Cybersecurity expert: Compliance doesn’t equal security

Bob Cedergren

With bitcoin being the currency of choice for cyber criminals, perhaps the time has come for community bankers to set up a bitcoin account and keep a small balance of bitcoin on hand to pay ransom. While that may sound defeatist, Bob Cedergren, a cybersecurity expert with Wipfli LLP, unpacked sobering cyber stats during his session at the Independent Community Bankers of Minnesota’s annual convention, held Aug. 9-11 at Mystic Event Center in Prior Lake, Minn., including this one: Cyber crime has surpassed the drug trade to become the most prevalent criminal activity in the United States.

“It’s the greatest threat to the U.S. government,” Cedergren said. Attacks come from eastern Europe and Russia, and “how to” advice is easily found on the dark web. Since January 2016, 4,000 cyber attacks have been launched every day. These days, bankers are having to spend more than ever to protect their institutions from what seems all but inevitable.

Cedergren said most criminal activity occurs several months after initial access to a system is gained. In fact, 205 days is the median number of days hackers are inside a system before they act against it.

Increases in these types of incidents stem from the proliferation of access points, including mobile devices and tablets, employees bringing their own devices to work, employees who work remotely, and outsourcing work. Bankers should weigh the cost of productivity gains against their cyber risks when allowing such flexibility.

Bad passwords and email scams remain the top ways criminals get into computer systems. Emails that look as if they have been legitimately sent from agencies such as the FDIC or the IRS (or Amazon) successfully trick employees into clicking, which can give criminals access to a bank’s files. “People pay attention to emails from these sites, so beware,” he cautioned.

“Any organization regardless of size is a target,” Cedergren said. “And that’s a change from 10 years ago.” Email phishing attacks targeting companies with fewer than 250 employees increased to 43 percent in 2015, up from 18 percent in 2011. By contrast, email phishing targeting the largest enterprises dropped to 35 percent in 2015, down from 50 percent in 2011.

Cedergren shared a story of a bank located in central Wisconsin that was targeted as its local school district processed its payroll. Once the payroll was processed and approved, hackers accessed the payroll spreadsheet and changed the bank routing numbers, effectively stealing everyone’s paycheck. The bank’s insurance company covered the loss, Cedergren explained. “The bank took it upon themselves to write the claim and stave off reputational risk.”

“Cyber thieves are expanding account takeovers and extorting big bucks,” Cedergren said. Criminals are just as interested in account information as they are in money; they want business and individual accounts, employee lists and access to systems that move money. Cedergren said nonprofits are targets, too, because crooks want donor lists. “It all gets out into the marketplace and it’s all for sale.”

“Compliance doesn’t equal security,” Cedergren said. Banks need to plan for when their systems will be compromised. When it happens, he said, don’t expect to be able to wire the crooks ransom money. Hackers want bitcoin, he said. “And that takes time.”