Pub. 13 2018-2019 Issue 1

NEBRASKA BANKERS ASSOCIATION 15 Counselor’s Corner — continued on page 16

92 percent of all malware attacks used email as the initial attack vector. [21] The best response to a ransomware attack is the ability to efficiently restore the system from backups, which should therefore play an important role in any company’s information security plan.

In a rare bit of good news, users seem to be getting better at identifying and avoiding phishing emails: 78 percent of people do not click a single phish all year, and only 4 percent of people in any given campaign will click the phishing link. [22] The latter figure is down from 11 percent in 2004. Unfortunately, of course, a hacker only needs one person to take the bait to infiltrate the system.

Verizon closed its section on the financial sector with three recommendations for 2018 and beyond:

    “The banking industry has seen a steady stream of DoS attacks over the last few years. It is unlikely that will change anytime soon, so be sure you have adequate protection against this very common problem. . . . The high showing for Everything Else is largely due to social attacks in the form of phishing. Make sure employees know what to look for with regard to this kind of attack, and give them a quick and easy way to report it. . . . Ensure that you have routine backups to fall back on in the not unlikely case of a ransomware attack. Segregate assets that are more critical to protect and prioritize them with regard to business continuity.” [23]

Lessons Learned

As with many data breaches, TaxSlayer did not understand its own risk profile until it was too late. While banks are not subject to the FTC’s enforcement authority, other federal regulators have been active in this arena, and the DBIR clearly indicates that hackers are actively looking for holes in online banking security. [24] The risky practices identified in the TaxSlayer complaint would be just as problematic for a bank as for a tax preparation service. While no one can ward off every hacking attempt, every company can and should take appropriate steps to mitigate its security risks. The following are synthesized from the TaxSlayer enforcement action and the DBIR:

1. Implement and regularly revise a written information security plan that complies with the Safeguards Rule implementation applicable to your organization. TaxSlayer could certainly have reduced its exposure with the FTC, and might even have been able to thwart the attack itself, had it not put off creating a formal information security plan for its first two decades of online activity.

2. Conduct a thorough risk assessment no less than annually, especially with regard to authentication issues. The TaxSlayer enforcement action suggests that financial institutions must assume their users engage in poor security practices and design their systems accordingly. At a minimum, require users to choose sufficiently complex passwords, validate their email addresses, and offer or require multifactor authentication.

3. Educate and test your employees regarding phishing attacks, and implement technological controls to minimize exposure. The DBIR found a positive correlation between a user’s likelihood to click a phishing link and the number of phishing links that user has previously clicked. [25] Encourage users to report phishing campaigns: in 2017, only 17 percent were reported, and almost no campaigns were reported by a majority of users. While phishing does not appear to have played a role in the TaxSlayer hack, the DBIR shows that it remains one of the most important security risks for banks.

4. Deploy the basic security tools you have available to monitor and mitigate attacks. Put automated
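The authentication controls in lesson 2 (complex passwords, validated email addresses, multifactor authentication, and a system designed on the assumption that users reuse weak passwords) can be made concrete in code. The following is an added example written for this article; it is not code from TaxSlayer, the FTC, or Verizon. The policy values (12-character minimum, five failed attempts before lockout, 200,000 PBKDF2 iterations), the tiny breached-password list, and the in-memory Account record are all assumptions standing in for what a real system would load from configuration, a full breached-password feed, and a database. The TOTP routine follows RFC 6238 with HMAC-SHA1, so it can be checked against the RFC’s published test vectors.

```python
"""Login hardening sketch: password policy, e-mail validation, TOTP MFA, lockout.

Standard library only; runs offline.  All policy numbers are assumed values.
"""
import base64
import hashlib
import hmac
import os
import re
import struct

MIN_PASSWORD_LENGTH = 12        # assumed policy value
MAX_FAILED_ATTEMPTS = 5         # assumed lockout threshold
PBKDF2_ITERATIONS = 200_000     # assumed work factor

# Constructed stand-in for a breached/common password list (a real deployment
# would check a feed such as Pwned Passwords, not a four-entry set).
COMMON_PASSWORDS = {"password", "password1", "123456789012", "letmein12345"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def password_problems(pw: str) -> list[str]:
    """Return every policy violation for a candidate password; empty list = OK."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in a known-breached password list")
    return problems


def valid_email(address: str) -> bool:
    """Syntactic check only; a real flow also sends a confirmation link."""
    return bool(EMAIL_RE.match(address)) and len(address) <= 254


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret_b32: str, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, timestamp: float, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, timestamp + drift * 30), code):
            return True
    return False


class Account:
    """Constructed in-memory account; a real system keeps this in a database."""

    def __init__(self, email: str, password: str, totp_secret_b32: str):
        if not valid_email(email):
            raise ValueError("invalid e-mail address")
        problems = password_problems(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret_b32
        self.failed_attempts = 0

    def login(self, password: str, code: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'.

        Both factors are always evaluated so the response does not reveal which
        one failed, and repeated failures lock the account, which blunts
        password-guessing against users who chose weak or reused passwords.
        """
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        mfa_ok = verify_totp(self.totp_secret, code, now)
        if pw_ok and mfa_ok:
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        return "denied"


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890" in base32); 59 s -> 287082.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    acct = Account("alice@example.com", "Correct-Horse-42", secret)
    print(acct.login("Correct-Horse-42", totp(secret, 59), 59))
```

The lockout counter is the one control that goes slightly beyond the article’s wording: it is the natural consequence of “assume your users engage in poor security practices,” since a password that is weak or reused elsewhere is only as safe as the number of guesses an attacker is allowed. In production, pair it with rate limiting by source address and an out-of-band unlock path so that the lockout itself cannot be used to deny service to legitimate customers.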
