Cybersecurity: It’s Not a Matter of ‘If,’ But ‘When’

gloved hacker hands with keyboard and screen
Michael Jennings, CBCP Photo
Director of Advisory Services
Infinite Blue

4 minutes

What is coming and what are the best things to do ahead of time?

Sponsored by Infinite Blue

Cybersecurity genuinely affects all of us. Whether you are a private citizen, a business, or even the government, you and your organization are susceptible to significant damage should a bad actor succeed. Cybersecurity is so important for credit unions that the National Credit Union Administration has made it a top priority for exams.

Given recent geopolitical events, cyber-attacks have climbed to the top rung of threats. Nation-states have openly targeted the West. The U.S. Department of Homeland Security, Cybersecurity, and Infrastructure Security Agency recently issued two alerts addressing risks from Russian state-sponsored cyber threat actors highlighting malicious cyber incidents suffered by both public and private entities in Ukraine. The U.S. government has warned that our critical infrastructure is being targeted and to take measures to secure systems.

The National Credit Union Administration, along with CISA, the Federal Bureau of Investigation, and the National Security Agency encourage credit unions of all sizes and their cybersecurity teams nationwide to adopt a heightened state of awareness and to conduct proactive threat hunting. Credit union leaders are urged to be aware of critical cyber risks and take immediate action to reduce the likelihood and impact of a potentially damaging attack.

The cybersecurity landscape will continue to evolve; therefore, it is important now, more than ever, that your credit union is prepared to withstand potential threats. According to this article, 2020 data breaches resulted in $36 billion worth of records  being exposed. Malware increased by a staggering 358%. Cyber-crime costs organizations $2.9 million every minute, and major businesses lose $25 per minute as a result of data breaches. IBM’s Cost of a Data Breach report shows that the US has the highest data breach costs with the average attack costing $8.6 million.

Common Attacks Faced by Cybersecurity Teams

Where is the vulnerability? Thomas Reid in his Essays on the Intellectual Powers of Man wrote, “The chain is only as strong as its weakest link ….” The human is the weakest link in the cyber chain. Threat actors use phishing exploits to target credit unions and other financial institutions. Phishing campaigns are usually email-based exploits that attempt to introduce botnets and other malware to unsuspecting recipients with the aim of stealing data. They have been successful in mimicking official banking information and fooling customers into divulging private information. Phishing attacks cast a wide net in the hopes that a few people will become entangled.

Spear phishing is a more targeted campaign where the threat actors focus on a single organization or on a small number of individuals in that organization. Sending an email that appears to come from a trusted source, bad actors attempt to obtain personal financial information. It is very tempting for people and they can be taken in by some of the offers the threats use to lure them in. After all, we are human and part of the chain.

What Can Be Done About Cybersecurity?

The National Institute of Standards and Technology is the US version of the International Institution for Standardization. Similar to ISO, NIST provides a wide range of information security requirements, including cybersecurity compliance, which is addressed in NIST document 800-53. NIST 800-53 was originally mandated to the federal and government institutions. It has now been expanded to include non-government entities. Compliance with NIST is mandatory for all US federal entities and their contractors. Compliance with NIST is voluntary for private sector businesses, including financial service providers. NIST is a comprehensive set of controls that ensures an organization’s network, systems and employees are all effectively ready to securely handle controlled and private information.

There is no doubt that cyberattacks, especially aimed at the financial industry, will continue to increase. The environment is ripe. Numerous vulnerabilities, such as the “human factor,” still exist, and technology is becoming more powerful and sophisticated. Nation-state actors will continue to exploit weakness.

What can you do to protect your organization? First, implement NIST 800-53 or ISO27001. Both assist organizations with proper controls and protection. Develop and test a strong cybersecurity program. Create awareness campaigns to strengthen the “links” in your organization; awareness and education are powerful tools to thwart threats. Finally, you and your team need to be nimble and ready to respond to an ever-changing landscape.

Michael Jennings, CBCP, is director of advisory services at Infinite Blue.  Jennings brings more than 27 years’ experience in business continuity, enterprise risk management and disaster recovery. Prior to joining Infinite Blue, Jennings was the business continuity and disaster readiness executive for Blue Cross Blue Shield of Massachusetts where he was responsible for the enterprise business continuity, incident and crisis management programs. Jennings has held senior-level practice management and consulting roles with RSM, Strohl Systems and most recently Assurance Software Inc. In each of these roles, he worked with clients to improve their business continuity programs. He holds a Master of Science, Business Continuity, Security and Risk Management from Boston University and is a member of the editorial board for the magazine Continuity Insights. He also is an adjunct professor and instructor at Boston University teaching business continuity and risk management at a master’s level.

Compass Subscription