Independent Banker - August 2017 - 108

Nuts & Bolts
Advisors, agrees that the perception of
smaller institutions having less-capable
controls makes them a target because
cyberthieves believe it will make for a
faster, easier attack and a more likely
payoff. " They see it as a pretty straight
path to the money, " he says.
For community banks especially,
whose most valuable currency is their
customer trust, the potential damage
of being publicly outed as the victim of
a ransomware attack could have more
than just a fi nancial impact, including
" a tarnished reputation, the downtime
of operations, and loss of data, " Leet
points out. " Particular to the banking
industry, falling victim to a ransomware
attack would very likely have a
substantial impact on their regulatory
risk and scrutiny, especially in a case
where the bank wasn't adequately
prepared to withstand or recover from
the attack. The reputational concerns
can also be much more impactful on
community banks. "
Indeed, the Kaspersky research
found that small and medium-size
businesses were hit the hardest last
year, with 42 percent falling prey to a
ransomware attack in 2016. Of those
enterprises, one in three paid the
ransom, but one in fi ve never got their
fi les back, even if they paid. Similarly,
a study by IBM Security found that
as many as seven out of 10 businesses
overall pay to get their data back.
What's the plan?
For community banks, the biggest
challenge remains resource and
budget limitations, according to Leet.
" Community banks don't always
have the luxury of investing large
sums into IT and cybersecurity
controls, " he says. " Moreover, they
may not be able to lure or afford
knowledgeable cybersecurity or IT
personnel who can bolster their level
of cyber-resiliency. "
Ransom payment does not
guarantee data recovery, either. In
April 2016, the FBI put out a release
strongly recommending that victims
not pay the ransomware perpetrators.
" Paying a ransom doesn't guarantee
an organization that it will get its data
back, " FBI cyber division assistant
director James Trainor said in the
release. " We've seen cases where
organizations never got a decryption
key after having paid the ransom.
Paying a ransom not only emboldens
current cybercriminals to target
more organizations, it also offers an
incentive for other criminals to get
involved in this type of illegal activity.
And fi nally, by paying a ransom, an
organization might inadvertently be
funding other illicit activity associated
with criminals. "
Victims' willingness to pay these
ransoms is also increasing attackers'
demands, according to recent
64%
The percentage of ransomware
victims who
paid ransom in 2016
research from Symantec Security
Response, which found that 64 percent
of ransomware victims paid up.
Reevaluate your focus
Joshua Jacobs, president and cofounder
of Sawyers & Jacobs LLC
of Collierville, Tenn., says the issue
often comes down to community
banks having " an insuffi cient or misdirected
focus on cybersecurity. " For
example, Jacobs sees many smaller
banks paying fi rms to remotely run
a simple network vulnerability scan,
considering this adequate cybersecurity
testing.
" In working with one community
bank client recently that had passed
its regulatory exams with fl ying
colors and had penetration tests performed
for years, it became apparent
that the bank had not backed up
some of its critical network data in
years, " he says. " Should this bank
have been hit with a ransomware
attack before we uncovered this
vulnerability, there would have been
disastrous consequences. "
108 ICBA IndependentBanker August 2017
Since innovation always
outpaces regulation by at least
two years, community banks must
preempt government instruction
on cybersecurity. Jimmy Sawyers,
chairman and cofounder of Sawyers
& Jacobs LLC, recommends
instituting adequate cybersecurity
testing and regular IT audits.
" Having the right controls and
security measures in place is critical, "
he says, " but those controls and security
measures must be tested to verify
that they are working as designed. "
McGowan advises looking to the
FS-ISAC (Financial Services Information
Sharing and Analysis Center),
a global forum for sharing cyberintelligence
across banks, state and local
government agencies, law enforcement
and other trusted agencies. The
ISAC system recently implemented
a Critical Infrastructure Notifi cation
System (CINS) to allow these groups
to send security alerts to members
around the globe.
" Banks need to get used to the idea
of sharing cyber-risk information, "
McGowan says. " There is no competitive
advantage to the bank next
door being attacked. "
Another important fi rst step is
simply to recognize that a ransomware
attack can happen to anyone.
Bjorklund encourages community
banks to be " realistic about the likelihood
of recovering data, " especially if
they are unwilling to pay the ransom.
" I don't see a lot of organizations
paying because you're just feeding
the beast, enabling the criminals, " he
says. Instead, he recommends banks
employ a defense-in-depth strategy,
using multiple layers of security to
protect their most vital information,
as well as frequent data backups and
employee training to spot potential
phishing scams.
" Cybersecurity is a neverending
battle, " Sawyers says, " but
an educated, engaged and aware
workforce is one of the best ways to
mitigate risk. "
Karen Epper Hoffman is a writer in
Washington state.
Independent Banker - August 2017

Table of Contents for the Digital Edition of Independent Banker - August 2017
