news.cuna.org/articles/120452-cybersecurity-and-small-credit-unions-collaboration-is-key
Mark Bigott and Jay Lee
Mark Bigott (left) and Jay Lee say effective cybersecurity at small credit unions starts with internal training.

Cybersecurity and small credit unions: Collaboration is key

The credit union system’s emphasis on relationships lets leaders focus on day-to-day service.

February 2, 2022

While cybersecurity challenges are daunting for all credit unions, they’re even more problematic for small credit unions due to insufficient financial and staff resources.

For Jay Lee, meeting formal cybersecurity requirements sometimes much like a formality, while providing the type of security that fosters growth and stability remains elusive.

“Right now, it’s more of a checklist item,” says Lee, vice president of information technology (IT) for three credit unions in California: $76 million asset CalCom Federal Credit Union in Long Beach, $28 million asset Mattel Federal Credit Union in El Segundo, and $82 million asset Nikkei Credit Union in Gardena. 

“We meet the examiners’ requirements so they’re happy with what we’re doing,” he says. “But once we want to grow, we need to make more significant investments, which is never easy.”

Lee uses vulnerability testing as an example. He typically runs vulnerability tests at the credit unions he serves on a quarterly basis. But he acknowledges these institutions would be better served he ran the tests monthly.

But the cost is prohibitive, especially with the remedial follow-up measures that are required. “Vulnerabilities happen every day,” he says.

Lee understands that the first line of defense in overcoming those vulnerabilities are employees, and he works to create an internal culture that prioritizes cybersecurity. 

He cites the 2021 Verizon Data Breach Investigations Report, which notes 85% of breaches involve human error. “It’s about sharing information and letting employees know they are the key players in this effort.”

Lee recalls a scene from an old National Lampoon movie in which a man with a beard, pretending to be a Girl Scout, approaches a house under the guise of selling cookies. The resident allows him entrance despite the security of multiple doors and locks.

“It’s a good analogy,” he says. “We can employ all the technologies and layers of security we want, but if we’re not trained well enough to see the Girl Scout with a beard and a manly voice, it doesn’t do any of us any good.”

‘It’s about sharing information and letting employees know they are the key players in this effort.’
Jay Lee

Valuable partnerships

At Texhillco School Employees Federal Credit Union in Kerrville, Texas, Mark Bigott employs a similar mentality. 

“So much of cybersecurity is about social engineering,” says Bigott, president/CEO of the $20 million asset credit union. “Employees have to be your first line of defense. We share information in staff meetings and work on hot topics. It’s about making cybersecurity and day-to-day diligence part of your culture.”

For deeper security needs he turns to his core provider, CU*Answers, a credit union service organization. “They are essentially my IT department, and they provide 24/7 security, including firewall protection, vulnerability protection, and compliance.”

Bigott also uses Cornerstone Resources, a subsidiary of the Cornerstone Credit Union League, for IT audits and other security consulting needs. “They have been a great resource, especially as compliance and security have become more complex and more of a priority over the years.”

The company provides IT audits, vulnerability testing, risk assessments, and policy and procedure reviews, and other services, says Idrees Rafiq, vice president of IT consulting.

“The cooperative approach is the only affordable strategy I’ve been able to come up with,” Bigott says.

The New York Credit Union Association partners with eScope Solutions, a managed security service-based technology organization providing network and security services and cybersecurity solutions to member credit unions. 

CUNA Compliance & Risk Council

One of the primary aims in establishing these relationships is to provide workable options for small credit unions, says Bill Bywater, chief operating officer and senior vice president of the New York Credit Union Association.

“Performing the proper due diligence on cybersecurity companies—or any third-party vendor—requires a tremendous amount of time and resources,” he says. “Some credit unions simply don’t have enough hours in the day to take on more.

“While it’s not uncommon for larger credit unions to use our strategic partners,” Bywater continues, “companies often offer pricing structures that make partnering with them particularly affordable for smaller credit unions.”

Similarly, the Northwest Credit Union Association partners with Think Stack, a managed IT services company specializing in cloud and cybersecurity. 

“Smaller credit union shops often do not have the staff with expertise to respond to a cyber event, and Think Stack can augment their IT teams for threat detection, compliance, and security incident management,” says Cameron Smith, vice president of strategic partnerships and resources for the Northwest Credit Union Association.

Bigott says the credit union system’s emphasis on relationships helps him focus on the day-to-day needs of serving his membership while addressing complex security issues. “We’re all working together for the same cause.”