Does Your Credit Union Follow These Four Security Best Practices?

By Franklin L. Donahoe


Doing so will keep your CU protected from cyber risks and threats.

Sponsored by Lynx Technology Partners

Credit unions are facing unprecedented times. During the pandemic, many rallied to address the strain on credit union employees and members. But the changes and pressures on the credit union industry have created opportunities for malicious actors attempting to take advantage of challenges in the industry.

Credit Union Security Challenges

Credit unions must use technology platforms, implement technical infrastructure, and protect those systems just like any other organization. Many take the responsibility of security very seriously and make it part of their mission. However, technology and security come at a high cost—not just the actual cost of the technology, but the time and people required to implement and maintain new and emerging platforms. To manage these costs, many companies rely upon third parties to manage platforms and execute services. These third parties are not directly managed by the enterprise but may have access to sensitive systems and information.

The high price of technology is not the only issue. Member demographics and expectations are changing while competition increases from non-traditional organizations. Competitors have identified traditional member needs and offer alternative ways to meet them, which may be appealing to credit union members.

A FICO study noted, “that US consumers are beginning to address … unmet needs by turning to non-bank financial services providers as opposed to traditional banks or credit unions. 34 percent of consumers have at least one account with or engage in financial services activity with a fintech company, large technology company, merchant, or other non-bank provider. That percentage jumps to 47 for Millennials.”

Although this challenge is not directly related to information and cyber protection, the confusion and complexity can create opportunities for malicious actors. Banking and personal information is already the most valuable information sought after and sold on the dark web. Organized cybercrime groups feed off chaos and convolution, whether it comes from a pandemic requiring more remote connectivity and communication or from a merger and acquisition making new network connectivity, integration of systems and new business processes necessary.

According to Verizon’s 2021 Data Breach Investigations Report, financial gain is the top motivation of cybercriminals. Bank, debit and credit card, and personal information continue to be the most sought-after data types. In addition, “bank,” “bins,” “bank identification number,” “card” and “CVV” are among the top dark web search terms.

These criminals use personal and company information to conduct sophisticated social engineering attacks through phishing emails and SMS. The more they know about credit unions and their members, the more convincing they can be. They also target employees with privileged access to steal their credentials and gain access to important technology assets. New employees, especially, may be targeted because they are the least familiar with company procedures and personnel.

Although the storm may seem overwhelming, there are four practices that must be established or reinforced to address the risks and threats outlined above.

1. Know What You Own

Companies continue to be surprised by the number of digital assets that enable their business. Keeping track of them becomes more difficult with a mix of on-premises, cloud, hybrid and cloud-to-cloud architectures. But it is manageable if you have a solid plan. You must know what you’re trying to protect and, moreover, understand its use and business value. The value of this seemingly simplistic concept cannot be overstated.

  • Keep a good inventory of your assets.
  • Proactively and aggressively manage vulnerabilities.
  • Scan your network more often than your adversaries do.
  • Hold third parties accountable to your security standards.

2. Trust No One’s Identity Until Verified

This principle has been around for a while. Remote and distributed workforces make identity and access control more difficult. Identifying a person, device, application or even a piece of code, and associating it with the access it is granted, is becoming a basic requirement. Until a user is identified to an acceptable level of certainty, they can do nothing, or at least not what they want to do. If you know who the users in your network are, what they should be doing and how to identify them, you should be able to control their access and allow them to do their work in a secure manner. This is easier said than done and takes work.

  • Clearly define what users can do.
  • Limit access to only what is needed. Employees and third parties need enough access only to get their specific work done, and no more.
  • Use multiple identifiers, not just one, to distinguish a specific user.
  • Define and monitor acceptable and unacceptable user behaviors. Understand that a hacker’s goal is not just to gain access to systems and information, but to do so without being detected. The easiest way to achieve that is to use the credentials and permissions of your own employees.

3. Design, Implement and Maintain Security Systems

For years, security professionals have worked with business and IT partners to build security in from the beginning of a new implementation. Too often, security is still an afterthought, or security requirements are not adequately defined. This happens for many reasons. Sometimes there is not a clear understanding of the system being developed or of the data that will reside in or flow through it. If this is unclear, the right level of protection may not be implemented, or security professionals will default to a high degree of paranoia in the face of ambiguity. Over-protection and inadequate protection both come at a high price and are equally undesirable.

  • Define how security will engage in the system development lifecycle. This is not just the security organization’s responsibility. If there is not a well-defined development lifecycle, security will fail no matter how hard the security team tries.
  • Make sure security is considered a business imperative and that its requirements are elicited and treated with the same priority as those of any other business customer.
  • Security organizations must be prepared with security reference architectures and patterns to make the process easier.

4. Train Your People

People make mistakes every day. It only takes one employee or vendor misconfiguration, or one click on a malicious link in an email, to create an opportunity for a cybercriminal. In fact, that’s all they are looking for. People are our first line of defense. Whether they implement and maintain the core banking system or work in back-office functions, employees must be knowledgeable and armed with the training and resources to identify and report suspicious activity.

  • Incorporate training throughout an employee’s lifecycle. Start when an employee is hired and ensure they understand the importance of security to the credit union.
  • Develop training that is relevant to the employee’s responsibilities. Generic training is not enough. Employees need to be able to apply information protection practices to their every task.
  • Test your people. If you don’t, the hackers will. You can get ahead of potential mistakes by proactively testing your employees with simulated phishing emails and other social engineering tactics, offering them feedback when they fail and kudos when they “catch the bad guy.”

Franklin L. Donahoe is CEO of CUES Supplier member Lynx Technology Partners, New York. He has over 30 years of experience in data, information and cyber security, business and technology risk management, and military service in the United States Marine Corps. As a founding member of the Lynx board of directors, Franklin has been advising Lynx’s global service delivery business with an absolute commitment to excellence. He has consulted for and held leadership and executive responsibilities in global multinational companies such as Deloitte, Costco, Mylan Pharmaceuticals and T-Mobile, and has helped these companies develop and execute strategy and improve operations and performance. Through his career, he discovered his passion for assisting leaders in developing solutions to difficult risk and business challenges by thinking more broadly, connecting business needs with the use of technology and addressing the risks associated with both. Franklin also enjoys serving as a director of Harborstone Credit Union and formerly served as a Governor-appointed commissioner for the State of Washington. These board, commissioner and advisor roles have given him the ability to help leaders see beyond the immediate and anticipate risks.
