Tag Archive for: Technology

Posts

Triangle Background
, ,

WBA-Member Bankers Complete GSB Bank Technology Management School

Pictured (left to right) are: Thomas Schulz, David Sanders, Ryan Galligan, and Paul Verdonschot.

This year, four Wisconsin bankers attended and completed the Graduate School of Banking’s Bank Technology Management School in Madison. The school is specifically designed to tie together important banking issues, regulatory requirements, and practical insights to broaden the understanding of banking as a business.

Congratulations to this year’s graduates:

  • Ryan Galligan, FVSBank, Fond du Lac
  • David Sanders, Park Bank, Holmen
  • Thomas Schulz, Associated Bank, N.A., Pewaukee
  • Paul Verdonschot, First Federal Bank of Wisconsin, Waukesha
/by
,

Embracing a Culture of Cybersecurity

All staff needed to help mitigate risk

By Hannah Flanders

Cyberattacks are ranked as one of the top threats to banks across the country. As these threats continue to become increasingly sophisticated and prevalent throughout our communities, bankers are looking to mitigate the risk for the safety of both their institution and all customers served. As such, administrators — including members of the human resources (HR) department — have been tapped to take on a new role alongside the information technology (IT) department to protect the bank from falling victim.

Prioritizing Cybersecurity

According to Proofpoint’s State of the Phish survey, approximately 79% of U.S. organizations reported at least one successful phishing attack in 2021. As cybercrime continues to rise — costing over $1 trillion a year worldwide, as highlighted in a report by McAfee Center for Strategic and International Studies — it is critical for the success of banks across the country that they establish a culture of cybersecurity.

In the American Bankers Association’s (ABA) Banking Risk and Compliance Management Outlook for 2023, surveyed bankers identified cybersecurity and IT risk to be, overwhelmingly, the top risk priority for the 18 months ahead. With the use of online banking and digital payments skyrocketing, and employee negligence being cited as one of the top reasons banks are put at risk — Proofpoint’s survey highlights that around 27% of employees believe that their organization/IT department will take care of any mistakes. However, as the cost of cybercrime continues to become more expensive for impacted organizations each year, finding ways to educate both consumers and employees of the cyber risks they face will not only help protect information from being compromised, but save banks from contributing to the astounding losses reported by financial institutions each year.

The Federal Bureau of Investigation’s (FBI) Internet Crime Report highlights that in 2021, Wisconsin totaled over $51,800,000 in victim losses. By taking proactive steps in both their cybersecurity protocols and training, banks throughout the state will have the opportunity to save the organization, and their customers, from substantial loss.

While banks make strides to incorporate risk mitigation — such as integrating multifactor authentication (MFA), a bare minimum in preventing bad actors from gaining access to accounts with greater privileges, and following regularly updated guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) — into their procedures, those seeking to optimize their efforts are looking beyond their IT staff for assistance.

Team Effort

Establishing a culture that embraces cybersecurity begins from the top and requires uniting members throughout various departments. According to Marsh McLennan, a leading professional services firm in risk, strategy, and people, “a robust cybersecurity culture starts from the top of the organization and involves continuous communication and training for leaders across all key functions.” The firm highlights that, as of 2019, nearly 90% of all organizations only included InfoSec/IT, C-suite, risk management, legal, and finance professionals in the management of cyber risk.

“Cyber defense is a team endeavor, not just an IT or a management one,” emphasizes Rob Foxx, director – InfoSec and IT audit services at FIPCO. “Threats apply to all parts of an enterprise, as should defense.”

The Cybersecurity and Infrastructure Security Agency (CISA) highlights that HR professionals play an integral role in detecting, deterring, and mitigating threats by screening candidates prior to employment, managing secure information, and regularly communicating policies.

When HR professionals have a seat at the cyber risk management table, banks not only gain a risk-conscious ally, but also ensure that HR professionals throughout their organization have a strong understanding of the cyber risk policy they utilize in their own day-to-day operations. Additionally, ensuring that the HR team is abreast of the latest cyber risks and mitigation procedures is critical so that said information can be communicated with all staff members.

Playing a Part in Protection

As the U.S. financial sector continues to prioritize cybersecurity — regularly spending up to $3,000 per employee on ongoing cybersecurity education, according to the McAfee report — ensuring that every employee is making the most of their training, testing, or coaching and remains vigilant against all threats to the organization is critical for the safety and security the institution and its customers.

  • The Employee Lifecycle

Of course, HR plays a substantial role in the onboarding and offboarding process to evaluate the quality of incoming employees and ensure that all former staff are no longer granted access to confidential company data upon their departure. Furthermore, given the close ties to all staff members, HR can play an important role in clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security issues, highlights the Society for Human Resource Management (SHRM).

  • Training

Although cyberattacks continue to cause headaches for businesses across the country, only 64% utilize organization-wide training, according to Proofpoint’s 2022 survey. Training, which is usually administered by the IT department or virtually, has the potential to be strengthened by HR’s involvement. In taking a human-centric approach that emphasizes how all staff members — administrative through executive leadership — play a role in the security of the institution, employee morale is heightened.

Additionally, HR can emphasize and enforce the importance of practicing good cyber habits and encouraging training from the start because of the department’s close connection to all bank staff. HR staff will also notice if staff don’t attend training, regularly fail simulated tests, or display non-compliance with cyber protocols. From there, action can be elevated beyond coaching from IT staff or managers.

“A significant amount of malware is file-less and exists only in the active memory of a computer,” highlights Foxx. “While the next generation of antivirus has the ability to detect more activity than older versions, file-less attacks are just the beginning, and these tools can now detect abnormal user, host, and network activity. Ensuring your team is on the same page is a critical component in mitigating these attacks.”

  • Coordinating Cybersecurity Requirements

In partnership with the IT department, HR should ensure that there are well-documented policies, standards, and best practices for not only averting attacks or breaches, but also for reporting attempted or successful cybercrimes. Throughout their day-to-day tasks, HR professionals are expected to adhere to the organization’s procedures and guidelines as well as communicate this information with staff. Understanding the various protocols, exploits, tools, and resources fraudsters utilize can help members of HR in assisting their staff to build confidence in mitigating a cyber risk. At the very least, Foxx adds, bankers should adhere to cyber security frameworks such as the NIST Cybersecurity Framework or ISO 27001 certifications, which assist organizations in gaining direction and highlighting areas of need.

As more aspects of our daily lives digitalize, and cybercrime and attacks become a regular and unfortunate normality across the banking industry, the need to secure sensitive data has become a widespread effort. It is critical that leaders look throughout their staff for unique perspectives and opportunities to educate. Establishing a culture of cybersecurity could be the difference between a secure and a compromised institution.

Ready to take your cybersecurity to the next step? Visit fipco.com/solutions/it-audit-security to ensure your bank is secure!

FIPCO is WBA subsidiary and Gold Associate Member.

/by
,

FinTech Helps Reshape the Banking Industry

Banks engage in embedded FinTech to meet consumer expectations

By Hannah Flanders

As competition throughout the banking industry continues to rise and digitalization takes the world by storm, many banks are turning to new opportunities with FinTech providers.

Today, consumers throughout the U.S. seek immediate, safe, and easy solutions in every aspect of their day-to-day lives — from transportation and grocery shopping to banking.

As banks throughout Wisconsin look to best serve consumers, their ability to create innovative, flexible offerings is one of the most important factors to consider in remaining relevant and competitive in their communities.

The Growth of Technology

In 2021, nearly half of all households across the country utilized nonbank online payment services, including peer-to-peer payments (P2P), according to the Federal Deposit Insurance Corporation’s (FDIC) 2021 Survey of Unbanked and Underbanked Households. P2P payment solutions — such as PayPal and Zelle — and other technology innovations, including Uber, DoorDash, and Zoom, have deeply engrained themselves into households across America and become especially important for younger generations to make transactions.

Already, over 1,200 banks around the country, including over 50 in Wisconsin, have begun integrating Zelle — a digital payments service offered by the FinTech provider Early Warning Services, LLC — to help meet the expectations of their customers. However, as banks continue to compete for deposits and new loans, innovation beyond incorporating P2P payments into their online services may become a necessity.

What is Embedded FinTech?

Heyburn_Virginia

Virginia Heyburn

Virginia Heyburn, director – research, insights, & advocacy at Engage fi and recent keynote speaker at the Wisconsin Bankers Association’s (WBA) 2023 Bank Executives Conference, describes embedded FinTech as a strategy by which traditional banks own the experience and work to build FinTech functionality into their own digital banking experiences. This is comparable to the Banking as a Platform, or BaaP, model that banks may utilize to integrate FinTech solutions into their existing offerings.

Embedded FinTech emphasizes the bank’s possession of the brand, by way of providing the service on their own platform, and the augmentation of FinTech functionality behind the scenes. This process allows banks to strengthen their own offerings, increase customer engagement, and build loyalty rather than provide services to outside users, as is the case with embedded finance or Banking as a Service (BaaS).

What Embedded Fintech Means for Banks

Although 95.5% of all U.S. households were banked in 2021, according to the FDIC’s survey, Heyburn states that it is important that banks continue to deepen their relationships with their retail and commercial customers and offer features that are valuable to them.

By integrating property management capabilities into digital portals for landlords, disbursements for commercial clients, or intelligent budgeting and savings tools for retail customers — banks have the ability, through a partnership with a FinTech servicer, to provide an even greater number of tools and resources for consumers.

As the banking industry evolves faster than ever before, embedding FinTech into their online services will not only allow banks greater flexibility in the products offered, but provide the opportunity for banks to increase their technological capabilities. Early Warning Services, LLC, the FinTech provider of Zelle, highlights that these valuable partnerships permit banks to
utilize technology to consider new ways to attract and engage customers, including cross-selling and engagement with the banking app, as well as reduce costs in other areas such as cash and check management.

“I expect nearly every bank to pursue embedded FinTech strategies within five years,” Heyburn states.

The Challenges

While embracing FinTech solutions may be the next step for a bank, Heyburn says that legacy technology has always made the interoperability of systems challenging. Between delays, a strong reliance on core vendors, and inconsistencies, there are a number of factors to consider when strategizing a frictionless exchange of any internal or external system.

With mobile and online banking being the primary way many consumers interact with their bank, it is critical that banks not only have the personalized products individuals expect, but also can deliver information efficiently.

“Customers are no longer willing to tolerate delays and defects in the FinTech era — they are voting with their fingertips as they choose online banks that offer the speed, ease, and convenience they want,” states Heyburn. “The cost of doing nothing has never exceeded the cost of making a change — until now.”

As Forbes published in a recent article entitled Digital Transformation in Banking, in order to rapidly and cost-effectively design, create, plug in, and deploy new digital products and services, the bank’s digital product platform must be component-based, API-driven, and cloud native.

The Benefits

While less than 60% of all financial institutions currently deploy APIs or cloud computing, according to Forbes, many understand this conversion as a solution to meeting customer needs and expectations. In addition to allowing consumers the ability to connect their accounts across platforms,
engaging with FinTech servicers will provide many banks with the ability to simplify their technology — which in many cases, may be limiting an institution’s ability to roll out new competitive features or service offerings — as well as save on maintenance costs that limit the ability to compete on service price, according to PwC.

By incorporating an open banking system into their digital offerings, banks are able to balance safety and security with the expectations of all consumers. As the industry continues to evolve, and greater emphasis is placed on increasing competition in the marketplace, driving financial inclusion, and creating more consumer choice, partnerships between banks and FinTech providers have the potential to assist banks in not only improving their technological capabilities, but also more effectively serving their customers.

Interested in developing a partnership with a FinTech provider? Learn more about WBA’s upcoming FinTech Showcase at wisbank.com/FinTech.

Engage fi is a WBA Associate Member.

/by
,

FIPCO Serves Compliance Concierge® Customers With Software Updates

By Annette Witkowski

Customers have always been, and will always be, top of mind for FIPCO staff members. That is why we continually revise the Compliance Concierge® software with updated documents, regulation changes, and user enhancement requests.

Some of the items we have released lately are:

  • HOEPA/HPM rates, so Compliance Concierge® notifies when users are outside of their range;
  • Reg Z threshold amount, so Truth-in-Lending documents appear when required;
  • Bank holidays that allow Compliance Concierge® to calculate rescission;
  • Over 40 secondary market documents that the GSEs have changed;
  • Updated Ascensus* IRA documents;
  • User-requested warning messages on certain screens;
  • Factual Data by CBC interface;
  • Revisions to WBA 382 P.O.D. Beneficiary Designation document;
  • User-requested commercial application document; and
  • Updated Automatic Payment Authorization to comply with NACHA rules.

We continue to distribute timely information through software release notes, notices, and the monthly FIPCO Focus e-publication. If you are not receiving these items and would like to, please visit fipco.com and edit your profile or, if you are not registered with our website, click “Sign Up” to request these items.

As always, FIPCO staff members are here for you. If there is anything we can help with, please contact our business development team at fipcosales@fipco.com or fipcosupport@fipco.com.

*Ascensus is a WBA Associate Member.

 

/by
, ,

Passwords: Ensuring Secure Data

How you can be your own best first line of defense against hackers

By Rob Foxx, CCBTO

Depending on how old you are, you will have a different perspective on passwords. The more seasoned professionals would have come in at a time when a minimum of six characters, no capital letters, numbers, or symbols was a commonplace practice. In comparison, passwords today usually consist of eight characters — at least one being one upper case — a number, and a symbol.

With a good computer and access to a vulnerable system, even now those passwords could be cracked by a common tool to brute force into the system in less than six hours. While our technology continues to evolve, unfortunately, so too do the bad actors and threats to our data security.

Digital Security Threats

While some threats are technology based, a consistent number of threats to our passwords are not. Saving a password to a browser is an invitation for trouble. Once you walk away from an unlocked computer, it would not take much effort to log in or even change your credential without your knowledge. There are many tools that can copy these passwords quickly and with very little expertise.

Additionally, those who reuse passwords or only slightly change them is a direct invite to bad actors. If your password was compromised on a common website and associated with your email, someone has that information, and there is a good chance they are going to try it elsewhere. For example, changing a password from Carl!123 to Carl@123 is also risky as a list of passwords associated with users’ names fed into a computer could guess this in seconds rather than hours.

Many people write their passwords down and tape it to a monitor. The inside of a desk drawer, or under the keyboard or mousepad are not much safer a hiding spot.

As many of us are aware, sharing passwords is a bad idea from an accountability point of view. Once someone else has it, you can no longer secure it from being written down or re-shared.

Be aware if your passwords or accounts have been breached in the past. The website have ibeenpwned.com is a staple for those in the information security field. This allows you to check if both passwords and email accounts have been used or discovered in past breaches.

Additional Protective Steps

Like many threats, the best answer is in the hands of the people most at risk. With a little education and a few resources, you could be on your way to making yourself an unappealing target.

  • Multi-Factor Authentication

Multi-Factor Authentication (MFA) is the latest and greatest in terms of locking an account if available. It requires a token or application on your phone to give a random code that matches up to a login service. Using MFA makes unauthorized access very difficult.

  • “Real” Passwords

The NIST (National Institute of Standards and Technology) in their 800-63 publication points out that complexity does not matter to a computer. It only makes it harder for users to remember. Password length makes it exponentially more difficult for a computer to guess or break a password that has not been breached. A 15-character password with all lowercase letters would take a computer an estimated 12 million years to breach. Passwords can be as simple as three unrelated words or based on items found on your desk — coffeelampmouse is a good example. The internet is filled with random password generators, but they are only of limited use as the passwords they generate are impossible to remember.

  • Password Vaults

Password vaults are very reliable and inexpensive or free. They can make and save passwords for you requiring a single password to access all your other passwords. Additionally, they can generate passwords for you. This removes the requirement to come up with something new every time you make a password. Some vaults are cloud based, and for those who are looking for a business version or an entirely offline vault, these are also available.

Armed with the knowledge of the problem and the tools presented you can use them to be your own best first line of defense against people trying to take over your digital life. You would not choose a lawyer, doctor, or bank officer who barely meets minimum requirements to do something important, so do not skimp on the passwords that secure your data with a minimum requirement either. If you have questions, feel free to ask your local IT or information security professional — they are generally very happy to help people safeguard themselves, as it makes their lives easier as well!

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

/by
, ,

The New Face of Identity Theft

The rapid growth of synthetic identity fraud

By Hannah Flanders

Like many aspects of our day-to-day lives, the expansion of technology has both enhanced and complicated the ways in which we operate. As more and more of our information lives online, identity theft — once more likely to occur because of a stolen wallet — has also assumed a digital appearance: synthetic identity theft.

What is Synthetic Identity Fraud?

Synthetic identity fraud is defined as the use of a combination of pieces of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.

This form of identity theft has allowed bad actors to combine a stolen Social Security Number (SSN) and other false information — such as a fake name, address, date of birth, or phone number — to create a counterfeit identity to steal funds, escape prosecution, or any other number of criminal and fraudulent activities.

An Alarming Trend

In 2020, the Federal Bureau of Investigation (FBI) named synthetic identity theft as the fastest growing financial crime in the United States. Fraud targets are often those who do not typically use credit or are less likely to monitor their credit activity — including children, homeless individuals, and the elderly. These victims may find themselves blindsided as fraudsters create a new identity, apply for credit, and after years of building good credit by making payments for a time, abandon the account without paying anything back to the financial institution.

While this type of fraud is already difficult to detect due to its elusive or “normal” nature, many bad actors go to incredible lengths to appear as such, states Forbes. In addition to establishing good credit by making payments quickly and on time, some create digital profiles or use P.O. boxes for addresses.

Not only has technology and access to the dark web made PII more accessible to fraudsters, in 2011 the Social Security Administration (SSA) began randomizing the nine-digit social security codes rather than assigning them to individuals based on their geographical location and group number. No longer do social security numbers raise red flags when enrolling or opening accounts “out of state.”

As online banking grows in popularity, so too do concerns for synthetic identity theft. Between prevalent phishing schemes and heightened risks for data breaches — accessing PII and conducting synthetic identity fraud has become much easier than in years prior.

How to be Proactive Against Bad Actors

Inconsistent categorization and reporting make it difficult to identify and mitigate this type of fraud — as far as banks and credit bureaus can tell, these individuals are just like anyone else. . . until they “bust out” or abandon the maxed-out account with no intention of repayment.

After abandoning the false identity’s account, a fragmented file is created. This additional file not only becomes associated with the original SSN but also holds the additional credit report information and other fabricated PII. Unfortunately, this information could negatively impact the credit rating of the real individual.

When working with customers, bankers should advise frequent credit report checks or freezing unused credit at credit bureaus throughout the U.S. as to deter criminals or catch them early.

In addition, customers may take additional steps to protect themselves and their family against synthetic identity theft. One way parents can protect their children from fraudsters is by requesting their child be added to their credit profile. By adding a child to an adult’s credit profile, not only does the child’s own credit profile become established in his or her name and SSN, but the child is also able to begin building their credit.

The Cost of Synthetic Fraud

While victims of identity theft typically are not liable for fraudulent purchases or accounts, as long as they can prove they are the real SSN holder and not the thief, banks and other financial institutions are left to absorb the cost. This scheme is not only incredibly costly to banks across the country — with losses estimated at $20 billion in 2020, according to the Federal Reserve Bank of Boston — but gaps in the U.S. Fair Credit Reporting Act may have also increased the likelihood of repeat offenders.

The Federal Reserve has reported that bad actors are able to ‘flood the financial institution with an overwhelming number of claims’ on their fake accounts, and when creditors are unable to fulfill the investigation in the allotted timeframes, the disputed item is removed from the false credit report and time and time again, fraudsters get away with the act.

“Synthetic IDs are a struggle for community banks to identify,” states Lenore Breit, vice president – compliance manager at Wausau’s Prevail Bank. “Based on a recent presentation, [community banks] most likely have synthetic ID fraud in their deposit and loan accounts that remains undetected with traditional third-party ID verification programs that most community banks use.”

“There are other, more robust ID verification programs available to detect synthetic ID fraud,” adds Breit. “But they are costly and may not interface with legacy software.”

One such software program, the electronic Consent Based SSN Verification service, was created in part by the Economic Growth, Regulatory Relief, and Consumer Protection Act. The electronic service offered by the SSA was created in 2018 to aid financial institutions in combating synthetic identity fraud and verify an authorizing individual’s name, date of birth, and SSN against the SSA records. Services are based on the annual transaction volume and can cost thousands or even millions of dollars.

Common Signs of Synthetic Identification Theft

While difficult to trace, there are a few significant ways bankers can remain attentive to PII and other key indicators of synthetic identity fraud.

Most obvious is ensuring all SSNs match to the PII given. Do not assume a name change or relocation; ask questions or require verification for the sake of your bank and the security and privacy of all customers. This extra step could make all the difference in protecting the personal information of every customer.

If an account is already open, bankers should note applicants who have the same contact information or SSN as well as those with multiple authorized users.

As synthetic identity fraud becomes increasingly prevalent throughout the U.S., it is critical, for the safety of customers and security of all financial institutions, that Wisconsin bankers are prepared to combat this emerging fraudulent activity, caution community members against sharing unnecessary personal information with others, and assist individuals in regaining their rightful identity if necessary.

If you are interested in learning more about synthetic identity fraud, how these schemes can impact your bank or customers, or more ways you can take a stand against bad actors, please contact WBA’s Legal Team at wbalegal@wisbank.com or 608-441-1200.

/by

The Importance of Communication: How to Assist the Non-Technical in Understanding Technology

By Rob Foxx, CCBTO

As an information technology or information security professional, have you ever had a conversation with a member of your team and watched their eyes glaze over and think to yourself, ‘did they just understand a word I said?’ Welcome to the industry — this is part two in my series assisting technical and non-technical staff to better communicate on the subject of technology. Before breaking down a few simple ideas tech professionals can keep in mind when communicating with non-technical peers — we should first discuss where (and why) we as technology professionals falter in our communication.

Gaps in Experience

Like many of my peers, I spent my younger years studying both in college and independently to absorb as much information as I could in preparation for my career. In many ways, college helped me build my baseline for what I would need to learn both on my own as well as on the job. In addition to the standard classes within my major, I was also required to take speech classes like many college students. I did very well in speaking classes, however, my speeches were often on topics far more engaging to the audience than disaster recovery, firewalls, or server specifications.

Since then, I’ve spent much of my career working in teams with non-technical co-workers and, considering my target audience is usually within the banking industry, more than likely you too are a single individual or part of a very small team supporting your enterprise with minimal contact with those sharing your understanding of technology.

If you are of my generation or older, you were likely told somewhere along the way that you were very gifted or had aptitudes that leaned towards the up-and-coming field of information technology. Unfortunately, if you had any degree of awkwardness, it may have also been sold to you as something that would not require you to regularly communicate with people — a detail probably very few people have found to be true.

Having technical skills, aside from communication, is one of the most important skills one can have. On the upside, many of us have found being an effective communicator does not mean being a master orator or an excellent writer. As proof to that, I will tell you in all honesty that I am neither. I stumble over my words, and I need someone to proofread anything holding more content than a short email or technical report.

Four Things to Keep in Mind

As I continue through my career and often work closely with non-technical individuals, I have found that there are a few ways our profession can not only communicate better, but also build relationships for better future communications.

  • Do not get frustrated with your audience.

None of us learned our profession overnight, so do not set the expectation that your non-technical team members will learn yours after one chat. By getting frustrated, you do a great disservice to the effort of everyone who was patient enough to make sure you understood your profession well enough that you could work successfully and independently.

In further developing good communication skills, technical people will realize the importance of asking co-workers to be specific in their requests. You may frequently get calls from peers saying, “my computer does not work.” By asking follow up questions such as “what are you trying to do,” “what does the computer do when you do that,” or “walk me through the problem,” tech professionals will generally get a better overall response and diagnosis of the issue at hand.

  • Know your audience.

Knowing who you’re talking to and their level of understanding in the subject you are talking about is the major difference between public speaking and speaking with business leaders. Never make assumptions about their level of understanding or be afraid to ask how familiar they are with virtual environments. The least technical executive at your bank most likely still receives business articles that could offer a baseline understanding of the subject matter at hand. Either assuming too much or too little could lead to your target getting frustrated with you expending their limited time.

  • Find a beta user.

My original career goal was to become a software developer. I said from day one that I would want to hire someone who is older and less tech savvy to work with my team and test my product. If my non-technical mother could operate it without significant guidance, then I would have succeeded in developing a product that offers an intuitive and user-friendly design and would be well accepted for its ease of use.

To apply this idea in dealing with business leaders, remember that if you can explain it to someone non-technical — be it a spouse, parent, or even a helpful co-worker — business leaders should have a better chance of understanding what thoughts you are trying to convey.

  • Don’t be judgmental.

Make sure to have a non-judgmental way of communicating if a decision that is being made or considered is problematic. In technology, it may be stating that “this is a band aid to the problem,” or “we will need to readdress this problem sometime in the near future.” In information security, the cue is often “we can do that if you are willing to accept the risk and sign a risk acceptance form.”

Now that we have looked at the issues and a few things to help keep in mind, I encourage you to keep in mind that learning complex concepts and making decisions is a process. Talking over the heads of your coworkers and business leaders may only make this process more difficult. Remember, technology is your profession — not theirs.

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

/by
,

See Into the Mind of a Cybercriminal

WBA’s Secur-I.T. & BSA/AML Conference returns in 2022

As cybersecurity and fraud continue to be rising topics of discussion throughout the banking industry, bankers are encouraged to stay informed on the latest trends experts are seeing and how regulations will continue to impact Wisconsin banks by attending WBA’s annual Secur-I.T. & BSA/AML Conference held in Wisconsin Dells.

The two-day conference — beginning September 20 and adjourning at noon on September 21 — draws over 125 BSA/AML, operations, security, and technology professionals from around the state for over seven hours of educational presentations and networking.

This year’s keynote session will feature Bryan Seely, a world-famous cyber security expert, ethical hacker, author, and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Before he was caught, he confessed to the two agencies that there was an issue that needed to
be fixed.

Unlike many hackers, Seely is passionate about fighting for consumers rights, privacy, and educating the public about how to stay safe in a constantly changing technological landscape. In this keynote session, Seely will highlight the different ways in which hackers think and the new, creative ways professionals must approach security in order to protect the most critical information of the business and customers.

In addition to this captivating keynote speaker, the Secur-I.T. & BSA/ AML Conference offers several breakout sessions and networking opportunities that will assist banking professionals from throughout Wisconsin in further developing their bank’s customer experiences, BSA/ AML program, security, and technology capabilities as the banking and technology industries continue to evolve.

/by
,

How Do Business Leaders Protect Data?

By Rob Foxx, CCBTO

I frequently get asked, “How do I or my other non-technical staff help keep my institution safe from electronic threats?” Ransomware is the topic of the day, and I don’t know that there will be changes to that any time soon. There are a few things that can make protecting yourself easier. Good security is done in multiple layers of defense and requires participation of all members of your team.

Involve Your Whole Team

Cybersecurity is the responsibility of all members of the business, not just IT. To that end, everyone needs to know what common tactics are used to compromise your security. Learning how to identify phishing emails as well as business email compromise and reporting these types of events could be the difference between fighting a breach or dodging one. This kind of mindset has been in physical security for a very long time, but it has been a lot slower to be adopted into data security. By educating your staff and yourself and reporting it to the right people in your organization, you can avoid a very common but costly pitfall.

Ensure System Maintenance is Up to Date

The next item is a task that IT performs but is something leadership should both understand the basics of and require accountability for. Keep your systems updated and patched. An alarming number of breaches over the years could have been prevented by simply keeping systems up to date. Microsoft pushes out Windows patches the second Tuesday of every month, which should be reviewed for issues with your environment and deployed as soon as possible. There are tools that make this very easy to perform should you invest in them. Less obvious patches to other software like Adobe Reader, Google Chrome, and even your remote connection software, are equally important. Keeping an inventory of your software assets and checking them regularly for updates and patches can reduce your attack surface. Updates should not only be done, but they should also be reported to management and/or the board of directors at a regular frequency.

Secure Your Passwords

Get secured passwords or, if possible, multi-factor authentication. Insurance companies offering cyber insurance policies are pushing for people to utilize tools such as authenticators on your phone for multifactor authentication. While this is ideal, it may not be in place in many institutions. The National Institute of Standards and Technology (NIST) security framework used by the U.S. Department of Defense recommends longer passwords (16+ characters) without complexity and no expiration unless you have reason to believe it was exposed. Passwords can be as simple as picking out 3 random words such as doorbluecomputer. This is easy to remember and difficult for a computer to guess. If you can’t use multifactor authentication, using a password manager can enable you to use many complex and long passwords that you could never otherwise remember.

Give IT and Security a Seat at the Table

Bring IT and information security into your decision-making process. If this is something that is not being done currently, consider adding these people to the team that makes your highest-level decisions. They will have a perspective on additional costs as well as potential problems and conflicts that may occur. While they may not represent the majority of your staff or income, they speak for a considerable portion of your assets. There are few things as frustrating as going forward with a new project and not having considered how it will work with the rest of your environment or whether you have the hardware or software to support it without extra expenditure of assets. Additionally, there are many problems that exist within a business that your more technical staff could offer a solution to that the rest of the staff may not have known about.

Keep Up With Advancements in Technology

Don’t let technology outpace you. New technologies come out every day, and while you’re not expected to be on the leading edge, you should at least keep a healthy pace with it. For example, if you are using a conventional virus scanner, you are already behind the times. Zero-day exploits (bugs that are either unknown or unpatched) and fileless malware and viruses are also not detected by traditional antivirus products. Fileless attacks are becoming more prevalent, and you can get them any number of ways. It could be as innocent as going to a website and without any need clicking or downloading — without your permission, you could have brought an unwanted problem to your institution. Though a bit on the pricier side compared to traditional antivirus, next-generation products in this field are far more capable than their older counterparts.

Most of the items presented are of a non-technical nature and should be part of making your staff work well with your information security team and vice versa. In our more modern environments of work from home, it is more important than ever to make cybersecurity a part of everyone’s day to day.

Foxx is information security and audit advisor for FIPCO, a WBA Gold Member.

/by
, ,

Executive Letter: Bankers Helping Bankers Platform, New Benefit for WBA Members

Rose Oswald PoelsBy Rose Oswald Poels

I’m pleased to announce that the Wisconsin Bankers Association (WBA) is partnering with state bankers associations nationwide and data provider FedFis to offer access to Bankers Helping Bankers to WBA members.

Bankers Helping Bankers is a bankers only platform for collaboration and research. Through data tools and dynamic user groups, Bankers Helping Bankers provides community bankers with a knowledge base focused on bank technology and emerging Fintech companies, as well as hot topics such as cryptocurrencies, banking as a service, and direct digital banking.

In October 2021, the Independent Bankers Association of Texas (IBAT) was the first state banking association to partner with FedFis, a provider of fintech data analytics and a strategy system which tracks financial, M&A, and vendor data (including technology vendors) on every bank and credit union in the United States. Since then, the exclusive, banker-only platform has been expanding to states across the nation.

Given the rapidly changing landscape of banking technology, it is hard to keep up through in-person events alone. Bankers Helping Bankers provides an additional way for bankers to connect with one another via forums and access a wide range of fintech data.

WBA continues to offer our WBA Connect and CEOnly/CFOnly peer groups that provide in-person and online networking for Wisconsin bankers only. Through the new collaboration with Bankers Helping Bankers, we aim to bring even more value to WBA members by offering an additional opportunity that lets bankers connect with their peers across the country, with a focus on banking technology.

If you or any member of your team would like to take advantage of the Bankers Helping Bankers opportunity, please fill out the form to gain access to the platform. You will receive an email within a couple of weeks with details on how to create your account.

/by
WBA logo

questions@wisbank.com

608-441-1200

4721 S Biltmore Ln.
Madison, WI 53718

Get our Newsletter!
Subscribe