Community Banks Brace for Cyberattacks

Community banks, which have largely dodged a recent wave of cyberattacks, must prepare for the next major online assault.

Big banks are getting the most attention from hackers, but smaller institutions could also be susceptible, industry experts warn.

"Smaller and midsize banks believe it won't happen to them," says Cara Camping, director of managed security services at SunGard Availability Services. "But attackers will go after them. Everyone's vulnerable."

U.S. intelligence officials have also issued warnings about cyberattacks as assaults have crippled the online and mobile banking platforms at banks such as Wells Fargo, JPMorgan Chase and Regions Financial.

The Office of the Comptroller of the Currency has reached out to its banks to reinforce the need to stay vigilant, a spokeswoman says. At a recent meeting hosted by the Federal Reserve Board, a speaker told the audience that cyberattacks against smaller banks are inevitable, says Lowell Dansker, chairman and chief executive at Intervest Bancshares in New York.

Many of the recent attacks have involved distributed denial of service, or DDoS, which flood a website with so much information that the bank can't respond to legitimate requests. A study issued in December found that nearly two-thirds of respondents had experienced a DDoS attack in the last year.

Hacktivists have claimed responsibility for many of attacks, which they characterize as a form of protest. But there are entities, such as organized criminal enterprises and foreign governments, that also target U.S. financial institutions, says Greg Bell, service leader for information protection at KPMG.

Over the last five years, cybercriminals have moved from finding targets of opportunity — companies that lacked the proper security to thwart an attack — to specific victims. The latter strategy is more difficult to defend against, Bell says.

"I hate to be a doomsayer, but you have to understand these guys are highly motivated and they only have to be right once," Bell says. "We have to be right 100% of the time, so the odds are not in our favor."

Smaller banks can complete a few simple steps to better guard against a breach, industry experts say. Educating employees about potential threats and scams is important, Bell says. This includes outlining the types of seemingly innocuous data that is sometimes posted to social media sites, but could prove useful to hackers.

Community banks should also review their operations and identify their most-valuable data, such as customer account information. Managers should set up strategies to protect that data, even if the information is stored with an outside provider, Bell says.

Banks must have proper monitoring for detecting attacks. Most companies don't realize they've had a breach until they are notified by an outsider, like a customer or a law enforcement agency, Bell says.

A proper level of security requires quarterly testing, Camping says. This could include penetration testing — where an expert examines a bank's response by trying to break into the network — or simulations to review things like traffic patterns based on known threats, she says.

Smaller banks should utilize their close ties to customers to fight cybercrime, says Doug Johnson, senior advisor of risk management policy at the American Bankers Association. "Smaller banks know their customer base, so they can view those accounts and see if a transaction is unusual since they personally know them," he says.