Security-as-a-Service Helps Credit Unions Protect Member Data, Stay Compliant

With smaller staffs and budgets on top of juggling compliance and your other responsibilities, credit unions still have the same responsibilities big enterprises do when it comes to cybersecurity. So if the big guys get breached, you must wonder – do you even stand a chance?

IT leaders at credit unions know that cybersecurity should be a priority, but they also know cybersecurity is hard work, painful, ever-changing and now existential. While attacks are rising, your staff and their time to dedicate to cybersecurity isn’t. It’s becoming increasingly more challenging to form an in-house cybersecurity program, as security technology becomes more expensive and complicated, and skilled talent harder to find.

Large banks like JP Morgan Chase can spend $600 million a year on cybersecurity, according to CNBC. You need to find a way to protect member data and digital business assets without this level of investment. It is imperative that you find a way to guard against these determined adversaries. So what do you do?

This is where Security-as-a-Service can help. It can grow your team, resources and security expertise. For credit unions, the major value proposition for partnering with a Security-as-a-Service company falls into three categories: Security, compliance and operations.

Security

Now more than ever, credit unions want to avoid being called out for a successful data breach or insider threat. To avoid this, credit unions need to monitor and hunt for threats, respond to incidents and patch systems to reduce their attack surface in the first place.

• Monitoring and Hunting for Threats: Most IT teams at credit unions wish they had additional personnel to properly investigate the large volume of security alerts that their technology provides. A good Security-as-a-Service provider will pick up the slack and triage alarms for you, letting you know what’s important and what isn’t. You will want a Security-as-a-Service provider who will perform root cause analysis and help remediate a situation quickly before damage from a breach gets out of hand.
• Responding to Incidents: Security incidents are a deviation from the organization’s security policy and can include unauthorized access to a specific file share, unusual traffic on an unsanctioned port, or a range of other activities that violate an organization’s acceptable standards. Having a Security-as-a-Service provider removes the time-heavy burden of security monitoring and provides 7x24x365 notification in the event of a security incident or other issue. This allows risk to be mitigated quickly and prevents catastrophic damage.
• Patching Systems: Patch management is a vital part of any cybersecurity program, but while the rate that patches need to be applied is steadily increasing, lean IT teams don’t have time to continuously scan for vulnerabilities and regularly patch systems. A Ponemon Research cybersecurity study found 57% of breaches were due to an unpatched vulnerability and 34% of breached organizations knew they had unpatched vulnerabilities but did nothing. With proper patch management, those breaches could have been prevented.

Security-as-Service providers can help credit unions manage a systematic program to scan for vulnerabilities, and unpatched or misconfigured software across the whole organization. But finding vulnerabilities is only half the job, as they should also help locate needed patches and help with executing patch deployment.

Compliance

You must have a well-defined process and implement necessary technologies for FFIEC compliance. These can include continuous monitoring of audit logs to detect, identify and respond to suspicious and anomalous activity, checking for and fixing vulnerabilities and patching systems and applications to protect member data. In addition, you must now pass the Automated Cybersecurity Examination Tool, which aims to provide a repeatable, measurable and transparent process that improves and standardizes supervision related to cybersecurity in all federally-insured credit unions.

Look for Security-as-a-Service providers who understand the specific requirements for the FFIEC and ACET, since different industries have very specific requirements. Don’t be afraid to ask to speak with their references in the banking and credit union sector.

Operations

Many credit unions have security tools but are still working on a solid, tested and repeatable process to handle security incidents.

By using a Security-as-a-Service provider, credit unions can offload burdensome, highly-manual tasks and spend more time aligning a credit union’s security program to the business, improving service offerings and quality while maintaining complete visibility. This will ultimately allow the IT team to be less reactive and more proactive.

If Security-as-a-Service sounds like a good solution for your credit union, you’ll want to make sure you find a provider that is right for your organization. There are four basic elements that a good Security-as-a-Service provider will offer:

• 24x7x365 active security coverage;
• Instant access to skilled cybersecurity expertise;
• Technology that you may be lacking; and
• Field-tested and mature cybersecurity processes.

To ensure the partnership is right for you, make a checklist of considerations that are key to your business. That way you can determine which cybersecurity provider can deliver trusted advice, since they should become an extension of your IT team and become familiar with your security goals, business processes and compliance requirements. You also need to feel confident that they can do this while navigating the ever-changing cybersecurity and compliance landscapes in parallel.

Cybersecurity for credit unions doesn’t have to be daunting. You don’t have to do it alone – Security-as-a-Service can help improve your cybersecurity posture. In the end, everyone’s goal is the same – to keep member data safe.

Kevin Landt is Vice President of Product Management for Cygilant. He can be reached at klandt@cygilant.com.