news.cuna.org/articles/122928-5-ways-to-boost-your-cyber-hygiene

5 ways to boost your cyber hygiene

Discover what steps to take to improve cybersecurity controls and manage complexity.

September 1, 2023

Cybersecurity can be overwhelming: The many threats, control frameworks, regulations, changes, and guidance make it difficult to keep up, says Ed McMurray, general manager at CoNetrix Security, an information security and cybersecurity testing, auditing, and consulting company.

The news isn’t all bad. “There are steps you can take without a huge budget to improve cybersecurity controls and manage complexity,” McMurray says.

He offers five tips to manage cybersecurity complexity and improve cyber hygiene.

Identify what matters

Credit unions can ease the complexity by revisiting the basics to understand what applies to them and what doesn’t. Flash cybersecurity audits allow organizations to quickly understand what cybersecurity issues impact them, concerns they need to address, and key controls that warrant regular auditing to ensure they’re effective.

“A flash cybersecurity audit would be if somebody came to me and said, ‘You have one day to audit us,’” McMurray says. “I don’t have time to dig into all the details, so what are the key pieces I need to hit? Doing an audit quickly forces you to identify what’s most important. It’s a great way to bring focus to your cybersecurity efforts.

“If you look at frameworks and standards as your starting point on how to be secure, there are a million possibilities,” he continues. “Finding the right starting point is key so the process stays manageable. Know your systems, data, and processes. By knowing your institution, you can determine with confidence what applies to you and eliminate what doesn’t.”

Understand the essentials

While cybersecurity essentials differ by organization, they often fit into a few categories, which include: responsibility, asset inventory, internet exposure, vulnerability management, user account management and authentication, audit logs, social engineering, data recovery, vendor management, and incident management.

“Essentials are the things that apply to everybody,” McMurray says. “Find out how they apply to you.”

Prepare for change

Navigating the modern pace of change is the biggest challenge in cybersecurity, McMurray says.

“Technology is constantly changing,” he says. “If things moved slowly, we could get our heads around them better and secure our systems and data. But we have to move so fast.”

He recalls how information technology (IT) departments scrambled in the immediate aftermath of the COVID-19 pandemic, when many organizations began using Microsoft 365 and meeting via platforms such as Zoom and Microsoft Teams. These raised new vulnerabilities.

Artificial intelligence, quantum computing, and blockchain also are gaining momentum as IT departments work to identify the cybersecurity concerns that exist within these industry-changing technologies.

“There are all sorts of questions we haven’t even begun to ask,” McMurray says, noting there also are everyday changes, updates, revisions, and services to keep up with. 

“I started auditing in 2006, and technology is moving leaps and bounds faster today than it was then,” he says. “It’s good to go back, focus on the basics, reassess, and make sure you know if and how these changes apply to your credit union.”

Keeping those priorities, questions, and updates in check requires having a designated individual or team—in other words, a champion, McMurray says.

“The best way to improve your cybersecurity is to have a champion,” he says. “You need someone who’s doing it regularly, even if they’re doing other things in the institution.

“You also need a champion in management—someone with authority,” McMurray adds. “If you do, you’ll find your way. If not, you’ll have false starts and inconsistent progress. Those champions have to believe in it.”

Examine the horizon

If a household waits until spring to clean, it will be a large undertaking. The same goes for cybersecurity, McMurray says.

“It’s a royal pain and a huge production if you clean your house once a year,” he says. “We often treat IT audits as a big project we do once a year, but technology moves faster than that. So, we’re experimenting with the concept of agile auditing, where we can do smaller audits more frequently and with less burden on the credit union.”

That way, when a new vulnerability arises, the fix can be implemented and verified immediately rather than waiting months until the next IT audit.

McMurray says IT agile auditing is relatively new to community financial institutions, but it can be a useful tool to manage cybersecurity complexity.

Know your credit union

Understanding your credit union is key to managing cybersecurity, McMurray says.

“Know your credit union better than the attackers,” he says. “Focus on your environment and eliminate the rest—that’s your advantage.”