Big Breaches Coming to Small Institutions…A CEO’s Worst Nightmare

As published in the Pennsylvania Association of Community Bankers\’ February 2019 issue of Hometown Banker

Over the past decade, I have often heard bankers say, “We are not a big enough target for hackers; they will attack bigger banks first.”

Fast-forward to 2018 and the reality of community banks experiencing network breaches has arrived. Recent attacks on community banks that have been successful include the compromise of a single employee email account, potentially exposing confidential information contained within emails sent and received on the compromised account, and newly installed firewalls that are misconfigured or where the vendor leaves a default password. Additionally, inadequate network monitoring either due to insufficient internal monitoring and detection, limited hours of third-party coverage, or deficient quality of the review services, have resulted in a significant delay in detecting and responding to an attack.

These attacks and compromises provide imperative takeaways for all community banks today:

1. Phishing: Yes, breaches have occurred from just one user falling for a phishing attack.  A single click on a hyperlink or the opening of an attachment can place an attacker on a network as an administrator. It’s really that easy.
2. Secure Email: Even when emails containing potentially sensitive customer information are sent via encrypted email, the information may not be safe. The reason is a large number of secure email solutions store the email in clear-text on the sender’s machine. In other words, the email is encrypted when in transit, but is not encrypted on the sender’s machine while at rest. Therefore, secure emails alone will not necessarily protect you against a successful attack.
3. Network Configuration: A newly installed firewall that is poorly configured may not restrict outbound traffic, which can potentially expose 100% of client data.  Furthermore, if attackers send the information back to themselves using an encrypted channel, firewalls may not be able to detect or inspect the traffic leaving the network.
4. Network Monitoring: Choosing a network monitoring vendor that does not monitor the network 24/7 significantly increases vulnerability during a successful attack. While strong monitoring can shut down an attack within minutes, limiting the potential customer impact, a delayed response could potentially expose all information on the network.
5. No Bank Is Too Small: The days of believing small institutions won’t be targeted are over. Phishing emails are easy to construct and can be launched from anywhere.

The above attacks prompted the banks involved to realize the importance of cybersecurity budgeting, training, and incident response procedures.  Below is a short list of items that every institution needs to consider in this new wave of cyber-attacks focused on even the smallest of community banks:

1. Training: Employees remain the weakest link to an institution’s security.  Social engineering tests should be conducted, with results reported to the Board of Directors or a similar body. Additionally, the institution should consider remedial actions, such as additional training, for employees who repeatedly fail phishing attempts during testing.
2. Multi-Factor Authentication: A system that can potentially contain sensitive information should be reviewed, and multi-factor authentication should strongly be considered.  While this solution can be costly, the price is much less than the reputational risk that an institution wagers when a breach occurs or potential costs relating to notifying customers of a data breach.
3. Quarterly Firewall Reviews: As required by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool, reviewing firewall rulesets after major changes, or at least quarterly, even if no changes were made, is crucial for ensuring that only preferred data is allowed in and out of the institution.
4. Secure Email: All institutions should review the way they use secure email. If the email is stored in clear-text within the sender’s inbox, policies should be reviewed and altered as needed to stress that email should not be considered secure and care should be taken when sending sensitive information via email.

A breach can happen at any institution. While banks can’t always be one step ahead of hackers, they can take many precautions to protect confidential information and hopefully forgo a CEO’s worst nightmare.