Tom Dedman, CEO at the credit union, admitted, "The one thing we missed in this whole process was updates to the software that drives the website. That is really deep into the heart of Web development."

Dedman asserted the credit union will make sure the software is updated going forward, and said he believed his institution did proper due diligence prior to the hacking.

"We have done vulnerability assessments or vulnerability penetration tests against the site and those passed," he said. "But with this one software, it was a zero-day flaw or vulnerability they found that they exploited. I don't get or hadn't been getting the notifications on websites on zero-day vulnerabilities. I mean, geez, we don't think about that."

A zero-day vulnerability is a software gap unknown to the vendor.

Financial institutions need to start making third-party vendors provide a list of all products including open source plug-ins that they incorporate while doing development, Jim Stickley, a cybersecurity expert and CEO of Stickley on Security, a security education firm in San Diego, suggested.

"The smaller financial institutions are not very good in patching and properly testing patches after installation," Ondrej Krehel, founder/principal of LIFARS, a digital forensics and cybersecurity intelligence firm, said.

He said they frequently use an application that is running on top of the web server, such as WordPress, and recommended web application security programs utilize a layered approach. Only a few credit unions have adopted these tactics, however.

The ISIS hack also drew attention away from a recently discovered vulnerability called FREAK (Factoring Attack on RSA-Export Key). FREAK is a relic of the U.S. government's restriction on the export of strong encryption in the 1990s, which compelled developers to devise a system that could deliver strong encryption for U.S.-based users and weaker encryption for foreign users.

According to the website freakattack.com, this new vulnerability allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. The number of actual attacks is unknown.

The vulnerability affects the Android, Apple Safari Web browsers that rely on OpenSSL to establish secure connections, and Microsoft's Secure Channel in all currently supported versions of Windows.

Apple, Google Android and Microsoft announced that updates to fix the FREAK attack should be available for all major browsers soon.

For credit unions, there are good and bad sides to the FREAK story. Carl Mazzanti, founder/and CEO of IT consulting firm eMazzanti Technologies, explained, "A lot of the credit unions cannot afford some of the technologies you would need to support mobile banking, so because of that, they might have less or no exposure," Mazzanti said. "Those that are less vulnerable developed their mobile systems within the last five years and don't have a legacy system to support it. Older systems are more susceptible than newer systems. Those running platforms that have some sort of legacy back to the late 1990s are the ones with the largest exposure."

The $2.4 billion Texas Dow Employees Credit Union of Lake Jackson, Texas, took a proactive approach when it comes to its members' Internet safety by providing an update to keep members informed of the FREAK exploit.

The alert reads in part, "Internet researchers have discovered a new browser vulnerability you should know about. The exploit is called FREAK."

The alert goes on to explain that for FREAK to affect members, both the browser and visited website must be vulnerable, and provides assurance that TDECU's servers are not vulnerable.

Paul O'Malley, vice president of e-commerce at TDECU, said the alert grew out of policy resulting from member concern over last year's much-publicized data breaches.

"Our goal here is to alert our members so they can be educated, and know that they need to pay attention to Internet security," O'Malley explained. "We understand our members are not expected to be experts on these types of things."

TDECU also maintains a very close relationship with its technology partners.

"Typically what will happen is, they will see something out in the blogosphere or we'll see something, and we'll immediately call each other and ask if we've heard about it and what we're doing about it," O'Malley said.

Maintaining members' reassurance levels when it comes to cybersecurity is good business. O'Malley pointed out,

How does a credit union protect itself? "Update servers and devices with a patch for the vulnerability," Mazzanti said.

That's the short answer; however, Mazzanti also pointed out new threats emerge every day, and organizations must develop a security-first mindset.

Brooks suggested, "Take charge of the process [technical workload] and take a look to see where and what is vulnerable in your environment. Compromise is a terrible 'strategy' for discovery."