“The bad guys don’t know we exist.”
“We are not on the cyber criminals’ radar screen.”
Every week credit union executives say exactly this to me, but now the Comptroller of the Currency, Thomas Curry, has a wakeup call for you, too.
In a Sept. 18 speech to the Exchequer Club of Washington, D.C., Curry spelled out what your biggest problem is: “As our largest institutions improve their defenses, it is very likely that hackers will turn their attention to community banks. These smaller institutions can provide a point of access into the system, and they may have less-sophisticated defenses than large banks.”
For “community bank,” substitute “credit union.”
Bottom line: the least-defended institutions – which includes most credit unions with assets below a few hundred million dollars – now loom as tasty targets for hackers.
But, just maybe, there is a simple, comparatively low-cost line of defense that would be especially suited to credit unions – at least that’s a thought put forward by Tim Clouse, vice president of information technology at Advantis, a $1 billion credit union in Milwaukie, Ore.
First, however, understand that Curry’s contention is that cyber threats are multiplying daily. He noted in his talk that financial institutions, really in just a very years since online banking debuted, have become technology companies that depend on Internet and cellular channels for distribution of vast amounts of information and also money. That also puts them in the sights of cyber criminals.
Curry, in the way of Washington mandarins, speaks a hedged language where meanings may be shrouded. Trend Micro Vice President J. D. Sherry offered this blunt interpretation: “The key message is that many credit unions have antiquated approaches to sophisticated cyber-attacks. Curry is telling credit unions that are on tight budgets to take a new look at this. The lack of investment in defenses – it’s like going into a gunfight with a knife.”
Tom DeSot, chief information officer at Digital Defense, offered kindred thoughts. “There’s an expectation on the part of the member that their credit union – whether it’s $1 billion or $1 million – will offer the same services. They are implementing home banking, mobile apps, all kinds of things.
“The problem is that they don’t have the ability to secure them. The small credit union is at great risk. It is positive that the regulators are recognizing the risks. They are telling the credit unions to build security into their budgets. This will become an issue in the exams.”
Here is how bad matters get. In its research, WhiteHat Security found that 81% of the banking websites it analyzed had at least one serious vulnerability, said Gabriel Gumbs, the Santa Clara, Calif., company’s director of solutions architecture.
Many have multiple flaws, Gumbs said.
Exactly what do credit unions need to do to ramp up their defenses? That’s where Advantis’ Tim Clouse’s idea kicks in. In an interview, he said that in his mind the single best defense would be more – and faster – information sharing about attacks. He elaborated: “Criminals share information. They share hacks, they share processes. As a group, credit unions now are openly sharing information learned.”
Advantis, he added, shares information through a system operated by vendor Guardian Analytics.
Added Clouse: “By their nature, credit unions are collaborative. We need more of that, we need more group protection. In the past you didn’t want to embarrass yourself or suffer reputation risk (by revealing breaches.). Now, we really need to share experiences, for mutual defense.”
Hear how hackers looted institution A, hear how other institutions now can alert themselves to the early signs of similar attacks and, maybe, ward off intruders before suffering losses, suggested Clouse.
Of course, credit unions also have to continually step up their cyber defenses and, suggested Clouse, “I believe there will be a role for CUSOs in this.” That is, a CUSO may be an ideal structure for delivering cost-effective defensive tools, he said.
Clouse sighed that “the ability of smaller credit unions to pay for adequate defenses is a concern,” especially – he added – when even modestly skilled criminals can go to hacker forums, spend a few hundred dollars to buy exploit kits, and, suddenly, that criminal can mount a polished attack against an institution that may have scant defenses.
It’s not a fair fight? No, it isn’t – but exactly that is Curry’s message. There will be more instances where crooks go after credit unions that had thought they were too small to bother with.
Which is why hard work on security now has to be on the to-do list of every credit union, regardless of size. And there will be work, plenty of it. “There is no silver bullet” said Clouse.