Cybersecurity is becoming what’s known in some circles as a “wicked problem” — a problem that defies easy definition or solution, has multiple causes and dimensions, and is likely to be persistent regardless of the steps taken to address it. It’s the kind of problem that isn’t going away soon and might become worse even if credit unions do all the right things.
Why a wicked problem?
First, it involves a lot of people — employees, of course, but also every member who interacts with their credit union. Second, it doesn’t have obvious, limited ownership. Most credit unions treat it as an IT issue, but it’s much more than that. It’s a service issue, a marketing and communications challenge, a compliance and governance burden, and a line management issue in every part of the business where employees represent a way for cybercriminals to get into the system. It’s so broad in scope and potentially devastating in impact, it’s a leadership issue demanding the direct, active, ongoing involvement of the entire C-suite, from the CEO down.
Devastating in impact? You bet.
The obvious money at risk isn’t nearly as big a concern as institutional and member data. And if member data gets out, reputation risk jumps to the top of the list. Breaches are inevitable, so the differentiating factor becomes how they’re handled. If a credit union’s response is anything less than prepared, professional, and transparent, with a focus on member impact, then member trust and goodwill — the single most valuable asset any credit union has — is jeopardized.
Then there are the externalities to consider.
Cybercrime is big business. Every year, criminals invest hundreds of millions of dollars in the development of tools to steal billions of dollars. The SWIFT caper alone reportedly involved an investment of seven years and more than $100 million. When the bad guys invest that kind of time and money, they expect big returns. But even smaller-scale thieves have access to tools that allow them to take advantage of smaller, less secure targets.
The Dark Web is the marketplace for stolen data, hot money, and proven software developed for targets large and small. Read more about it in "What Lurks In The Dark Web" only on CreditUnions.com.
That’s why any credit union that thinks it’s too small to worry needs to reconsider. The mom and pop shops of cybercrime go after mom and pop targets — hard. Brute force hacking is one approach, but it’s easier to drop a few flash drives in a parking lot and hope a careless employee will plug one into the network. And that might not even be the big event. It might just let the bad guys scan internal emails for social engineering cues that will help them pose as an insider and get folks to do things they shouldn’t.
And for full disclosure, even a small company such as Callahan & Associates isn’t immune.
This past fall, our finance director received an urgent email message from Jon Jeffreys, our managing partner. According to the email, Jeffreys was on the road — which he really was — and needed instructions for authorizing a wire transfer — which he really didn’t.
Happily, this wasn’t a terribly sophisticated effort and my colleagues know what to look for. However, phishing, spearphishing, and whaling are becoming everyday events, as are other threats like ransomware that leverage innocent, untrained, or inadequately vigilant employees, members, clients, etc.
The good news is credit unions have a fundamental advantage in fighting back against cybercrime: They play well with others. Cooperation is important because sharing information and experiences has proven to be the most effective way to protect against cybercrime.
A good place to start is with the Financial Services Information Sharing and Analysis Center, which every credit union should join. FS-ISAC is one of nearly 20 U.S. government-sanctioned ISACs created to help companies share information without violating anti-trust laws. The result is better security for everyone. Basic membership in FS-ISAC is free, and access to more resources is available through an asset-based pricing model.
The FBI has its own take on information sharing that is based on regions rather than economic sector. The InfraGard program is a public-private partnership created to facilitate the sharing of “information to assist … in protecting critical infrastructure assets,” including the financial services system. There are 85 local chapters across the country, and participation in these, too, is free, though some chapters charge fees to cover the costs of delivering optional services.
Finally, the ISACs have also given rise to a much larger number of ISAOs (information sharing and analysis organizations) with fewer resources but closer ties among smaller groups of participants, which often makes the information they share more topical and actionable. Some players in the credit union space are setting up ISAOs, but because many progressive credit unions already have a long history of working and sharing with one another, there are also informal working and sharing groups across the movement. Getting involved in one or more of these is a good investment of time and effort.
Unfortunately, too many credit union leaders Callahan speaks with are hesitant to engage in these sharing initiatives. Concerns run the gamut, from thinking that sharing isn’t relevant because the credit union is “unique” or too small to concerns about the ability to contribute equitably, from embarrassment about being “too far behind” to fear of wasting time, money, and resources that should be directed straight at the challenge.
To an extent, this makes sense. All the sharing in the world won’t mean much if the credit union doesn’t attend to fundamentals like employee education and keeping patches up-to-date. But compliance should never be confused with security, and these necessities are not nearly sufficient to secure a credit union against an attack.
From that perspective, every one of the excuses for not engaging in cybersecurity sharing initiatives fails.
It’s not just about the cooperative principles, although familiarity with them should make this easier for credit unions than for their for-profit competitors. It’s about herd immunity, strength in numbers, and the power of pulling together different perspectives and different kinds of intelligence to produce better outcomes for all.
This kind of sharing is ground zero for the robust cybersecurity response every credit union will need in the years to come.