Revealing the Truth Behind Common Cybersecurity Myths and Related Best Practices

In this episode of “Issues of Interest,” Information Systems and Risk Assurance principal Pat Morin joins cybersecurity manager Pawel Wilczynski to discuss the importance of cybersecurity for banks and financial institutions of all sizes. They address common misconceptions, such as the belief that small businesses are not targets for cybercriminals and that cybersecurity is solely an IT issue. The episode highlights steps organizations can take to boost security, including employee training, strong passwords, and multifactor authentication.

The cybersecurity e-book mentioned in the episode can be found on our website.

Banks and financial institutions are constantly navigating volatility and change. Here at Issues of Interest we help you stay current on what’s happening in the industry so you can achieve success for your institution. We cover assurance, tax, business advisory, and technology topics and trends affecting the industry. Subscribe today to receive news and developments directly in your inbox.

Episode Transcript

Joe Jalbert: Hello and thank you for tuning in today to Issues of Interest from Baker Newman Noyes where we cover assurance, tax, business advisory and technology topics and trends affecting the banking and financial services industry. I’m Joe Jalbert and I lead the banking and financial services practice here at BNN. Banks and financial institutions are constantly navigating volatility and change. Here at Issues of Interest, we help you stay current on what’s happening in the industry so you can achieve success for your institution. Now let’s get into the episode.

Pat Morin: Hi everyone. Welcome to Issues of Interest, BNN’s podcast for the banking and financial services industry. I am your host today, Pat Morin, Information Systems and Risk Assurance Principal at Baker Newman Noyes. I’m here with Pawel Wilczynski, cybersecurity manager at BNN. Hi Pawel.

Pawel Wilczynski: Good morning, Pat. Thanks for having me on this podcast. I’m excited to speak with you and the listeners.

Pat Morin: So, Pawel, today we’re here to talk about cybersecurity, which is particularly relevant as we’re coming to the end of Cybersecurity Month, which we recognize every October. I know in working with our banking clients, cybersecurity is a major area of focus and concern, but really, for businesses in all industries and of all sizes. Pawel, to get us started, can you talk about some of the misconceptions that you’ve heard around?

Pawel Wilczynski: Sure. There are certainly a lot of misconceptions around cybersecurity. Some of the ones that we hear the most frequently are: we are not a target for cybercriminals, cybersecurity requires a huge financial investment, cybersecurity is a one-time project, and the last one that we’ll talk about today is that cybersecurity is only the IT department’s or cybersecurity department’s responsibility and can be achieved by technology alone.

Pat Morin: Boy, those do all sound familiar when you think about small and medium sized organizations. Pawel, why would a cybercriminal target those as opposed to a large business?

Pawel Wilczynski: To start, there are some common elements that organizations share, no matter the size or revenue. Namely, all businesses, regardless of size, hold valuable data that could be exploited, such as customer or employee information, financial records, or intellectual property. At the same time, small and medium sized businesses tend to have more limited resources, which can result in less robust security measures than their larger peers. That makes them easier targets for cybercriminals. Additionally, regardless of the size of the business, cyber attacks are increasingly automated, meaning attackers can target many businesses at once without specific targeting.

Pat Morin: So we’ve heard about the automated attacks as we spoke a few days ago. Also Pawel, I like your point that regardless of the size of the business, every business has data that could be potentially valuable and used by a cybercriminal. So thinking along those terms, can you give an example of the types of resources that large businesses have and how a smaller business might be able to use similar tools?

Pawel Wilczynski: Yeah. So larger businesses with bigger cybersecurity and IT budgets have more tools at their disposal and more staff to handle all the elements of cybersecurity, from risk identification to data protection through event detection and incident response efforts. Smaller organizations, even with very limited budgets, can still gain access to similar tools by outsourcing cybersecurity aspects to third-party vendors specializing in cybersecurity and risk management. Those third-party vendors have access to specialized tools, such as managed detection and response (MDR), penetration testing, and vulnerability and patch management, which can then be offered to small and medium sized businesses at lower cost due to economies of scale.

Pat Morin: So what you’re saying is by working with third-parties, the smaller businesses can take advantage of just the component that they need for their scale. And in fact, I think that’s a common theme among even larger clients that we service. There is definitely an opportunity for small businesses to leverage these tools. I think you mentioned something about cybersecurity being solely a technology issue as another myth. Can you talk about that?

Pawel Wilczynski: Yeah. So technology is just a piece of the equation. Cybersecurity is also about people and processes, not just technology and tools. Human error is a leading cause of cybersecurity breaches. In fact, the 2023 Verizon Data Breach Investigations Report (DBIR) highlights that the human element is a factor in 74% of all breaches. This includes incidents such as clicking on a phishing link, making errors that can compromise security, or misconfiguring systems. Another aspect of cybersecurity programs is employee training and cybersecurity awareness, which are critical components because they can help reduce human error, ensure compliance with policies, foster a cybersecurity culture, enable quick response to evolving threats, and drive the percentage of incidents down. In addition to rigorous, hopefully at least annual and ideally monthly, cybersecurity awareness training efforts, policies and procedures must also be established and followed to ensure comprehensive identification of risks, data protection, anomaly detection, and response to incidents.

Pat Morin: So there is a lot beyond technology when it comes to managing cybersecurity. Certainly the people are a key factor of it. I believe another concern that organizations have is how much is this all going to cost? Is it going to be really expensive? How much do I have to spend to be secure? Let me know what you think on that.

Pawel Wilczynski: This is definitely something we hear from our clients. The good news is that there are some inexpensive elements of cyber hygiene that can give you a good bang for the buck. For example, some basic cybersecurity measures such as strong passwords, multifactor authentication, regular software updates, and good backups can be low cost but highly effective. Also, many cybersecurity tools and resources are available for free or at low cost, especially for small businesses. For example, the Cybersecurity and Infrastructure Security Agency (CISA) offers a range of no-cost cybersecurity services designed specifically for organizations of small and medium size to build and maintain a robust and resilient cybersecurity framework. The cyber hygiene services help secure internet-facing systems from weak configurations and vulnerabilities. They really do a great job. Investing in cybersecurity can also save money in the long run by preventing costly cybersecurity breaches and data loss. According to IBM’s Cost of a Data Breach Report from 2024, the global average cost of a data breach was around $4.8 million, a 10% increase over last year and the highest total ever. Naturally, small businesses won’t experience that directly, but as the adage suggests, an ounce of prevention is worth a pound of cure.

Pat Morin: That’s very interesting, Pawel. Those sound like practical steps that organizations can take that probably don’t cost a whole lot, but can serve to provide a good foundation for the cybersecurity program. One other misconception I think you mentioned was that companies think that cybersecurity management is one and done. They can check it off and they don’t need to do it again. But that’s not how it works, right?

Pawel Wilczynski: It does not. It’s certainly not a one and done. It’s an ongoing process. It should be something that is constantly improved upon. So cybersecurity is an ongoing process that requires continuous monitoring, updating and improvement because threats and risks are constantly evolving, so security measures must adapt to the new challenges. One example is ransomware, which just 10 years ago was starting to be a factor. Today, every organization needs to have protection measures in place and an incident response plan ready to be executed. Also, assessments and updates are necessary to maintain strong cybersecurity postures. Risks don’t stay the same for very long, and IT environments and threat landscapes change often. Many organizations still have some in-house presence, whereas others move to the cloud. With every major change, the risk needs to be reassessed and acted upon. For example, we do a lot of work with our clients on two aspects of that. We do a lot of cybersecurity and risk assessments, which are point-in-time assessments of where the organization stands in terms of cybersecurity measures and controls, which then feed into an ongoing process of updating cybersecurity or information security programs, which then take those new risks into consideration and, based on the risk tolerance and risk appetite, are acted upon and mitigated or accepted as a risk. So this is very important and part of the ongoing process that we mentioned earlier. A lot of the risks that we do see are around identity and access management. There are still a lot of organizations that have not increased password complexity or length and have publicly facing systems without multifactor authentication. These are probably the easiest risks to mitigate, but also easy for attackers to exploit.

Pat Morin: Yeah, and Pawel, you were just saying a minute ago that many organizations are migrating their on-premises solutions to the cloud, like with Microsoft 365 or Google. And in that space another risk that you and I have come across is organizations that don’t quite recognize how important it is to have their administrator or high-access credentials be used as little as possible and to instead use a regular low-access or lesser-permissioned account for their day-to-day activities. So could you speak to that just a little bit, and then we’ll go on to the next myth?

Pawel Wilczynski: Yeah, so the idea of using your administrative account as your daily account is pretty risky because this daily account has access, in many cases, to all of the systems or the entire cloud infrastructure. And if that account got compromised, due to a weak password or maybe MFA fatigue, then the entire organization would be exposed to an attack. Whereas if an administrator has two separate accounts, one only used for those administrative tasks and the other one for regular day-to-day tasks, then if this daily account gets compromised, the organization would not be at risk; they will just need to change their password and the resulting damage will be so much smaller. So there are still a lot of organizations that maybe implemented their cloud infrastructure and use a software-as-a-service solution and had a limited number of employees testing it as administrators, and then those administrative rights were not taken away. And that’s something that we see pretty often, unfortunately.

Pat Morin: Still, Office 365 is a system a bank would commonly be using for their email, in effect. Well, when you look at financial institutions, the place where business email compromise happens is most commonly in Outlook, right Pawel?

Pawel Wilczynski: Yes, business email compromise is still a very big factor, also known as phishing emails. Phishing emails come in and the attackers pretend to be somebody else. They instill the sense of urgency or fear. And then employees who have not taken a second to evaluate the link, not implemented the cybersecurity lessons, could potentially expose the organization to an incident.

Pat Morin: Thanks, Pawel. So we’ve talked about steps companies can take and the ongoing efforts and monitoring that are required. And we hinted at this before: this doesn’t fall solely to the IT department, right? It involves others at organizations and financial institutions.

Pawel Wilczynski: That’s correct. It’s not just the IT department’s or cybersecurity department’s role. In fact, cybersecurity is a shared responsibility across the entire organization involving all employees. In fact, anybody with an email address or any organization with a website is exposed to an attack. There are a lot of automated attacks, as we mentioned before, and that’s why every employee should be paying attention to bad links and suspicious emails. Technology alone is not always going to stop it, and the IT department does not have the visibility – it’s the employees that deal with the customers and emails every day. Technology alone cannot prevent all the attacks. Human vigilance and proper procedures are essential, along with the incident response procedures that tell employees how to identify potential attacks and then how to report them to the IT department. A culture of security awareness must be fostered throughout the organization to be effective. Everybody needs to be trained, from the highest level of the organization down to the staff. Phishing emails reported to the IT department by employees could be a cybersecurity incident or data breach that never happened. So, if you see something suspicious in the email, report it, and if it’s good, they will report back that it’s fine and then you can act on that. So, it’s just really easy to take a second or two and look at those red flags in the emails that you learn from cybersecurity awareness training.

Pat Morin: That’s right. I like that word, vigilance. I always like to talk about organizations instilling cultural vigilance. Basically, those organizations that make it part of what they do every day, make it part of their culture, just make it something they do, and so it makes them successful in that space. Well, Pawel, that is the time we have for today. Is there anything you’d like to add that we haven’t touched on already? Are there any key points that our listeners should walk away with today to help them protect their institution going forward?

Pawel Wilczynski: Yes, as of the airing of this episode, we’ll be wrapping up the October Cybersecurity Awareness Month. BNN, and a lot of other organizations, have put a lot of usable content out there. Pay attention to the evergreen topics of online safety and protect information on both personal and corporate levels. These include strong passwords, multifactor authentication, good cyber hygiene in the form of software updates, and a good backup strategy. These simple and inexpensive steps can go a long way. Also, incorporate the lessons from the October Cybersecurity Month and review them often. The goal is for these best practices to be ingrained in your mind, just like you said, Pat, and to instill the muscle memory for it to do its magic when we’re faced with a cybersecurity challenge in the form of a phishing email or a suspect website logon screen.

Pat Morin: Pawel, that was really helpful and a good wrap up. You mentioned about accessing resources that were made available during Cybersecurity Month. Is there anything in particular you would recommend our listeners take a look at?

Pawel Wilczynski: Sure. In addition to the articles available on our websites and the posts that we have been sharing along the way on LinkedIn, we recently published a cybersecurity e-book that is available on our website and the link to it will be available in the show notes. You can also email me or Pat to get a copy of it.

Pat Morin: Pawel, it was great to chat with you today, and we covered some great topics and things to consider in the world of cyber. The banking industry is one of the more sensitive industries when it comes to thinking about cyberattacks, so tips and reminders on how to stay safe are always important.

Pawel Wilczynski: Absolutely, Pat, and thank you for sitting down with me. And thank you to listeners for tuning in. I hope you found this information helpful.

Pat Morin: Yes, and we are always monitoring and sharing updates and developments, so stay tuned for more articles, podcasts and resources from our team. Thanks all. Goodbye.

Joe Jalbert: Thank you for listening to Issues of Interest from Baker Newman Noyes. The BNN Banking team thrives on solving complex business challenges and helping institutions meet their goals. You can find more of our industry content and subscribe to our newsletter at bnncpa.com. If you’d like to connect with a member of our team, email info@bnncpa.com. Bye now.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.