Jesse Davis (standing), IT governance and risk program manager for American Airlines Federal Credit Union, walks attendees through a data breach exercise.
Data breaches aren’t a matter of “if,” they’re a matter of “when,” according to two information security experts.
“You have to accept the fact that you’ll be breached,” says Marty Hetzel, manager of cybersecurity at BCU in Vernon Hills, Ill. “The question is, will you be ready?”
“If big companies like Capital One are being breached, more than likely it will happen to us,” adds Jesse Davis, IT governance and risk program manager for American Airlines Federal Credit Union in Fort Worth, Texas. “We have to know how to respond.”
Key to preparation is having an effective incident response plan, they say, which entails:
1. Involving all areas of the credit union and all aspects of your business in the plan. “If you involve only the IT people, they’ll do the IT portion,” Hetzel says. “But you need to ensure everyone is part of the planning process.”
2. Basing your plan on NIST (National Institute of Standards and Technology) protocol.
3. Customizing your plan for your particular credit union.
4. Updating your plan regularly. “Update it with lessons learned after an incident to make it better,” Hetzel says. “The landscape, threats, and technology are evolving.”
“Ten years ago, we weren’t thinking about the cloud,” Davis says. “Now we need to think about cloud response.”
5. Testing and practicing your plan regularly to drive improvements. “Testing once a year isn’t enough,” Hetzel says.
Ultimately, incident response plans must be strategic, consistent, efficient, documented, confidential, and empowered.
“Empower your groups and teams,” Davis says. “Train your people and get the right people involved.”
“Seventy-seven percent of organizations do not have a formal incident response program,” Hetzel adds. “That’s alarming.”
Credit Union Magazine’s Fall 2022 issue highlights credit unions’ role in cryptocurrency, the state of digital assets, cannabis banking compliance, the human side of technology implementation, and involving the board in financial discussions.
