CUNA News

Inherent risk is always dynamic

Cybercriminals’ strategies, tactics are constantly changing.

February 3, 2021
Miguel Hablutzel

As the business landscape continues to evolve, accelerated by the coronavirus (COVID-19) pandemic, many credit union executives have revenue generation and cost containment at the forefront of their minds. There tends to be less appetite for ongoing investments that elevate cybersecurity.

For many credit unions, a sense of weariness sets in when, year after year, they repeat the same tasks to meet the same information technology (IT) risk requirements. IT or cybersecurity teams move through the Federal Financial Institutions Examination Council (FFIEC), Federal Deposit Insurance Corp. (FDIC), Automated Cybersecurity Evaluation Toolbox (ACET), or other tools and check the boxes they believe will keep regulators happy. Unfortunately, that approach misses the point.

NCUA has made some tweaks to its oversight approach. But if ACET, which is now categorized as a self-assessment tool, is embraced as intended, credit unions will navigate toward increasingly robust cybersecurity postures. Risk reduction is a primary goal for most executives, and a more mature cybersecurity posture can accomplish that goal.

Recognizing true inherent risk

A credit union’s inherent IT risk profile is based on technologies and connection types within its digital ecosystem, delivery channels, use of online and mobile technologies, organizational structure, and experienced external threats.

Many executives maintain that if none of those factors have changed markedly, then an organization’s inherent risk profile is the same and there is no need to invest additional time and resources to graduate to higher levels of cybersecurity maturity. According to that line of thinking, maintaining the status quo, including investment levels, should be fine.

However, that thought process is fundamentally flawed. Even if the key risk factors of a financial services firm’s operations remain static—which is rarely the case—cybercriminals and their strategies and tactics are anything but static.

Because attackers constantly evolve, a firm’s inherent risk profile must be viewed as dynamic. A credit union’s risk profile does not naturally move in the direction of greater security, so without intentional efforts and investment to increase security, actual inherent risk will always increase.


Attack strategies evolve

Attack strategies, and therefore risk, are continually changing. For example, USB devices used to be the leading endpoint threat. Most credit unions banned the use of USB devices, and that vulnerability all but vanished. Criminals had to perfect a new attack vector, and email currently leads that charge. However, it is a near guarantee that criminals will move to other vectors as email security continually strengthens.

What about novel attack strategies?

Cybersecurity technologies are often great at detecting and defending against known attack signatures. SilverSky can help protect organizations against a never-before-seen attack, such as the supply chain attack that utilized the SolarWinds update server.


Although none of SilverSky’s customers were infected, that attack reminded us of the critical importance of coupling around-the-clock monitoring with an intimate familiarity with our digital ecosystems. Only dedicated and diligent monitoring can spot unusual domain name system (DNS) query activity or unexpected queries to a command-and-control server.

The supply chain attack also reminded us of the importance of endpoint detection and response (EDR) capabilities to prevent malware from being dropped on endpoints. If malware infects endpoints despite sophisticated protective measures, EDR allows the infected organization to roll back endpoints to their pre-attack states.

A static approach is going backward

Criminals are constantly investing in both strategies and technologies to perfect their craft. Firms that opt to not evolve their defense strategies to keep pace are, in fact, going backward.

CUNA’s piloting of the Information Technology Risk Examination for Credit Unions (InTREx-CU) acknowledges that exact fact. InTREx-CU allows both examiners and credit unions to identify and remediate potential high-risk areas, particularly within the cybersecurity controls domain. ACET, now a self-assessment resource, helps credit unions meet InTREx-CU requirements while strengthening their organization’s overall security.

Fortunately, the industry is converging to help credit union executives accurately assess their organizations’ risk exposure and creatively balance budget realities with the imperative to evolve their firms’ defenses.

MIGUEL HABLUTZEL is the vice president of strategy at SilverSky, a CUNA Strategic Services alliance provider.
