Cybersecurity Month: Thinking Beyond Education
Jack Henry's Allen Eaves shares his top concerns and advice for CUs as cyber crime persists heading into 2024.
While credit unions need to think about cybersecurity every month of the year, October’s official designation as Cybersecurity Month serves as a good reminder to read up on emerging threats and review defense strategies.
I’m not sure if it was a coincidence or intentional, but this month I was required to complete my annual company cybersecurity training, which emphasized that using a work laptop is kind of like being at an airport: If you see something suspicious, you should say something. But employee education isn’t everything when it comes to cyber-defense at an organization, as I learned during a recent interview with Allen Eaves, managing director of financial crimes for the Monett, Mo.-based Jack Henry & Associates. We previously spoke in May 2022, when looming security threats stemming from Russia’s invasion of Ukraine were top-of-mind for cybersecurity professionals.
This year, Eaves’ top concerns include continuing ransomware threats, large-scale attacks like the one that hit the Las Vegas Strip last month, and the overlooking of vulnerabilities within open APIs. Here’s a portion of our Oct. 9 conversation, which has been edited for clarity and should hopefully help credit unions fine-tune their cybersecurity strategies heading into 2024.
CU Times: Last year, we talked a lot about ransomware. What have you been noticing this past year as far as new or trending attack tactics?
Eaves: I wish I could say ransomware was so last year and that it’s no longer top of mind. It certainly is still prevalent, and we’ve worked with several financial institutions that have been hit by it. And the circumstances for each of them were very unique. Even though ransomware tends to have a playbook that is somewhat predictable, the technology, environment and what the organization knows in the moment is so varied.
In the middle of an attack, the [victim’s] view into what’s going on is like driving through a torrential downpour – you can see a little bit of the storm, but not the full storm radar. Detection endpoint response, which is essentially the industry’s answer for ransomware, is doing its job, but sometimes that isn’t the full story. One of our customers was hit by ransomware on a system with endpoint protection response, and while it didn’t get encrypted, it got infected. So then they found themselves in a situation similar to if an earthquake had just hit and some buildings were still standing – you still wouldn’t want to go inside those buildings because they may have been compromised. The same goes for servers. Even though the customer still had access to the server, they could by no means trust it.
CU Times: Has the ransomware problem worsened?
Eaves: Verizon’s Data Breach Investigations Report, which I always like to reference, shows that it hasn’t gone down, but it’s not increasing at a faster rate. We’ve kind of hit a plateau. In our experience, it’s still relevant and gets a lot of attention. So while it’s not ramping up, it’s still at a historically high level.
CU Times: What else do credit unions need to be concerned about heading into 2024?
Eaves: There are a lot of actors out there using malicious code to pull data out of the organization’s environment, and they may not even encrypt the systems at all. When you look at what happened to MGM Resorts and the Las Vegas Strip, the entire Strip was nearly brought to its knees, and the cyber-attack was estimated to have caused at least $100 million in damages. And just this week [the week of Oct. 9], it was announced that there was data exfiltration.
There are absolutely particular threats that target credit unions and banks, but the technology isn’t custom-created, meaning the systems used by MGM, hospitals or hotels many times are the same or similar to what banks and credit unions use. So when there’s malicious code floating out there in the wild, it’s always wise to look at what’s going on in the whole cybersecurity ecosystem, not just at banks and credit unions, because there’s a lot of good intel that can come from that broader net.
Phishing is still the number one attack vector, and it’s gotten better and better. AI has really hit a flashpoint in the past year, both in terms of the solution providers saying they’re using AI to help protect you, and at the same time the malicious actors using AI for deep fakes and to come across as someone they’re not in phishing emails. They’re more convincing now than they’ve ever been.
CU Times: Is educating employees on how to identify phishing emails still a key defense strategy?
Eaves: I think it’s a losing battle, if I’m honest. We train people to constantly click links. Every single organization out there sends marketing, follow-up and informational emails that have links, even security companies. So we tell users not to click [suspicious] links, but then literally everybody sends links that have the good information that people want, so it’s like we’re speaking on both sides of our mouth. The takeaway is that technology providers need to do a better job of making sure links and attachments are safe, or else not present those links and attachments to their end users.
CU Times: Have new or evolving attack tactics required credit unions to adjust their defense approaches?
Eaves: It’s a bit of both. Don’t abandon the fundamentals, certainly, but also stay in tune with what the latest and greatest variation looks like. We are seeing a recurrence of multi-method attacks at once, so while there’s an attack going on from the cybersecurity side, there’s also an attack going on from a fraud perspective. And at that point, the cybersecurity attack is more of a diversion. There’s been an uptick in DDoS (distributed denial-of-service) attacks as well.
CU Times: What are your recommended actions for credit unions?
Eaves: If [the attackers] are going after the availability of your systems, most of the time the immediate response is, how do we keep service going? Which is great, and that’s absolutely where the focus needs to be; however, as you go into your business continuity plan, the majority of the time that plan is not designed with fraud as one of the key concerns. So that’s a weakness. I think organizations need to look at their contingency plans and say, when we’re in these stress environments, how are we making sure that we’re not becoming victims because we’re not using the same protection mechanisms that we would under normal circumstances?
Another [threat] that’s really hot right now relates to APIs (application programming interfaces). Most organizations are being tasked to be more open, integrated and collaborative, and APIs have been the answer for that. Part of the challenge there is, yes, they can provide that functionality, and they may be secure enough in their inception, but give it a few months. Is there a long-term plan to make sure they’re being maintained, and to see if there’s a vulnerability or exploit potential? Who’s patching them, and do you have a solid understanding of what data points they can pull from your system?
CU Times: You mentioned that educating employees can’t stop attacks – is it still worth it to provide cybersecurity training?
Eaves: Yes, it’s still a good practice. What it accomplishes is it helps people understand that just being online is a risk and you need to be careful, especially when using corporate resources. But if that’s truly the financial institution’s strategy to protect itself, it’s really missing the mark.
CU Times: If education can’t solve the problem, what should credit unions be focusing their resources on instead?
Eaves: We need to think about how to minimize the damage that’s going to happen when a [malicious] link is clicked on. We also need to do a better job of filtering links so there isn’t a time bomb just waiting to be clicked on. And, if I’m a regular user at a credit union and I click on a malicious link in my email, should I have privileges in my account that I’m logged in with that would allow me to take down the organization? I think the obvious answer is no. It goes back to how your system is architected. Are you architected for failure, or are you architected for resilience?
Natasha Chilingerian Executive Editor nchilingerian@cutimes.com