Issues of Interest

Cybersecurity for the banking industry

Baker Newman Noyes Season 1 Episode 3

In this episode, Pat Morin speaks with Pawel Wilczynski about the current cybersecurity landscape, covering issues impacting the banking industry such as ransomware and third-party risk, as well as strategies organizations and bank leaders can use to minimize cyber risk.

For additional resources check out: 

https://www.bnncpa.com/resources/cybersecurity-risks-in-the-banking-industry/

Joseph Jalbert: Hello, and thank you for tuning in today to Issues of Interest from Baker Newman Noyes, where we cover assurance, tax, business advisory, and technology topics and trends affecting the banking and financial services industry. I'm Joe Jalbert, and I lead the banking and financial services practice here at BNN. Banks and financial institutions are constantly navigating volatility and change. Here at Issues of Interest, we help you stay current on what's happening in the industry so you can achieve success for your institution. Now let's get into the episode.

Patrick Morin: Hi, everyone. Thanks for joining us once again for Issues of Interest, BNN's podcast for the banking and financial services industry. I am your host today, Pat Morin, Information Systems and Risk Assurance Principal at Baker Newman Noyes. I am here with Pawel Wilczynski, Cybersecurity Manager at BNN. Hi, Pawel.

Pawel Wilczynski: Hi, Pat, and hello to everyone listening.

Patrick Morin: Thanks for joining, Pawel. Pawel, before we dive in, can you take a moment to share a bit about your role at BNN and what you focus on?

Pawel Wilczynski: Yes, of course. I joined BNN just over a year ago, and since then, we have been expanding cybersecurity services. Traditionally, BNN's Information Systems and Risk Assurance group offered SOC 2 services and general controls reviews. Recently, BNN recognized the need to offer more services, specifically in the cybersecurity realm. So we are now offering services like Virtual Chief Information Security Officer, compliance readiness assessments for frameworks like PCI or HIPAA, and then we offer risk assessments, third-party risk management, and things like that. And we have a lot of fun doing that. We get to help our customers achieve their cyber goals and improve everybody's cybersecurity posture.

Patrick Morin: That's great, Pawel. Thanks for that. We're here to talk about a few topics I'm sure you get to see quite a bit while you're out there helping our clients. But let's talk specifically about trends in attacks and what institutions and their leaders should be looking out for to keep the organization safe. So let's talk a bit about what are some of the most critical activities that people should be thinking about right now.

Pawel Wilczynski: So there's obviously a lot to do. There's a lot of things to pay attention to, but we like to always dial it down and think about the basics. There are a few basics that people on the individual level can do to improve overall security. A couple of them are email safety, and people are subject to voice phishing, which I'll talk about in a second. And web safety in general: we do spend a lot of time surfing the web for research and things like that, so there are a few things that I will mention about that which individuals can do to improve. Let's go back to email safety. Social engineering, generally speaking, plays on emotions that we as humans are susceptible to. There are two of them specifically: there's fear and there's greed. So any email that comes in unexpectedly that you didn't specifically anticipate, or maybe it comes in from a person that doesn't usually communicate with you, and if that email creates a sense of urgency and it's trying to entice you, either through a quick reply to get a gift card or a pair of AirPods, or on the other side, it creates a sense of urgency. For example, pretending to be an HR department, and they tell you that you need to update your paycheck information because you will not get paid. That should trigger you to take a moment and take a look at it again, because HR usually will not send you that email, and the gift card situations are usually a sign of something that's gone wrong with an email. So when you have that sense that something is wrong, you should look at things like where this email is coming from. You want to look at the email address. You make sure that the person's name as displayed and the person's name in the email match up, that it's from the company. The email address is at the company name that you would anticipate, not from Gmail or Yahoo. That's one thing. Two, you want to make sure that the links that are within the email actually go where the displayed link shows you. So if you hover over the link and the link matches, for example, it goes to bnncpa.com as displayed and you hover over it and it says the same information, then you know that link will go to that website. If it's something else, especially with very long domains, you should not click on that link. Same with the attachments. Any attachments that you don't really expect, you should, as a rule of thumb, not open.

Patrick Morin: So what you're saying, Pawel, is if it's too good to be true, it probably is.

Pawel Wilczynski: It usually is. So we want to always take a double take, be almost on the verge of being paranoid, check the details, check the email, check the links. Don't open attachments unless you specifically know that this person was supposed to send you something. And you're not going to get a bill unexpectedly to pay. And if it's a real bill and you think it's spam and you delete it, they will send it to you again. So you don't have to really respond to it right now. You don't have to click on those links right this second. It's never that urgent.

Patrick Morin: In your intro, you mentioned something about voice phishing. That sounds pretty interesting. What's that all about?

Pawel Wilczynski: Yeah. So voice phishing is another version of pretty much the same thing as email phishing. So voice phishing is basically a social engineer or an attacker calling your number and pretending to be somebody else. Maybe pretend to be a vendor, maybe pretend to be a partner or somebody else, and try to get some information out of you. So they may name-drop somebody who works in IT, or maybe name-drop somebody else from a finance department. It depends what they're trying to achieve, but you always want to be cautious about what kind of information you offer, and want to make sure that you don't specifically give up information about what technology a company is using, or anything specific about how you process financial information. Any specific questions like that should be a red flag, and you should not give up this information easily over the telephone. That's interesting in the new kind of 2023 way. There's also an AI version of voice phishing, where an AI voice generator would pretend to be somebody you know. So you may get the same old techniques from voice phishing, from social engineering, but now they are enhanced by the fact that they can mimic pretty much anybody's voice. If there is a sample of it online through podcasts, or they record you, or there's a YouTube video of you speaking, it could be cloned. So just be on the lookout for things like that and don't let your guard down.

Patrick Morin: Let's take a minute, Pawel, and talk about an officer who works at a bank, and what they may be doing in their day-to-day life that could impact their institution.

Pawel Wilczynski: Yeah, so everybody to some extent is visible on the Internet. Officers of banks or other organizations are exposed on a different level. Every company has a website and there's a management team listed there with your names and pictures, sometimes links to a LinkedIn profile or other websites. So we can't really not do that. But what we can do is to be extra careful, in the sense that we know that this information can be used against us, especially with social engineering. So social engineers can gather this information, figure out where you live, maybe what are the local teams that you care for, maybe you are very active in the school that you went to and you participate in their events, go to their games. All this information can be used against you in the sense of a spear phishing email, where this phishing email is not just a generic one. It's very tailored to who you are and what you care for, and therefore may be more successful in tricking you into clicking on that link. Maybe there's a link to a fundraiser or new gear or something else like that. So anybody who knows they are visible online should take another layer and not trust the things that come in their email, or the voice, the telephone conversation that they are having with people that they don't know.

Patrick Morin: So let's change perspective a little bit. We've been talking about items to watch out for, to protect yourself, but what are some of the best practices for protecting the information, particularly information at a financial institution?

Pawel Wilczynski: So there's, again, many different controls companies can apply, but the basic ones are strong passwords. There's a trend of going password-less, but we're not there yet. There's still a lot of legacy applications that don't support those new authentication methods. So passwords are here to stay for a long time. But it doesn't mean that we are out of luck. We can apply multifactor authentication on a lot of those systems and add another layer of security to that. But generally speaking, strong passwords, and passwords that are not repeated anywhere else, should be a standard practice. Long passwords with less complexity are better than those short ones that nobody can remember. Generally speaking, anything over 16 characters is not breakable by the current computing standards, or it will take a really long time. So long passwords combined with MFA will save the day most of the time. We want to make sure that MFA is used the proper way. We want to make sure the users are trained on how to use it, so they don't just click Allow whenever the pop-up comes up on their phone. We want to make sure that they look at it, to make sure that they generated it before they click Allow. Because MFA fatigue has been utilized by attackers to get into a few companies in the recent past, and some of those breaches were very visible. So MFA and passwords, that's one. Encryption is another. Even if the information gets stolen or it gets lost on a USB drive, if it's encrypted, attackers would not be able to get to the actual data. So encrypt anything, make sure that the USB drives are encrypted. Make sure that whenever you send an email with sensitive information, that is encrypted as well. It's so easy these days to implement that that there is really no argument against it. And besides those two basic aspects, there's a lot more that companies can do to implement security controls. Generally speaking, security should be layered. So if one layer fails, the second layer will stop the attacker. And generally speaking, the more layers you can put in, the better, and hopefully the attackers will get discouraged or stopped at some point.

Patrick Morin: So speaking of layers, Pawel, I know a lot of our clients have transitioned their platforms, particularly their back office and email, to cloud providers. Does that present new risks, and maybe better tools or opportunities to consider?

Pawel Wilczynski: The risk still exists, it's just a little different. When cloud was taking off a few years ago, companies were very happy about it and somewhat misinformed that all the security is now in the hands of the cloud provider. And that is just not exactly true. There is something that we call the shared responsibility model, where cloud service providers are responsible for the security of the cloud, and the clients, the tenants, are responsible for security in the cloud. In other words, if you have an account with AWS or Azure or Google, they are responsible for maintaining the infrastructure and making sure it's available to you. But whatever you put in there, you're responsible for encryption, for access control, even for backup. Because the data that's there, the cloud service provider is not going to back it up for you. So there's still a lot of things that we need to be doing. A lot of the same things that we used to do when we were on premises, it's just a little different because it's not physically in our building or in our colocation. But the most important thing about security is there are no firewalls now as we used to have them. So the new firewall, the new perimeter, is the access controls, those usernames and passwords and MFA, and making sure that only people who need to have access to these resources are able to get to that. So things like publicly opened S3 buckets on Amazon are very easily exploited. And so misconfiguration is something that we didn't really deal with while things were on premises. But now in the cloud, we need to pay attention to how things are configured. So between the configurations and IAM, these are really the two points that companies should be focusing on.

Patrick Morin: And IAM is what, again?

Pawel Wilczynski: Identity and access management. So usernames, passwords, and access controls.

Patrick Morin: Two resources: passwords, and particularly large or complex passwords, have been a recommendation quite a bit so far today. The only problem is that long, lengthy passwords can be hard to remember, and you shouldn't write them down. And I think I heard you say that you should use unique passwords for every system. For bank leaders, if they're encouraging their employees to follow that practice, it can be really frustrating. How could we help them? Give them some tips on how to make that a little more livable.

Pawel Wilczynski: They should get a lot of sticky notes. The best way to manage passwords is to use password managers. There's a few popular ones: 1Password, LastPass. There's a lot of commercially available products. They're, generally speaking, very good. Some of them are free, some of them are paid. Any of them is better than a written password.

Patrick Morin: On a sticky note. Bitwarden, I've seen, has become pretty popular too.

Pawel Wilczynski: Yeah, these are especially popular with healthcare organizations. A lot of them integrate with other systems, which is great, because then you have less to worry about. You don't have to copy-paste those passwords, since they are integrated. There's many different solutions to pick from. Any password manager is better than trying to remember those passwords, because then people can actually create those unique passwords that are really long. They could be 30 characters long at this point. If it's in a password manager, the length really doesn't matter, because we are not physically typing anything besides when you create them, or maybe not even then, because you can use a password generator. So these are great to use. One of them recently had a breach, but that should still not deter people from using password managers. They were very transparent about it, let people know, and there was plenty of time for people to change those passwords that may have been affected. So password managers are the solution for those complex, long passwords, unique to every system.

Patrick Morin: That's good to know. There are tools out there that can help us. So let's shift again. From what you said, these threats and risks are coming at us from all angles. What should we do to stay safe? Say I'm a bank president or vice president listening, and I would like to keep my organization safe. What should I act on?

Pawel Wilczynski: Everybody should, generally speaking, be on the lookout for suspicious activity. So we talked a little bit about not falling victim to social engineering. We want to make sure that we offer as little information to the attackers as possible. Taking into consideration the fact that information is already out there, either on the corporate website or LinkedIn or on Facebook, we shouldn't give more than we already do. For example, if somebody has a personal Facebook account, at least be aware that if they post pictures from vacation from far-away places, attackers can see that, impersonate this person, especially if they are a CFO or CEO, and send a spoofed text message to staff saying that they are on vacation but they need something done really quickly. And that would add another layer of credibility, because presumably that person would know that their CFO or the CEO is on vacation. So these are the type of things that could be used against us in a really quick amount of time. So we just need to balance this information-giving situation as much as we can and be mindful about what can be taken advantage of. Just like we talked about earlier, we should not fall to the sense of urgency. Always be a little aware: why am I getting this email? Why are they asking these questions? If there's a link, definitely be careful. If there's an attachment that you didn't expect, definitely be careful about that. So just pay attention to those things and don't let your emotional reaction be faster than your skepticism. And as an organization, we can offer cyber training. Obviously a lot of companies do that. A lot of times, this training is once a year, maybe a 45-minute video, maybe it's an interactive training. We want to strive for something that's more engaging, maybe shorter, but more frequent. It's also important to kind of make it fun and recognize that different groups of people absorb information in different ways. So kind of try to figure this out. Maybe the younger generations of our users will be more receptive to a different type of training than the older generations. So we basically need to be creative, because the attackers are very creative, and we need to keep up with that and make sure that everybody knows to be skeptical and knows what to look for. There's always a new influx of people, either coming to work from school or maybe from different industries. So we should never assume that people just know how to be cyber safe out there.

Patrick Morin: I am sitting here realizing that the listeners can't see me nodding along as you're saying these things. And in particular with the training, I like the idea of shorter trainings that are more relevant, more often, to keep it more front of mind, and in particular, when you can, to make it fun. And then, are there any organizations that may be leveraging AI in how they're protecting themselves in the cybersecurity space?

Pawel Wilczynski: I'm sure there are some solutions out there. AI is a really hot topic right now. It's not a new concept, but since last March, March 2023, it really exploded with the ChatGPT adoption, and people started getting very curious and asking it questions. And what I always say about that is, if you limit access to these tools from your corporate devices, people still try to get to it, either through their phone or a personal device. So I would lean back into the training and explain how it works, explain that the data that they put in there is not public. Any data that's put into a tool like ChatGPT becomes part of that learning model now. And there are people out there that are really skilled in trying to query it out. So, for example, a tax preparer would just put the tax information into that tool and try to get a report out. They need to be aware that this information is now part of that public domain, and there's no getting it back. There's no undo button in this sense. It's just there now. So we need to focus on training and making our users aware of what it is and how it works. And it's a great tool. There's a lot of tools like that out there now, and there's going to be a hundred more probably tomorrow. But we need to make sure that people know how to use that. And as far as using AI to defend our infrastructures, there are companies out there already that have been doing that for years. And these tools are really good. They respond faster, they learn faster than humans do, and they're great. They may not be available to every organization.

Patrick Morin: Yeah, expensive. I think I read recently that some of the malware or antivirus vendors are incorporating AI to more readily detect potential phishing scams in the language. It's constantly evolving.

Pawel Wilczynski: It's evolving, it's changing pretty much daily. And we need to do even more to stay silent with it and not fall behind because the attackers are not taking a day off. They keep innovating and we need to do the same if we want to be able to defend.

Patrick Morin: Well, Pawel, that, I think, is our time for today. Is there anything else you would want to add that we haven't touched on? Are there any key points that we should have our listeners take away with them?

Pawel Wilczynski: I would say social engineering is obviously the biggest area, and you might have heard it before: we are the weak link. Technology will defend us as much as we design it, but we as people are susceptible to those emotional reactions of either giving up too much information, or maybe sending an email to the wrong person with sensitive information, or clicking on the link or opening an attachment. So be aware of that. On that topic, it's October, and as of the airing of this episode, which will be in late October, October is Cybersecurity Awareness Month. We, BNN, and other organizations are putting a lot of content out there. Pay attention to these posts, articles, videos, and just be aware that a lot of those topics that are shared right now, they're really evergreen. So they're not going to be irrelevant in November. They will be just as good to read in March as they are now in October. So just keep in mind that attackers are not slowing down, and we need to focus on cybersecurity year round, not just in October. So, strong passwords, MFA, good cyber hygiene, software updates, and good backups will help you defend, and just stay vigilant. Try not to be too paranoid, but just verify those things before you click on them.

Patrick Morin: Well, Pawel, it was great to chat with you today. We covered some really good topics and have a lot of things to think about in the world of cyber. As you know, the banking industry is one of the more sensitive areas when it comes to thinking about attacks. So tips and reminders about how to stay safe are really important. Thank you.

Pawel Wilczynski: Yeah, thank you. And thank you for sitting down with me. And thank you all for tuning in and listening.

Patrick Morin: Yes, and we are always monitoring and sharing updates and developments. So stay tuned for more articles, podcasts, and resources from our team. Thanks all. Bye.

Joseph Jalbert: Thank you for listening to Issues of Interest from Baker Newman Noyes. The BNN banking team thrives on solving complex business challenges and helping institutions meet their goals. You can find more of our industry content and subscribe to our newsletters at bnncpa.com. If you'd like to connect with a member of our team, email info@bnncpa.com. Bye, now.

Baker Newman Noyes Disclaimer: This podcast is brought to you by Baker Newman Noyes. The information contained in this episode is based on data available as of the date of its release. BNN is under no obligation to update this information as changes occur. BNN podcasts, events, and publications are intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice, nor is it intended to convey a thorough treatment of the subject matter. The information in this podcast may or may not apply to your individual situation. Consult a professional for help applying these concepts to your personal circumstances. Please contact Baker Newman Noyes for additional assistance at info@bnncpa.com. More information can be found online at bnncpa.com.