
The much publicized hackings of Anthem, Sony and Target – the biggest retail hack in U.S. history – have demonstrated that no matter how robust your perimeter security, cybercriminals will gain, or already have gained, access to your network. Cyber defense, therefore, is not just about preventing access to your network. It must also focus on detecting malicious activities from within your network and preventing data from being stolen from your network.
While external, highly sophisticated threats are certainly grabbing headlines, the weakest link within an organization is often the human element. As a result, insider threats are still a major source of security breaches.
More companies are recognizing these threats from within. A survey reported in CU Times earlier in the year revealed that many credit unions have significant security concerns about insider threats. Eighty-three percent of surveyed institutions said their biggest worry was confidential information being transferred to unauthorized recipients, with just more than half concerned about sensitive data being transferred.
More than two thirds of the credit unions surveyed said they did not believe or were unsure if they had total protection against internal data threats.
They were right to be concerned. CUNA Mutual Group, the insurer for the majority of U.S. credit unions, reported in 2014 that internal fraud accounted for 46% of the money it paid in claims between 2009 and 2013.
According to the NCUA, internal fraud has also now been identified as a significant reputational threat for credit unions, but these breaches can be difficult to find.
The question, therefore, is how can credit unions best defend themselves against external and internal threats, which are evolving and have the potential to cause significant reputational, financial and operational damage?
Insider Threats
While credit unions should certainly continue to improve perimeter security, the smartest approach to cybersecurity should start with the assumption that threats are already inside your perimeter defenses. This may be as a result of a sophisticated external attack that has infected your network with malicious code, lying in wait to discover, collect and extract your most valuable data; or an insider attack via an employee with "keys to the kingdom."
To make things more difficult, the insider threat can come in many forms. It may be a result of an employee's accidental, rather than deliberate actions, such as clicking on an infected email or visiting an infected site that downloads malicious code to your network. A report carried out by Verizon shows that nearly one in four employees is likely to open a phishing email – and one in 10 is willing to open an email attachment from an unknown person. Phishing emails can be vehicles for malware, which once opened can infiltrate a network and quietly access information without the knowledge of the organization. This malicious threat can go undetected as the complexity of today's computing environments creates the perfect hiding place for malware. On average, it can take 200 days from an initial compromise taking place to its detection. By this time, the damage has usually been done.
Threats can also come from a disenfranchised employee committing straightforward fraud or IP theft for personal gain. Unfortunately, however, the insider threat is often more sinister. Organized criminals are clever, prepared and insidious. Criminal gangs are looking for account and credit card information, corporate trade secrets, financial reports, and employee and customer information. They understand that it is often easier to place one of their own on the inside or encourage an existing employee to reveal information, rather than mount an uncertain attack on the institution's cyber defenses.
Cyber Threat Analytics
As discussed earlier, perimeter security layers, such as anti-virus tools and firewalls, are important for blocking out the vast majority of known external threats but ineffective when it comes to insider threats or sophisticated "unknown external threats." Defenses, therefore, need to be built on the assumption that threats are already on the inside. Good information assurance and security practices, segregation of duties, and processes that ensure users do not accumulate excessive privileges on critical information systems are all important approaches to tackling these insider threats. However, these are no longer enough.
In order to mitigate the insider threat, security professionals within credit unions must be able to detect suspicious activities within their networks and prevent valuable digital assets from leaving the organization. Analytics software that continually analyzes logs, events, users and asset data to quickly identify unusual patterns and indicators of malicious activity is key. This approach identifies "oddities" in the behavior within the network, either as a result of malicious code or a malicious employee, and alerts organizations to any unusual activities before significant damage is done.
These powerful tools can constantly survey inside perimeter defenses and search for anomalies in network behavior, data flows, file access and traffic logs. Unusual and outside-the-norm behaviors – such as people accessing data outside normal working hours, from unusual IP addresses, or from another geographical location – are flagged for further investigation. The evidence may be spread across multiple data sources, including DNS, proxy, firewall, Active Directory, VPN, NetFlow and DHCP logs. Identifying these threats means an organization can pinpoint issues and isolate the threat in a timely manner. By taking action quickly and responding rapidly to threats, a credit union can reduce the damage to its reputation, its members and its finances.
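To make the kind of analysis described above concrete, here is an added Python example (not code from the article or from Wynyard Group) that streams a handful of constructed VPN/Active Directory-style log lines, builds a per-user baseline of previously seen IP addresses and countries, and flags off-hours access, new IP addresses and new geographies for investigation. The log format, the 07:00-19:00 business-hour window, the user names and the sample addresses are all assumptions made for the example.

```python
"""Rule-based anomaly detection over access logs (added example, not the article's own code)."""
from collections import defaultdict
from datetime import datetime

# Assumed business hours, local time: 07:00 up to (but not including) 19:00.
BUSINESS_START, BUSINESS_END = 7, 19

# Constructed sample log lines in an assumed "TIMESTAMP key=value ..." format.
# 203.0.113.77 is a documentation-only address (TEST-NET-3), chosen deliberately.
SAMPLE_LOGS = [
    "2015-03-02T09:12:44 user=jdoe ip=10.1.4.23 geo=US action=login",
    "2015-03-02T10:03:10 user=jdoe ip=10.1.4.23 geo=US action=file_access path=/finance/q1.xlsx",
    "2015-03-02T11:30:00 user=asmith ip=10.1.7.8 geo=US action=login",
    "2015-03-03T02:41:09 user=jdoe ip=203.0.113.77 geo=RO action=login",
    "2015-03-03T02:45:31 user=jdoe ip=203.0.113.77 geo=RO action=file_access path=/members/export.csv",
    "2015-03-03T14:05:12 user=asmith ip=10.1.7.8 geo=US action=file_access path=/hr/payroll.xlsx",
]


def parse_line(line):
    """Parse one log line into a dict; the leading timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_off_hours(ts):
    """True when the event falls outside the assumed business-hour window."""
    return not (BUSINESS_START <= ts.hour < BUSINESS_END)


def detect_anomalies(lines):
    """Walk events in time order, learning each user's normal IPs and countries.

    An event that deviates from the user's profile (or happens off hours) produces
    an alert. Anomalous events are NOT folded into the profile, so an intruder's
    address is not quietly learned as 'normal' by the very events it appears in.
    A user's first clean events seed the profile; until then only the time-of-day
    rule can fire, because there is no baseline to compare IP or country against.
    """
    profiles = defaultdict(lambda: {"ips": set(), "geos": set()})
    alerts = []
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    for event in events:
        user, ip, geo = event["user"], event["ip"], event["geo"]
        profile = profiles[user]
        reasons = []
        if is_off_hours(event["ts"]):
            reasons.append("off_hours")
        if profile["ips"] and ip not in profile["ips"]:
            reasons.append("new_ip")
        if profile["geos"] and geo not in profile["geos"]:
            reasons.append("new_geo")
        if reasons:
            alerts.append({
                "user": user,
                "ts": event["ts"].isoformat(),
                "ip": ip,
                "geo": geo,
                "action": event["action"],
                "path": event.get("path"),
                "reasons": reasons,
            })
        else:
            profile["ips"].add(ip)
            profile["geos"].add(geo)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOGS):
        print(alert)
```

Run as a script, the block flags only the two jdoe events from the early hours of 03 March: both are off hours, from an IP and a country never seen for that account, and the second one touches a member data export. In a real deployment the profile would be seeded from weeks of history and persisted, the business-hour window would be per user or per role, and the alerts would be routed into a case queue for an analyst rather than printed.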
The use of proactive cyber forensics and anomaly detection to discover malicious activity is, therefore, an essential piece of the cybersecurity puzzle.
Derek Brown is vice president for the Americas for Wynyard Group. He can be reached at 866-969-2555 or [email protected].