A False Sense of Cybersecurity Is a Problem: What Do We Do Now?

When CU Times published an article in October titled, “Study: People Have a False Sense of Cybersecurity,” it was rapidly circulated throughout our offices at Tyfone, Inc. As a digital banking vendor that began our business life as a security company, we have often championed the idea that sub-par digital banking services, among other things, usually originate from a fundamental misunderstanding of the function and limitations of security within fintech. It’s completely correct to say that people (both individual credit union members and the credit unions themselves) have a false sense of cybersecurity.

I hope the eye-opening statistics provided in that article will be a clarion call to credit unions and individuals to take cybersecurity seriously. It’s equally important that we consider possible solutions. Security is a problem that can often seem so daunting and complex that our impulse is to shove it to the backburner rather than educate ourselves. So, I would like to suggest instead that we take a moment to discuss a few key elements when considering cybersecurity risk:

1. You can’t properly evaluate something if you can’t measure it. When having a conversation about cybersecurity risk, it’s important to critically evaluate how cybersecurity is being measured. The most important factor to keep in mind is an objective measurement value. Yes, it’s very important to be vigilant about cybersecurity, but many of the statistics in cybersecurity checklists can be distorted or flawed because a subjective point of evaluation has been used. Try to ensure that the checklist you are using to measure your cybersecurity is thoroughly objective, and that the metrics you are using consider all aspects of cybersecurity: Protection, or how you choose to avoid cybersecurity threats; detection, or how thorough and accurate you are at finding cybersecurity threats; and reaction, or how you choose to deal with cybersecurity threats once they happen.

2. Money spent on cybersecurity is often misplaced. One of the most critical errors I see financial institutions making is focusing all of their resources and energy into cybersecurity factors that increase their peace of mind or sense of comfort, but don’t actually do anything to add value to their security. According to a recent article by Regarding ID Magazine, only an estimated 4% of money spent in cybersecurity actually goes directly into viable solutions that contribute to security. The rest is often vaporware that sounds more secure, but isn’t, such as in the case of a multiple password login system that looks like a complex security feature, but doesn’t actually function as true multi-factor authentication.

3. Emphasize metrology and best practices. Once you’ve realized that metrics are at the foundation of any good cybersecurity practice, you’ll be open to focusing on sources that are more heavily vetted and thoroughly researched, rather than just focusing on cybersecurity solutions marketed to credit unions. For example, one of my favorite resources is the Electric Power and Resource Institute’s Cyber Security Metrics. These guidelines are obviously made with the electric sector in mind, but the vast majority of them would be useful and useable for a credit union. Seek out a wide variety of open source tools that are available and use them to suit your unique cybersecurity needs.

Finally, I would recommend that all credit unions look to have themselves and their vendors added to the list for National Cybersecurity Assessments and Technical Services Cyber Hygiene and Vulnerability Scanning tests. Such standardized scans will help you get a better sense of cybersecurity threats and base your knowledge of them on real data instead of distorted anxiety.

If you have questions, feel free to email cybersecurity@tyfone.com.

Siva G. Narendra

CEO and Co-founder

Tyfone, Inc.

Portland, Ore.