Build a culture of security to detect and prevent cyber attacks.
Keeping up with evolving cybersecurity threats is daunting, never-ending, and time- and cost-intensive. The alternative is worse. According to global research by IBM Security and the Ponemon Institute, the average cost of recovering from a data breach in 2018 across business sectors was $3.86 million.
Every business with an online presence is at high risk for cyberattacks, but credit unions and other financial services providers are especially targeted, both because they deal with money and because their member and vendor data is useful to criminals, says Daniel Cherrin, founder of North Coast Strategies, Detroit. Hackers are relentless in efforts to infiltrate member and employee data, financial transactions, credit card information, even merger and acquisition activity.
Over his years working in the financial services industry, Heath Renfrow, CISO of CUES Supplier member and strategic partner LEO Cyber Security, Fort Worth, Texas, has seen the threat facing credit unions increase as overseas cybercriminals, thwarted by the significant security efforts mounted by big banks, have turned to financial cooperatives, which they perceive to be more vulnerable.
“One of the greatest things about credit unions and the people who work for them is that they’re wonderful human beings serving tight-knit communities, and that can make it easy for somebody to come in and manipulate that trust,” says Renfrow. “We’re seeing a shift in focus away from the largest institutions to credit unions and other smaller organizations.”
Beware Weak Links
The biggest cybersecurity threat facing credit unions today comes from inside their organizations. “Your employees are your greatest asset, but they can also be the weakest link when it comes to cybersecurity,” Renfrow says. “Cybercriminals are taking advantage of the human tendency to be trusting as they launch sophisticated phishing campaigns.”
Insider threats, involving both negligence and malicious intent, “will continue to be a significant attack vector,” agrees Shea Lambert, chief technology officer of United Solutions Company, Tallahassee, Florida. “You can have all the latest preventative security products in place at your credit union only to be tripped up by the insider threat.”
Over the years, most organizations—both within and outside the financial services industry—have focused on external threats, shoring up their firewalls with intrusion detection and prevention systems, Lambert notes. “We’ve reduced the footprint available to hackers on the perimeter but haven’t put enough work into detection on the inside of our networks.”
Cloning of internal email accounts to facilitate illicit wire transfers is a tactic that has been on the rise over the past year, notes Christopher Pippett, chair of the financial services industry practice of Fox Rothschild LLP, Exton, Pennsylvania.
“Employees think they’re getting instructions via an email from the CEO or CFO to wire funds to an account, but it didn’t come from inside the credit union,” Pippett says. “We’ve seen a slight uptick in those claims, enough of them that we’ve been warning people to verify these requests by phone.”
Another risk that must be monitored closely is infiltration through third-party relationships. Renfrow cites the example of a credit union’s myriad digital partnerships to underwrite and process a mortgage—not just the lending platform, but also for access to credit reports, income verification and title insurance, among other systems. Every one of those third-party connections to a credit union’s systems and members’ personal data is another door to guard.
Cyberattacks by nation-state actors like Iran and North Korea also pose a threat to U.S. credit unions and banks. “They’re finding that it’s very profitable to attack financial institutions and try to get money out of those institutions’ accounts,” Renfrow says. Selling member and corporate data mined during such attacks can be valuable too. (Read more about this in “An Introduction to the Dark Web”.)
Another threat may arise for credit unions that migrate to the cloud, Lambert suggests. Cloud-hosted products offer cost and operational efficiencies, but they also present an additional attack vector.
“When moving to the cloud, it’s important to understand where the cloud providers’ security responsibilities start and end,” he cautions. “Let’s take, for example, email with Microsoft Office 365. When moving your email into the cloud, ask what kind of logging capabilities the product provides. Does the service’s log retention match your credit union’s log retention policy? Can events be forwarded to your centralized logging facility for correlation?” This could be crucial, for example, when investigating the origination and impact of a phishing attack.
Conduct a Business Impact Analysis
A first step in developing a proactive cybersecurity policy is to conduct a business impact analysis to determine the most critical infrastructure elements to protect, like the core processing system, so the credit union can start formulating a security strategy around those elements.
“It’s not a matter of if a cybersecurity attack will happen. It’s a matter of how and when,” Renfrow cautions. “Credit unions need to be prepared for that. Without conducting a business impact analysis, credit unions can’t really build a sound IT security policy and instant response plan, because they’re in the dark about some of their most critical assets.”
Conducting a BIA involves all business units. “You can’t just settle for the pat answer that everything is critical. You have to identify your most critical elements and build your security program around them,” he adds.
Key questions explored in a BIA include:
- What systems are most likely to be targeted?
- What is the cost of infiltration, temporary outages and longer-term outages?
- How can targeted systems be returned to service as quickly and securely as possible?
- How does the credit union build its cybersecurity program around those infrastructure-critical assets?
Start at the Top
Developing and maintaining a cybersecurity program is an enterprise-wide responsibility, beginning with the board and executive team. The board, supervisory committee and executive management must take the lead in learning and educating the organization about evolving threats, insisting on vigilance—including writing organizational policy around cybersecurity best practices—and bringing in outside expertise when necessary to develop and test security measures.
IT professionals are heavily involved in conducting the BIA and developing security policies, procedures, training and testing, alongside their colleagues in finance, operations, marketing and other departments, Renfrow says. Leaders across the organization are responsible for the practices and systems within their business units and through their connections with third parties, from technology providers to legal advisors.
For every major data breach in recent years, the CEO of the targeted company has had to answer publicly to customers and shareholders, he notes. CEOs and boards are being named in lawsuits, and there are bills before Congress setting out stiff penalties, including the potential for prison terms, for the leaders of companies that are found to have inadequate data security programs.
“To build a cybersecurity culture within an organization, if it doesn’t come from the top, it will not succeed,” Renfrow concludes.
Leading cybersecurity efforts from the board and executive management levels is essential, Pippett concurs. “If people on the frontlines don’t believe this is important to the upper echelons of the credit union, then you’re not going to develop that culture. But if the importance of security is promoted, enforced and reinforced by upper management, it becomes part of the culture.”
Commit to a Culture of Security
“Everybody always thinks of cybersecurity as an IT function, but it goes beyond that, especially when you’re trying to develop that culture of security,” Pippett says.
HR should underscore the credit union’s commitment to cybersecurity in new employee onboarding and ongoing staff training. Risk management professionals work alongside colleagues in IT and other business units to operationalize security practices. And managers across the credit union must model and emphasize cybersecurity in daily operations, including simple but essential duties, like asking questions to verify identity.
As just one example, “if someone is knocking at a side door to gain access and they’re wearing a uniform, employees shouldn’t assume they’re a vendor and let them in,” Pippett notes. “Employees should be trained to always ask for an ID and direct the individual to the main entrance unless someone in the organization with authority to do so has instructed otherwise.”
In a culture of security, Cherrin recommends these processes and procedures become part of the daily routine:
- Offer regular training with refreshers on cybersecurity practices.
- Maintain an early warning system, with programs in place and people assigned to monitor for weaknesses and infiltrations of the credit union’s defense systems.
- Monitor the internal and external environment by encouraging all employees to report any suspicious emails or activities, consulting with colleagues across the industry and evaluating media reports on emerging cyber threats.
- Test system defenses and response to threats through tabletop exercises and penetration tests that simulate intrusions. Involving the credit union’s incident response team in regular testing “will illuminate your blind spots and help you know how to respond when a breach does occur,” he says.
- Regularly back up sensitive information in remote locations and observe other business continuity practices.
- Keep software up to date.
“You need to enlist your team members to watch out for improper activity, and you need to constantly remind them not to click on emails from unknown sources, even test them at times,” Cherrin adds. “Educate your employees on how to handle sensitive information and require users to create strong passwords and change them regularly.”
Continual training and regular testing help support a culture in which “employees are thinking about security all the time,” Pippett says. When employees click on emails sent as part of a phishing test exercise, they’re likely to remember that lesson.
Pippett emphasizes the need to incorporate security awareness into organizational culture and encourage employees to keep asking, “What do I need to do? How might we be exposed?” He offers another simple example: If the credit union has a copier that stores information, how do employees ensure that all data is wiped clear and not exposed when the machine is decommissioned?
“You have to be vigilant and thorough in considering: Where does all the credit union’s information sit? And how it is protected?” he notes. “The more people who are thinking about that, the better, because the answer to that question is ‘us.’”
Maintain Best Practices
Lambert cites a security industry mantra: “While prevention is ideal, detection is a must.” Credit union leaders should expect that attackers will eventually get around preventative measures and equip IT to detect and respond quickly to intrusions. Two primary tools to enable early detection are centralized log management, which combines data from across applications to help pinpoint issues and errors, and security information and event management, which analyzes security alerts generated by systems and network hardware. These tools can help prevent and detect both insider and external threats, he notes.
The Cybersecurity Framework from the National Institute of Standards and Technology offers practical recommendations and best practices, Lambert says. The FFIEC Cybersecurity Assessment Tool and/or the National Credit Union Administration’s Automated Cybersecurity Examination Tool can also guide credit unions in regular reviews and revisions of their risk assessments. (You can request the latest version of ACET by emailing CU_cybersecurity@ncua.gov.)
Know the Law
In addition to NCUA regulations, the Gramm-Leach-Bliley Act requirements for cybersecurity and other federal laws, credit unions must also adhere to state laws, not just in their home base but in every state where their members reside. As just one example, the state of California has rigorous privacy regulations requiring companies to secure the personally identifiable information of customers, including names, Social Security numbers, account numbers and passwords, current and past addresses, and IP addresses. The potential penalty for data breaches is a fine of $7,500 per record.
Many states require businesses to inform customers about data breaches that may have compromised their personal information. The timing on those disclosures can be a quandary because the required time periods may differ from state to state, Pippett says. Credit unions need to develop a complete picture of the extent of the breach before sounding a public warning. That goal must be weighed against the benefits of prompt notification to help minimize the potential for losses.
“If members are notified within 24 hours of a breach, that quick notice can help them take the steps they need to take to protect their accounts,” he notes. “But if managers drag their feet over concerns about reputation damage and wait three weeks, all sorts of bad things can happen over that period of time if member information was accessed and is somehow utilized.
“In the end, an assessment by regulators of the credit union’s response to report a breach will attempt to establish whether that response was reasonable. That’s always subject to Monday-morning quarterbacking, but at some point, you will need to take action to promptly report a breach,” he adds.
Rely on the Experts
Keeping pace with shifting cybersecurity threats can be a daunting challenge, especially for smaller credit unions that don’t have the resources for an in-house IT security staff. But in some ways, smaller financial cooperatives may have an advantage in maintaining a cybersecurity culture, Renfrow suggests.
“A $50 million to $100 million credit union may have 30 or 40 employees, and everybody knows each other. The CEO can drive home the importance of building a cyber-aware culture within that organization and work to eliminate the insider threat by emphasizing that everyone plays a role in ensuring security,” he says.
The ability to attract cybersecurity talent is extremely difficult for credit unions of all sizes these days, he adds. With a negative 20 percent supply of professionals in the field, many organizations rely on business partners to outsource or supplement cybersecurity.
“You don’t need a full-time chief information security officer in a $50 million credit union, but you do need an expert who can come in and identify what’s working well within your infrastructure and what other actions must be taken,” Renfrow recommends.
Cherrin suggests supplementing internal and external cybersecurity expertise by connecting with such law enforcement agencies as the FBI, Secret Service and postal police. These agencies can provide information about emerging threats, and it’s helpful to know immediately where to turn in the event of a data breach. A phone call or in-person meeting to introduce the credit union is a good first step to develop a relationship that could be “crucial to mitigating risk in the long run.”
“Many attacks can be averted if we all share information on what we know when we find out about it,” he notes. “Federal agencies frequently communicate with each other and share information on what they are learning in the field. The private sector needs to step up and be just as vigilant, and that begins with knowing who to turn to and having direct access.”
An additional measure that should be considered is cybersecurity insurance to help protect a credit union and its members, Cherrin suggests. “Policies will differ depending on the insurance companies you use and the coverages you seek but, in the end, this insurance will save you hundreds of thousands of dollars when you do experience a breach. A cybersecurity policy is a must-have in your insurance portfolio, and you should explore what kind of coverage your current carrier provides or ask around the industry.”
Avoid Cybersecurity Fatigue
Cybersecurity is not a fix-and-forget-it responsibility. It requires continuous attention both to existing systems and procedures and to new business endeavors and threats that may arise along the way, Renfrow says. In every business decision, managers must identify and address data security components.
“The threat is so broad and shifting that it’s easy to feel overwhelmed. But you can’t just throw your hands in the air,” he adds. “These criminals and threats are not as sophisticated as they may seem. A lot of these attacks involve cyber-basics that can fall through the cracks. Adhering to cybersecurity standard practices and training will eliminate a significant percentage of the threats.” cues icon
Karen Bankston is a long-time contributor to Credit Union Management and writes about membership growth, operations, technology and governance. She is the proprietor of Precision Prose, Eugene, Oregon.