Community banks, which have largely dodged a recent wave of cyberattacks, must prepare for the next major online assault.
Big banks are getting the most attention from hackers, but smaller institutions could also be susceptible, industry experts warn.
"Smaller and midsize banks believe it won't happen to them," says Cara Camping, director of managed security services at SunGard Availability Services. "But attackers will go after them. Everyone's vulnerable."
U.S. intelligence officials have also issued warnings about cyberattacks as assaults have crippled the online and mobile banking platforms at banks such as Wells Fargo, JPMorgan Chase and Regions Financial.
The Office of the Comptroller of the Currency has reached out to its banks to reinforce the need to stay vigilant, a spokeswoman says. At a recent meeting hosted by the Federal Reserve Board, a speaker told the audience that cyberattacks against smaller banks are inevitable, says Lowell Dansker, chairman and chief executive at Intervest Bancshares in New York.
Many of the recent attacks have involved distributed denial of service, or DDoS, which flood a website with so much information that the bank can't respond to legitimate requests. A study issued in December found that nearly two-thirds of respondents had experienced a DDoS attack in the last year.
Hacktivists have claimed responsibility for many of attacks, which they characterize as a form of protest. But there are entities, such as organized criminal enterprises and foreign governments, that also target U.S. financial institutions, says Greg Bell, service leader for information protection at KPMG.
Over the last five years, cybercriminals have moved from finding targets of opportunity — companies that lacked the proper security to thwart an attack — to specific victims. The latter strategy is more difficult to defend against, Bell says.
"I hate to be a doomsayer, but you have to understand these guys are highly motivated and they only have to be right once," Bell says. "We have to be right 100% of the time, so the odds are not in our favor."
Smaller banks can complete a few simple steps to better guard against a breach, industry experts say. Educating employees about potential threats and scams is important, Bell says. This includes outlining the types of seemingly innocuous data that is sometimes posted to social media sites, but could prove useful to hackers.
Community banks should also review their operations and identify their most-valuable data, such as customer account information. Managers should set up strategies to protect that data, even if the information is stored with an outside provider, Bell says.
Banks must have proper monitoring for detecting attacks. Most companies don't realize they've had a breach until they are notified by an outsider, like a customer or a law enforcement agency, Bell says.
A proper level of security requires quarterly testing, Camping says. This could include penetration testing — where an expert examines a bank's response by trying to break into the network — or simulations to review things like traffic patterns based on known threats, she says.
Smaller banks should utilize their close ties to customers to fight cybercrime, says Doug Johnson, senior advisor of risk management policy at the American Bankers Association. "Smaller banks know their customer base, so they can view those accounts and see if a transaction is unusual since they personally know them," he says.
Small banks should have a plan in place to address potential breaches. The plan should outline how to handle the incident and how to disclose it to clients, regulators and the media, Bell says.
Unlike larger banks, smaller financial institutions often lack the internal expertise and resources to develop these security measures. Instead, they rely on outside vendors, industry experts say.
When selecting a firm, it's important to review the provider's history, backgrounds of key executives and any independent audits, experts say. Banks should be wary of firms that sell products only on fear because they "may lack a broader prospective," Bell says. He also advises caution when dealing with firms that offer a 100% guarantee because "that's simply not possible in today's world."
Banks should also take the time to carefully outline their expectations in vendor contracts and routinely follow up to make sure the guidelines are being met, industry observers says.
Community banks must make sure that vendors are updating the systems and services as technology changes, says Viveca Ware, executive vice president of regulatory policy at the Independent Community Bankers of America.
"Smaller banks are dependent on core service providers who are supposed to be up-to-date about security," Dansker says. "It's incumbent upon us to make sure they are doing what they are supposed to be doing."
The key to successful cybersecurity is awareness, Dansker adds. The $1.7 billion-asset Intervest has an IT staff and a steering committee to oversee its efforts and review vendor contracts. The company sometimes asks its auditor to look at best practices at other companies.
"As technology becomes more widespread and we become more dependent on it, you have to add security," Dansker says. "It's one of the costs of doing business."
Such preparation may lead to upfront costs, but it is better than reputational damage and a loss of customers if a breach occurs, Camping says.
"If you suffer an attack it can cost you millions," Camping says. "An investment in security is minor compared with that."