The great paradox of cybercrime is that credit unions' biggest vulnerability isn't their technology, it's the people who use it.

“It's low-tech. It's human error; people sending PII or SII. Folks are not breaking into the 256-bit encryption. They're counting on human beings to not be aware [of risks] and to make mistakes,” according to Tom Embrogno, chief information security officer at Docupace.

That means simple steps can be very effective against cyberattacks. Encrypting the devices employees use, and encouraging clients to do the same, is advisors' first step to secure their credit union.

“Encryption works. It's why people do the low-tech hacking, because no one's figured out how to break into the Bank of Americas and the rest of them,” Embrogno told ThinkAdvisor on Tuesday.

Financial experts should also take inventory of the devices in their office, as well as the networks they're connected to.

“Technology providers want to meet you where you live. They want to work on your mobile device because that's where you're at,” Embrogno said, but a bring-your-own-device policy can expose credit unions to unnecessary risk. A hardware inventory should show all the devices used by employees, encryption status, and patches and updates that have been installed. Regulators are “going to want to see what is the point of entry,” he said.

Encrypting Wi-Fi networks, adding a firewall and implementing a strong password policy are other simple steps credit unions can take to protect their data. Most passwords are “far too simple,” Embrogno said. “It's not just eight characters. You should go to 10, 15; use some type of a pass phrase.”

Backing up data regularly is another important part of a cybersecurity plan. A September public service announcement from the FBI stated that “in the first several months of 2016, global ransomware infections were at an all-time high.” A July report by Symantec found that crypto-ransomware, malware that encrypts a network's files until a ransom is paid, is the most common type of ransomware. Symantec discovered 100 new ransomware variants in 2015, and cybersecurity provider Proofpoint found in its Q3 report that variants have multiplied almost 10 times since 2015.

Embrogno suggested storing backed-up data offsite to “make it geographically difficult” for hackers to access.

Even if credit unions don't have the budget to hire a full-time cybersecurity officer, someone should be designated as a point of contact to handle these issues or communicate with third parties. A third party can do penetration testing and vulnerability mapping to identify your weak points and show you how to remediate those issues.

For example, “one common thing is you might bring your kid to work with you one day,” Embrogno said. “You're letting your kid play on the computer and he's playing one of those games that to play the game, he has to open up a port on your router. If you have a third party that's occasionally testing, they can say, 'Here's a port that's open.'”

Phishing testing is another popular service, Embrogno said, where a third party or someone within the credit union sends emails to trick employees into clicking suspicious links. “When the employee clicks in the fake email, guess what that kicks off? Training.”

Embrogno estimates phishing probably accounts for about half of hacking attempts. “They wouldn't keep doing these ad nauseam if they weren't getting results,” he said.

Network monitoring services are another tool, especially for smaller credit unions as they're “not too expensive nowadays. It's almost getting commoditized.” These services will look for outdated patches and software on a credit union's network. “Most malware viruses take advantage of patches to infect a system,” Embrogno said.

“The bad guys invent stuff every day,” he noted. “They're what we call an 'advanced and persistent threat,' so you have to be persistent in your protection.”

Don't Forget About Paper

Another low-tech security measure to have in place is a disposal policy for paper documents and hard drives with sensitive information stored on them.

“If you get rid of a copy machine, are you getting that hard drive electronically shredded?” Embrogno said. “You can have 200,000 or 300,000 private files on the hard drive of that copy machine.”

It's not too big of an investment for would-be identity thieves to spend a few hundred dollars on a copy machine if they can make millions of dollars off the information they find on it, Embrogno said.

There isn't currently a regulatory standard for integrating different technologies, but “both the SEC and FINRA cybersecurity frameworks are based on common standards,” like the National Institute of Standards and Technology and the SANS 20 guidelines developed by the SANS Institute, that many credit unions already have in their DNA, Embrogno said. “The good news is that the standards that are out there are good for people, it's good for protecting folks and it's reasonable.”

Embrogno expects financial institutions will move toward digitizing their document management not just for efficiency but because regulators will demand it.

“You can't be secure in a paper world,” Embrogno said. Auditors “can hold electronic documents to a much higher standard than you can paper. Paper sitting in a filing cabinet that has had 20 people look at it, [but] I don't know which 20 people looked at it. With an electronic document, I have an audit log. I know who looked at it and what they did to it.”

As a vendor to financial services providers, Embrogno said Docupace has had regulators reach out to them directly to confirm financial professionals' cybersecurity processes.

“We're seeing the regulators go right through the broker-dealers and talking to their vendors,” Embrogno said.

Anytime a credit union puts data on another provider's system, regulators are looking for proof that the credit union vetted the provider to make sure its cybersecurity standards are strong enough, Embrogno said.

“Financial services has the most stringent set of masters it serves because of all the different types of information that are stored in these systems.”
