The move to hybrid work environments, which put laptops and cellphones in the hands of many employees, increases exposure to cyberattacks, says Kevin Ivy, director of security services at TraceSecurity, a CUNA Strategic Services alliance provider.
“You can't just focus on physical and logistical security anymore,” he says. “You now have to think about cloud security and other factors. It makes managing information security much more difficult because you have to look in so many different areas.”
While it’s difficult to guard against all threats, credit unions can take measures to manage threats and the damage they cause, Ivy says. His main recommendation: Conduct a risk assessment at least annually.
TraceSecurity offers a cybersecurity risk assessment service to identify potential weak spots and protect credit unions from threats. The assessment begins by working with the organization to identify its critical assets.
The company then uses the NIST Cybersecurity Framework or the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool to examine the potential threats those assets face on any given day.
The end result is a report that records the implementation level of each control and the residual risk remaining for each asset.
“Risk assessments are a great fundamental first step,” Ivy says. “You’re going to identify elevated risks that need attention and build from there. It’s a cyclical approach where you work through the life cycle of the risk.”
Ivy cites two cybersecurity threats that won’t go away: ransomware and social engineering.
The most common threat facing credit unions in recent years has been email phishing campaigns, he says. For example, a threat actor can buy a domain name that closely resembles a legitimate one and then send an email to someone at the legitimate company.
If the employee clicks a link within the message, malicious payloads enter the organization and, as Ivy says, “it’s off to the races.”
“It could be devastating,” he says. “Depending on the extent of the breach, you can infect your internal employee systems. But that could also extend to business partners and, what we definitely don't want, to members.”
From a technology standpoint, it can be difficult to catch these carefully crafted email attacks. Therefore, it’s crucial for credit unions to consistently train employees on security awareness, including the basics of not clicking on suspicious links.
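One technical control that complements that training is flagging inbound sender domains that closely resemble a domain employees trust, which is the lookalike trick Ivy describes. The following is an added example, not TraceSecurity's or the article's own code; the trusted-domain list, the homoglyph table and the From: headers are all constructed for illustration.

```python
import re
import unicodedata

# Constructed sample: the credit union's own domain plus a vendor it routinely mails with.
TRUSTED_DOMAINS = {"examplecu.org", "tracesecurity.com"}
# Single-character swaps that read like the letter they replace (small, illustrative table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def normalize(domain):
    """Fold case and accents, then undo common look-alike substitutions."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return folded.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):
    """Edit distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    match = re.search(r"@([^\s@>]+)>?\s*$", address.strip().lower())
    if not match:
        return "unknown"
    domain = match.group(1)
    if domain in trusted:
        return "trusted"
    label = normalize(domain).rsplit(".", 1)[0]  # drop the TLD so examplecu.co still flags
    for t in trusted:
        tlabel = t.rsplit(".", 1)[0]
        # Same label after normalisation, trusted name embedded in a longer one, or one
        # edit away: all are treated as impersonation of a domain the staff recognise.
        if tlabel in label or levenshtein(label, tlabel) <= max_distance:
            return "lookalike"
    return "unknown"

# Constructed From: headers, not real mail; triage() maps each to a verdict for alerting.
SAMPLE_FROM = ["Member Services <alerts@examplecu.org>", "it-support@examp1ecu.org",
               "billing@examplecu-secure.com", "support@tracesecurlty.com",
               "newsletter@retailer.example"]

def triage(headers=SAMPLE_FROM):
    return {h: classify_sender(h) for h in headers}
```

A "lookalike" verdict is a signal for quarantine or a warning banner, not proof of fraud; the "rn" and "vv" folds in particular can match legitimate names, so tune the trusted list and distance threshold against your own mail flow.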
“Sometimes we get stuck focusing on implementing technical things like a good data backup solution, email phishing filtering solution, and firewall,” Ivy says. “But a lot of times we forget we still have disaster recovery and incident response administrative controls we should put into place.”
Damage can be significantly lessened by a well-thought-out response. Ivy suggests creating formal processes for handling public relations and for managing your brand and reputation.
To avoid a worst-case scenario, credit unions should have fail-safe options and disaster recovery plans. However, Ivy says these are frequently vague plans known only to high-level employees.
He stresses the importance of sharing the plan throughout the organization. When an incident occurs, employees should know whom to contact and whether they should power down their computers.
“Every second on the clock is detrimental to the business,” Ivy says. “Having detailed incident response procedures could save you from a massive breach and turn it into something you can contain within 10 minutes.”