It is common to find that credit unions pay lip service to security. They tend to be driven more by compliance than security, resulting in a false sense of security and complacency. In most cases, boards and senior management of credit unions don't fully understand the complexity of cyberattacks.

As a result, they either lack sophisticated cyber security programs, or fail to make sufficient budget and resource commitments to secure IT assets, and protect their customers and business data.

We recommend the following as a starting point for credit unions to prepare for and reduce the odds of suffering a security breach.

1) Implement a comprehensive risk management program, which should include a comprehensive disaster recovery plan as well as regular backup of all data.

2) Implement, measure and enforce a comprehensive security program. All credit unions must understand that they are susceptible to cyberattacks and vulnerable to a sophisticated data breaches.

They should be committed to investing in building a comprehensive security program. This should include a well thought out process, implementing the program across the entire organization, monitoring and measuring the effectiveness of the program on a regular basis, enforcing the controls and proactively taking corrective action to minimize and or eliminate potential vulnerabilities.

More: Security doesn't just mean the latest tech …

Think Comprehensive Security Program, Not Latest Technology

Buying and implementing the latest anti-malware, anti-spam, AV, Firewall and IPS technologies alone will not be sufficient to prevent a security breach. A comprehensive security program should take into account the investments required in people, process, technology and culture. Weaknesses in any one of these four areas can be catastrophic for the business.

Technology. Invest in appropriate technologies to protect against new and evolving adversaries. Understand that implementing a security technology that is not updated regularly to deal with the latest attacks would mean inadequate technology defenses. Not having proper security controls – such as a limited number of super-admin credentials, continuously monitoring for super-admin activity, poor authentication credentials across the enterprise or not enforcing stringent standards across IT systems, and not regularly patching systems against vulnerabilities – will expose credit unions to potential attacks. Understanding where your data resides, who accesses it, how it is stored and what data is critical for your business can go a long way in prioritizing your technology investments. Prepare a comprehensive inventory of all your assets, start at the core where critical data resides and then expand to the entire network of assets. Remember, protect the core first and then think of the network perimeter.

Process. In addition to investing in and deploying appropriate technologies, credit unions need well defined processes for implementation, monitoring effectiveness of technologies in protecting IT assets and monitoring 24×7 for unusual activity, such as unauthorized users accessing sensitive systems, accessing the system outside standard hours or activity from known bad sources and unusual egress of data from the network or between internal and external points. Credit unions must embrace well thought out common sense best practices such as the SANS Critical Security Controls, which allow them to build proactive security defenses. We have seen that perpetrators are sophisticated and patient, so continuous monitoring is an important aspect in protecting credit unions from APTs and highly targeted cyberattacks and data thefts.

People - Credit unions need to either invest in a skilled cybersecurity team to monitor and assess security posture or partner with a third-party service provider to bring that expertise. Unfortunately, there is a severe security professional shortage today in the market. By one count there is a shortage of upwards of 1 million security professionals today. Even though several universities have introduced cybersecurity programs and courses, the fact remains that to be an effective security professional one needs hands on, in the weeds experience. This means that the security professional shortage will not be solved for several years to come. No wonder cybersecurity analyst was the fastest growing job in 2014. What this means is that credit unions are better off partnering with an outsourced security service provider whose trained security team can act as an extension to the credit union's IT team.

Culture. Every credit union should invest in improving the security IQ of their employees – not once a year, but on a regular basis to ensure they don't fall victim to cyberattacks via malware, phishing or social engineering, where bad actors impersonate a known/trusted source.

An effective security program that deals with proactive security monitoring as well as security intelligence will go a long way toward making it harder for cyberattacks to disrupt the business. Perpetrators will always look for the low hanging fruit – the easiest targets. By investing in and implementing a well thought out security program that properly aligns people, process, technology and culture, organizations can make it more difficult for attackers.

And in turn, they may opt for other easier targets.

Vijay Basani is CEO of the Acton, Mass.-based security intelligence firm EiQ Networks. He can be reached at [email protected] or 978-266-9933.