Pub 3 2021 Issue 3

HOMETOWN BANKER | HOMETOWNBANKER.ORG | 5

Management company, and Rachael Schwartz, Business Development Director and Director of Partnership at CSI, a FinTech and RegTech firm for financial institutions. Both organizations are PACB Preferred Providers and participants in our education programs.

PACB: What are the primary concerns for security in banking right now?

BURRIS: “Ransomware. This is the key type of attack for all industries. You can’t stop it from happening, but you can be prepared for it when it does. You don’t want to pay the ransom to get access to your data.”

SCHWARTZ: “Having a secure remote workforce. Banks had to move fast in 2020. Remote access provided for workers created increased vulnerability to computing systems, while at the same time provided more opportunities to those who threaten their security.”

PACB: Is there anything banks can do to prevent cyberattacks?

BURRIS: “You can’t always prevent an attack — hackers are good at what they do — but you can be prepared. For ransomware, the solution is to have your backup on a network of different systems. It’s still going to cost you in time and manpower to get up and running again, but you are in control of your data.”

SCHWARTZ: “Always be reviewing your systems of prevention and protection. Remote workers require more robust security solutions. Banks who were already on cloud solutions were able to make the transition for remote access easily and quickly. Those who were managing email internally moved to hybrid cloud solutions like MS 365. They learned it was easier not to try to manage it all on their own.”

PACB: How do banks detect when they’ve been attacked?

BURRIS: “It’s not always immediately known. You’ve got to monitor the alerts. The SolarWinds situation could have started with an employee opening an email with malware. It’s that simple.
It’s hard to stay ahead of the attackers, and it becomes very expensive to undo the damage once it’s been done.”

SCHWARTZ: “Detection software is expensive. Attack alerts come in around the clock. You need to filter through to determine which are important. It takes a lot of manpower to manage and investigate the alerts. Many institutions that are handling this on their own drop the ball.”

PACB: How can our members minimize the effect of a cyberattack?

Both Schwartz and Burris agree that outsourcing your Security Operations Center (SOC) provides higher levels of security than trying to manage it in-house. Having security protocols in place around the clock in a 24/7 world has never been more important. Data is being accessed by employees and clients on desktops, tablets, and phones. These devices are in offices, at home, at coffee shops, and on beaches. Customers are banking through apps and connecting third-party vendors to their accounts. The ways data can be hacked and obtained are innumerable.

BURRIS: “Cybersecurity is finally being taken more seriously. It is more valuable and important than the money in your vault. That is insured by the FDIC. One breach can take down your organization and not just physically online. You lose trust when people know you’ve been breached and their personal information has been obtained. A lifetime of free identity theft protection service won’t make a difference — their information is out there — and you’ve lost their trust.”

SCHWARTZ: “Create a culture of positivity to properly report on issues — not fear. Promote positive ways of looking at security for both staff and customers. Across the board, people are afraid they did something wrong — when it isn’t their fault. Education of employees and customers is of utmost importance.
The human element cannot be controlled, but they can learn their role in security for their organization and personal information.”

Attacks such as the one on SolarWinds are accelerating broad changes in the cybersecurity industry. One such change is how software providers, including Fedwire Funds Service, are protecting themselves from liability for hacks by requiring banks to sign off confirming they checked on and have specific controls in place.

Schwartz and Burris tell us that the first months of 2021 have been the busiest in IT security. With attacks increasing, requirements getting stronger, and work from home becoming the norm, IT security teams are racing to support their clients’ ever-changing security needs. It’s never been more important to prevent, protect, and detect against cyberattacks.

The National Institute of Standards and Technology (NIST) provides guidance for security and privacy controls across all industries. A recent publication, Control Baselines for Information Systems and Organizations, is a quick-start guide to their flagship risk management tool to help organizations reduce their security and privacy risks more easily. More information can be found at news/2020/10/nist-offers-quick-start-guide-its-security-and-privacy-safeguards-catalog.

To help your SOC or IT staff stay on top of the latest news, industry professionals and PACB Preferred Providers like Rachael Schwartz and Jeremy Burris regularly present on topics of value to members of PACB. Please visit to see our full schedule of Knowledge Hours, Webinars, On-Demand programs, and educational and training services provided for members of PACB.

DIANE M. SWEENEY IS A PROFESSIONAL COPYWRITER AND CONTENT STRATEGIST. AT HER DESK, OVERLOOKING BEAVER CREEK IN CHESTER COUNTY, PA, SHE WRITES ARTICLES AND WEB CONTENT TO INFORM, PERSUADE, AND ENTERTAIN.
HER WORK CAN BE FOUND AT DIANEMSWEENEY.COM

NIST.GOV/NEWS-EVENTS/NEWS/2020/10/NIST-OFFERS-QUICK-START-GUIDE-ITS-SECURITY-AND-PRIVACY-SAFEGUARDS-CATALOG