Customer financial data has high value with the criminals of the world, which means banks and other financial institutions have to be constantly evaluating and evolving to keep customers’ information safe.
“Our customers rely on us to protect their data and keep it from those bad actors,” said Chief Information Security Officer Kendall Reese of Simmons Bank. “If we do not protect their sensitive data, we lose customers’ trust, and ultimately, we lose their business. Further, bank regulatory agencies track and measure a bank’s ability to protect customer data. They expect us to safeguard the data effectively, and cyber is always a highly reviewed area when our regulators are performing examinations.”
At Simmons Bank, many levels of controls are used. No one control or person protects customers’ data; it is protected by many tools and by all of the Simmons Bank associates.
“Security is a portion of everyone’s role here at Simmons Bank,” Reese said.
It definitely is a challenge to provide 24/7 online access for customers. The very same mechanism customers use to access their accounts and perform transactions can be used by criminals to perform malicious activity. Reese said user credentials plus multifactor authentication (MFA) can mitigate many of the risks to a customer account being accessed by a hacker.
Simmons Bank provides general cybersecurity tips to its customers on a regular basis.
“We intend to give customers the basics that will allow them to be skeptical when the bad actor attempts to gain access to their data,” Reese said.
The information security (InfoSec) team at Simmons has many sources that are constantly monitored to identify the threats and rapidly make changes within the security tooling to counter those new threats.
“Continuous learning is very important in our industry,” Reese said. “Also, InfoSec teams tend to be very open to sharing cyber and information security experiences with other banks. This allows banks to be proactive to potential malicious activity that is occurring in peers.”
Ransomware continues to be a top threat. Taylor Cassat, vice president of business development and cyber intelligence at Little Rock cybersecurity training provider Forge Institute, said finance and insurance institutions were the top cyber targets for both 2019 and 2020. In 2020, the targeting of financial institutions rose 238 percent alone.
“Most of these groups [outside those sponsored by nation-states] are monetarily driven, so why not look to the source for the money?” he asked. “The average cost of a data breach in the financial sector topped $5 million.”
It is so difficult to battle cyberattacks because the cyber environment is constantly changing. For example, each time a new software update comes out, there’s potential for avenues for exploitation.
“People want things to be easy and accessible, which also leaves them vulnerable,” Cassat said. “When was the last time you changed your passwords for your bank accounts? Or your email address? The average American probably doesn’t do this more than once yearly.”
Each time a ransomware group gets too well-known, it seems to disappear. Recently, though, Cassat said his team is starting to see groups jump back into relevance with a slight rebrand. Darkside (the Colonial Pipelines exploiter) is believed to have rebranded as Blackmatter, for example.
Cassat said the best possible thing any institution can do is invest in the legitimate professional development of its people, develop a cyber-specific analytic capability and work on sophisticated cybersecurity controls and regulations that are assessed on a routine basis.
Jason Cathey, Bank OZK’s chief information security officer, said the abrupt closure of many workplaces in the spring of 2020 ushered in a new era of remote work for many.
“This pandemic-related shift to remote workplaces and cloud providers has resulted in increased threats from social engineering [phishing], ransomware and third-party breaches,” he said. “I believe people are the most important defense against cyber threats; as such, Bank OZK has invested significant time and effort creating targeted security awareness training for our bankers and customers. Additionally, our dedicated information security team maintains industry leading certifications and attends premier conferences to stay current on ever-changing cybersecurity threats.”
Cybersecurity is a top priority for the bank’s board of directors and executive leadership, which Cathey said is evident in its security-minded culture and strong commitment to its people, facilities and sophisticated technology.
Creating a strong cybersecurity culture starts at the top, said Tony Ferguson, senior vice president, business development/regional director for SBS Cyber Security. SBS acquired Arkansas-based BLU3 Technologies in 2014. Its executives now are based in Little Rock.
Ferguson refers to cyber theft as the modern version of bank robbery.
“Cyber-bank theft and fraud is a daily occurrence through various schemes targeted directly at the financial institution or through the customers to gain access to both consumer and commercial accounts,” he said. “Most community banks do a good job and really make an effort to implement security best practices. It is required.”
Reputational risk can outweigh the actual financial loss in the event of a cyber incident.
“A company’s brand and reputation can be directly linked to how it manages, responds and mitigates cyber risk,” Ferguson said. “Our local financial institutions are pillars of our communities and carry a high level of trust. Maintaining a perception of honesty and transparency are essential to avoid a short-term recovery becoming a long-term disaster following a cyber incident.”
Business leaders and the board of directors must be prepared and know how they will respond to a cyberattack.
“It is not a matter of if but a matter of when your business will experience a cyber incident,” Ferguson said. “In reality, nearly all businesses have already experienced some level of unauthorized access on their network or confidential information.”
Every year, the number of cyberattacks and amount of data exposed continue to break records. This year, there has been a number of high-profile incidents including SolarWinds, JBS and Colonial Pipeline. However, the highest area of growth continues to be the small-business community where there are limited resources, budgets and focus on cybersecurity, Ferguson noted.
“Ransomware is the leading weapon of choice, but the sophistication of threats in 2021 also increased with the use of emerging technologies by criminal organizations,” he said. “A number of the high-profile incidents this year highlighted both the sophistication and far-reaching impacts of supply chain disruption as a result of a ransomware attack. It becomes reality when it disrupts daily lives and is not just a headline about a large corporation losing money.”
A common misconception is that small businesses have a lower risk of being the target of a cyberattack than large corporations. In fact, the majority of malware attack victims are categorized as a small business.
“All businesses, regardless of size, must have a layered approach to cybersecurity,” Ferguson said. “People continue to be the weakest link in any security program, and malicious attackers target people internal and external to your organization. An organization with a strong security culture goes beyond internal employees and talks about cybersecurity threats with its customers as well.”