Education is key to preventing members and employees from placing personal information on social media or falling for phishing and vishing scams, experts say.
Technology also serves a purpose. Third-party providers, for example, offer services that allow credit unions to monitor networks and spot suspicious activity, such as an employee account copying an unusually large number of files, a possible sign of a compromised account or of malware staging data for theft.
Corbett believes artificial intelligence (AI) tools that learn members’ habits are now essential for thwarting account takeover.
AI can detect anomalies, such as a transaction initiated at 1 a.m. when a member has previously logged in only during the daytime. It can also determine that a request comes from an Android device when the member has previously used only an iPhone.
Whatever its components, defense starts with a recognition of the risks, Montgomery says. “We have been here for 86 years, and we want to be here another 86. Any information that comes out that we are lax about security could shut us down.”
Additionally, even being temporarily unable to access funds could be “devastating” to members, she says, adding that FAMU Federal’s board is aware of the consequences and supports fraud protections.
“I don’t want to throw a tool at a problem that isn’t there,” says Barry, describing the delicate balance between fraud protection and service “friction,” whereby layers of defense become more irksome and inconvenient for members than the fraud threat itself.
For instance, requiring a member to answer security questions and enter a code received via text or email may be unnecessary for commonplace transactions such as transferring a small sum from savings to checking, but that extra step would be warranted for an unusual wire transfer.
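The two ideas above, a learned per-member baseline (login hours, device platform, typical amounts) and step-up authentication that scales friction to risk, fit together in one decision flow. The following is an added example written for this page; it is not code from the article or from any credit union named in it. It learns habits from a constructed event history, scores a new request against that baseline and the transaction type, and maps the score to the authentication steps required. The weights, thresholds and sample events are illustrative assumptions.

```python
"""Per-member behavior baseline with risk-based step-up authentication.

Added example, not code from the article or any credit union named in it.
Weights, thresholds and sample events are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    member_id: str
    hour: int        # local hour of day, 0-23
    platform: str    # "ios", "android" or "web"
    txn_type: str    # "internal_transfer", "bill_pay" or "wire"
    amount: float


# Constructed history: member M1 banks by day from an iPhone and moves small sums.
HISTORY = [
    Event("M1", 9, "ios", "internal_transfer", 200.0),
    Event("M1", 10, "ios", "bill_pay", 120.0),
    Event("M1", 12, "ios", "internal_transfer", 150.0),
    Event("M1", 14, "ios", "bill_pay", 80.0),
    Event("M1", 18, "ios", "internal_transfer", 300.0),
]

# Inherent risk of the transaction type before any behavioral signal (assumption).
TXN_BASE_RISK = {"internal_transfer": 0, "bill_pay": 1, "wire": 3}


class MemberBaseline:
    """Habits learned per member: login hours, platforms and past amounts."""

    def __init__(self, history):
        self.hours = defaultdict(Counter)
        self.platforms = defaultdict(Counter)
        self.amounts = defaultdict(list)
        for e in history:
            self.hours[e.member_id][e.hour] += 1
            self.platforms[e.member_id][e.platform] += 1
            self.amounts[e.member_id].append(e.amount)

    def hour_is_unusual(self, member_id, hour):
        # Unusual when no past login falls within two hours (circular: 23 and 1 are near).
        seen = self.hours[member_id]
        if not seen:
            return True  # no history at all: treat as unusual
        return not any(min(abs(h - hour), 24 - abs(h - hour)) <= 2 for h in seen)

    def platform_is_new(self, member_id, platform):
        return self.platforms[member_id][platform] == 0

    def amount_is_outlier(self, member_id, amount):
        past = self.amounts[member_id]
        return bool(past) and amount > 3 * max(past)


def risk_score(baseline, event):
    """Sum transaction risk and behavioral anomalies into one integer."""
    score = TXN_BASE_RISK.get(event.txn_type, 2)
    if baseline.hour_is_unusual(event.member_id, event.hour):
        score += 2   # e.g. a 1 a.m. request from a daytime-only member
    if baseline.platform_is_new(event.member_id, event.platform):
        score += 2   # e.g. Android request from a member who has only used an iPhone
    if baseline.amount_is_outlier(event.member_id, event.amount):
        score += 2
    return score


def required_auth(score):
    """Map risk to friction: routine low-risk moves get no extra step."""
    if score <= 1:
        return "password"
    if score <= 4:
        return "password+otp"
    return "password+otp+callback"


def decide(baseline, event):
    score = risk_score(baseline, event)
    return score, required_auth(score)


if __name__ == "__main__":
    base = MemberBaseline(HISTORY)
    routine = Event("M1", 11, "ios", "internal_transfer", 100.0)
    suspicious = Event("M1", 1, "android", "wire", 5000.0)
    print(decide(base, routine))      # (0, 'password')
    print(decide(base, suspicious))   # (9, 'password+otp+callback')
```

A member with no history scores as unusual on every behavioral signal, so the first interaction from a new account gets the one-time code rather than a bare password; in production the baseline would be refreshed as each verified transaction completes.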
In the end, fraud is always under watch, and measures must be appropriate to the situation.
In the call center example Davis provided, in which two calls about suspicious card charges arrive within hours of each other, Michigan State University Federal may respond by contacting the affected members and watching the situation rather than immediately blocking all transactions from a particular retailer.
The credit union weighs the need to prevent undue panic or widespread inconvenience for members against further fraud, Davis says. “We are careful about the balance.”
The reality that virtually every credit union process and role has a cyber component underscores the importance of cybersecurity.
Improving cybersecurity requires focusing on three areas, Carlos Molina, senior risk consultant for CUNA Mutual Group, writes in CUNA’s 2021-2022 Environmental Scan Report:
1. Hire a CISO. Some credit unions take a siloed approach to cybersecurity in which security is “IT’s job” and the chief operating officer or chief financial officer oversees the department.
But there’s a growing recognition that cybersecurity must factor into every business decision. That’s driving credit unions to add a chief information security officer (CISO) to the C-suite. This person is responsible for an organization’s information and data security.
Adding someone who understands the tactical application of security through a strategic lens is a great asset. If your credit union can’t afford to add this position, consider adding a virtual CISO for a cost-effective way to add critical expertise.
2. Address ransomware. Ransomware has grown in frequency and severity. Extortion demands have risen significantly, and the growth of remote work has expanded the attack surface.
A ransomware incident is one of the most disruptive and costly attacks organizations can suffer. Six- and seven-figure demands have become routine: In the third quarter of 2020, the average ransom payment was $233,817, according to Coveware.
Common ransomware infection points include phishing emails, malicious attachments, exposed or weakly secured Remote Desktop Protocol (RDP) services, unpatched system vulnerabilities, untimely antivirus updates, weak password practices, and a lack of multifactor authentication.
To address this risk, keep all systems patched and up to date, implement application whitelisting and software restrictions, require multifactor authentication on all systems (remote access above all), back up your data to copies the production network cannot overwrite and test that they restore, and vet and monitor third parties.
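Backups only help against ransomware if they survive the attack intact, and a restore from silently encrypted or altered copies is worse than no restore. The following added example is not code from the article or CUNA Mutual Group: it seals a manifest of file hashes with an HMAC under a key the backed-up host never stored, then checks a backup against that manifest before any restore. The key, paths and file contents are constructed for illustration.

```python
"""Tamper-evident backup manifest sealed with an offline key.

Added example, not code from the article or CUNA Mutual Group. Key, paths
and file contents are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digests(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def seal(digests, key):
    """HMAC over the canonical JSON of the digest table."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    digests = file_digests(root)
    return {"files": digests, "hmac": seal(digests, key)}


def verify_backup(root, manifest, key):
    """Return (ok, problems). A bad HMAC means the manifest itself was altered."""
    if not hmac.compare_digest(seal(manifest["files"], key), manifest["hmac"]):
        return False, ["manifest"]
    current = file_digests(root)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in current:
            problems.append("missing:" + rel)
        elif current[rel] != digest:
            problems.append("modified:" + rel)
    problems += ["added:" + rel for rel in current if rel not in manifest["files"]]
    return not problems, sorted(problems)


def demo():
    """Seal a constructed backup, then simulate ransomware touching it."""
    key = b"constructed-key-kept-off-the-backup-host"  # assumption: never on the backed-up host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "core"))
        with open(os.path.join(root, "core", "members.db"), "wb") as f:
            f.write(b"constructed member records")
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(b"acct,balance\n1001,250.00\n")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_backup(root, manifest, key)

        # Ransomware overwrites one file and drops a note.
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(b"\x9f\x12\x7a encrypted")
        with open(os.path.join(root, "README_RESTORE.txt"), "wb") as f:
            f.write(b"pay us")
        tampered_ok, problems = verify_backup(root, manifest, key)

        # Attacker rewrites the file list to match but cannot recompute the HMAC.
        forged = {"files": file_digests(root), "hmac": manifest["hmac"]}
        forged_ok, forged_problems = verify_backup(root, forged, key)
    return clean_ok, tampered_ok, problems, forged_ok, forged_problems


if __name__ == "__main__":
    print(demo())
```

The manifest and key must live somewhere the ransomware cannot reach (offline media or a separate account with write-once storage); a manifest stored next to the backup protects against nothing, which is the same reason the text pairs “back up your data” with vetting who and what can touch those copies.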
3. Engage employees and review processes. Firewalls, filters, and scanning are critical tools to maintain cybersecurity, but people and process can undo the best of them. The information technology team may know the threats well; what about the teller on their first day?
Social engineering is a huge part of the challenge. Threat actors are masters of manipulation and often know just how to trick employees—for instance, posing as a member to a call center rep or sending an alarming email.
When credit unions perform phishing testing, it’s common to see employees click when the subject lines mention HR, personnel, or payment—topics that can create anxiety or fear.
In response, analyze and update your processes, engage and train staff, limit data access, address work-from-home challenges, and decide which employees really need a work email address.
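The phishing-test observation above, that employees click when a subject line touches HR, personnel or payment, is also a signal a mail filter can act on before the message reaches the teller. The following added example is not code from the article or CUNA Mutual Group: it triages constructed messages on three signals, an external sender whose display name claims an internal role, a fear or urgency lure in the subject, and a Reply-To domain that differs from the From domain. The internal domain, keyword lists and verdict thresholds are assumptions, and the example assumes mail claiming the internal domain from outside is already rejected upstream by SPF/DKIM/DMARC enforcement.

```python
"""Triage heuristics for social-engineering e-mail lures.

Added example, not code from the article or CUNA Mutual Group. Internal
domain, keyword lists and thresholds are assumptions for illustration.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-cu.org"   # assumption; real filter reads this from config

# Display names an outsider borrows to claim internal authority (word-bounded so
# "Chris" does not match "hr").
INTERNAL_ROLE = re.compile(r"\b(hr|human resources|payroll|help ?desk|ceo)\b", re.I)
# Subject words that create the anxiety or fear that drives clicks.
FEAR_LURE = re.compile(
    r"\b(urgent|immediate|action required|final notice|suspended|"
    r"payment|payroll|personnel|hr|termination)\b", re.I)

# Constructed sample messages (header dicts, as a mail filter would see them).
SAMPLES = [
    {"From": '"HR Department" <hr-notices@example-cu-mail.com>',
     "Reply-To": "hr@mail-relay.example.net",
     "Subject": "URGENT: Personnel record update required"},
    {"From": '"Vendor Billing" <billing@vendor.example>',
     "Subject": "Your payment is overdue"},
    {"From": '"Payroll" <payroll@example-cu.org>',
     "Subject": "Payroll schedule for December"},
]


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if malformed."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg):
    """Return (verdict, reasons): deliver, banner (warn the reader) or quarantine."""
    display, _ = parseaddr(msg["From"])
    from_domain = domain_of(msg["From"])
    if from_domain == INTERNAL_DOMAIN:
        return "deliver", []   # assumption: internal mail already authenticated upstream
    reasons = []
    if INTERNAL_ROLE.search(display):
        reasons.append("external sender impersonates an internal role")
    if FEAR_LURE.search(msg.get("Subject", "")):
        reasons.append("urgency or fear lure in subject")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append("reply-to domain differs from sender domain")
    if len(reasons) >= 2:
        return "quarantine", reasons
    if reasons:
        return "banner", reasons
    return "deliver", reasons


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["Subject"], "->", triage(sample))
```

A single lure word in an external subject only earns a warning banner, since legitimate vendors do send payment reminders; it is the combination of borrowed internal authority, fear, and a reply path the sender does not control that justifies holding the message, and the same three questions are what a call center rep can be trained to ask of a caller.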