Protecting Your Credit Union From Cybercrime

Financial institutions of all sizes can sharply reduce their exposure by taking the right proactive measures.

Credit unions are often prime targets for cyber criminals.

Community banks and credit unions have special appeal for cyber attackers. They maintain large amounts of financial and personal data, but are perceived to lack the same well-fortified defenses that big banks utilize. In 2017, almost two-thirds of cyber breaches targeted small businesses, up from 53% in 2016, according to the Verizon Data Breach Investigations Report.

One reason for the spike is that cyber attackers have become more organized and sophisticated, leveraging dark web chat forums and government-grade software tools. Even credit unions with strong security protocols can be tripped up through spear phishing and social engineering attacks that target an individual employee’s credentials. The good news is that financial institutions of all sizes can sharply reduce their exposure by taking these proactive measures.

1. Combine multiple layers of monitoring and response protection. Single solutions like a strong firewall or antivirus measures can’t protect against every cyber threat. Comprehensive around-the-clock protection requires advanced endpoint detection, ransomware and malware blocking, network defense, threat intelligence and an orchestrated real-time response. While it would be costly for the typical credit union to acquire the technology and specialized talent to maintain this level of coverage, managed service options exist today that offer equivalent or better support for less than the cost of hiring one experienced full-time cybersecurity professional.

2. Establish the right process controls. It’s important for credit unions to develop a written cyber protection policy with clear protocols for employee devices, passwords, social media, payment authorization and other process controls. Examples include mandating that any transaction over an agreed-upon amount receive at least two written approvals, instructing employees not to accept email orders without first validating the orders with a phone call to the requesting firm or office, and requiring the use of VPNs to access financial institution networks from home Wi-Fi routers. Requiring strong password protections is also crucial.

3. Implement data backups. Backups are one of those dull essentials that too many organizations neglect. But the damage that can occur when records are destroyed or altered as the result of a ransomware attack or other breach can be catastrophic. Such events can result in the permanent loss of important personal and business data. With ransomware attacks on businesses occurring at rates as high as one every 40 seconds, credit unions can mitigate the risk of data loss by backing up regularly and verifying the integrity of their backups to ensure all necessary information is captured.

4. Get an annual cyber check-up. While it is certainly important to conduct regular cyber risk assessments in partnership with the head of IT, the chief information security officer and other members of management, it is also important to get an outside perspective to validate internal protocols and objectively assess your credit union’s preparedness. Bringing in outside advisors to conduct a cyber risk assessment across your portfolio will provide your board with the information it needs to understand those risk factors, make truly informed investment decisions and encourage sound practices across the enterprise.

5. Consider cyber insurance. Cyber insurance can offer additional protection against cyberattacks. Credit unions should ensure that their policy is priced appropriately for their risks, and be careful to consider the coverage, since some policies are written to cover financial losses while many others are narrowly written to cover just the aftermath of the immediate attack.

6. Protect your delivery chain. Credit unions not only need to keep their own house in order, they need to look out for the needs and vulnerabilities of their channel partners and suppliers. Firms should ask for quarterly cyber hygiene reports and require that at least one board meeting a year include a discussion of cyber health. Insist that each entity conduct an annual cyber health review and encourage them to engage a managed security service provider to improve their cybersecurity defenses. These measures help establish and sustain better cyber discipline.

Finally, don’t let cost be a barrier. The onset of a breach is the very worst time for a business to be scrambling for help. Lining up the right relationships now will ensure there is someone to call and a plan in place when an event does happen. To protect their reputations and assets, credit unions need to manage their cybersecurity as thoughtfully as they’re managing their business interests.

Milan Patel

Milan Patel is Chief Client Officer for BlueVoyant. He can be reached at 646-889-2511 or milan.patel@bluevoyant.com.

Nayan Patel

Nayan Patel is Vice President, Strategic Alliances, Open Solutions Division for Fiserv. He can be reached at 856-874-4883 or nayan.patel@fiserv.com.