Don’t Overlook These Key Components of Cybersecurity
11.12.2018
Numerous cyberattacks occur each day, which should reinforce the need to increase cybersecurity awareness within the credit union. Unfortunately, it’s human nature to let down our guard when the attacks don’t hit us personally; however, the monetary and reputational cost of even a momentary lapse in cyber vigilance can be extremely consequential. And with members rapidly migrating to digital channels, credit unions must be mindful of the many touchpoints that must be monitored and protected.
Simply put, cybersecurity will continue to be a concern for credit unions because of the temptation that private digital information poses to criminals. This information is currency, and hackers are relentless in their quest for “easy money.”
To protect both members and the integrity of the institution—and stay ahead of hackers—credit unions must keep pace with cybersecurity best practices, and the best cybersecurity programs utilize NIST’s five functions in security preparedness: identify, protect, detect, respond, recover. Cybersecurity is no longer solely about keeping criminals out of a credit union’s systems; it’s about detecting when one of them has gained access, responding to the attack quickly and comprehensively, and recovering from any damage or downtime that may have been caused.
A comprehensive cybersecurity program incorporates not only information and IT systems, but also the credit union’s employees, board members, and members. Only by looking at each of these segments can credit unions put together a defense that lowers their risk exposure and satisfies regulators.
Practice Makes Perfect
Every cybersecurity program contains a number of plans, the most notable of which are business continuity/disaster recovery and incident response/handling plans. These types of preparations are cornerstones of a comprehensive cybersecurity program; after all, they embody two of NIST’s five security functions.
However, having the plans is only part of the fight; just as important is testing the plans. Athletes, military personnel, firefighters and many other professionals working in fast-moving, highly stressful or dangerous jobs know the value of drills. Many people don’t work well under pressure, so credit union staff need to practice various scenarios. It’s critical to know what to do and when, rather than improvising during a security incident or trying to absorb the contents of your plans at the last minute. Time is valuable when it comes to responding, and a well-rehearsed plan can be the difference between a breach of a teller’s computer that results in only minor access and one that compromises the main server with access to core data.
It’s not only important to test your plans, but you also must test the controls that you’ve implemented. Institutions must ensure their internal systems and operations are in working order by identifying vulnerabilities and ensuring the controls work as intended. This is best achieved through simulating cybersecurity attacks, using methods such as social engineering exercises and penetration testing.
The planning and testing are necessities, much like insurance, that dramatically reduce the exposure and loss in the event of an emergency. In addition, these cybersecurity simulations, routine security scans and proper patch management are required by examiners.
Train Employees and Board Members
Once the cybersecurity program is in place and properly implemented, every single employee must be trained. The level of training needed depends on each individual’s job function. For example, those who work heavily in IT and security need comprehensive training on every aspect of cybersecurity.
Outside of technical staff, all employees need to fully understand why security is important, as well as the role they play in securing the organization. Cybercriminals know that humans are the weakest link in any credit union’s security program. So, everyone from tellers to loan officers is a potential target for social engineering, which uses targeted messages to trick a victim into installing malware onto the credit union’s computers or providing confidential information such as usernames and passwords.
Board members and senior management are also high-value targets for cybercrime. They must be well-informed, not only to understand cybersecurity best practices but also to understand the need for a comprehensive cybersecurity plan. After all, without the backing of the board and senior management, even the best-designed cybersecurity program is doomed to fail.
Don’t Forget Member Education
Finally, credit unions must consider how to protect members. Obviously, the organization can’t “train” members, but a strong member education program can limit the risk of cybercrime affecting individuals, which could then spill over into the credit union. Providing members with best practices for creating strong passwords and protecting personal data online can limit the cases of stolen accounts or identities.
Further, teaching members to be wary of email attachments, suspicious links or unknown software also greatly reduces their exposure to malware. These efforts serve to help members not only better protect themselves, but also, by proxy, the credit union.
Imagine the data that can be lost during a cyberattack, not to mention the financial and reputational cost that your credit union could face. By taking the time to build a comprehensive cybersecurity program, test and improve its controls, and educate staff and members on how to protect themselves, credit unions can reduce the number of cybersecurity incidents and limit the damage when one occurs.
Tyler Leet serves as director of risk and compliance services for CSI’s Regulatory Compliance Group, a provider of regulatory compliance software for financial institutions.