Smaller Institutions and Phishing: Don’t Be Complacent

When it comes to phishing, the smaller institutions out there that aren’t prepared for a phishing attack to hit their brands are playing “Russian Roulette” with their brand and reputation, says one leading security solutions firm.

“Smaller institutions should not be complacent. Brand and reputation are on the line when a phishing attack occurs,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group. “Large banks when they get hit with phishing, get the national headlines. But when small banks and credit unions are hit, they will appear in local paper or radio and TV. There’s more of a buzz factor around the pool, or in the grocery store,” Gaffan explained.

Reputational risk is a major factor, but also consider the monetary loss to a smaller institution, he said. “Bigger banks look at a certain percentage of churn in their customer base as acceptable. But for the smaller institutions the percentage point means much more to their bottom line,” he said.

Gaffan recommended that small banks and credit unions need to copy the actions of large banks, and take same approach as they do. “Service providers offer anti-phishing solutions, so why not leverage the same level of protection for their customers. Is there anything more valuable than your brand’s reputation?” he asked.

Gaffan likened the anti-phishing response plan of an institution to an insurance policy. “If you’re ready and have it waiting in the drawer when it happens, you’ll be much better off than if you didn’t have it there,” he said. “Waiting for it to hit your institution first, you’ll then spend days, even weeks figuring out where it came from, and getting it stopped,” he noted.

He echoed what many already have come to know through experience, “Idaho, Indiana, Iowa – it doesn’t matter where your institution is located, or how small your institution is. It doesn’t mean you’re immune to phishing.”

Gaffan sees a wide spectrum of preparation for phishing attacks. “At one end of the scale, there are those institutions that handle brand management; they have forward-thinking risk management processes and procedures in place; those are people who can sleep soundly at night.

At the other end are those institutions that haven’t gone through the planning process; they don’t have a plan in place, and they only go through process after a senior banking official says ‘We have a problem, we’re under attack, get it fixed now.’”

He recommended smaller institutions need to take same type of security practices the larger ones are already taking with a layered security approach against phishing and pharming.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network