
There is currently much fear, uncertainty and doubt surrounding cybersecurity, as hackers continue to find new and creative ways to try to steal sensitive information. Complex geopolitical issues, like the war in Ukraine, are only contributing to the unease.

Earlier this year, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued two alerts addressing risks from Russian state-sponsored cyber threats and highlighting recent malicious cyber incidents suffered by public and private entities in Ukraine. Following this, the NCUA, along with CISA, the Federal Bureau of Investigation and the National Security Agency, encouraged credit unions of all sizes and their cybersecurity teams nationwide to adopt a heightened state of awareness and conduct proactive threat hunting.

While the current geopolitical turmoil and the subsequent threats certainly shouldn't be downplayed, it's important that credit unions remain level-headed and committed to the basics of cybersecurity. While some headlines would make it seem like the sky is falling, credit unions will do well to keep business as usual, placing an emphasis on implementing and maintaining key controls.

Back to Basics: Strong Cyber Hygiene

Breaches are unfortunately nothing new for credit unions; it's not a matter of "if they occur" but "when they'll occur." Given that institutions have an abundant source of member information and there's potential for a high payout, they are viewed as prime targets. To best protect themselves against the risk of any cyber threats, credit unions need to practice good cyber hygiene.

First, basic controls such as implementing multifactor authentication should not be overlooked. Member portals are often still vulnerable to traditional intrusion methods, so safeguards must be steadily in place. Immutable backups should also be prioritized to protect against ransomware. Steps as basic as making sure software is up to date can go a long way in eliminating vulnerabilities that hackers could potentially take advantage of.

Credit unions can't afford to leave cybersecurity as an afterthought; after all, seemingly small mistakes can result in major fallout. For instance, take the July 2021 ransomware attack against Kaseya. The Kaseya VSA supply chain cyberattack hit roughly 50 MSPs and the REvil ransomware attack spread from the MSPs to between 800 and 1,500 businesses worldwide, according to MSSP Alert.

This type of business email compromise is also one of the top threats for credit unions. According to the FBI, victims of email compromise schemes reported nearly $2.4 billion in losses in 2021 alone. To better mitigate this threat, the appropriate controls must be implemented. Awareness and training for credit union personnel and members is key. After all, people are often the weakest link.

Prioritizing Zero Trust

Given the increasingly risky and dangerous cybersecurity landscape, more credit unions should consider a shift to the Zero Trust framework to optimize security. Zero Trust is an approach that assumes no user or software should ever be trusted; instead, they are continuously validated. Even though Zero Trust provides stronger protection and minimizes potential damages, many credit unions have been hesitant to embrace this approach given its complexity. It requires significant time, money and executive buy-in to implement. However, given the benefits and value in the current cybersecurity landscape, expect to see more credit unions move to a Zero Trust model. The benefits are well worth the effort in the long run.

When it comes to cybersecurity, credit unions must carefully determine how real trending threats are to their institution versus what is more akin to fear mongering. Though the current climate is certainly fear-inducing, institutions must not get distracted by speculative hype and instead conduct business as usual, practicing good cyber hygiene and focusing on the key issues that will directly impact their members.

Matt Baaki

Matt Baaki is Chief Technology Officer for Member Driven Technologies, a Farmington Hills, Mich.-based core processing and IT CUSO.
