How to bolster your credit union’s security amid latest NCUA cyber warnings
The National Credit Union Administration recently wrote to credit union leaders about the increased risks of cyberattacks in the industry, citing the ongoing conflict in Ukraine as evidence for the latest concerns. President Biden also signed a new law last month that contained specific reporting rules for any incidents.
Any organization affected by a cyberattack would have 72 hours to report the breach or attack and 24 hours to report a ransom payout. The affected organization would also need to be in regular contact with officials to ensure that mitigation is being carried out properly. With the increase in warnings and additional pressure being placed on credit union leaders, we look at how organizations can protect themselves from chaos.
Shields Up
The frequency and severity of attacks are going haywire and it doesn’t look like they will settle any time soon. With the patterns more unpredictable than ever, CISA’s new “Shields Up” initiative is warning U.S. organizations that now is the time to really focus on preventative cybersecurity measures.
To round out your credit union’s security, consider the following:
MFA
Part of the Zero Trust model, multi-factor authentication is one of the best ways to send attackers packing. The more times they must verify their identity, the more likely it is that they’re going to give up and move on. If your credit union isn’t requiring at least two forms of identification (e.g., confirming a login through a text message or an authentication app), now is the time to implement the additional step.
Disaster Recovery
Should the worst happen to your organization, does your backup and DR plan account for ransomware encryption? If you’re working on a legacy system without offline, air-gapped, and inaccessible backups, even a poorly planned attack could debilitate the organization. Having a well-crafted IT disaster recovery plan and business continuity management strategy grounded in a robust data backup and recovery solution is essential.
Next-Gen Security Tools
A credit union needs gateways, filters, governance measures, data loss prevention systems, and vulnerability management tools to withstand the numerous ways in which a hacker might try to infiltrate a system.
Tabletop Exercise (TTX)
A tabletop exercise quizzes people on what they would do in an incident, essentially providing hands-on training in how to handle and neutralize complex threats. It also assesses whether the team knows who to contact, and when, if something goes wrong.
Encryption at All Applicable Levels
Encryption starts from the assumption that thieves will find a way into your system to steal your information. Implementing encryption ensures that a thief won’t be able to read the files they take, which can be a great way to halt criminals who don’t want to decode endless lines of indecipherable characters and symbols.
Refresh Cyber Awareness Training
If thieves are going to constantly switch up how they attack, it stands to reason that you’ll need ongoing training to give employees new information to combat threats. Refreshing and updating lessons ensures that even the most exhausted of employees are less likely to fall prey to a fake email or errant malicious link.
Establish Relationships with Local Officials
A credit union that is already in touch with its local FBI or CISA office is more likely to have a smoother time if and when anything goes wrong. The White House has asked people to be proactive about establishing relationships, which means knowing who’s in charge and when to contact them.
If IT and Security leadership have no idea where these offices are or how they work, it can drag the process out longer than need be. It can also lead to more catastrophic damage and costs.
Nothing New
These suggestions from the NCUA may not be new, but they remain as important as ever for any credit union that wants to keep itself intact. In light of the latest war, it’s clear that hackers aren’t just going after financial organizations for personal gain and glory. Cyber warfare aims to disrupt and cripple the target’s infrastructure. We’re already seeing a slew of distributed denial of service (DDoS) attacks on Ukraine and there’s no reason these attacks won’t spread to the West in short order.
Is Your In-House Team Enough?
Implementing the above suggestions is far easier said than done. The 24/7 monitoring of threats and the involved response to attacks might be too much for a small IT team. This is particularly true if they’re attempting to focus on improving your bottom line. Having staff work after hours, weekends, and holidays can cause burnout and a work/life imbalance for employees.
Outsourcing to a reputable Managed Security Services Provider (MSSP) provides you with a pool of talented experts who are up to date on the latest in cybersecurity and maintain their certifications. Taking the pressure off your in-house employees frees up time for them to concentrate on the things that matter, like innovation that positively affects membership growth and customer satisfaction.
If you’re not sure about whether you need to outsource your credit union’s IT, or even adopt a hybrid approach, our guide can help you discern what is best for your organization.
Bottom Line
Even if your credit union’s in-house IT team is large enough and experienced enough to handle the ever-evolving cyber threat landscape, there’s no better time than now to revisit your organization’s security stance.
A security gap assessment is a useful tool to help you understand where your security blind spots are and how to address them. No matter what the current security maturity level is for your organization, an assessment provides you with a baseline and a customized strategic roadmap of short- and long-term milestones, as well as a plan of action to achieve your security goals. Don’t wait for the worst to happen before having a plan in place.