Pub. 13 2018-2019 Issue 5

NEBRASKA BANKERS ASSOCIATION 15

Jeremy Smith is a Security and Compliance Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and Tandem software, used by over 1400 financial institutions to help manage their information security programs, cybersecurity, and more. Visit our website at www.conetrix.com.

often times lazy and definitely creatures of habit. In short, we’re low hanging fruit. The weak link. Your file server isn’t going to “forget” a security update after a late night at the office and no coffee in the morning. And the bad guys know it.

Culture of Questions

Are you creating a culture where employees are encouraged to ask? If someone receives a weird email that looks like it came from their supervisor, does that employee feel comfortable taking steps to question it? Don’t rely on assumptions – the strength of social engineering comes from the many social complications in play!

“Well, the boss never makes a mistake, it has to be legitimate.”

“They are on vacation now and I really shouldn’t bug them. This must be the report they mentioned.”

“It was just a false alarm last time – and everyone chuckled at the fact I thought it looked fake.”

Can your employees question something potentially malicious, without fear? How do you know? Have you told them so directly? Have you told them again lately? People learn through experience – by having them participate in security awareness through asking questions when things don’t seem right, you are creating security agents and installing human “updates” that won’t be soon forgotten.

The Power to Verify

The drive to help is another social aspect that attackers find success exploiting.
Asking for the CEO’s email address over the phone or posing as IT support and requesting the user’s password are common tactics. What will be their response when a person shows up, claiming they need access to the server room? Will politeness lead to pilfering? It can and does!

There is nothing wrong with doing everything in our power to help someone. There is also nothing wrong with taking a simple step to verify the request. Is it inconvenient? Yes – security and convenience will always face off against one another. The goal is to strike a reasonable balance that protects your customers and your business. Do your employees have the power to walk that line? Do they have the power to verify?

Human Patch Management

You have deployed all the current system patches available – but when is the last time you checked the status of your human “patch” level? An “unpatched” human is just as vulnerable as that forgotten legacy system sitting in a dusty corner. And the next exploit is only a call, email, or even smile away.

Sources

(1) https://www.knowbe4.com/hubfs/PhishingandSocialEngineeringin2018.pdf?t=1513870696549&utm_source=hs_automation&utm_medium=email&utm_content=585624
