Community banks and credit unions have special appeal for cyber criminals. Why? Smaller financial institutions maintain large amounts of financial and personal data, but are perceived to lack the same well-fortified defenses that big banks use.
In 2017, 58 percent of data breaches targeted small businesses, up from 53 percent in 2016, according to the Verizon Data Breach Investigations Report. One reason for the spike is that criminals have become more organized and sophisticated, leveraging dark web chat forums and government-grade software tools. Even financial institutions with strong security protocols can be tripped up through spearfishing and social engineering threats that target an individual employee's credentials.
The good news? Financial firms of all sizes may be able to sharply reduce their exposure with the following proactive measures:
Single solutions, such as a strong firewall or antivirus measures, can't protect against every threat. Comprehensive, around-the-clock protection requires advanced end-point detection, ransomware and malware blocking, network defense, threat intelligence, and an orchestrated real-time response. While it would be costly for the typical community bank or credit union to acquire the technology and specialized talent to maintain that level of coverage, managed service options exist today that offer equivalent or better support for less than the cost of hiring one experienced full-time cybersecurity professional.
To protect your reputation and assets, manage cybersecurity as thoughtfully as you're managing other business interests.
It's important to develop a written cyber-protection policy with clear protocols for employee devices, passwords, social media, payment authorization and other process controls. Examples include mandating that any transaction over an agreed-upon amount receive at least two written approvals, instructing employees not to accept email orders without first validating the orders with a phone call to the requesting firm or office, and requiring the use of VPNs to access financial institution networks from home Wi-Fi routers. Requiring strong password protections is also crucial.
Backups are an essential tool that too many organizations neglect. But the damage that can occur when records are destroyed or altered as the result of a ransomware incident or other breach can be catastrophic. Such events can result in the permanent loss of important personal and business data. Financial institutions can help mitigate the risk of ransomware strikes by backing up regularly and verifying the integrity of their backups to ensure all necessary information is captured.
While it is certainly important to conduct regular risk assessments in partnership with the head of IT, the chief information security officer and other members of management, getting an outside perspective can also help validate internal protocols and objectively assess your organization's preparedness. Bringing in outside advisors to conduct a cyber-risk assessment across your portfolio can provide your board with the information it needs to understand those risk factors, make truly informed investment decisions and encourage sound, enterprise-wide practices.
Insurance can offer additional protection against loss from cybercrimes. Ensure your policy is priced appropriately for your risks and carefully consider the coverage. Some policies are written to cover financial losses, while many others are narrowly written to cover just the immediate aftermath of an incident.
Not only do financial institutions need to keep their own house in order, they should also look out for the needs and vulnerabilities of their channel partners and suppliers. That can mean asking for quarterly risk reports and that at least one board meeting a year include a discussion of cyber health. Insist that each entity conduct an annual cyber health review and encourage partners and suppliers to engage a managed security service provider to improve their defenses. Those measures can help establish and sustain better cybersecurity discipline.
Finally, don't let cost be a barrier. The onset of a breach is the very worst time for a business to be scrambling for help. Lining up the right relationships now will ensure there is someone to call and a plan in place when an event does happen. To protect your reputation and assets, manage cybersecurity as thoughtfully as you're managing other business interests.
Interested in learning more? Watch How Orchestration of Cyber Defense is Critical to Cybersecurity to learn how adversaries and financial institutions are using machine learning to identify, attack and defend unique vulnerabilities.