As demonstrated by recent headlines, credit unions continue to be prime targets of cybercriminals due to the highly confidential nature of the data credit unions possess.
Should this data fall into malicious hands, it can become a windfall for the attackers, either through the sale of the stolen, exfiltrated data or through ransom extorted from the credit union.
Let's take a look at what trends appear beneficial to protecting credit unions from cyber risks, as well as what challenges may exist in the future.
With financial risks that are large and real, credit unions face numerous challenges when developing their cybersecurity plans. First, the bad guys only have to be right once, while a credit union must be right every time. All it takes is one team member, particularly one with elevated privileges to electronic resources, to hand a bad actor the keys to the credit union's digital kingdom. As a result, continued diligence and user education are critical components of your cyber resilience plan.
According to email security firm Proofpoint, users can be a powerful line of defense in the fight against phishing attacks. In fact, in top-performing companies with an educated workforce, users successfully spotted over 60% of malicious emails. Similarly, the best defense against other social engineering schemes is users applying a healthy dose of skepticism to spot potentially malicious calls to action in emails, phone calls, or via other means.
But risks don't end with employees. Credit union board members are often not up to speed on the latest cyber risks, and continuing education can be a challenge. Credit union leagues often try to assist with board education efforts, but a lack of general understanding of technology and cybersecurity basics is common among long-tenured board members. That lack of understanding can create a barrier to securing proper funding and support for a thorough cybersecurity program that addresses technical, physical, and administrative risks through appropriate controls.
An added challenge is that cybersecurity risks do not sleep. Platforms like online banking and remote access systems exist for the convenience of members and users alike, but they also provide a welcome attack surface for cyber criminals to target.
As a result, while internal IT support resources are often hired to work only during business hours, many credit unions have engaged with managed services providers that can provide extended around-the-clock coverage. In addition, many have also adopted advanced security solutions such as Security Information and Event Management (SIEM), provided through outsourced engagements. SIEM dashboards are most valuable if monitored 24 hours a day, 7 days a week (24x7) by a Security Operations Center (SOC) staff consisting of incident response professionals.
It is critical that credit unions work with credentialed managed services providers who have a demonstrated ability to properly secure their environments. Attaining certifications such as AICPA SOC2 Type II and ISO27001 should be a prerequisite for any vendor working to support credit unions.
Credit unions work on tight margins, which in the past made funding cybersecurity solutions such as SIEM quite challenging. The good news is that advanced security solutions such as SIEM are becoming an expected part of the security framework, not just for credit unions but for businesses in many regulated industries, including medical, insurance, legal, and any business that works in the military supply chain. As a result, the costs of such solutions are decreasing as they move from early to mainstream adoption.
Unlike many other industries, however, credit unions have security auditors such as state regulators and the NCUA regularly reviewing their environments and making recommendations. These reviews will result in audit findings and recommendations, and an extensive list can feel overwhelming.
Therefore, it's best to prioritize the findings, focusing first on those that will do the most to advance the security posture of the organization. An organization that tries to remediate everything all at once delays the remediation of the most important items.
In addition, the scope of findings from external auditors can be reduced if a credit union adopts a security mindset and monitors and tests internal systems regularly through engagement with an outsourced managed security services provider. In this case, recommendations can be generated, prioritized, and remediated on the credit union’s schedule, rather than because of an external finding.
While building a cybersecurity plan can feel like a daunting task, creating a plan and working to it can ease the process. By reinforcing end-user training, extending it to board members, allocating an appropriate budget, outsourcing to gain 24x7 coverage and advanced solutions such as SIEM, and prioritizing your remediation plans, you can be best positioned to protect your credit union from cyber-attack.
Dave DelVecchio is the Sourcepass Vice President of Marketing and Communications. Reach out to Dave at (877) 678-8080.