, tools, and resources fraudsters utilize can help members of HR in assisting their staff to build confidence in mitigating a cyber risk. At the very least, Foxx adds, bankers should adhere to cyber security frameworks such as the NIST Cybersecurity Framework or ISO 27001 certifications, which assist organizations in gaining direction and highlighting areas of need.

As more aspects of our daily lives digitalize, and cybercrime and attacks become a regular and unfortunate normality across the banking industry, the need to secure sensitive data has become a widespread effort. It is critical that leaders look throughout their staff for unique perspectives and opportunities to educate. Establishing a culture of cybersecurity could be the difference between a secure and a compromised institution.

Ready to take your cybersecurity to the next step? Visit fipco.com/solutions/it-audit-security to ensure your bank is secure!

FIPCO is WBA subsidiary and Gold Associate Member.

/by
, ,

Passwords: Ensuring Secure Data

How you can be your own best first line of defense against hackers

By Rob Foxx, CCBTO

Depending on how old you are, you will have a different perspective on passwords. The more seasoned professionals would have come in at a time when a minimum of six characters, no capital letters, numbers, or symbols was a commonplace practice. In comparison, passwords today usually consist of eight characters — at least one being one upper case — a number, and a symbol.

With a good computer and access to a vulnerable system, even now those passwords could be cracked by a common tool to brute force into the system in less than six hours. While our technology continues to evolve, unfortunately, so too do the bad actors and threats to our data security.

Digital Security Threats

While some threats are technology based, a consistent number of threats to our passwords are not. Saving a password to a browser is an invitation for trouble. Once you walk away from an unlocked computer, it would not take much effort to log in or even change your credential without your knowledge. There are many tools that can copy these passwords quickly and with very little expertise.

Additionally, those who reuse passwords or only slightly change them is a direct invite to bad actors. If your password was compromised on a common website and associated with your email, someone has that information, and there is a good chance they are going to try it elsewhere. For example, changing a password from Carl!123 to Carl@123 is also risky as a list of passwords associated with users’ names fed into a computer could guess this in seconds rather than hours.

Many people write their passwords down and tape it to a monitor. The inside of a desk drawer, or under the keyboard or mousepad are not much safer a hiding spot.

As many of us are aware, sharing passwords is a bad idea from an accountability point of view. Once someone else has it, you can no longer secure it from being written down or re-shared.

Be aware if your passwords or accounts have been breached in the past. The website have ibeenpwned.com is a staple for those in the information security field. This allows you to check if both passwords and email accounts have been used or discovered in past breaches.

Additional Protective Steps

Like many threats, the best answer is in the hands of the people most at risk. With a little education and a few resources, you could be on your way to making yourself an unappealing target.

  • Multi-Factor Authentication

Multi-Factor Authentication (MFA) is the latest and greatest in terms of locking an account if available. It requires a token or application on your phone to give a random code that matches up to a login service. Using MFA makes unauthorized access very difficult.

  • “Real” Passwords

The NIST (National Institute of Standards and Technology) in their 800-63 publication points out that complexity does not matter to a computer. It only makes it harder for users to remember. Password length makes it exponentially more difficult for a computer to guess or break a password that has not been breached. A 15-character password with all lowercase letters would take a computer an estimated 12 million years to breach. Passwords can be as simple as three unrelated words or based on items found on your desk — coffeelampmouse is a good example. The internet is filled with random password generators, but they are only of limited use as the passwords they generate are impossible to remember.

  • Password Vaults

Password vaults are very reliable and inexpensive or free. They can make and save passwords for you requiring a single password to access all your other passwords. Additionally, they can generate passwords for you. This removes the requirement to come up with something new every time you make a password. Some vaults are cloud based, and for those who are looking for a business version or an entirely offline vault, these are also available.

Armed with the knowledge of the problem and the tools presented you can use them to be your own best first line of defense against people trying to take over your digital life. You would not choose a lawyer, doctor, or bank officer who barely meets minimum requirements to do something important, so do not skimp on the passwords that secure your data with a minimum requirement either. If you have questions, feel free to ask your local IT or information security professional — they are generally very happy to help people safeguard themselves, as it makes their lives easier as well!

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

/by
, ,

The New Face of Identity Theft

The rapid growth of synthetic identity fraud

By Hannah Flanders

Like many aspects of our day-to-day lives, the expansion of technology has both enhanced and complicated the ways in which we operate. As more and more of our information lives online, identity theft — once more likely to occur because of a stolen wallet — has also assumed a digital appearance: synthetic identity theft.

What is Synthetic Identity Fraud?

Synthetic identity fraud is defined as the use of a combination of pieces of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.

This form of identity theft has allowed bad actors to combine a stolen Social Security Number (SSN) and other false information — such as a fake name, address, date of birth, or phone number — to create a counterfeit identity to steal funds, escape prosecution, or any other number of criminal and fraudulent activities.

An Alarming Trend

In 2020, the Federal Bureau of Investigation (FBI) named synthetic identity theft as the fastest growing financial crime in the United States. Fraud targets are often those who do not typically use credit or are less likely to monitor their credit activity — including children, homeless individuals, and the elderly. These victims may find themselves blindsided as fraudsters create a new identity, apply for credit, and after years of building good credit by making payments for a time, abandon the account without paying anything back to the financial institution.

While this type of fraud is already difficult to detect due to its elusive or “normal” nature, many bad actors go to incredible lengths to appear as such, states Forbes. In addition to establishing good credit by making payments quickly and on time, some create digital profiles or use P.O. boxes for addresses.

Not only has technology and access to the dark web made PII more accessible to fraudsters, in 2011 the Social Security Administration (SSA) began randomizing the nine-digit social security codes rather than assigning them to individuals based on their geographical location and group number. No longer do social security numbers raise red flags when enrolling or opening accounts “out of state.”

As online banking grows in popularity, so too do concerns for synthetic identity theft. Between prevalent phishing schemes and heightened risks for data breaches — accessing PII and conducting synthetic identity fraud has become much easier than in years prior.

How to be Proactive Against Bad Actors

Inconsistent categorization and reporting make it difficult to identify and mitigate this type of fraud — as far as banks and credit bureaus can tell, these individuals are just like anyone else. . . until they “bust out” or abandon the maxed-out account with no intention of repayment.

After abandoning the false identity’s account, a fragmented file is created. This additional file not only becomes associated with the original SSN but also holds the additional credit report information and other fabricated PII. Unfortunately, this information could negatively impact the credit rating of the real individual.

When working with customers, bankers should advise frequent credit report checks or freezing unused credit at credit bureaus throughout the U.S. as to deter criminals or catch them early.

In addition, customers may take additional steps to protect themselves and their family against synthetic identity theft. One way parents can protect their children from fraudsters is by requesting their child be added to their credit profile. By adding a child to an adult’s credit profile, not only does the child’s own credit profile become established in his or her name and SSN, but the child is also able to begin building their credit.

The Cost of Synthetic Fraud

While victims of identity theft typically are not liable for fraudulent purchases or accounts, as long as they can prove they are the real SSN holder and not the thief, banks and other financial institutions are left to absorb the cost. This scheme is not only incredibly costly to banks across the country — with losses estimated at $20 billion in 2020, according to the Federal Reserve Bank of Boston — but gaps in the U.S. Fair Credit Reporting Act may have also increased the likelihood of repeat offenders.

The Federal Reserve has reported that bad actors are able to ‘flood the financial institution with an overwhelming number of claims’ on their fake accounts, and when creditors are unable to fulfill the investigation in the allotted timeframes, the disputed item is removed from the false credit report and time and time again, fraudsters get away with the act.

“Synthetic IDs are a struggle for community banks to identify,” states Lenore Breit, vice president – compliance manager at Wausau’s Prevail Bank. “Based on a recent presentation, [community banks] most likely have synthetic ID fraud in their deposit and loan accounts that remains undetected with traditional third-party ID verification programs that most community banks use.”

“There are other, more robust ID verification programs available to detect synthetic ID fraud,” adds Breit. “But they are costly and may not interface with legacy software.”

One such software program, the electronic Consent Based SSN Verification service, was created in part by the Economic Growth, Regulatory Relief, and Consumer Protection Act. The electronic service offered by the SSA was created in 2018 to aid financial institutions in combating synthetic identity fraud and verify an authorizing individual’s name, date of birth, and SSN against the SSA records. Services are based on the annual transaction volume and can cost thousands or even millions of dollars.

Common Signs of Synthetic Identification Theft

While difficult to trace, there are a few significant ways bankers can remain attentive to PII and other key indicators of synthetic identity fraud.

Most obvious is ensuring all SSNs match to the PII given. Do not assume a name change or relocation; ask questions or require verification for the sake of your bank and the security and privacy of all customers. This extra step could make all the difference in protecting the personal information of every customer.

If an account is already open, bankers should note applicants who have the same contact information or SSN as well as those with multiple authorized users.

As synthetic identity fraud becomes increasingly prevalent throughout the U.S., it is critical, for the safety of customers and security of all financial institutions, that Wisconsin bankers are prepared to combat this emerging fraudulent activity, caution community members against sharing unnecessary personal information with others, and assist individuals in regaining their rightful identity if necessary.

If you are interested in learning more about synthetic identity fraud, how these schemes can impact your bank or customers, or more ways you can take a stand against bad actors, please contact WBA’s Legal Team at wbalegal@wisbank.com or 608-441-1200.

/by
,

Ensuring the Safety and Security of Wisconsin Communities

Dan PetersonBy Daniel J. Peterson

As technology continues to advance faster than ever before, the importance of staying up to date on the latest trends and best practices for the safety of both the bank and its customers is quickly becoming the number one concern for Wisconsin bankers.

As the last several years have shown, a growing number of consumers throughout the state rely on technology and online banking for their day-to-day needs. It is critical that, for continued success and relevance of our industry, bankers are aware of not only how best to serve our customers through offering modern banking amenities, but how to best protect our communities from increasingly more sophisticated — and prevalent — fraudsters.

For this purpose, in addition to ensuring that all Wisconsin banks remain a safe, secure place for finances and sensitive information, the Wisconsin Bankers Association (WBA) will once again host a combined Secur-I.T. & BSA/AML Conference. The conference specifically targets BSA/AML, operations, security, and technology banking professionals looking to remain educated on our ever-evolving industry.

This year’s annual conference will be held September 20 and 21 at Glacier Canyon Lodge in Wisconsin Dells and features a unique variety of speakers. From local professionals and WBA Associate Members to world-famous cyber security expert and ethical hacker Bryan Seely, WBA’s Secur-I.T. & BSA/AML Conference will assist banking teams in understanding how best to protect against hackers, what trends to watch for in money laundering, and so much more. This is an event you don’t want to miss!

By engaging in conferences such as WBA’s Secur-I.T. & BSA/AML Conference, bank leaders can ensure their staff is gaining the most relevant and up-to-date banking-related information from the most knowledgeable individuals in the industry. Along with over seven hours of presentations focused on the safety and security of our banks and customers, bankers will enjoy networking with professionals from across the state and meeting with exhibitors offering products and services that help community banks further advance their customer service capabilities.

Please visit wisbank.com/Secur-IT to register or for additional details.

Peterson is president and CEO of The Stephenson National Bank & Trust, Marinette, and the 2022–2023 WBA Chair.

/by
,

See Into the Mind of a Cybercriminal

WBA’s Secur-I.T. & BSA/AML Conference returns in 2022

As cybersecurity and fraud continue to be rising topics of discussion throughout the banking industry, bankers are encouraged to stay informed on the latest trends experts are seeing and how regulations will continue to impact Wisconsin banks by attending WBA’s annual Secur-I.T. & BSA/AML Conference held in Wisconsin Dells.

The two-day conference — beginning September 20 and adjourning at noon on September 21 — draws over 125 BSA/AML, operations, security, and technology professionals from around the state for over seven hours of educational presentations and networking.

This year’s keynote session will feature Bryan Seely, a world-famous cyber security expert, ethical hacker, author, and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Before he was caught, he confessed to the two agencies that there was an issue that needed to
be fixed.

Unlike many hackers, Seely is passionate about fighting for consumers rights, privacy, and educating the public about how to stay safe in a constantly changing technological landscape. In this keynote session, Seely will highlight the different ways in which hackers think and the new, creative ways professionals must approach security in order to protect the most critical information of the business and customers.

In addition to this captivating keynote speaker, the Secur-I.T. & BSA/ AML Conference offers several breakout sessions and networking opportunities that will assist banking professionals from throughout Wisconsin in further developing their bank’s customer experiences, BSA/ AML program, security, and technology capabilities as the banking and technology industries continue to evolve.

/by
,

How Do Business Leaders Protect Data?

By Rob Foxx, CCBTO

I frequently get asked, “How do I or my other non-technical staff help keep my institution safe from electronic threats?” Ransomware is the topic of the day, and I don’t know that there will be changes to that any time soon. There are a few things that can make protecting yourself easier. Good security is done in multiple layers of defense and requires participation of all members of your team.

Involve Your Whole Team

Cybersecurity is the responsibility of all members of the business, not just IT. To that end, everyone needs to know what common tactics are used to compromise your security. Learning how to identify phishing emails as well as business email compromise and reporting these types of events could be the difference between fighting a breach or dodging one. This kind of mindset has been in physical security for a very long time, but it has been a lot slower to be adopted into data security. By educating your staff and yourself and reporting it to the right people in your organization, you can avoid a very common but costly pitfall.

Ensure System Maintenance is Up to Date

The next item is a task that IT performs but is something leadership should both understand the basics of and require accountability for. Keep your systems updated and patched. An alarming number of breaches over the years could have been prevented by simply keeping systems up to date. Microsoft pushes out Windows patches the second Tuesday of every month, which should be reviewed for issues with your environment and deployed as soon as possible. There are tools that make this very easy to perform should you invest in them. Less obvious patches to other software like Adobe Reader, Google Chrome, and even your remote connection software, are equally important. Keeping an inventory of your software assets and checking them regularly for updates and patches can reduce your attack surface. Updates should not only be done, but they should also be reported to management and/or the board of directors at a regular frequency.

Secure Your Passwords

Get secured passwords or, if possible, multi-factor authentication. Insurance companies offering cyber insurance policies are pushing for people to utilize tools such as authenticators on your phone for multifactor authentication. While this is ideal, it may not be in place in many institutions. The National Institute of Standards and Technology (NIST) security framework used by the U.S. Department of Defense recommends longer passwords (16+ characters) without complexity and no expiration unless you have reason to believe it was exposed. Passwords can be as simple as picking out 3 random words such as doorbluecomputer. This is easy to remember and difficult for a computer to guess. If you can’t use multifactor authentication, using a password manager can enable you to use many complex and long passwords that you could never otherwise remember.

Give IT and Security a Seat at the Table

Bring IT and information security into your decision-making process. If this is something that is not being done currently, consider adding these people to the team that makes your highest-level decisions. They will have a perspective on additional costs as well as potential problems and conflicts that may occur. While they may not represent the majority of your staff or income, they speak for a considerable portion of your assets. There are few things as frustrating as going forward with a new project and not having considered how it will work with the rest of your environment or whether you have the hardware or software to support it without extra expenditure of assets. Additionally, there are many problems that exist within a business that your more technical staff could offer a solution to that the rest of the staff may not have known about.

Keep Up With Advancements in Technology

Don’t let technology outpace you. New technologies come out every day, and while you’re not expected to be on the leading edge, you should at least keep a healthy pace with it. For example, if you are using a conventional virus scanner, you are already behind the times. Zero-day exploits (bugs that are either unknown or unpatched) and fileless malware and viruses are also not detected by traditional antivirus products. Fileless attacks are becoming more prevalent, and you can get them any number of ways. It could be as innocent as going to a website and without any need clicking or downloading — without your permission, you could have brought an unwanted problem to your institution. Though a bit on the pricier side compared to traditional antivirus, next-generation products in this field are far more capable than their older counterparts.

Most of the items presented are of a non-technical nature and should be part of making your staff work well with your information security team and vice versa. In our more modern environments of work from home, it is more important than ever to make cybersecurity a part of everyone’s day to day.

Foxx is information security and audit advisor for FIPCO, a WBA Gold Member.

/by
,

Amid Russian Cyberattack Threat, Bankers Focus on Security Measures

By Paul Gores

With cyberattacks on U.S. businesses a possibility as Russia’s war against Ukraine rages on, financial institutions need to make sure their cybersecurity measures are first-rate and up to date, experts say.

The White House has warned that Russia could try to disrupt digital operations and damage the U.S. economy in retaliation for sanctions against Russia after its invasion of Ukraine.

Ransomware attacks on U.S. businesses, some based in Russia, already have been growing in recent years, and recently, the FBI said it discovered and secretly removed malware that hackers from Russia had placed in computer systems worldwide. Some American leaders think Russian President Vladimir Putin still has plans to try to inflict a major cyberattack.

If he does, banks that have been diligent and proactive about protecting their systems from hackers should be less vulnerable to the chaos a cyberattack could cause, experts say.

Banks need to make sure they’ve taken inventory of all of their technology assets and are doing what they can to keep them safe from attackers.

“Know what those assets are — all your software, hardware — and then from there follow your basic cyber hygiene,” said Scott Noles, assistant vice president and information security officer for Mukwonago-based Citizens Bank. “Are they up to date? Have you patched them? Do you have end-of-life software? Do you have anything that’s in your environment that shouldn’t be? Those I think are really mission critical.”

While many assume the Russian government would want to target the biggest banks and core processors to cause the most disruption to the financial system, infiltrating a bank of any size would be a win for attackers, experts say. That’s why it’s important for community banks to ensure techniques cyber crooks often use to bust into an institution’s system, including phishing emails that can be the gateway to a system takeover, will run into a tough defense. Training employees not to respond to infecting emails, whether in the office or working remotely, is one important step.

“Everyone’s digital life, whether it’s at work or at home, is intertwined now,” said Ian McShane, vice president of strategy for the cybersecurity firm Arctic Wolf Networks. “You can get compromised at home and have that lead into your work life as well. Just because you close the door on your laptop at work doesn’t mean you don’t need to remain vigilant. It can be a risk to businesses wherever you are.”

McShane and others stressed that multifactor authentication is crucial. With multifactor identification, users must submit two or more pieces of evidence to verify their identity in order to gain access to a digital resource. An organization must at least make sure that all of its information technology workers are using multifactor authentication.

In addition, McShane said, a bank’s IT pros or security officers should take stock of which machines in the system are accessible from the internet.

“And make sure there is a good reason for those machines to be accessible from the internet as well, because they are going to be the first bastion of adversarial activity,” he said.

Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, said specialty insurance carriers considering coverage applications from banks are requiring multifactor authentication.

“What the carriers are looking for amongst other internal controls, the big key is multifactor authentication,” he said. “And that multifactor authentication expands to all users, but most important are privileged users which are those users that can access critical systems, install software, and change security settings.”

Otteson said insurers also need to know that critical patches and updates are implemented and deployed, and they want servers and back-ups to be encrypted. Without those measures, “They put themselves at risk,” he said.

Banks must always be diligent and vigilant — and that was expected even before the Russian threat in the wake of the Ukraine invasion.

“There is no institution that’s immune from a potential cyberattack,” Otteson said.

The security measures of vendors that have access to bank data also have to be airtight, said Jeff Kurek, vice president, information services and cyber security for Park Bank in Madison. He said vendors ranging from those managing IT all the way down to the bank’s HVAC company could put a bank at risk if they have access to the internal system.

“We are heavily regulated, we’ve always had information security programs in place, we’ve always been audited,” Kurek said. “But what about our third-party vendors — the vendors that we utilize to provide us our critical services?”

If Russia were to mount a large cyberattack on the U.S., major infrastructure could be key targets, many believe. But cyberattacks could produce side victims like smaller banks. McShane said most incidents are opportunistic.

“They happen because someone clicks on something that they weren’t aware was weaponized, or it was part of another kind of attack or breach or ransomware campaign, and someone has noticed, ‘Hey, we’ve got access to a bank here,’” he said.

While the main goal of a Russian cyberattack would be to disrupt and damage the U.S. and its economy, extortion could be another result. Ransomware thieves normally try to break into an organization that has the insurance coverage and wherewithal to pay a multi-million ransom — an organization like a bank.

Big banks have the money to beef up their defenses in ways that a community bank might not, perhaps leaving the smaller bank more at risk if, say, the bank has let its software age and it no longer is receiving vendor patches to fix vulnerabilities.

“I think the smaller regional banks or city-based institutions don’t have that same luxury of being able to throw money at it,” McShane said.

But experts said no matter what size the bank is, it has to make cyber security a priority and be willing to spend the money to do it. The downside of a breach or extortion is too brutal, they said.

“I believe that any nation states that they’ll (Russia) be attacking, they will go after the biggest targets possible, but they also realize the biggest targets are the ones that are hardest to get into,” said Noles. “So what they’ll be doing is looking at anybody they can get into.”

The No. 1 method of attack still is phishing.

“They are trying to send you a link to see if they can get somebody to click on it, because then they can get credentials, they can get inside environments, they can install malware,” Noles said.

The cost of cybersecurity is increasing, but that’s just reality in today’s increasingly tech-driven world, experts say.

Otteson cited a Financial Crimes Enforcement Network (FinCEN) report showing that during the first half of 2021, financial institutions reported 635 suspicious ransomware-related activities, or 30% more than all reported activity in 2020. FinCEN said more than $590 million in payments tied to ransomware attacks occurred in the first six months of 2021, up from $416 million in all of 2020.

“(Insurance) rates are going up on these lines because the claims have been going up,” Otteson said.

Noles said vendors also can drive up the cost of cybersecurity by pushing new products. Many banks would be better off making sure they are effectively using capabilities of tools they already have purchased, he said.

“What do vendors have to do? They have to sell a new product. They have to sell a new blinky box or a new tool,” Noles said. “So they’re using what I call FUD — fear, uncertainty, and doubt — to get you to spend more money on their products.”

There’s no question cybersecurity costs will continue to rise.

“Probably eight years ago I saw an article of some sort that said ‘bringing IT from the backroom to the board room.’ That sort of stuck with me,” Kurek said. “And what that really means is that cybersecurity should be a strategy to the organization. It’s not just a keep-the-lights-on thing anymore. Cybersecurity is huge. It’s an inherent risk at this point to any company, and it should really be part of your overall company strategy in my opinion.”

If an incident takes place, banks also need to have a solid communication plan for reacting to it, making sure their lawyers, regulators, law enforcement, and customers are informed as promptly as possible.

“They should have a business continuity plan, and they should have an instant response plan, and they should be updating those regularly and they should be testing them regularly,” Kurek said. “And what a better time to test than now.”

Said McShane: “Nothing is more important in security than understanding you’re going to have an incident at some point, and it’s better to be prepared to know what to do when it happens.

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

Midwest Bankers Insurance Services is a WBA Gold Associate Member.

Arctic Wolf Networks is a WBA Bronze Associate Member.

/by

The Evolution of Information Technology

Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021 Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associates degree in data processing. Over the past two decades, he has also garnered a collection of training courses through venders and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give more processing power and ability to manipulate data to users and as the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at the desktops anywhere in the company.

As data collection and storage abilities improved, not only did it become more difficult for all the information to be properly secured, it became increasingly important. Regulations have been created today in order to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies DNA” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation over that last 13 years, “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”

/by
,

It’s Time to Take Action in 2022

Ken Thompson HeadshotBy Kenneth D. Thompson, WBA Board chair, president and CEO of Capitol Bank, Madison

January marks the halfway point of my time as WBA chair and as we transition into a new year, there are undoubtedly new things to look forward to as an industry and as an association.

Our successes in 2021, many of which related to the ongoing uncertainty of the COVID-19 pandemic, taught us all valuable lessons I hope can be brought with us into the new year. From low levels of past-due loans throughout our industry to excess liquidity, it’s safe to say that stepping outside of our routine has resulted in spectacular results.

Looking onward to 2022, I encourage bankers to approach challenges with the same curiosity we have for the past two years. As our industry continues to grow, how will each of us lead the way in making Wisconsin banks efficient, diverse, and robust?

WBA has long known that banks are cornerstones in our communities and as such, should be leaders in embracing societal developments. Technology, for both our customers and employees, has been and should continue to be an aspect that sets our industry apart. In embracing these digital channels, banks have a unique ability to meet the expectations of customers while also supporting them with cybersecurity and best technological practices.

Our ability to advance diversity, equity, and inclusion (DEI) efforts, as well as offer flexibility to employees, has the potential to set our industry apart. This is especially important to consider as we navigate through a competitive hiring and retention landscape.

As we all envision a brighter 2022, it serves us to remember that innovative solutions, such as PPP and advances in online banking, have provided our communities with much-needed assistance in the past. We must not be held back by what we are familiar with. This pandemic has taught us all that some of the most effective answers may not be the ones that have been tried before.

It is essential for banks to approach these situations with caution instead of resistance and as always, WBA remains a valuable resource in education, advocacy, and community involvement for each of us as we look forward to what’s to come in 2022.

/by
WBA logo

questions@wisbank.com

608-441-1200

4721 S Biltmore Ln.
Madison, WI 53718

Get our Newsletter!
Subscribe