Securing a family-owned business with St Louis’s First Bank
At First Bank, the vision is clear: for now and well into the future, they’re looking ahead to identify every available avenue to help nourish and support family-owned and privately held businesses, regardless of their size or tenure.
As a proud, family-owned business with a 100-plus-year history, First Bank specialises in privately held and family-owned businesses, in addition to offering extensive personal and wealth services ‒ so there’s an innate willingness to go the extra mile and partner in their customers’ long-term success. As a fitting example of this, First Bank launched the Center for Family-Owned Businesses, to offer tailored resources to serve the unique needs of family business members.
The Dierberg family, along with First Bank’s Chairman and Chief Executive Officer Shelley Seifert, remain committed to continued growth and innovation to establish it as the bank of choice for families and family-owned businesses, for now and well into the future.
Part of this service, and perhaps one of the most crucial parts for any business in today’s marketplace, is security: whether physical or virtual.
Marc Ashworth is the Senior Vice President & Chief Information Security Officer for First Bank. Under his management remit are four teams: the Networking Support Team; the Information Security Group; the Fraud Team; and Physical Security. He has been with the bank for four and a half years and has accumulated over 30 years in the industry.
Heritage drives culture at First Bank
First Bank, as Ashworth explains, more than understands how best to cater to the needs of other family-owned businesses, as well as their family employees.
“The family focus applies to more than just our clients. We refer to our team of colleagues as being family, so it's woven into all that we do. And you really feel it when you talk to the owners, as they're really supportive of what you do. It's a lot different when you're with a family-owned business versus just a corporation, in my opinion,” he added.
First Bank is uniquely positioned to understand the needs and challenges of other family-owned and privately held companies, due to four generations of reliable ownership that offer the ability and experience needed to help businesses plan for the long term and ultimately thrive in today's environment. The bank offers consistent and high-quality experiences for their clients that cover a range of topics especially geared to family businesses.
Ashworth adds: “Whether it's succession planning, tax strategy, family, trust issues, estate planning, and more, we have the experience and expertise to support the family-owned businesses with any banking need. We help family businesses thrive across generations and in ways that go beyond traditional banking products.”
Issues in cybersecurity for small- and medium-sized enterprises
Ransomware has been a big topic for most businesses in recent times, because of its potential destructiveness. According to Ashworth, even when companies have tried to pay the ransom, they may only get a limited amount back, which heightens the need to build an infrastructure around that major threat, so that you can recover and be protected.
“Ransomware in a lot of cases is a symptom of an overall breach, because there's lateral movement going on. So, for me, I'm concerned about lateral movement. We protect against that and stop it or mitigate it as much as possible.”
Lateral movement is when an attacker or malicious software moves from one machine to another within the network. Bouncing between servers and PCs can mean multiple places to install software that can then trigger at any time.
Attackers can quickly move through a vulnerability ‒ such as an admin area like a password ‒ so Ashworth insists that you want to get them to a point where they can't go any further, causing them to finally give up and go somewhere else.
“You don't have to be the fastest person running from the bear, you just have to be faster than the last guy,” jokes Ashworth. “One of the main ways that they get in is via phishing. We concentrate on stopping that number one attack vector, as it is crucial for any bank, enterprise, or small company.
“I think with the current international tensions, we’ve seen a move towards pseudo ransomware where there's not a ransom. It's more of just a destructive nature, such as wiperware, where it basically either wipes the drives or encrypts the data with no way of recovery.
“Our team is always on high alert because of what's happening and the warnings by the federal government. Any CISO needs to worry about this tension; they need to be thinking globally,” says Ashworth.
The importance of patch management
Patch management and vulnerability management often go hand in hand, and both require watching on a weekly basis, with the security teams providing oversight and guidance to the patching teams.
“For those out patching the systems and the applications, it’s all about keeping the numbers down as low as possible. Sometimes, it is one step forward and three back ‒ it's a never-ending problem and you have to really measure which vulnerabilities and patches you’re working on.
“Sometimes applications are more difficult to patch, so it's a longer process, or maybe the vendor doesn't support it yet. You have to be very proactive to keep these things going, watching those numbers and making sure you're at acceptable levels, especially on higher risk ones,” said Ashworth.
Training to protect users on the front line of the cyber threat
First Bank offers several annual training programmes from a compliance standpoint. They also conduct monthly targeted phishing campaigns that function as training exercises to keep people informed, alongside training materials, so that if people do fail, there are refreshers from time to time. There is also a weekly newsletter with tips and updates on current events in the cyber world, such as recent breaches.
“It's a learning experience for them and customised so they can share those tips with their families and friends, too.
“We get a lot of great feedback from the employees on these from around the building. That feedback is really valuable, and we encourage involvement with other teams and projects in order to keep the bank safe,” said Ashworth.
For customers, too, there are periodic webinars that are also recorded and put up online, providing a bank of useful tips and cyber advice to protect from various fraudulent scams.
“We post these tips out on our social media feeds and update that on the website, too. We keep our customers and others in our network updated. I'm pretty vocal on LinkedIn as well as Facebook. It's a group thing. It's not just up to the security team to have to worry about this. We all have to worry about it,” he said.
Relentless risk management and learning to switch off
Based in the St. Louis area in Missouri, the bank now has a presence in six states, banking specifically in California, Kansas and Illinois, too.
With this kind of customer reach, one of the biggest aspects of Ashworth’s job is the risk-management side of things. At times, the volume of risks out there can be overwhelming, but the CISO has ways to handle this.
“It's a constant flow of issues and threats, and it never stops, so it does get overwhelming. I think that's in part why CISOs have high turnovers,” said Ashworth.
He refers to the latest statistics on this matter, which suggest an average 20-month tenure for a CISO.
“I mean, I've been CISO here for four and a half years. I’m able to sometimes stop listening to my podcast for updates and reading articles. I live in nature, so working from home has helped as I can go for a walk or something.”
“What you have to do is constantly monitor. And the pressure to protect your customers, your company and your employees ‒ it's a lot! It is fun, though, as it changes daily. So, because of that, you really have to be willing to adapt and be open to constantly learning,” he said.
“The overall security community is very tight knit, and they're willing to share and talk about their experiences in a sharing infrastructure. If we can get the government to do that more in terms of mutual data sharing, that would be great, and I think we’ll get there. It's really a lot of fun and I hope more people jump into cyber,” said Ashworth.
Partnerships help handle new challenges
First Bank has won recognition from Juniper Networks for its lean processes, owing to how it has automated many things within its core environments. Silver Peak, which is now owned by Aruba, a global leader in wired, wireless, and SD-WAN solutions that use AI to automate and secure the network from edge-to-cloud, has been instrumental.
“Even Aruba has come back afterwards and recognised what we've done, creating use cases for us and featuring the bank in their catalogue.”
Last year First Bank partnered with Akamai to assist the bank in achieving strategic security initiatives: “Akamai is another great partner for us and they provide a solid suite of security and networking offerings. I’m really excited about this partnership and where we are going with it,” said Ashworth.
“There’s also great local partners out of St. Louis like Network Technology Partners (NTP), a great vendor that provides lots of different solutions. A good reseller and they work with us really well. They listen whenever you have a problem and can bring in a solution for you,” said Ashworth.
With their customers having faced significant challenges during the pandemic, First Bank pride themselves on building strong personal relationships. With programmes like PPP, they helped many existing customers to get business funding, as well as non-customers who were having difficulties with their current banking partners.
This involved lots of video calls in particular, with physical meetings not possible at the time, but that didn’t prevent First Bank staying focused and dedicated ‒ as Ashworth explains: “We are here for our customers to help them succeed and to help their employees succeed.”