You’ve been thinking about cybersecurity all wrong, says Theresa Payton, former White House chief information officer (CIO) under President George W. Bush.
“That’s not your fault,” says Payton, who delivered a keynote address at the CUNA Technology Council and Operations, Sales & Service Council Conferences in Orlando, Fla. “You were told to create these firewalls and install antivirus software and hunker down behind that. That isn’t going to work. You need to go on offense.”
Defensive systems simply can’t keep up with the legion of cybercriminals who release a new deviant of malware into the wild every 90 seconds, Payton says. Their coding acumen and technology allow them to quickly detect and circumvent obstacles in antivirus and antimalware software simply by changing a line of code.
“These systems only block about one-third of all the bad things out there,” says Payton, founder/CEO of Fortalice Solutions and co-founder of Dark Cubed, and a member of two military-oriented credit unions. “That’s why it’s so important for you to have an offensive strategy.”
Components of an offensive strategy include:
►Prioritizing and segmenting your data so a breach can compromise only your least sensitive data. Maintain your public-facing domain as a marketing tool but consider creating a separate, hidden domain for business purposes, and require different sets of credentials for various areas.
►Committing to regularly practice plausible digital disaster scenarios, such as your response if a cybercriminal gains control of a member’s holdings and demands a ransom.
“A breach is inevitable but my response as a victim is not inevitable,” Payton says.
►Designing user-friendly cybersecurity defenses and processes.
“Do you ask humans to conform to the technology, or do you ask the technology to conform to humans?” Payton asks. “If it’s not operationally friendly, someone’s going to find a workaround to get the job done. And now we’ve lost line of sight to that data.”
►Assessing your vendor contracts and renegotiating them if necessary to demand immediate notification of a breach that compromises sensitive member information.
“Ninety percent of the time, the contracts call for the company to notify you within a ‘reasonable’ amount of time”—too vague and ineffective a requirement, according to Payton.
►Investigating the specifics of your cyberinsurance coverage. Will the insurer pay a ransom to retrieve data, or cover the costs of a marketing and public relations campaign to restore members’ trust after a breach?
Is the credit union covered if a vendor breach compromises member data? If a credit union employee causes the breach by clicking on a bad link, does that invalidate the claim?
Click here for more coverage of the CUNA Tech/OpSS Council Conference.