Can credit unions keep up with COVID's evolving phishing threats?
With more credit union employees working from home than ever before, hackers are on the lookout for security weaknesses on home networks – often through email phishing schemes – that could compromise those institutions’ data.
The National Credit Union Administration cautioned the industry early on in the pandemic about ongoing security risks, and the issue has taken on new relevance recently in the wake of more data breaches at retailers and October’s designation as Cybersecurity Awareness Month.
The annual True Cost of Fraud report from LexisNexis also indicates fraud – and its impact on the financial services sector – has increased since the pandemic began. The monthly number of fraud attempts for the financial services sector has risen by 14% since last year, but the number of attempts that succeeded is up by 42%, according to the study, released earlier this month. The company’s research found that financial firms spend $3.64 for every dollar lost to fraud, a 12% increase from 2019.
The 2020 Phishing Trends Report from Keepnet Labs found that 90% of all successful cyber attacks begin via email. That's backed up by Specops Software, a Sweden-based provider of password management and authentication solutions that works with many U.S. credit unions, which said more than half of all businesses have seen a rise in cybercrime since working from home became the norm.
Specops cybersecurity expert Darren James said the finance sector, in particular, is reporting an increase in the number of phishing attacks since the pandemic began. Hackers are creating elaborate and convincing emails to fool employees, and concerned staffers sometimes let down their guard and click malicious links or download attachments.
“When we were all in the same office, we could consult a colleague when we received a suspicious email, but working from home prevents people from asking for a second opinion or double-checking a strange request from the CEO,” James said.
Passwords are often the weak link in cybersecurity because they are used everywhere, James said. Studies have shown that employees of financial companies need to remember an average of 69 passwords, so people often reuse them across multiple platforms.
Credit unions should secure their Windows passwords by preventing employees from choosing weak and leaked passwords. Password-vulnerability scans from vendors can help a credit union understand internal weaknesses surrounding passwords, James said.
They should also enable multi-factor authentication where possible and invest in security training and guidance for staff members on how to securely use their IT systems, James said.
Pete DuPré, chief information officer for $2.6 billion-asset Elevations Credit Union in Boulder, Colo., said Elevations was prepared to accommodate the new remote workforce environment, but it upped its game in terms of cyber protections.
Strong passwords were already standard protocol at Elevations, but an increased focus has been placed on using "single sign-on" to lessen the burden on employees while also increasing security, DuPré said.
He added that regardless of the pandemic or any other circumstance, phishing emails are always going to be present, and they tend to evolve based on current events. Opportunity lies in every crisis, and the move to remote work as a result of COVID-19 has introduced new vectors for phishing, he said. As a result, Elevations rolled out an awareness program for employees as part of a broader initiative to keep employees and the institution safe.
Specops reported that 61% of businesses don’t require complex enough passwords for employee profiles, and about 44% of businesses admit to not fully understanding specific password protection terms.
Smaller credit unions often have fewer resources to apply to IT security, but larger institutions may also present a bigger target area for hackers, James said. The more users you have, the more potential cracks in the armor and the bigger the reward.
Matt Jernigan, executive vice president and chief operations officer at $3.1 billion-asset Ascend FCU in Tullahoma, Tenn., said there’s no doubt that 2020 has been a challenge. But the credit union is constantly updating its security strategy to address the needs of on-premises devices as well as hardware that staff have taken off-site for remote work.
In February, shortly before the pandemic hit, Ascend upgraded all of its enterprise-level systems, including data security. “We spent several months carefully selecting a new solution that continued to support what members expect, as well as offer new technical solutions for future growth and improvement,” he said.
The upgrade included several security measures for employees working from home. Just as important, the upgrade helped prepare Ascend for the unexpected and for the pandemic.
“The biggest thing we do to mitigate security breaches in our network is education,” he said.
Toward that end, all employees are regularly briefed on security best practices and expectations.
Even credit unions maintaining a more traditional workspace are on guard. John Murga, CEO of $183 million-asset Hidden River Credit Union in Pottsville, Pa., said the company does not currently have anyone working from home, but cybersecurity is still a huge concern.
Hidden River continues to employ practices that reduce the threats, but can’t eliminate them completely, Murga said. So the credit union has relied on social-engineering testing and auditing, ongoing training and education, and locking down its networks and systems as much as possible.
“Other than that, there is little else we can do,” he said.