BOSTON - Not every bank has the money or the staff to do everything on the "best practices" lists of multiple regulatory agencies.

As one member of the audience at the Federal Reserve Bank of Boston's 2017 Cybersecurity Conference this week noted, it is much more difficult for the "minnows" to comply with all the "guidance" out there than it is for the "big fish."

But multiple speakers and panelists agreed that most financial institutions, no matter their size, can do the basics. And if they do the basics, while it won't make them bulletproof, they will no longer be "low-hanging fruit" for cyber criminals.

But too many of them, said the Boston Fed's Lead Security Systems Engineer Jasvinder Khera, aren't doing the basics, as evidenced by the low priority they put on information security.

In a presentation on the benefits of threat sharing, Khera said a survey of the more than 60 participating organizations found that 67 percent had five or more full-time equivalent (FTE) staff in IT, but 33 percent had zero information security FTEs and another 37 percent had only one.

Among other weaknesses, the survey found that only 37 percent of the participating organizations required users of their guest wireless network to enter a unique ID and password. The majority, 54 percent, didn't require it, while the remaining 9 percent required only a passphrase, used a shared ID and password, or were "starting soon" on an authentication program.

An overwhelming majority, 84 percent, used third parties for data processing or storage, which meant their security depended not only on their own security posture but on that of their vendors as well.

Khera said improving security doesn't always have to be costly; a policy change can have a major impact. He said a major topic at the group's first meeting was social media.

He said the Boston Fed now blocks all employee access to social media, with a few exceptions like the public relations department. "Any change like this will produce resistance," he said, "but it was worth it. The drop in malware was significant and immediate."

Speaking to other preventive measures, Khera suggested using automation to flag external emails in order to reduce the number of successful phishing attacks. "It would help you think twice," he said, noting that criminals have become much better at overcoming skepticism by improving the apparent credibility of their phishing attempts.

Indeed, throughout the day there were several mentions of the most recent Verizon Data Breach Incident Report (DBIR), which found, yet again, that technology can't trump human weakness. It reported that 43 percent of data breaches came from phishing and 81 percent of hacking-related breaches succeeded because of stolen and/or weak passwords.

Other recommendations for covering the basics came during a session titled "Supervising Cybersecurity: Regulator Perspective."

Michael Flynn, an examination specialist in IT for the Boston area office of the FDIC, noted that the agency has produced 11 handbooks for examiners and bankers covering a range of cybersecurity issues, and that it also provides cybersecurity assessment tools (CAT). Again, most of it came down to basic cyber hygiene, including employee awareness.

Peter Chiola, bank information technology lead expert for the Northeastern District of the Office of the Comptroller of the Currency, said that "phishing is more of a threat than zero-days."

"Patch, patch, patch," Flynn added. "Most attackers are going after low-hanging fruit. So understand what you have. If you have reasonable controls, you will reduce the target tremendously."

Holly Chase, of the Massachusetts Division of Banks, said all financial organizations should "start looking through cyber attack scenarios. You need an incident-response plan. The only way to make it effective is to walk through it," she said. "You can't be scrambling around on a Friday afternoon and expect it to work."

Finally, former CIA officer Daniel Hoffman, in an earlier presentation on using a human intelligence model for cyber defense, noted that humans can be an enormous advantage, even better than high-tech surveillance.

He cited Russian intelligence officer Oleg Penkovsky, who, in an effort to prevent nuclear war between the superpowers, spied for the U.S. and Britain in the late 1950s and early 1960s. He was eventually caught, tried and executed in May 1963. But Hoffman said he had "provided critically important intelligence during the Cuban missile crisis."

But humans, especially malicious insiders, can be just as damaging to US national security, he said, citing massive document leaks by former NSA contractor Edward Snowden and former US Army private Chelsea Manning.

"None of us wants to think we have a malicious insider," he said. "We didn't want to think that at CIA. But it's true. So one good principle is need to know. Not everyone needs access to everything."
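As an added illustration of Khera's suggestion above to automatically flag external email, the following is example code written for this page, not anything from the conference or the Boston Fed; the internal domain, the tag text and the two sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical internal domain for this example; the article names none.
INTERNAL_DOMAINS = {"example-bank.com"}
TAG = "[EXTERNAL]"

# Constructed sample messages (not real traffic).
CONSTRUCTED_EXTERNAL = b"""From: Jane Doe <jane@partner.example>
To: teller@example-bank.com
Subject: Wire instructions

Please see attached.
"""
CONSTRUCTED_INTERNAL = b"""From: IT Help Desk <helpdesk@example-bank.com>
To: teller@example-bank.com
Subject: Maintenance window

Servers will be patched Saturday.
"""


def sender_domain(msg):
    """Lower-cased domain of the From: address, or '' if the header is absent.

    Only the address part is used: the display name is attacker-controlled
    text and must not influence the decision."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """True unless the From: address is in an internal domain (missing From: counts as external)."""
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_external(raw_bytes):
    """Parse a raw RFC 5322 message and prefix its Subject with TAG when it is external.

    Idempotent: a message that already carries the tag is not tagged twice,
    so the filter can safely run on relayed or forwarded mail."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if is_external(msg):
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            if "Subject" in msg:
                del msg["Subject"]
            msg["Subject"] = f"{TAG} {subject}".strip()
    return msg


if __name__ == "__main__":
    for raw in (CONSTRUCTED_EXTERNAL, CONSTRUCTED_INTERNAL):
        print(tag_external(raw)["Subject"])
```

In production this logic would sit in the mail gateway (a transport rule or milter) rather than a script, and the tag would be paired with the user awareness training the speakers described.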