Stay informed. Stay safe.
A COOPERATIVE RESOURCE TO KEEP COMMUNITY BANKS AND FINANCIAL INSTITUTIONS AT THE FOREFRONT OF CYBERSECURITY
what is KMBS?
KeepMyBankSecure.com is a cooperatively produced and underwritten resource for North American independent banks and financial institutions to learn and stay informed of the latest in cybersecurity planning and strategy. Our initiative was founded in 2021 by CalTech with the cooperation and assistance of Texas state banking authorities, state banking associations, and community bank leaders.
With the increasing number of recent threats against and attacks on U.S. institutions by malicious actors, we believe it is important for regulated industries such as banking to make cybersecurity a top priority. Now more than ever, cybersecurity should not just be a part of annual planning, but a part of the overall financial institution business model.
Engage
We aim to further raise awareness and discussions around cybersecurity as a means to decrease the vulnerabilities of financial institutions. As threats increase, so too must our awareness.
inform
Knowledge is power. The more banks and their people know about cyber threats and how threat actors go about exploiting our institutions, the better equipped we can all be at preventing attacks.
instill
Bank and financial institution cybersecurity is no longer a line item, but a mindset. We seek to help banks protect against threats by encouraging leaders to make it a part of their business models.
The Latest
Ransomware Attacks Pose Serious Threat
Monday, December 5, 2022
As the cybersecurity landscape continues to worsen across the globe, of particular concern is the alarming rise in ransomware breaches, especially within the financial services sector. According to the Financial Crimes Enforcement Network, cyberattacks, and ransomware specifically, are the most significant threats to U.S. financial institutions.
With more pervasive and sophisticated methods, ransomware attacks continue to create a new level of threat for the industry. Last year, 55 percent of financial organizations fell victim, up from 34 percent the previous year – a 62 percent increase.*
Research by Trend Micro Inc. found that the banking industry has been disproportionately affected by ransomware, experiencing a 1,318 percent year-on-year increase in attacks in the first half of 2021.
What Exactly Is Ransomware?
Ransomware is a type of malicious software (malware) designed to block access to a computer system or data. It often encrypts the data and locks the system’s screen or user’s files, then spreads to shared storage drives and other accessible systems.
Cyber attackers hold the system or data “hostage” until a ransom is paid. Usually, the ransom is a substantial amount of money or cryptocurrency.
If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. An emerging tactic is for the cybercriminals to steal sensitive data and threaten to publicly disclose it or sell it if the ransom isn’t paid, creating a double extortion scheme.
Mitigating the Risks
Early detection of a cyberattack is always important, but it is even more crucial with ransomware. Recognizing and eliminating the attack before the data is encrypted is vital, because once you see the ransom demand message, the damage has already been done.
Whatever the size of your business, it’s critical to invest in anti-malware solutions that monitor your network for any malicious activity. These techniques include signature-based detection, behavior-based detection, and detection through abnormal traffic.
Also, educate employees on how to detect ransomware and the action to take if they notice a suspicious email or link. Most ransomware attackers leverage human error to compromise systems.
While early detection is crucial, organizations must also implement effective ransomware recovery measures in case of an attack. So, it’s important to have a comprehensive data backup strategy. Data backups can restore the data to normal, as well as remove the infection, which eliminates the question of having to pay the ransom.
Should You Pay?
FBI and Department of Homeland Security recommend that companies avoid paying ransoms, because doing so encourages more attacks.
The decision of whether to pay the ransom should be made carefully at the organization’s highest level. And understanding what happens if you pay is key to making that decision.
Theoretically, if you pay the ransom, the attackers will provide a decryption tool and withdraw the threat to publish stolen data. But payment is no guarantee that all data will be restored. Gartner, Inc. notes the following realities of ransomware that must be considered:
On average only 65 percent of the data is recovered, and only 8 percent of organizations recover all their data.**
Encrypted files are often unrecoverable. Attacker-provided decrypters may crash or fail. You may need to build a new decryption tool by extracting keys from the tool the attacker provides.
Recovering data can take several weeks, particularly if a large amount of it has been encrypted.
There is no guarantee that the hackers will delete the stolen data. They could sell or disclose the information later if it has value.
Before negotiating with attackers, it’s important to engage a professional incident response team and consult law enforcement and regulatory bodies.
However, the best alternative to the pay-or-don’t-pay dilemma is to have a business continuity plan in place and to proactively defend your financial institution against ransomware attacks.
*source: The State of Ransomware in Financial Services 2022, Sophos report
**source: The State of Ransomware 2021, Sophos report
anatomy of a cyber attack
Can this really happen? Yes. It already does. Find out how.
expert advice
Recorded in late-2021, we invited Executive Chairman, Trey Maust, of Lewis & Clark Bank of Portland, Oregon and Phillip Hinkle, Director of IT Security Examinations for the Texas Department of Banking, to sit down and talk about a range of topics related to cybersecurity. Specifically, the two focused on issues impacting community banks and financial institutions. Learn more about these topics below, as we progressively release the videos through 2022.
cybersecurity
strategy
What are some of the best practices in planning your financial institution’s strategy for cybersecurity?
RANSOMWARE SELF-ASSESSMENT
There’s a tool available for any bank or financial institution to assess their preparedness for a cyber attack — the Ransomware Self-assessment Tool.
cybersecurity management
Do you handle cybersecurity on your own, or bring in outside experts? Let’s talk Cybersecurity Management.
CIS CONTROLS
& FFIEC CAT
This segment covers CIS Controls and the FFIEC CAT — two important standards in staying atop your institution’s cybersecurity practices and planning.
Vendor Management in IT
Banks face challenges working with a vendor or internal party that does not have a focus on banking. Spend time understanding the topics unique to the banking industry’s needs.
3rd Party Firms Risk Management Assessment
Partnering with a critical vendor is a big step for companies looking to outsource a particular practice or expertise. Before signing on, conduct your risk management or risk assessment analysis to ensure the vendor is the appropriate one for you.
MOCK FFIEC EXAMS
Mock FFIEC Exams too often focus on compliance rather than on securing your bank. This is a mistake. Phillip Hinkle shares his take on the subject with Trey Maust.
Gramm-Leach-Bliley Act pinpointing Risk Areas
Universal standards that cover a multitude of industries do not always include bank-specific elements, such as the Gramm-Leach-Bliley Act. When looking at your bank’s unique security elements, you must ensure that a focus on regulation is not forgotten.
Management and Board Education on CYberSecurity
Board management and education on cybersecurity is a road one shouldn’t take alone. Lean on trade associations, experts, and make a commitment to knowing this is a skill set you need to develop to stay ahead of new threats.
PSA Board Cybersecurity
It’s vital that you and your board stay plugged in with outside resources, trade associations, peers, and information-sharing networks to build an understanding of the fundamentals of cybersecurity.
expert advice
Ryan Melle, SVP, Chief Information Security Officer at Berkshire Bank, joins Rob Houser, Strategic IT Consultant at CalTech, to discuss how cloud-based services and technology provide benefits but also create challenges in the risk landscape for banks.
There don't have to be trade-offs when it comes to cybersecurity. Have the solution that fits your organization and learn how to use technology to your benefit.
As cyber-attacks advance and become more prevalent, do you have the proper security to defend against scammers?
With the recent shift to remote workforces, companies have to evaluate their security beyond the walls of their building. Employees working from various locations pose a new challenge to organizations when it comes to managing cyber risk.
Keeping your bank secure can be costly, but an attack creates far more risk. Find out ways to manage your security and maintain costs.
cybersecurity Q&A
A PRIMER FOR BANKS AND FINANCIAL INSTITUTIONS
how do we prevent cyber attacks?
There are many tactics that are available to prevent and thwart cyber attacks, but a multi-layered (i.e. multi-factor authentication) approach alongside end-user education is probably the simplest and most critical.
Is my bank vulnerable?
There is always a chance that your bank infrastructure is vulnerable. However, the best way to know for sure is to find and engage a qualified IT services provider to perform an audit and assessment of your infrastructure and protocols for cybersecurity. Only then will you know your degree of vulnerability and the best steps your financial institution can take to lessen your risk.
where do these attacks come from?
The short answer is, from all over the world. However, as has been recently reported by the U.S. government and intelligence community, we’re seeing an increasing number come from Russia, Eastern Europe, and China.
how fast do these attacks occur?
Cyber-attacks can start with the single click of a button but can take weeks to fully infect a network and steal data before locking you out of access data.
what about my remote employees?
Remote access can always be a weak point for security. However, you don’t have to limit your remote employees and their productivity to be able to protect them. Education, software, hardware, and protocols can all be enacted to ensure better cybersecurity, even for remote employees.
do ransoms always have to be paid?
Depending on the scale, source, and sophistication of the attack and your backup and recovery systems in place at the time of the attack, not necessarily. With the right systems in place, even partially successful attacks and data lockouts can be circumvented.
how do hackers get into a server?
Hackers typically gain access via less obvious means first, like a mobile device or a workstation. Email is an easy and popular place for them to gain access since much information is shared between and amongst employees via email. From there, hackers will typically dig around until they find the servers and the credentials necessary to access them. This is why it is good practice to use separate administrative accounts from your email account(s).
how do we know a hacker is serious?
You will know a hacker is serious by the amount of evidence of the infiltration of your IT infrastructure. For example, if the hacker has encrypted your data and locked you out, then you can assume they are serious. Another sign of the seriousness of an attack is the hacker’s choice of communication. A serious hacker will usually insist on a sophisticated and non-traceable means of communication.
how do we train employees for this?
Monthly end-user training combined with quarterly testing by a qualified IT security provider is a great place to start in order to introduce and educate employees to cybersecurity best practices and protocols.
can we catch these criminals?
Unfortunately, most of these criminals are outside of the United States. Without government and international authority intervention, options to bring them to justice are limited. The best defense is to have a proactive plan and approach to cybersecurity.
what other kinds of attacks are there?
Other than phishing schemes, there are attacks known as brute-force attacks where the hacker simply uses trial and error to guess credentials. There are attacks that shut down websites, such as denial of service attacks, where a web server is flooded with false data requests. There is also a credential stuffing attack, where a hacker gains access to one’s password and login credentials and then proceeds to try the credentials across multiple sites and networks. This approach counts on users using the same login credentials for different networks and services. These are just a few, but there are many others.
how do i know if i’m a target?
Anyone and everyone can be a target. If you receive spam mail, you have most likely been targeted. If you have received an email that attempts to get you to click on a link by evoking an emergency or urgent situation, you have definitely been a target. Hackers count on volume and the weakest link to gain access to organizational data. This is usually through employees and staff.
what kinds of passwords need to be set?
Passphrases should be used instead of passwords. This allows a longer character count while still making it easier for the end-user to remember. And, never use easily guessed content in your passwords or passphrases (e.g. “password”, your name, sequential numerals, etc.)
how often do we change passwords?
You should change passwords at least every 90 days unless you have complex passphrases in place. However, even then, it’s wise to periodically change them.
additional resources
Center for Internet Security
National Institute of Standards and Technology