With the report of every new data breach, credit unions learn more about what they can do better to protect the organization, its employees and its members. The sophistication of hacking requires credit unions to seek outside technological expertise.
One of the many challenges that credit unions and other businesses face is that technology is moving too fast to standardize safety measures. Currently, different vendors hold different standards as their measure of what constitutes strong security. For this reason, cybersecurity risk measures must take into account the size and scope of the credit union, and its allotted budget for cybersecurity protection.
While the current standards are not yet carved in stone, credit unions have enough history to put some best practices in place as a minimum level of protection for their organizations and their stakeholders.
Cybersecurity Measures Are Becoming Costlier
Credit union boards are finding it difficult to keep up with the high cost of protecting their establishments. Security measures must cover operational systems, employees and customers. Senior executives often need the help of outside consultants to ensure cyber safety. Ongoing third-party technological support is a necessity in today’s financial world.
George Rudolph, SVP of operations and technology at Alliant Credit Union, also serves as Second Vice Chair at the CUNA Technology Council. Rudolph recently disclosed that Alliant Credit Union had spent tens of millions of dollars on cybersecurity measures over the last five years. The cost accounts for 4–5% of its total budget.
Hackers Are Becoming More Sophisticated and More Organized
Perhaps the reason data breaches are becoming more commonplace is that hackers are becoming more dedicated to their craft. Cybercriminals tend to be well-funded and well-organized. They leave no industry off-limits to their attacks.
Hackers are becoming more sophisticated in their strategies for attacks and in the types of threats they pose. They often take advantage of opportunities to access data through insiders, whether the insider acts intentionally or the attacker takes a chance on an employee’s vulnerability or lack of education about cyber risks.
Cybersecurity Best Practices for Credit Unions
The National Institute of Standards and Technology (NIST) brought representatives from the government and the banking industry together to develop a framework for a cybersecurity planning tool that encompasses the standards, guidance and best practices needed to protect digital infrastructures. Smaller organizations can easily scale down the model for their purposes.
The framework includes definitions of terms and acronyms, a description of its components, and guidance on how to use it to assess the strength of cybersecurity measures and to demonstrate cybersecurity through measurements and testing.
Discussions With Vendors on Permission and Cybersecurity
One of the things that we’ve learned from hackers is that they sometimes breach businesses by gaining access to data through one of the organization’s vendors. Credit unions should keep an updated list of third parties that have access to their networks. Vendors may need to be able to access certain areas of credit union data. Best practices indicate that credit unions should restrict vendors’ permissions to only the areas that the vendors need to access. The NIST framework is a credible tool for navigating discussions with vendors about permissions and other cybersecurity measures.
Collaboration With Peer Groups
Ideas for practical solutions often come through sharing strategies with similar types of organizations. Credit union executives may want to take advantage of shared knowledge by joining the Financial Services Information Sharing and Analysis Center, where they can network online with approximately 7,000 other members to share information about threats targeted at financial institutions. Members also share resources and information about how to ward off cyberattacks.
The Department of the Treasury’s Financial Crimes Enforcement Network is another program through which credit union leaders can share information about cyber threats. This organization aids credit unions in identifying risks and in sharing information about attacks with the Financial Crimes Enforcement Network and law enforcement so they can help to fight crime that targets banks, credit unions and other financial corporations.
Planning and Testing for Potential Scenarios
Best practices for cybersecurity measures include looking for internal and external vulnerabilities. Credit unions need to be constantly on the lookout for attacks from every possible source. Phishing and malware are common tools for hackers. Cybersecurity teams can use brainstorming to identify the types of scenarios that have the potential for attacks and develop plans to prevent cyberattacks.
Using Technology in Tandem With Best Practices
While technology is part of the problem of cybersecurity, it’s also part of the solution. Behavior analytics and rule-based risk analysis can help cybersecurity experts to find patterns of normal behavior. This process makes abnormal user behavior and anomalies clear. Rule-based risk analysis is a helpful technology that narrows down security and policy violations by department and user. These applications include data loss prevention software, application monitoring and keylogging, to name a few. The applications alert administrators or managers to potential threats. Credit union executives can use these programs to take preventative action directly at the source of the problem.
Many software programs have built-in features that allow system administrators to restrict user permissions to only the specific areas or functions of programs that users need. Administrators can usually restrict access to internal employees as well as outside vendors. Best practices mean carefully following corporate policies regarding user permissions.
What Does the Future Hold for Cybersecurity Best Practices?
We can’t say for sure what technologies may become available to help fend off future cyber-risks. We can say that firewalls and intrusion prevention systems will probably continue to increase in sophistication to help inspect the many layers of communication. These efforts may develop more enhanced and more predictable security controls.
Advanced technologies such as machine learning and artificial intelligence are becoming more sophisticated and user-friendly. These technologies may be the tipping point for blocking suspicious and unusual activity. Advanced cybersecurity measures may also help to reduce false alarms and to make processes more efficient for clients.
Listservs and online threads about cybersecurity will continue to be sources of information that help credit union executives keep up with best practices and with updates from the Federal Financial Institutions Examination Council and the National Credit Union Information Sharing and Analysis Organization.
Board Portals Are Instrumental for Preventing Cyber-attacks
Board portals designed with the needs of credit unions in mind provide the top-level security that credit unions need. They’re a cost-effective solution that employs many of the best practices for credit union cybersecurity, including user permissions and managing internal risk prevention. The IT professionals at BoardEffect stay on top of cutting-edge security measures and stand ready to enhance their governance software solutions as necessary. BoardEffect provides solutions to the problems that keep credit union board members and senior executives up at night.