Cyber-attacks aren't just targeting top-tier banks and Fortune 500 businesses, says Scott McGillivray, senior vice president and chief information officer of Pacific Continental Bank, a $1.7 billion institution based in Eugene, Ore. In fact, community banks and credit unions, along with all types of small business, are even more likely to be targeted by cyber-attacks because hackers believe these smaller organizations have their guard down, he says.
"It's one of the paradoxes of being in a business," McGillivray explains during this interview with Information Security Media Group. "You want to be big enough that everyone notices you; but when it comes to cybersecurity, suddenly, you're a very small person and you're a very small organization and so why would anybody worry about me when there so many other big fish out there?"
That kind of thinking gets community banks and credit unions in trouble, McGillivray says.
"Cybersecurity and cybercrime, really, is a cost-benefit game," he says. It's less expensive and more fruitful for cybercriminals to target smaller institutions, rather than top-tier banks, which often are more difficult to penetrate, he adds.
The biggest frustration for security professionals is that banking institution executives and boards of directors get too focused on the big attacks that make headlines, McGillivray says. As a result, those executives and directors fail to recognize the ongoing threats, such as ransomware, that pose the most risk to their institutions and customers, he says (see Ransomware Attacks' New Focus: Businesses).
"The type of cybercrime that most of these smaller businesses and financial institutions, for that matter, are exposed to are things like ransomware, where a piece of malware gets into a computer network and encrypts a bunch of valuable information," McGillivray says. "That's something that can affect anybody."
And institutions that lack mitigation strategies, such as employing offline backup drives and servers - as well as stronger security controls - run the risk of losing money and data, he says.
That's why CISOs and CIOs must ensure executives and boards of directors understand the risks their institution faces.
"One of the most effective ways to get that buy-in from the executive team and board of directors is education," McGillivray explains. "There are plenty of threats out there. But educating them about what the actual risks are is really valuable to get buy-in."
Another important breach prevention strategy, McGillivray says, is stronger vendor management.
"I would encourage all banks to become more involved with your vendors," he says. "For smaller institutions, the general model is to outsource your core processing, to outsource very key pieces of your technology operation to these very large vendors that don't really have any interest in helping you achieve your security unless there's money in it for them."
During this interview, McGillivray also discusses:
- Steps Pacific Continental is taking to prepare for its upcoming cyber-risk assessment security exam by regulators;
- Why investing in flexible and modular security technology is critical for smaller institutions interested in planning for threats three to five years out; and
- How CISOs at smaller institutions can compensate for having smaller security teams and budgets.
McGillivray joined Pacific Continental in 2014. He has more than 20 years of technology leadership experience, including 10 years in the financial services industry. McGillivray has also held a number of IT management roles in industries such as transportation, chemical manufacturing, high-tech and the public sector.