How Credit Unions Can Take the Next Step in Securing Their Apps

The finance industry is winning over customers with mobile tools and services. In fact, two-thirds of consumers say they “can’t live” without their banking apps, according to the 2023 Chase Digital Banking Attitudes Study, as 87% use these apps no less than once a month.

Credit unions and other financial institutions are achieving great success here because software development teams create seamless, easy-to-use and efficient mobile apps with positive user experiences. In only a few taps of the screen, members can pay off their credit card balance, set up recurring payments, transfer funds, deposit checks and call up their credit score.

But utility without security will obviously undo all of the goodwill that these institutions have built with consumers – it takes just one breach for users to lose confidence in a company’s ability to protect their accounts. Fortunately, credit unions and other banking institutions take a very proactive approach to cybersecurity. This extends to the oversight of their popular apps. Many, for example, have focused on upskilling the defense capabilities of their developer teams.

They’re doing so for good reason: Because attackers go where the money is, finance remains among the top five targeted sectors, according to the most recent Verizon Data Breach Investigations Report. Stringent regulations – including the Payment Card Industry Data Security Standard (PCI DSS), the EU’s General Data Protection Regulation (GDPR) and additional global and national ones that address issues such as insecure data storage, insufficient authentication/authorization, poor code quality and code tampering – also drive the industry’s vigilant mindset.

However, if we’ve learned anything about modern technology and cyber threats, it’s that everything is in a constant state of flux. Today, credit unions face rising pressures to deliver high-quality experiences in new apps and features more swiftly than ever. Subsequently, they need to go beyond a developer “one and done” compliance-only mentality. Upskilling the developers responsible for  underlying code and writing secure code has never been more important.

Without this training and verification, a lack of expertise will result in teams taking shortcuts and/or lapsing into human errors, which can trigger configuration issues and code-level vulnerabilities. Clearly, every effort should be made to avoid this as credit unions/other financial sector leaders continue to set the standard for their counterparts in other industries. Here’s how you can do so for your organization:

Elevate engagement. The financial sector can stay out in front by identifying and supporting engaging, holistic training programs not only for application security (AppSec) professionals but developer teams. A dynamic approach based upon real-life threat management scenarios – as opposed to a static learning approach – will gain traction very quickly. This can include the leveraging of motivational tools, such as rewards for successful “wins” and skills acquired. A dynamic learning environment sparks much enthusiasm, along with unprecedented motivation to earn certifications and collaborate with peers to upskill them as well.

Gain buy-in from senior management members. You must convince top executive decision-makers that security is not a “set it and forget it” discipline. Their sophistication – in addition to their investment strategies for tools and training – needs to expand as rapidly as the technology and threat landscape does.

Engage the entire organization. You can achieve this with a positive security program focused on role-based training and awareness. While you need to modify the level of technical depth depending on the individual’s position, you still have to convey the same message of “security first.”

Investing in engaging training and skills verification isn’t simply the right thing to do – it’s the smart thing to do. For starters, the global cybersecurity workforce gap has reached 3.4 million people, according to the The (ISC)² Cybersecurity Workforce Study. Incorporating a proactive protection posture – especially within development teams – has emerged as a non-traditional, but effective way to alleviate the pressures caused by the talent shortage. Second, it’s a proven cost-savings driver: It’s far less expensive to fix vulnerabilities as code is written rather than in post-release.

By transforming your culture to place a high priority on security as an indicator of software quality and brand integrity, you will help nurture important relationships with your AppSec professionals. This will build a positive sentiment that fosters responsibility and ownership organization-wide, ensuring credit union user experiences that are both successful and safe.

Pieter Danhieux is the CEO and Co-founder of Secure Code Warrior, an Australia-based secure code learning platform and software integrations provider.