By Mike Lee
LSCU Director of Regulatory Advocacy
While cybersecurity can be a very complicated issue, it still rings true that the best way to approach it is by realizing simple changes in practice can prevent the most breaches. Before credit unions purchase expensive systems and hire expert staff, know that basic, effective cybersecurity practices are well within the control of those who have very little knowledge of the subject. Because for most credit unions, very basic safeguards will prevent most breaches.
Who are the bad actors seeking to steal your members’ money and data? They generally fall into one of three categories: state sponsored hackers, criminal syndicates and hobby hackers. While the state sponsored hackers are probably the most sophisticated, the criminal groups are not far behind. In fact, many of them collaborate with, or are endorsed by, the state hackers. And while there has been greater interest by foreign states to attack American financial institutions in recent years, the greater likelihood of attacks come from less sophisticated criminals, often implementing tools bought cheaply and easily from the internet. The good news is those amateur, hobby hacker criminals can be easily deterred using simple techniques. If you harden your credit union’s systems, there is a good chance most hackers will move on to softer targets.
Credit union leadership can implement these simple steps with policy changes and some basic training to mitigate the greater risks of a breach to your system.
The next step for leadership to better protect the credit union from cyber threats is taking an interest in cybersecurity. Educating leadership on basic cybersecurity principles and investing in qualified people and products could make a tremendous difference.
The main lesson credit union leadership can take from those resources is that cybersecurity should not be a one-off project; there must be a transformation in investment, education and awareness. The corporate culture should be transformed. For instance, the cybersecurity professional at your credit union should have access to the executive team (if they are not on it) and the board of directors. Perhaps most importantly is to be proactive in approaching potential breaches. All credit unions should have a plan ready to go that is well tested in case your credit union’s systems are breached. With that preparation, you would be prepared if a hostile actor has accessed your member’s personally identifiable information or when ransomware has encrypted your institution’s most important data, thus bringing your operations to a standstill. Your institution should have a plan in place to mitigate the technical and the reputational challenges when they arise.
To protect your credit union’s reputation, consider having a trusted law firm or forensic accountant firm handle the investigation (you want to make sure you are protected by client confidentiality) and respond to the event. Also, consider how much access or cooperation you’ll give to law enforcement.
Another issue related to this is cyber insurance. These products can cover any variety of items, such as paying for technical support in the event of a breach, covering the costs of ransom to hackers, professional costs (hiring lawyers, IT, PR), notification and identity theft costs for members and legal liabilities arising from the breach. While these products are important, the policies are written in very specific format, so credit unions should be vigilant that they’re in compliance with any policies. For instance, a failure to maintain standard security updates may allow the insurer to deny a claim.
Finally, cybersecurity will continue to be a supervisory priority for NCUA and state regulators. The examiners will continue to thoroughly scrutinize the largest credit unions, but smaller credit unions can expect more thorough reviews of their controls and processes. Similarly, you should scrutinize your third-party vendors closely, considering there is a push to give the NCUA exam authority over third-party vendors and the degree to which credit unions rely on them for their cybersecurity. It is important to evaluate those relationships prior to any breach, but also so your credit union can focus resources on areas not covered by your vendors.
Many common breaches can be prevented by implementing simple safeguards that minimize the most common cause of breaches — human behavior. Having a plan of action in response to the occurrence of a breach will minimize harm to your credit union’s operations and reputation. And exposing your credit union’s leadership to the basic premises of cybersecurity and the importance of investing in people and technology in this area will better prepare your credit union for these common threats to our industry. If you have any questions on these topics, please contact Mike Lee, director of regulatory advocacy, at Michael.firstname.lastname@example.org.
What simple steps can you take to better secure your credit union?
1. Develop and enforce good password habits (complex passwords that are regularly changed – not written down and taped to your monitor).
2. Multifactor authentication — when you want to access a program, you must input a code sent by email or text message in addition to your password.
3. Prohibiting use of private email/social media on company computers — phishing and social engineering pose a high risk to your institution. By disallowing personal browsing on company computers, you can greatly reduce risk.
4. Limiting access — programs, systems and files should be available only to those that must have user capability. Also, making sure that former employee’s access privileges are quickly removed.
5. Eliminating the use of external flash drives — allowing only approved storage devices on your institution’s computers greatly limit the possibility of stray malware from entering your system. Criminals will often discard an infected flash drive in the hope that a passerby will pick up the drive and use it at home or work. ne university study found half the bystanders picked up and used the discarded flash drive, which could have risked exposing their systems to a breach.