Cybersecurity, extremely competitive among vendors, and in great demand as a career, requires credit unions to sort through numerous offerings in order to protect themselves from pervasive and real threats.
At first glance, there might seem to be a glut of cybersecurity solutions. The truth is there are just too many risks facing financial services organizations for many to deal with on their own. Cybersecurity experts provided some insight.
A Zion market research report places the cybersecurity market value at $181.77 billion by 2021. Two major forces drive its growth: increasing targeted enterprise attacks and a shortage of cybersecurity specialists.
Cybersecurity affects every financial institution across a range of domains, including threat detection, governance, risk and compliance, Member Driven Technologies COO Scott Johnston explained. "The critical need to protect data, which is evident given the fact that the cybersecurity market is a multibillion-dollar industry, has resulted in the proliferation of products and services."
To help financial institutions sort through protections, the FFIEC's Cybersecurity Assessment Tool users' guide encourages cyber risk programs to build upon and align existing information security, business continuity and disaster recovery programs.
Because FIs use a collection of technologies including core and payment systems, automated teller machines, internet and mobile applications, and cloud computing, the FFIEC's CAT documentation cautioned, "Each type of technology introduces complexity and potential vulnerabilities."
DefenseStorm CISO Bob Thibodeaux recommended credit unions use the CAT to help determine effectual risk treatment methodologies assessing their inherent risk, relevant threats, vulnerabilities and exposures.
Another issue is that many organizations do not have the trained staff to shore up weaknesses on their own. Cybersecurity professionals in a recent ESG and ISSA survey revealed the top contributing factors of security incidents are insufficient training of non-technical employees and a lack of adequate cybersecurity staff.
Eldon Sprickerhoff, founder and chief security strategist at eSentire, said, "If you have talent in cybersecurity it is pretty easy to get a job." For credit unions, this might impact their fortification. "It's going to be a challenge to keep those people."
So why the overabundance of solutions? Sprickerhoff attributes the market's growth to risk concerns from many organizations, especially finservs, which need many processes to challenge cybercriminals continually probing for weaknesses.
"Unfortunately, there is no single solution available that would protect us from all the security risks that are out there," Mike Morris, systems partner for Porter Keadle Moore, said.
Constantly evolving cybercriminals make it even more difficult. Matt Riley, a group president at Jack Henry & Associates, added, "As attackers change their tactics, techniques and procedures, so must the security community, which leads to the evolution of existing products or new products altogether."
"Many vendors offer services to the financial industry primarily because there is need, budget and willingness to spend on solutions," A.N. Ananth, CEO of EventTracker, a SIEM company, said. "The industry is subject to a larger threat profile; it's where the money is, after all. The market is efficient in weeding out low value offerings and thus a 'glut,' to the extent it exists, is corrected quite quickly."
John Horn, director, cybersecurity services, digital banking at Fiserv, pointed out: "There is an unprecedented amount of venture capital flowing into this area, and established security companies are taking existing products and reorienting them to focus on new markets."
The profusion of solutions can make it more expensive for credit unions who need to hire security experts or consultants to help wade through the mess, DefenseStorm CTO Sean Cassidy claimed. "Or you make a mistake and buy an expensive product you don't need or can't afford."
Stephen Boyer, co-founder and CTO of BitSight, maintained, "Financial services organizations also need to rapidly identify and adopt products that help them understand and mitigate cyber risk internally and across their extended business ecosystem."
Having multiple vendors in a space leads to competitive pricing and ensures they are getting the best security and value deal possible, Tom DeSot, CIO of Digital Defense, Inc., held.
Paul Love, chief information security officer for CO-OP Financial Services, advised most of these solutions focus on a single risk or threat. This creates challenges for security teams.
Singular, disparate tools designed to protect against a new threat or trendy issue pull security teams away from their overarching security strategy.
Many dissimilar tools marketed today are difficult to integrate. "There are plenty of tools out there, but credit unions may not have the people to support them," Love said.
Where are credit unions most vulnerable? "Chasing the solution of the day, or a 'Whac-A-Mole' strategy, leaves the organization at significant risk against a blended or zero-day threat," Gene Fredriksen, chief information security strategist for PSCU, explained.
"Employees are still the weakest link in the chain. The most common attack vector is still phishing," Riley maintained. He added that systems or processes that are not managed appropriately, such as lax patching and a failure to restrict user accounts, also introduce significant organizational risk.
Cassidy concurred, "The way [spear phishing] works is one of your employees receives an email with a Word or Excel document attached from a potential customer. They open the document, which has a macro inside with malicious code."
DeSot explained most website and system attacks require very skilled attackers searching for vulnerabilities such as SQL injection and buffer overflows. "Attacking the human element does not require the attacker to have the same knowledge set."
Often it is the "front door" controls – the systems supporting user registration and authentication – that need the most improvement, Horn pointed out. "Attacks designed to crack or circumvent user authentication measures have reached unprecedented levels of complexity, and there has been a significant uptick in success in conducting account-takeover attacks." He added credit unions exhibit vulnerability in areas requiring manual intervention from internal teams, such as password resets, or control mechanisms relying on users' personally identifiable information.
Then there is the threat from the credit union's supply ecosystem, Boyer acknowledged. A recent BitSight study found a large security gap exists between finservs and the technology, business services and legal vendors they do business with.
Johnston voiced similar concerns, stating, "Credit unions have broad partnerships with core solutions, online and mobile banking vendors, and a plethora of other service providers." He recommended a robust vendor due diligence program and scrutinizing audit documentation to minimize these risks.
Credit unions must also comprehend the threat to public-facing payment mechanisms such as online banking, wire transfers, and peer-to-peer and ACH payments, Morris explained, because money leaving the organization many times relies on insufficient end-user security controls.
Keeping systems, networks and appliances up to date is a necessary discipline to maintain a strong security posture, Thibodeaux emphasized. "Attackers are taking advantage of poorly designed/implemented network security."
Avoiding buyer's remorse requires a strategic approach. Morris recommended credit unions start with what they have and assess how they can better secure the environment. "Then look for the gaps or areas where additional layers of control may be needed," he said.
Boyer outlined how a proper assessment should start with the highest-risk areas; next steps include setting targets, and measuring and reporting progress. "You can't manage what you can't measure."