Credit unions should consider these fundamental factors when allotting resources to combat cybercrime.
Chris Sachse, CEO of CUES Supplier member Think|Stack, Baltimore, a managed IT services credit union service organization specializing in cloud and cybersecurity solutions for credit unions and non-profits, says that regardless of size and budget, there are three fundamental factors credit unions should consider to make the job of combatting cyberattacks less daunting.
- The architecture and design of your network. Sachse says that often when it comes to cybersecurity, people are inclined to buy fancy tools and implement 24/7 monitoring. And while there is nothing wrong with those options, they are usually executed before the most important things have been taken care of, such as making sure your network is designed appropriately.
“I always liken this to a football team,” he says. “If you go out and sign Randy Moss or some fancy wide receiver, it makes you feel good, but it often doesn't lead to a Super Bowl. On the other hand, if you get a really good offensive line and a really good defensive line, stick to the basics, and get back to the fundamentals, you'll see that those teams are good over the course of time. Cybersecurity is much the same way.”
Sachse explains that a well-designed network that sets the foundation, followed by maintenance, including keeping current on updates, is critical. He says that most attacks come through outdated machines. “Just doing your patching and your maintenance—and making sure your network is designed appropriately—is probably going to protect you from 80% to 85% of the attacks out there,” he says.
Another component of a well-designed network is the concept of “least privileged access.”
“The idea is that every person—including your C-suite—and system in your network should only have access to the things that they must have access to, to do their jobs,” Sachse says.
But typically, networks are not built that way. Most of the time, employees just plug in and have access to everything in the network. “The problem with that is you’ll have things like printers and phones that people never update because they don’t even think about those things,” he says. “These are often the launch points for attacks, because that phone has access to your whole network. If the hacker gets into that old phone, they can go around and do whatever they want.”
- Governance. Sachse says that the biggest issue he sees in credit unions is not paying enough attention to cybersecurity at the board and executive team level and instead relying too much on IT. Not pursuing more detail when an examiner comes out is a common example, as is assuming that because the examiner didn’t have any findings, everything is good.
“We don't ask enough questions,” he says. “Good governance is simply just asking good questions to the right people. It’s really about having those conversations more frequently. And if you have those conversations more frequently, then the rest of the organization starts to know that the leadership team is taking this seriously. I really encourage that.”
- Partnership with an experienced vendor. “You have to have a vendor that you can work with, because you can’t do it yourself,” Sachse says. “The war for talent right now is absolutely unbelievable—particularly in cybersecurity. Credit unions are having a heck of a time finding people, let alone retaining them. You have to have partners that can help you.” He encourages working with a vendor with industry knowledge, as they already consistently monitor the industry and may have access to volume-purchase licensing that would otherwise be expensive for small credit unions.
“We have a couple hundred credit unions that we monitor, so when we see an event at one credit union, we can propagate that protection to all of the other credit unions simultaneously,” he says. “If you're an individual credit union trying to do this by yourself, you just can't. So, finding the right partner for your organization is critical.”
Formerly a member of the CUES marketing staff, Felicia Hudson Hannafan is a writer based in Chicago.