
By now, we should all accept humans as the weak link in the information security kill chain, but if you still need some convincing, read the recent article from Reuters highlighting Verizon and Symantec cybersecurity reports released this year. So what is a credit union board, executive management team, or information security officer to do? More security awareness training is an option. Unfortunately, training employees doesn't seem to be the answer, according to a recently released study by ISACA and RSA. In the April report, State of Cybersecurity: Implications for 2015, more than 700 respondents confirmed enterprises with security awareness programs are faring worse than those without. The intent of this article is not to debate the merits of security awareness training programs, but rather to illustrate how a credit union can mitigate the impact of the inevitable human error causing so many of the cybersecurity incidents happening today.
Make their weakness a non-issue. If the data being gathered in these respected industry reports is accurate, how do you effectively mitigate this substantial risk to your credit union with the limited resources available? Simply put, move your IT infrastructure to the cloud. In doing so, you need to consider what to look for in a cloud provider, while answering why moving your IT infrastructure to the right cloud solution(s) makes the human error weakness a non-issue.
Cybersecurity benefits of utilizing a financial services community cloud provider ("community cloud" as defined in the NIST Special Publication 800-14) include:
- FFIEC examinations: Similar to your credit union, the right cloud provider is subject to FFIEC IT examinations. When evaluating potential partners, look for service providers who have recurring regulatory examinations.
- No out-of-date operating systems: End-of-life operating systems (think Windows Server 2003) and unpatched production systems are a huge risk for any organization. Relying on a cloud provider that ensures the infrastructure you will utilize in their cloud is always compliant is key. As I heard from the DHS and NCCIC Deputy Assistant Secretary of Cybersecurity recently at the FS-ISAC Annual Summit in Miami, you might as well put a cyber "kick me" sign on your back if you are operating on outdated and unpatched systems.
- Data is all in one place: Do you know where all of your electronic member data is currently residing? Servers, workstations, laptops, USB drives, email stored locally, and the list could go on. With the right cloud solution, all of your data can be centrally located, reducing the risk of data leakage and security incidents.
- Data is encrypted in transit and at rest: Notice I said in transit AND at rest. This is starting to become the norm, and the expectations from regulators will be that your credit union is not only encrypting data in transit (think VPN, SSL, HTTPS), but also at rest while sitting on your file and database servers. Look for a cloud provider that has the capability baked into the solution.
- Resiliency is built in: Quick recovery after an incident is vital. Ensure your due diligence effort of potential partners uncovers the true recovery capabilities if their primary datacenter(s) are impacted. Especially with the new Appendix J in the FFIEC BCP IT Handbook released in February, the NCUA will now be taking an even harder look at your own capability and your third-party partner's ability to recover from security incidents.
If your users fall victim to social engineering, and your infrastructure is in the right cloud:
- Your systems will be fully patched, mitigating the latest known vulnerabilities.
- Your data will not make it out of the credit union since your provider has implemented the necessary data loss prevention controls as part of the cloud solution.
- Your data is encrypted and unusable if somehow the data makes it out.
- If your data becomes unavailable due to malware, your service provider will be able to quickly recover in more than one location.
It may be time to adjust your information security program and start thinking about how the cloud can help mature your security posture. The NCUA's Part 748 Section III.E encourages credit unions to adjust their information security program in light of relevant changes in technology and other factors. Technology continues to change, and with the evolution in cloud services, there are solutions available to help your credit union stay ahead of the security curve.
Don Baham is director of account management for D+H. He can be reached at 972-923-1442 or [email protected].