Cybersecurity can be overwhelming: The many threats, control frameworks, regulations, changes, and guidance make it difficult to keep up, says Ed McMurray, general manager at CoNetrix Security, an information security and cybersecurity testing, auditing, and consulting company.
The news isn’t all bad. “There are steps you can take without a huge budget to improve cybersecurity controls and manage complexity,” McMurray says.
He offers five tips to manage cybersecurity complexity and improve cyber hygiene.
Credit unions can ease the complexity by revisiting the basics to understand what applies to them and what doesn’t. Flash cybersecurity audits allow organizations to quickly understand what cybersecurity issues impact them, concerns they need to address, and key controls that warrant regular auditing to ensure they’re effective.
“A flash cybersecurity audit would be if somebody came to me and said, ‘You have one day to audit us,’” McMurray says. “I don’t have time to dig into all the details, so what are the key pieces I need to hit? Doing an audit quickly forces you to identify what’s most important. It’s a great way to bring focus to your cybersecurity efforts.
“If you look at frameworks and standards as your starting point on how to be secure, there are a million possibilities,” he continues. “Finding the right starting point is key so the process stays manageable. Know your systems, data, and processes. By knowing your institution, you can determine with confidence what applies to you and eliminate what doesn’t.”
While cybersecurity essentials differ by organization, they often fit into a few categories: responsibility, asset inventory, internet exposure, vulnerability management, user account management and authentication, audit logs, social engineering, data recovery, vendor management, and incident management.
“Essentials are the things that apply to everybody,” McMurray says. “Find out how they apply to you.”
NCUA identifies four current and emerging cybersecurity threats in its 2023 Cybersecurity & Credit Union Resilience Report:
Geopolitical tensions. Given current geopolitical threats, the agency encourages credit unions of all sizes to adopt a heightened state of awareness and to conduct proactive threat hunting. The agency advises credit unions to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). It directs credit unions to CISA’s Shields Up website (cisa.gov/shields-up) for information and mitigation measures.
Ransomware. This remains the most immediate threat to credit unions, NCUA reports. Many ransomware operations now integrate extortion in data-theft campaigns. They leave organizations without the data they need to operate.
To increase pressure on organizations to satisfy extortion demands, cyber intruders now demand payment in exchange for not releasing sensitive information obtained during a cyberattack. This crime has evolved to ransomware as a service, whereby multiple intruders coordinate their activities to conduct a single intrusion event, making it more challenging for financial institutions to defend against such attacks.
Supply chain risk. This risk continues to increase and evolve with attacks that target vulnerabilities in software systems many credit unions use. Threat actors exploit vulnerabilities in third-party hardware and software systems to conduct malicious cyber activities. These attacks demonstrate the importance of assessing the risks posed by third-party vendors, including the supply chain, and developing a comprehensive approach to operational resilience.
Third-party risk. Criminals continue to increase their efforts to exploit vulnerabilities of third-party providers. The number of credit unions using information technology service providers, such as managed and cloud services, has dramatically increased in recent years because they enable institutions to scale and support network environments more cost-effectively. Outsourcing doesn’t eliminate a credit union’s responsibility for the safety, security, and soundness of those processes and functions.