
Tag Archive for: Cybersecurity

Posts

News, Uncategorized

Was the CrowdStrike Incident a Fluke or the Beginning of a Trend?

By Rob Foxx

On July 19, 2024, CrowdStrike pushed out an update to their customer base that disabled an estimated 8.5 million computer systems across the world. This not only damaged their reputation, but it also sent fear and uncertainty into those businesses that utilize IT services. This single event cost about $5.5 billion in damages and business loss.

The real question is who can be affected by an event like this. The short answer is anyone who uses any products or services that can affect the system files of a computer. This includes Microsoft Windows automated updates, antivirus, remote configuration tools, and many others. For those who are not familiar with the previously mentioned list, you have several of these on any given business computer.

So why do we not hear about events like this more often? The reality of the situation is these events happen every day. Windows updates pushed out by a managed service provider that removed all network drivers, thus disabling the connection to the login service and rendering a computer useless, were my personal CrowdStrike. This happened several times over the course of a month. Anti-virus similar to CrowdStrike that disables use of business-critical software or core access. An update to Windows that prevents backup software from running correctly. These have all happened. Most people have never heard of these events as they did not have a worldwide impact or cost billions of dollars in losses. CrowdStrike made news because of their wide adoption as they offer a service only a handful of other companies do.

So how do I protect my organization? The only 100% means of protecting your computer environment is to power it down, unplug it, and bury it in concrete. Business, however, runs on acceptable risk, so let us look at what could help lower your risk and impact. During the course of onboarding or reviewing a vendor for contract renewal, you can verify or request that they add in testing criteria before sending out updates. Comparing vendor services with an RFP (request for proposal) can identify whether a service fits your needs. Several similar companies allow for the designation of a test group which includes a sampling of computers across your organization. This group should fill all the key roles to running your enterprise and test for a week or more before the updates are pushed to the rest. Perhaps one of the best means to protect yourself is to have knowledgeable IT on staff or as an on-call vendor. The fix to restore CrowdStrike would take less than 10 minutes per computer at a keyboard, and a little longer if the computer has BitLocker or other similar protections in place. A good recovery plan and continuity for running on alternate systems can also save quite a bit of recovery time.

I do believe there will be more events like the CrowdStrike outage, especially given how large some services grow to global offerings. I believe vendors will be more cautious in their products. Will you be more cautious in your implementations?

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

October 22, 2024/by Katie Reiser
News, Resources

Executive Letter: Cybersecurity Awareness Month Underscores the Importance of Staying Informed and Vigilant

By Rose Oswald Poels

October is Cybersecurity Awareness Month and this year’s theme is “secure our world.” However, as Rob Foxx, director – infosec and IT audit services for FIPCO, astutely pointed out in a WBA staff meeting this week, “If you’re doing it right, every month is cybersecurity month.”

According to Forbes, cybercrime is surging. 2023 saw a notable increase in cyberattacks, resulting in more than 343 million victims.

I know leaders at many member banks are concerned about the ever-increasing costs of cybersecurity and the growing threat of reputational damage. WBA understands the challenges facing the industry and can offer support on several fronts.

Consider sending your key employees to WBA events on the topic, like the annual Secur-I.T. Conference recently held in Wisconsin Dells. Attendance can keep your team up to date on the most recent trends in cybersecurity and incident response techniques.

WBA’s Best Practices Library housed on our website features a robust list of security and financial crimes resources.

WBA’s subsidiary FIPCO offers an IT Audit & Security service. This service, which includes tests, audits, and resources, helps your financial institution stay one step ahead in mitigating high-risk areas. FIPCO’s team can also provide consultation and advice to ensure that your cybersecurity strategy is complete.

Additionally, Midwest Bankers Insurance Services (MBIS) provides cyber insurance for your bank to help guard against losses. In their 2024 Cost of a Data Breach Report, IBM Security calculates that the average total cost of a data breach is $4.88 million, a 10% increase over last year. Because of this risk, comprehensive insurance coverage is crucial in the event of an attack. MBIS offers an extensive list of insurance coverages, including cyber liability. The insurance carriers for cyber liability policies also provide extensive resources that MBIS recommends be immediately engaged in the event of any cyberattack.

Additionally, FIPCO’s Loan Processing Central service provides a resource you can retain ahead of time to immediately step in if a bank experiences a disaster, including a cyberattack, to help continue the processing of your loan documentation.

Cybersecurity is covered in Wisconsin Banker articles. In case you missed them:
•   Guarding the Vault: Strategies for Banks to Combat Ransomware Threats
•   Embracing a Culture of Cybersecurity

Foxx’s column for Wisconsin Banker often includes relevant cybersecurity information:
•   How Do Business Leaders Protect Data?
•   Passwords: Ensuring Secure Data

Several cybersecurity webinars are currently available to WBA members including:
•   The Top 6 Controls to Reduce Your Risk of a Cyber Incident, October 15 and on demand
•   Preventing & Addressing Crime: Cyber, Human Trafficking & Disaster Relief, on demand

Technology is ever-evolving, and so are the skills of cybercriminals. That is why it is crucial to stay informed and vigilant to protect your bank’s reputation and preserve your customers’ trust. It is WBA’s aim to be an active partner in ensuring your bank and your employees are equipped to protect against the threat of cyberattacks.

If you are interested in finding out more about the protections WBA can help you implement at your bank, please contact Rob Foxx (FIPCO) at rfoxx@fipco.com or Jeff Otteson (MBIS) at jeffo@mbisllc.com.

October 10, 2024/by Katie Reiser
Member News, News, Resources

How the Right IT Managed Security Services Provider Can Help You Optimize and Grow

Sponsored content by Wipfli, a WBA Silver Associate Member

By Tom Wojcinski and Jeff Olejnik

IT managed security services are vital in helping financial institutions oversee IT operations and compliance — but the right provider can take that role further.

IT managed security services that bring increased capability and industry specialization can go from managing your IT infrastructure to modernizing it, acting as a strategic partner in identifying the solutions you need to optimize workflows and enhance the customer experience. They can also help you understand the latest updates to the cyberthreat landscape and regulatory priorities so your operations stay secure and compliant.

When you’re working with the right provider, you’re not just getting support for your servers — you’re getting support for your business.

Here are four ways IT managed security services can help you hand off operational tasks and grow your institution:

1. Modernizing your IT infrastructure

To implement the latest solutions, increase productivity and better reach customers, you need the right infrastructure. IT services can be a valuable source of insights into how your organization can create a modern workplace environment.

The right provider can help you update your IT infrastructure by switching out legacy systems and implementing cloud infrastructure — including helping you address the resulting security concerns.

Software as a service (SaaS) platforms come with built-in security features, but they often leave you responsible for establishing things like permissions and access control. Your provider can help you build security strategies for cloud services and integrate new solutions with your core banking system.

2. Meeting customer needs

Customers expect services to be faster and more accessible across industries. If your financial institution wants to stay competitive, it needs to evolve the customer experience.

Managed services can help by taking on a more strategic role, providing guidance on an IT road map that supports technologies to help you:

•   Use dashboards to track key customer metrics.
•   Create a better omnichannel experience.
•   Use customer data to effectively cross-sell and increase wallet share.

Partnering with an effective provider can help you better strategize on how your institution can improve workflows and productivity so that you can deliver the experience your customers expect.

3. Enhancing your cybersecurity

Cyberattacks continue to increase in frequency and severity. Your IT managed security services should be helping your institution keep pace with support for:

•   Being proactive: In addition to addressing server performance issues, your provider should be proactively looking for indicators of compromise. They should employ 24/7 monitoring that can quickly identify and research any anomalies so that potential compromises can be solved before they escalate.
•   Staying updated: As AI continues to increase the frequency and sophistication of cyberattacks, your provider should not only be helping your institution enhance data protection but also adapting its own capabilities. An effective provider has the tools, infrastructure and threat detection in place to help them identify indicators of compromise faster, such as advanced endpoint detection and response and AI-powered threat correlation.
•   Meeting regulatory expectations: Managed IT support with industry specialization can help ensure your institution meets key regulatory priorities in areas including ransomware, operational resilience and incident response. For example, it’s crucial that financial institutions use a provider that can retain security event logs if an incident does occur.

4. Providing crucial talent

For most institutions, establishing 24/7 security operations in-house is neither cost-effective nor viable.

Employing enough staff to provide that level of support requires substantial resources. And attracting and retaining staff can be equally challenging, given the current labor shortages and the relative lack of complexity and challenge financial institutions provide for these roles.

Outsourcing these positions with managed services provides you with the necessary staff and infrastructure without the cost of hiring. They can also help guide your institution’s data security at the executive level with fractional or virtual CISO services.

How Wipfli can help

Wipfli’s managed services go beyond IT operations and compliance to help your financial institution evolve. With industry specialization and deep cybersecurity capability, we can provide your institution with the solutions and strategy it needs to optimize operations and further its growth. We can also work alongside your current provider to augment your existing support.

Contact us today to learn more about how our managed services can transform your institution.

September 18, 2024/by Katie Reiser
News, Resources

Guarding the Vault: Strategies for Banks to Combat Ransomware Threats

By Malcolm McDowell Woods

Ransomware, a crippling cybercrime which can lock up a company’s data in return for payment of a ransom before user access is restored, is big business. In 2023, victims reportedly paid out a record of more than $1 billion in ransom. Earlier this year, stories surfaced of one institution paying out a record $75 million ransom.

Exact trends are hard to pin down — the cybercriminals tend to overstate their successes, while ransomware victims are reluctant to publicize payouts — but for any business, ransomware represents a tremendous threat, according to Brad Robinson, the senior director for cybersecurity policy for the Conference of State Bank Supervisors (CSBS). And for the financial sector, and community banks in particular, “the threat is existential,” he warns. “If you’re not prepared, if you’re dead in the water and you can’t communicate with customers and you can’t do business, it can become a safety and soundness issue with your institution very quickly.” Smaller community-based financial institutions simply don’t have the resources to withstand a prolonged outage or closure.

Ransomware is just one subset of cybercrime, a wide variety of criminal actions that prey on the modern world’s digital connectedness to commit identity theft, fraud, scams, data breaches, and other malicious acts. In a ransomware attack, perpetrators infiltrate an organization’s digital network and prevent access to its data (often by encrypting the data), demanding a ransom before access is restored. Even more troubling is that cyber criminals continue to evolve their attacks, with some now employing double or triple extortion demands, requiring additional ransom for not publicly sharing the data or contacting the victim’s customers directly.

Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, a WBA subsidiary and Gold Associate Member, says the banking industry represents a plum target. “Cyber criminals feel if they can crack into financial institutions and encrypt their data, infiltrate any backup system and also encrypt that, there’s a pretty big payload” waiting for them, he explains.

It’s a frightening scenario.

However, there are steps financial institutions can take to help secure their data and ward off ransomware attacks.

Rob Foxx is the director of information security and IT services for Madison-based FIPCO (Financial Institution Products Corporation), a WBA subsidiary and Gold Associate Member. Foxx performs information security audits for financial institutions, assessing their vulnerability to cyber attacks. The goal is to keep data safe and secure. The challenge is that criminals are constantly evolving their methods. “Their technology is advancing and becoming ever more sophisticated,” says Foxx. While the banking industry’s available defense systems are also evolving, Foxx points to what remains the weakest link in the armor — personnel.

“By and large, the quickest, easiest, and most common way they get in is by attacking the human element,” he says. “They will send an email that will cause fear and panic, requiring you to click on it, or to fill out information. You know, that’s the classic way. And it’s become more sophisticated because they use artificial intelligence (AI) to generate their letters.”

That means education and training throughout the workforce is critical. “The employees are the weakest link,” says Robinson. “They always will be. That’s just human nature, and the bad guys know it.” The key is practicing what he calls basic cyber hygiene, protecting your perimeter. Foremost is training and educating staff on proper information security.

That includes utilizing multi-factor authentication, ideally throughout the workforce, but particularly for admin level, or privileged, users. “We’re talking soft tokens on your phone or, you know, actual physical key tokens that you carry around that plug into a USB,” says Foxx.

Next is securing your data. Otteson points to the 3-2-1 rule. That means maintaining three copies of your data, using two different types of media and storing one copy off-site. “That way, your data can be restored without paying ransom, suffering any downtime, or losing any data.”

Your entire network should be safeguarded by up-to-date anti-virus software. “And it’s not the same antivirus software you use at home. You want something that’s enterprise level, next generation, usually, with AI and heuristic analysis in it.” All software ought to be up to date, to reduce the possibility of what are known as zero-day exploits. “If your systems are out of date, you can have all the other controls in the world in place, but known vulnerabilities are easy-ins for bad guys,” says Foxx. “Those are flaws in your software, your operating system, or pretty much anything else on your computer that hasn’t been identified or patched by the companies that put it up.”

How do you know if you are taking the necessary steps? No doubt, your insurer will ask, but there are other tools you can use.

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service collaborated to develop a tool which financial institutions can use to assess their vulnerability to ransomware attacks. The Ransomware Self-Assessment Tool, or R-SAT, was created to encourage discussions about preparedness, says Robinson. It’s freely available for download on the csbs.org website.

The tool, a list of 20 questions, isn’t designed to produce a score or rate a bank’s preparedness, but to identify potential weak links. “The whole purpose is to get folks talking about it within their institution,” says Otteson. “It’s not terribly hard to complete, but it forces people who complete it to look at the answers to the questions. It talks about incident response, employee training, multi-factor authentication, backups, how you control access to your system, to your vendor relationships. Those are all sorts of foundational things that every institution — big or small — can look at to protect themselves against ransomware.”

Taking the necessary steps will not only provide greater protection for your institution, but likely result in a lower premium. “Without multi-factor authentication in place on emails, or for privileged users, it’s very hard to secure strong terms and conditions on a cyber policy,” notes Otteson. He says a recent flattening of rates in the cyber insurance market is proof that financial institutions are doing a better job of protecting their data.

Still, it only takes one successful attack to wreak havoc. “You can always get blindsided,” admits Otteson. “The best financial institutions with the best cybersecurity platforms and teams and expertise can still get caught off guard. And we do the best we can to secure systems and deploy security patches, and train staff. But from what we’ve seen in general regarding cybersecurity incidents is it has been employees, clicking on links they shouldn’t have,” or it’s been a security patch where the IT team assumed it had been implemented and deployed, or someone not utilizing MFA. In addition, the industry has experienced an increase in vendor privacy incidents; the owner of the customer data is liable for it, even when shared.

And if your bank is targeted? Usually there are obvious, frightening signs, such as all of your computer monitors flashing “PAY US MONEY” in unison.

“If you’ve had an IT or information security audit, you are going to have a disaster recovery and incident response plan in place or are in the process of developing them,” says Foxx. “Once you’ve discovered that yes, we have an incident, that somebody from the outside is in and our data may have been compromised, I immediately want to get insurance and legal involved.”

When an attack happens, Otteson says he connects with the insurance company to set up a meeting of their breach response team. Legal counsel is quickly brought in, partly to protect attorney-client privilege. “Everything gets run through legal,” he says. “They will bring in a forensic firm to attempt to unlock, or decrypt, the data.” They will assess the depth of the data breach — whether the attackers reached the backup systems — and try to determine the identity of the attackers. Legal counsel will provide advice about communicating with others about the attack, helping you craft appropriate language. Finally, ransomware negotiators will be brought in. According to data collated by Comparitech researchers, almost 1 in 5 ransomware attacks led to a lawsuit in 2023. Over the past couple of years, lawsuits filed following ransomware attacks have increased, with the overall average over the last five years standing at 12 percent.

It’s the stuff of nightmares, but Otteson notes that ransomware payments have dropped through the first quarter of 2024, and he credits it to the industry taking the issue seriously, with strong and robust cyber security, employee training, secure data backups and by staying ahead of the internal controls required by the insurance company. “Hey, doing the basics will take you a long way in protecting your institution. It’s not about a huge capital spend on crazy systems and whatnot. We want to keep you from letting people in the door to begin with.” The attacks are getting more sophisticated but by and large it’s the basics that are the most common successful means of entry.

McDowell Woods is a freelance writer and an instructor of journalism and media studies at the University of Wisconsin–Milwaukee.

September 16, 2024/by Katie Reiser
News, Resources

5 Signs You’ve Outgrown Your MSP Services

Sponsored content by Wipfli, a WBA Silver Associate Member

By Jeff Olejnik and Tom Wojcinski 

Your managed services provider (MSP) may be responsive in helping you manage your servers and meet basic compliance needs — but is that enough?  

Financial institutions face new cybersecurity and IT considerations as they adopt the latest innovations for optimizing operations and enhancing customer experience. And the cybersecurity threat landscape continues evolving as AI brings new efficiencies to both businesses and threat actors.  

If your MSP isn’t helping meet your changing IT needs, it may limit your growth. Switch to an MSP that can join you as a strategic partner — not just a service provider — helping you go beyond the basics to transform your institution.  

Here are five signs you’ve outgrown your MSP services:  

1. They’re not industry specialized 

Many MSPs work with multiple industries, meaning they often lack knowledge of the unique operations and regulatory requirements of financial institutions.  

When you work with an MSP that offers industry-specialized services, you’re working with people who have a deeper understanding of your technology requirements and the industry challenges you’re likely to face. They understand the business applications and can help you maximize availability. And they can apply their experience in helping other financial institutions to your obstacles.  

2. They’re not helping you meet regulatory priorities 

The threat landscape has changed since the FFIEC Cybersecurity Assessment Tool was last updated in May 2017, and regulatory priorities reflect that.  

Regulators are now inspecting for the additional priorities outlined in the Fiscal Year 2024 Bank Supervision Operating Plan. This plan highlights critical areas such as data recovery, access controls and operational resilience.  

Your MSP should not only be aware of these regulatory priorities but also help you update your security controls to satisfy regulators.   

3. They don’t help guide your digital strategy

With the rapid pace of technological change, modernizing business is a key concern across industries. 

For financial institutions, modernizing often involves integrating your core banking systems with new customer relationship management and analytics systems. And that process requires support for more than just your servers.  

Your MSP should be able to help you develop an IT road map, guiding you in creating a technology infrastructure that supports your organization’s strategic vision, identifying potential challenges and providing recommendations. They should also take a proactive role in helping you identify ways to use technology to improve workflows, productivity and customer experience — all while helping ensure your IT strategy and strategic plan stay aligned.  

4. They lack scalability 

Many MSPs operate as smaller organizations with limited staff. That means that as your organization grows, it may not be able to scale with you.  

Find a provider capable of supporting your future growth, not just fixing and patching your servers. You need an organization with the bench strength to support you as your cybersecurity needs and IT infrastructure evolve.  

5. They’re not meeting your security needs 

The introduction of innovations such as AI and cloud services has changed the threat landscape significantly.  

To effectively secure your cloud environment, your institution needs to work with a provider who can offer design and engineering support for critical safeguards, such as access control, identity management and security configurations. And now that threat actors are using AI to increase the frequency and sophistication of attacks, you’ll need an MSP capable of responding.  

Partner with an MSP that maintains connections with different threat intelligence sources and understands the latest threats on a global scale — especially those impacting financial institutions. MSPs that work with organizations like FS-ISAC are better equipped to apply their knowledge of the latest threats to protect your institution.  

How Wipfli can help  

Wipfli’s managed services team brings deep industry experience to support your financial institution’s IT needs. We understand your critical industry, operational and regulatory concerns, and we’re ready to provide proactive guidance to help you address them.  

Contact us today to learn more about how our MSP services can do more to further your growth.  

July 30, 2024/by Katie Reiser
News, Resources

Is Your MSP Helping You Meet Evolving Regulatory Priorities? It Should Be.

By Jeff Olejnik 

The cybersecurity threat landscape is constantly evolving. And while the FFIEC Cybersecurity Assessment Tool (CAT) provides a reference for the controls required based on your inherent risk profile, the reality is that it hasn’t been updated since May 2017 — and a lot has changed since then.  

To protect your financial institution, it’s essential to stay informed about developments in the cyberthreat landscape and the latest regulatory priorities.  

The OCC identified regulatory priorities for cybersecurity and operations in its Fiscal Year 2024 Bank Supervision Operating Plan, highlighting key areas, including incident response, data recovery and operational resilience.   

Most financial institutions use a managed service provider (MSP) to help provide IT and security support. An MSP can also help address the talent shortage by giving you access to specialized expertise at a lower cost.

However, your choice of MSP is also critical for helping your organization meet regulatory priorities. The right MSP can help you respond to regulatory and cyberthreat updates, while inferior service can introduce operational risk and compliance concerns.   

Here are six areas where your MSP security services should be helping you meet regulatory priorities and mitigate risk: 

  1. Incident response

Establishing and regularly rehearsing your incident response plan is a crucial part of addressing cyberattacks.  

When a cybersecurity incident occurs, the immediate reaction is to take steps to fix the situation — often by rebuilding the workstation or server that was compromised. However, these actions can delete all evidence, making it nearly impossible to conduct a forensic investigation.   

Your MSP should be aware of its role in your incident response plan as an active partner in retaining evidence of an attack. Help ensure that your MSP is informed and willing to participate in helping you identify and act on opportunities to gather evidence or work with your digital forensic team during an incident.  

  2. Data recovery

Testing is vital to maintaining an effective business continuity plan program. In addition to monitoring your backup system, your MSP should be helping you perform monthly file-level recovery tests and annual full recovery tests. 

Make sure to also provide your MSP with recovery time objectives and recovery point objectives (RTO and RPO) for the systems and applications they support, and confirm that the recovery strategy meets your requirements.

And if you’re uncertain of what your RTO and RPO should be, consider working with an MSP or a business continuity planning specialist who can help you develop or improve your business impact analysis.  

  3. Operational resilience

Your MSP should be supporting your vulnerability management program, including periodic vulnerability scanning, patching and updating computers and network devices to help ensure known vulnerabilities are addressed — even for non-Microsoft applications (e.g. Adobe, Flash). Additionally, your MSP should be assisting you with IT asset management, including replacing deprecated, end-of-life equipment so that it doesn’t introduce security vulnerabilities. 

  4. Cybersecurity risks

Work with an MSP who can provide managed advanced endpoint detection and response (EDR). 

Traditional antivirus software checks files and programs to see if they’re “bad” based on a list it has. Advanced EDR watches everything happening on your device. It looks for how programs and files behave, allowing you to quickly detect and isolate ransomware and other malware before it infects other computers, minimizing the damage.   

Your MSP should be using both to keep your institution safe.  

  5. Unauthorized authentication and access

A quality MSP can assist you with authentication and access controls. Their support should include multifactor authentication implementation, regular removal of users who are no longer within your organization and monthly reports identifying dormant accounts.  

You also need to be aware of how your MSP accesses your network and systems.  

One of the baseline requirements in the FFIEC CAT includes encrypted connections and multifactor authentication for contractors and third parties. MSPs service many clients, and this baseline requirement is commonly not met. In fact, many MSPs share passwords among employees or even use the same administrator password to provide convenient access to multiple clients. This practice, however, introduces risk to your institution.   

  1. Third- and fourth-party risks 

As a third-party provider, your MSP should ensure that their own security practices are helping keep your institution safe. However, many providers commit to practices that may expose you to operational risk.  

During your vendor due diligence process, make sure you not only understand your MSP’s controls, but also those of your MSP’s vendors, such as cloud service, data backup and remote monitoring and management providers. Kaseya and SolarWinds are examples of how fourth parties used by MSPs led to breaches of the MSP’s clients.  

A new and rising threat vector is your vendors’ use of AI. Your vendor due diligence needs to include questions about how AI is used, what data is shared and how your security and privacy are protected with the large language models used by your MSP. 

How Wipfli can help  

Wipfli’s MSP services bring industry-specific experience and cybersecurity know-how to help make your institution more efficient and secure. We understand the complex regulatory environment and unique business operations financial institutions face, making us capable of providing you with the targeted support you need.    

Our MSP services can do more to protect your financial institution. Contact us today to learn how. 

June 11, 2024/by Katie Reiser
Education, News, Resources

WBA Members Can Strengthen Cybersecurity Practices and Offer Employees Career Advancement

The Wisconsin Bankers Association (WBA) provides members the opportunity to engage in more educational offerings through associate member SBS CyberSecurity. Membership in their SBS Institute grants access to webinars, certifications, and other cybersecurity resources.

In addition to SBS CyberSecurity’s cybersecurity risk management software, consulting services, network security, and IT audit solutions for financial institutions of all sizes, their SBS Institute serves the banking industry by providing cyber education through webinars and certifications to better prepare students and their financial institution for cybersecurity threats and regulations.

Banking specific, role-based certifications allow students to master the concepts and technologies required to perform essential cybersecurity functions. The certifications include real-world cybersecurity issues and establish solutions that make cybersecurity responsibilities more efficient and effective.

The SBS Institute certification program is designed around three learning paths: executive, manager, and technical.

WBA members who purchase an SBS Institute membership or hold an active SBS certification gain access to special pricing.

Upcoming webinars include:

Information Security Panel Discussion June 20, 2024 – 2:00 PM CST

Is it Time to Switch to the Cloud? July 17, 2024 – 2:00 PM CST

The certifications available through SBS Institute are:

Certified Banking Security Executive (CBSE)
Objective: Gain a better understanding of the key elements of an Information Security Program to make more informed decisions about risk mitigating activities. 

Certified Banking Cybersecurity Manager (CBCM)
Objective: Focus specifically on each element of the FFIEC Cybersecurity Assessment Tool to build a solid foundation of understanding for the FFIEC guidance and defending cybersecurity threats. 

Certified Banking Security Manager (CBSM)
Objective: Understand how to build and manage a comprehensive Information Security Program (ISP). 

Certified Banking Vendor Manager (CBVM)
Objective: Dive deep into the vendor management process and become a trusted expert in the eyes of auditors and examiners. 

Certified Banking Business Continuity Professional (CBBCP)
Objective: Prepare your institution for the worst-case scenario with a clear understanding of the business continuity process. 

Certified Banking Incident Handler (CBIH)
Objective: Understand best practices of handling common incidents in the banking industry and become an expert in responding to incidents and minimizing losses. 

Certified Banking Security Technology Professional (CBSTP)
Objective: Explore the technical design and implementation of Information Security Program controls. 

Certified Banking Ethical Hacker (CBEH)
Objective: Master concepts and technologies used by today’s hackers to better defend your institution. 

Certified Banking Vulnerability Assessor (CBVA)
Objective: Explore what makes a vulnerability tick and how to identify and remediate those vulnerabilities in your institution. 

Visit Certifications | SBS CyberSecurity for more details.

Click here for the 2024 Online Certification calendar.

May 28, 2024/by Katie Reiser
News, Resources

The Evolution of Cyberthreats: Preparing for AI-Powered Attacks

By Brett Gilsinger

The latest arsenal of tools that cybercriminals will harness for their illicit activities is increasingly being powered by artificial intelligence (AI). The transition to AI-driven cybercrime is already underway. Traditionally, cybercriminals have relied on a plethora of tools acquired from the dark web to penetrate their targets. These off-the-shelf tools have allowed cybercriminals to gather the information they need effortlessly. Instead of developing code specifically for a target, attackers have been able to purchase these tools through underground networks and dark web marketplaces. Such tools permit them to tailor malware or compile exploits from pre-packaged kits. As long as profits continue to soar, the underground market for cybercrime services thrives, fueled by robust demand for illicit tools and the ongoing supply by clandestine developers.

This underground ecosystem has been operating for years and shows no signs of diminishing. Yet, with the advent of highly sophisticated large language models such as ChatGPT, the tools available to wrongdoers are transforming. GPT stands for “Generative Pre-trained Transformer.” It is an artificial intelligence model designed to generate text by predicting subsequent words in a sentence based on the preceding words. This technology, developed by OpenAI, uses deep learning algorithms and a large amount of data to understand and generate human-like text. We are witnessing the emergence of unregulated AI models like FraudGPT and WormGPT. These models function without the ethical constraints usually imposed on publicly available versions like ChatGPT. Offered via subscription services in the more obscure regions of the internet, they harness stolen or open-source training datasets to power private GPT systems that assist cybercriminals indiscriminately, completely disregarding the legality or ethics of their facilitation.

Reports indicate that some of these emerging systems possess the alarming capability to generate undetectable malware. They can orchestrate comprehensive phishing operations, crafting the deceitful messages and the code for the malicious landing pages designed to harvest credentials. With such technology at their disposal, the scope of advanced criminal activities is limited only by the perpetrator’s creativity — or perhaps not even that, should the AI itself suggest ways to refine their malicious endeavors.

Facing these sophisticated threats, institutions and individuals must remain vigilant and proactive in safeguarding their operations and personal information. While these advancements pose a significant concern for the security of our data in the era of AI, there are measures that can be taken to protect your institution from these threats. Almost all of these attacks rely on human error to grant bad actors access to your environment. Regular training and awareness programs are the first line of defense. Employees should be consistently educated on the most recent cyber threats and the critical nature of security best practices to avoid successful phishing and social engineering attacks.

Beyond improved training programs, hardening your processes and technology can establish a more secure infrastructure. Implementing multi-factor authentication (MFA) and biometrics for identity verification and performing routine internal security audits to ensure all systems are current and free of vulnerabilities are essential steps. Opting for the right technology security solutions, such as Managed Detection and Response (MDR), can automate the threat identification process and significantly diminish the likelihood of breaches.

By focusing on people, process, and technology, institutions can construct a formidable defense against the complex realm of AI-enabled cybercrime, thereby securing their assets and maintaining the confidence of their clientele. Moving forward, institutions will need to focus on evolving their security solutions to stay ahead of the quickly changing threat landscape.

Gilsinger is executive vice president – CTO of IT Resource, a WBA Associate Member.

About IT Resource

IT Resource provides technology solutions to streamline IT environments, enhance productivity, and lower costs. And now we are excited to announce that IT Resource is evolving into Endeavor IT! While maintaining the same dedicated team, ownership, and management, we’re expanding our already exceptional services to offer a broader range of IT solutions with offices spanning across the North, Midwest, and South. Curious to explore further? Check out endeavorit.com.

December 5, 2023/by Hannah Flanders
News, Products, Resources

Executive Letter: Protecting Your Bank from a Cyberattack

By Rose Oswald Poels

Cyberattacks are becoming an increasingly alarming trend and it is vital that bankers in Wisconsin remain vigilant in safeguarding their institutions and the personal financial information of their customers. In 2022, global cyberattacks increased by 38% when compared to the year prior, notes a study conducted by Check Point Research. These attacks, which target both individuals and businesses worldwide, include phishing, ransomware, breaches, and vulnerability exploitation. Each year, cybercrime costs the U.S. economy billions of dollars.

Despite this, there are many ways in which banks are able to mitigate these risks if an attack occurs.

Continually monitoring, updating, and testing your systems are all key to ensuring that your people and environments are not vulnerable. In an ever-changing digital and banking world, it may be difficult to know what areas need to be addressed, but it does not have to be. As always, WBA and its subsidiaries — FIPCO and Midwest Bankers Insurance Services (MBIS) — offer many different resources for banks to help educate your employees, protect your systems, and partner with you during a cyber event.

To proactively identify vulnerabilities of critical aspects of business operation, FIPCO offers an IT Audit & Security service. This service, which includes various tests, audits, and resources, keeps your institution one step ahead to mitigate high-risk areas before it is too late.

Right behind robust firewalls, up-to-date antivirus software, and other initiatives to mitigate cyberthreats, are your employees. Ensuring all team members feel empowered to assist in cyber risk reduction efforts should be a significant aspect of an institution’s risk mitigation strategy. Annually, WBA offers a number of security and IT-focused educational opportunities, a best practices library featuring an extensive list of security and financial crimes resources, as well as a technology and operations peer group to help in facilitating discussion and idea sharing.

Ensuring that all team members are set up with strong, unique passwords may also be the difference between a secure organization and a vulnerable one. These passwords, according to the National Institute of Standards and Technology (NIST), should be more than 12 characters long and include mixed casing and numbers. Multifactor Authentication (MFA) is also strongly recommended for bank leaders and administrators, if not every member of the team.

Having comprehensive insurance coverage is also crucial in the event of an attack. MBIS offers an extensive list of insurance coverages, including cyber liability. This policy is designed to protect directors, officers, employees, and entities from losses arising out of electronic theft of customer information, including cyber extortion, forensic expense, security breach notification, e-commerce activity, and electronic publishing. The insurance carriers for cyber liability policies also provide extensive resources that MBIS recommends be immediately engaged in the event of any cyberattack, including phishing incidents and ransomware attacks. Additionally, FIPCO’s Loan Processing Central service provides a resource you can retain ahead of time to immediately step in if a bank experiences a disaster, including a cyberattack, or an unplanned employee absence, to help continue the processing of your loan documentation.

Whether your bank is recovering from a cyber incident or mitigating the chances of one, our team is here to ensure your bank is well-prepared and equipped to navigate the complex and stressful landscape of cybersecurity challenges. If you are interested in learning more about the protections WBA can help you implement at your bank, please contact Rob Foxx (FIPCO) at rfoxx@fipco.com or Jeff Otteson (MBIS) at jeffo@mbisllc.com.

October 11, 2023/by Hannah Flanders
News, Resources

Embracing a Culture of Cybersecurity

All staff needed to help mitigate risk

By Hannah Flanders

Cyberattacks are ranked as one of the top threats to banks across the country. As these threats continue to become increasingly sophisticated and prevalent throughout our communities, bankers are looking to mitigate the risk for the safety of both their institution and all customers served. As such, administrators — including members of the human resources (HR) department — have been tapped to take on a new role alongside the information technology (IT) department to protect the bank from falling victim.

Prioritizing Cybersecurity

According to Proofpoint’s State of the Phish survey, approximately 79% of U.S. organizations reported at least one successful phishing attack in 2021. As cybercrime continues to rise — costing over $1 trillion a year worldwide, as highlighted in a report by McAfee Center for Strategic and International Studies — it is critical for the success of banks across the country that they establish a culture of cybersecurity.

In the American Bankers Association’s (ABA) Banking Risk and Compliance Management Outlook for 2023, surveyed bankers identified cybersecurity and IT risk to be, overwhelmingly, the top risk priority for the 18 months ahead. The use of online banking and digital payments is skyrocketing, and employee negligence is cited as one of the top reasons banks are put at risk; Proofpoint’s survey highlights that around 27% of employees believe that their organization/IT department will take care of any mistakes. However, as cybercrime becomes more expensive for impacted organizations each year, finding ways to educate both consumers and employees about the cyber risks they face will not only help protect information from being compromised, but also save banks from contributing to the astounding losses reported by financial institutions each year.

The Federal Bureau of Investigation’s (FBI) Internet Crime Report highlights that in 2021, Wisconsin totaled over $51,800,000 in victim losses. By taking proactive steps in both their cybersecurity protocols and training, banks throughout the state will have the opportunity to save the organization, and their customers, from substantial loss.

While banks make strides to incorporate risk mitigation — such as integrating multifactor authentication (MFA), a bare minimum in preventing bad actors from gaining access to accounts with greater privileges, and following regularly updated guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) — into their procedures, those seeking to optimize their efforts are looking beyond their IT staff for assistance.

Team Effort

Establishing a culture that embraces cybersecurity begins from the top and requires uniting members throughout various departments. According to Marsh McLennan, a leading professional services firm in risk, strategy, and people, “a robust cybersecurity culture starts from the top of the organization and involves continuous communication and training for leaders across all key functions.” The firm highlights that, as of 2019, nearly 90% of all organizations only included InfoSec/IT, C-suite, risk management, legal, and finance professionals in the management of cyber risk.

“Cyber defense is a team endeavor, not just an IT or a management one,” emphasizes Rob Foxx, director – InfoSec and IT audit services at FIPCO. “Threats apply to all parts of an enterprise, as should defense.”

The Cybersecurity and Infrastructure Security Agency (CISA) highlights that HR professionals play an integral role in detecting, deterring, and mitigating threats by screening candidates prior to employment, managing secure information, and regularly communicating policies.

When HR professionals have a seat at the cyber risk management table, banks not only gain a risk-conscious ally, but also ensure that HR professionals throughout their organization have a strong understanding of the cyber risk policy they utilize in their own day-to-day operations. Additionally, ensuring that the HR team is abreast of the latest cyber risks and mitigation procedures is critical so that said information can be communicated with all staff members.

Playing a Part in Protection

As the U.S. financial sector continues to prioritize cybersecurity — regularly spending up to $3,000 per employee on ongoing cybersecurity education, according to the McAfee report — ensuring that every employee is making the most of their training, testing, or coaching and remains vigilant against all threats to the organization is critical for the safety and security of the institution and its customers.

  • The Employee Lifecycle

Of course, HR plays a substantial role in the onboarding and offboarding process to evaluate the quality of incoming employees and ensure that all former staff are no longer granted access to confidential company data upon their departure. Furthermore, given the close ties to all staff members, HR can play an important role in clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security issues, highlights the Society for Human Resource Management (SHRM).

  • Training

Although cyberattacks continue to cause headaches for businesses across the country, only 64% utilize organization-wide training, according to Proofpoint’s 2022 survey. Training, which is usually administered by the IT department or virtually, has the potential to be strengthened by HR’s involvement. In taking a human-centric approach that emphasizes how all staff members — administrative through executive leadership — play a role in the security of the institution, employee morale is heightened.

Additionally, HR can emphasize and enforce the importance of practicing good cyber habits and encouraging training from the start because of the department’s close connection to all bank staff. HR staff will also notice if staff don’t attend training, regularly fail simulated tests, or display non-compliance with cyber protocols. From there, action can be elevated beyond coaching from IT staff or managers.

“A significant amount of malware is file-less and exists only in the active memory of a computer,” highlights Foxx. “While the next generation of antivirus has the ability to detect more activity than older versions, file-less attacks are just the beginning, and these tools can now detect abnormal user, host, and network activity. Ensuring your team is on the same page is a critical component in mitigating these attacks.”

  • Coordinating Cybersecurity Requirements

In partnership with the IT department, HR should ensure that there are well-documented policies, standards, and best practices for not only averting attacks or breaches, but also for reporting attempted or successful cybercrimes. Throughout their day-to-day tasks, HR professionals are expected to adhere to the organization’s procedures and guidelines as well as communicate this information with staff. Understanding the various protocols, exploits, tools, and resources fraudsters utilize can help members of HR in assisting their staff to build confidence in mitigating a cyber risk. At the very least, Foxx adds, bankers should adhere to cyber security frameworks such as the NIST Cybersecurity Framework or ISO 27001 certifications, which assist organizations in gaining direction and highlighting areas of need.

As more aspects of our daily lives digitalize, and cybercrime and attacks become a regular and unfortunate normality across the banking industry, the need to secure sensitive data has become a widespread effort. It is critical that leaders look throughout their staff for unique perspectives and opportunities to educate. Establishing a culture of cybersecurity could be the difference between a secure and a compromised institution.

Ready to take your cybersecurity to the next step? Visit fipco.com/solutions/it-audit-security to ensure your bank is secure!

FIPCO is a WBA subsidiary and Gold Associate Member.

March 16, 2023/by Hannah Flanders