Cybersecurity is everyone’s job. What’s your role?

One-quarter of all malware intrusions are aimed at financial institutions, according to a 2019 IntSights report. But, increasingly, banks are finding that throwing money and technology at the problem, especially in the form of isolated IT security efforts, isn’t enough to solve it.

By Karen Epper Hoffman

“Cybersecurity is an enterprise-wide concern, because cybercriminals need only one point of entry into the system to gain access and control of the system,” says Greyson E. Tuck, attorney and consultant with Gerrish Smith Tuck Consultants and Attorneys PC in Memphis, Tenn. “Once inside the system, cybercriminals can move throughout. Any point of entry will suffice.”

Here’s what every department, from the front office to the executive team, should be doing to protect the bank and its customers from hackers and scammers.

Frontline staff

Because of their proximity to customers, frontline employees often serve as the first line of defense in spotting cybersecurity threats at branches, ATMs or in phone banking.

Jeff Newgard, president and CEO of $405 million-asset Bank of Idaho in Idaho Falls, Idaho, says he wants all of the community bank’s universal bankers to be trained to recognize a potential scam, “even when the customer doesn’t.”

For example, Newgard says that phone calls and emails with instructions to take action immediately to avoid negative consequences or to receive a great reward are common scams that customers should vet with branch personnel. “Tellers or universal bankers are typically the first to have contact with a customer who may be falling for such a trap,” he adds.

Frontline employees should ensure customers aren’t being scammed through electronic bank channels like an email or threatening phone call. They should also look out for odd customer behaviors and be able to spot phishing scams, including test emails that they receive from the bank directly, Newgard says. “We train our employees on these methods regularly, and then we test them with our own efforts, with pretext calling and our own internal phishing campaign,” he adds.

Travis Brennan, chair of the privacy and data security practice at Stradling Yocca Carlson & Rauth in Newport Beach, Calif., suggests that frontline employees should “understand how they fit in a bigger picture.” These employees could prevent low-tech fraud simply by keeping their work area clear of sensitive documents and making sure they log out of their computer when they leave their desk, he adds.

“Train tellers to understand the risk in their environment in terms of personal information,” Brennan says, “so they aren’t accidentally exposing sensitive data.”

IT department

Cybercriminals are looking for the most accessible point of entry into a system, Tuck says, and this is typically not through the IT department. Like most community banks, Bank of Idaho’s IT staff are responsible for the day-to-day management of protective measures designed to keep information safe, such as firewalls, proper backups and proactive anti-malware programs. “It is their job to ensure all of these programs and methods are kept current and fine-tuned to do the job they are meant to do,” Newgard says.

Newgard says IT employees are trained to watch for anything unusual in web traffic, the flow of information, and internal and external indicators of threats. “When an anomaly is detected, an investigation is launched to quickly assess and review the incident and address it as needed,” he adds. “It is worthy to note that the greatest threat from the perspective of [the IT] department lies not with outsiders trying to get in, but with the employees and customers of the bank. Having protective systems in place to guard against intrusion is the easy part. Making sure the bank’s employees and customers follow the proper procedures to protect information is much harder to manage.”

When potential security issues are detected, IT staff must implement early disaster-recovery protocols, Newgard says, including isolating the issue, assessing damage and mitigating that damage by following pre-defined steps.

“In every instance where suspicious activity occurs at their level, [these incidents] must be disclosed to the bank security officer as well as the CEO of the bank,” he says, “even if no damage was done or the bank experienced no exposure.”

Compliance officers

Compliance can be a slog for even the most adept officer. But that doesn’t mean they can sidestep cybersecurity responsibilities, which typically include the ongoing management of the bank’s security protocols and disaster recovery procedures, Newgard says. At Bank of Idaho, the compliance department consists of two or three people who act as experts on the safety and soundness of the bank, “including the realm of cyber and digital,” he adds.

This team oversees employees’ adherence to compliance standards around risk. It also manages training on basic safety measures. Because compliance rules are constantly changing, it’s incumbent on compliance employees to suss out exceptions to policy, procedures and processes that can lead to unnecessary exposure. “Along with the IT staff, they serve as the guardians and advisors to all bank staff in matters of security,” Newgard says.

“Any time they find that an employee is not following the guidelines set forth, [compliance officers] work with immediate supervisors to retrain and then reassess those areas of weakness,” he says. “They watch for the exceptions to the rule and address them [quickly] and aggressively.”

For smaller banks, the compliance role may be left to a single person either inside or outside the bank. Brennan recommends that the board of directors or a designated board committee oversee the compliance officer’s implementation of the data security program. Failure to do so can expose the organization, or in some cases individual directors, to liability. The compliance officer should be able to consult with in-house or outside counsel on risk exposure and compliance obligations, as needed.

Executive officers

For the C-suite, perhaps the most important role they can serve in helping manage cybersecurity is to lead by example, industry experts say. They should make sure they’re at least aware of potential risk and aren’t cutting corners that may cause undue exposure. “Take the training and learn what to watch for,” says Newgard, who sought and obtained a CompTIA Security+ certification covering core security functions.

While Newgard doesn’t require fellow Bank of Idaho executives to follow the same path, he says it’s important they know what threats are posed and how to limit the exposure of the bank and its customers. So, all bank executives train annually in overall cybersecurity risks, and many have a specific focus in compliance, security, disaster recovery or communications depending on their role.

Since C-suite executives and top managers are often targeted by bad actors because of their high level of access, as well as the assumption that they might be more lax in their security protocols, these community bank officers should be alert for scams like wire transfer fraud and ransomware.

“Ransomware seems to have made a comeback in recent months,” Newgard says. “[Bank of Idaho] executives and other key employees receive training on these types of scenarios and work through real-life case studies to know how to manage that process through to a successful outcome for the bank.”

Karen Epper Hoffman is a writer in Washington state.