Cyberattacks on the rise? Time for a client lunch
Some of Peach State Bank’s business clients this year have had it rough online. On two different occasions, clients have been the targets of ransomware attacks.
One client, for instance, discovered it couldn’t access any of its receivable and payable records until it met a demand for $40,000 in bitcoin. It called Ron Quinn, the Gainesville, Ga., bank's CEO, for help. Quinn was at another customer's office working on a loan proposal, but he called Peach State’s deposit operations department, told it to put a hold on all the client’s accounts, and went back to the bank.
“Before I could get back,” the client “was coming into the bank to pay off this ransomware,” Quinn said. “We told them, ‘No, we don’t need to do that,’ and got them hooked up with the FBI.” In addition, the bank pointed the business to a company that could help it recreate its files.
Quinn pondered the experience afterward. The bank’s technology budget, which included additional cybersecurity spending, doubled in the last five years. But tech measures alone wouldn’t address any knowledge gaps among employees, so last year the bank began adding cybersecurity education at quarterly lunch sessions to help build preparedness for cyber incidents.
Could it work for business clients, too?
The $213 million-asset bank will hold a September luncheon for customers to show them how their employees can help prevent attacks. The outreach, Quinn said, will also help build closer relationships with commercial clients.
“We have a lot of people in the market interested in cybersecurity and learning about what threats are out there,” Quinn said. “If this is as big of a success as we anticipate, we’ll probably make it an annual event.”
The frantic behavior of Peach State’s client is an example of the need for banks to school their clients on preventive measures in cybersecurity — password management, securing Wi-Fi connections, more secure email behavior and device protection — and on actions to take when they discover a vulnerability or a breach.
“You can find triggers and scenarios to present to help customers understand what to do,” said Ron Shevlin, director of research at Cornerstone Advisors.
For the client lunch, the bank will have presentations from its virtual chief information security officer, DJ Landreneau. Landreneau is chief customer officer for DefenseStorm, a cybersecurity and cybercompliance vendor for banks.
“Small businesses are more limited in resources, and they aren’t under the same regulatory scrutiny that a bank or credit union would be under,” Landreneau said. “When educating customers, banks should make the topic nontechnical about what’s happening, what are the most common threats and what are some of the things they can do around not clicking on things and getting multifactor authentication.”
Cybersecurity awareness sessions should also be coupled with regular written materials sent to business clients, experts advise.
“There’s this whole list of things banks can educate customers on,” Shevlin said. “In some respects, the banks have to think about this as if you were educating anybody on anything ... it isn’t about how much you’re teaching but how frequently is the education happening and at what points in time. When somebody logs in to their bank account does it pop up with cyber reminders?”
Community banks especially are well positioned to influence customer behavior, Landreneau said.
“I come out of the banker world as a former chief information officer and chief technology officer, and there is a truism in the whole notion that a community bank is part of that community whether in a major metropolitan area or elsewhere,” he said. “The customers of that community trust that financial institution. They may have gone to school their entire lives with a customer service rep. This is where I think these community banks can take this leadership role.”
As Peach State’s small-business customers hear about large breaches in the news, they look to the bank for answers, Quinn said. (In March, the city of Atlanta was the victim of a ransomware attack.)
With over 100 clients planning to attend, the bank has prepared a space that can fit 200 for the luncheon. Quinn hopes to communicate to as many employees as possible that keeping customers safe is a joint effort.
“Over the last few years, we’ve seen much more of a volume in cyberattacks, especially on smaller companies,” Quinn said. “We have our own internal monitoring of their accounts and identify what things are going on … but customers have a strong desire to learn more about what’s happening.”