Trends & Challenges in Protecting CUs From Cyber-Attacks in 2022 & Beyond
A successful cybersecurity plan includes end-user and board training, budgeting, outsourcing and remediation plan prioritizing.
Credit unions continue to be prime targets of cybercriminals due to the highly confidential nature of the data credit unions possess. Should this data fall into malicious hands, it can result in potential windfalls for the bad guys through the sale of stolen, exfiltrated data, or through the collection of ransom, which can be extorted from the credit union. As we head into a new year, we can determine what trends appear beneficial to protecting credit unions from cyber risks, as well as what challenges may exist as we head into the future.
Successful Small to Mid-sized Credit Unions at Risk
The good news is that according to ransomware remediation firm Coveware, while the average ransomware payment made to extortionists has increased, the median payment dropped in value. In Q2 2022, the average ransom payment was $228,125, an 8% increase from Q1 2022. However, the median ransom payment was $36,360, a steep fall of 51% compared to the previous quarter. Unfortunately, the median size of the companies targeted in Q2 dropped even further, with the bad actors looking for smaller yet financially healthy organizations to disrupt. This points a target directly at successful small and mid-size credit unions.
With financial risks that are large and real, credit unions face numerous challenges when developing their cybersecurity plans. First, the bad guys only have to be right once, while a credit union must be right every time. All it takes is one team member, particularly one with elevated privileges to electronic resources, to hand a bad actor the keys to the credit union's digital kingdom. As a result, continued diligence and user education are critical components of your cyber resilience plan.
Users Spot Malicious Emails & Schemes
According to email security firm Proofpoint, users can be a powerful line of defense in the fight against phishing attacks. In fact, in top-performing companies with an educated workforce, users successfully spotted over 60% of malicious emails. Similarly, the best defense against other social engineering schemes is users applying a healthy dose of skepticism to spot potentially malicious calls to action in emails, phone calls or via other means.
More Education Is Needed
But risks don't end with employees. Credit union board members are often not up to speed on the latest cyber risks, and continuing education can be a challenge. Credit union leagues often try to assist with board education efforts, but a lack of general understanding of technology and cybersecurity basics may persist among long-tenured board members. That lack of understanding can create a barrier to securing proper funding and support for a thorough cybersecurity program, one that addresses technical, physical and administrative risks through appropriate controls.
Greater User Convenience Increases Risks
An added challenge is that cybersecurity risks do not sleep. Platforms like online banking and remote access systems exist for the convenience of members and users alike, but they also provide a welcome attack surface for cyber criminals to target.
As a result, while internal IT support resources are often hired to work only during business hours, many credit unions have engaged with managed services providers that can provide extended around-the-clock coverage. In addition, many have also adopted advanced security solutions such as Security Information and Event Management (SIEM), provided through outsourced engagements. SIEM dashboards are most valuable if monitored 24 hours a day, seven days a week by a Security Operations Center staff consisting of incident response professionals.
Costs of Security Solutions Decreasing
Credit unions work on tight margins, which made funding for cybersecurity solutions such as SIEM quite challenging in the past. However, the good news is that advanced security solutions such as SIEM are becoming an expected part of the security framework, not just for credit unions but for businesses in many regulated industries, including medical, insurance, legal and any business that works in the military supply chain. As a result, the costs for such solutions are coming down as they move from early to mainstream adoption.
Extensive Recommendations Require Prioritization
Unlike many other industries, however, credit unions have security auditors like state regulators and the NCUA regularly reviewing their environments and making recommendations. These reviews result in audit findings and recommendations, and an extensive list can feel overwhelming. Therefore, it's best to prioritize the items, focusing first on those that bring the most benefit to advancing the security stance of the organization. An organization that tries to remediate everything at once delays the remediation of the most important items.
Regular Testing Reduces Overall Findings
In addition, the scope of findings from external auditors can be reduced if a credit union adopts a security mindset and monitors and tests its internal systems regularly through engagement with an outsourced managed security services provider. In this case, recommendations are generated, prioritized and remediated on the credit union's schedule, rather than in response to an external finding.
While building a cybersecurity plan can feel like a daunting task, creating and following one makes the work manageable. By reinforcing end-user training, extending board member training, allocating an appropriate budget, outsourcing to adopt 24×7 coverage as well as advanced solutions such as SIEM, and prioritizing your remediation plans, you can be best positioned to protect your credit union from a cyber-attack.
Dave DelVecchio is the Vice President of Culture and Communications at Sourcepass, a New York, N.Y.-based digital IT services firm.