As ransomware attacks surge across various industries, how should banks and credit unions protect their data, their customers’ data, and their reputation? ZDNet caught up with Steve Bomberger, head of SEI IT Services, to learn more about how banks and credit unions can avoid ransomware attacks and why they should pay close attention to what’s going on in the ransomware world right now.

Watch my conversation with Bomberger above, or read a few of the highlights below.

Beth Mauder: Steve, what are some best practices to prevent from falling victim to a ransomware attack?

Steve Bomberger: I think it’s pretty obvious these days that we’re all living in a digital and connected world. So to your point, businesses of all shapes and sizes, all industries are being affected by ransomware and other malware attacks. If we think about cybersecurity, we’d like to think about it as not just a technology planning solution, but also how it should be in the context of your business operations and your business planning. So a lot of times we have a common question that’s brought to light, and it’s: is ransomware a technology-related issue? Is it a policy issue? Is it a process issue?

Really to us, we think about it in all of the above. Some of those best practices that you would put within those categorizations to kind of go down a quick laundry list for you, Beth, are simple things like maintaining and exercising a simple cybersecurity incident response plan. I think we’re all very, very aware now of what’s going on in the industry, so it’s time for us to be prepared collectively, both in the public sector and the private sector. So maintaining a response plan is a critical start to that.

Also, from a preparation perspective, kind of keeping backups of data offline and regularly testing those backup procedures as an organization is pretty critical to being able to rally after an event if it were to occur. Simple things like separating your network systems. So keeping your corporate environment separate from your operations or your production environment is a good way to isolate different segments within your business. Practicing good standards for remote desktop. So we’ve all experienced this remote environment and working from home, and that’s increased the surface area that we’re all dealing with from a cybersecurity perspective. So making sure that we are active with securing those connectivities to the best degree we can. Using multi-factor authentication is certainly a critical element as well.

The other thing is vulnerability scanning. We’ve seen that through a recent event in the press. Doing regular scanning of your vulnerabilities and then timely patching of those vulnerabilities and making sure people and organizations are updating their software. Those are all things that are also critical. We know an attack vector is email phishing for ransomware. That’s the number one attack vector right now. So user education, good training can go a long way in combating this. Also, conducting regular exercises as an organization. So test the awareness of your users. Do third-party and regular phishing testing on your employees to see how they react and what their level of awareness is.

A couple of other things are keeping a good asset inventory. So understanding not just what hardware you have, but also what software you have, and keeping a tidy record of that is going to allow for a better and more swift reaction too if there was an incident. Really, from a technology perspective, we talk a lot about being comprehensive in your approach to cybersecurity. So the concept of defense in depth, which we know is an industry term that’s been out there for a while, the concept of having a layered approach to cybersecurity is something that’s also very, very important. So this is a little bit of a defense that moves beyond just policy and procedure. So how do you position yourselves to be able to combat this as best as possible?

Beth Mauder: Regulations are starting to increase surrounding ransomware. What type of pressure is that adding to an already very pressured field?

Steve Bomberger: Yeah. Obviously, regulatory pressure can play a huge part in how we move forward with all this. Ransomware is not old, as we all know. It’s been around for 30 years, probably, but it’s really been monetized and kind of in our face in the last decade. More recently, we’ve seen, to your point, about the Colonial Pipeline. We’ve seen a lot of big press on this. So ransomware is not going away. I think in general, if we look at regulatory pressure, it may help reduce the volume and potential severity of attacks. But again, by no means is it going away. If we think about a couple of ways to look at it, if regulation or increased pressure allows organizations to follow standards or to feel more apt to follow standards and strengthen their security posture, that’s going to make it harder for malicious actors, obviously, to get the payoff that they’re looking for.

On the other side, if malicious actors are held more accountable or if there’s a mechanism to hold them more accountable for their actions, that would clearly deter them to some degree. From a payment perspective, you look at kind of that hockey stick evolution of ransomware, and it really ramped up when digital payments became simpler. So being anonymous with how you receive your payments certainly has eased the benefit for malicious actors. So if you can take all of those things and kind of put the pressure on certain elements of those, maybe you can help reduce that volume of it.

I don’t want to minimize the severity and the importance of this topic, but I sort of think about it from a simple analogy. If you can walk into a convenience store and steal a candy bar easily and walk out of the store and not have any repercussions, you’re most likely or probable to steal that candy bar again. However, if you add in a defense system, if you add in a security camera, if you put the candy bar sitting right in front of where the clerk is, that’s going to deter you to some degree. So collectively, we talk internally here about a rising tide, the old quote, “a rising tide lifts all boats.” If we can collectively make it harder for these malicious actors, whether it’s through regulation or through better standards ourselves, if we can make it harder, then make the payout more difficult, we’re all collectively going to make it a better spot for us.

Beth Mauder: What happens if banks specifically fall victim to ransomware?

Steve Bomberger: Yeah. Obviously, banks and credit unions and any other organization that has confidential, very proprietary information on clients and deals with financial transactions are going to be a heavily targeted group. I think you see that in a lot of statistics and data that are out there today. Specifically for banks, they’re going to have to deal with it like most other organizations are going to, obviously with the added pressure of regulation and communicating through those regulations effectively what has transpired and what’s at a loss from a client perspective or a business perspective. I mean, I think if we talk about best practices and we talk about financial institutions, whether they’re banks or credit unions, being prepared for this, you kind of go back to that incident response plan. Having that plan in place is critical.

If you walk through the steps of what that looks like, it’s going to vary from organization to organization. But the process that an organization goes through is you’ve got to identify what was impacted by the attack and try to isolate that environment as fast as you can. Time to do that obviously is critical in how effectively that potential virus or malware can spread laterally across the organization. So identifying that early, as soon as possible, is critical. Then you have to triage. You have to look at what’s been affected, what systems are affected, and then you have to prioritize that restoration and the recovery of that. Next, you analyze as an organization.

Certainly, thankfully, banks are regulated and typically have teams, processes, and people around this, and they are able to analyze, work to understand kind of where this came from and what occurred. Once that’s going on, you then, this is a big part of what we see today, you have to communicate that. Depending on the appropriateness of what transpired in the communication, you have to work with internal and external stakeholders to get the word out as to what occurred. Moving from there, you start to think about getting up and running or dealing with getting back to business operations as they are. So recovering and assessing.

How do you keep this from happening again? How do you share intelligence? Go back to the quote I had earlier: if we can all share intelligence and become smarter with what’s attacking us on a regular basis, especially not just within the private sector, but with the public sector, if we can collectively share information as a whole, financial institutions may get smarter because they have more data, more intelligence that can help prevent an attack in the future. I think the last thing that we shouldn’t be scared to talk about too is there’s a lot of resources out there now. I mean, this is a big topic with a lot of energy behind it, both in the public and private sector. So if an organization needs assistance, they shouldn’t be afraid to go ask for that. There are some free resources out there, and there are also some very good private sector resources that can help an organization through something like that.

Beth Mauder: Steve, any final thoughts, anything that you’d like to cover?

Steve Bomberger: Yeah. I guess I would just say this is a topic that we’re all heavily invested in across all of the world and within many organizations and sectors. I think the concept of looking at this collaboratively, we know that the malicious actors are collaborating and sharing tactics. So to the degree that we can share tactics and all get a little bit more intelligent with how we’re approaching this topic in combating ransomware and other cybersecurity attacks, we’ll be better for it. We need to think about processes internally for organizations. We need to think about people and teams, and we need to think about the technology that we use and how those all work together, outside of just the policy, to make sure we’re doing everything we can to make it hard on these malicious actors.