"A lot of organizations are completely oblivious to the fact that they've been breached," Eaves said. "That is certainly a big challenge because we almost always are in a very reactive mode, responding to that breach, when the customer data is out."

Eaves maintained there are four top cybersecurity concerns for financial institutions: Phishing (links and download attachments), employees, ransomware and vendors/supply chain. From a credit union perspective, the biggest concern continually and overwhelmingly is phishing, the fraudulent attempt to acquire sensitive information through electronic communication.

Another cybersecurity risk that can overlap with phishing involves member-focused internal users. "Regular frontline staff is one of the largest areas of exposure and risk to their credit unions. It's very easy for the bad guy to come in and take advantage of somebody being nice or get somebody to click or take some action they shouldn't be taking," Eaves said.

Another big concern is ransomware, especially vulnerabilities initiated through vendors and the supply chain. Eaves noted, "Over the last year we've seen several publicized attacks that have gone after different partners, ultimately impacting the downstream users of those services."

Eaves added there is a growing need to understand the benefits and risks of encryption. "Most security practitioners are thinking of the positive components of encryption and how it's useful to help protect their data, and it should be used when possible for that purpose."

The other side of that sword, which is very dangerous and problematic, is how much encrypted traffic emanates from regular customers' networks. Eaves warned, "What that means is the systems designed to protect and inspect that traffic are not able to do so at the level they typically would." Traditional intrusion detection systems cannot truly act as the traffic cop of what is going in and out.

Gladiator, a team within ProfitStars, a division of Jack Henry & Associates, helps credit unions strengthen their security through several methods. With managed services, Gladiator sets up a security blanket around the organization using firewalls, prevention systems, perimeter protection devices and unified threat management boxes. It can also provide a Virtual Information Security Officer that helps credit unions identify informational asset risks, controls in place and the efficacy of those controls, and where to focus a cybersecurity program to best improve defenses.

Eaves explained, "It's a significant challenge to take that information and figure out how to actually protect your organization, and see if any of those threats are really truly currently impacting the organization."

The $1.8 billion, Midland, Mich.-based Dow Chemical Employees' Credit Union looked to Jack Henry for help focusing more strongly on a cyber and information security strategy, starting with a move from an on-premises core system to EASE, the outsourced delivery model of the Episys core processing platform from Symitar, a JHA division.

Mark Gandy

Mark Gandy, director of security at DCECU, pointed out having its core hosted at a data center relieved the pressure on its relatively small, skilled staff, which was pretty short on resources. "It allowed us to take their broad control infrastructure, which includes not only the standard technology management practices but also the processes that go along with managing platforms and security, network security and data center security. We've definitely valued the security aspects of their capabilities."

Also, in September 2019, the credit union moved to JHA's Banno digital banking solution. "That allowed us to take advantage of their scalable and industry best practice technology management control processes, and introduce a modern two-factor authentication solution for our members." Gandy added, "We definitely have seen password spray attacks against our members, which Banno has been responding to. Using good practices in their security operations center help mitigate and monitor, and make sure our members' information stays safe."

DCECU also vacated its own disaster recovery structure in favor of a Jack Henry co-location facility in Branson, Mo. "It's easy to manage it remotely," Gandy noted.

Jack Henry provides DCECU with a business continuity client portal, Centurion's Online Planning Expert, as well. Gandy said the credit union recently pulled documentation from COPE to implement business continuity protocols while managing through the coronavirus pandemic.

DCECU's said its first priority during its virus response was the health and safety of employees and members. Next was business continuity, and managing member and community outreach according to its incident response plan.

Gandy noted the biggest area of deployment during DCECU's social-distancing responsibility, part of its continuity planning, was giving people the capability to work from home quickly. "We've gone from about a dozen laptops [for about 150 employees total] to about 135 deployed laptops. We did that in about a week."

Getting the laptops, which were in somewhat short supply, required leveraging two channels: The Denver-based Agility Recovery and the local Best Buy. Gandy said, "We just needed the hardware; then with mobile device management software, application management and identity management such as multifactor authentication, we were able to get those devices quickly configured and deployed."

Gandy recalled last year the credit union partnered with the Santa Barbara, Calif.-based Novacoast, which staffs its security operations center 24/7. "We were able to have regular meetings with our SOC manager as [the outbreak] unfolded about the bad actors and phishing attacks trying to take advantage of COVID-19."

Gandy said Novacoast, along with the Westlake Village, Calif.-based cybersecurity awareness training firm NINJIO, and Atlanta/Israel-based IRONSCALES, which provides bad email detection including a COVID-19 phishing campaign test, helped train and protect employees who do not normally work from home to recognize coronavirus-inspired attacks.

Jack Henry also responded to the coronavirus outbreak-related threats with a statement:

"COVID-19 and the pandemic emergency declared in the United States continues to cause a lot of concerns and issues for all. Gladiator, working with our partners, have identified several new threats leveraging the panic caused by COVID-19, also known as coronavirus. As the numbers of people and businesses affected due to the pandemic continue to increase, threat actors and malware campaigns who use this situation as bait will continue to rise.

"Due to this situation and increased time of risk, Gladiator would like to remind all customers to please exercise additional caution regarding email content and attachments, including clicking links in emails of any nature regarding the pandemic emergency."