What are your cybersecurity priorities?

This story is the latest entry in Credit Union Journal’s special report on cybersecurity, which will run throughout the month of October.

Cybersecurity breaches are a concern that remains at the forefront of many industries, including financial services. National Credit Union Administration Chairman Rodney Hood has even previously said that cybersecurity is an issue that keeps him up at night.

And for good reason. Cyber attacks continue to climb each year with the global cybersecurity market expected to eclipse $300 billion by 2024.

Credit unions have battled both external and internal attacks for years, and management teams need to decide where to put their resources to thwart criminals. From maintaining security protocols to preparing for new regulatory changes ahead, there's plenty for credit union executives and others to worry about in 2020.

Given the importance of the issue and its continued evolution, Credit Union Journal reached out to industry leaders to find out about their cybersecurity priorities for the coming year. Read on to see their responses, which have been edited for length and clarity.

Cary Tonne, senior vice president of information technology at Affinity Plus Federal Credit Union

“One of the most important things that we’re really focused on is ensuring that our security awareness program is keeping up with all the various threats that are evolving. We are moving away from computer-based training and have moved toward using video and a lot of smaller more edible content over the entire course of the year. That’s proving to be pretty effective.”

“Another thing that we’ve been doing, which is really important, is that we do a lot of testing as part of our security awareness training. It’s really baked into the culture here. As we see threats occurring out there, we’ll internalize them, we’ll evaluate them, and we’ll turn around and test our employees. A lot of that will occur around phishing campaigns, so we’ll test different departments to give them the ability to figure out, ‘What do I do if I see this come across my table?’”

Robert Paduano, manager of network & security at SAFE Credit Union

"As cloud adoption increases to drive credit union objectives, we should consider the information security implications since in many cases, a cloud offering will provide more security than a credit union is capable of. But that is not always the case. Credit unions should not assume a cloud offering's security is better, rather we should evaluate the maturity and effectiveness of those controls before committing to use. For example, mainstream cloud offerings leverage economy of scale to employ more robust security features and expertise than a credit union can afford. On the other hand, small or niche cloud offerings may not provide as many security controls or expertise as are currently employed at the credit union. Do your homework."

Carrie Hunt, executive vice president of government affairs and general counsel for the National Association of Federally-Insured Credit Unions

“From NAFCU’s perspective, cybersecurity comes up in two major areas for our members: One is compliance efforts and how we assist our members with making sure that they have the tools in place to be able to manage cybersecurity and a lot of credit unions do that through vendors and partners. And we also want to make sure that our members understand what the new National Credit Union Administration exam expectations are.”

Lance Noggle, senior director of advocacy and counsel at the Credit Union National Association

“One thing that we’ve seen a lot this year and that gets worse and worse is ransomware. It’s costing businesses a significant amount of money, so that trend will probably continue for a while.”

“A lot of it comes down to proper cyber hygiene and training of a credit union’s employees of what not to open in their e-mail. Make sure you have a system and a process in place.”

Robert Smith, information security officer at Tropical Financial Credit Union

“You look at all these buzzwords that are coming out now like robotic automation and AI and things of that nature. That applies to security as well. So one of the things that we’re trying to do is automate our security incidents. I think that's going to be critical going into 2020, especially when dealing with malware.”

Lucy Ito, president and CEO of the National Association of State Credit Union Supervisors

“It’s to practice extreme cyber hygiene. I think we all know that the weakest link in credit unions and any institutions — the most vulnerable point of entry are employees that open up emails that contain a [maleficent] attachment. That’s a weak point — when staff are not trained to identify a suspicious email. Crooks are so good at coming up with a way to fool people. It’s not a one and done training, it has to keep going on.”

Jack Lynch, chief risk officer at PSCU

"Ransomware and phishing awareness are probably the biggest things right now. All the cybersecurity investment a CU makes will not matter if the user falls for a phishing attack and gives the bad actor their credentials or the entire CU’s computer system gets compromised. The attacks are getting better every day as well, so the threat is growing."

Libby Calderone, president of LSC ICUL Service Corporation

"The most successful attacks target people. Therefore security awareness training for employees should be a credit union’s top priority. Training against anti-phishing tactics and techniques is crucial to effectively guard against cybersecurity threats."

Tom Kane, president and CEO of the Illinois Credit Union League

“It really does depend on the size of the credit union. In Illinois, 40% of our credit unions are under $10 million so what their priorities are are different from large credit unions that are much more sophisticated. But any sized credit union and any sized provider is really worried about their employees doing something such as clicking on an e-mail or plugging in a USB drive that’s going to transfer some sort of virus or malware to one of their computers. And from there, it’s kind of game over so it’s the human aspect of their employees.”