According to the Verizon Data Breach Investigations Report (DBIR) 2016, “No locale, industry or organization is bulletproof when it comes to the compromise of data.” Even more troubling, some experts say that local and regionally based financial institutions, including credit unions, have much more to lose than larger money-center financial organizations. Cybersecurity risks have grown to crisis proportions over the past five years. From rings of hackers to state-sponsored attacks, organizations face a vast and complex web of intermingled threats that do not discriminate by line of business or by the size of the organization.
One problem that has become pervasive across industries is malware-based ransomware, which can be debilitating for a credit union that depends on its members and on their continued trust. Credit unions have increasingly become an attractive target for cyber criminals who deliver malware through phishing and other techniques. As much as we all hear about phishing, the message doesn’t seem to be sinking in. Perhaps phishing is thought of as something that happens to “other people.”
The DBIR reports that in a large sample of 8 million verified phishing tests in 2015 (done by multiple vendors), 30% of the phishing messages were opened by the target across all campaigns. In 12% of instances, recipients went on to click either a link or an attachment, which triggered a successful ransomware attack. This is actually an increase from 2014, when 23% opened the malicious email. So what’s going on here? It could be that spam has become more sophisticated, making malicious emails harder to detect and ferret out, or that senders can clone email addresses so that a message appears to come from a friend or a credible brand. Whatever the case, it’s apparent that phishing is still a very effective malware delivery vehicle.
So where should credit unions focus their time, energy and resources to up their cybersecurity posture and be more successful at preventing data breaches and data theft due to ransomware in the first place?
1) Investing in ongoing education about phishing is imperative. Providing employees with cybersecurity awareness training and information on a regular basis will keep the phishing threat top of mind. In addition to educating employees on how to spot malicious emails, make sure there is a simple process in place for reporting phishing (or attempted phishing) events. One way to accomplish this is to include a report button on the toolbar so that submitting a report is quick and easy.
2) Always have a well-thought-out backup/disaster recovery plan. Continuous backup of data is a must. Equally important is creating a “restore point” so that data loss due to ransomware is minimized and staff can regain access to the data.
3) Everyone should consider proactive and reactive security measures. Credit unions need a systematic approach to identifying, prioritizing and addressing vulnerabilities. The 2016 DBIR shows that old vulnerabilities are still being exploited months, or even years, after a fix becomes available. Employ a patch management process to track changes to software and operating systems and to deploy patches automatically. The key is not letting your guard down. Always assume there will be zero-day threats, and make sure that round-the-clock security monitoring is in place to identify potential threats on the network.
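The prioritization step above is easiest to see with a small worked example. The following script is an added illustration, not code from the article or from any patch management product: it compares a constructed software inventory against a constructed patch baseline and ranks the gaps by how long the fix has been available, which is exactly the “old vulnerabilities are still being exploited” point the DBIR makes. Every host name, product name, version and release date here is invented.

```python
from dataclasses import dataclass
from datetime import date

# Constructed patch baseline (assumption, not real advisories):
# product -> (minimum patched version, date the fix was released)
BASELINE = {
    "core-banking-client": ("3.2.1", date(2015, 9, 14)),
    "pdf-viewer": ("11.0.9", date(2016, 2, 2)),
    "os-kernel": ("4.4.12", date(2016, 5, 20)),
}

# Constructed inventory: what each host reports as installed (all invented).
INVENTORY = {
    "branch01-teller03": {"core-banking-client": "3.1.7", "pdf-viewer": "11.0.9", "os-kernel": "4.4.12"},
    "hq-loan-officer12": {"core-banking-client": "3.2.1", "pdf-viewer": "10.1.3", "os-kernel": "4.4.2"},
    "hq-it-admin01": {"core-banking-client": "3.2.1", "pdf-viewer": "11.0.9", "os-kernel": "4.4.12"},
}


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    required: str
    days_outstanding: int  # how long the fix has been available but not applied


def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def missing_patches(inventory, baseline, today):
    """Return every host/product pair that is below the baseline version,
    oldest outstanding fix first (the exposure that attackers have had longest)."""
    findings = []
    for host, installed in inventory.items():
        for product, (required, released) in baseline.items():
            current = installed.get(product)
            if current is None:
                continue  # product not present on this host, nothing to patch
            if parse_version(current) < parse_version(required):
                findings.append(
                    Finding(host, product, current, required, (today - released).days)
                )
    findings.sort(key=lambda f: (-f.days_outstanding, f.host, f.product))
    return findings


def report(findings):
    """Human-readable summary lines for the patch review meeting."""
    return [
        f"{f.host}: {f.product} {f.installed} -> {f.required} "
        f"(fix available for {f.days_outstanding} days)"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(missing_patches(INVENTORY, BASELINE, date(2016, 6, 30))):
        print(line)
```

In a real deployment the inventory would come from the endpoint agent or configuration management tool and the baseline from the vendor advisories the credit union tracks; the ranking logic is what stays the same. Sorting by days outstanding, rather than by host, surfaces the teller workstation with a nine-month-old gap ahead of the kernel that was patched last month.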
There are many straightforward steps credit unions can implement in a security policy that supports their goals to increase their cybersecurity posture, including:
- Regularly monitor who is accessing data and when.
- Don’t allow employees to share system credentials.
- Absolutely no USB-type devices at work.
- Make sure the IT department approves the installation of all third-party applications.
- Continually monitor and review activity across all IT assets. You can’t fix issues and reduce your risk if you do not have visibility.
- Be proactive in assessing and fixing exploitable weaknesses.
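Several of the policy points above (who accesses data and when, no shared credentials, no USB devices, IT-approved installs only) only work if something actually reviews the activity logs. The script below is an added example, not code from the article: it runs a small review over constructed log lines in an assumed `timestamp key=value ...` format and flags the same account active on two hosts at once (a common sign of a shared login), USB storage attach events, installs of applications not on the approved list, and every access to member data. All host names, user names, paths and device names are invented.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real system). Assumed format:
# ISO timestamp followed by space-separated key=value fields.
SAMPLE_LOG = """\
2016-06-14T08:55:02 host=branch01-teller03 user=jdoe event=logon
2016-06-14T08:57:40 host=branch01-teller03 user=jdoe event=file_access path=/members/accounts.db
2016-06-14T09:02:11 host=branch02-teller01 user=jdoe event=logon
2016-06-14T09:05:30 host=hq-loan-officer12 user=asmith event=logon
2016-06-14T09:06:02 host=hq-loan-officer12 user=asmith event=usb_attach device=removable_disk_E
2016-06-14T09:10:45 host=hq-loan-officer12 user=asmith event=app_install app=free-pdf-tools
2016-06-14T09:12:00 host=hq-it-admin01 user=itadmin event=app_install app=endpoint-agent
2016-06-14T12:30:00 host=branch01-teller03 user=jdoe event=logoff
2016-06-14T13:00:00 host=branch01-teller03 user=jdoe event=logon
"""

# Applications the IT department has approved (constructed list).
APPROVED_APPS = {"endpoint-agent", "core-banking-client"}

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'ts k=v k=v' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KEY_VALUE.findall(rest))
    fields["ts"] = ts
    return fields


def review(log_text, approved_apps):
    """Walk the log once and collect policy findings by category."""
    findings = {
        "shared_credentials": [],  # (ts, user, new host, hosts already active)
        "usb_attach": [],          # (ts, host, user, device)
        "unapproved_install": [],  # (ts, host, user, app)
        "data_access": [],         # (ts, user, host, path) - the "who and when" record
    }
    active = defaultdict(set)  # user -> hosts where a session is still open
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        event = e.get("event")
        if event == "logon":
            # A logon while the same user still has a session open elsewhere
            # is the signal that one credential is being used by two people.
            others = active[e["user"]] - {e["host"]}
            if others:
                findings["shared_credentials"].append(
                    (e["ts"], e["user"], e["host"], sorted(others))
                )
            active[e["user"]].add(e["host"])
        elif event == "logoff":
            active[e["user"]].discard(e["host"])
        elif event == "usb_attach":
            findings["usb_attach"].append((e["ts"], e["host"], e["user"], e.get("device")))
        elif event == "app_install" and e.get("app") not in approved_apps:
            findings["unapproved_install"].append((e["ts"], e["host"], e["user"], e["app"]))
        elif event == "file_access":
            findings["data_access"].append((e["ts"], e["user"], e["host"], e.get("path")))
    return findings


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG, APPROVED_APPS).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Note that the second `shared_credentials` finding in the sample comes from the session on branch02-teller01 that was never logged off: a review like this surfaces both the shared login and the stale session, which is why the logoff events matter as much as the logons.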
Financial institutions must focus on cybersecurity just as much as (and arguably more than) on other objectives, such as offering the latest mobile banking functionality. Credit unions must come to terms with how their IT security capabilities may be limited compared with those of larger entities, generally because they lack the big-dollar budgets for the latest tools and a team of experienced security analysts. However, being limited doesn’t make these organizations victims-in-the-making; it just means they need to prioritize what they tackle from a cybersecurity standpoint and be consistent in creating and enforcing security policies that will assist in the fight against cybercrime.