Security

Commercial Bank of California provides state-of-the-art cybersecurity education, awareness, and training for our clients. CBC is always looking out for ways to help our clients without compromise. We chose from our inception to remain privately owned rather than become beholden to the interests of public investors, and as a result, we have the utmost respect for our clients’ right to enjoy a private banking relationship. In our view, exceptional security and stringent privacy standards are not at odds with each other – rather, we believe that each reinforces the other.

Please review the following tips and tricks to sharpen and reinforce your cybersecurity skills:

Your home has locks on the doors and windows to protect your family and prevent thieves from stealing cash, electronics, jewelry, and other physical possessions. But do you have deterrents to prevent the loss or theft of your electronic assets, including bank account and other information in your personal computers, at home and when banking or shopping remotely online?

"Think about all of the access points to and from your computer — such as Internet connections, email accounts, and wireless networks," said Michael Benardo, manager of the FDIC's Cyber-Fraud and Financial Crimes Section. "These always need to be protected. Otherwise, it's like leaving your front door wide open while you are away so that anyone could come in and take what they please."

Consumers increasingly rely on computers, web-enabled devices, and the internet for everything from shopping and communicating to banking and bill-paying. While there are a number of benefits of using web services -- faster and more convenient services, for example -- bank customers should also be aware of the risks.

*Cybersecurity Basics

Common cyber-related crimes include identity theft, frauds, and scams. Identity theft is a crime in which someone wrongfully obtains and uses another person's personal data to open fraudulent credit card accounts, charge existing credit card accounts, withdraw funds from deposit accounts, or obtain new loans. A victim's losses may include not only out-of-pocket financial losses but also substantial costs to restore credit history and to correct erroneous information in their credit reports.

In addition to identity theft, every year millions of people are victims of frauds and scams, which often start with an email, text message, or phone message that appears to be from a legitimate, trusted organization. These messages typically ask consumers to verify or update personal information or they direct consumers to bogus websites (such as for credit repair services) in the hopes that consumers will visit the site and enter their personal information.

*Tips to Avoid Identity Theft

The best protection against identity theft is to carefully guard your personal information. For example:

  • Do not share personal information over the phone, through the mail, or over the internet unless you initiated the contact or know the person you are dealing with.
  • Be suspicious if someone contacts you unexpectedly online and asks for your personal information. It does not matter how legitimate the email or website may look. Only open emails from people or organizations you know and, even then, be cautious if they look questionable. Be especially wary of fraudulent emails or websites that have typos or other obvious mistakes.
  • Do not give out personal information in response to unsolicited requests. Be particularly careful about to whom you give your Social Security number, financial account information, and driver’s license number.
  • Shred old receipts, account statements, and unused credit card offers.
  • Choose PINs and passwords that would be difficult to guess and avoid using easily identifiable information, such as your mother’s maiden name, birth dates, the last four digits of your social security number, or phone numbers.
  • Pay attention to billing cycles and account statements and contact your bank if you do not receive a monthly bill or statement. Identity thieves often divert account documentation.
  • Review account statements thoroughly to ensure all transactions are authorized.
  • Guard your mail from theft, promptly remove incoming mail, and do not leave bill payment envelopes in your mailbox with the flag up for pick up by mail carrier.
  • Obtain your free credit report annually and review your credit history to ensure it is accurate.
  • Use an updated security program to protect your computer.
  • Be careful about where and how you conduct financial transactions. For example, do not use an unsecured Wi-Fi network because someone might be able to access the information you are transmitting or viewing.

*Tips to Avoid Frauds and Scams

You should always exercise caution when it comes to your personal and financial information. The following tips may help prevent you from becoming a fraud victim.

  • Be aware of incoming email or text messages that ask you to click on a link because the link may install malware that allows thieves to spy on your computer and gain access to your information.
  • Be suspicious of any email or phone requests to update or verify your personal information because a legitimate organization would not solicit updates in an unsecured manner for information it already has.
  • Confirm a message is legitimate by contacting the sender (it is best to look up the sender’s contact information yourself instead of using contact information in the message).
  • Assume any offer that seems too good to be true is probably a fraud.
  • Be on guard against fraudulent checks, cashier’s checks, money orders, or electronic fund transfers sent to you with requests for you to wire back part of the money.
  • Be wary of unsolicited offers that require you to act fast.
  • Check your security settings on social network sites. Make sure they block out people who you don’t want seeing your page.
  • Research any “apps” before downloading and don’t assume an “app” is legitimate just because it resembles the name of your bank or other company you are familiar with.
  • Be wary of any offers that pressure you to send funds quickly by wire transfer or involve another party who insists on secrecy.
  • Beware of disaster-related financial scams. Con artists take advantage of people after catastrophic events by claiming to be from legitimate charitable organizations when, in fact, they are attempting to steal money or valuable personal information.

*Avoid Phishing, Smishing, Vishing, and Other Scams

Criminals are constantly trying to steal consumers’ personal data using fake emails, websites, phone calls, and even text messages. They use a variety of ways to try to trick people into providing Social Security numbers, bank account numbers, and other valuable information. In many cases, their goal is to steal money from you. This article defines some terms used for different online scams and how they work, so you can protect your money.

  • Be suspicious if someone contacts you unexpectedly online and asks for your personal information. It does not matter how legitimate the email or website may look. Only open emails, respond to text messages, voice mails, or callers that are from people or organizations you know, and even then, be cautious if they look questionable.
  • If you think an email, text message, or pop-up box might be legitimate, you should still verify it before providing personal information. If you want to check something out, independently contact the supposed source (perhaps a bank or organization) by using an email address or telephone number that you know is valid, such as from their website or a bank statement.
  • Be especially wary of emails or websites that have typos or other obvious mistakes.

https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams

Source: https://www.fdic.gov/resources/consumers/consumer-assistance-topics/cybersecurity.html

https://www.fdic.gov/consumers/consumer/news/cnwin16/secure_computers.html

*What Can YOU Do?

*Prevent Financial Fraud with these Six Cyber Security Tips

#1: Upgrade Your Antivirus Solution to Endpoint Detection and Response or Managed Detection and Response

As mentioned previously, Security Operations personnel receive up to 11,000 alerts per day. Sifting through this large volume of notifications and choosing which alert to investigate is a resource challenge. In addition, per CrowdStrike and DFIR’s research, malicious actors are using automation with their malware.

For example, per CrowdStrike, a cyber security company, eCrime malware can move laterally across the network within an hour and 32 minutes after the initial infection. In 36% of these cases, the attacker was able to move across the network in less than 30 minutes.

Similarly, the Qbot malware, whose sole purpose is to steal browser data and e-mails from infected workstations, can do so 30 minutes after the initial infection. It takes only 50 minutes before it infects additional workstations on the network.

Given the alert fatigue that Security Operations personnel are experiencing and the speed of modern-day malware attacks, antivirus solutions might no longer be effective. Many antivirus companies now offer a Managed Detection and Response (MDR) service. An MDR service provides 24/7 threat monitoring, and some will apply remediation as well. CrowdStrike, Rapid7, and FireEye are some of the leaders in this space per IDC MarketScape.

Endpoint Detection and Response (EDR) is a good secondary option for those who cannot obtain MDR due to the size or complexity of their operations. EDR can enhance malware protection in the following ways when compared to traditional antivirus:

  • EDR has additional features to not only detect malware, but also detect malicious or attack activities
  • Some EDR solutions provide IT administrators remote access capabilities to contain and investigate compromised systems
  • EDR often has visualization tools to help speed up the investigation and filter security alerts to prevent information overload

Per Proven Data, a data recovery service company, businesses can expect to pay $5 to $8 per user per month and $9 to $18 per server per month for EDR services.

#2: Be Politely Paranoid with Information Requests and Unknown Links or Attachments

Stopping unlawful requests for information is one of the most important (and easy!) things you can do. Letting so much as a single piece of information fall into the wrong hands is no small matter, as it allows the scammer to build a profile for further social engineering attacks, identity theft, or Account Takeover. Any "social engineering" attempts via phone or e-mail to obtain private data outside of secure and official lines of communication should be reported and used as an education or training opportunity.

Please note that CBC would never call or e-mail for personal information unless you have first contacted us about a particular banking product or service. If you ever receive an out-of-the-ordinary request from someone claiming to be CBC, please do not respond and contact the regional office that you bank with: www.cbcal.com/locations

It may seem extreme, but a lot of damage can happen from clicking on a seemingly innocent browser link or opening an attachment in an e-mail. Per the Microsoft Digital Defense Report, phishing is responsible for almost 70% of data breaches. While the previously mentioned technologies can mitigate malicious content being delivered by e-mail, the human firewall (you and your employees) will always be the last defense when all else fails.

Continuous training and testing are the most effective forms of strengthening the human firewall. Luckily, many companies can provide security awareness computer-based training. The current leader in this space, per Gartner’s 2019 report, is KnowBe4. Depending on the size of the organization and the packages you need, as of July of 2022, the cost of KnowBe4 training and testing packages can run between $9 and $30.50 per user per year.

It is unnecessary to be afraid of all links and attachments in e-mail, especially if you are expecting the e-mail or the sender’s request is not out of the ordinary based on your interactions with them. However, the best defense is to be politely paranoid and check the source if you receive an unexpected email or an out-of-the-ordinary request. For example, do not click the link in an unexpected email about a lost package, security warning, or billing change. Instead, visit the online store or service directly through the web. If the notification or warning is true, you will see the same notification there.

If you receive an out-of-the-ordinary request from someone you know, you can verify that it is really from them by calling, texting, or meeting with them face-to-face. However, we recommend not replying to the e-mail or calling the phone number from the e-mail to confirm its authenticity, as the sender’s e-mail may be compromised without them knowing. This is also known as Business E-mail Compromise, which netted malicious actors $1.8 billion in 2020, per the FBI.

For an e-mail containing a news article of interest or the latest viral video, simply use the search engine or your favorite news website to find the content.

#3: Block Suspicious or Malicious Websites

The best security design is often compared to peeling an onion. The longer it takes a person to peel an onion, the more likely the person will be in tears. Deploying security tools in layers is important to slow down or even frustrate an attacker. In addition to having strong anti-malware controls and user education, another security layer is blocking suspicious or malicious websites.

Some business-grade antivirus programs or network firewalls will provide website (URL) filtering features where certain website categories can be blocked. The most relevant categories include malicious websites, scams, or hacking sites. The cost of a firewall depends on the hardware, the annual subscription, and the installation fee. Per Proven Security, it can range between $1,500 and $15,000 (a month?), depending on the size of the network and needs.

For businesses with a remote workforce that are completely cloud-based, a network firewall might not be effective since the users do not need to use a VPN to connect to their cloud environment to work. While a business-grade antivirus with a URL filtering feature can still be effective in such cases, a secure web gateway is another possible solution to block suspicious or malicious websites.

At the basic level, a secure web gateway provides URL filtering and scans downloads for malicious code. However, many of these services can also provide additional security features, such as a secure remote access solution known as Secure Access Service Edge (SASE). SASE is a more secure solution than VPN. According to Gartner’s 2020 report, Zscaler is the current leader in this space.

#4: Use Multifactor Authentication

Per Microsoft, multifactor authentication mitigates 99% of all password attacks. CBC customers are already familiar with the multifactor authentication used for Online Banking, which requires both your password and a one-time passcode sent to your phone number either by voice or text message. This essentially doubles the amount of work fraudsters must do to access your online banking account, because they have to know your password (knowledge factor) and have access to your phone (possession factor).

However, because of telecom companies' poor customer verification processes, it is possible for attackers to hijack cell phone numbers through a SIM-jacking attack. To mitigate this attack, many technology companies have specific MFA applications that use push notifications instead of one-time passcodes to sign in, which reduces the impact if your cell phone number is hijacked. Some of these mobile applications, such as Microsoft Authenticator or Google Authenticator, also support other websites that use MFA. For those sites, however, the app will display a time-based one-time passcode instead of a push notification.
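How an authenticator app arrives at the time-based one-time passcode mentioned above, as an added example (not CBC's or any vendor's code): the passcode is computed from a secret shared at enrollment and the current time, following RFC 6238, so it does not depend on the phone number. The key is the published RFC test key and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the published RFC 4226/6238 test key, never a real secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, step=30, digits=6):
    """Passcode for the `step`-second window containing `at` (Unix seconds)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, step=30, drift=1):
    """Server side: accept the current window plus `drift` windows either way."""
    now = time.time() if at is None else at
    ok = False
    for n in range(-drift, drift + 1):
        t = now + n * step
        if t < 0:
            continue  # no window exists before the epoch
        expected = totp(secret_b32, t, step)
        # Constant-time comparison, and no early exit on a match.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print("passcode at t=59:", totp(SAMPLE_SECRET, 59))
    print("still accepted 30 s later:", verify(SAMPLE_SECRET, "287082", at=89))
    print("accepted 90 s later:", verify(SAMPLE_SECRET, "287082", at=149))
```

Anyone who learns the shared secret can compute the same passcodes, so the enrollment QR code or setup key needs the same care as a password.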

#5: Back Your Data Up

Backing up your data is important given today’s ransomware attacks. Our head Information Security Officer recommends backing up critical data daily, if possible. Modern backup programs and services can perform differential or incremental daily backups, where only new or changed data is backed up, thereby speeding up this nightly process. If feasible, the best practice for backup is to store an online copy and also an offline copy. There have been cases where the online backup was deleted during a destructive malware attack. Per Gartner’s 2021 report, Veeam, Commvault, and Veritas Technologies are leaders in this space. The cost of backup depends on the software licensing cost and how much data is being stored.

Most important of all, perform a periodic restore test. Periodic testing helps you understand how long it would take to restore your system and how to do it, which will speed up the disaster or incident recovery process. Above all, it ensures that your critical data is recoverable when the time comes.

#6: Keep Your Devices Up to Date

This last tip sounds like a broken record, but it is one of the most important tips. Unfortunately, developers are not perfect: each change to software or an application is usually made with good intentions, but sometimes the change also makes it vulnerable to different malicious attacks. In addition, many security updates are released to remediate known vulnerabilities, and in some cases malicious threat actors become aware of the vulnerabilities as soon as the updates are released. As a result, it is important to patch your operating system (Windows) and applications at least monthly. If you are running operating systems or applications that are no longer supported by the manufacturer or software developers, we highly recommend coming up with a plan to retire or replace them. If it is considered

Test your cybersecurity knowledge with the online quizzes from the Federal Trade Commission:

https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/quiz