Why You Can't Take a Set-it-and-Forget-it Approach to Data Security

Try to imagine your credit union as a medieval castle, if you can—you've certainly got high walls, multiple watchtowers, a keep and perhaps even a moat. One thing you absolutely must have is a gate; a gate that serves as the last bastion of defense against external forces wishing to do you harm. It keeps the enemy out, but also allows your soldiers to pass through to fight when needed. In this analogy, the castle gate represents your credit union's cybersecurity defense.

Any gate formidable enough to protect those behind it surely has a bevy of vital features, like barred windows, a portcullis, chains, ropes, pulleys, gears, lubrication, arrow slits and, of course, a bridge over the moat. All these essential elements won't take care of themselves, though—proper maintenance is required. Without constant lubrication, the gears will surely rust. Pulleys and ropes will eventually wear out and need to be periodically replaced. Chains tend to buckle over time and non-moving parts must be tested for structural decay. The point is, without someone assigned to keep the gate in proper working condition, eventually parts will fail, making it easier for the enemy to penetrate the walls and cause mayhem inside.

So, how does this analogy translate to modern times? Well, all the features that protect your CU and members must be similarly maintained or hackers will eventually find and exploit a cybersecurity weakness. Instead of a portcullis and pulley system, you've got a building, environmental controls, a power infrastructure, computer hardware, operating systems, applications, digital storage and even physical storage to consider. In this sense, gatehouse maintenance looks a lot more like migrations, upgrades, patches or purges. The message is the same—proper care helps ensure both functionality and security from outside threats.

Naturally, there may be extenuating circumstances resulting in delayed maintenance—but these should be the rare exceptions, never the rule. Any exception should be accompanied by a risk assessment that includes the business purpose for it, as an exception is an acceptance of risk. Because maintenance is absolutely necessary, we must remain vigilant about aging software, hardware and other outdated systems and versions, properly installing security patches to keep the infrastructure up to date. While it might be a pain to update these systems, an aging infrastructure represents more than just a lack of features and functionality—it is a serious security risk.

Credit unions are constantly under attack by external forces attempting to breach personal data, steal financial records, blackmail the institution itself or, in some cases, simply cause chaos. While tomorrow may present unforeseen challenges, today we must focus on the major cybersecurity challenges that are preventable. These include Advanced Persistent Threats (APT), Distributed Denial of Service (DDoS) attacks and lost or stolen portable devices.

APTs commonly begin with malware or Trojans, and they are the attack vector most commonly used when we hear about breaches. The best way to defend against an APT sounds simple, but can be difficult to execute—you must do all of the right things all of the time. This includes treating vendor connections as untrusted and firewalling them from internal networks. It is also wise to subdivide your network so that vendors, customers, departments and users are separated from resources according to need-to-know permissions.

DDoS attacks occur when hackers use multiple compromised systems, often infected with a Trojan, to target a single system, causing it to become unavailable. One of the best methods to prevent a DDoS attack from saturating your network is to use a proactive monitoring service with enough bandwidth to handle an incursion, as these attacks often go undetected and can occur in a matter of minutes. Another preventative solution is to implement a multi-layered security system for your credit union.

Unfortunately, individuals frequently lose their laptops, tablets or smartphones. Even more upsetting is that thieves often steal these valuable devices from their owners. What's the best defense against an event that can at times be unavoidable, or even impossible to defend against? Prepare for the worst—encrypt your data or entire disk as a preventative measure and ensure all your devices are password protected.

Threats like APT, DDoS and lost or stolen devices can pose serious problems for any credit union, especially those not taking maintenance tasks seriously. Hopefully, you've found a core provider that also happens to be an excellent gatekeeper, making sure that all parts are working fluidly and are impervious to unwanted infiltration. In this instance, the relationship between a core provider and a credit union should be a partnership, with both parties working towards the common goal of protecting members' interests. Your ideal gatekeeper should help you identify the best value-adds: additional services, delivered by purchasing and licensing software or hardware, that create additional barriers against cyberattacks. Your core provider must also maintain world-class firewalls and IPS to reduce the risk of online intrusion.

Additionally, your core provider should actively engage in an educational dialog, providing actionable steps you can share with your members that will help them protect themselves. The steps may vary, but the fundamental message is always the same—education is one of the most powerful weapons in your arsenal. Credit unions should constantly remind their members not to click on links in emails unless they were expecting the message, and members should know that credit unions will never call and ask for their password. Members should also be taught how to set up an unprivileged user profile, separate from the administrator profile, to use on their personal computers to check emails or browse the internet.

Cyberattacks will only become more prevalent as our lives become further entrenched in the digital world. Credit unions will likely remain in the crosshairs because they possess two of the most valuable things to hackers—personal and financial information. Just like castle inhabitants, credit union members put their faith and livelihood in the hands of the institution. If your core provider is sleeping on the job or is simply unable to maintain your credit union's defenses, perhaps it's time to consider a change to a gatekeeper that can get the job done. Remember—your members are depending on it.  

Stephen Adwell is vice president of security, compliance and BCP at EPL, Inc.
