Taking a Proactive Approach to Cybersecurity

The threat landscape will keep shifting, and CUs need to leverage technology and their work force to stay protected and current.

Cybersecurity training (Image: Shutterstock).

In today’s world and threat environment, no organization or individual is safe from being the target of a cybersecurity attack or data breach. Over the years, more sophisticated and coordinated attacks are compromising systems and accessing confidential data, causing millions of dollars in losses.

It almost feels as if every day there is a new data breach or ransomware attack targeting companies, internet users or even entire countries, and this growing threat cannot be ignored. It is forcing companies to invest more time, resources and budget into building a “defense in depth” strategy to protect their systems, data and operations. The goal is to ensure that if one control fails, others can mitigate, detect or prevent an attack.

There are many safeguards that can be implemented as part of this multilayer approach to security. On one hand, there are technical measures as simple as keeping systems up to date or using antivirus software. There are also physical actions that can be taken, such as keeping servers in a secure location and limiting access to authorized personnel. Others include developing users’ skills and awareness as an integral part of the defense in depth strategy.

This is not about forcing every single user to become a cybersecurity expert; this is about educating users and creating the right environment for people to learn best practices, and transform unsafe habits into safe habits. All of this contributes to building a culture around security and allowing workers to report all incidents, including those that were caused by their own actions. If a user is afraid of losing their job and does not report an incident, they are putting more at risk than their employment – they are endangering the entire organization.

Each organization has unique security challenges, but there are key elements that must be considered as part of any effort to mitigate the risk of a user causing a security incident. At the very top, management plays a key role in approving and enforcing policies and procedures. Leaders are also responsible for choosing a path that ensures security is an integral part of the company’s culture. Board meetings, or any other high-level meetings, must be used to create awareness about the current threat environment, growing threats, the likelihood of a threat exploiting vulnerabilities, training gaps, attack vectors and more. If leaders are not conscious of the risks, they will not push for the changes needed for the rest of the organization.

In case of a real incident, a detailed explanation about what caused the issue and what was done to recover from it can be used as a learning experience for all. The objective should always be to learn from the mistakes made, not to punish or embarrass anyone. Management should decide if an incident can be used as an example at annual meetings or company gatherings to get employees’ attention and feedback, or just to alert them about unsafe actions. These sessions can help employees understand what can be done to avoid these situations in the future, and determine whether policies, procedures or security countermeasures need to be reviewed and corrected.

A credit union’s annual training program should be updated to include the latest threats and focus on increasing a user’s ability to spot and deal with identity theft, phishing, smishing (SMS phishing), war dialing, robocalls, vishing (VoIP phishing) and social engineering attacks, just to name a few. This will help users understand that they have an important role in protecting the confidentiality, integrity and availability of systems. Also, training programs must clearly make reference to policies and procedures for reporting suspicious events, and for protecting evidence in the case of a security incident.

When presenting acceptable use policies, instructing employees how to avoid risky behavior must be the objective. Users need to recognize that accessing personal email, social media or online shopping websites with company-owned equipment increases the risk of a malware infection and endangers the entire organization. Periodic reminders can emphasize the importance of compliance around these policies, and keep staff aware of the ways in which the network, websites or system may be used.

Throughout each year, users must be reminded of and tested on the concepts and situations covered during training. Customized phishing campaigns can be deployed to evaluate how employees and management react to spear phishing and whaling attacks (which target high-profile executives). The campaigns’ results can be used to greatly improve future trainings. One important note is that organizations cannot ignore the fact that a high-ranking employee is the most valuable target for an attacker; therefore, security controls should be reinforced for them and policies cannot be bent for them.

IT personnel should be encouraged to use every opportunity to educate users about best practices, the importance of strong passwords and the benefits of multifactor authentication. Some educational topics may include:

Awareness includes encouraging people to ask questions. Raising the right one could give you the clarity to spot a suspicious encounter with a potential attacker. You never really know who is listening in on, phishing or sniffing your network.

Many types of scams include a sense of urgency and use words like “immediately,” “urgent” or “out of compliance.” One of the best ways to develop the skills to detect them is to incorporate social engineering and phishing campaigns as part of an internal penetration test, and then discuss the findings with staff and incorporate the outcome into regular training exercises. Another important thing to consider is that if users know they are being tested, the effectiveness of these drills will be compromised, and they will lose their value.
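The urgency cues described above lend themselves to a simple triage check that trainers can run over reported messages to pick realistic examples for awareness sessions. The following is an added example written for this page, not code from the article or from the author's credit union; the cue phrases beyond the three the article names ("immediately," "urgent," "out of compliance") are constructed assumptions, as are the sample messages.

```python
import re
from dataclasses import dataclass, field

# Urgency cues: the three named in the article, plus constructed extras (assumptions).
URGENCY_CUES = [
    "immediately",
    "urgent",
    "out of compliance",
    "within 24 hours",
    "account will be suspended",
    "final notice",
]


@dataclass
class Finding:
    subject: str
    cues: list = field(default_factory=list)
    score: int = 0


def find_cues(text: str) -> list:
    """Return the urgency phrases present in text, matched case-insensitively.

    A word boundary is required before each cue and any suffix is allowed after it,
    so "urgently" matches the cue "urgent" while "insurgent" does not.
    """
    lowered = text.lower()
    found = []
    for cue in URGENCY_CUES:
        pattern = r"\b" + re.escape(cue) + r"\w*"
        if re.search(pattern, lowered):
            found.append(cue)
    return found


def urgency_score(subject: str, body: str) -> Finding:
    """Score one message: every cue counts once, and cues in the subject count twice,
    because the subject line is where pressure is applied first."""
    cues = find_cues(subject + " " + body)
    score = len(cues) + len(find_cues(subject))
    return Finding(subject=subject, cues=cues, score=score)


def triage(messages, threshold: int = 2) -> list:
    """Return findings at or above threshold, highest score first.

    messages is an iterable of (subject, body) pairs, e.g. messages users reported
    through the "report suspicious email" procedure the training refers to.
    """
    findings = [urgency_score(subject, body) for subject, body in messages]
    return sorted(
        (f for f in findings if f.score >= threshold),
        key=lambda f: -f.score,
    )


# Constructed sample messages (not real reports).
SAMPLE_MESSAGES = [
    ("URGENT: your account is out of compliance",
     "Verify your credentials immediately or access will be revoked."),
    ("Lunch menu for Friday",
     "The cafeteria will serve tacos. Vote on dessert by Thursday."),
    ("Final notice: mailbox quota",
     "Your mailbox will be suspended within 24 hours unless you act now."),
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(f"score={finding.score} subject={finding.subject!r} cues={finding.cues}")
```

The score is only a prompt for a human to look closer; the point of the exercise is to surface messages that carry the pressure tactics staff were trained to notice, not to classify mail automatically. Lowering `threshold` widens the net, and the cue list should grow from real reported examples rather than from guesses.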

The threat landscape will keep shifting, and credit unions need to leverage technology and their work force to stay protected and current. It does not matter how big or small a credit union is – a single user can put the entire organization at risk, while on the other hand, a committed and alert employee can protect the credit union from external and internal threats with the right tools and training.

Yudel Arbella

Yudel Arbella is Senior Network and Systems Specialist for JetStream FCU. He can be reached at 305-821-7060 or yarbella@jetstreamfcu.org.