In my previous post, “Can Credit Unions Really Prepare for the Unexpected?,” I discussed the need to review and adjust business continuity plans to be able to effectively pivot even when faced with dramatic business process changes.
The dramatic shift resulting from the COVID-19 pandemic will lead to substantial changes in credit union security and compliance frameworks and the need for ongoing employee engagement in cybersecurity and compliance issues.
Evolving Cybersecurity and Compliance Frameworks
This is the time to review your overall security and compliance program. As a credit union or bank, you may already be expected to assess yourself against a regulatory framework such as the NCUA's ACET (Automated Cybersecurity Examination Tool) or the FFIEC Cybersecurity Assessment Tool on which it is based. But even if you are a small organization and are not required to adopt a formal regulatory framework, doing so is a highly recommended practice.
If you have already adopted a framework, explore how it can take you to the next level of maturity. Additionally, these frameworks will continue to evolve and offer guidance in key areas you must monitor to ensure your communications and networks are secure and compliant.
Your bank or credit union is ultimately responsible for its own security and compliance. However, security and compliance skills are not your core business, so I recommend working with a partner who can help you adopt a framework and take you to the next level of cybersecurity maturity, allowing your credit union to spend more of its resources serving your members. This most definitely does not mean replacing your current compliance and security team, but rather providing them with the support they need to adapt to an environment that has dramatically changed and will continue to evolve.
Reflecting the considerable changes the industry has undergone, we can expect that regulatory frameworks will formally change as a result of the pandemic. We have seen many new types of attacks, and there are now gaps in these frameworks as a result of a business environment with much more remote activity.
In response to the changed and in some cases still paused business environment, CUNA launched its COVID-19 Restart and Recovery Task Force, which I expect will influence security and compliance frameworks.
Upcoming framework adjustments will likely be both substantial and ongoing. So for many organizations, continuous engagement with a security and compliance partner who can take you through this journey will be extremely valuable.
Ongoing Cybersecurity and Compliance Employee Engagement
The need for employee training and engagement is not new, but the needs have evolved and grown more urgent. Credit unions must have ongoing programs to proactively engage and educate employees. Because phishing attacks have increased and the risks of at-home work are now better understood, regulations are changing, and will continue to change, to require security awareness training.
Credit unions will need to determine what is acceptable from a remote work point of view and train accordingly. This new training will need to be in addition to further emphasizing existing phishing and cybersecurity-related training.
Organizations will also need to be creative in the ways they engage employees, and the policy update dialogue must be a two-way conversation. Employees must be able to share the challenges they are experiencing in their remote work environments; otherwise, at-home workers will create workarounds that could compromise security.
It is all too common for employees to build shadow IT systems for convenience, and this was already happening when we were all in the office. A couple of years ago, I was working with a client and learned that one of their employees had set up an Access database on his hard drive, managed solely by him, so that he could run ad hoc reports more easily. An insecure shadow IT system was sitting on his desktop instead of the employee accessing the data more securely, directly from the reporting system. Clearly, the reporting system was in some way too cumbersome and needed to be adjusted to both maintain security and allow for work productivity. This problem will undoubtedly worsen in a remote work environment unless employees are educated on security and compliance best practices and encouraged to share their work challenges.
Ultimately, rather than simply presenting a list of rules and procedures that might seem arbitrary, all employees must fully understand the security and compliance ramifications of their actions.
These are challenging times that require a great deal of thought and many technological resources. If you need help adjusting cybersecurity frameworks, compliance frameworks and employee training programs, SilverSky is here for you. Don’t hesitate to reach out to us at 1-800-234-2175 or firstname.lastname@example.org.