5 Cybersecurity Trends Every Credit Union Needs to Know
Here's what CUs should be thinking about when balancing members’ expectations against prudent risk management.
It’s not your imagination. The world of financial services is moving faster than ever before. The challenge facing today’s credit unions is how to satisfy members’ need for speed while simultaneously guarding against fraud and cyberattacks. As fraud and cyberattacks become increasingly prevalent and costly for consumers and businesses, there are five trends credit unions should be thinking about when balancing members’ expectations against prudent risk management.
1. Increasing Sophistication of Cybercriminals
Each year cybersecurity threats multiply as attackers adopt new schemes and targets. As credit unions develop more sophisticated cybersecurity toolkits, criminals are doing the same.
Attackers are better organized, better financed and better equipped, using automated technology, machine learning and pre-built toolkits that make it easier to launch sophisticated attacks and penetrate financial institutions’ systems. Credit unions are particularly at risk because attackers may assume they are not as well protected as larger banks, and therefore easier targets. In 2017, almost two-thirds of cyber breaches targeted small businesses, up from 53% in 2016, according to the Verizon Data Breach Investigations Report.
Attackers can exploit gaps between systems to coordinate events that may not seem like threats until they are viewed and interpreted holistically. As a result, single, standalone security components, such as a strong firewall or antivirus measures, are no longer enough to protect against today’s threats. Instead, the devices and tools used to protect against cyberattacks need to work in concert with each other.
Achieving this single view requires a high level of device communication and monitoring. Ideally, monitoring systems should also be intelligent enough to distinguish real threats from false positives to reduce the time and effort wasted investigating and responding to security “noise.”
2. Third-Party Risk
Consumer-focused technology companies such as Amazon have raised the bar for financial services.
To keep pace, financial institutions are embracing technology at every step of the consumer experience, whether through in-branch teller kiosks, artificial intelligence-based consumer assistance or integration with third-party fintechs.
Open banking regulations in Europe and other parts of the world are making it a priority to integrate with fintechs and other third-party companies with which consumers have relationships. Under the regulations, financial institutions must provide trusted third parties access to customer or member information when consumers allow it. Whether or not open banking becomes a regulatory standard in the U.S., financial institutions are expanding their integration capabilities to hasten innovation and meet consumer demand.
While integration with third-party fintechs offers benefits to consumers and financial institutions alike, it widens the net for potential security vulnerabilities across multiple channels and services. Engaging consumers through third parties makes identification and validation more crucial than ever and requires closer scrutiny of the companies that are accessing information from your systems.
To address the risks of third-party integration, credit unions will need to review and adjust their strategies in terms of due diligence, updating processes, and monitoring and evaluation. It’s no longer enough to ensure your own channels are secure. An interconnected financial services landscape requires that everyone is secure.
3. Proliferation of Endpoints
Today, virtually anything – or anyone – that connects to your networks and data is a potential vector for a cyberattack. As attack sophistication increases, expect credit unions to secure member interactions across emerging channels, including the ever-expanding range of mobile and IoT devices, in-branch technology and even communications tools such as email, telephone calls and texts that can be used for phishing and social engineering schemes.
To keep pace with the sophistication of today’s attacks, credit unions need to take a layered approach to security that encompasses every IP-connected device from the network and firewall to the endpoint, and implement a cybersecurity strategy that enables them to manage their organization as a single security ecosystem. That’s part of an emerging concept known as SOAR – which stands for security orchestration, automation and response. SOAR platforms enable organizations to collect security-related data from the many different sources that comprise an institution’s security ecosystem, and apply machine learning and automation to that data in order to quickly detect, identify and remediate malicious attacks.
4. Poor Quality Data
Transactional and member data are highly prized commodities to fraudsters and cybercriminals. As a result, credit unions’ ability to assess, leverage and control their data determines how well they can manage risk.
This becomes clear when considering the huge volume of information that is stored within and flowing through your credit union. How do you manage all of this data? How do you ensure its accuracy and usefulness? These are questions that every credit union leader needs to think about. According to a September 2016 article in the Harvard Business Review, poor-quality data cost companies $3.1 trillion in the U.S. alone that year.
And all that data doesn’t stand still. The pace of change within your data is staggering, and credit unions must manage it in the context of financial crime risk. The best defense, then, is making sure your data is accurate.
In the coming year, expect to see greater emphasis on technology that enables credit unions to manage data quickly and efficiently. Advanced analytics, artificial intelligence and machine learning will play a prominent role in anti-money laundering strategies and data management.
5. Shortage of Cybersecurity Expertise
Along with increased risk from cybercriminals, credit unions are faced with a scarcity of qualified cybersecurity expertise. A survey of cybersecurity professionals conducted in 2017 by the Information Systems Security Association and analyst firm Enterprise Strategy Group found that:
- Approximately 70% believe the cybersecurity skills shortage has impacted their organization;
- Approximately 30% said the number one cybersecurity challenge is cybersecurity teams being understaffed for the size of their organization;
- More than 65% claimed they are unable to keep up with skills development and training; and
- Nearly 20% said their cybersecurity team is unable to keep up with the workload.
This is a major concern, as the assessment of cybersecurity risk and preparedness requires both technical and cyber intelligence competencies. Many midsized organizations do not have the expertise on staff to properly assess their current cybersecurity “maturity” level and develop a plan to close identified gaps in associated information technology, business processes, policies and procedures, and management. It is a significant task to design a foundation based upon best practices to mitigate cybersecurity threats, and demonstrate due diligence to regulators, customers and other interested parties.
To manage the challenge of acquiring and keeping qualified security expertise, credit unions are likely to gravitate toward managed security services that are well-staffed and equipped to monitor, analyze and, in some cases, remotely remediate threats before they can expose the credit union to risk.
A Multifaceted Approach to Security
No single solution can protect your credit union from the myriad threats that put its data and reputation at risk. That’s why it’s essential to take a broad view of security that encompasses every IP-connected device from the network and firewall to the endpoint, accounts for integration with third-party channels and services, and ensures the accuracy of your data. Most importantly, you must manage your organization as a single, living ecosystem and determine whether you are equipped to do so in-house or by leveraging the resources and assistance of a managed security service provider.
Nayan Patel is Vice President, Strategic Alliances for Fiserv. He can be reached at 856-874-4883 or nayan.patel@fiserv.com.