Why the pandemic is making cybersecurity even harder for credit unions

Earlier this year, credit unions across the country completed a task that was previously almost unthinkable — they managed to get the majority of employees working remotely with little notice.

But this accomplishment has created new cybersecurity concerns. Since the coronavirus became widespread earlier this year, institutions have had to be vigilant about a variety of issues, including new scams that utilize the crisis to try and trick consumers and workers into making a costly mistake.

That has been made even more difficult as employees may still not be housed in an office and instead could be spread out working remotely.

“Work from home suddenly meant that many institutions had to significantly beef up their remote access options for branch staff and others that were used to working out of physical locations,” said John Meyer, senior director at Cornerstone Advisors. “We were impressed with how rapidly our credit unions responded to this challenge. Fraudsters, though, are finding ways to exploit the holes in the remote workforce.”

The following are some cybersecurity concerns that credit unions need to keep in mind for the rest of this year and into 2021.

Aaron Passman contributed to this story.

BECU_Sean Murphy.jpg

A one-two punch

BECU has faced challenges on two fronts in terms of cybersecurity, said Sean Murphy, chief information security officer for Tukwila, Wash.-based institution.

The first issue was quickly getting the majority of the $24.8 billion-asset institution's employees set up to work from home. The credit union went from about 10% of its workforce being remote to more than 90% in about three to four weeks, Murphy said. That brings on new cybersecurity challenges, and required BECU to upgrade and increase its virtual private networking "to accommodate more users, secure data transfer and support external access to internal resources," he said.

"Our organizational perimeter is now every end point that our employees use to access network resources," Murphy added.

"Our cybersecurity awareness and training plan had to pivot to include specific topics for employees who are now working from home so they understand how to continue to be our first line of defense," Murphy added.

Secondly, there were increases in credential theft and stuffing attacks tied to fraud. Under these attacks, a cybercriminal gets valid credentials and then uses an automated bot to log in.

To combat this, BECU has increased its member outreach through free cybersecurity awareness and training.

“Fraudsters are increasing their attempts and sophistication to obtain sensitive, personal information from our members,” Murphy said. “This is typical any time there is a natural disaster or a time of crisis.”
Magnifying glass enlarging malware in computer machine code

First-time user error

Many credit unions didn't traditionally have many employees working from home. That presented a challenge as these remote-work novices learned to navigate being virtual this year, said Chris Hickman, chief security officer at cybersecurity firm Keyfactor.

“Remote workers at credit unions with traditionally fewer remote staff can introduce new risks and security gaps when connecting for the first time — especially when they use personal devices that haven’t been authenticated or are connected to the work network via home Wi-Fi that may be unsecured,” Hickman added. “Employees who are not accustomed to this remote work style of data protection and implementation of policies to protect their data become vulnerable to security risks.”

Cybercriminals will certainly take advantage of human error. For example, in September, various cybercriminals, including Chinese hackers APT41, were indicted by the Justice Department after breaching more than 100 companies globally. Part of the scam used malware tied to video games.

If an employee downloaded a game for one of their children, their device could potentially get infected with this malware. The malware then could spread through the worker’s home network and eventually potentially infect a work laptop, Hickman noted.

“The biggest threat is the remote worker,” Hickman said. “Many institutions have gone from having everything centralized to a now dispersed workforce. There are many challenges, to knowing what devices are on the network and how to keep things secure, especially within the smaller credit unions.”

Talent matters

Credit unions aren’t the only ones realizing that cybersecurity matters more now than ever. That means there will be more competition to hire those with the technological skills and expertise that financial institutions are looking for.

“The shortage of a diverse, skilled security workforce is always a concern and doesn’t appear to be abating in the next few years,” said Shari Ziebell, information security director for SPIRE Credit Union in Falcon Heights, Minn. “The security industry is doing a great job of attracting new talent, but the gap continues to widen as more industries realize the need to add security staff.”

Overall, the coronavirus pandemic has emphasized that criminals will take advantage of any disruption to breach an institution’s security. This includes a focus on phishing scams to steal credentials or infect computers with ransomware.

And all of this become even more challenging with staff members being remote.

“Remote workers always present a challenge but the sudden onset of remote workers due to the pandemic pushed a number of companies to leverage a cloud environment and created a new set of problems,” Ziebell said. “Cloud breaches will be a long-term concern as criminals move to phishing for business account credentials.”

Beware of sender

As the coronavirus spread, cybercriminals got to work with new attempts to scam consumers. One effective attack included sending out emails from a supposed contact tracer, telling the recipient that they had been in close contact with someone who tested positive for COVID-19, said Joseph Krull, senior analyst at Aite Group who focuses on cybersecurity, privacy and IT risk.

In addition to keeping an eye on those scams, credit unions need to be concerned about maintaining security in hybrid models where some employees continue to work from home, perhaps even after there is a vaccine for the coronavirus.

Employees working virtually add “complexity to a number of cybersecurity processes,” such as ensuring best practices even with decreased oversight of workers, training new hires on risks and remote patching of software to fix any potential issues, Krull said.

There is also the issue of employees using work devices from unsecured home networks. For instance, routers used at home are managed by the internet service provider and have default passwords from the initial installation. There are also other devices, such as thermostats, toys, appliances, tablets and other computers, connected to these home networks.

“All potentially contain some form of security issues which can affect the overall security of the home network and potentially introduce malware into the employee’s work network,” Krull said. “And we also see cases where computers used for work are increasingly used for non-work purposes, which present potential risk. Usage polices should be reviewed and updated for the ‘new normal.’”

Attack vectors on the rise

Cyber threats have been up during COVID-19. During the first quarter, attack vectors — the means by which a cybercriminal uses to gain access to a computer or network server — on financial institutions were up by 38%, according to John Meyer, senior director at Cornerstone Advisors.

Attacks are coming from state actors, such as the North Korean intelligence agency known as the Reconnaissance General Bureau, who are trying to hack banks and credit unions to help offset the financial suffering they face from economic sanctions.

But perhaps more concerning are the cloud vendors credit unions work with, Meyer said.

“Many of these cloud vendors are lulled into thinking they are immune to the [Federal Financial Institutions Examination Council] scrutiny because they use [Amazon Web Services], Azure, or Google Cloud Services,” Meyer added.

That can have dire consequences. Capital One learned that firsthand after a former AWS employee hacked the bank’s customer data in 2019. Capital One paid an $80 million civil fine for the incident.

Only going to get worse

Crane Hassold, senior director of threat research at Agari, an email security firm, said cybersecurity threats are “going to intensify going into 2021.” That’s because cybercriminals will eventually realize business email compromise scams are “easier and more lucrative than other types of scams, like ransomware,” he added.

Cybercriminals in West Africa usually dominate this space but that will change in 2021 as others enter the business email compromise market. Cosmic Lynx, a Russian criminal enterprise, has already jumped into the fray this year.

Besides that, the remote-work environment is making it harder for credit union employees to verify requests for transactions from their coworkers.

“The remote workforce phenomena has had a serious impact because people cannot just get up from their desk, walk over to another department and ask, ‘Hey, just had a few questions about that email you just sent me about wiring $60,000 to a new vendor,’” Hassold said.

Because of that, vigilance is necessary.

“Authenticate and verify every email — pick up the phone and call the person you think is on the other end of that email, even if it is the CEO,” he added.