Pub. 7 2016 Issue 2
SUMMER 2016 19 West Virginia Banker

Tommy Bailey, Government Relations & IT Specialist for Spilman Thomas & Battle and Director of Government Relations for Next Consulting, provides technology-related services to clients, including information/technology consulting and project management. He has experience designing and implementing information security solutions, including biometric technology, across a variety of industries. He advises clients on information and technology needs, including data security matters. Mr. Bailey also is a registered federal and West Virginia lobbyist. He can be reached at 304.720.4059 or tbailey@spilmanlaw.com.

Bank Notes

City National Bank
LeAnn Cain recently joined the bank as Senior Marketing and Public Relations Manager. A West Virginia native, Cain holds a bachelor’s degree in Public Relations from Marshall University and a master’s in Integrated Marketing Communications from West Virginia University. She comes to City after serving on the marketing team of the Clay Center for the Arts & Sciences of West Virginia for nearly six years, most recently as Marketing & Communications Manager.

Premier Bank
Deborah Sizemore recently joined the organization as Senior Vice President – Commercial Banking. Sizemore joins Premier Bank from BB&T, where she recently retired as Market President for Raleigh, Fayette, Nicholas and Greenbrier counties. She began her career with New River Banking and Trust Company in 1982 as a Customer Service Representative. She held positions of increasing responsibility throughout her career, with the successor banks, One Valley Bank and BB&T.

many media sources and outlets are constantly reacting to a new cyber-attack in 24-hour news cycles and social media alerts.
Large breaches, such as the successful attack on Target (in which criminals accessed information through a third-party contractor), brought the threat home, while changes to credit card ‘chip’ readers provide a constant tangible and personal reminder that we are all at risk. While we all have a responsibility to safeguard our own PII, those charged with protecting our financial data have arguably the most critical and sobering task. For these professionals, the process of staying current with the newest threat evolution, let alone effectively addressing it, is complicated, frustrating and often becomes very expensive. This is a criminal activity that pays no regard to nationality, industry, size or ownership—they are equal opportunity outlaws in an environment often very fertile for their purposes.

Now, part-way through the 2010s, we in the cyber security space long for the kinds of scams and early ‘phishing’ attacks (a common cyber security attack using an email or webpage link to redirect the victim to a page or message infected with a virus or malicious software, or ‘malware’) from 10 years ago. These scams involved a farfetched story, usually a foreign dignitary with a fortune waiting if you follow a set of instructions or a *CLICK HERE* banner described in poor grammar to claim your prize. Today’s cyber criminals are much more advanced—and use social engineering to better lay their traps. For instance, emails from your bank or from the government asking you to submit information to unlock an account are very common and very effectively disguised.

Another somewhat aged, but not extinct phenomenon, the ‘hacktivist’ (a person or group promoting a cause, political agenda or raising awareness through the use of cyber-attacks) remains a headline-making cyber terror threat.
For example, the early May 2016 attack on Greece's central bank by a group known only as ‘Anonymous,’ which impacted service on the bank’s website, used another tried-and-true method called a ‘denial-of-service’ attack (a method of attack that disrupts service through flooding a system with requests). While only a few minutes in duration, the attack is symbolic of the group’s aim to disrupt services all over the world. In a statement on YouTube, Anonymous stated, "Olympus will fall. A few days ago we declared the revival of operation Icarus. Today we have continuously taken down the website of the Bank of Greece. This marks the start of a 30-day campaign against central bank sites across the world." Shortly after the story broke, the national bank in Cyprus reported a similar incident.

Also in the news, and more disturbing in its outright criminal intent, is the March 2016 heist of nearly $100M USD from the Bangladesh Central Bank, stolen from its account at the Federal Bank of New York. The Bangladesh Central Bank said hackers had transferred the money to bank accounts in the Philippines and Sri Lanka using a common payment instruction messaging tool called “SWIFT.” Given the multi-layered infrastructure used by SWIFT (and similar tools), the multiple access points provided an opportunity to alter the instructions and move the resources to the criminals’ accounts before anyone was the wiser.

This is an adaptive, advanced enemy. So what can we do? Using the traditional bank robbery paradigm, most security experts agree that a ‘defense in depth’ strategy involving multiple layers of controls, balanced with awareness, transparency and ongoing training is an effective deterrent. On the other hand, those who are overly cautious risk the organization’s success by overspending and/or creating a severe negative impact on the network user’s experience.
Please join us in July at the West Virginia Bankers Association Annual Convention to learn how, in a vendor-saturated market, to effectively approach cyber security, balance information security concerns with fiscal management, and develop a strategy to effectively protect your organization’s information through a requirements-driven, vendor-agnostic process that considers budgeting, training, policy creation and in/out sourcing.