Three Ways Credit Unions Can Fortify Their Cybersecurity Defense Plan

The average cost of a data breach in the United States increased from $7.91 million in 2018 to $8.19 million in 2019, according to this year’s Cost of a Data Breach Report. And the biggest contributor to data breach costs? Lost business.

Cyber breaches, which doubled from 2017 to 2018, can produce devastating financial and reputational losses that affect a credit union for years – if not shutter it altogether. Being able to control the storm of cyber events that come your way is therefore key to keeping your credit union solvent.

Many financial institutions believe that relegating cybersecurity to their internal IT professionals is enough. But with 20 million logged cyber events occurring in financial institutions each day and a global cyber staff shortage of 3 million, is it?

No.

Regulators hold the C-suite and Boards of Directors responsible for cyber safety and soundness, not tech teams. Therefore, credit union leadership must understand the cyber threat landscape while simultaneously tightening security programs, which starts with asking your teams some key questions and getting answers. By creating a culture of cybersecurity and cybercompliance, you can achieve real-time safety and soundness.

Question your security and compliance climate

Today’s regulated climate mandates that credit unions maintain both security and compliance – along with managing and measuring performance. So, here are three questions that should drive your cybersecurity checklist:

  1. Are we doing the right things?
  2. Are we doing the right things right?
  3. How can we prove that we are doing the right things right?

So, what are the “right” things? First, you must understand and comply with the cybersecurity standards and audit requirements that the Federal Financial Institutions Examination Council (FFIEC) and other regulatory agencies set for financial institutions.

The second point for a successful cybersecurity checklist is to establish an information security policy, business continuity plan and incident response plan.

An information security policy should ensure that everyone using technology within your credit union or on your networks complies with your rules and guidelines for protecting information, whether it is stored digitally on your network or physically within your four walls.

A business continuity plan outlines steps your credit union will take to respond to and recover from business disruptions, including those caused by cyber events. And an incident response plan systematically documents and manages situations resulting from IT security incidents and breaches.

Finally, to prove you’re doing the “right things right,” educate and test your team, test for vulnerabilities and enact measures to ensure the weaknesses you find don’t become full-blown breaches. For most credit unions, this includes hiring a third-party cybersecurity provider to help.

Look to employ outside help

An outside partner can conduct ongoing vulnerability and penetration testing on your behalf, analyze and prioritize findings, and alert you of incidents needing immediate attention. Just be careful when choosing because most cybersecurity providers are generalists who are unfamiliar with financial institutions’ specific needs.

A reputable vendor should be able to prioritize findings for you to address and recommend a methodology for treating risk, and should understand FFIEC’s Cybersecurity Assessment Tool (CAT) and the Center for Internet Security’s (CIS) Critical Security Controls. Make sure, however, to avoid organizations that deliver an endless list of vulnerabilities, take a patch-everything approach with no priorities, and offer no clear risk-treatment strategy.

Know, too, that some analysts predict major changes coming in the cybersecurity space, particularly with a cybersecurity staff shortage in the millions.

In a recent Gartner Blog Network post, computer security specialist Anton Chuvakin, research director at Gartner for Technical Professionals (GTP) and Risk Management Strategies (SRMS) team, wrote: “A revolution is coming…that will sweep away many security products and will replace them with ‘product-service fusions’ where you pay one amount for using the tools together with ongoing help with their operation.”

By partnering with outside help dedicated solely to your space, your credit union can successfully adopt such a product-service fusion approach, allowing you to maintain both cybersecurity and cybercompliance.
