Smaller Institutions and Phishing: Don’t Be Complacent
When it comes to phishing, the smaller institutions out there that aren’t prepared for a phishing attack to hit their brands are playing “Russian Roulette” with their brand and reputation, says one leading security solutions firm.
“Smaller institutions should not be complacent. Brand and reputation are on the line when a phishing attack occurs,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group. “Large banks, when they get hit with phishing, get the national headlines. But when small banks and credit unions are hit, they will appear in the local paper or on radio and TV. There’s more of a buzz factor around the pool, or in the grocery store,” Gaffan explained.
Reputational risk is a major factor, but also consider the monetary loss to a smaller institution, he said. “Bigger banks look at a certain percentage of churn in their customer base as acceptable. But for the smaller institutions the percentage point means much more to their bottom line,” he said.
Gaffan recommended that small banks and credit unions copy the actions of large banks and take the same approach they do. “Service providers offer anti-phishing solutions, so why not leverage the same level of protection for their customers? Is there anything more valuable than your brand’s reputation?” he asked.
Gaffan likened the anti-phishing response plan of an institution to an insurance policy. “If you’re ready and have it waiting in the drawer when it happens, you’ll be much better off than if you didn’t have it there,” he said. “Waiting for it to hit your institution first, you’ll then spend days, even weeks figuring out where it came from, and getting it stopped,” he noted.
He echoed what many have already come to know through experience: “Idaho, Indiana, Iowa – it doesn’t matter where your institution is located, or how small your institution is. It doesn’t mean you’re immune to phishing.”
Gaffan sees a wide spectrum of preparation for phishing attacks. “At one end of the scale, there are those institutions that handle brand management; they have forward-thinking risk management processes and procedures in place; those are people who can sleep soundly at night.
“At the other end are those institutions that haven’t gone through the planning process; they don’t have a plan in place, and they only go through the process after a senior banking official says ‘We have a problem, we’re under attack, get it fixed now.’”
He recommended that smaller institutions adopt the same type of security practices the larger ones are already using, with a layered security approach against phishing and pharming.