The IT Threat Matrix: Dangers Near & Far Require Diligent Defenses
CUs must develop a level of cyber resilience that builds on their operating philosophies, regulatory requirements and market priorities.
Like every sub-sector of the financial services industry, credit unions are susceptible to malicious cyberattacks and related crimes. However, it’s important to understand that, also like the industry overall, this sector is very diverse: Given that there are 6,000-plus providers in this category, the reality is that some will be more vulnerable than others. More to the point, most of these threats are not developed specifically for credit unions; many could be just as easily aimed at other lending institutions and indeed different verticals.
In other words, most of the attacks are quite general, even random – they seek weaknesses in technology infrastructures and processes at all kinds of financial services enterprises, and go for the monetization opportunity where they find an opening. From the largest and most mature investment banks (with massive cyber defense budgets) to local institutions trying to keep pace with technological advances, there’s a broad range of potential targets. For their part, credit unions need to develop a level of cyber resilience that builds on their particular operating philosophies, regulatory requirements and market priorities.
As with organizations in many regulated industries, some institutions continue to focus on ensuring compliance rather than achieving optimal security. The pending capital requirements statute has been postponed to 2022 but of course takes up mindshare, and implementing tighter security controls consistent with requirements imposed by the FFIEC is also a priority. Most credit unions don’t run their own systems, and the technology their suppliers have in place can be quite outdated.
We also see more issues come to light as institutions seek to scale: The bigger their operations get, the more glaring their security problems become. Of course, there are issues in smaller programs too, but they’re less obvious. It’s equally important to understand that cyber resilience is not purely about technology. Human factors or threats – such as business email compromise (BEC) or phishing – can be devastating to smaller enterprises. We find that these attack vectors can lead to a variety of outcomes from fraud to unauthorized access to ransomware. The best protection from these attacks is strict process enforcement, ongoing education about emerging tactics used by adversaries and appropriate business controls.
There are other challenges too. Debit and credit card fraud is still a potent danger. In this arena, the best security comes from requiring multifactor authentication – Mastercard SecureCode, Verified by Visa, 3-D Secure, etc. – on all transactions, coupled with robust technical fraud detection solutions on member channels (technologies offering proactive, early detection of fraudulent and malicious behavior can go a long way). These technical controls can be a challenge for some credit unions. Even more significantly, there’s the third-party issue: Even the most rock-solid defenses can fall prey to vulnerabilities within partners and suppliers that have authorized access to the credit union’s network.
One major limiting factor is that while many credit unions have a local focus – sustaining a community and helping neighbors throughout their lives – some of the greatest dangers come from sophisticated criminals in distant lands. Current threat matrices feature coordinated attacks from gangs in Russia and eastern Europe, as well as some in African regions where English is a common language. These operations typically build on technical expertise, major resources and a high level of dedication. The attacks are surgical more than random – the most popular strategy involves ransomware, and again, they pursue a broad spectrum of potential targets, from credit unions to local governments.
While some familiar dangers have lessened over time – for example, botnets of infected systems are used less now than before, but are still present – there’s unfortunately no indication that the larger risks will go away anytime soon. The attacks often succeed: Victims pay the ransom in order to get their technology and data assets back, and that validates the criminal business model and encourages other bad actors. Even a large-scale ransomware attack or BEC scam doesn’t require much financial or technical investment from a cybercriminal collective. They’re targeting smaller organizations with vital assets and operations but without sophisticated cyber resilience and security. For organizations from credit unions to government agencies, that means the attacks will likely keep coming.
So what can and should credit unions do in order to ward off cyber threats? Keeping cyber resilience solutions up to date is one critical tactic; another is to implement strict policy- and process-based controls, such as requiring out-of-band verification or dual-lock releases on large, anomalous or otherwise critical operations. While these measures seem obvious, they can become obstacles to necessary business practices, and it’s unrealistic to enforce them across the board. However, these restrictions definitely have a place in particular situations.
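To show how a dual-lock release with out-of-band verification can be applied selectively rather than across the board, here is an added illustration (not code from the article or from NCC Group): a small release gate that lets routine transfers through, and holds large or anomalous ones until the member has confirmed out of band and two approvers distinct from the initiator have signed off. The thresholds, roles and sample transfers are constructed assumptions.

```python
"""Dual-control release gate for large or anomalous transfers (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed policy values: assumptions, not figures from the article.
LARGE_AMOUNT = 10_000        # at or above this, dual control always applies
ANOMALY_MULTIPLIER = 3.0     # "anomalous": more than 3x the member's typical transfer

@dataclass
class Transfer:
    tx_id: str
    member_id: str
    amount: float
    typical_amount: float            # member's usual transfer size (constructed)
    initiated_by: str                # staff user who keyed the transfer
    approvals: list[str] = field(default_factory=list)  # staff users who approved
    oob_confirmed: bool = False      # member confirmed via a separate channel

def needs_dual_control(tx: Transfer) -> bool:
    """Large or anomalous transfers need the dual-lock process."""
    return tx.amount >= LARGE_AMOUNT or tx.amount > ANOMALY_MULTIPLIER * tx.typical_amount

def release_decision(tx: Transfer) -> tuple[bool, str]:
    """Return (released, reason). Routine transfers pass; risky ones need
    out-of-band member confirmation plus two approvers who are distinct from
    each other and from the person who initiated the transfer."""
    if not needs_dual_control(tx):
        return True, "released: routine transfer"
    if not tx.oob_confirmed:
        return False, "held: out-of-band member confirmation missing"
    distinct = {a for a in tx.approvals if a != tx.initiated_by}
    if len(distinct) < 2:
        return False, "held: needs two approvers distinct from the initiator"
    return True, "released: dual control satisfied"

# Constructed sample batch covering the routine, missing-OOB, self-approval and happy paths.
SAMPLE_TRANSFERS = [
    Transfer("t1", "m100", 500, 400, "alice"),
    Transfer("t2", "m101", 15_000, 2_000, "alice", ["bob", "carol"]),
    Transfer("t3", "m102", 15_000, 2_000, "alice", ["alice", "bob"], oob_confirmed=True),
    Transfer("t4", "m103", 2_000, 500, "alice", ["bob", "carol"], oob_confirmed=True),
    Transfer("t5", "m104", 15_000, 2_000, "alice", ["bob", "bob"], oob_confirmed=True),
]

def review_batch(transfers: list[Transfer] = SAMPLE_TRANSFERS) -> dict[str, tuple[bool, str]]:
    """Apply the gate to each transfer, keyed by transaction id."""
    return {tx.tx_id: release_decision(tx) for tx in transfers}
```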
As for third-party vulnerabilities, remember that outsourcing particular operations – most notably IT operations and systems – doesn’t mean outsourcing the risk. Even if there are contractual clawbacks or other forms of compensation available in the event of a data breach, every credit union needs to undertake the necessary due diligence. It must evaluate the security posture of all suppliers, examine their contracted obligations around continued cyber resilience, and stress the importance of being kept informed in the event of a breach. Ensuring compliance with industry mandates is one driver here, but retaining member trust is even more critical.
Ultimately, it’s not only about what credit unions can learn from the financial services industry at large, or even what the financial services sector can learn from other verticals. In many cases, it’s more about smaller companies learning from larger corporations. Those enterprises have bigger budgets to lean on and deep resource pools, but their priorities set the standard. Here’s a topline primer:
- Ensuring compliance with existing mandates is not enough; achieving true operational resilience is a higher bar.
- Cybersecurity is not a binary state, as in, we’re secure or we’re not secure. Imagine a spectrum of resilience and find ways to stay on the high side.
- Operational resilience means more than checking a box or two, as in, deploying a few security tools – it spans people, processes and technology.
- Cyber resilience is a business risk: It needs executive ownership and awareness to make the inevitable decisions that involve tradeoffs.
None of this can be done by a technical security team alone, or even the IT shop in general. It requires inter-departmental collaboration, information sharing around tactical intelligence, the development of viable processes (that are adjusted as necessary) and management support at every level. Cyber threats and fraud are very real problems, whether they come from rogue nations or disgruntled employees, and every credit union may be in the firing line. Guarding against these dangers is a digital-era imperative, and those that do it right will be rewarded by the market.
Ollie Whitehouse is Chief Technical Officer for global security firm NCC Group in London.