Credit union management should not assume they are too small toserve as targets in distributed denial of service and ransomwareattacks, according to a cybersecurity expert.

Ashley McAlpine, fraud prevention manager of Des Moines,Iowa-based payments processor TMG warned credit union personnel,despite recent coverage of high profile incursions, it might looklike these attackers are only after the big guys. “In fact, smallorganizations are very much on the radar of these criminals,”

A DDoS attack occurs when many compromisedsystems attack a single target. The result is denial of service forusers of the targeted system. Ransomware, a type of malwaredeployed for data kidnapping, allows attackers to encrypt avictimized organization’s data so it becomes completelyinaccessible. Ransomware attackers typically demand payment viabitcoin or another untraceable digital currency before they willdecrypt and release the kidnapped data.

A recent notable DDoS attack disrupted Visa, Twitter, Spotify,Airbnb, Netflix and other major websites, causing an hours-longoutage that prevented users from accessing the sites or theiraccounts. In 2015 a an Office of Personnel Management network hackexposed the personal information of 21.5 million former, currentand prospective U.S. employees.

Incidents like these massive attacks can give smaller financialinstitutions a false sense of security, McAlpine suggested beforean audience of credit union staff earlier this month. Yet,community financial institutions are vulnerable for two reasons,she said. First, they can present an easy test bed for attackersworking to hone their craft. Second, credit unions and communitybanks may have fewer layers of protection against DDoS and ransomware.

Most ransomware threats hinge on two factors: tricking peopleinto clicking on malicious content, usually email attachments, andcounting on devices not having advanced threat protection.

Ransomware, in particular, strikes small businesses at a rateeight times higher than that of larger counterparts, according toTMG. Some cybersecurity experts predict ransomware will become asprevalent as DDoS attacks in 2017.

“Community financial institutions must prioritize cybersecuritygoing forward,” McAlpine said. “Large banks and financial servicesproviders are getting better at protecting themselves with everypassing attack. As they become stronger, the target on smallerorganizations becomes that much bigger.”

To mitigate the risks of both DDoS and ransomware attacks,McAlpine suggests credit unions consider the following:

• Educate and train employees.Cybersecurity threat education and awareness campaigns must extendto the C-suite because of the increasing threat of whaling,phishing attempts targeting those at the highest levels of anorganization.
• Update firewalls and routers. Neverfall behind on system updates. The risk is too critical to allowpatches and firmware updates to slide.
• Change default passwords. Systemsconnected to the internet, such as Wi-Fi routers, should never bein operation with factory or default passwords. Change it upon setup and update often.
• Hire a white hat hacker. Severalorganizations in financial services are finding creative ways totap into the collective expertise of cybercriminals. By networkingat ethical hacking events and working with local colleges, creditunions can recruit or contract with students and other youngcybersecurity experts who can find gaps in security protocols.
• Designate a cybersecurity leader.“Your cybersecurity will only be as strong as the people you’vehired to manage it for you,” McAlpine said. Collaborating withoutside security firms is a best practice for smaller organizationsthat do not have the appropriate internal resources. “However, evenwhen you partner with an outside organization, there has to be aninternal champion to monitor evolving threats and oversee a plan toprotect against them.”