Financial services institutions are subject to cybersecurity incidents 300% more frequently than all other industries, according to a recent report.
Carl Leonard, principal security analyst at Websense and one of the report's authors, told CU Journal that statistic "tells us financial services are really experiencing a large number of attacks against their industry, because [fraudsters] realize credit unions, banks, and insurance agencies have a great deal of personally identifiable information on their clients and customers. And it's where the money processing is. Malware authors have found that they can sell that data on the underground market to get a good return on their investment."
More concerning, he said, is that FIs must put in a disproportionate amount of effort, compared with other industries, to secure their employees and data. The threats to FIs can change day by day, but IT teams — particularly at smaller institutions — don't often move quickly enough to keep up.
"Not only do you have the high volume of attacks, but the attack type is changing from week to week and month to month, [and] you're also experiencing a large number of attacks targeting financial services that you might not fully understand until the attack is done," said Leonard.
Web vs. Email
Leonard said attacks against FIs are generally coming through the web or email.
In the case of email threats, "A malware author might have selected that particular credit union to target," he explained, noting that fraudsters can create dummy emails that are nearly identical to those sent by legitimate vendors the CU uses. "He could craft an email, make it look very convincing, send it to the CEO or CFO of that organization and that could then be used as a point of entry to that organization."
When it comes to the web, malware authors may target end users — including employees — by placing malicious code in otherwise harmless websites in order to "deliver malicious payloads" to the employee and into the CU's systems.
Leonard said Websense found that as much as half of the attacks this year were from disguised code. "So if you're in the IT team, you're not going to be able to understand what this code looks like or what it does, because malware authors have disguised it," he said. "It's very difficult to even determine that something has happened. It's not possible to even understand what the code is trying to do. That's the challenge IT teams have: it's not so obvious when a machine in their environment has been compromised and taken over, because the malware authors go to specific lengths to ensure that the machine just looks ordinary. They want to use that as a springboard into the network to look around for databases they can steal from."
While some analysts have advised credit unions against using outside IT services, Leonard said there may be security benefits to outsourcing cybersecurity. By looking to outside firms, he said, CUs can not only get those vendors' expertise, but gain a level of knowledge that might have taken years to assemble internally.
NCUA's Cybersecurity 101
With those sorts of threats in mind, NCUA last month hosted a "Cybersecurity 101" webinar for credit unions.
Chris Gill, risk management consultant at CUNA Mutual Group, reminded attendees that while hacking is the leading cause of intrusions into business information systems, it's not the only one. Sometimes, he cautioned, the biggest threats come from inside the credit union.
"In addition to having access to the credit union network, [employees] know how things work, they know where critical cords are, and they can wait to exploit the system until the time is right," he said. "Crimes committed by internal actors are often times much more costly and complicated" than those committed by external actors.
He cited a study from PricewaterhouseCoopers that showed more than 117,000 cyber threats occurring each day, for a total of 42.8 million threats last year — nearly double the number of threats from 2012.
Just as credit unions test their responses for floods, fires and other natural disasters, Gill said CUs must have a plan in place for a data breach and must test it regularly. Not only is that important for data security, but there are insurance ramifications, as well.
"In the event a breach occurs, it's important for you to be able to prove you had controls in place and that they were tested regularly for effectiveness," he said, noting that post-breach CUs will need to be able to determine how and when the breach occurred and if any internal actors were involved.
Gill pointed to a NETDILIGENCE study from last year showing that the average payout for a data breach claim exceeded $733,000. Once the cost of crisis services, legal defense and more was factored in, the average total exposure could easily hit almost $1 million or more, and that's only for a small credit union. Total exposure was determined to be $956.32 per member, so for a credit union with just 1,000 members, that figure exceeds $956,000.
'A More Fertile Environment'
Tim Segerson, deputy director of NCUA's office of examination and insurance, reminded attendees that there's a difference between cybersecurity and information security. Cybersecurity, he said, is a subset of information security.
Around 2009, he said, the number of internet-connected devices on the planet exceeded the number of people, and as that number grows it creates more risks because of the need to mitigate risks associated with so many legacy systems. Combined with a decline in the level of expertise needed to hack into a system, conditions in recent years have created what he called "a more fertile environment for smaller institutions to be attacked."
Segerson noted that the tools for hacking are even available for sale or rent to those with little skill these days, "sort of like a supermarket for hackers," raising the possibility that more low-level hackers may attempt to test out their skills on smaller institutions that they believe are more vulnerable.
Any CUs who think they're not susceptible to those kinds of attacks, he noted, should look to Montana, where a small CU's website was hacked earlier this year by a group claiming — most likely fraudulently — to be the Islamic State.
No matter how small an institution is, he said, it almost certainly uses some sort of web-based services, opening it up to potential cyber threats. More than 50% of all credit union members use CU web services.