A Halloween-Themed Guide to SMB Cybersecurity
For Patrick Keating, President and CEO of Keysec Advisors in Cherry Hill, N.J., Halloween is more than just a night of tricks and treats. It’s the opportunity for a timely reminder that cybersecurity threats often hide behind masks of their own.
“Cybercriminals are a lot like movie monsters,” Keating observes. “They wait for the right moment, often disguising themselves as something harmless. The danger usually starts when someone lets their guard down.”
Keating uses a lineup of classic horror films to frame essential cybersecurity lessons for banks and credit unions. The advice, while playfully themed, is anything but fiction.
1. Defeat Phishing: Treat Every Communication as a Call You Didn’t Verify
In Scream, the killer never shows up unannounced. Rather, he pretends to be someone trustworthy. Keating sees a direct parallel in the world of phishing.
“Phishing messages mimic trusted senders and catch people off guard,” he explains. “It’s always the call — or the email — you didn’t verify that gets you.”
His advice is straightforward: “Train your employees to stop and think before clicking, verify every request, and make skepticism part of your culture. Awareness is your first line of defense.”
2. Patch the Ghosts: Exorcise Hidden Threats with Automated Updates
Outdated software is the digital equivalent of the undead, Keating warns.
“I think the demon’s target … is us … the observers … every person in this house,” he jokes. “When banks ignore updates, they’re haunted by vulnerabilities they can’t even see.”
He recommends automating updates where possible and conducting monthly reviews to ensure no system remains unpatched. “Keep everything current,” Keating advises. “It’s the simplest way to exorcise invisible threats.”
3. Drive a Stake Through Weak Passwords with Multi-Factor Authentication
Passwords remain one of the most common points of failure, and Keating doesn’t mince words about their importance.
“Like Dracula, weak passwords drain your defenses,” he says. “If your team is still using ‘Password123,’ you’re practically inviting the vampire in.”
Keysec Advisors recommends multi-factor authentication, password managers, and Passkeys wherever possible. “Strong credential management is the garlic that keeps attackers away,” Keating adds.
4. Empower the Human Element: Build a Security-Minded Culture with Training
Employees, Keating reminds, can either be a company’s biggest liability or its strongest shield.
“In Hocus Pocus, teamwork and knowledge save the day,” he says. “The same goes for cybersecurity. When employees understand the risks, they’re less likely to fall for a trick.”
He encourages quarterly awareness training and simulated phishing exercises. “Reward employees who spot the threats,” Keating recommends. “Positive reinforcement builds a security-minded culture.”
5. Ensure Resilience: Implement and Test the 3-2-1 Backup Rule
Keating points to The Nightmare Before Christmas as a lesson in resilience. “Even when Jack Skellington’s plan went terrifyingly wrong, he bounced back — because he had a backup,” he says. “Businesses need to do the same.”
His guidance is to follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite. “And don’t just store backups,” Keating cautions. “Test them. Otherwise, you might not realize they’ve failed until it’s too late.”
6. Clean Up the Digital Graveyard: Conduct Quarterly Access Reviews
Dormant user accounts are another haunting risk for banks. “In The Others, unseen presences linger long after they should have moved on,” Keating says. “The same goes for old employee credentials.”
He recommends quarterly access reviews and strict role-based permissions. “Unused accounts are open doors,” he notes. “Close them before someone else walks through.”
7. Handle AI with Care: Establish Clear Governance and Data Use Policies
As banks experiment with artificial intelligence, Keating urges thoughtful oversight.
“Like Dr. Frankenstein, companies sometimes create tools they don’t fully understand,” he warns. “Feeding sensitive data into AI systems can expose proprietary or client information.”
The fix, he says, is governance. “Establish AI use policies, monitor integrations, and know where your data goes. Innovation is healthy — but not if it turns into your own monster.”
8. Expect the Sequel: Develop and Practice Your Incident Response Plan
If there’s one movie that captures the relentlessness of cyber threats, it’s Halloween.
“Michael Myers always comes back,” Keating says. “So do cyber incidents.”
Preparation, he stresses, is the antidote to panic. “Every bank should have an incident response plan and run annual tabletop exercises. Decide who acts, who communicates, and what gets shut down. The best time to plan for a breach is before it happens.”
Every Trick Needs a Treat
Keating’s Halloween metaphors underscore a serious message: cybersecurity isn’t seasonal.
“From phishing ghosts to credential vampires, the threats are real — and they never take a holiday,” he concludes. “The key is awareness, discipline, and preparation. When you combine those, even the scariest attacks on your bank lose their power.”