I recently listened to an interview with two CEOs of mid-sized credit unions. The interviewer asked them about what keeps them up at night. Without a pause, they both answered, “being the victim of a cyberattack.” Their concerns are well placed—the risks associated with cybersecurity are tremendous, and the impact of attacks continues to grow daily.

As the interview progressed, they discussed the complexity of compliance and how much more effort is required to meet today’s regulatory requirements. The compliance struggle is real and will continue to grow as new threats and attack vectors emerge and new legislation is enacted. Ultimately, achieving the right balance between a security program’s people, process, and technology is a significant undertaking.

One of the challenges of implementing a security program that drives down risk in a credit union is the sometimes fuzzy lines between IT functions and security functions. Because IT infrastructure is often the target of cybersecurity threats, many people in credit unions think security is an IT issue. It’s not. Cybersecurity is a business issue.

One of the ways to drive down risk is to acknowledge this fact and to commit the resources needed for a robust cybersecurity program. In many cases, IT professionals are asked to include cybersecurity as an “other duty as assigned.” This informal approach is a recipe for disaster since already overstretched IT teams might not have the skills or expertise to properly execute a cybersecurity plan.

The numbers are telling. Studies have shown that just 54% of alerts are investigated [1], and 51% are not being remediated [2]. This lack of investigation and remediation can lead to impacts like dwell time, where the average number of days to detect a data breach has swollen to more than 200 days [3]. From a cost of business standpoint, the average cyberattack has a cost of over $180 thousand [4].

Approaches to Reduce Business Risk for Credit Unions

So, how can credit unions reduce their business risks? It begins by understanding your data. We recommend creating diagrams that illustrate where your data resides at rest, then how it traverses through your network as it is being used. By understanding this, credit unions can build and test the right defenses at each stage of data residency. Since data moves throughout the various departments of a credit union, your processes must support securing your data while it is in flight and not just when it is safely protected inside the data center or cloud.

As credit unions hone their data mapping, they can then put the processes and technologies required to secure it into place. This mapping will include monitoring the entire network and server infrastructure, along with making sure endpoints are secured for transactions like mobile banking. Ensuring vulnerabilities are assessed and patches are implemented promptly reduces risk as well.

Education goes a long way toward improving the cybersecurity maturity of a credit union, so making sure credit union employees are made aware of what potential threats look like is critical. Through email phishing or social engineering, cybercriminals know that human nature and the desire to help, particularly in an industry that is judged by customer service, can accelerate their access to sensitive data or infrastructure control.

Regulatory Complexity Challenges

Regulatory legislation is becoming firm on compliance requirements. The NCUA exam has seen a marked increase in the number of topics concerning cybersecurity, and the Automated Compliance Examination Tool (ACET) now includes almost 500 declarative statements and requires over 70 pieces of documentation to prove that a credit union is compliant with current regulations. This level of complexity and workload strains the limited resources in many credit unions, pushing the compliance exercise to become an effort checked off the list solely to pass the audit. In these cases, many of the learnings and potential process improvements can be lost as teams work on the tactical checklist to meet compliance.

Finance has a role to play in driving down business risk as well. As decision-makers for many of the investments needed for a robust cybersecurity plan, finance professionals need to understand the risks and impacts that cyberattacks can have on their credit union. “Breaches open wallets” is a common refrain among cybersecurity professionals. This statement may be accurate, but once a breach has happened, it’s too late—a great deal of time and money is required.

At SilverSky, we’ve focused our business on ensuring that credit unions have the cybersecurity skills and expertise to protect their members. From security program development and testing to active monitoring and management of IT infrastructure, we work around the clock to provide the safety and security credit unions need. If you’d like to learn more, including the “10 Step Risk Readiness Checklist for Credit Unions to Drive Down Business Risk,” listen to a replay of our recent webinar as Gerrit Boele, CISSP, discusses the business risks threatening credit unions and what can be done about them.

Sources:

1. Cisco 2018 Security Capabilities Benchmark Study

2. Cisco 2018 Security Capabilities Benchmark Study

3. Ponemon Institute – Cost of a Data Breach

4. Symantec
