Sifting Through the Cybersecurity Noise to Protect Data
Credit unions, like most organizations, are bombarded by news about breaches and cybersecurity issues every day. So how do they sift through the hype and warnings to determine which threats are real?
Despite the excessive noise and vendor-generated fear tactics, the overwhelming consensus among cybersecurity experts is that credit unions should not simply ignore the messages that come at them.
“The threats are real, but the response an organization crafts must be tempered with the expected risk to their business,” Andrew Shoemaker, CEO of the Boston-based NimbusDDOS, said. Shoemaker added that the Cybersecurity Assessment Tool provided by the FFIEC and its member regulators, including the NCUA, as well as input from neutral security vendors, can help organizations sort through the tumult.
“Credit unions certainly need to be aware of sources that really don't have good information and good insights,” Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, said.
The key is to find out what sources are saying about breaches and security vulnerabilities, and to understand which trends could impact members, Ashley McAlpine, fraud prevention manager for the Des Moines, Iowa-based TMG, said.
Brian Soldato, senior director of product management for the Austin, Texas-based NSS Labs, noted most credit unions do not have fully evolved security operations centers or the tools to sift through every single threat.
A credit union must understand its vulnerabilities, according to Gene Fredriksen, chief information security officer for the St. Petersburg, Fla.-based PSCU.
“The credit union market is unique in the financial services space, which means that through benchmarking and collaboration with other credit unions, an organization can identify the most probable attack vectors,” he said.
The CEO of the Boston-based EiQ Networks, Vijay Basani, pointed out most credit unions have small IT teams tasked with keeping systems and applications running while also having to worry about security.
“They really have to stay up to speed and expand their knowledge base on a continuous basis to address the security challenges,” Basani said.
There are proactive solutions as well. “When you hear about a specific breach or issue, start your peripheral analysis to see if there's potential for exposure,” John Buzzard, account executive and fraud specialist for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. Buzzard suggested credit unions work with their fraud services provider to identify trends that require immediate action.
Defense-in-depth, which coordinates multiple security countermeasures to defend information assets, is a well-known approach, but not enough organizations are actually defending their infrastructure according to its principles, explained Stu Sjouwerman, founder and CEO of the Tampa Bay, Fla.-based KnowBe4. “It clarifies all the noise that you get,” he said.
It's easy to feel overwhelmed, one expert noted. “Don't spend money on cybersecurity based on this morning's news or the scariest headlines. Instead, take a methodical, structured approach that's right for you,” Sherri Davidoff, CEO of the Missoula, Mont.-based LMG Security, said. “Create a corresponding risk management plan that shows how you intend to address cybersecurity risks over a period of time, typically one to three years.”
Besides ignoring cybersecurity threats, the biggest danger might be thinking cybercriminals consider credit unions too small to target. “This is a recipe for disaster,” Buzzard said. “Criminals have proven that they are willing to fly across the country to victimize unwitting credit unions.”
Herold added, “The danger of that type of thinking is that it leaves credit unions unaware and unprepared, without appropriate safeguards in place.”
In fact, small organizations are very much on the radar of these criminals, McAlpine warned. Fraudsters who can't reach the larger financial institutions are just going to zero in on smaller financial institutions, where security is not as strong.
Research from the Woburn, Mass.-based cybersecurity firm Kaspersky Lab found almost 40% of surveyed businesses, including financial institutions, are not confident about protecting themselves against threats like distributed denial-of-service (DDoS) and other targeted attacks.
“I think the number is substantially less than the 40% mentioned by Kaspersky. Many credit unions think they have solutions in place that protect them, but the reality is that when an attack occurs those defenses rarely are sufficient,” Shoemaker said. He added credit unions tend to be ill-prepared for a threat because they have flown under the radar while large banks absorbed the first wave of extortion attacks.
“Most credit unions forget it is easy to target them because they don't have the SOC, IT staff and threat intelligence teams to combat the cyberattacks,” Soldato said. “What we saw in December was about a third of all the payloads that target financial institutions were ransomware.”
The ransomware strike rate is eight times higher at small businesses than it is at large businesses, according to TMG. Some cybersecurity experts predict ransomware will become as prevalent as DDoS attacks in 2017.
There are other threats as well. “Card skimming continues to dominate the conversation as our cohabitation with magstripes continues,” Buzzard said. “The best advice I can give to credit unions is to make sure you are familiar with the FICO Card Alert Service.”
McAlpine said, “Skimming devices on ATMs and at gas stations are the hotspot right now, and are very impactful to credit unions because liability shifts have not taken place yet.”
Email is the No. 1 attack vector from the outside, Sjouwerman said. “An insider threat could be an employee clicking on a phishing link, infecting their workstation and having their credentials stolen,” he said.
Buzzard added, “A workforce can often be the weakest link. Credit unions need to focus on retraining procedurally to ensure employees are maintaining good security habits.”
Shoemaker warned future attackers might use targeted malware installed on internal systems to attack other internal systems.
Risk assessments should address all the threats relevant to a credit union. “Issues such as insider threats could be a high risk, or a very low risk, depending on your employee screening measures, turnover rate, incident detection program and other factors,” Davidoff said. “This is why it's so important to conduct a quality risk assessment customized for your credit union.”
Still, Soldato maintained that outsider threats to financial institutions are greater than insider threats, based on NSS research. “Only 10 to 15% of breaches are caused by insiders,” he said.
Fredriksen pointed out not all actions are malicious – negligent or accidental actions such as taking sensitive data home on a laptop that is lost or stolen can be just as damaging. “Last year, industry reports stated as much as 30% of security incidents are the result of accidental exposures,” he said.
Some common-sense best practices can mitigate the chances of a compromise. Basani recommended implementing password security, ensuring staff members do not use simple or default passwords, and backing up critical data.
To mitigate the attack risk, McAlpine suggested educating and training employees, updating firewalls and routers, changing default passwords and designating a cybersecurity leader.
Fredriksen added the National Credit Union Information Sharing and Analysis Organization, for which he serves as executive director, can help as well.
“While a large financial institution may have staff to process a large amount of threat data, a typical credit union does not,” he said.
An ISAO, through collaboration and communication with its members and other sources, can frame the intelligence in a format that is understandable and actionable for a typical credit union.
When it comes to the price of cybersecurity, credit unions have limited budgets, and that also poses an issue. “I believe the cost factor does not outweigh the risk factor at this point in time,” Soldato said.