Case Study:
Farmers & Merchants Bank

Financial institutions are disproportionately targeted by threat actors because of their rich financial and data assets, and attacks on SMBs are on the rise. Learn how Tyler Morgan integrates Nomic’s tools into his overall cybersecurity strategy, guided by the latest version of the CIS Controls.

In March 2020, work-from-home suddenly accelerated from a perk to compulsory. Businesses scrambled and hackers pounced on millions of vulnerable IT connections. As you would expect, healthcare, finance and government bore the brunt of the incursions. Studies show financial institutions faced a 238% spike in attacks.

So how did a midsize bank, with over $1.6 billion in assets and 30 branches spread across the state of Arkansas maintain a high level of security and business continuity?

FMB and Nomic

“Luckily, we weren’t a traditional VPN type shop,” says Tyler Morgan, Chief Security Officer at Farmers and Merchants Bank. “I know you have a lot of different organizations out there that participate in a traditional roaming device type of remote access, or even going as far as BYOD [bring your own device].

“We were more of a remote access, Web portal to a VDI type experience on the backend. From a security perspective, that was valuable because we were able to immediately spin up as much access as we needed.”

Indeed, remote workers using VPNs that lacked adequate safeguards increased the attack surface for hackers by orders of magnitude. Studies have shown there has also been a marked uptick in the number of phishing email attacks, malicious keylogger attacks and the distribution of password-stealing software, exploiting companies’ reliance on digital technology, and the vulnerabilities that surround these systems.

Another pandemic challenge was the strain on governance controls and cybersecurity education. In a normal office setting it is easier to establish and reinforce a strong culture of cybersecurity. Replicating that culture following a sudden surge in remote working, however, is less straightforward. For example, employees who work remotely may take unnecessary risks that go undetected.

“I think we’re way past the point where [a firewall on the perimeter] is sufficient from a security perspective.”

Digital Transformation Can Strain Security Resources

Headquartered in Stuttgart, AR, about an hour east of Little Rock, Farmers and Merchants Bank has grown from a small, legacy brick-and-mortar institution founded in 1945, to an innovative bricks and clicks regional influence.

Morgan is responsible for both physical and cyber security, fraud, and vendor management, having spent the last 10 years in cyber risk management for a number of banks and five years before that as a compliance enforcement attorney.

He said moving Farmers and Merchants Bank into the 21st century meant offering more banking services online and a digital transformation that emphasizes a frictionless user experience.

But along with digital acceleration comes a wider footprint that, for some companies, can extend beyond the capacity of its cybersecurity teams to keep up. Worse still, the Achilles’ heel of many organizations during the pandemic crisis was an astounding lack of basic cyber hygiene.

“From all the breach data and reporting that we’ve seen through the pandemic, you have to scratch your head and say, ‘Why weren’t some of these things caught by [security] tools?’” Morgan asks. “It’s because basic hygiene is very important. You look at things like, ‘Do we know what’s in our environment? Do we have a solid inventory? Do we control the level of privilege on the endpoint? Do we do basic things like enable the Windows firewall natively?’

“You can point to several things that could have been done that, while they might not have prevented malware from making it into the environment to start with, would have prevented some of the lateral movement in terms of preventative controls.”

“We know statistically, if we go do these four or five things, we’re going to be a lot better off than the organizations that may go spend a ton of money on a tool.”

Building A Baseline for Cyber Hygiene

Morgan is a big believer in taking advantage of freely available resources and frameworks for building a cybersecurity baseline. One of his, and ours, favorites is CIS Controls, developed by the nonprofit Center for Internet Security. “If you put a lot of value in security hygiene, [it’s] a great control framework,” he says.

Updated in 2021 to version 8, CIS Controls’ safeguards consist of fundamental security measures that get to the heart of an organization’s security posture. As such, organizations of any size can use them to mitigate some of the most prevalent digital threats facing their systems and networks.

“I like the fact that with the CIS Controls, you can kind of say, “OK, we know there’s a lot of really bad stuff out there, but we know statistically, if we go do these four or five things, we’re going to be a lot better off than the organizations that may go spend a ton of money on a tool.”

“Our mindset starts at the endpoint,” Morgan says. “Let’s lock an endpoint down as much as we can and then work out. In the past, we were especially bad about saying, ‘Well, there’s a firewall there on the perimeter,’ and that becomes your control that firewall.

“A lot of the regulatory documentation and the questionnaires you answer are still geared that way. ‘Do you have a firewall on the perimeter?” Well, I think we’re way past the point where that is sufficient from a security perspective, so we have continued to make sure that we evolve the stack.

“I do believe detection is very important, and we invest a lot in logging and log analysis,” he says. “At the same time, if you give me a dollar to spend on prevention versus detection, I’m probably going to spend that money on prevention first.”

“The fundamental truth, regardless of the technology stack, is that you can’t protect what you don’t know about or don’t understand.”

Why MNDR Gives Financial Institutions an Edge

Luckily Morgan doesn’t have to choose. Having added Nomic’s managed network detection and response (MNDR) platform to his cybersecurity stack two years ago, he’s supported by a fully monitored, advanced threat detection, threat intelligence and threat prevention solution with a security operations and control center (SOC) team available 24/7.

Banks are disproportionately targeted by threat actors because of their rich financial and data assets. Advanced threat intelligence from Nomic can have an enormously positive impact on financial institutions, ensuring they have the most up to date information on what is happening inside and outside the network, and that important security alerts rise to the top.

“We are alerted very quickly about IPs that need to be blacklisted or signature traffic that needs to be adjusted, and we don’t have to do that internally,” Morgan says. “That’s a big benefit to us just in and of itself. But then to be able to reach out to [Nomic’s Managed SOC support] and ask questions, like ‘is there SSH traffic outbound?’ or ‘is there FTP traffic?’ This is very valuable to us.

“The fundamental truth, regardless of the technology stack, is that you can’t protect what you don’t know about or don’t understand. We want to make sure that security is as seamless as it can be, that it’s not an inhibitor, but a contributor to our overall success.”


We can help.

From small financial firms to Fortune 100 companies, we help understaffed and overworked IT teams solve their network security and compliance problems.

Give us a call