Cybersecurity Costs Extend Beyond a Price Tag
Credit unions pay a hefty price, directly and indirectly, when a data breach affects their environment.
Credit unions and other organizations pay a hefty price, directly and indirectly, when a data breach affects their environment. The costs range from repairing damage to resurrecting tarnished reputations.
The “2018 Cost of a Data Breach” report, sponsored by IBM Security and conducted by the Ponemon Institute, put the global average data breach expense at $3.86 million per breach. The average tab for each lost or stolen record containing sensitive and confidential information runs $148 per record. Costs vary and include hidden costs such as lost business, adverse effects on reputation and time spent by employees on recovery.
The criminal enterprises causing these events are organized and fully armed, Gene Fredriksen, chief information security strategist for the St. Petersburg, Fla.-based CUSO PSCU, said. He indicated the big threat still emanates from phishing, and attack methods continuously improve.
Fredriksen explained that in the past, bad actors generated their own attacks, and some were more sophisticated than others. “Now it’s just simply hiring a service bureau to make those attacks,” he said. He noted cybercriminals don’t need a PhD anymore – they just need a credit card.
Fredriksen maintained there’s certainly a direct expense for breached organizations. “Credit unions are very good about tracking the direct costs related to fraud – what it costs them to make the member right.”
Costs related to member attrition get a little fuzzy, he added. “There isn’t always a lot of definition around why people leave and the costs associated with moving those accounts.”
Fredriksen offered a list of costs related to an attack, many of which are not obvious:
- Costs of making organizational changes to fix process issues contributing to the attack;
- Deploying additional personnel and protection technologies;
- Additional training for employees, including how to respond to member questions and issues;
- Use of third-party experts and consultants to ensure complete remediation;
- Lost revenues resulting from fraud or unauthorized information use;
- Remediation costs to recover data or expenses related to liability for stolen assets or information;
- Repairs of system damages stemming from an attack;
- Goodwill incentives to members to maintain post-incident relationships;
- Upgraded/increased cybersecurity technology costs to make organizations more attack-resistant;
- Failure to retain or sign up members post-breach;
- Legal costs, including those originating from regulatory actions by state and federal regulators;
- Increased cyberinsurance premiums; and
- Reputational damages, which can adversely affect member confidence.
The Minneapolis, Minn.-based Entrust Datacard’s chief information security officer, Mark Ruchie, pointed out that post-breach, consumers often scramble to cancel payment cards and regain control of their information and finances. Many issuers, usually optimized to handle approximately 20,000 cards per day, face a jump to 40,000 to 50,000 per day after a breach.
Ruchie held that criminals using social engineering have made data incidents more personal, infiltrating every aspect of people’s lives. “People can get to know you more easily, but it also increases [a financial institution’s] own attack surface massively.”
Phishing remains a go-to con because it pays off whenever people reuse the same simple passwords to access everything from IoT devices to social networking sites and credit union accounts. “That might tangentially give [phishers] enough social engineering capability to steal your money or parts of your identity,” Ruchie said. “The bad actors not only have that commoditized, they have people who specialize in malware, and they sell malware for pennies.”
Nayan Patel, vice president, strategic alliances at the Brookfield, Wis.-based Fiserv, described two different credit union ecosystems: one involving members and everything going on in their lives and digital presences, and the other incorporating technology and fintech partners. “The credit union has an enormous responsibility to protect their most critical data and assets, which is the member data.”
Patel said the threat trends he sees targeting credit unions and members are shaped by the criminal groups initiating the attacks. “These are actual organizations that are working off of profit and loss.”
These groups are consolidating, becoming more effective and focusing on increasing their return on investment. Patel noted some 90% of all compromises take place through email because it is the most cost-effective channel for cybercriminals. “It doesn’t cost them anything to send an email,” he said, adding, “Being able to understand what assets you have, the criticality of those assets and where your most important data lies – and then understanding the vulnerabilities around those and what your plan is to remediate those vulnerabilities as quickly as possible – really lessens your threat attack surface from bad actors.”
The concept known as SOAR (security orchestration, automation and response) could catch on with credit unions going forward, Patel said. SOAR platforms enable organizations to collect security-related data from different sources and then apply machine learning and automation to quickly detect, identify and remediate malicious attacks.
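The SOAR workflow described above (pull alerts from several tools, correlate them, and trigger an automated response) in miniature, as an added illustration for this article; it is not Fiserv’s platform or code from any vendor quoted here. The three log formats, the field names, the severity weights, the 30-minute window and the response actions are all assumptions, and the alert lines are constructed, not real logs.

```python
"""Toy SOAR-style correlation and automated-response playbook (illustration only)."""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Constructed sample alerts from three assumed sources (not real data) ---
EMAIL_GATEWAY_JSONL = """\
{"ts": "2018-11-05T09:02:00", "recipient": "jdoe", "sender": "billing@invoice-example.test", "verdict": "phish_suspected", "msg_id": "m-101"}
{"ts": "2018-11-05T09:05:00", "recipient": "asmith", "sender": "hr@example.test", "verdict": "clean", "msg_id": "m-102"}
"""
ENDPOINT_CSV = """\
ts,host,user,alert
2018-11-05T09:10:00,WS-0042,jdoe,office_macro_spawned_powershell
2018-11-05T13:40:00,WS-0077,asmith,removable_media_inserted
"""
IDP_KV = """\
ts=2018-11-05T09:14:00 user=jdoe event=login ip=203.0.113.9 geo=unusual result=success
ts=2018-11-05T09:30:00 user=bjones event=login ip=198.51.100.4 geo=usual result=success
"""

# Assumed severity weights; a real platform would tune these per environment.
WEIGHTS = {
    "phish_suspected": 3,
    "office_macro_spawned_powershell": 4,
    "removable_media_inserted": 1,
    "login_unusual_geo": 3,
}
WINDOW = timedelta(minutes=30)  # one user's events inside this span are correlated
THRESHOLD = 6                   # combined weight needed before the playbook fires
MIN_SOURCES = 2                 # evidence must come from at least two different tools


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    source: str
    kind: str
    weight: int
    detail: dict


def parse_email_gateway(text: str) -> list[Event]:
    """Normalize JSON-lines gateway verdicts; clean mail produces no event."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec["verdict"] == "clean":
            continue
        events.append(Event(datetime.fromisoformat(rec["ts"]), rec["recipient"], "email",
                            rec["verdict"], WEIGHTS[rec["verdict"]],
                            {"msg_id": rec["msg_id"], "sender": rec["sender"]}))
    return events


def parse_endpoint(text: str) -> list[Event]:
    """Normalize CSV endpoint alerts; unknown alert types get a low default weight."""
    return [Event(datetime.fromisoformat(r["ts"]), r["user"], "endpoint", r["alert"],
                  WEIGHTS.get(r["alert"], 1), {"host": r["host"]})
            for r in csv.DictReader(io.StringIO(text))]


def parse_idp(text: str) -> list[Event]:
    """Normalize key=value identity-provider logins; only unusual-geo logins count."""
    events = []
    for line in text.splitlines():
        rec = dict(tok.split("=", 1) for tok in line.split())
        if rec["event"] == "login" and rec["geo"] == "unusual":
            events.append(Event(datetime.fromisoformat(rec["ts"]), rec["user"], "idp",
                                "login_unusual_geo", WEIGHTS["login_unusual_geo"],
                                {"ip": rec["ip"]}))
    return events


def plan_actions(cluster: list[Event]) -> list[str]:
    """Map correlated evidence to the containment steps an orchestration playbook would run."""
    actions = []
    for ev in cluster:
        if ev.source == "email":
            actions.append(f"quarantine_message:{ev.detail['msg_id']}")
            actions.append(f"block_sender:{ev.detail['sender']}")
        elif ev.source == "endpoint":
            actions.append(f"isolate_host:{ev.detail['host']}")
        elif ev.source == "idp":
            actions.append(f"revoke_sessions_and_reset_password:{ev.user}")
    actions.append("open_ticket_for_analyst_review")
    return list(dict.fromkeys(actions))  # de-duplicate while keeping order


def correlate(events: list[Event]) -> list[dict]:
    """Group each user's events into time windows and flag windows that cross the bar."""
    by_user: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    incidents = []
    for user, evs in by_user.items():
        cluster: list[Event] = []
        for ev in evs + [None]:  # trailing None flushes the last cluster
            if ev is not None and (not cluster or ev.ts - cluster[0].ts <= WINDOW):
                cluster.append(ev)
                continue
            score = sum(e.weight for e in cluster)
            sources = {e.source for e in cluster}
            if score >= THRESHOLD and len(sources) >= MIN_SOURCES:
                incidents.append({"user": user, "score": score,
                                  "sources": sorted(sources), "actions": plan_actions(cluster)})
            cluster = [ev] if ev is not None else []
    return incidents


def run_playbook() -> list[dict]:
    """Ingest all three constructed feeds and return the incidents with their responses."""
    events = parse_email_gateway(EMAIL_GATEWAY_JSONL) + parse_endpoint(ENDPOINT_CSV) + parse_idp(IDP_KV)
    return correlate(events)


if __name__ == "__main__":
    for incident in run_playbook():
        print(json.dumps(incident, indent=2))
```

Run as-is, the only user whose evidence spans at least two tools and reaches the threshold is jdoe (suspected phish, a macro spawning PowerShell on the same user’s workstation, then an unusual-geo login within twelve minutes), so the playbook quarantines the message, blocks the sender, isolates the host, revokes the sessions and opens a ticket; asmith’s single low-weight endpoint alert never triggers a response. Requiring more than one source is the design choice that keeps automation from acting on a single noisy detector.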
However, Patel emphasized that to implement an effective vulnerability management program, a credit union needs to identify and remediate threats, and that is outside of any SOAR solution. “It’s about having an incident response plan, and the capability to test and execute a plan routinely. All of these things have substantial cost to the organization, but they are absolutely required.”
Fiserv’s proprietary security orchestration platform builds automation around response. Patel explained that a security operations center staffed by highly credentialed cybersecurity analysts backs up the platform. Fiserv also offers Cyber Protect through BlueVoyant, an analytics-driven cybersecurity company.
“If we detect any malicious behavior or activity or data exfiltration, we will take automated response through our SOAR platform and mitigate issues as quickly as possible,” he said, also noting he anticipates over 100 credit unions using SOAR within the next several months.
The Chicago, Ill.-based AVANT’s Drew Lydecker, president and co-founder, and Ron Hayman, chief cloud officer and COO, also spoke about the biggest cyberthreats they see (phishing, spear phishing and malware) and the financial data risks they present.
“State-sponsored attacks are picking on the weak, generally the firms that have a shortage in IT talent, lack the resources and are doing what we call the ‘10-year playbook,’” Lydecker said.
The 10-year playbook refers to protecting an organization the same way for a decade by throwing outdated technology at security concerns even though cybercriminals continuously upgrade their proficiencies.
Lydecker noted that 15 years ago, a credit union would go to a value-added reseller for a firewall or another security measure. “Well, the game is changing. Companies like AVANT, we’re powering the trusted advisor movement. We’re the distribution arm for that,” he said. AVANT works with advisors to improve processes from network security to ID management.
Hayman placed the cost per record for lost credit cards at $5.40 and financial records at $4.12. “Multiply that by the number of customers or records, and you can see a real material cost in addition to the loss that goes against the company brand, as well as the remediation costs and trying to make your customer whole.”
Hayman observed that for credit unions and some of the smaller banks, there isn’t enough security talent to meet the current demand, noting there are some three million open positions in cybersecurity going unfilled each year. “The amount of work the different disciplines require for security makes it almost impossible to solve that problem alone.”
As a result, organizations seek outside help, Hayman said. “We’re seeing a significant uptick in the sales of managed security services. [That involves] someone taking over the equipment that’s been purchased and making sure it’s up to date, and in a lot of cases, monitoring it 24/7.”
Lydecker explained how one of AVANT’s trusted advisors just helped one of the U.S.’s largest community banks, which was running an outdated playbook. “They were throwing hardware at what they thought were some of the problems.” AVANT completed some threat hunting with one of its providers, the MSSP Trustwave, which has the ability to assess an organization’s security platform and equipment, and manage and monitor it.
Hayman recommended credit unions work with providers that understand the industry in three key areas: managed threat detection, endpoint protection and incident response.
Credit unions can no longer assume they are too small for cyberattacks. “Once you’re hooked to the internet, we all face the same threat,” Ruchie explained. “The same cybercriminals are going after the big banks and credit unions.”
Patel said because larger organizations are protecting themselves better, it costs cybercriminals more. “So now they’re going after mid- and small-market organizations, which is a large part of our client base in the credit union world.”