(Des Moines, Iowa, Nov. 16, 2016) – In advance of International Fraud Awareness Week (Nov. 13-19, 2016), TMG Fraud Prevention Manager Ashley McAlpine warned credit union personnel not to be fooled by news coverage of distributed denial of service (DDoS) and ransomware attacks. “It may look like these attackers are only after the big guys. In fact, small organizations are very much on the radar of these criminals,” McAlpine said before an audience of credit union staff on Nov. 11, 2016.
A DDoS attack occurs when many compromised systems attack a single target. The result is denial of service for users of the targeted system. Ransomware, a type of malware deployed for “data kidnapping,” allows attackers to encrypt a victimized organization’s data so it becomes completely inaccessible. Ransomware attackers typically demand payment via bitcoin or another untraceable digital currency before they will decrypt and release the kidnapped data.
One recent high-profile DDoS attack disrupted Visa, Twitter, Spotify, Airbnb, Netflix and other major websites, causing an hours-long outage that prevented users from accessing the sites or their accounts within. A similarly high-profile ransomware attack on victims of the 2015 U.S. Office of Personnel Management breach is threatening as many as 22 million government workers.
Incidents like this can give small credit unions and community banks a false sense of security, McAlpine suggested to the credit union employees in attendance. Yet, community financial institutions are vulnerable for two reasons, she said. First, they can present an easy “test bed” for attackers working to hone their craft. Second, credit unions and community banks may have fewer layers of protection against DDoS and ransomware.
Ransomware, in particular, strikes small businesses at a rate eight times higher than that of larger counterparts. Some cybersecurity experts predict ransomware will become as prevalent as DDoS attacks in 2017.
“Community financial institutions must prioritize cybersecurity going forward,” McAlpine said. “Large banks and financial services providers are getting better at protecting themselves with every passing attack. As they become stronger, the target on smaller organizations becomes that much bigger.”
To mitigate the risks of both DDoS and ransomware attacks, McAlpine suggests community financial institutions consider the following:
Educate and train employees – Cybersecurity threat education and awareness campaigns must extend to the C-suite because of the increasing threat of “whaling.” These are phishing attempts targeting those at the highest levels of an organization.
Update firewalls and routers – Never fall behind on system updates. The risk is too critical to allow patches and firmware updates to slide.
Change default passwords – Systems connected to the Internet, such as WiFi routers, should never be in operation with factory or default passwords. Change upon set up and update often.
Hire a “white hat” hacker – Several organizations in financial services are finding creative ways to tap into the collective expertise of cybercriminals. By networking at ethical hacking events and working with local colleges, banks and credit unions can recruit or contract with college students and other young cybersecurity experts who will find gaps in their security protocols.
Designate a cybersecurity leader – “Your cybersecurity will only be as strong as the people you’ve hired to manage it for you,” McAlpine said. Partnering with outside security firms is a best practice for smaller organizations that do not have the appropriate internal resources. “However, even when you partner with an outside organization, there has to be an internal champion to monitor evolving threats and oversee a plan to protect against them,” McAlpine added.