While major cybersecurity breaches like the recent attack on Target tend to grab headlines, smaller banks are actually much more vulnerable to cyberattacks than their larger peers. Yet many community banks have failed to invest sufficiently in security.
Large banks are more inclined than their smaller counterparts to belong to an information-sharing organization like the Financial Services Information Sharing and Analysis Center, according to a May 2014 report from the New York State Department of Financial Services. More than 60% of large institutions belong to FS-ISAC or a similar center that alerts organizations to industry threats, compared to 25% of small institutions. Smaller banks would benefit from participating in information-sharing groups and should be privy to the same cybersecurity intelligence that large banks receive.
Large financial institutions are also far more likely than small institutions to have a dedicated information security position, according to the report. More importantly, 90% of large institutions have a documented information security strategy, while only 62% of small institutions have one. Smaller institutions also lag behind in cybersecurity technology: 57% of small institutions have invested in data loss prevention tools, compared to 78% of their larger counterparts. In addition, smaller institutions are less likely to use effective methods of authenticating their customers, such as smart cards and one-time passwords.
One major reason why smaller banks trail their larger counterparts in cybersecurity is that they lack the resources to make necessary but expensive investments. This problem could be solved by adopting a model currently available to small law enforcement agencies. Because many of these agencies could not individually afford to maintain a computer forensics examiner, purchase digital forensics tools and train officers in digital forensics investigations, the Federal Bureau of Investigation set up regional computer forensics laboratories across the country. The centers provide local law enforcement agencies with much-needed training, access to forensics technology and a place to conduct computer forensics investigations.
This highly effective model could be instituted by the United States Secret Service, which spearheads financial crime investigations in the U.S., in order to help smaller banks with tight IT budgets share cybersecurity resources, train staff and investigate potential breaches.
Small banks might also look to utility companies for inspiration. Many small utility companies have cut costs by centralizing their IT departments into one main department. In addition, universities could be a cost-effective resource for finding security vulnerabilities in the networks of small banks, determining new methods of authentication, and providing many other security solutions for financial institutions.
Small financial organizations must learn to be better prepared for cyberattacks. Luckily, the vast majority of security breaches can be avoided at little or no cost. If small banks share information and resources with one another, they can protect both themselves and their customers from hackers and hefty losses.
Darren R. Hayes is assistant professor and director of cybersecurity at Pace University's Seidenberg School of Computer Science and Information Systems. A former investment banker, Hayes began his career in the financial services industry with Cantor Fitzgerald at the World Trade Center.