Cybersecurity is a top consideration for today’s credit unions, and for good reason. Research has estimated that in 93% of cases, an external attacker can breach an organization's network perimeter and gain access to local network resources. At the same time, only 50% of small- and mid-sized businesses (the heavily targeted category into which many credit unions fall) have a cybersecurity plan in place. Risks continue to rise and evolve every day, making proactive mitigation and planning for issues that much more critical.
Take, for instance, robot networks (botnets). A botnet is a network of hijacked devices running one or more pieces of infected software to imitate human activity, steal data, or send spam messages and emails. Botnets present a serious threat to company security, as they usually exist at scale and can include millions of hard-to-detect, human-like bots.
At the direction of a malicious party, botnets can carry out criminal actions that range from overwhelming a server and rendering services temporarily unavailable via a distributed denial-of-service (DDoS) attack, to phishing and theft of consumer financial information. Botnets can also take over an entire company system, including assets, by impersonating legitimate accountholders as part of a credential stuffing attack, through which criminals can simultaneously check hundreds of thousands of credential combinations across websites.
These attacks can disrupt credit union operations and halt services provided to members. They can also have serious legal, reputational, and financial implications. In response to these growing risks, credit unions can turn to centralized, integrated, and real-time cybersecurity solutions.
Cyber criminals increasingly are leveraging automation to carry out cyberattacks at a vast scale. For credit unions tasked with safeguarding important consumer financial information, one of these botnet-induced data breaches could have disastrous impacts.
Many credit unions pride themselves on their sense of community and relationships with their member base. As a result, education must be a critical component of their cyber strategy. Credit unions should look to provide educational materials or trainings to employees and members. One example is educating members on the warning signs of threats such as phishing attacks—which could include emails that are urgent, request sensitive information, are from an unusual or unknown sender, include suspicious attachments, or have mismatched information.
Through education, the credit union can give members the ability and confidence to detect and avoid malicious interactions with other people and businesses, helping ensure that the entire community is safer. Any connected individual, whether an employee or member, is a company’s first line of defense against cyber threats and could unknowingly provide a bad actor access to the company’s server.
An increasing number of credit unions are seeking out malicious parties on the dark web—where criminal cyberattacks often start. Financial institutions have invested resources to scour the dark web, find impersonations of their user credentials, and leverage cybersecurity services to stop them in their tracks.
Credit unions are reducing the sharing of usernames and passwords by adopting solutions that offer safe, credential-less logins, such as multifactor and multistep authentication, as well as suspicious pattern or activity detection. The latter includes the ability to understand user behavior over time: from where and when users traditionally log in to what devices they typically use. Through this data collection and analysis, credit unions can determine when criminals may be operating with stolen credentials versus what is typical and valid user behavior.
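The behavioral check described above can be sketched as follows. This is an added example, not code from the article or from any vendor: the record layout, the sample logins, the 6-hour time bands, and the allow/step-up/review policy are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history: (user, ISO timestamp, country, device_id)
HISTORY = [
    ("alice", "2024-03-01T08:15:00", "US", "dev-a1"),
    ("alice", "2024-03-02T09:02:00", "US", "dev-a1"),
    ("alice", "2024-03-04T18:40:00", "US", "dev-a2"),
    ("bob",   "2024-03-01T22:10:00", "US", "dev-b1"),
    ("bob",   "2024-03-03T23:05:00", "US", "dev-b1"),
]

def hour_band(ts):
    """Bucket a timestamp into a 6-hour band (0-3) so small shifts do not alert."""
    return datetime.fromisoformat(ts).hour // 6

def build_baseline(history):
    """Per-user sets of countries, hour bands and devices seen in past logins."""
    base = defaultdict(lambda: {"country": set(), "band": set(), "device": set()})
    for user, ts, country, device in history:
        base[user]["country"].add(country)
        base[user]["band"].add(hour_band(ts))
        base[user]["device"].add(device)
    return base

def score_login(base, user, ts, country, device):
    """Return (decision, reasons): each attribute not seen before adds a reason."""
    if user not in base:
        return "step_up", ["no_history"]
    seen = base[user]
    reasons = []
    if country not in seen["country"]:
        reasons.append("new_country")
    if hour_band(ts) not in seen["band"]:
        reasons.append("unusual_time")
    if device not in seen["device"]:
        reasons.append("new_device")
    # Policy (assumed): 0 deviations allow, 1 ask for a second factor, 2+ hold for review.
    decision = ("allow", "step_up", "review")[min(len(reasons), 2)]
    return decision, reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_login(base, "alice", "2024-03-05T08:30:00", "US", "dev-a1"))
    print(score_login(base, "alice", "2024-03-05T10:00:00", "US", "dev-a9"))
    print(score_login(base, "alice", "2024-03-05T03:12:00", "RO", "dev-x7"))
```

A single deviation only triggers a second factor, so a member who buys a new phone is not locked out, while a login that differs in location, time, and device at once is held for review.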
While robust cybersecurity practices may seem daunting, credit unions don’t have to go it alone. Credit unions should look for a specialized partner who can easily integrate into their existing infrastructure and develop custom-fit solutions. For instance, many credit unions only have access to a small glimpse of account behavior. But by partnering with an organization that has expanded visibility across a broad swath of services, all parties can collaborate to corroborate account and user activity, and ultimately minimize related cyber risk exposures.
Additionally, credit unions should invest in their own cyber infrastructure. Budget and personnel resourcing are often significant obstacles, but these are not the only pieces of the puzzle. Credit unions can also focus on reducing and automating tedious tasks to create efficiencies in cyber issue diagnosis and improve skilled talent retention. By making sure that the right systems and teams are in place, credit unions can ensure they are prepared for a cyberattack.
As cybersecurity threats become more varied and sophisticated, implementing equally robust and sophisticated solutions and adopting behaviors that can mitigate risks can help protect credit unions and their communities from potential threats.
Ricardo Font is director of product management at Fiserv.