IT security routines that won’t break the budget
By Maria Korolov
Just because your community bank isn’t one of the giants of the financial industry doesn’t mean it’s off the target list of today’s proliferating cybercriminals. But that doesn’t mean that community banks with limited resources have to go out and start spending large sums of money on IT and data security, experts agree.
“Focus on getting basic security practices solid before adopting the next shiny gadget that promises better security,” advises Phil VanMeerhaeghe, an IT security expert with Kansas City–based 10-D Security Inc. in Lexena, Kan. “Too many times we see institutions spending a lot of money and effort on complex security wiz-bangs while the most elementary security practices are not followed.”
1. Maintain software and equipment. Consistently adhering to strong but basic routines for password protocols and software and equipment security maintenance routines can go a long way to deterring most opportunistic cyberattacks, suggests Raj Patel, a security expert with Plante & Moran LLC, a consulting firm in Southfield, Mich.
One straightforward but important security step is to enforce strong passwords (that are regularly changed) and second-level authentication measures bankwide, particularly for high-risk transactions for the biggest customers, Patel says. “Right now, with most banking systems you can do whatever you want once you log in,” Patel says. That’s simply not enough password security, he says.
Ensuring that IT departments and their vendors install all software patches quickly after patches are released is another important ongoing prevention step that can’t become lax. Continually and routinely installing software patches in a timely way, especially for notoriously targeted Adobe and Java software, as virus-detection software website browser plug-ins, can thwart many security threats. Outdated equipment can also create security vulnerabilities, so following a necessary schedule of software and equipment replacement is important as well.
While continually maintaining software patches and frequent maintenance schedules can be time consuming and a hassle for IT staff, the process shouldn’t cost community banks more money beyond their current staff and maintenance routines. Banks that use a content management system, such as Drupal or WordPress, for their websites also have another option—they can set up an automated patch process, according to Verizon’s 2014 Data Breach Investigations Report.
“If you manage [software] yourself, put it on a schedule or automate it,” advises Wade Baker, the lead author of the Verizon report. “If you outsource that functionality, you’ve got to make sure, very sure, that it’s in the contract that the vendor will do that, and check to ensure that they do.”
2. Lock down your website. According to Verizon’s data breach report, website attacks accounted for 27 percent of all security incidents in the financial services industry, compared with 6 percent for incidents in all other industries. The ratio is even higher for community banks, according to the report.
The next biggest attack activity was denial of service attacks in the financial services industry—so far aimed mostly at the biggest banks—which accounted for 26 percent of all incidents. For all other industries denial of service attacks represented 3 percent of their cyberattacks.
“Denial of service attacks are up,” points out Joe Schumacher, security constant at Neohapsis Inc., a mobile and cloud security vendor in Chicago. “Folks try to hold a bank’s website for ransom. Banks can look at leveraging Web application firewalls or a content delivery network, such as Akamai or CloudFlare, to help mitigate or absorb some of the bandwidth the bank is facing.”
Schumacher and Baker say a common website service vulnerability involves failing to maintain strong multifactor online customer authentication. Too many banks still rely on customers using names and passwords, which leaves bank accounts vulnerable to phishing attacks, password crackers and credential-stealing malware on infected user machines.
3. Monitor your vendors. Of course, it’s not enough for a bank to have its own security in order—the same level of security or better needs to be in place for all vendors that support or have access to sensitive bank data, IT security experts point out.
For example, no third-party vendor should have unlimited control of any bank’s systems—every bank needs to control and monitor all the activities of every vendor, even major core software providers. Such vendor security oversight could also take the form of a formal security audit, a standard questionnaire, as well as accountability contract clauses.
All IT software providers should be contractually required to notify the bank client if the vendor’s system has been breached. Conversely, software providers should be contractually required to provide an annual confirmation statement to the bank that the vendor’s system has not been breached.
“You need to ensure that third-party vendors are living up to your framework,” Schumacher says.
4. Educate your employees. A community bank could have the best firewall in the business, but it’s useless if an employee goes and opens up a back door for the criminals. That’s what a phishing attack is designed to do—trick a well-meaning employee into installing rogue software or giving up his or her access credentials.
One community bank, for example, posted the names and email addresses of seven executives on its website. Each of those executives got an email from a purported customer with what looked like a PDF attachment of a wire funds transfer request form. “But the attachment was not a wire,” says Russ Horn, president of IT security services firm CoNetrix LLC in Lubbock, Texas. “It had malware in it. The first people who saw it didn’t recognize it as a threat and forwarded it on, but then it was caught before any damage was done.”
However, the bank’s employees were alert enough to notice some red flags about that so-called wire funds request. First, it came to several people at once, none of whom were actually responsible for wire transfers. The attachment looked at first glance like a PDF, but the filename actually ended in .PDF.SCR—making it a potentially damaging screensaver file.
“The weakest link is people,” Horn offers as a reminder.
5. Educate your customers. Employees aren’t the only ones who get hit by phishing attacks.
One attack just this summer targeted a community bank in a small city, Horn says. The attackers recorded a highly authentic-sounding message and called city residents to tell them that there was a potential breach and they needed to enter their debit card numbers and PINs to validate them.
“Numerous people in the community were getting the calls, both customers and non-customers,” Horn says. “Our current guess is that they got a list of names and phone numbers of people who lived in the city. The bank was one of the better-known institutions in that city.”
Several customers were infected, and the bank is now working with law enforcement and security experts to track the criminals. The bank also immediately took steps to notify its customers via its banking website, mobile apps and even by traditional mail to warn them not to get caught in the scam.
As with employee-targeting phishing attacks, education is pivotal to prevention, as is having a response plan ready to go at the first sign of trouble, security experts say. “A bank has zero control over their customers’ computers,” Baker points out. “And yet they have to let their computers interact with their sites.”
Maria Korolov is a freelance writer in Massachusetts.