Credit unions must step up cybersecurity during coronavirus
As COVID-19 stay-at-home orders begin to lift, people who are able to do business from home are still being encouraged to do so, and credit unions are no exception.
Throughout the pandemic, organizations have had to put their backup and disaster recovery (BDR) and business continuity plans (BCP) to the test, and in tandem we have seen an increased emphasis on cyber resilience.
Cybersecurity concerns have risen over the past couple of months as attackers continue to take advantage of the situation. Notably, the Zeus Sphinx banking trojan has returned, phishing attacks are up 350%, and the growing remote workforce has increased the use of potentially vulnerable technologies.
As credit union employees work from home and nearly all services are offered digitally, the target on the back of financial institutions has only gotten larger.
So, what can the industry do to strengthen its cybersecurity hygiene at a time when it is more vulnerable to cyberattacks? Here are four areas that I suggest credit unions shore up as a starting point.
Ensure communication channel security
What platforms are you using to communicate with your colleagues, staff and customers? Third-party video conferencing platforms such as Zoom, WebEx or GoToMeeting are a popular option, but their default settings are not always secure.
A few simple measures keep private customer and internal conversations safe from Zoombombing (an uninvited participant joining a video call) and eavesdropping, and keep your computer and data out of reach of unauthorized users. Use only a communication channel approved by your organization, one whose security implications have been reviewed and whose vulnerability remediation process is written into the vendor contract.
Additionally, mandate that every meeting requires a password, that a new meeting ID is generated for each meeting instead of reusing a static personal one, and that the waiting room is enabled so the host must admit each participant before they join.
Implement continuous security testing
Credit unions are required to perform a penetration test (ethical hacking to uncover vulnerabilities) only once a year, but it is critical that you continuously scan and monitor your systems for vulnerabilities and malicious activity in between.
Any major technological change to your environment (for example, half of your workforce moving to remote work) also warrants an additional, deeper penetration test focused on the new attack surface at the time the change is made.
Financial institutions are a target that makes financial sense for attackers, so it is critical that you identify and remediate vulnerabilities on an ongoing basis; otherwise the risk of a breach only increases.
Understand your remote connection options
Remote connections are more common than ever as employees become mobile, and as the remote workforce grows, cyber criminals' options for reaching your data expand with it. Credit union work-from-home arrangements typically follow one of two models: employees are issued a company laptop or desktop and connect over a virtual private network (VPN), or they use a personal device and connect through a virtual desktop infrastructure (VDI). It is important to understand the security practices that go with each.
When users connect remotely over a VPN from company-issued machines, the disks on those machines should be fully encrypted in case a device is lost or stolen, the VPN itself should require multi-factor authentication, and security baselines should be established and updated as business needs evolve. Each workstation image should also be scanned regularly for vulnerabilities.
With VDI, an attacker can more easily reach the virtual desktop through redirected peripherals and integrations such as shared drives, printers or email, so VDI should be configured with access control as the first priority. As a best practice, enable multi-factor authentication and lock down applications so that a user cannot break out of the published application to the underlying operating system.
Many organizations also use the remote desktop protocol (RDP) to let employees connect to their office desktops remotely. RDP has recently seen an increase in brute-force attacks (automated attempts to guess usernames and passwords). Enforce strong password policies and an account lockout threshold, and ensure RDP is reachable only from inside the VPN, never directly from the internet, so that an attacker cannot even reach the logon prompt without first authenticating to the VPN.
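The brute-force pattern described above leaves a clear trail in the Windows Security log. The following is an added example, not code from the original article: a small Python detector that reads exported logon events, keeps a sliding window of failed RDP logons (Event ID 4625, LogonType 10) per source IP, raises an alert when the count crosses a threshold, and records whether that IP later logged on successfully (Event ID 4624), which is the sign that a guess worked. The field names, the export format and every sample event are assumptions constructed for this example; a real export (for instance from Get-WinEvent or a SIEM forwarder) will need a small mapping step to these field names.

```python
"""Sliding-window detection of RDP password brute forcing in Windows Security events.

Assumes the events have been exported as dicts with the fields used in _ev()
below. Event ID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive, i.e. RDP / Terminal Services.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP = 10                     # LogonType for RemoteInteractive (RDP)
FAILED, SUCCESS = 4625, 4624


def _ev(ts, event_id, user, ip, logon_type=RDP):
    """Build one exported event record (field names are an assumption)."""
    return {"TimeCreated": ts.isoformat(), "EventID": event_id,
            "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}


# Constructed sample data, not real log records.
_base = datetime(2020, 5, 4, 2, 10, 0)
SAMPLE_EVENTS = []
# 1) 203.0.113.45 sprays 12 guesses in under three minutes, then gets in as jsmith.
for i, user in enumerate(["administrator", "admin", "jsmith", "backup", "svc_scan",
                          "helpdesk", "jsmith", "admin", "root", "jsmith", "teller1", "jsmith"]):
    SAMPLE_EVENTS.append(_ev(_base + timedelta(seconds=15 * i), FAILED, user, "203.0.113.45"))
SAMPLE_EVENTS.append(_ev(_base + timedelta(minutes=3, seconds=30), SUCCESS, "jsmith", "203.0.113.45"))
# 2) A real user on the VPN mistypes three times over forty minutes, then succeeds.
for m in (10, 25, 45):
    SAMPLE_EVENTS.append(_ev(_base + timedelta(minutes=m), FAILED, "mlopez", "198.51.100.7"))
SAMPLE_EVENTS.append(_ev(_base + timedelta(minutes=46), SUCCESS, "mlopez", "198.51.100.7"))
# 3) Fifteen network (LogonType 3, e.g. SMB) failures: noisy, but not RDP, so ignored here.
for i in range(15):
    SAMPLE_EVENTS.append(_ev(_base + timedelta(seconds=5 * i), FAILED, "guest", "192.0.2.9", logon_type=3))


def detect_rdp_bruteforce(events, threshold=10, window_minutes=5):
    """Alert on every source IP with >= `threshold` RDP logon failures inside a
    sliding window of `window_minutes`, and note the first RDP success from that
    IP afterwards (a success right after a burst of failures means a guess worked)."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e["TimeCreated"])  # ISO strings sort chronologically
    failures = defaultdict(list)   # ip -> [(ts, user)] for every RDP failure seen
    recent = defaultdict(deque)    # ip -> failure timestamps still inside the window
    flagged, success_after = {}, {}
    for e in events:
        if e.get("LogonType") != RDP:
            continue                                   # only RDP logons are in scope
        ip, user = e["IpAddress"], e["TargetUserName"]
        ts = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == FAILED:
            failures[ip].append((ts, user))
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:                  # drop failures that aged out
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts                       # threshold crossed: raise once per IP
        elif e["EventID"] == SUCCESS and ip in flagged and ip not in success_after:
            success_after[ip] = user                   # likely compromised account
    return [{
        "source_ip": ip,
        "failures": len(failures[ip]),
        "first_failure": failures[ip][0][0],
        "flagged_at": flagged[ip],
        "usernames": sorted({u for _, u in failures[ip]}),
        "success_after": success_after.get(ip),
    } for ip in sorted(flagged, key=flagged.get)]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the detector raises one alert, for 203.0.113.45, with eight distinct usernames and a success as jsmith after the burst; the three spaced-out failures from 198.51.100.7 stay below the threshold unless the window is widened to an hour. On a host where RDP is only reachable through the VPN, any alert from an address outside the VPN pool means that network control has failed and deserves its own investigation.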
Educate your employees
Ultimately, people tend to be the weakest link in cybersecurity, which is why I underscore the need to give employees appropriate security training so that they do not put the organization at risk. Educate them not only on how to keep their connection secure but also on how to recognize and avoid scams.
Phishing for personal information through deceptive emails, websites and now phone calls is at an all-time high. To help team members recognize phishing attempts, teach them the common characteristics of a phishing email: a request for private or personal information, an unnecessary sense of urgency or fear, and a sender address that is unfamiliar, suspicious, or does not match the name or organization it claims to represent.
Three other tell-tale signs: a generic greeting rather than the recipient's name (cybercriminals typically do not know it), poor spelling or grammar, and low-resolution graphics. Bear in mind that phishing aimed at a specific employee is often well written and personalized, so the absence of these signs is not proof that a message is legitimate; when in doubt, verify the request through a known phone number or channel rather than by replying to the message.
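The indicators listed in the two paragraphs above can be turned into a simple triage check that a help desk or mail gateway could run before a user acts on a message. The following Python is an added example, not code from the original article. It covers the signs that can be checked mechanically (sender and Reply-To domains, brand impersonation in the display name, urgency and credential-request wording, generic greetings, and links whose visible text or host do not belong to a trusted domain); spelling quality and image resolution are left to the human reader. The trusted domains, brand words, keyword lists and both sample messages are assumptions constructed for this example.

```python
"""Heuristic phishing triage for one inbound e-mail, built from the tell-tale
signs discussed above. Assumes the message is available as raw RFC 5322 text."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Keyword lists are assumptions for the example; tune them to your own mail.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|act now|final notice)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|account number|verify your (?:identity|account)|login credentials)\b", re.I)
GENERIC_GREETING = re.compile(r"\b(?:dear|hello|hi)\s+(?:customer|member|user|valued (?:customer|member)|account holder)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
TAG = re.compile(r"<[^>]+>")

# Constructed values for the example: the credit union's own domain and brand names.
TRUSTED_DOMAINS = ("examplecu.org",)
BRAND_WORDS = ("Example Credit Union", "ExampleCU")

# Constructed sample messages (not real mail). The first shows a lookalike sender,
# a mismatched Reply-To, urgency, a credential request, a generic greeting, a
# deliberate spelling error, and a link whose text shows the real site while its
# href goes to a host that only *starts* with the trusted domain name.
PHISH_SAMPLE = """\
From: Example Credit Union Member Services <alerts@examplecu-secure.net>
Reply-To: support@mail-verify.net
To: jsmith@examplecu.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Dear Member,</p>
<p>We detected unusual activty. Verify your identity immediately or your account will be suspended.</p>
<p><a href="http://examplecu.org.secure-login.net/verify">https://www.examplecu.org/login</a></p>
"""

LEGIT_SAMPLE = """\
From: Maria Lopez <mlopez@examplecu.org>
To: jsmith@examplecu.org
Subject: Q2 branch schedule
Content-Type: text/plain; charset="utf-8"

Hi John,

The updated schedule is on the intranet: https://intranet.examplecu.org/schedules/q2
Let me know if Thursday works for the review.

Maria
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _trusted_host(host, trusted):
    """True only for the trusted domain itself or a real subdomain of it;
    'examplecu.org.attacker.net' does not qualify."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def _body_text(msg):
    chunks = []
    for part in msg.walk():                       # walk() yields the message itself if not multipart
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def score_phishing(raw_message, trusted_domains, brand_words):
    """Return {'score', 'verdict', 'indicators'} for one raw e-mail."""
    msg = message_from_string(raw_message)
    trusted = {d.lower() for d in trusted_domains}
    hits = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = _domain(sender)
    if not _trusted_host(sender_dom, trusted):
        hits.append(f"sender domain {sender_dom!r} is not a trusted domain")
        if any(w.lower() in display.lower() for w in brand_words):
            hits.append(f"display name {display!r} impersonates our brand from an outside address")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_dom:
        hits.append(f"Reply-To domain {_domain(reply_to)!r} differs from the sender domain")
    body = _body_text(msg)
    plain = TAG.sub(" ", body)                    # strip HTML tags for wording checks
    text = f"{msg.get('Subject', '')}\n{plain}"
    if URGENCY.search(text):
        hits.append("urgency or fear language")
    if SENSITIVE.search(text):
        hits.append("asks for credentials or personal information")
    if GENERIC_GREETING.search(plain):
        hits.append("generic greeting instead of the recipient's name")
    bad_hosts = set()
    for href, anchor in ANCHOR.findall(body):     # HTML links: compare visible text with real target
        host = (urlparse(href).hostname or "").lower()
        if host and not _trusted_host(host, trusted):
            bad_hosts.add(host)
            if any(d in TAG.sub("", anchor).lower() for d in trusted):
                hits.append(f"deceptive link: text shows a trusted domain but points to {host!r}")
    for url in BARE_URL.findall(plain):           # plain-text URLs
        host = (urlparse(url).hostname or "").lower()
        if host and not _trusted_host(host, trusted):
            bad_hosts.add(host)
    for host in sorted(bad_hosts):
        hits.append(f"link to untrusted host {host!r}")
    score = len(hits)
    verdict = "phishing" if score >= 3 else "suspicious" if score else "clean"
    return {"score": score, "verdict": verdict, "indicators": hits}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, score_phishing(sample, TRUSTED_DOMAINS, BRAND_WORDS))
```

The sample phishing message trips all eight mechanical checks and the internal message none; the most instructive one is the link check, where the visible text reads https://www.examplecu.org/login but the href host is examplecu.org.secure-login.net, which the suffix comparison in _trusted_host correctly refuses to treat as part of examplecu.org. A score like this is a triage aid for the help desk, not a substitute for reporting: the well-written, personalized messages that score low are exactly the ones the training should tell staff to verify out of band.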
With the focus on making sure people can work effectively and customers are being helped during this period of economic uncertainty, it is wise to evaluate whether cybersecurity has slipped in priority. Consider creating more secure communication channels, implementing continuous testing, securing your remote workforce, and investing in education and training to lower your risk of a data breach during COVID-19.