How better training, cybersecurity upgrades made one credit union safer
America’s Christian Credit Union, Glendora, Calif., reduced its cybersecurity threat plane by 90 percent by upgrading both its hardware and its resistance to phishing – and earned a Credit Union Journal Best Practices award for 2018 in the category of cybersecurity.
The $387 million-asset CU said it implemented a “Palo Alto Next Generation” application-based firewall from Santa Clara, Calif.-based technology provider Palo Alto Networks. In addition, it focused attention on strengthening the “human firewall” through in-depth training of its staff.
Prior to the implementation of this cybersecurity revamp, America’s Christian was hit with a whopping 27 federal audit findings from the National Credit Union Administration in 2017 alone, which the CU’s management team said displayed the numerous holes in the current systems that had been outsourced and managed by a third-party company. The credit union’s IT department decided it wanted more control, accessibility and the ability to proactively manage cybersecurity in-house. This was accomplished by implementing privileged account siloing, Knowbe4 training software and the Palo Alto Firewall with a WildFire threat database.
Privileged account siloing – This process began in June 2017 to combat Privilege Escalation Attacks, which are used to gain access to critical servers and data. Attackers can use malicious email phishing to plant malware on an internal machine. From there, hackers can gain control over the machine and move vertically to gain access to more privileged accounts, eventually compromising the entire organization. ACCU’s IT department completely audited critical privileged accounts and servers, restricting and removing user access permissions where unnecessary. The finished product was a segmented and isolated network, preventing attackers from gaining any additional access other than the individual machine.
Knowbe4 training – This training software was implemented in August 2017 to address the enormous attack surface of the “human firewall.” ACCU said it recognized many organizations around the world were vulnerable to phishing attacks through malicious email, and the weakest link in any given company’s overall security posture is its employees.
ACCU began simulating phishing attacks through KnowBe4 to test the credit union’s employees’ ability to “not click” and flag these emails. The initial findings were exactly what was anticipated: most users “clicked.” Through constant testing and required training classes to educate employees about phishing attacks through email, KnowBe4 training helped reduce the number of employees clicking on simulated phishing attacks to zero clicks in June 2018. A follow-up external audit phishing test confirmed this with zero clicks in July.
Palo Alto Firewall and WildFire threat database – America’s Christian CU implemented a “next gen” application-based firewall, which allows for a person-by-person approval system for accessing websites, in April. The credit union said the new firewall has given “exceptional insights” into not only what specific traffic is traversing the network, but the individual users initiating the traffic. This device is managed by the internal team as well as a 24/7 security company. In addition, the WildFire threat database enables updates of threat signatures from around the globe every five minutes. The Palo Alto firewall uses this to monitor all of ACCU’s network and email for new threats with every click.
ACCU reps told CU Journal that as a result of upgrading its firewall and improving staff training, the credit union cut its cybersecurity exam findings from 27 to just one in its most recent NCUA audit. The credit union has in place an ongoing anti-phishing campaign that uses an increasing level of difficulty each time to reflect the growing skills of attackers. Results show zero clicks to two clicks per company-wide campaign, which ACCU says allows it to focus training on where it is needed most.