Navigating the modern pace of change is the biggest challenge in cybersecurity, McMurray says.
“Technology is constantly changing,” he says. “If things moved slowly, we could get our heads around them better and secure our systems and data. But we have to move so fast.”
He recalls how information technology (IT) departments scrambled in the immediate aftermath of the COVID-19 pandemic, when many organizations began using Microsoft 365 and meeting via platforms such as Zoom and Microsoft Teams. These raised new vulnerabilities.
Artificial intelligence, quantum computing, and blockchain also are gaining momentum as IT departments work to identify the cybersecurity concerns that exist within these industry-changing technologies.
“There are all sorts of questions we haven’t even begun to ask,” McMurray says, noting there also are everyday changes, updates, revisions, and services to keep up with.
“I started auditing in 2006, and technology is moving leaps and bounds faster today than it was then,” he says. “It’s good to go back, focus on the basics, reassess, and make sure you know if and how these changes apply to your credit union.”
Keeping those priorities, questions, and updates in check requires having a designated individual or team—in other words, a champion, McMurray says.
“The best way to improve your cybersecurity is to have a champion,” he says. “You need someone who’s doing it regularly, even if they’re doing other things in the institution.
“You also need a champion in management— someone with authority,” McMurray adds. “If you do, you’ll find your way. If not, you’ll have false starts and inconsistent progress. Those champions have to believe in it.”
If a household waits until spring to clean, it will be a large undertaking. The same goes for cybersecurity, McMurray says.
“It’s a royal pain and a huge production if you clean your house once a year,” he says. “We often treat IT audits as a big project we do once a year, but technology moves faster than that. So, we’re experimenting with the concept of agile auditing, where we can do smaller audits more frequently and with less burden on the credit union.”
Therefore, when a new vulnerability arises, the fix can be implemented and verified immediately rather than waiting months until the next IT audit.
McMurray says IT agile auditing is relatively new to community financial institutions, but it can be a useful tool to manage cybersecurity complexity.
Understanding your credit union is key to managing cybersecurity, McMurray says.
“Know your credit union better than the attackers,” he says. “Focus on your environment and eliminate the rest—that’s your advantage."