Cybersecurity: It's Not Just an IT Responsibility

Develop a culture of awareness and learning to keep your credit union and members from being victimized in an attack.

It seems all modes of media decry new and emerging cyber threats daily, with tales of large companies and government agencies victimized and severely damaged by these attacks. Cyberattacks, ransomware, data exfiltration and phishing (the kind that has nothing to do with psychedelic-rock music or ice cream) create heightened fear and anxiety – and pose constant threats for all industries. In 2021, social engineering attacks reached an all-time high, and these types of attacks had the highest rate of success globally.

With all the other strategic concerns and competition facing credit unions, how can you combat this increasingly hostile and expensive landscape more effectively? It is imperative that you develop, implement and cultivate a culture of ongoing cybersecurity awareness and learning.

Imagine what the cyber threat landscape would look like if the white hat hackers didn’t exist to help identify and combat emerging threats. And what would happen if your IT manager didn’t constantly worry (every single second of every single day) about where and how the next attack would emerge and what was being done to prevent it? The best IT managers continuously prepare for, anticipate and implement processes to foil an event; it is the foundation of their cyber-defense. IT professionals respond and consistently employ new, robust tools and methods to thwart these attacks, but if you talk with anyone who has had the unenviable task of remediating a cyberattack, particularly a ransomware or phishing attack, you will inevitably hear, “I wish we had,” “We should have” and “Why didn’t we?” By continuously preparing all employees for a cyber event, you can forestall some of the remorse and potentially minimize the damage of an attack against your credit union.

Often companies place responsibility solely on the IT team to prevent attacks. However, it is imperative to recognize that to truly provide the best protection for your members, every employee needs to be engaged in the process. Regardless of preparedness, attacks still succeed, and the number one reason they do is humans. IT professionals regularly invest in anti-virus, monitoring and exfiltration identification tools to continuously shore up the defenses protecting their network. It is taxing and costly to keep pace with a threat landscape that mutates on a minute-to-minute basis. But there is something everyone in your organization can do to support your IT department and their cybersecurity efforts: Implement a cadence of learning with consistent, timely and effective training.

I have observed the escalated pace of these attacks in parallel with my experience leading the IT team at our credit union. Over the last several years, the increase in risk of these attacks has been exponential in scope, and the resources (both solutions and people) needed to prevent harm are also rapidly increasing. At Financial Plus Credit Union, we have made it mandatory for all employees to receive regular, continuous and timely training in ransomware and phishing. Financially, the investment in automated training software and reporting has been the most cost-effective method we have employed in our response to the ever-increasing attempts made to breach our data. The use of training and prevention tools has created a culture of awareness, accountability and continuous learning. This focus on learning in all aspects of our operations has elicited tremendous growth in our employees’ skills and preparedness.

Like all businesses, our employees receive comprehensive new hire and annual IT training, which spans all areas of data protection. But, we have augmented the training to include tools that make a dramatic difference in forestalling and preventing attacks. These tools are available to every employee and allow them to report expected threats; encourage them to become accountable for their engagement in the cyber landscape; and help them pause, think and respond with caution to the many emails they receive from known and unknown sources each workday.

To improve your cyber-defense posture, I encourage you to consider the following:

  • Implement an encryption button for email that ensures data is transmitted safely to its destination and prevents the exfiltration of private information.
  • Insert a pop-up alert that appears before opening any attachment in an email, along with a phishing button that can be used to report an email of concern to your IT team – one that an employee is suspicious of. A strong culture of defense includes the prolific use of these buttons by every employee.
  • Ensure all employees receive training in the form of regular phishing campaigns orchestrated by your third-party audit firms when performing Pen/Vulnerability examinations. Your internal IT department can utilize training software, which provides templates and up-to-the-minute realistic scenarios that test employees’ recognition of things within an email communication that are likely to be malicious. When an employee clicks on a phishing test, a “fail” if you will, the software triggers a response training module for the employee to take. The module reinforces what could have been recognized as a threat and teaches our employees to be more skeptical and careful about the emails and document attachments they open.
  • Help employees who eschew robust password requirements by providing the use of a token credential for password encryption and generation. This tool significantly reduces the risk of password compromises and potential infiltration into your network.
  • Share regular reporting of employee response rates and phishing prone percentages with your executive management and board to ensure engagement in cybersecurity in all aspects of your operation.

Providing these tools and focusing daily on awareness and preparedness has led to a remarkable change for our employees. You might presume employees will have a negative response to extra training and tools, but rather than seeing resentment for additional training, we have seen a reduction in fear, anxiety, carelessness and error throughout our credit union. In addition, we have realized consistent, measurable improvement in the reduction of the number of employees who fall for a scam email.

Employees are more responsible for maintaining our security and take pride in being part of the defense system that protects our credit union and members at a time of utmost concern. A substantial portion of employees now work remotely, and it has never been more critical to your organization’s safety to support vigilance in cybersecurity across your entire organization. IT may be responsible for the processes and equipment that provide and support your cybersecurity, but keeping your credit union and members from being victimized in an attack is the responsibility of every employee. Developing a culture of awareness and learning is an endeavor that will pay continuous dividends, and might one day be the difference maker in preventing substantial harm and loss at your credit union.

Susan Bennett Vice President of Operations & Technology Financial Plus Credit Union Flint, Mich.