Hardening Security Efforts

Below is a list of initial steps that credit unions can take to "catch up" in order to harden security:

Security awareness training – always and often. CUNA (Section 748, NCUA Rules and Regulations, NCUA Letter 02-CU-1), GLBA Rule, 16 CFR 314.4, FDIC and PCI DSS r. 12.6 all require security awareness training because we know that insiders are the first line of defense and the weakest link against social engineering tactics like phishing and whaling. However, ongoing communication to supplement annual compliance-required training helps establish a culture of security that might not happen if employees are only exposed to security awareness for a short time once a year. During Cybersecurity Awareness Month in October, many vendors promoted free tips and tools to help educate employees and customers outside of scheduled-annual training. Like all cybersecurity, awareness is not just an annual box to tick, but an ongoing initiative.
Increase vulnerability scanning frequency. Most vulnerability scanning is not done frequently enough, which limits security and IT teams' understanding of their security posture and fails to help them with remediation prioritization. We recommend going beyond the compliance-required quarterly cadence and scan at least monthly and on-demand if your vulnerability management (VM) platform has that capability. Effective vulnerability management is about proactively identifying threats and prioritizing the vulnerabilities that have the greatest risk of exploitation.
Do your due diligence on third-party cloud vendors connecting to your infrastructure, including having full visibility to entrance and exit points; investigate their APIs; ask for their SOC2 report or in the case of PCI DSS, their Report on Compliance or Attestation of Compliance; and require third parties who are going to access your infrastructure to take security awareness training to communicate that third-party employees are held to the same set of expectations as internal employees.
Rely on network-based (agentless) scanning and supplement with agent-based scanning to ensure all network-connected assets are scanned and secured. Agentless scanning provides a much lighter footprint, less negative performance impact and drastically reduces false positives. However, security and IT teams have less oversight and control over remote endpoints, which places them at greater risk as they connect to corporate networks. Installing agents on laptops, mobile devices or even applications hosted in the cloud can fill in those gaps to provide a comprehensive real-time view of at-risk systems and ensures they have the right patches, security controls, software, etc., to protect them from being compromised and spread the infection to corporate networks.
Use the advanced features in their VM platform, including the threat intelligence and machine learning functionality available to them, so they can focus on weaponized vulnerabilities that exist inside their networks first.
Consider a "zero trust" approach and provide only application-level access to cloud and premises-based solutions and applications, and lock them down to only the access the user needs.

Most regional banks, credit unions, accounting firms and asset managers tend to be smaller and may not have the expansive IT or security staff to implement all of these recommendations like their large counterparts. However, security doesn't have to be hard. Since vulnerability management is foundational, for effective cybersecurity, smaller financial institutions like credit unions should look for vendors that understand their challenges and have built their platform to be easy to install, own and use, or leverage the experience of an managed service provider or managed security service provider to bolster their ecosystem and take on more in-depth security monitoring and management.

Instant Insights /

Haste of Digitization During COVID Opens Door for Security Vulnerabilities

Related Stories

Recommended For You