The Fraud Blog with Tracy Kitten

Small Banks: Prepping for DDoS Attacks

Core Processors Have Obligation to be Stronger Resource

For tiny First Landmark Bank in Marietta, Ga., cybersecurity is a priority, even though smaller financial institutions have not yet been prime targets for recent distributed-denial-of-service attacks against banking institutions.

Because the community bank's leaders fear the institution could eventually be a target for a cyber-attack, they are taking a proactive approach to mitigate potential risks - an approach that others should emulate.

First Landmark Bank, which has only $182 million in assets, is working with its core processor, Fiserv, and third-party service providers, such as CSI, to ensure its online-banking channel is secure. The bank is leaning on numerous vendors because relying on Fiserv alone would not meet its needs, says Leigh Pharr, senior vice president.

More community banking institutions should embrace this approach. Too many of them lean too heavily on their core processors alone for security, technical support and intrusion testing services. Doing so invariably leaves gaps.

Small banking institutions have to depend on third parties to keep them abreast of emerging fraud schemes and attack trends, such as DDoS. Without that open communication, banks like First Landmark would be in the dark.

DDoS: Every Institution's Worry

Federal banking regulators have warned community institutions they have obligations to take emerging cyber-risks seriously. And the National Credit Union Administration issued its own DDoS warning for credit unions in February.

But many community banks and credit unions don't know where to start.

First Landmark, however, knew from its founding in 2008 that it had to outsource most of its information technology and security management, says Leigh Pharr, the bank's senior vice president.

"As we were organizing the group, there were only five of us, and none of us had true IT or technology experience," she says. "We knew the best thing we could do was go out and hire vendors that are on bleeding edge."

First Landmark's management has, from the beginning, understood the need for strong security, Pharr says. And this understanding has helped propel the bank ahead of other similarly sized institutions in its dedication to security.

"We are very fortunate in that senior management here and our president are very in-tune with DDoS attacks, and we keep all of our employees well-educated on what might happen, what can happen," Pharr says.

If more community banks had that kind of buy-in from management, then security investment challenges would be less of an issue. But many smaller institutions have their leadership spread too thin to make cybersecurity a priority.

Core Processor's Role

Fiserv provides First Landmark with bulletins and alerts about emerging risks and DDoS attacks, Pharr acknowledges. "They tell us what to be on the lookout for. They give us the information about the attacks that they identified - and one recently was DDoS."

But the bank is turning to others for technical support on data security issues.

"While we do rely on our core processor to provide us with all of the technical, online banking products, we are not satisfied that is all we need to ensure we are secure and that our accounts are protected," Pharr says. "That's why we have hired other third party providers [such as CSI] to come in and test our systems - try to break us. Because of that, I feel comfortable that our network is secure and monitored."

Cyber-attacks are not going away. Phishing schemes and DDoS strikes are only going to become more prevalent and complex. And community banks need all of the support they can get, from numerous sources - especially core processors.

As the managers of online-banking platforms for the majority of small and mid-tier banking institutions throughout the U.S., core processors have a responsibility to ensure their institution customers are protected and are investing in up-to-date solutions.

The DDoS attacks that major U.S. banking institutions are now battling are continuing to evolve. Smaller banking institutions should follow First Landmark's example and take proactive steps today to ensure they are adequately mitigating their DDoS risks.



About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



