Why Cybersecurity Needs to Be on Your Bank’s Radar in 2022

Intro: Helping community bankers grow themselves, their team, and their profits. This is The Community Bank Podcast.

Erik Bagwell: Welcome to The Community Bank podcast. I’m Eric Bagwell, Director of Sales and Marketing for the correspondent division of SouthState Bank and joining me as always Caleb Stevens. Caleb is a Business Development Officer and works on the podcast. Caleb, how are you?

Caleb Stevens: I’m good, Eric. It’s good to be back on the show. We had a great episode last week with Chris Nichols talking all about the future of payments. We got into cryptocurrency a little bit, and we’re keeping the trend rolling a little bit here with cyber security. We’ve got two great guests a day talking all about what banks need to be thinking about here in 2022, as they address their cybersecurity plans.

Erik Bagwell: Yeah, we’ve got, Joshua Sitta and Trafenia Salzman. They are with a company called Sittadel and they sit down with Caleb and I, and it’s a good talk. I don’t think we’ve done a specific cybersecurity show. It’s something, obviously banks are always going to have to deal with, banks are dealing with and haven’t for a few years now, but this is a good interview, you guys will like it. They talk a little bit about the future, what they’re seeing now, what regulators are seeing and asking. So, let’s go straight to that interview right now.

Caleb Stevens: Well, Joshua and Trafenia, I thank you guys both for joining us this morning, how are you doing?

Trafenia Salzman: We’re doing Great.

Joshua Sitta: Yeah. So excited to be here. Thank you for having us Caleb and Eric, really appreciate it.

Caleb Stevens: Well, this is our first show on cyber security, which is a hot topic in today’s world. Give us a little bit of your background in terms of how you came to start Sittadel; your company and just your passion in general for cyber security.

Trafenia Salzman: Yeah, so Joshua and I used to work at a bank and obviously we were together there, and we were servicing the bank and protecting the bank during different incidents and situations that came up. And we found that a lot of the people that were attacked were the customers of the bank, and those are smaller businesses; those are the AC people, the plumbers, the electricians, those are the small businesses of the community. And we really were like, it would be great if there was another company that would be able to supply, that enterprise level being top tier, the best of the best security for those small businesses because of how important they are to our community, and we looked, and we could not find any. So, we were just like, hey, let’s start one, and that’s how we start; we started in 2019, yeah.

Joshua Sitta: Yeah. Caleb, we put together this program that protected over a million customers, but I became obsessed about just one.

Trafenia Salzman: Yes., he really did.

Joshua Sitta: Just one that had, it was the sheep, that wandered away from the flock. It was the only customer that I cared about because it was somebody who had a major cybersecurity incident. It rifled.

Trafenia Salzman: Yeah.

Joshua Sitta: Through their business; they actually had two businesses, both of them were involved in this incident and what I got to see for the first time is just how integrated a business owner’s personal and professional lives are. So when we were at the bank, we were protecting money, we’re protecting accounts, but working with those end clients directly.

Trafenia Salzman: Yeah.

Joshua Sitta: Well now we are really defending people’s lives, livelihoods, their families.

Trafenia Salzman: Yeah.

Joshua Sitta: People having a good Friday. That’s really the kind of work that we’re doing now today.

Trafenia Salzman: Yeah.

Erik Bagwell: Guys, let’s talk quick, just generally about cyber security and the attacks. And I heard a speaker a couple years ago at a conference and he told a story of how a major foreign power got on the us power grid through a major retailer here in the United States. And it was actually through a HVAC contractor that, that major retailer used, and it was an extreme story, probably I think it was like a year and a half in the making, maybe two years. How do these incidences occur? What’s a typical one? That one seems kind of atypical, maybe it’s not, but do these things occur?

Joshua Sitta: There’s some commonalities that are all.

Trafenia Salzman: Yeah.

Joshua Sitta: Throughout that we’re over here smiling, because we actually covered that story in great detail on our podcast.

Erik Bagwell: Okay.

Joshua Sitta: One of our earliest ones, you were kind and not saying the retailer’s name, so.

Erik Bagwell: I was going to say nothing.

Joshua Sitta: Yeah. But it’s a retailer and it’s on our catalog. There’s going to be a case specific thing that go wrong every time that are only going to apply to that one cybersecurity attack. But when we start talking about commonalities, listen, I go to tell you that none of this makes sense until we stop thinking about hackers and cyber criminals as sweaty guys in a basement that are clacking away at all hours, and it’s all on one person’s shoulders.

Trafenia Salzman: Yeah.

Joshua Sitta: Who is trying to take over these organizations to steal their money, to steal their data or whatever? We have to start thinking about the way business works today because cyber criminals have adopted business models. You’re not looking for one business to go out and provide every service in the same way you’re not looking for a cyber-criminal to go out and provide soup to nuts, everything that is required to commit a cybersecurity attack. If I want to steal data, maybe I’m really good at just the taking data part, but maybe I’m not so good at working with the initial compromise. Maybe I don’t know how to get a virus onto somebody’s computer, or maybe I’m not even a technical guy, I’m good at coming up with scams.

Trafenia Salzman: Yeah.

Joshua Sitta: I’m a con artist, I’m going to get somebody to click on a link or a virus that somebody else has prepared. And I’m going to build this kind of Oceans11 brand tag, motley crew of people who are good at one thing. And together we’re going to stand to steal a tremendous amount of money because we’re all playing to our strengths.

Trafenia Salzman: Yeah.

Joshua Sitta: Right.

Trafenia Salzman: Sounds like a founding team.

Joshua Sitta: It operates just like a team of co-founders.

Trafenia Salzman: Yeah.

Erik Bagwell: A lot of banks listen to this podcast, obviously, what does a bank need to be? Somebody that’s listened to this and saying, man, well I’m out, I’m in a rural area and surely there’s, nobody’s trying to hack into my system here, there are systems here at the bank. What does a bank need to be thinking about? Whether it’s billion-dollar bank or a hundred-million-dollar bank.

Trafenia Salzman: I love this question. We get this question quite frequently, because there’s always the one-person hair salon, or I think about my dad, he’s a HVAC plumber and what’s the risk? It’s just me, there’s no one in Russia or China or wherever they are, is going to be looking for a little me. But going back to your story about that major retailer, that HVAC company, they were a smaller company; they were a small business in the community, and it always goes back to how integrated everyone is. So it’s not whether, how big you are or how small you are and the attackers, they have a business model and it’s not just one guy typing in code, it’s that person constantly sending out a million different scripts so that they find the weakest link and it doesn’t matter if you are a huge retailer or it’s just one person, you’re still vulnerable.

Joshua Sitta: Yeah. Eric, the scariest possibility is what if that rural bank is right, that there’s not somebody who is targeting them? If somebody was targeting them, you just have to be better than that person who is targeting you. But the reality is because there’s nobody who is targeting you specifically, you are working against an army of computers, they’re running software 24 hours a day, tirelessly poking everywhere that.

Trafenia Salzman: Yeah.

Joshua Sitta: They can. Not specifically targeting you, but you don’t get the satisfaction of saying, great we know who is attacking us., we know how to beat that thing. You have to suddenly have a security defense that protects from all of the unknowns that happen 24 hours a day. And to me that’s a much more difficult challenge than to just beat one guy.

Caleb Stevens: So, to shift gears a little bit for the executives, listening, CEOs, CFOs, folks who are entrusted with leading their bank, I think a lot of times as leaders, we sort of just think, well, that’s the IT department’s job and they’ll figure that out, but they themselves really don’t have any kind of firm knowledge or grasp of even just the basic building blocks of cybersecurity. Can you speak to the importance of communication and really the CEO himself or herself, trying to get a good understanding of what is cybersecurity, what are the basic building blocks, and that way, when they’re in a meeting, it’s not this mindset of well that’s IT’s issues, they’ll figure it out, we can just outsource it to them, but there’s really no true understanding on the leader’s part. Can you kind of speak to that?

Joshua Sitta: Yeah, Caleb. I’ve worked with enough leadership team that I understand, that if I just answer your question from a cybersecurity perspective, people are going to skip through it.

Caleb Stevens: Right.

Joshua Sitta: They’re going to check out. so, bear with me. I’m going to tell you a story from when I was a kid, and I was on a garbage soccer team.

Trafenia Salzman: The red team?

Joshua Sitta: If there was a trophy for being in last place, we would’ve gone home with a trophy; this is before participation trophies. And we had one of our last games and it’s our team against this other team and right away, we scored a point and this like never happened. So, we’re winning this game from the first whistle getting blown, and we’re all excited about this. And then right at the end of the game, there’s a shot on the goal; a ball makes it in. Now it’s tied and all of us are like, come on Jack or whatever the goalie’s name, we all pointed to the goalie, and we were like, you’re losing this game for us. And we were so disillusioned about this that right on the next kickoff, another goal goes in. Our coach asks us afterwards, which we were like nine- and ten-year-old kids, we were not ready for this conversation, but it did stick with me. Our coach asked us afterwards, at what point we lost this game? And because it was lost on us we were like, at the end of the game, when the goals got scored against us, when Jerry couldn’t block that goal, that’s when we lost the game. And he was like no. You’re making a good point about Jerry losing that game, let’s talk about that. Jerry’s job is to block those goals, but is it Jerry’s fault? And this team of nine-year old’s is like, yes, of course he’s only supposed to block, he didn’t block. And he is like, okay, but let’s talk about the defenders, it’s their job to make sure that the goalie isn’t in the position where he has to block shots on goals, and we’re like, oh, okay, good coaching. It’s not Jerry’s fault, it’s those dang defender; they lost the game for us. And he is like, hang on, if you think about it’s the attacker’s job or the Striker’s job to make sure that they score more points than you guys give up, so really your attackers didn’t do enough. And we’re like, oh right, good point, it’s the attacker’s fault, it’s the strikers, we need better strikers if we want to win games.
And then at the end of all of it, he tells us the person who was accountable was the coach because the coach understood that he didn’t give us the perspective that we all needed to work as a team. We went into this game, blaming each other for the losses that we had, rather than understanding that we all participate. The CEOs; the leadership teams of banks, they by far have the hardest job when it comes to security and compliance, they have to care about the things they did not get into banking to do. It has to be important to the leadership team that people take cybersecurity seriously, even if they don’t take cybersecurity seriously. You’re required, if you get a bunch of leadership teams together and you have a little round table, they’re all eventually going to complain about their compliance costs. GOB is killing the profit margins of these banks. And if you’ve been in business for long enough to remember a time before GOB, all of a sudden, these line items on your spreadsheet, where it’s just, you’ve got this huge team, huge compliance department, huge compliance tools. If your sentiment towards that, is I can’t believe we have to do this thing, that infects all of the people at the bank. They look at the compliance team, they look at the risk management teams as the bad apples that they have to carry along. They become the Jerry’s, who aren’t blocking shots on goal. You’ve really got a lot of responsibility when it comes to being a CEO, to who just care about cybersecurity, and that’s probably the hardest thing

Caleb Stevens: And that probably gets into your infecti culture after a while if it’s just, you guys are the burdens, you guys are the things that we have to do. I would imagine that really takes a toll in your culture over time, and I love that perspective from your coach with soccer, because it really is a team effort. And, unfortunately it sounds like that might be one of the roles in the IT world where you’re only really noticed if you mess up, but you could create an amazing plan and you, maybe you get a pat on the back, but boy, if there’s a breach or there’s something that goes wrong, I would imagine you get singled out and you’re sort of seen, to your point Josh was that’s the bad guy.

Joshua Sitta: Yeah, absolutely. The worst thing that can happen during a cybersecurity incident, when everything is actually in that moment where the alarms are going off and you realize there’s somebody’s account who has been compromised or fraudulent wires are being processed when something actually is going wrong. That is the worst time to ask the question who is responsible for this.

Trafenia Salzman: Yeah.

Joshua Sitta: But it’s everyone’s favorite question because the answer brings safety, it brings a feeling of security. Well, if I’m not Jerry, if I’m not at fault, then I’m not going to get blamed for this, and I know that I’m safe here instead, all we need to think about, especially when an incident is going on, all we need to be thinking about is how can we support the overall mission of being this great place to continue to do banking.

Trafenia Salzman: Yeah.

Erik Bagwell: Right. I’ve told this story a couple of times on the podcast, but I go to tell it again because it fits. And I’m amazed Joshua that you remembered a story from being nine years old and a coach asking you a question, that’s unbelievable. I don’t remember what.

Joshua Sitta: Thank you, sir.

Erik Bagwell: Team. I was on when I was nine years old, hardly.

Joshua Sitta: We were called the bombers.

Erik Bagwell: There you go, you weren’t the red team. So, when I used to leave Atlanta 20 years ago in correspondent banking, I could not check my voicemail when I got 30 miles out from the city. Technology was not there for me to be able to call into my office and check voicemail, couldn’t VPN into the network; you were basically off the grid. Fast forward, we probably in cyber security probably was a thing. It obviously is not what it is today. Sophistication, wise it’s probably unbelievable, the attempts and what happens. What’s the most common thing that attacks that we see on banks? And what’s that going to look like five years from now? This has got to be an ongoing thing where you literally have got to have somebody this 24 /7, knowing how this is changing and talk about that just briefly. We’d like to get people to look into their crystal ball, but first talk about what the most common attacks are now.

Joshua Sitta: Yeah. So, I think the two low hanging fruit that every organization has to deal with, not just banks specifically, but everybody, you go to deal with Phishing emails, every bad guy in the world knows that you’re using email so they’re going to flock to that. Okay, great, they have to use email, we’re going to send them emails, that’s got the virus, that’s got the whatever. Or it’s just the scam, we’re go to ask people to send us money, hey, it’s me your CEO, and I’m locked out of my account so I’m using my personal account instead. I need you to send me a bunch of gift cards so that I can get those over to some key prospects that we’re trying to razzle dazzle. You have to have some kind of a strategy for dealing with those phishing emails. There’s a million different ways you can deal with that challenge, but the most important thing is that you have a formal strategy that somebody says, here’s our approach, here’s what we’re going to do to combat the problem of phishing emails. And then the other one is it’s a basic it hygiene thing, it’s patching the vulnerabilities that happen over time. We buy all this technology for our bank, even if it’s a cloud system, there’s still vulnerabilities that are built into all of these different systems that we use. If it’s a program, if it’s running somewhere on your computers or on computers that are in the cloud that you’re using over time, there are vulnerabilities, whose responsibility is it to update the patches that fix those vulnerabilities? If you can’t answer that as an organization, then you’re not doing effective vulnerability management. And you’re just sitting with doors open and windows open, and you got all these different points where people can get in. And that’s when it gets really scary for that rural bank who says I’m not being targeted because the more vulnerabilities you have, the more easy ways that the automated scams can find different holes in your bank and they can get it in, they can steal money when you’re not looking, and they can get out. Where are things going to be in five years? I think that we’re still going to be dealing with a problem; the first two problems, I don’t think those are ever going to go away. But the new thing that we’re starting to see is we’re past the hype curve on blockchain, we’re starting to actually see blockchain get applied in some really interesting and compelling.

Trafenia Salzman: Yeah.

Joshua Sitta: Financial services. People are looking at NFTs as this new way of, I don’t know, having all these different kinds of different revenue streams. I’m not going to go into what NFTs are, but just the real quick thing here is that think of a Bitcoin that doesn’t carry any value itself, it’s a service contract and it says that as often as ownership of this thing, imagine it’s a deed, as often as ship of this deed changes hands, the first person who created it, they get to have 5% of the sale on whatever the deed stood for. So, if there is contractual language that is built into an NFT and your cybersecurity threat actor is trying to figure out how he can get paid overtime, wouldn’t it be great if he could add information for himself on the bottom of that deed, if every time your legitimate deed changes hands, you are supposed to get money? If they can somehow put their own payment information in there will then every time your product that you’ve developed changes hands the bad guys get paid, instead of you. I don’t know that we’re there yet, but that’s maybe something that we should start thinking about now before we get into the NFT business.

Caleb Stevens: What do you see, especially when you guys were in the banking world day to day, what do you see on the regulation side of things? Of course, when regulators come into your bank, they’re going to look at your capital, your asset quality liquidity, the whole CAMELS ratio, where does cybersecurity sort of fall into the regulatory examination process?

Trafenia Salzman: The first thing that comes to mind is documentation; cybersecurity has a lot of documentation. You need to be able to show your strategy, like Joshua was saying about that phishing strategy. You have to be able to have that paperwork and those documents to show, these are our procedures, these are our standards, these are our policies. It’s just word processing at that point.

Joshua Sitta: GLBA regulations do not tell you how to run a bank, they don’t tell you how to combat cybersecurity risk. When a regulator comes in to see if you are doing all the diligence that you need to do for your risk management programs, they’re going to come in with a question, and that question is how are you dealing with this kind of risk? Whether it’s credit risk or capital, doesn’t matter, the kind of risk you have to answer the same questions from a cybersecurity perspective. They’re not going to come in and say, oh, we don’t like the way that you are using this antivirus instead of that antivirus. It’s not that, but what’s your strategy around antivirus? Do you have a strategy around antivirus? Do you require every computer to check in periodically? Just tell me about your antivirus program. The challenge is that these questions are boring to talk about. And a lot of times when you take the technical people who are required to kind of set up the technology to make the requirements for things like antivirus, they’re not the best to put in front of the documentation exercises.

Trafenia Salzman: You’re right.

Joshua Sitta: They might be able to do it, they might be able to tell you how they do it. They’re going to have trouble holding up a piece of paper and saying, here’s how we did it. So, you really need to get together and have some strikers and some defenders and some goalies, these get together with their different skill sets to come up with number one, the most important thing, what is their strategy for dealing with all these different kinds of cybersecurity threats, and then practically, what are they doing about it? But if you don’t have a strategy, that’s when regulators really start.

Trafenia Salzman: yeah.

Joshua Sitta: To get upset, because they’re auditing your ability to carry out the strategy that you are setting. If that makes sense.

Erik Bagwell: Guys, talk about the cyber security threats, not just to the bank itself, but to the customers of a bank. I’m sure there’s stories out there that would scare some folks but talk about that. It’s something that banks need to be aware of.

Joshua Sitta: Yeah. Eric, I love this question, thank you for asking. When I was working for a bank, I was really good at the technology side. I got hired to add some maturity to some kind of distributed processes, to really bring together a formal information security effort. And I worked for an excellent leader, he didn’t provide me a ton of coaching on the technology side; that was what I was hired there to do. He kind of let me go with that stuff, but I daily got more and more coaching on really two things.

Trafenia Salzman: Yeah.

Joshua Sitta: Number one was just leadership and leadership from a position of vulnerability because that’s how you create trust in a team, and then number two was actually how banks work. And I used to get reviewed annually on how much I understood the industry of banking. We didn’t talk very much about how much I understood cyber security, but we talked about how much I was understanding banking. And I’ll never forget that he asked me to start pursue the Florida School of Banking, and I was like, all right, hang on, guy. I’m not booked loans. They’re not going to look to me to be in an Alco committee yet, I don’t have a position that requires me to understand how bank finances work, I just got to kick hackers out of the network. So, I start reluctantly, begrudgingly I go to this banking school and immediately I learn what it’s a very simple that we talk about in cybersecurity. In cybersecurity, we talk about how information security has to support the business, and I was like, okay, great. That means we don’t lose money, we’re trying to protect information and that’s go to support business, whatever that means. But through Florida School of Banking, everything got recontextualized. The information security department has to figure out, particularly how it supports loan growth. So now I’m thinking about what lessons can I take from this and how can I go back and apply that to my department? How can I help my team understand this? And immediately we change from being the department that says, nope, you can’t have that, that’s against policy, you can’t do that, whatever. And we start working with people from what they’re actually trying to accomplish. This person is trying to book a loan and it’s getting blocked. How can we better provide support channels for those people to get what they need? That kind of thinking kicks in and once you’re leading an information security team from the perspective of how can we at the end of the day, support a bank’s goals in making sure that we’ve got enough core deposits to book out some loans that fundamentally that’s what it all comes down to.
You start thinking about all of the different ways, that core deposits that are affected by your line of work, which is cybersecurity risk. Job number one, make sure the banks protect it, but that’s not the only way you can lose core deposits if your bank accounts, if your one trying to say if the customers who are banking with you are having money stolen out of their accounts, that steals from your core deposits. So as a bank, you have to start asking some really difficult questions. How can we best support our customers with their cybersecurity risk? Because if they can’t manage their cybersecurity risk at the end of the day, we are the ones who lose money. Sure, yes, that person, that HVAC supplier, that whoever the small bus, the plumber, yes, they’re out of business because they lost money. But now we can’t turn around and book loans off of their entire operating account. So, we need to start asking ourselves as banks, what is the most that we can do for the people who are banking with us, not just from a financial services perspective, but how can we really teach them about how to manage their cybersecurity risk without stepping over some kind of legal accountability for their own cybersecurity hygiene?

Caleb Stevens: Well, for the listeners who are intrigued and they’re hearing this, and they’re saying, man, maybe I don’t have a great handle or not as big of a handle as I’d like to have on my cybersecurity procedures, software, all the things that go into it. How can they reach out to you guys to connect with you more and more, and just engage with all that you have to offer?

Trafenia Salzman: Yeah. So, we have the Sittadel podcast, check that out, that has a bunch of cybersecurity, cool stories. Also sittadel.com, S -I-T-T-A-D-E-L, and there’s a contact link there, right on the first page.

Joshua Sitta: Yeah, we’re easy to find, because the spelling on our name is kind of weird. S- I- T- T-A- D- E- L. If you just punch S- I-T-T-A- D- E- L into Google.

Trafenia Salzman: Yep.

Joshua Sitta: It’s going to get you to us.

Trafenia Salzman: Yeah.

Joshua Sitta: The first thing that intrigued bankers should do, though before they call us or anybody else, is they should take out a sheet of paper and they should talk about what their own cybersecurity goals are. If you can do that first, before you talk with any third party, or before you talk back with the team that you have hired currently on staff, if you can actually articulate what your goals are for cybersecurity risk management, that’s where you want to start. And then after you’ve done that, yeah, check out our website, check out our podcasts.

Erik Bagwell: Yeah. Well guys, we appreciate you all being on. I need to just tell a little bit about the story that we started with the guy I heard talk about the foreign power being on our energy grid. He was the head of the house; I think it was like finance. I’m not sure but he had information, some pretty high-level information at times because he was in the Congress for probably 10 years, but I went up to him afterwards and I said, hey, yeah, that foreign power that was on our grid, please tell me we’re on their grid. It’s kind of like a game and a stale mate and he said, oh yeah, we get on their grid as well, so that was good. I thought I’d throw that out there for anybody that was worried that we might lose power tomorrow or something. But guys, we appreciate you all being on, this is a subject that we’ll probably have to readdress with you guys again in the future. Probably a good show to do every now and then, because this stuff’s ever changing, banks are still getting hacked. I think some people think, yeah, we on cybersecurity for 10 years, we’re probably good, man. This stuff changes. We know of banks that have been hacked in the not-too-distant past. So, thanks for coming on with us.

Trafenia Salzman: Thank you so much.

Joshua Sitta: Absolutely. Thanks, so much guys looking forward to the next one.