A community banker’s approach to cybersecurity

Every banker has heard more about cybersecurity in the last year than most of us care to hear in a lifetime. How much of what we hear is hype? And if it’s really that bad out there, how is a community banker supposed to keep up with it?

The reality is that the internet is a risky place, and to whatever degree we conduct business over the internet, we expose ourselves and our customers to some of that risk. The internet was originally conceived with collaboration, not security, in mind. I clearly remember working at a bank data processing center in the early 1990s when we installed our first email workstation. We all just shared the one email workstation; after all, we didn’t expect to use it very much.

But around the time that banks started conducting business over the internet, cyber criminals smelled opportunity and quickly followed. Security measures have evolved at the same rapid clip as the cyber criminals’ skills, and the sheer rate of change has been dizzying. The security frontier in cyberspace has been reasonably described as a new version of the “Wild Wild West.”

The good news is bankers know a thing or two about risk. Managing risk is part of the territory for community bankers — you’ve probably been managing credit risk since the day you walked into the bank. If you focus on the facets of the risk you can mitigate or control, it’s a lot easier to keep your sanity.

With that approach in mind, I’d like to offer some tools for a community banker’s cybersecurity sanity:

Stay informed. You don’t have the luxury of being naive about cybersecurity risks. So keep yourself informed and hold your team accountable for staying informed. Because they travel across shared internet infrastructure, our email conversations and online banking transactions pass through inherently risky places. We are doing business with our customers’ identity and bank accounts in those places. The bad guys would always like a piece of that, so following good “cybersecurity hygiene” is your first and best response.

Adjust your habits. Some industry statistics tell us that more than 80 percent of actual breaches could have been avoided if the people on the receiving end had just used basic cybersecurity hygiene. For ourselves and our teams in community banks, this is all about changing habits. We’ve all learned to change our habits when boarding airplanes during the last 15 years — there is nothing convenient about standing in an extra line, removing your shoes or being scanned, but we accept that some security measures are justified. There is no question that we trade away some convenience any time we add security steps, but this is the world we live in now. So, for example, use longer, more complicated passwords, only click on trusted links, never communicate confidential information by email, don’t use public internet sharing sites and, perhaps most importantly, know your customer!

Don’t go it alone. You don’t have to. Call me crazy, but I like working with most IT auditors and IT examiners. They have a wider view of our peers in the industry, know what is working and what isn’t, and have some great stories to tell. And they are on our side when it comes to cybersecurity — they want us to succeed as much as we do. So if they give me a list of recommendations, I try not to view it as a punitive measure — I see it as a consultation to help me prioritize. There are a thousand things we could do to constantly improve cybersecurity, and our auditors or examiners can help us focus our efforts on first things first. In the end, I would far rather learn about a potential weakness in our structure from our auditor or examiner than from a cyber criminal. So for that reason, consider taking advantage of your IT auditors’ and examiners’ expertise — tell them, ask them and listen to them.