One of the biggest challenges credit unions face is determining how to advance their cybersecurity maturity to protect their customers’ data and to meet the compliance demands of today’s regulatory environment. Many credit unions are stuck and unsure of how to advance. They lack resources and are short on the knowledge and expertise needed to make the next leap on their journey toward more robust cybersecurity.
EDR Was the Missing Link
Traditional prevention-focused strategies are important. Access controls, effective firewalls, antivirus software, and other preventative technologies are foundational musts that reduce the number of breaches and help keep systems in check. However, prevention measures are not enough to foil today’s sophisticated and constantly evolving cybercriminals. To successfully secure your organization, you must incorporate a detection approach, like intrusion detection and monitoring systems that allow you to assimilate and analyze data to catch attacks and breaches early.
More sophisticated data analysis methods that detect problems in a systematic manner must be employed. Unified threat management (UTM) appliances were the focus for a while, and they are quite effective. However, as credit union networks have developed to extend beyond the traditional perimeter to include many mobile, remote, and IoT devices, endpoint detection and response (EDR) tools are necessary.
Historically, we counted on technologies like antivirus software to secure endpoints. We must now use analytical and behavioral EDR technologies, in conjunction with UTM appliances, to strengthen the ability to detect breaches regardless of where within our IT estate the attack might occur. For instance, behavioral technologies will pick up logins occurring at unusual times for a given geography or “impossible journey” behaviors where a “user” logs on in New York and then twenty minutes later logs on in Paris.
When a sophisticated EDR approach is a part of a well-rounded cybersecurity approach, credit unions can advance to the next level of cybersecurity. EDR was the missing technology, but the cybersecurity community, including SilverSky, has made great strides in this area.
Evolving Credit Union Regulatory Expectations
Compliance demands, including the need to secure consumer data, are rapidly advancing, and regulatory organizations at the federal, state, and local levels are now demanding more of credit unions. As a result of this changing environment, many credit unions, particularly smaller organizations, are struggling to determine how to get to the next level of security that regulators are demanding.
Historically, regulations and compliance were not highly prescriptive. Guidelines were issued by the FFIEC and other organizations, and this non-prescriptive approach was appropriate because different credit unions have different issues that result in different levels of exposure. However, today’s cybercriminals are more advanced, and regulators need to be confident that credit unions can rise to the challenge of protecting consumer data.
Credit union cybersecurity must mature, but instead of taking a rigid, prescriptive approach, regulators are taking a risk-based approach that allows credit unions to understand where they are on the security spectrum, to pinpoint the risks specific to their companies, and to define effective programs to address their unique areas of exposure. However, it is not easy for credit unions to objectively assess themselves, to truly look inward. This is where the Automated Cybersecurity Examination Tool (ACET), required by NCUA for all credit unions holding in excess of $250 million in assets, is useful.
ACET was designed to consider that credit unions are the smaller guys within the financial services industry. The NCUA anticipated that companies would struggle a bit, so they took a phased approach that allows credit unions to progress from one phase of security maturity to another over time.
The Challenge of Cybersecurity Maturity Progress
Although the tools are now available, most small- and medium-sized businesses can’t afford the portfolio of technologies, programs, and expertise needed for today’s advanced security and compliance needs.
As an MSSP, SilverSky’s advantage is that we bring an extremely well-stocked cybersecurity toolbox to the table. We can combine these various technologies and approaches in ways that our clients often cannot.
I can’t tell you what a great feeling it is when we can significantly change the manner in which a client looks at the way they secure their business. It’s an amazing feeling when we’re able to elevate a business’s security and compliance. If you’d like to learn more about how SilverSky can help you on your cybersecurity maturation journey, contact your sales representative, email us at learn@silversky.com, or call us at 1-800-234-2175.