With headlines constantly announcing new cyberattacks that involve the large-scale theft of sensitive data, the public has gradually become indifferent to data breaches. Americans are becoming primed to believe nothing can be done to prevent hacking and have become apathetic regarding their own personal protection. Meanwhile, cyber criminals have become more sophisticated with their attacking techniques and are able to profit by selling breached data on the Black Market (Dark Web), where personal information ranging from social media credentials to banking login credentials can be sold quickly for hundreds of dollars.

In today's digital world, an individual's personal data is increasingly valuable and vulnerable; yet, a majority of Americans lack knowledge about key cybersecurity concepts that could help protect themselves online. According to a Pew Research Center survey, only 1% of individuals could answer 13 cybersecurity-related questions correctly. The same survey revealed that 17% of adults are not sure how to identify the strongest password from a list of choices and 20% are unsure whether public Wi-Fi is safe for sensitive activities like online banking.

Given that cybersecurity knowledge is so low, it can be difficult for credit unions to ensure that members are adequately protecting their sensitive financial information. The same knowledge gap also makes it challenging for credit unions to find quality hires for cybersecurity and IT teams. Cybersecurity talent is a scarce commodity. In fact, according to the U.S. Bureau of Labor Statistics, there were more than 200,000 security jobs left unfilled in 2016. This shortage is felt most acutely by small regional credit unions, which already have an even smaller pool of candidates to select from in their respective markets.


Additionally, the demands of members are changing – they want more innovative, remote services, such as online and mobile banking, mobile check deposit, online bill pay and other technology-related products. However, these services provide cyber criminals with more avenues to hack a member's account or the credit union's network.

Despite these challenges, there are some steps that credit unions can act on immediately to enhance their level of security, without overstretching their resources or skimping on the services that today's members demand.

To accomplish this, credit unions should first leverage the FFIEC's Cybersecurity Assessment Tool to determine their risk profile and cybersecurity maturity level. The NCUA adopted the FFIEC CAT to ensure all credit unions meet proper cybersecurity standards. The first part of the assessment evaluates a credit union's risk profile based on several factors, including its technologies and connection types, delivery channels and online or mobile products. Characteristics like the number of internet service providers used, third-party connections, wireless access, which products and services are available through online or mobile delivery channels, and the credit union's overall IT environment all impact its inherent risk profile.

Once the risk profile is determined, the credit union can then use the FFIEC CAT to evaluate its overall cybersecurity maturity level and assess its current state of cybersecurity preparedness. By evaluating its risk profile and maturity level, the credit union can determine whether its maturity levels are appropriate according to its risk exposure. Based on this assessment, any security gaps within the network can be identified and remediated.

In addition to the FFIEC CAT, it is advised that credit unions conduct an internal penetration test to verify that applications, networks, systems and even employees are not vulnerable to a security lapse that would enable unauthorized access to sensitive data. An internal penetration test will also be useful in evaluating how credit union employees respond to breach attempts.

According to PwC's "2016 Global State of Information Security" report, employees are the cause of 34% of data breaches. By testing how employees respond to breach attempts, the credit union can develop an employee training program and teach staff best practices for handling sensitive information and safeguarding the network. Staff training is just one facet of a strong security program. Reviewing common techniques used by cyber criminals, including social engineering and phishing scams, can significantly lower the risk and cost of a data breach.

Furthermore, implementing an organized incident response plan can mitigate the risk and impact of a breach. In fact, Ponemon's "Cost of a Data Breach" report revealed that having an incident response team can reduce the average cost of a stolen record from $221 to $195.20. While the savings may not seem substantial, it can make a difference when thousands of records are stolen. Credit unions must operate with the mindset that a data breach is inevitable, so when a breach does occur, the credit union has an incident response plan already in place that the team has practiced and is ready to act on. Ultimately, the faster a credit union can identify and contain a breach, the lower the monetary loss and reputational damage.

A strong cybersecurity strategy also requires real-time intelligence about the latest cybercrime tools and tactics. While traditional attacks, like phishing emails and ransomware, are still used, cyber criminals evolve their tactics to bypass new security measures. One new attack method is called cross-site scripting and works against all operating systems, servers and browsers. Attackers convince a user to open a hyperlink containing malicious data, whether via email, instant message or through a website. The hyperlink directs the user to a trusted website, but the attacker formats the hyperlink so that the malicious data is written as code inside the website where harmless data would typically go. These attacks can be highly damaging because they do not require stealing a user's login credentials. Instead, they take advantage of the user who is already logged in to hack the account. They are also difficult to detect because the user is visiting a trusted website. By sharing intelligence about these emerging attack vectors among other institutions, regulators and infrastructure providers, the frequency, magnitude and consequences of a data breach can be reduced.
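The cross-site scripting mechanism described above, shown as an added example that is not part of the article or of any credit union's code. It models the step where a value carried in a hyperlink is written into a trusted page: one renderer writes the value in raw, so markup in the link becomes code; the hardened renderer encodes it, so the same value is displayed as text. The site name, the `q` parameter, and the function names are assumptions for illustration.

```javascript
// Added example (not from the article): reflected cross-site scripting,
// vulnerable rendering beside the hardened version. Node.js, no dependencies.

// Encode the five characters that carry meaning in an HTML text context.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the value from the link is concatenated straight into the HTML,
// so any tags it contains are interpreted by the browser as part of the page.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same value is encoded before it reaches the HTML, so the
// browser shows the characters literally instead of executing them.
function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Extract the "q" parameter from a hyperlink, as a server would from the
// request URL. The parameter name is an assumption for this example.
function queryFromLink(href) {
  return new URL(href).searchParams.get('q') || '';
}

// Detection helper for review or testing: report whether the rendered HTML
// contains any tag that was not part of the page template.
function containsInjectedTag(html) {
  const templateTags = ['<h1>', '</h1>'];
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((tag) => !templateTags.includes(tag));
}

// Constructed sample link (hypothetical site): the attacker-controlled value
// in the query string is a script tag, URL-encoded as it would travel in a link.
const CONSTRUCTED_LINK =
  'https://trusted-bank.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

const query = queryFromLink(CONSTRUCTED_LINK);
console.log('vulnerable:', renderSearchPageVulnerable(query));
console.log('injected tag present:', containsInjectedTag(renderSearchPageVulnerable(query)));
console.log('hardened:  ', renderSearchPageSafe(query));
console.log('injected tag present:', containsInjectedTag(renderSearchPageSafe(query)));
```

The decisive difference is in `renderSearchPageSafe`: output encoding at the point where untrusted data meets HTML is the control that keeps the link's contents as data. Because the victim's browser sends the trusted site's cookies with the request, the injected code in the vulnerable version runs with the logged-in user's session, which is why the article notes that no credentials need to be stolen. Templating engines that encode by default (and a Content Security Policy as a second layer) are the production forms of this same check.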

While it may seem as though credit unions have the odds stacked against them when combatting cybercrime, the FFIEC CAT provides a solid foundation for credit unions to build a strong cybersecurity program. By leveraging the assessment, credit unions can determine their risks and vulnerabilities, unique to their organization and service offerings. From there, initiatives such as employee education and proper cybersecurity protocols can be established and reviewed regularly to maintain a high level of security. This proactive approach to cybersecurity will allow credit unions to focus on providing innovative services that their members want without taking on undue risk.

Bob Thibodeaux is CISO for DefenseStorm. He can be reached at [email protected].
