1. Threats are constantly evolving
The rise of generative AI is spurring on even more email-based attacks, commonly known as phishing, says David Shipley, CEO of Beauceron Security in Fredericton, New Brunswick, Canada. With tools like WormGPT—the criminal version of ChatGPT—and others like it, phishing isn’t just increasing; its quality is also improving considerably.
“The cyberattack game just got a shot of adrenaline, and it’s really putting a lot of our security controls under stress,” Shipley says.
Criminals aren’t just targeting financial institution customers’ usernames and passwords for banking portals. They’re also going after any third-party software tools, such as QuickBooks, that can integrate with banking portals via application programming interfaces (APIs), he says.
Cybersecurity Key Stats
ransomware attacks were detected by organizations worldwide in 2022
Cost of the global average data breach in 2022
spam emails are sent daily, many of them phishing attempts
The cost of the average data breach in the healthcare industry in 2022. The industry has been the costliest for breaches for 12 consecutive years
The average cost of breaches resulting from stolen or compromised credentials in 2022
Hackers are also upgrading their “cyber-attack-as-a-service,” with some now offering live operators who can collect information such as multifactor authentication codes in real time from fraudulent websites or who will work targets by phone in conjunction with email or text message attacks, Shipley says.
Community bankers should consider a few existing and emerging cyber threats, says Timothy Evans, cofounder and executive vice president of Adlumin in Washington, D.C. These threats include:
Ransomware-as-a-service attacks. These attacks typically involve hackers encrypting a victim’s files and demanding a ransom payment in exchange for the decryption key. The victim’s files may be lost or damaged if the ransom is not paid.
Supply chain attacks. These are attacks where the target is not the direct victim but a third party that has access to the victim’s systems or data. For community banks, this could include software vendors, IT service providers or other third-party partners.
Internet of Things (IoT) attacks on physical devices connected to the internet. “Community banks often use IoT devices, such as ATMs and security cameras,” Evans says. “Attackers can exploit vulnerabilities in IoT devices to gain access to a community bank’s network.”
However, according to Charles Potts, ICBA’s executive vice president and chief innovation officer, the biggest emerging threat is complacency: bankers failing to recognize that continuous investment in cybersecurity solutions and services is critical.
“This isn’t a ‘set it and forget it’ environment,” he says. “Every bank of every size has to have a very strategic view of cybersecurity as an important part of the way they run their banks.”
2. Cyber hygiene is critical
Kimberly Kirk, COO of $1.9 billion-asset Queensborough National Bank & Trust Co. in Louisville, Ga., spoke at a Finosec conference about the vendor’s user administration and review platform, says Zach Duke, CEO of Finosec. The tool enabled Kirk’s team to identify and remove the profile of a former employee so that person could no longer access the community bank’s internal systems and customer accounts, access that could have exposed the bank to losses from fraud and other problems.
“Because of the risks associated with this access not being properly removed, auditors and examiners focus on these areas, leaving the bank at exposure to audit and exam findings,” Duke says. “Lastly and perhaps most importantly, the bank’s cyber insurance provider would have an out on covering an event that happened from the access that wasn’t properly removed.”
In another example of the need for ongoing monitoring and training, Beauceron Security’s “Report a Phish” button helped a company intercept and remediate multiple real phishing attacks because its employees filled out a form telling the IT team that they had interacted with the phish, Shipley says.
“The single biggest complaint that we hear and that we respond to is not getting feedback for emails that aren’t a simulation,” he says. “For large organizations, the volume of these emails means that there [often] isn’t time to individually respond to them all. [Beauceron’s SaaS] Feedback Function analyzes the content of emails and provides context to the person who reported the phish to encourage them to continue reporting emails.”
3. Cybersecurity technology is here to help
Software and technology can help community bankers mitigate cyber threats by providing numerous critical capabilities, Evans says. These include:
Automated real-time threat intelligence
Ongoing risk assessment
Managed detection and response services to monitor bank security
Incident response when a potential problem is found
AI and machine learning can assist in threat detection, allowing for real-time analysis of network traffic and promptly identifying any anomalies or suspicious activities, Evans notes.
“Cybersecurity is a multifaceted concern that requires comprehensive consideration,” he says. “Community banks may choose to outsource some or all their cybersecurity needs to a third-party vendor. However, it is essential to vet vendors carefully and understand the service level that will be provided clearly.”
4. Cybersecurity support abounds
Community banks should consider purchasing cybersecurity insurance to help cover the costs of a cyberattack, such as data restoration and customer notification, says Evans. In addition, they should ensure that all employees know the importance of cybersecurity and take the proper steps to protect themselves and the organization from cyber threats.
Community banks can also take advantage of free resources offered by the U.S. Cybersecurity and Infrastructure Security Agency, including tools to detect system vulnerabilities, says Lance Noggle, ICBA’s operations and senior regulatory counsel.
Beyond deploying software, it’s critical for community banks to practice proper “cyber hygiene,” he says.
“You need to find ways to be ahead of the curve, including planning for ‘zero-day vulnerabilities’—cyberattacks that have never been discussed or seen before—so you can’t just update your cybersecurity software to fix it,” Noggle says. “But you can mitigate these attacks with proper cyber hygiene techniques like pre-op cyber testing and exercises to make sure you can have a proactive response to hopefully reduce any sort of damage to your system and to customers.”
Community bankers can leverage another resource, ICBA’s Community Banker University, which offers continuous certification training and education for chief risk officers and chief security officers.
“That’s part of the commitment from the banks to its employees to make sure they are armed with current education and current insights into how to run these kinds of programs inside their banks,” Potts says.
One of the biggest things bankers need to know is that they can’t just “throw technological silver bullets at cybersecurity.” To be most effective, they must foster an effective cybersecurity culture, Shipley says.
“[Run activities] like town halls within the bank, where senior leaders talk about why cybersecurity is important and can also show how an attack had been stopped because people were told about it,” he says. “This can keep employees motivated and engaged.”
5. Regulators are paying attention to cybersecurity
Cloud computing is now on the regulators’ radar. “They are trying to get their heads around what that means and how to manage that,” Noggle says.
In June, ICBA responded to the Federal Trade Commission’s (FTC) request for information on the business practices of cloud service providers (CSPs) to learn more “about the role they play throughout the sector and the economy at large.”
In the comment letter, ICBA encouraged the FTC to “explore the concentration risk posed by the current landscape of CSPs; encourage CSPs to maintain cyber and data security standards that match the regulatory expectations of the industries they support and make the standards and monitoring thereof available to users; examine the ability for small- and medium-sized businesses to fairly negotiate contracts with CSPs and encourage CSPs to negotiate contracts that are reasonable, fair and clearly disclose fees; and utilize existing research such as the U.S. Department of the Treasury’s report on the Financial Sector’s Adoption of Cloud Services.”
Third-party risk management is also on the minds of regulators at the FDIC, OCC and the Federal Reserve, which in June issued interagency guidance on the topic for financial institutions to consider, Duke says. The document provides examples of considerations in the planning, due diligence, contract negotiation, ongoing monitoring and termination stages of managing third-party relationships.
“A banking organization’s use of third parties can increase its risk, but the use of third parties does not diminish or remove a banking organization’s responsibility to perform all activities in a safe and sound manner, in compliance with applicable laws and regulations, including those related to consumer protection and security of customer information,” the regulators say.
Banks operate in a highly regulated environment, and noncompliance with cybersecurity regulations can lead to significant penalties, Evans says. Banks should stay abreast of relevant regulations and ensure they are compliant. Regular backups and redundant systems can help ensure that critical data and systems can be restored quickly in the event of a breach or other incident.
“Community bankers also need to regularly assess their cybersecurity risks and develop plans to mitigate them,” Evans says. “Having a comprehensive plan in place for responding to cybersecurity incidents, such as how to restore data and systems, is critical.”
6. Community bank employees should be part of the solution
Employees unwittingly can be part of the problem if they open emails they shouldn’t or fall prey to social engineering, but they should be reminded that they are also part of the solution. “You need to build a culture of security in which security is everyone’s job, and keeping your customers’ information private is everyone’s job,” Noggle says.
This is a full-time strategic investment for a bank. “Cybersecurity should be part of their DNA—part of their core business thinking,” Potts says. “From that perspective, bank leadership can establish to employees that this is part of how the bank runs and that this is part of who they are. Employees should recognize that this is not a thing they just do; it’s not just event oriented. This is how they should behave all the time.”
From that strategic position, bank leadership can build the tools to train and help employees think about cybersecurity as part of their day-to-day jobs, Potts says.
One of the best ways to motivate employees is to identify the most labor-intensive tasks for employees—such as managing permissions in banking applications—and then “lean into” how such tasks can be handled more efficiently, Duke says. “The big challenge for leadership is to not get stuck in weeds but to see the bigger perspective—not just the tree right in front of you but the forest.”
Cybersecurity training programs are evolving from a purely compliance activity to one that is more engaging through simulation games where employees have fun and can win via incentives, Shipley says.
Above all, employees, including leadership, should not let cyber threats stymie product and service innovation, he says. Shipley also encourages banks to find the right combination of people, processes and technology that will spot cyber events and stop them from becoming incidents.
“There will always be fear, uncertainty and doubt about cyber, but that shouldn’t stop your bank’s digital transformation efforts to better serve customers,” Shipley says. “Just build more resilience within your organization with more cybersecurity layers.”