Cybersecurity can be an elusive subject, with nuances that require varied expertise, yet it is an important aspect of everyday business that cannot be disregarded. This is true for regulators, boards, management, employees and auditors alike.

Learn the History

The root cause of cybersecurity's complexity lies in the evolution of digital services provided to end users. The nature and productivity of digital services have changed dramatically in the last 40 years – first with personal computers, next with smartphones and now with Internet of Things devices such as smart speakers. Even though this change in digital services has been dramatic, the way in which we authorize access to such services has remained stubbornly stagnant.

When you turned on a personal computer in the early days of digital, you probably typed a password to get access to the services available from that device. Today we do much the same thing to access almost all digital services. Yes, there have been some minor changes – tokenized passwords instead of fixed ones, and biometrics as a proxy for passwords – but these are insignificant compared to the dramatic changes in the nature of digital services over the same 40 years.

We still manage passwords, in one form or another, centrally and in bulk. This fundamental layer has remained the same, with all of its flaws, and those flaws are amplified as time goes on because computers keep getting faster, making such passwords easier to crack. It is like a slice of Swiss cheese whose holes grow bigger over time. To cover these expanding holes over the past four decades, we have stacked layer upon layer of Swiss cheese, hoping that none of the holes line up. Such a patchwork of solutions, including an array of reactive machine learning tools and analytics, has now resulted in a complex maze that is nearly impossible to decipher. This is probably why we all believe cyber compromise is a matter of when, not if.

Standards

Instead of this flawed approach of protecting information by covering it with layers of “Swiss cheese,” we could place the information in a lock box and proactively protect the keys. This is the digital equivalent of encrypting data and keeping the decryption keys safe. (Note that the safekeeping of decryption keys should not rely on centrally managed passwords of any kind.)

This cryptographic access to digital services is easier said than done, because it requires a behavior change from end users, just as EMV chip cards required a behavior change to bring cryptographic access to services at the point of sale. EMV's success took years of planning, cooperation and global scale, and it was made possible by unified standards – Europay, Mastercard and Visa, hence EMV. The credit union industry will need similar standards to achieve cryptographic security for digital services. Credit unions rely heavily on vendors that may not follow standards for digital services. Vendors often control the centralized digital credentials but do not take on the liability. At some point this has to change, and the appropriate change may not be a shift of liability to vendors, but rather a shift of credential control to the credit unions and the use of standards for cryptographic authorization.

While credit unions can rely on open standards such as OpenID, PKCS and blockchain, getting your ecosystem of vendors to migrate will take time. Until then you are exposed to the risk of owning the liability without being able to control your destiny. Therefore it is important for you to be able to quantify your risk.

Quantify

One way to measure “the worst that could happen” is to quantify liability in relation to your asset size. Let us go through some examples; they may not be the most accurate, but they illustrate possible methods for quantifying risk.

According to the World Bank, global real GDP in 2017 was $77 trillion, a measure of money transacted between parties. The estimated readily spendable cash in the world (also called M1) was about $24 trillion. So, if 1% of transactions are fraudulent due to cyber compromise, then in three and a half years 11% of the spendable cash will be in the hands of cyber criminals. If the fraud rate increased to 10%, within four months 11% of the spendable cash would be drained from legitimate accountholders.

Let us look at a second example. In the U.S., personal consumption expenditure, a measure of money transacted, was $13.6 trillion in 2017 according to Wolfram Alpha. The readily available cash in the U.S. according to FRED was $3.2 trillion. So, if 1% of transactions are fraudulent due to cyber compromise, then in two and a half years 11% of the spendable cash will be in the hands of cyber criminals, and if the fraud rate increased to 10%, within three months 11% of the spendable cash would be drained from legitimate accountholders. Comparing the global data to the U.S. data, we observe that the more vibrant an economy is, the greater the need to understand cybersecurity, especially when almost all of the money is digital.

It is hard to say what time window or how much loss is acceptable for your institution, but I recommend that you undertake an internal effort to quantify the duration of a cyber compromise and the loss that could occur within that duration. Duration matters because reaction times to fix cyber compromises are much slower than the pace at which money moves digitally. This is because fixing a cyber compromise depends on the interdependency of data and on the disclosure of the loss of such data. For example, service providers such as Equifax and Uber lose information and do not disclose it for months, which in turn could compromise your members without your even being aware of it. To make matters worse, according to Barclays Bank nearly 75% of cyberattacks go unreported.

Act

There are basically two sets of actions to take. The first is to collaborate with your peers in the credit union industry to create standards for cryptographic access to digital services and push vendors to follow them. The second is to undertake an internal effort to quantify your risk, both as a loss of assets and as the time duration during which you are likely to be exposed to such loss, and then evaluate through a sensitivity study whether that range of loss is acceptable compared to an appropriate measure of your assets. Neither action requires you to unravel the complexity of cybersecurity arising from the historical evolution of digital services.
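The depletion arithmetic from the Quantify section and the sensitivity study recommended here, as an added worked example (this is not code from the article or its author). The World and U.S. figures are the ones the article quotes; the sample credit union's assets, annual transaction volume, fraud rates, exposure windows and loss tolerance are constructed placeholders, and the linear, non-replenishing model is the article's own simplification carried through unchanged.

```python
"""Worst-case depletion model for cyber-fraud losses.

Added example, not the article's own code. It turns the article's
"1% of transactions are fraudulent" reasoning into reusable functions,
reproduces the four durations the article quotes, and runs the kind of
sensitivity study the "Act" section recommends for an institution.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class MoneyFlow:
    """Annual money transacted and the stock of readily spendable cash."""
    name: str
    transacted_per_year: float  # GDP or consumption expenditure, in dollars
    spendable: float            # M1 (or, for an institution, its assets)


# Figures quoted in the article (World Bank, Wolfram Alpha, FRED; 2017).
WORLD = MoneyFlow("World 2017", transacted_per_year=77e12, spendable=24e12)
US = MoneyFlow("U.S. 2017", transacted_per_year=13.6e12, spendable=3.2e12)


def annual_loss(flow: MoneyFlow, fraud_rate: float) -> float:
    """Dollars lost per year if `fraud_rate` of all transactions are fraudulent."""
    if not 0.0 < fraud_rate <= 1.0:
        raise ValueError("fraud_rate must be in (0, 1]")
    return fraud_rate * flow.transacted_per_year


def years_to_lose(flow: MoneyFlow, fraud_rate: float, loss_fraction: float = 0.11) -> float:
    """Years until `loss_fraction` of the spendable stock has drained to criminals.

    Linear model, exactly as the article reasons: the stock is not replenished
    and the fraud rate is constant, so time = loss_fraction * stock / loss_per_year.
    """
    return loss_fraction * flow.spendable / annual_loss(flow, fraud_rate)


def months_to_lose(flow: MoneyFlow, fraud_rate: float, loss_fraction: float = 0.11) -> float:
    return 12.0 * years_to_lose(flow, fraud_rate, loss_fraction)


def article_examples() -> dict:
    """Reproduce the four durations the article quotes (it rounds to half-years/months)."""
    return {
        "world_1pct_years": round(years_to_lose(WORLD, 0.01), 1),   # 3.4 -> "three and a half years"
        "world_10pct_months": round(months_to_lose(WORLD, 0.10)),   # 4 months
        "us_1pct_years": round(years_to_lose(US, 0.01), 1),         # 2.6 -> "two and a half years"
        "us_10pct_months": round(months_to_lose(US, 0.10)),         # 3 months
    }


# --- Institution-level sensitivity study (the "Act" section's second action) ---

def loss_during_exposure(flow: MoneyFlow, fraud_rate: float, exposure_months: float) -> float:
    """Dollars lost while a compromise stays unnoticed or undisclosed for `exposure_months`."""
    return annual_loss(flow, fraud_rate) * exposure_months / 12.0


def tolerable_exposure_months(flow: MoneyFlow, fraud_rate: float, tolerance_fraction: float) -> float:
    """Longest exposure window that keeps the loss within `tolerance_fraction` of assets."""
    return 12.0 * tolerance_fraction * flow.spendable / annual_loss(flow, fraud_rate)


def sensitivity_study(flow: MoneyFlow, fraud_rates, exposure_months, tolerance_fraction: float) -> dict:
    """Map (fraud_rate, months) -> (loss, acceptable).

    `acceptable` is True when the loss stays within tolerance_fraction of the
    institution's asset measure (here, `spendable`).
    """
    limit = tolerance_fraction * flow.spendable
    study = {}
    for rate, months in product(fraud_rates, exposure_months):
        loss = loss_during_exposure(flow, rate, months)
        study[(rate, months)] = (loss, loss <= limit)
    return study


# Hypothetical credit union (constructed numbers, not from the article):
# $500M in assets, $1.2B of member transactions per year, and a board that
# tolerates at most 1% of assets lost to a single compromise.
SAMPLE_CU = MoneyFlow("Example CU", transacted_per_year=1.2e9, spendable=5.0e8)


def sample_study() -> dict:
    return sensitivity_study(
        SAMPLE_CU,
        fraud_rates=(0.001, 0.01, 0.10),
        exposure_months=(1, 3, 6),
        tolerance_fraction=0.01,
    )


if __name__ == "__main__":
    print(article_examples())
    for (rate, months), (loss, ok) in sample_study().items():
        print(f"fraud {rate:>5.1%}, exposed {months} mo: loss ${loss/1e6:6.2f}M -> {'ok' if ok else 'EXCEEDS'}")
    print("months tolerable at 1% fraud:", tolerable_exposure_months(SAMPLE_CU, 0.01, 0.01))
```

Running the module prints the article's figures and a grid showing, for the sample credit union, which combinations of fraud rate and disclosure delay breach the board's loss tolerance; `tolerable_exposure_months` turns the same model around to give the maximum delay an institution can absorb at a given fraud rate, which is the duration figure the article asks you to quantify.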

Siva G. Narendra is CEO and Co-founder for Tyfone, Inc. He can be reached at 661-412-2233 or siva.narendra@tyfone.com.

© Arc, All Rights Reserved.