Earlier this year, Filene convened a group of cybersecurity experts to talk about protecting a credit union's digital town. “You're being tested every day, whether you realize it or not,” David Luchtel, vice president of IT infrastructure and operations at $2.5 billion WSECU, said. Our findings are published in Cybersecurity: Credit Unions in the Crosshairs. The report discusses threats to credit unions that come from within and without.

Here are three: Employees, vendors and hackers.

Employees

The humans who run the credit union are both the biggest risk and the best protector against cyberattacks. Randy Gainer, a partner at law firm BakerHostetler and a certified information systems security professional, recounted a case where thieves downloaded malware onto a teller's computer, stole the teller's credentials and used them to add accountholders to existing accounts and to create new accounts. They then created sham electronic fund transfers into these accounts and sent in mules who held identification for the new account holders to withdraw the funds.

Another teller noticed that a fraudulent deposit made into a new account, which had supposedly occurred at another branch with the assistance of another teller, was made when the other branch was closed. Although the financial institution in question lost more than $500,000 in uninsured expenses, just imagine the damage if an alert teller hadn't been on the job.

Vendors

As credit unions are called on to offer a broader array of products and services, most have chosen to do so through vendor partners – in ways that often intermingle with core operational functions. In fact, it's not uncommon for credit unions to have six to eight vendors working to provide one service area. Multiply each service area by six to eight and it quickly becomes apparent just how vulnerable the average credit union is.

And data loss doesn't have to be malicious to be harmful. In an anonymized case shared by Jay Isaacson and Theran Colwell of CUNA Mutual Group, a vendor exposed personally identifiable information to another vendor that included names, addresses, loan numbers, loan balances and Social Security numbers. All of the credit union's mortgage holders – roughly 67,000 members – were impacted. This breach involved members in all 50 states.

These are the nameless, faceless bad guys. Isaacson and Colwell recounted another attack involving a complex form of malware that opened up dummy accounts at the credit union and then wired money out of accounts. The malware also allowed the thieves to compromise credit card information and commit plastic card fraud. When the forensic analysis was complete, the credit union discovered that more than 30,000 members had been affected. Total breach related costs: $350,000.

What's next?

Resolving each of the problems detailed above requires layered security, effective enterprise risk management and leadership commitment. But for a snapshot of what examiners are focusing on now, consider this shortlist from BakerHostetler's Randy Gainer:

• Failure to encrypt sensitive data;
• Failure to deploy data loss prevention software;
• Failure to manage vendor security;
• Failure to conduct periodic risk assessments or to correct vulnerabilities discovered in assessments;
• Failure to change default configurations or passwords;
• Absence of appropriate policies;
• Insufficient employee training or awareness; and
• Insufficient dedicated security roles.

These are just some of the checkpoints in your credit union's digital town. Don't leave them unguarded.

For additional guidance and three credit union case studies, download the full Filene report Cybersecurity: Credit Unions in the Crosshairs at filene.org.

Ben Rogers is managing director, research for Filene Research Institute. He can be reached at 608-661-3745 or [email protected].