Independent Banker - January 2019 - 49

distributed denial of service (DDoS) attacks against
websites in the financial world.
Other risks include business emails being compromised,
wire transfers going astray and banks being sued by
customers. "If you get sued by your own customer because
a wire transfer went out the door," Payton explains, "even
if the bank wins because the bank's not wrong, it's still
a losing proposition when your own customer sues you.
That's a huge potential risk."
But there is another hidden risk Payton says isn't
being talked about nearly enough. "What cybercriminal
syndicates have figured out is this: If I break in and don't
take anything, and I don't lock any files up; if I break in
and I only do one thing, which is to deposit cryptocurrency
mining software and steal your CPUs from you, and you
don't even know it, then I can fatten up my digital wallet
and nobody else is the wiser.
"So, we're starting to see, where these silent break-ins
have occurred, they've figured out how to hide in plain
sight within your processing. It's like your neighbor
stealing your electricity by plugging into the outlet behind
your house with a long extension cord."
Practical security steps
What can community banks do to combat these threats?
First, Payton suggests a walkabout. "Go to each of your
functions that takes care of your customers," she explains.
"Don't try and fix, and don't try to criticize, but ask them:
Are there any system processes or manual processes that
you have to create a workaround for in order to take care
of the customer? You could very well learn at that moment
that people are writing customer data on Post-it notes or
taking pictures of screens with their phones. Don't chastise
them for doing it. Just listen. And then look for design
opportunities to remove those obstacles."
Second, plan for the worst and pray for the best.
Payton suggests quarterly top-down digital disaster
exercises, changing the scenario each time. "I would highly
recommend the first thing being a ransomware attack," she
says, "and make it for real. Time yourself. Ask somebody
how long [before they can] start restoring backup. And see
how long it actually takes to validate the data. I have people
say to me 'eight hours,' and they come back and it's 18, 24,
72, 96 hours. That's really important."
Another exercise could be a DDoS attack against your
website, like the Mirai botnet of 2016, when almost the
entire East Coast screeched to a halt. "So, the question is:
With your website down and social media not available,
how do you let your customers know you're still open for
business? What do you want to do? [An email] blast? An
old-school phone tree? Do you want to text message all of
the cell phones you have on file? What's the backup plan?"
Third, Payton recommends doing some social
engineering campaigns against third-party vendors and
your own employees to look for potential weaknesses.
"Who clicks on which links and why? Who opens up
attachments and why?" she says. "Ask yourself: Is there a
way to prevent that from happening by using additional
tools and techniques? Or is there a way to almost create a
sandbox for link opening and attachment opening so that
we don't have damages when people make bad choices?"
Payton admits these are difficult concepts and advises
community banks to learn about the issues. If that fails, seek
outside help to find out what your peers are doing about it,
for example, ransomware and cyber liability insurance. "You
can see why I say sleep and rest are completely overrated!"
she laughs. "There's so much to do."
Roshan McArthur is a writer in California.
HOW TO STAY UP TO DATE
To keep up with emerging threats, Theresa Payton
recommends the following steps for banks.
- Appoint a board member who is responsible for a
  sub-working group on security and governance.
  Then decide whether your bank has the capacity
  to recruit in-house staff. If you add two staff
  members, for example, will they have the capacity
  you need?
- Look at bringing in an outside team as an
  alternative. Look for a trusted partner that
  understands the needs of community banks:
  mission, tight margins, operations, vendors,
  internally developed programs, customer care and
  recovery-time objectives.
- Keep up with information from security
  conferences. These three sites all upload short
  videos explaining key issues and fixes:
  rsa.com
  blackhat.com
  defcon.org