By Steve Fleming, President and CEO, River City Bank
Cybersecurity keeps me awake at night, and it should worry you as well. As the CEO of River City Bank, I know it’s not a question of whether we will be targeted by hackers. Cybercriminals are attacking all our businesses daily—at an increasing rate. As the bad guys get more sophisticated, businesses—both large and small—are vulnerable. Cybercriminals view large business as a big pot of gold for them to steal, and small or medium-size business as an easy target. McKinsey & Co. estimates that cyberattacks will cause $10.5 trillion a year in damages by 2025, a whopping 300% increase from 2015.
No one is immune to the risk. The news earlier this year that San Bernardino County paid a $1.1 million ransom to hackers who installed malware on the sheriff’s office computer systems is a wake-up call to everyone. The county had cyber insurance, which covered half the bill. It’s likely that many local businesses haven’t purchased such insurance, even though experts say it’s a best practice to guard against losses.
Closer to home, the news of the Oakland ransomware attack keeps getting worse, with non-public personal information from current and former employees now surfacing on the dark web. Ransomware, a major threat for businesses of all sizes, now accounts for 24% of data breaches, according to the Verizon 2023 Data Breach Investigations Report. In a ransomware attack, the criminals pierce security systems and install code or software that can shut down your business or hold it hostage until you pay up. To make matters worse, stolen information can be sold on the dark web—even after ransom is paid.
All it takes to find yourself in a big mess is someone at your company clicking on the wrong link or attachment in an email. Last year, sophisticated scammers lured five Sacramento County employees into handing over their official log-in information, a breach that exposed more than 2,000 sensitive health records. This was just one incident of phishing attacks last year as the tactic reached record levels, with more than 4.7 million attacks being recorded.
The Responsibility Is in Our Hands
At the end of the day, the buck starts and stops with the CEO. We’re the final risk manager, and regardless of whether we run a bank, construction company, law firm, farm, nonprofit charitable organization, or public agency, this is one of the biggest risks we face. Ignoring cyber risk is a critical error that will likely result in a painful and expensive outcome.
Let’s face it: We do our best to manage and control our businesses, but cybercriminals know they can penetrate our information security defenses through our vendors (particularly those in the software supply chain), our customers, and our employees when they let down their guard.
We need to think about what’s at stake. A cyberattack can cost us time, focus, and money, but it also can lead to lost customers, a damaged reputation, and even regulatory scrutiny. In its 2023 report, IBM estimated the average cost of a data breach at $4.45 million. In the U.S., it’s twice that. And the average time to identify and contain the breach was 277 days. Who has that time to spare?
No wonder this issue keeps me up at night—it represents a risk for the business that I run, but also a risk for all our clients.
At River City Bank we instill a business culture that teaches our staff to be hypervigilant about cybersecurity, while recognizing that mistakes can, and will, happen. In fact, the Verizon report found that 19% of data breaches were due to “internal actors,” meaning our own people or contractors, either intentionally or through error.
If your business does not conduct regular cyber training for your staff, you’re putting your company in danger. Educated workers are less likely to click on a suspicious link or use a password that is easy to hack, and, thus, mistakenly put your life’s work in someone else’s hands.
Every business, no matter the size, needs to understand cybersecurity best practices and use them to minimize losses if an attack happens. Have a business continuity plan in place, and make sure your critical data is backed up and encrypted. Build defensible space throughout your IT network to limit the damage from malware that has taken advantage of a vulnerability in your network. These suggestions, as well as other ways to safeguard your company, are why we developed this cybersecurity overview for our customers.
Last, when all else fails, don’t forget about the benefits of cyber-risk insurance coverage. The cost of this insurance is rising due to the success of the cybercriminals. But ask yourself if you can afford a massive loss from a cyberattack.
Since September ’08, Steve Fleming has been President & Chief Executive Officer of River City Bank, the largest and most profitable bank based in Sacramento. With over 40 years of banking experience, immediately before joining River City Bank, he was the Founder and CEO of Presidio Bank in San Francisco. Steve also worked for over 20 years at Bank of America in a variety of progressively more senior roles, including as Head of Credit Administration for its Europe, Middle East, and Africa division.
