For the National Bank of Blacksburg, Virginia, the nightmare scenario for community banks everywhere began with an employee ignoring basic cybersecurity hygiene.
Russian hackers' entry into NBB's computer systems and network "most likely originated from a phishing email to a National Bank employee," according to a 2018 lawsuit the bank filed against its insurance company for failing to cover the losses from the incident two years earlier. Unfortunately, phishing attacks have become more common during the coronavirus crisis.
At NBB, the hackers changed customer account balances, monitored network communications, removed critical security measures such as anti-theft and anti-fraud protections, conducted keystroke tracking, and entered and changed electronic data and computer programs on the bank’s computer systems. Then they used ATMs across the country to pilfer more than a half million dollars.
The bank installed new security systems, but another phishing email allowed the hackers to steal almost $2 million more eight months later. All told, the Russians made off with $2.4 million in funds during the two intrusions.
What happened to NBB is a prime example of the tech-based threats facing community banks, says Paul Ferrillo, a partner at McDermott Will & Emery.
Community banks and credit unions “unfortunately many times do not have the resources to keep up with the latest technological innovations and operating systems,” says Ferrillo, who works with banks and credit unions on cyber IT asset management prevention and response.
"Operating systems are many times out of date, and very often vulnerabilities are not patched on a timely basis, which allow attackers prime avenues to attack their network."
The main vulnerability, he says, is phishing attacks aimed at spreading malware onto the firm’s network. That malware could be looking for email addresses and passwords to allow a successful business email compromise attack or, even worse, it could be a ransomware attack intended to encrypt its files.
Endré Jarraux Walls, chief information security officer of Phoenixville, Pa.-based Customers Bank, says as larger financial institutions rely more on rapidly advancing technical solutions, community banks become bigger targets with fewer resources to defend themselves.
"Community banks have a bigger challenge than other banks in the industry,” Walls says. “The prevalence of internet-enabled banking and all of the things that come with have turned the average community bank … into a national or even global player in the financial industry."
Walls says “community banks, from what I’ve observed, tend to be baptism-by-fire-type folks – they know the threats are out there, they have an idea of the level of investment it takes to prevent those threats, but they still treat security like it’s insurance.”
And no matter what technologies community banks deploy, the NBB breach reinforces that the banks’ employees are still the weakest link.
“When it comes to threat vectors, let’s be honest – the employees themselves are the greatest threat to the organization’s security, and most organizations do not take that threat seriously,” Walls says.
The way ahead
Today’s banking security dilemma can be boiled down to three primary elements, says Sebastian Fazzino, director of sales operations for Gladiator & Financial Crimes Solutions from ProfitStars, a technology solutions firm serving banks and credit unions.
- The sophistication of threats
- The complexity of IT environments
- The shortage of IT and information security professionals
“This combination is eroding community banks’ ability to protect consumer account information, corporate confidential data, and the availability of their computing infrastructure to serve their customers and members,” he says. “The hard truth is that FIs are more exposed today than ever before.”
Regulators have done a good job ensuring all financial institutions, even the small ones, are addressing the basic security requirements, Fazzino says. That includes ongoing system, application and third-party patching; 24/7 firewall and IPS monitoring; DNS security monitoring; email security scanning; endpoint protection on all systems; and annual penetration testing.
But community banks must “continue to budget and invest in the latest security solutions and employ today’s advances in technology to better protect their institution from the pervasive and persistent cyberthreats,” he says.
Among other things, Fazzino recommends that community banks:
- Reevaluate their security provider and ensure that they are using a modern security information and event management platform leveraging applied threat intelligence, machine learning and automation.
- Consider running vulnerability scans weekly and on-demand when vulnerabilities are announced.
- Update unified threat management devices and deploy their full functionality.
Walls says the biggest challenge community banks face is their perception of risk.
"Unfortunately, banks still view cyber risks as tactical challenges and not strategic ones,” he says. “The days of hackers hitting you the moment they find a weakness are over. They strategize for effectiveness and are focused on monetization. So if the security threats are strategic, the solutions should be as well."
Howard Altman covers the military and national security for the Tampa Bay Times. His work has also appeared in the New York Times, Philadelphia Inquirer, The Daily Beast and other publications.