Mitigate Risk This Holiday Season: Train Your Employees & Members to Be Cyber Smart

Cybersecurity has been a top concern for businesses for the past year as the number and impact of cyberattacks has increased drastically.

The FBI and CISA announced an “increase in highly impactful ransomware attacks occurring on holidays and weekends – when offices are normally closed – in the United States” and warned businesses to be “especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques and procedures (TTPs), and cyberattacks over holidays and weekends during the past few months,” in a statement earlier this year.

Industry research has found a 70% average increase in attempted ransomware attacks in November and December compared to January and February.

Ninety percent of cyberattacks are the result of human error, and this time of year especially, employees can be distracted and consumers are not always as aware or concerned about how certain behaviors could expose them to risk. Any device that stores information or is connected to the internet can be a vulnerability including thumb drives, laptops, printers, phones, tablets, thermostats and vehicles.

As reported by SCMedia, FICO’s recent 2022 Digital Consumer Banking and Fraud Survey found that financial customers are “too complacent about the risk certain fraudsters pose, with only 5% worrying about real-time payments fraud, and many unwilling to accept new fraud management measures.”

Financial institutions, including credit unions, must develop, monitor and evolve risk management strategies to reduce threats to members and their data.

SCMedia quoted Nikhil Behl, chief marketing officer at FICO: “Even if consumers are not overly worried, financial institutions still need to be on their behalf. Organizations will need to continue to adapt and evolve to fight existing and emerging fraud threats. At the same time, they need to carefully balance fraud management with sustaining customer trust, and delivering frictionless digital and in-person customer experiences.”

With the increase in access and use of digital banking and digital currency, credit unions need to have more heightened awareness of potential cyber threats and ways to protect members as the cyberattack surfaces grow.

According to the FICO study, nearly three in 10 U.S. consumers say they would change banks if they feel their fraud incident was poorly dealt with.

With an awareness campaign and cyber safety tips, credit unions can proactively train employees and members to reduce the risk of a cyberattack.

Educate employees and members about cyberattacks and ways to mitigate risk. Using email, branch signage, text messages and social media, provide members with insights and tips that are easy to understand and use. Provide employees with simple talking points and educational materials to share with members. Here are a few examples:

Update Passwords

It can be difficult to think of new passwords, and with so many devices and apps requiring them, it’s a real challenge to remember them all. However, strong passwords are extremely important to protecting personal and professional data and devices.

Password or credential stuffing is a cyberattack that tries “stuffing” already comprised usernames and passwords from one site into another site in hopes that the user uses the same login information across platforms.

Changing passwords often and creating complex passwords reduces the risk of hackers accessing systems. Use different passwords on different systems and accounts – reset your passwords every few months and use a password manager to keep track. When creating a password, use the longest password allowed along with a mix of uppercase and lowercase letters, numbers and symbols.

Antivirus Protection

Do all devices have anti-virus software installed? Do your employees and members have anti-virus software on home computers, phones and tablets? Just as important, are all devices up-to-date and regularly scanned for potential threats?

Phishing Attacks

Phishing attacks are fake messages from a seemingly trusted or reputable source designed to convince you to reveal information, give unauthorized access to a system, or click on a link. These can come through emails, text messages, phone calls or social media messages.

Employees need to be aware of what these messages can look like – HR and accounting departments can be particularly vulnerable to fake bank emails, customers “changing” their accounts for deposit, and emails asking for payroll, tax or HR info from the “CEO” or “CFO.” Before transferring money to any individual or business, members should call or visit them in person to make sure it is a legitimate request.

For those accessing office networks on a personal computer or bringing work devices home, understanding these types of fake communications will be critical to preventing hackers from accessing company data and networks.

Cyber threats are not a lost cause, and the risk can be mitigated with the right partners and training. Without a strong security plan in place, the costs that come with a cyberattack – such as employee and member data loss, business disruption, revenue losses and brand reputation – can last for months or even years, and in some cases, organizations are unable to recover.

Michael Seidelman is Director of Cybersecurity for Think|Stack, a Cockeysville, Md.-based managed IT services CUSO specializing in cloud and cybersecurity solutions for credit unions and non-profits.