Day 2 of the GAC opened with a political discussion on the future of the credit union movement — including commentary from acting NCUA Board Chairman Mark McWatters and Board Member Rick Metsger, as well as a keynote address by former Secretary of State Colin Powell.
The afternoon sessions continued that theme, though a panel titled “Cybersecurity in 2017 and Beyond” focused less on the potential political actors carrying out cyber attacks, and more on the state of the ever-changing field today.
In 2017, credit unions are vulnerable to groups of “bad actors” canvassing for sensitive and potentially valuable information. These bad actors often take the form of “hacktivists” who leverage data to advance political or moral causes, nation states, and trusted insiders; that last group illustrates that financial information can be pilfered internally as well as externally.
We’ve covered different approaches to credit union cybersecurity on CreditUnions.com, including how it all starts with the CEO. But the evolving nature of the threat made the panelists from organizations such as the NCUA, CUNA Mutual, Department of the Treasury, and the FA-ISA pause when asked about handy best practice guides.
But the basic tenets of cybersecurity are consistent across all institutions, says Tim Segerson of the NCUA’s Office of Examination and Insurance.
“We need to understand current risks and guard against those,” he says. “But that has to be balanced with your financial capabilities.”
Does the credit union find it appropriate to be up and running right after an attack, as if it never really happened? That might require a greater financial investment on the part of the institution.
Or maybe not. Jay Isaacson, a vice president with CUNA Mutual Group, cited the 2016 Verizon Data Breach Investigations Report, which found 63% of breaches were the result of weak or stolen passwords. That’s in addition to other research showing human error is to blame for most breaches.
“Education is important for staff and members on this topic,” Isaacson says. “They can’t rely on default passwords.”
Another bullet in the chamber for credit unions in the fight against cyber attacks is insurance.
Cyber insurance is still a new, maturing field, but for issuers there are two components: first-response coverage and liability coverage. Typically, first-response coverage will allow a hacked credit union to cover the costs of the forensics work, including fees paid to investigating agencies, lawyers, and member and employee education efforts.
Liability coverage, on the other hand, helps to cover the costs of a suit brought against the credit union.
“All insurance policies are different, too,” Isaacson says. “And they continue to evolve. But not as fast as the bad actors are.”
Ransomware and distributed denial-of-service (DDoS) attacks are getting more sophisticated. And as the interconnectivity of devices large and small continues to advance, hackers may take advantage of vulnerabilities in the so-called Internet of Things (IoT).
In November 2016, hackers used a drone to target a set of Philips light bulbs in an office tower, using a virus that let the hackers turn the lights on and off and flash an “SOS” message in Morse code.
And while the NCUA’s Segerson admitted we’re only in the early stages of understanding attacks on the IoT, there are ways to mitigate risk.
For suspicious email activity, consider the source.
“It’s getting harder to know what to open and what not,” Segerson says. “My personal practice is if there is an attachment and I’m not highly confident where it’s coming from I delete it.”
Some credit unions and their league affiliates have their own solutions.
Tom Kane, president and CEO of the Illinois Credit Union League, spoke at Sunday’s Small Credit Union Roundtable. He’s a former CIA employee who has also worked for Aon Corp., Quaker Oats, and Risk Sciences Group before joining the league in 2003. His best advice for holding down hacks: “Don’t mix business with pleasure. Keep the personal stuff away from the work stuff.”
At his operation, games and personal software are not allowed on work computers; instead, Chromebooks are available in the lunch room for employees to use for email and other personal business.
“There are a few relatively simple things you can do to mitigate a lot of risk,” Kane says. That includes ensuring the integrity of software installations and keeping them up to date, limiting network access to vendors and employees only where and when needed, and working to keep staff awareness high about the threats of social engineering. “I was whale phished myself last week,” he says. Someone had sent one of his executives an email that looked like it was from Kane and was asking for a wire transfer to be made. “He brought it to me and I confirmed it wasn’t legit.”
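The whale-phishing attempt Kane describes (a message carrying an executive’s name, asking for a wire transfer) is the kind of thing a mail gateway or help desk can triage with a few header and content checks. The Python below is an added illustration, not code from the article or from the Illinois Credit Union League; the executive roster, internal domain, keyword list and the two sample messages are all constructed assumptions.

```python
"""Executive-impersonation (whale phishing) triage for inbound mail.

Added example: not from the article. The roster, domains, sample messages
and keyword list below are constructed for illustration only.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal mail domain and executive roster (constructed).
INTERNAL_DOMAIN = "example-cu.test"
EXECUTIVES = {"tom kane": "tkane@example-cu.test"}

# Phrases common in fraudulent payment requests (constructed list).
PAYMENT_TERMS = re.compile(
    r"\b(wire transfer|wire|urgent|confidential|payment today)\b", re.I
)

# Similarity above which an external sender domain is treated as a lookalike.
LOOKALIKE_THRESHOLD = 0.8


def score_message(raw):
    """Return the list of reasons a raw RFC 822 message looks like impersonation.

    An empty list means none of the heuristics fired.
    """
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    reasons = []

    # 1. Display name matches an executive, but the address is not theirs.
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and sender != known:
        reasons.append("display name matches executive but address differs")

    # 2. Reply-To quietly redirects answers away from the visible sender.
    if reply_to and reply_to.lower() != sender:
        reasons.append("reply-to differs from sender")

    # 3. External domain that closely resembles the internal one.
    if sender_domain and sender_domain != INTERNAL_DOMAIN:
        ratio = difflib.SequenceMatcher(None, sender_domain, INTERNAL_DOMAIN).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            reasons.append("sender domain resembles internal domain")

    # 4. Payment-pressure language in the subject or body.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if PAYMENT_TERMS.search(text):
        reasons.append("payment-pressure language")

    return reasons


def is_suspicious(raw, min_reasons=2):
    """Flag a message for human review when at least min_reasons heuristics fire."""
    return len(score_message(raw)) >= min_reasons


# Constructed sample messages (not real mail).
PHISH = """\
From: Tom Kane <tom.kane@example-cu-mail.test>
Reply-To: ceo.office@freemail.test
To: cfo@example-cu.test
Subject: Urgent wire transfer

Please process a wire transfer today for the new vendor. Keep this confidential.
"""

LEGIT = """\
From: Tom Kane <tkane@example-cu.test>
To: cfo@example-cu.test
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_suspicious(raw), score_message(raw))
```

Requiring two independent signals before flagging keeps a single stray keyword from quarantining routine mail, while the combination of an executive’s display name on an external or lookalike address and payment language is exactly the pattern an out-of-band confirmation policy (“he brought it to me”) is meant to catch.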
In addition, while it’s important to have relationships with local police departments and to belong to trusted communities that speed the flow of information, credit unions can also leverage their buying power to make sure the solutions on the market are the most secure.
“Use your purchasing power to walk when things aren’t made to proper security standards,” Segerson says.
— Marc Rapport contributed to this article.