What’s the Big Idea in cybersecurity for 2016? The way we think about it.
Cybersecurity is not just for technologists any more, it’s for everyone. Today, cyberattacks pose the most dangerous and pernicious kind of reputation risk, threatening the most valuable and strategically significant asset credit unions have, member trust. Understanding this changes everything.
Don't forget the expensive lessons learned by prior high-profile targets: Responding quickly and transparently is even more important than managing loss. This means informing member-owners while maintaining their access to funds. If a credit union does this successfully, its members can manage, overcome, and forgive other costs; if it doesn’t, the rest won’t matter.
Traditionally, cybersecurity has been a cognate of physical security, an adjunct responsibility of information technology, and/or a function of compliance. None of these perspectives is wrong, but all are dangerously insufficient. Cybersecurity is all three but also much more because of a handful of characteristics that make cyber an exceptional kind of threat:
Breaches will happen — probably already have — so there’s a heavy premium on response management, mitigation, and recovery.
Breaches threaten primary systemic functionality, so impact might be pervasive and severe, far beyond a limited IT event.
How a credit union responds after the event, not the penetration itself, will have the biggest impact on reputation.
Nearly four years ago, then-FBI Director Robert Mueller said “there are only two types of companies: those that have been hacked and those that will be.” Mueller’s successor, James Comey, has taken this assessment a step further, placing the dividing line between “those who know they have been hacked … and those who don’t [yet] know they have been hacked.”
There might be a few exceptions, perhaps even some small credit unions, but not for long. Cybercrime is subject to its own version of Moore’s Law — every day, the tools available become more powerful, easier to use, harder to detect, and cheaper.
A Brave New World
Some cyberattacks are little more than a nuisance. Every IT department regularly fends off distributed denial of service (DDoS) attempts. Others are just high-tech versions of old-fashioned capers. But many are far more cunning and insidious, penetrating entire systems to probe for weak points and gather information to use later for much larger, more damaging crimes.
Take the long-term hack of JPMorgan Chase, where cybercriminals operated for months inside what was believed to be a safe and secure perimeter. This is what U.S. Attorney for the Southern District of New York Preet Bharara calls a “brave new world of hacking for profit,” and it further differentiates today’s cyber risk from traditional threats like a bank heist or card fraud.
In a world where virtually all communications and operations run through the digital infrastructure, this is where things get really scary. When bad actors can operate freely and undetected inside seemingly secure systems, they can cause a lot more harm than stealing a few bucks or even compromising some member data.
They can engage in social engineering, using unwitting employees as accomplices.
They can mask ongoing fraud to make large thefts appear like business as usual.
Most disturbingly, they can compromise basic functionality.
This last example threatens a credit union’s ability to execute its core mission of connecting members with money when and where they need and expect it. This is where reputation is most directly threatened and where a fast, effective, transparent response is most important.
To better understand all the elements at play, Callahan & Associates has been working with Cognitio Corp., a cyber defense consultancy created by former CIOs and CTOs from inside the nation’s intelligence community. One of Cognitio’s founder-partners, Bob Gourley, identifies two constants throughout the evolution of the modern cyberthreat:
Organizations are surprised when they are attacked successfully.
The threat itself will constantly innovate to evade evolving defenses.
In Gourley’s mind, this forces two critical executive lessons:
“Nothing will stop an adversary that wants to get in. Prepare for a breach. … Prepare to mitigate risks, but prepare to respond to breach.”
Readiness requires “a robust and effective incident response program that is integrated into the business environment, … exercised regularly, [and] includes all aspects of the business, not just IT or security.”
A New Way Of Approaching Cyberthreats
At Callahan, we have reached some conclusions of our own that will likely influence work we do in 2016:
All credit unions are cybersecurity targets, are likely to have been penetrated, and almost inevitably will experience some kind of consequences.
Trust and the member relationship are the most important, valuable, and vulnerable credit union assets.
Credit unions that are not aware of the stakes or prepared to respond quickly, effectively, and transparently will suffer the gravest harm.
Key Questions To Ask Now
We believe cybersecurity should be on the agenda, and be part of the core responsibilities, of every member of every credit union leadership team. Complying with FFIEC and NCUA guidelines, while mandatory, does not provide adequate protection, and nothing can provide complete protection. Your credit union will have a cybersecurity event.
This is why we believe preparing now to manage the inevitable is in the best interest of your members. Events happen in real time and might not provide the opportunity for consultation and consideration before having to make critical decisions for your credit union, decisions that could have an impact reaching well into your credit union’s future.
So before that real-time event occurs, ask yourself these questions:
Does your leadership team understand the full scope of threats your credit union faces and the full array of impacts that could result?
Do you have C-level mitigation and management plans in place and do you practice them?
Are you confident in your ability to make decisions quickly when an event occurs, even with incomplete, inaccurate, and/or contradictory information? What about if you or part of your senior team is unreachable at the moment of crisis?
Creating a framework in advance, one that clearly lays out how your senior team will manage an event quickly and transparently, will build confidence now and go far in preserving your reputation when an actual event occurs.