Improving Cyber Security Through Future-Proofing & Collaboration
As they increase in frequency, severity and sophistication, cyber threats have become part of the cost of doing business for most industries, and credit unions are no exception. In fact, threats can often leave a credit union’s small security team in a never-ending reactive state.
It is imperative that credit unions carve out time and resources to create a strategic plan to deal with near-future security issues and proactively secure their institutions. This is where a three-year strategy can be most helpful. The three-year time frame lets organizations more easily identify emerging technologies and trends to best deal with current and future attacks. It also allows security leaders and teams to craft a strategy that pertains specifically to their organization — one that focuses on security delivery, environment security and operational effectiveness.
On the service delivery front, credit unions should make sure they have technologies in place to prevent hacking and threat-related downtime. This includes making sure all patching is up to date: According to estimates from the information security organization SANS Institute, at least 80% of cyber security incidents exploit known vulnerabilities.
Credit unions should strive to continually improve the performance and security of their ecosystems while at the same time maintaining compliance with industry mandates and requirements, such as PCI. A critical component of this effort is to make sure new security measures do not have a negative impact on member or employee experiences or add delays or increased downtime. In addition, understanding emerging technology options and staying current with what is and what is not working should be top priorities.
Historically, security teams have put measures in place to safeguard applications. Today, however, the focus should be on member and credit union data, both of which are considered to be a credit union’s crown jewels. To achieve this, credit unions need to make data protection a higher priority in overall operational effectiveness.
Collaboration Boosts Critical Insight
Because security and IT teams are small and focused on keeping the credit union infrastructure running, many have no time to mine the terabytes of data they are collecting to find actionable insights. Often, these teams find it challenging to keep up with developments in the security industry, let alone with happenings at peer organizations. These constraints often leave credit unions operating in a vacuum.
To help improve best practices and maximize resources, credit unions should begin sharing data and information so multiple parties can benefit. For example, if a nearby credit union has faced a physical threat, another can be alerted to be on the lookout for similar activity and prepare for it. Information sharing can be very helpful when it comes to formulating strategy.
Credit unions can also collaborate and share information regarding regulatory assessments, which not only helps inform what the regulatory body is looking for but can also help shape future policies.
Create a Three-year Cyber Security Plan
Creating a near-future security plan does not have to be a drawn-out process, nor does it have to be overly complicated. It is more important to put security measures in place quickly than to talk about them endlessly. Here are a few steps to take to get started:
- If your credit union does not have an Information Security Officer, find one. After you have an ISO in place, document and gain approval for a written information security plan.
- Create a cyber security strategy linked to your credit union’s business model. The CEO’s business goal is to run a financially sound operation. Support that goal by learning how to speak in business terms and articulating why items are of importance to business resilience. Target security spending where it will have the biggest impact (e.g., patch-automation systems and incident-response applications).
- Redouble efforts to secure mission-critical assets. Decide which assets cannot afford to be breached, and dedicate more resources there. Make sure databases and file cabinets are very difficult to reach and breach.
- Improve the organizational effectiveness of your security structure. Give your security leader a more direct role in recommending and justifying spending proposals. Also, promote greater collaboration between security and operations teams, removing conflicting priorities. Make sure new products and programs are reviewed by the ISO and security team.
- Develop an enterprisewide plan to enhance a culture of security. Ideally, you want to see people within your credit union start “doing” security rather than just talking about it. Look for ways to make it fun. For example, host a lunch and learn with FBI agents to teach employees how to recognize the signs that fraud might be occurring.
- Shift thinking from safeguarding applications to securing the data itself. The ultimate goal of cyber thieves is to steal credit card numbers, customer information, intellectual property and other valuable corporate data, so make sure it is protected.
The recent Equifax security breach left many consumers — and perhaps your credit union’s executive team and board — questioning the strength of the security measures being deployed by their banks and credit unions. Now is the time not only to reassure them that your credit union has a good, strong system in place but also to show that you are looking ahead to make sure it remains strong and can face and thwart future problems.
For more information, please visit pscu.com