Strategies for keeping your member and organizational data safe when cyber attacks are most probable
As time goes on, financial institutions face more serious and potentially damaging threats from bad actors looking to compromise systems and steal valuable information. These threats can lie internally or externally and be domestic or international. Financial institutions with a firm infrastructure, robust security support and a well-trained staff are in a good position to ward off these harmful threats.
What Credit Unions Can Do
The greatest challenge facing leaders like me is that cybersecurity protocols are always evolving. That's because bad actors are constantly coming up with new ways to try to exploit targets. As the person in charge of managing the security infrastructure for $3.8 billion Affinity Federal Credit Union, I put a lot of focus into ensuring the crown jewel, our members’ data, is secure and constantly being monitored. The biggest areas of focus include:
- Training: The weakest link in the security chain is humans. It’s imperative that every employee is educated on best practices to handle data and secure accounts. This goes for those working on the back end in data programming and security all the way to staff on the front line. It is the responsibility of all members of a team to do their part to protect against cyber threats. At Affinity FCU, we educate our staff and update our teams regarding the latest threats monthly.
- Remote control: My team has been working from home since the pandemic began in March 2020. The remote setup requires each team member to pay extra attention to detail, because even while connected to the Affinity back-end network, working from home can leave open the possibility of network security vulnerabilities. Leaders also need to ensure the back-end systems and computers their employees use at home are as well-protected as the computers in the office.
- Being prepared for the worst: It’s not a matter of “if” a cyberattack will happen, it’s a matter of “when” it will happen. It’s essential for all members of a data security team to know how and where all of their institution’s confidential information is stored. Why? If each team member has this knowledge, a data leak would likely be identified and contained quickly.
Knowing where your confidential and sensitive data is located is the key to putting appropriate controls in place to protect the data from unauthorized access. An organization that does not have an understanding of its data, where it is stored and who has access to it will have a very difficult time reacting in case of a breach.
- Outsourcing effectively: As a non-profit, Affinity FCU can’t hire a large number of in-house data security professionals to monitor our systems. Instead, we work with strategic partners to constantly monitor all internal and external threats. Like in all aspects of the job, communication between my team and the partners is key to ensuring our systems run smoothly and we maintain a top level of security.
- Assessments: As the nature of cyber threats continues to evolve, it is important to constantly assess your team’s protocols and security measures. Schedule a cadence to assess improvements that can be made. Additionally, audit your systems on a regular basis. A good practice is to assess at least every six months or every time there is a new global or domestic threat to the organization. Assessing regularly is a must in the cyber world, as new threats surface every day. Most importantly, have internal controls in place, authorizing certain team members to have access to personally identifiable information.
Protecting Your Members
Credit union professionals can take actions to protect members’ data that members themselves cannot perform. Part of your institution’s multi-layered strategy to protect member data should include regularly scrubbing the dark web for stolen information. Based on what you find, you can alert members if their machine might be infected with malware and some of their personal data may have been compromised. If that’s the case, your security team should work with the member, providing steps to clean the machine and educating the member on how to avoid this situation in the future. Affinity FCU is taking the steps to implement this type of system.
The work does not stop with the credit union. It is incumbent on your institution to communicate with members, encouraging them to take the necessary steps to protect their PII data:
- Never assume: Members should be vigilant when it comes to correspondence with emails and text messages. Never respond to an email that looks suspicious. Hover over the sender’s address or click the drop-down icon for more information to ensure the sender is authentic. In both emails and texts, make sure any link you are asked to click doesn’t look suspicious. Additionally, never provide payment information through text message or e-mail. A credit union would never ask a customer to do this. Without taking these steps, a person could open doors to criminals looking to steal their information.
- Install multi-factor authentication: Whether it’s a login to a banking app or a news website, it’s important for members to use multi-factor authentication to protect their accounts whenever possible. Provide tutorials and best practices for using two-factor authentication applications, like Microsoft Authenticator or Google Authenticator.
- Know where to save your passwords: The more complex a password is and the more passwords you have, the better off you are. Know where to store those passwords. Recommend applications like Dashlane, LastPass or 1Password to your members, where they can save their passcodes on their phones instead of in their browser’s data or, even worse, on a sheet of paper.
- Keep your computer and smartphone up to date: Be sure to convey the importance of regularly shutting down, or at least restarting computers and smartphones. This allows for the installation of system updates, which may include security patches.
It takes a lot of effort to protect a financial institution’s systems and to be sure your entire team, beyond IT, is doing its part, as well. Ensuring your staff and members do their parts to protect data starts with proper education and training. On the back end, building, maintaining, and improving your infrastructure to respond to the constantly evolving threats will put your team in the best position to counter any bad actors targeting your financial institution.
CUES member Charles Perez is VP/infrastructure and operations at $3.8 billion Affinity Federal Credit Union, based in Basking Ridge, New Jersey, with 20 branches in the New York tristate area. Perez is a skilled leader-strategist with a record of success in formulating and executing IT turnarounds. He is known for providing critical IT leadership and vision to support and drive business goals, elevate and improve cybersecurity, and modernize and innovate IT to facilitate and support growth and continued excellence. Perez views IT through a progressive lens that focuses on delivering optimal support for key initiatives and growth plans while also effectively addressing risks and emerging challenges. He empowers teams to think globally and creatively, innovate, and test new ideas/approaches—all for the good of the organization.