What CUs need to know about the latest cybersecurity threats
With each passing year, cybersecurity threats become more sophisticated. At its core, security in cyberspace consists of two fundamental elements: cyclic software development and consistent security maintenance.
For credit unions, this relationship can be thought of in terms of a footrace. Software engineering cycles can best be represented by a quick sprint to the finish, while the security and maintenance of new and existing software should be viewed as a marathon, with increased complications and a constantly shifting landscape. In this cybersecurity analogy, speed and endurance are equally important.
Although most of us know not to respond to a vexatious email from a foreign prince promising a multimillion-dollar payout in exchange for a wire transfer, there are still serious and growing cyber risks that credit unions and their members face daily. As more members shift to online and mobile banking platforms, these threats will only increase. Credit union employees and members must be vigilant, constantly assessing all potential weaknesses in their data-security protocols.
This year, cybersecurity threats will continue to evolve in the following ways:
1) Ransomware will become more mature, capable and smart, leading to bigger breaches and bigger payoffs from victims.
According to an IBM report, ransomware attacks quadrupled in 2016, and show no signs of slowing down this year. Medium-sized financial institutions are especially vulnerable to these attacks because many do not have the sophisticated anti-malware software of larger corporations. Malware can easily infiltrate company software, often in the form of email attachments. Encourage employees to refrain from opening emails with cryptic subject lines or from unknown sources. Educate your credit union members of these risks as well. Of course, your credit union should have security software in place that is updated regularly to prevent any viruses from infecting your systems.
2) DDoS attacks will continue to plague smaller and midsize organizations that cannot afford DDoS prevention services.
As with ransomware, DDoS (Distributed Denial of Service) remains a greater threat for smaller organizations. DDoS attacks target company systems from a multitude of sources with Trojan programs (seemingly harmless applications that infect computers with viruses), making them harder to identify and block. As opposed to ransomware attacks, these viruses do not access data and withhold it for ransom — instead, they distract and overwhelm the institution’s cybersecurity system and then extract sensitive member information. Consumers and administrators are locked out in the process. These attacks happen quickly, and often organizations utilize security systems that are simply too slow to stop them. A proactive, layered security strategy is the best line of defense against these attacks, but these systems can be cost-prohibitive for smaller credit unions. Unfortunately, once a member’s data has been compromised, he or she will likely lose all trust in the credit union. Therefore, it is of utmost importance that your credit union’s software is prepared to fend off these types of attacks.
3) Zero-day attacks will continue because they are the source of access at the server and workstation.
Zero-day attacks occur when a hacker identifies an exploitable weakness in a software program before the IT security system can patch it. These attacks underscore the necessity of applying software patches as soon as they are released — both by the credit union’s software vendors and the end users (credit union employees and members).
4) The Internet of Things (IoT) will become better understood in the mainstream, and poorly secured IoT devices – such as security cameras and home routers – will become regular targets of hackers.
Before the IoT existed, PCs were the only option for hackers to exploit as botnets for cyberattacks. A botnet is a network of private computers infected with malicious software that can be controlled as a group without the owners’ knowledge. With so many devices now connected to the Internet, hackers can more readily commandeer devices as botnets to take down company servers. This problem is made worse by the fact that after most organizations install these connected devices, they do not update them on a regular basis. Like computers, all connected devices must be updated regularly to ensure they are not easily compromised.
Although the cybersecurity landscape is ever-evolving, the daily maintenance activities that must be performed to keep member data safe ultimately remain the same. Patches should always be applied as soon as possible. Administrators should always remove old users’ access to company systems. Users must always utilize unique IDs. Servers should always be built with only necessary services enabled.
The bottom line: if a device is connected to the internet, someone will try to hack it. In order to prevent a breach and protect member data, it’s critical that your credit union partner with a software development company that has mastered the art of the sprint and the marathon. Otherwise, the bad guys will inevitably win the race.