Credit unions, like most organizations, are bombarded by news about breaches and cybersecurity issues every day. So how do they sift through the hype and warnings to determine which threats are real?

Despite excessive noise and vendor-generated fear tactics, the overwhelming consensus from cybersecurity experts is to not totally ignore the messages that come at them.

“The threats are real, but the response an organization crafts must be tempered with the expected risk to their business,” Andrew Shoemaker, CEO of the Boston-based NimbusDDOS, said. Shoemaker added using the Cybersecurity Assessment Tool provided by the FFIEC and its member regulators, including the NCUA and neutral security vendors, can help organizations sort through the tumult.

“Credit unions certainly need to be aware of sources that really don't have good information and good insights,” Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, said.

The key is to find out what sources are talking about as far as breaches and security vulnerabilities, and understand what trends could impact members, Ashley McAlpine, fraud prevention manager for the Des Moines, Iowa-based TMG, said.

Brian Soldato, senior director, product management for the Austin, Texas-based NSS Labs, noted most credit unions do not have fully evolved security operation centers or tools to sift through every single threat.

A credit union must understand its vulnerabilities, according to Gene Fredriksen, chief information security officer for the St. Petersburg, Fla.-based PSCU.

“The credit union market is unique in the financial services space, which means that through benchmarking and collaboration with other credit unions, an organization can identify the most probable attack vectors,” he said.

The CEO of the Boston-based EiQ Networks, Vijay Basani, pointed out most credit unions have small IT teams tasked with keeping systems and applications running while also having to worry about security.

“They really have to stay up to speed and expand their knowledge base on a continuous basis to address the security challenges,” Basani said.

There are proactive solutions as well. “When you hear about a specific breach or issue, start your peripheral analysis to see if there's potential for exposure,” John Buzzard, account executive and fraud specialist for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. Buzzard suggested credit unions work with their fraud services provider to identify trends that require immediate action.

Defense-in-depth, which coordinates multiple security countermeasures to defend information assets, is a known mechanism, but not enough people are really defending their infrastructure using those parameters, explained Stu Sjouwerman, founder and CEO of the Tampa Bay, Fla.-based KnowBe4. “It clarifies all the noise that you get,” he said.

It's easy to feel overwhelmed, one expert noted. “Don't spend money on cybersecurity based on this morning's news or the scariest headlines. Instead, take a methodical, structured approach that's right for you,” Sherri Davidoff, CEO of the Missoula, Mont.-based LMG Security, said. “Create a corresponding risk management plan that shows how you intend to address cybersecurity risks over a period of time, typically one to three years.”

Besides ignoring cybersecurity threats, the biggest danger might be thinking cybercriminals consider credit unions too small to target. “This is a recipe for disaster,” Buzzard said. “Criminals have proven that they are willing to fly across the country to victimize unwitting credit unions.”

Herold added, “The danger of that type of thinking is that it leaves credit unions unaware and unprepared, without appropriate safeguards in place.”

In fact, small organizations are very much on the radar of these criminals, McAlpine warned. Fraudsters who can't reach the larger financial institutions are just going to zero in on smaller financial institutions, where security is not as strong.

Research from the Woburn, Mass.-based cybersecurity firm Kaspersky Lab found almost 40% of surveyed businesses, including financial institutions, are not confident about protecting themselves against threats like distributed-denial-of-service and other targeted attacks.

“I think the number is substantially less than the 40% mentioned by Kaspersky. Many credit unions think they have solutions in place that protect them, but the reality is that when an attack occurs those defenses rarely are sufficient,” Shoemaker said. He added credit unions tend to be ill-prepared for a threat because they have flown under the radar while large banks absorbed the first wave of extortion attacks.

“Most credit unions forget it is easy to target them because they don't have the SOC, IT staff and threat intelligence teams to combat the cyberattacks,” Soldato said. “What we saw in December was about a third of all the payloads that target financial institutions were ransomware.”

The ransomware strike rate is eight times higher at small businesses than it is at large businesses, according to TMG. Some cybersecurity experts predict ransomware will become as prevalent as DDoS attacks in 2017.

There are other threats as well. “Card skimming continues to dominate the conversation as our cohabitation with magstripes continues,” Buzzard said. “The best advice I can give to credit unions is to make sure you are familiar with the FICO Card Alert Service.”

McAlpine said, “Skimming devices on ATMs and gas stations is the hotspot right now, and is very impactful to credit unions because liability shifts have not taken place yet.”

Email is the No. 1 attack vector from the outside, Sjouwerman said. “An insider threat could be an employee clicking on a phishing link, infecting their workstation and having their credentials stolen,” he said.

Buzzard added, “A workforce can often be the weakest link. Credit unions need to focus on retraining procedurally to ensure employees are maintaining good security habits.”

Shoemaker warned future attackers might use targeted malware installed on internal systems to attack other internal systems.

Risk assessments should address all the threats relevant to a credit union. “Issues such as insider threats could be a high risk, or a very low risk, depending on your employee screening measures, turnover rate, incident detection program and other factors,” Davidoff said. “This is why it's so important to conduct a quality risk assessment customized for your credit union.”

Still, Soldato maintained outsider threats to financial institutions are greater than insider threats, based on NSS research. “Only 10 to 15% of breaches are caused by insiders,” he said.

Fredriksen pointed out not all actions are malicious – negligent or accidental actions such as taking sensitive data home on a laptop that is lost or stolen can be just as damaging. “Last year, industry reports stated as much as 30% of security incidents are the result of accidental exposures,” he said.

Some common-sense best practices can mitigate the chances of a compromise. Basani recommended implementing password security, ensuring staff members do not use simple or default passwords, and backing up critical data.

To mitigate the attack risk, McAlpine suggested educating and training employees, updating firewalls and routers, changing default passwords and designating a cybersecurity leader.

Fredriksen added the National Credit Union Information Sharing and Analysis Organization, for which he serves as executive director, can help as well.

“While a large financial institution may have staff to process a large amount of threat data, a typical credit union does not,” he said.

An ISAO, through collaboration and communication with its members and other sources, can frame the intelligence into a format that can be understood and actionable at a typical credit union.

When it comes to the price of cybersecurity, credit unions have limited budgets, and that also poses an issue. “I believe the cost factor does not outweigh the risk factor at this point in time,” Soldato said.

© 2024 ALM Global, LLC, All Rights Reserved.