New cybersecurity rules go into effect for banks in 2022. Starting in May, banks are required to report any major cybersecurity incident to their primary governmental regulator within 36 hours of discovery. Banks also must notify customers if an incident, with impact, lasts more than four hours. Cybersecurity is a mutual responsibility in the business community. Here are strategies recommended by our bank’s CIO to help business owners keep data and information safe.
In 2020, the number of data breaches in the United States totaled 1,001 cases. Over 155.8 million individuals were affected by the accidental revelation of sensitive information due to less-than-adequate information security. Nearly 44% of attacks in 2019 were business-related, followed by medical (nearly 36%), banking (7.3%), government (6%) and education (8%).
Cybercrime costs are projected to exceed $6 trillion by the end of 2021. These eye-popping stats should make business owners stop and think about what they can do to prevent cyberattacks. No matter the type or size of business, there are strategies to defend against cyberattacks – protect, plan, and practice.
I recently hosted a cybersecurity webinar for our customers with Nick Ritter, Chief Information Security Officer at First Financial Bank. He explained strategically building a protection plan for IT systems this way: I’ve got a piece of Swiss cheese with all of those holes. I put another piece of Swiss cheese with similar holes on top of it, and the holes don’t overlap. Now we add a third piece of Swiss cheese, and it’s now a solid piece of cheese. In the same way, layers of defense are best when combined with other layers to protect the inner circle of your most important assets.
There are several tools available to business owners to defend against cyberattacks. Nick recommends the Microsoft Windows operating system with Defender built into it. Other options are subscription services such as CrowdStrike and Carbon Black. He says these software options tend to be more effective against more modern ransomware.
Develop a plan that details how to handle cyberattacks and partner with experts in cyber security. Think about a worst-case scenario and ask yourself, how would you react if your business were to succumb to a ransomware or business email compromise? Having a plan before the attack happens will mitigate loss. To help small businesses create a plan, the Federal Communications Commission created this Cyber Security Planning Guide.
Additionally, find a trusted cybersecurity partner to develop a reaction plan that incorporates best practices applicable to your organization. Nick says when shopping for a partner, find a company with a reliable security professional who understands your business and can give practical planning tips and tools.
Practice good hygiene when it comes to cyber security, especially when it comes to banking and accounts that hold credit card information. Share these best practices with staff.
Dual Controls: One way cybercriminals target businesses is through email compromise. For example, the hacker, who impersonates a trusted person, sends an email to an employee that reads, “I’m away from my desk right now. Please wire $10,000 to this account right away.” What’s the process for approval? It should involve more than one company representative. If the company does not have dual controls in place, the employee could wire the money without a moment’s hesitation. However, with dual controls requiring two individuals to sign off on a transfer, there is an increased chance the business will not succumb to the fraudulent wire hack.
Password Protection: Another practical approach to cyber security is proper password storage. In our webinar, Nick stressed passwords should not be shared. He says to make sure they’re really complicated, so people don’t memorize them. And it’s important to store them in a password vault. Apps such as 1Password are available for a small monthly subscription fee. Change your passwords frequently, so if someone attempts to log in as you, the password is incorrect.
Multi-Factor Authentication: Multi-factor authentication is crucial to prevent cyber hacks should your passwords become compromised. According to the Verizon 2021 Data Breach Investigations Report, 61% of breaches involved credential theft. Adding layers of identification helps ensure only authorized users access the most vital data in your company.
Awareness: The final aspect to practice is awareness. If something doesn’t feel right, it probably isn’t. Be extra cautious when providing personal information such as social security numbers, tax identification, or contact information. Make calls directly to the company to verify the validity of the person or organization asking for your information.
Rick Dennen is the founder, president & CEO of Indianapolis-based Oak Street Funding, a First Financial Bank company with customized loan products and services for specialty lines of business including certified public accountants, registered investment advisors and insurance agents nationwide.