Fostering a Culture of Cybersecurity Helps Credit Unions Defend Against Attacks
A cyber-aware culture makes all employees accountable for cyber safety and soundness.
Modern cybersecurity realities present a daunting challenge for credit unions. Increased member demand for online convenience, the expansion and variety of software applications and hardware types to protect, the increasing sophistication of cyber “bad actors” and a shortage of cybersecurity talent all contribute to this sobering fact: It’s no longer acceptable to operate as though cybersecurity is the domain only of IT professionals. Instead, credit union leaders must bolster their IT-related initiatives with more comprehensive programs that foster a cyber-aware culture and make all employees accountable for cyber safety and soundness.
Committing Everyone to Cyber Safety and Soundness
Making cybersecurity a team commitment rather than an IT-only issue recognizes the roles best practices and compliance play in keeping data safe. It also acknowledges the very real challenge of securing cyber-certified talent. Experts predicted that by 2019, there would be two million fewer certified cybersecurity professionals than positions that require them. Some see that number rising to 3.5 million unfilled cybersecurity positions by 2021.
While some credit unions might respond to this challenge by choosing to fully outsource cybersecurity to a managed security services provider, industry analyst Anton Chuvakin of Gartner has noted a number of challenges to consider, especially for specialized and regulated organizations such as credit unions. These include a “one-size-fits-all” approach, lack of deep insight into unique IT and business environments, and lack of follow-through to handle incident containment and response as opposed to just monitoring and alerting.
A better approach is to enlist everyone across the credit union to play a role in cyber safety, both ahead of breaches and in their aftermath. Each year The Ponemon Institute publishes a definitive report on data breaches. It now predicts the odds of an organization having a material breach (one in which 10,000 or more records are exposed) in the next two years have risen to one in four. Perhaps as a nod to the increasing likelihood of experiencing a data breach, 2018 marked the first year the cost-lowering impact of security automation and other processes for quickly detecting, neutralizing and recovering from breaches once they occur has been included in Ponemon’s “Cost of a Data Breach” study.
Organizations with cybersecurity automation platforms in place slashed the cost of identifying and containing cyber exploits by 35%. Other cost reducers speak to the importance of elements beyond technology, including training and testing employees on cyber defense, involving your board of directors in cyber preparedness and having an incident response team in place. These findings point to the wisdom of taking an approach to cybersecurity that extends beyond the IT department.
Cybersecurity for the Next Generation
A study conducted by Cornerstone Advisors and sponsored by DefenseStorm shows that concerns about cybersecurity have risen to equal importance with more traditional concerns of the interest rate environment and the cost of funds among credit union and bank senior executives. Yet many have not set in place definitive goals and objectives for cybersecurity within their organizations.
There’s no doubt that next-generation cybersecurity goals should include complying with best practices in the NCUA’s Automated Cybersecurity Examination Tool. However, doing so is complex. Five categories of actions, called Domains, each detail multiple Assessment Factors. Each Assessment Factor has multiple Components, each of which lists a variety of Declarative Statements to guide a credit union’s cybersecurity actions. Declarative statements change based on which of the five Maturity Levels a credit union aims to achieve. That’s a lot to track, measure and prove.
Credit unions can map cybersecurity data to the ACET manually, fold cybersecurity compliance-related tasks and workflows into a governance, risk and compliance system, or use a system built for banking that manages cybersecurity data, compliance-related tasks and reporting together. Even so, Cornerstone’s study shows that credit union executives understand they need more than technology.
Our next generation of credit union leaders tend to agree with analyst firm Gartner’s assessment that, “Securing information has become less about having firewalls and policies, and more about complex interactions among people, machines and processes.” To that end, the Cornerstone study shows that credit union executives include among their cybersecurity priorities, first, the ability to ensure policies, procedures, people and products consistently deliver expected levels of protection, and second, clearly communicating and demonstrating the organization’s cyber risk profile to the board of directors and other non-technical decision-makers.
While having 100% protection against cyber breaches might seem to be a worthy goal, experts agree the cost would be prohibitive and human error would remain a risk factor. Verizon’s “2018 Data Breach Investigations Report” noted the continued success of phishing, the use of booby-trapped emails to launch an attack. While you can train employees to identify and avoid phishing, 100% of them have to avoid 100% of the attacks, whereas a bad actor has to find only one vulnerability to get inside.
A more reasonable expectation is to help board members and other stakeholders understand the delicate balance between investment and exposure that cybersecurity demands. Being able to assess the credit union’s current cybersecurity risk profile and the rationale behind it, as well as what will happen when a breach occurs, is essential. While documents such as an information security policy, a business continuity plan and an incident response plan get everyone in the credit union on the same page with respect to their roles in cybersecurity, Cornerstone’s report noted only 48% of financial institutions have these documents in writing. That is a metric likely to change as NCUA examiners begin more widespread application of the ACET. Once plans are documented, then stress test simulations, penetration testing and social engineering testing, including simulated phishing attacks, will help solidify both cybersecurity awareness and compliance.
Cyber-Aware Supports Cyber-Safe
Maximizing the effectiveness of security policies, procedures and technology is predicated on employees’ understanding the importance of cybersecurity and their roles in it. Creating a cyber-aware culture starts with understanding how your cyber policies and controls align with regulatory expectations, and creating an efficient way to manage actions and evidentiary data together.
As more credit union leaders broaden their expectations for cybersecurity effectiveness beyond the IT department, they will improve their ability to protect cyber safety and soundness on behalf of their members.
Sean Feeney is CEO of DefenseStorm. He can be reached at feeney@defensestorm.com.