To Win the Fight Against Cyberattacks, Stop Shaming

We must create an industry-wide culture of openness and transparency when it comes to cyberattacks.

Shaming can take on many forms. There’s fat-shaming, single-shaming and the shaming of those who choose to be a bit more promiscuous than us. We shame men for not being “masculine enough,” and women for either deciding not to have kids or for deciding to become stay-at-home moms. People who are “too shy,” have certain physical or mental health conditions, or are seen as “low-class” or “rich snobs” can also be victims of shaming – whether on social media, in conversation or through story lines told in the media and popular culture.

People who shame others accomplish little more than hurting their victims and creating further divisions in our society. And I’d like to add another type of shaming to the list – one that could be potentially dangerous for credit unions – cyberattack victim-shaming.

While conducting interviews for this month’s Focus Report feature story on Ransomware & Cybersecurity, one of my sources, Jack Henry & Associates Managing Director of Financial Crimes Allen Eaves, shared an anecdote about an Indianapolis-based financial institution’s experience with ransomware. He said the financial institution traced the attack back to one specific host machine on its network and approached the employee, a teller, who uses that machine. It turned out that this person had in fact been working one day when a frightening banner popped up on her screen stating that she must hand over the equivalent of approximately $200 or lose access to the computer’s data.

Because she was afraid of what could happen to her at work if she reported the incident, and perhaps worried that she had made an error that led to her machine being targeted, she paid the ransom out of her own pocket, regained access to her files and went back to work without saying a word. Meanwhile, the bad actor had begun making their way through other parts of the institution’s network.

If the leaders of this organization had trained their employees to report suspicious cyber activity and assured them that they would not be punished for doing so, this person might have responded differently, leading to a better outcome for the organization in its attempt to thwart the attack.

Eaves said having technical cyber protections in place is important, but what’s also important is “the culture of not just teaching employees who are using your systems what to do and what not to do, but not having an attitude of shaming.” He noted that some organizations incentivize employees to report phishing emails and other suspicious cyber activity by rewarding them with gift cards and other perks.

He also pointed out that cyberattack victim-shaming can extend beyond the shaming of individuals in an organization and to the organization as a whole – and this can have major negative implications for a credit union. In this case, instead of an individual employee being shamed by their colleagues for their potential role in a cyberattack, a credit union is shamed by its members and the public for being a victim.

Think about this: When people hear on the news that an armed robber walked into a credit union branch and demanded money, maybe even threatened the lives of employees and members who were present there, how does that typically affect their perception of the credit union? Aside from the natural instinct to want to stay away from that particular branch until the dust settles, they’ll view the credit union as a true victim. “Oh my gosh, I can’t believe that happened to those poor people,” they’ll think.

But what if the credit union is a victim of a major cyberattack? Some common reactions from the public might include, “How did they let that happen?” “Their systems can’t be too secure,” and even “I wouldn’t trust them with my money.”

“In the physical sense, the nature of people is to have more compassion toward the organization that finds itself the victim there, when somebody comes in with a gun, but that compassion oftentimes doesn’t translate to the cyber world,” Eaves said.

And if that lack of compassion leads to mistrust, the victimized credit union could suffer from a debilitating loss of business – something that would not be expected after a physical attack.

There’s clearly a disconnect between what actually happens when an organization becomes a cyberattack victim and what the public thinks happens. But why? And what can we do about it?

A lack of knowledge about cyber warfare certainly plays a role, and to be fair, people have been robbing banks in America since the early 1800s while cyberattacks are a fairly new concept. They’re complex and invisible, and people might not understand that they’re being carried out by highly skilled, sometimes state-sponsored groups that are becoming more clever and sophisticated – not some kid in a hoodie in their parents’ basement. This is where the credit union marketing and communication pros can step up to provide messaging that educates the public, not just to protect the organization’s reputation after an attack, but to help people understand that even credit unions with the best cybersecurity safeguards in place can have their systems breached.

Within credit unions, we need to develop cultures where employees are not afraid to be totally transparent about the suspicious activity they encounter online. Like the best whistleblower programs that assure employees they will not be retaliated against in any way for reporting suspected internal fraud or harassment, even if they feel threatened by the perpetrator, employees should feel comfortable coming forward with cyber incident reports and not have to worry about being treated like a suspect. Cybersecurity education and incentives are a good place to start when it comes to addressing this, but it’ll take time to see a true shift in attitudes.

If we can create an industry-wide culture of openness and transparency when it comes to cyberattacks – not only within individual credit unions, but among the credit unions, CUSOs, third-party vendors and other groups that make up the movement – valuable information can be shared more quickly, helping victims intercept attacks before they get worse and helping others know what to look for in their efforts to prevent attacks. With the cyberattack landscape becoming scarier by the day, and so much at stake for both credit unions and their members, we must do better.

Natasha Chilingerian, Executive Editor, nchilingerian@cutimes.com