Practical Steps for Improving Credit Union Cybersecurity
Security firm Cygilant details the industry tools available to CUs and three steps to strengthening your cybersecurity posture.
Cyber threats are on the rise, perimeter security is dead, endpoints are proliferating, and don’t forget about the troubles that companies have experienced trying to hire employees with the appropriate level of cybersecurity talent. Adding to this list of challenges is the sudden shift to remote work that credit unions have had to make due to the coronavirus pandemic. While I can’t make these issues go away, I hope to make your life a little easier by sharing some tips and practical advice on improving cybersecurity for your credit union.
This article is categorized into two parts. In the first part, I cover the “tools of the trade,” or the industry tools and resources available to help build and strengthen your organization’s compliance and prepare you for an audit. The second part of the article offers practical steps to improve your credit union’s cybersecurity posture.
Tools of the Trade
Credit unions are in a constant cycle of compliance reporting. The Federal Financial Institutions Examination Council (FFIEC) is a great resource with guidelines to help protect a credit union’s member information, but it can also be a source of headaches when it comes to the audit process.
The FFIEC’s main resource is the FFIEC Information Technology Examination Handbook, which provides guidelines on how your organization can run its information security program to manage risk effectively. Some of these requirements include building a strong information security culture within your organization, having defined risk identification processes, establishing effective risk monitoring and reporting processes, and creating consistent security operations processes, among others. The FFIEC IT Exam Handbook also stipulates that credit unions allocate adequate resources to their information security program, which may include resources such as staff or technology.
In addition to providing guidelines on how to run your credit union’s information security program, the FFIEC IT Exam Handbook serves as the primary guide that auditors use when assessing compliance. It’s important to note that while the handbook details most requirements during an audit, it does not include everything – and there may be additional controls that are not outlined in the handbook that an auditor will want to see implemented.
The FFIEC also provides credit unions with a helpful resource called the Automated Cybersecurity Examination Tool (ACET), which is based on the FFIEC Cybersecurity Assessment Tool (CAT). The ACET enables credit unions to input information and get back readable results that you can actually leverage, versus spitting out a PDF that’s hard to interpret.
The last tool from the FFIEC that I encourage credit unions to leverage is CIS Controls® (CIS). The CIS Controls are a prioritized set of actions to protect your organization and data from known cyber-attack vectors, and they also include clear implementation guidelines. The CIS Controls are a great, free tool that credit unions should leverage when building their own cybersecurity program, including credit unions with third-party cybersecurity tools/solutions.
Credit unions face a unique set of challenges. They must ensure data protection and meet strict compliance requirements as laid out by the FFIEC. However, as a not-for-profit, your IT teams, dedicated cybersecurity resources and budgets may be stretched thin. Tools like the FFIEC IT Exam Handbook and CIS framework offer excellent, free resources for helping build your credit union’s cybersecurity posture – regardless of maturity level or preparation for an audit.
Practical Steps for Improving Your Cybersecurity Posture
1. Identify Weaknesses: It’s essential to understand and audit your credit union’s entire information security landscape as part of maintaining FFIEC compliance. In addition to this audit trail, credit unions must have security monitoring processes in place. This means continuously checking for threats and vulnerabilities within your organization’s information system. Security monitoring only works if it’s continual, since information systems are constantly changing.
Security monitoring is one aspect of managed detection and response (MDR) services. MDR services also provide threat detection, compliance monitoring, SIEM (security information and event management) and log management. As you can imagine, sifting through your credit union’s logs and SIEM results alone is extremely tedious and time-consuming. This is where a security operations center (SOC) comes in.
A SOC is a centralized command center that monitors and analyzes your organization’s cybersecurity posture 24/7/365. The SOC is responsible for identifying potential threats, filtering out false positives, reviewing event logs and more. While some large enterprises are able to field their own SOC, most credit unions and mid-sized organizations lack the necessary resources to establish their own. Fortunately, vendors offering Cybersecurity-as-a-Service enable credit unions and other organizations to outsource their SOC teams, without requiring them to hire and pay for their own security analysts to provide around-the-clock monitoring. With a Cybersecurity-as-a-Service or SOC-as-a-Service provider, a credit union can save a massive amount of time that would otherwise be spent digging through thousands of events or alerts and analyzing raw log files to determine what’s happening in its network.
2. Know Where You’re Vulnerable: Every credit union has vulnerabilities in its system – the key is knowing where your vulnerabilities are. Look at vulnerability management as a practical tool to help you understand your system’s weaknesses, so you can fix them before you get hurt.
What exactly do I mean by this? Vulnerability management is the process of identifying, evaluating, treating and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside other security tactics, is vital for organizations to prioritize possible threats and minimize their attack surface. Vulnerabilities are typically categorized in two main buckets:
- Known vulnerabilities with patches; and
- Vulnerabilities in systems without patches.
The process of identifying vulnerabilities, classifying them using the buckets bulleted above, and then searching for patches is another resource-intensive activity. This is another example of where an outside Cybersecurity-as-a-Service provider can help, especially for credit unions with limited resources.
3. Patch the Holes: Once a vulnerability is identified, it takes an enormous amount of time to sift through reports and determine whether or not a patch is required. The complex and repetitive process of sifting through identified vulnerabilities and locating the appropriate patch, then following auditable change management protocols to test and deploy the patch, is tedious and unforgiving toward any mistake. It’s a difficult process often requiring manual efforts to discover, categorize, prioritize, test and deploy patches based on critical risks.
Credit union IT teams need a simpler and less manually intensive process to deploy required updates and patches, so many rely on a patch management solution. Bonus tip: You can simplify and streamline vulnerability identification and patch application by developing a unified approach to both.
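To make steps 2 and 3 concrete, here is an added example (not Cygilant’s code and not part of the original article) of the unified vulnerability-and-patch triage the bonus tip describes: scanner findings are sorted into the two buckets above (patch available versus no patch yet), weighted by asset criticality and exposure so the queue is ordered by risk rather than raw CVSS, and summarized for an audit report. The finding identifiers, hostnames, scores and the risk-weighting formula are all constructed assumptions for illustration, not real scan output.

```python
"""Added example: two-bucket vulnerability triage with risk-based ordering.
All findings below are constructed sample data; the identifiers are
placeholders, not real CVE numbers, and the weighting is an assumption."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str        # placeholder identifiers, not real CVE numbers
    cvss: float            # CVSS base score, 0.0 to 10.0
    patch_available: bool  # does the vendor ship a fix for this yet?
    criticality: int       # 1 = low, 2 = medium, 3 = high (assigned by the credit union)
    internet_facing: bool  # reachable from outside the network perimeter


# Assumed weighting: exposed assets get a 50% uplift on top of criticality.
EXPOSURE_MULTIPLIER = 1.5
HIGH_RISK_THRESHOLD = 20.0  # assumed cut-off for the "high risk" report count


def risk_score(f: Finding) -> float:
    """Weight raw severity by asset importance and network exposure.

    score = cvss * criticality, times EXPOSURE_MULTIPLIER if internet facing.
    Malformed input is rejected rather than silently ranked low."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.finding_id}: {f.cvss}")
    if f.criticality not in (1, 2, 3):
        raise ValueError(f"criticality must be 1..3 for {f.finding_id}")
    score = f.cvss * f.criticality
    if f.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    return round(score, 2)


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into the article's two buckets, each ordered by risk.

    'patch'    -> known vulnerability with a vendor fix: enters change
                  management for test and deployment.
    'mitigate' -> no patch yet: needs a compensating control and a re-check
                  on the next scan cycle."""
    buckets: Dict[str, List[Finding]] = {"patch": [], "mitigate": []}
    for f in findings:
        buckets["patch" if f.patch_available else "mitigate"].append(f)
    for items in buckets.values():
        # Highest risk first; host and id as tie-breakers keep output stable.
        items.sort(key=lambda f: (-risk_score(f), f.host, f.finding_id))
    return buckets


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts suitable for the reporting stage of vulnerability management."""
    buckets = triage(findings)
    return {
        "total": len(findings),
        "patch_available": len(buckets["patch"]),
        "no_patch": len(buckets["mitigate"]),
        "high_risk": sum(1 for f in findings if risk_score(f) >= HIGH_RISK_THRESHOLD),
    }


# Constructed sample findings (hostnames and ids are invented placeholders).
SAMPLE_FINDINGS = [
    Finding("online-banking-web01", "PLACEHOLDER-001", 9.8, True, 3, True),
    Finding("core-db01", "PLACEHOLDER-002", 7.5, False, 3, False),
    Finding("hr-print01", "PLACEHOLDER-003", 5.3, True, 1, False),
    Finding("vpn-gw01", "PLACEHOLDER-004", 8.1, False, 2, True),
    Finding("branch-kiosk02", "PLACEHOLDER-005", 4.3, True, 1, False),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FINDINGS).items():
        print(f"== {bucket} ==")
        for f in items:
            print(f"{risk_score(f):6.2f}  {f.host:24s} {f.finding_id}")
    print(summary(SAMPLE_FINDINGS))
```

The point of the weighting is that a medium-severity finding on an internet-facing member-facing system can outrank a higher-CVSS finding on an isolated internal box; the "mitigate" bucket is what the no-patch case needs, since those items cannot simply be closed by the patch management solution and must be tracked until a fix ships.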
There is so much happening in the world right now and credit unions face endless challenges and obstacles. Fortunately, new technology has helped produce free online resources like the ACET, and Cybersecurity-as-a-Service providers have grown in prominence and are available to help resource-constrained credit unions. These outside solutions are key to navigating some of the thorny issues your credit union is facing.
Kevin Landt is vice president of product management for Cygilant, a computer and network security firm based in Boston.