How Credit Unions Can Improve Incident Response

Financial institutions have become increasingly focused on cybersecurity in recent years. And according to Brinknews, hackers favor targeting smaller financial institutions as they possess less robust data security systems and personnel than larger banks.

Regardless of the institution's size, most staff members understand that it is critical to protect customer and member data and are aware of the issues that could arise if a breach occurs. However, at small banks and credit unions, many employees have not received sufficient training to detect, prevent or respond to an incident.

The Current State of Incident Response

Despite the urgent need for all organizations to have an effective, efficient and complete incident response plan, the plan is seldom completed. Some statistics from a recent survey, "The State of Incident Response," reveal a troubling picture.

Approximately 54% of the survey participants stated that automating incident response would be immediately beneficial, but fewer than 11% had already embraced automation for incident response.

More than half of the respondents reported that their incident response plans are updated no more frequently than annually.

More than 30% stated that their IR actions were not documented.

Almost 18% reported having no personnel dedicated to incident response. More than 45% had no more than five staff members devoted to incident response.

Almost 41% reported that there was no formal system in place to measure incident response.

Approximately 33% of the respondents stated that there was no training program offered by their organizations for IR processes.

Why Smaller Financial Institutions Are Challenged

A typical Demisto playbook that helps orchestrate both automated and analyst-driven tasks. Demisto playbooks are open-sourced and can be easily shared and modified through a drag and drop interface.

Credit unions and other small financial institutions face a variety of challenges when it comes to incident response. Staffing limits can impact the number of employees who are dedicated to attack response and prevention. Even without budget restraints, finding qualified candidates can be a challenge; retaining top cybersecurity professionals can be even more difficult. As a result, the response team may be composed of individuals who lack the experience and training to respond effectively.Despite these challenges, financial institutions must ensure that they comply with the applicable federal and state regulations. Unfortunately, regulatory compliance is not necessarily a guarantee of adequacy. Regulations change frequently, but there is typically a grace period before they go into effect. During this period, an institution may be in full compliance, but it could still be woefully unprepared to respond to a cybersecurity incident.

How Credit Unions and Small FIs Can Improve Incident Response Efforts

Demisto's Related Incidents feature, which provides users with a streamlined, customizable view of how incidents are related over time.

Incidents can take many forms, including worms and viruses, DOS attacks, unauthorized access, natural disasters and employee behavior that violates policies. Different incidents can have different levels of severity. The most severe attacks can disrupt critical communications or business continuity, result in data theft, or have a long-term effect on the institution's reputation. Low-level attacks, including viruses that are detected and quarantined on a single computer, have little or no effect on normal operations. Regardless of the type and severity of an attack, credit unions and other financial institutions must have a workable plan to respond to incidents. The longer it takes to resolve an incident, the greater the damage may be.

The first step is to form an incident response team. Typically, the team consists of an information security expert or IT staff member who has received adequate cybersecurity training. The team may also include someone from the help desk, a telecommunications professional, an individual with public relations experience, a representative from the legal department, a member of the human resources department, someone with physical security responsibilities and a member of senior management.

Preparation is critical. Assemble current server and network documentation, ensure that there are always quality backups available, and establish baseline data for the network and system.

Create automated playbooks or checklists for employees to follow. This helps ensure that important steps are not overlooked during the response efforts.

Create a written incident response plan. Details that should be covered include contact information for key personnel, the levels of authority for each team member and the individual who will lead the response efforts.

Practice, train, evaluate and repeat. Frequent drills help employees learn what they need to do, but drills can also reveal gaps in the plan or procedures that need to be modified. Establish a goal for each drill as well as the metrics that will be measured. Conduct a postmortem after each drill to determine what worked well and what was a dismal failure. If necessary, modify the plan to incorporate the lessons learned.

Educate all employees on ways they can detect potentially suspicious incidents and how to report these incidents. Incidents that warrant reporting include website defacement, harassing or threatening emails, unexpected changes to user rights, emails containing unknown links and removable storage devices that "just appear" on their desks from an unknown source. Employees who have confidential information stored on their laptops must make sure that all data is encrypted.

Automate every aspect of incident response that can be automated. By allowing machines to filter out duplicates and false positives, for example, staff members will have more time to concentrate on serious incidents. In addition, automating response tasks via playbooks can provide consistency and accuracy in response.

Incidents will continue increasing in the coming years, and credit unions and financial institutions must continue finding effective ways to respond to them. Organization size is not an automatic limit on the effectiveness of incident response. By embracing automation and sound procedures, it is possible for credit unions and small financial institutions to respond to incidents quickly and effectively.