by Kyle Benson, Product Marketing Manager
I recently listened to an interview with two CEOs of mid-sized credit unions. The interviewer asked them about what keeps them up at night. Without a pause, they both answered, “being the victim of a cyberattack.” Their concerns are well placed—the risks associated with cybersecurity are tremendous, and the impact of attacks continues to grow daily.
As the interview progressed, they discussed the complexity of compliance and how much more effort is required to meet today’s regulatory requirements. The compliance struggle is real and will continue to grow as new threats and attack vectors emerge and new legislation is enacted. Ultimately, achieving the right balance between a security program’s people, process, and technology is a significant undertaking.
One of the challenges of implementing a security program that drives down risk in a credit union is the sometimes fuzzy lines between IT functions and security functions. Because IT infrastructure is often the target of cybersecurity threats, many people in credit unions think security is an IT issue. It’s not. Cybersecurity is a business issue.
One of the ways to drive down risk is to acknowledge this fact and to commit the resources needed for a robust cybersecurity program. In many cases, IT professionals are asked to include cybersecurity as an “other duty as assigned.” This informal approach is a recipe for disaster, since already overstretched IT teams might not have the skills or expertise to properly execute a cybersecurity plan.
The numbers are telling. Studies have shown that just 54% of alerts are investigated [1], and 51% are not being remediated [2]. This lack of investigation and remediation contributes to long dwell times: the average number of days to detect a data breach has swollen to more than 200 days [3]. From a cost-of-business standpoint, the average cyberattack costs over $180 thousand [4].
Approaches to Reduce Business Risk for Credit Unions
So, how can credit unions reduce their business risks? It begins by understanding your data. We recommend creating diagrams that illustrate where your data resides at rest, then how it traverses through your network as it is being used. By understanding this, credit unions can build and test the right defenses at each stage of data residency. Since data moves throughout the various departments of a credit union, your processes must support securing your data while it is in flight and not just when it is safely protected inside the data center or cloud.
As credit unions hone their data mapping, they can then put the processes and technologies required to secure it into place. This will include monitoring the entire network and server infrastructure, along with making sure endpoints are secured for transactions like mobile banking. Ensuring that vulnerabilities are assessed and patches are applied promptly reduces risk as well.
Education goes a long way toward improving the cybersecurity maturity of a credit union, so making sure credit union employees are made aware of what potential threats look like is critical. Through email phishing or social engineering, cybercriminals know that human nature and the desire to help, particularly in an industry that is judged by customer service, can accelerate their access to sensitive data or infrastructure control.
Regulatory Complexity Challenges
Regulatory legislation is becoming firm on compliance requirements. The NCUA exam has seen a marked increase in the number of topics concerning cybersecurity, and the Automated Compliance Examination Tool (ACET) now includes almost 500 declarative statements and requires over 70 pieces of documentation to prove that a credit union is compliant with current regulations. This level of complexity and workload strains the limited resources in many credit unions, pushing the compliance exercise to become an effort checked off the list solely to pass the audit. In these cases, many of the learnings and potential process improvements can be lost as teams work on the tactical checklist to meet compliance.
Finance has a role to play in driving down business risk as well. As decision-makers for many of the investments a robust cybersecurity plan requires, finance professionals need to understand the risks and impacts that cyberattacks can have on their credit union. “Breaches open wallets” is a common refrain among cybersecurity professionals. This statement may be accurate, but once a breach has happened, it’s too late, and a great deal of time and money is required to recover.
At SilverSky, we’ve focused our business on ensuring that credit unions have the cybersecurity skills and expertise to protect their members. From security program development and testing to active monitoring and management of IT infrastructure, we work around the clock to provide the safety and security credit unions need. If you’d like to learn more, including the “10 Step Risk Readiness Checklist for Credit Unions to Drive Down Business Risk,” listen to a replay of our recent webinar in which Gerrit Boele, CISSP, discusses the business risks threatening credit unions and what can be done about them.
1. Cisco 2018 Security Capabilities Benchmark Study
2. Cisco 2018 Security Capabilities Benchmark Study
3. Ponemon Institute – Cost of a Data Breach