Cybersecurity can be an elusive subject and entail nuances that require varied expertise, yet it is an important aspect of everyday business that cannot be disregarded. This is true for regulators, boards, management, employees and auditors alike.

Learn the History

The root cause of cybersecurity's complexity is the evolution of digital services provided to end users. The nature and productivity of digital services have changed dramatically in the last 40 years – first with personal computers, next with smartphones and now with Internet of Things devices such as smart speakers. Even though this change in digital services has been dramatic, the way in which we authorize access to such digital services has remained inanely stagnant.

When you turned on a personal computer in the early days of digital, you may have typed a password to get access to the services available from that device. Today we do pretty much the same thing to access almost all digital services. Yes, there have been some minor changes – tokenized passwords instead of fixed ones, and biometrics as a proxy for passwords. These changes are insignificant compared to the dramatic changes in the nature of digital services over the past 40 years.

We still manage passwords in one form or another centrally in bulk. This fundamental layer has remained the same with all of its flaws. These flaws get amplified more and more as time goes on because computers are becoming faster and faster, making it easier to hack such passwords. It is like a slice of Swiss cheese with a cluster of holes that become bigger over time. To cover these expanding holes over the past four decades, we have added layers and layers of Swiss cheese with holes, hoping that none of the holes will line up. Such a patchwork of solutions, including an array of reactive machine learning tools and analytics, has now resulted in a complex maze that is nearly impossible to decipher. This is probably why we all believe cyber compromise is just a matter of when and not a matter of if.

Standards

Instead of this flawed approach to protecting information by covering it with layers of “Swiss cheese,” we could instead place the information in a lock box and proactively protect the keys. This is the digital equivalent of encrypting data and keeping the decryption keys safe. (Note that the safe-keeping of decryption keys should not be reliant on centrally-managed passwords of any kind.)

This cryptographic access to digital services is easier said than done because it will require a behavior change from end users, just like EMV chip cards required a behavior change to bring cryptographic access to services at the point of sale. EMV's success took years of planning, cooperation and global scale, and it was all made possible by unified standards – Europay, Mastercard and Visa, or EMV. The credit union industry will need similar standards to achieve cryptographic security for digital services. Credit unions rely heavily on vendors that may not follow standards for digital services. Vendors often control the centralized digital credentials but do not take on the liability. At some point this has to change. And the appropriate change may not be the shift of liability to vendors, but rather the shift of credentials control to the credit unions and the use of standards for cryptographic authorization.

While credit unions can rely on open standards such as OpenID, PKCS and blockchain, getting your ecosystem of vendors to migrate will take time. Until then you are exposed to the risk of owning the liability without being able to control your destiny. Therefore it is important for you to be able to quantify your risk.

Quantify

One way to measure “the worst that could happen” is to quantify liability in relation to your asset size. Let us go through some examples; although they may not be the most accurate, they will illustrate the possible methods for quantifying risk.

According to the World Bank, the global real GDP is $77 trillion, which is a measure of money transacted between two parties in 2017. The estimated readily spendable cash in the world (also called M1) was about $24 trillion. So, if 1% of the transactions are fraudulent due to cyber compromise, then in three and a half years 11% of the spendable cash will be in the hands of cyber criminals. If the fraud increased to 10%, within four months 11% of the spendable cash will be depleted from legitimate accountholders.

Let us look at a second example. In the U.S., the personal consumption expenditure, a measure of money transacted, in 2017 was $13.6 trillion according to Wolfram Alpha. The readily available cash in the U.S. according to FRED was $3.2 trillion. So, if 1% of the transactions are fraudulent due to cyber compromise, then in two and a half years 11% of the spendable cash will be in the hands of cyber criminals. And if the fraud increased to 10%, within three months 11% of the spendable cash will be depleted from legitimate accountholders. Comparing global data to the U.S. data, we observe that the more vibrant an economy is, the bigger the need is to understand cybersecurity, especially when almost all of the money is digital.

It is hard to say what time constraint is acceptable or how much loss is acceptable for your institution, but I recommend that you undertake an internal effort to quantify the duration of a cyber compromise and the loss that could happen within that duration. Duration is important because the reaction times to fix cyber compromises are much slower than the pace at which money moves digitally. This is because fixing cyber compromises depends on the interdependency of data and on the disclosure of the loss of such data. For example, service providers such as Equifax and Uber lose information and do not disclose it for months, which in turn could compromise your members without you even being aware of it. To make matters worse, according to Barclays Bank nearly 75% of cyberattacks go unreported.

Act

There are basically two specific sets of actions to take. One is to collaborate with the ecosystem of your peers in the credit union industry to create standards for cryptographic access to digital services and push vendors to follow such standards. And two is to undertake an internal effort to quantify your risks in both loss of assets and a time duration during which you are likely to be exposed to such loss. Then evaluate through a sensitivity study whether such a range of loss is acceptable compared to an appropriate measure of your assets. Neither of these two actions will require you to unravel the complexity of cybersecurity arising from the historical evolution of digital services.
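The arithmetic behind the Quantify section's two examples and the sensitivity study recommended here can be carried through in a few lines. The following is an added example, not code from the article or from Tyfone: it reproduces the article's world and U.S. figures, generalizes the method to any economy or institution (money transacted per year and spendable cash at risk are the only inputs), answers the inverse question of how much cash is exposed while a compromise runs undetected for a given number of months, and sweeps fraud rates the way a sensitivity study would. The `Economy` class, the function names and the six-month undetected-compromise duration are assumptions made for the illustration; the only figures taken from the article are the 2017 GDP, PCE and M1 values.

```python
"""Time-to-loss and loss-in-duration estimates for cyber-fraud exposure.

Added example: the model is the article's simplification that fraud is a
constant share of a constant transaction flow, so cumulative loss grows
linearly with time. Names and the sample duration below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Economy:
    """Money flows of an economy or institution, in any consistent currency unit."""
    name: str
    transacted_per_year: float  # money transacted per year (GDP, PCE, or an institution's payment volume)
    spendable_cash: float       # readily spendable cash at risk (M1, or an institution's deposits)


# The two data points quoted in the article (trillions of USD, 2017).
WORLD = Economy("World 2017", transacted_per_year=77.0, spendable_cash=24.0)
US = Economy("U.S. 2017", transacted_per_year=13.6, spendable_cash=3.2)


def years_to_deplete(economy: Economy, fraud_rate: float, loss_fraction: float) -> float:
    """Years until `fraud_rate` of transactions has diverted `loss_fraction` of spendable cash.

    loss(t) = fraud_rate * transacted_per_year * t, solved for t at
    loss(t) = loss_fraction * spendable_cash.
    """
    if not 0.0 < fraud_rate <= 1.0:
        raise ValueError("fraud_rate must be in (0, 1]")
    if not 0.0 < loss_fraction <= 1.0:
        raise ValueError("loss_fraction must be in (0, 1]")
    annual_fraud = fraud_rate * economy.transacted_per_year
    return loss_fraction * economy.spendable_cash / annual_fraud


def loss_fraction_within(economy: Economy, fraud_rate: float, months: float) -> float:
    """Share of spendable cash lost while a compromise goes undetected for `months`.

    This is the inverse question the article asks you to answer internally:
    given how long a compromise is likely to run before it is found and fixed,
    how much of the cash base is exposed during that window?
    """
    if months < 0:
        raise ValueError("months must be non-negative")
    annual_fraud = fraud_rate * economy.transacted_per_year
    return annual_fraud * (months / 12.0) / economy.spendable_cash


def sensitivity_months(economy: Economy, fraud_rates: Iterable[float],
                       loss_fraction: float) -> Dict[float, float]:
    """Months to reach `loss_fraction` for each fraud rate: a simple sensitivity study."""
    return {rate: 12.0 * years_to_deplete(economy, rate, loss_fraction) for rate in fraud_rates}


if __name__ == "__main__":
    for econ in (WORLD, US):
        print(f"{econ.name}: months until 11% of spendable cash is gone")
        for rate, months in sensitivity_months(econ, (0.001, 0.01, 0.05, 0.10), 0.11).items():
            print(f"  fraud rate {rate:>5.1%}: {months:6.1f} months")
        # Assumed six-month undetected window, in the spirit of the article's
        # remark that breaches can go undisclosed for months.
        print(f"  exposure at 1% fraud over a 6-month undetected compromise: "
              f"{loss_fraction_within(econ, 0.01, 6):.2%} of spendable cash")
```

Running the script reproduces the article's numbers: about 3.4 years (41 months) for the world at 1% fraud and about 4.1 months at 10%, and about 2.6 years (31 months) and 3.1 months for the U.S. To apply the method to a single credit union, substitute the institution's annual payment volume for `transacted_per_year` and its member deposits for `spendable_cash`, then compare the loss inside your realistic detection-and-response window against the asset measure you consider appropriate.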

Siva G. Narendra is CEO and Co-founder of Tyfone, Inc. He can be reached at 661-412-2233 or [email protected].
