Have you ever tried to explain the game of baseball to someone who has never seen it before? Did you quickly get lost in the minutiae of the rules and find your audience frustrated by their inability to grasp the details? If you want a laugh, Google Bob Newhart’s explanation of baseball and you’ll hear what I mean.
To credit union executives, cybersecurity can seem like stumbling upon a game of baseball with no prior exposure. It’s complex, difficult to understand, and expensive to get into.
October was Cybersecurity Awareness Month in the U.S.—a collaborative effort between government and industry to raise awareness and promote cybersecurity education. A lot of ink was spilled on the topic, much of it helpful. But what are the key takeaways for the busy credit union executive? What can you do right now to improve your security posture and peace of mind?
Secure your people against phishing attacks
Problem: Email is a primary path for exploitation by bad actors. A user clicking a link or opening an attachment can give the bad guys a foothold inside your network in just a few seconds.
- Regularly remind and test your users. Remind them not to click links or open attachments in emails they are not expecting, even if the sender appears to be someone they recognize. A familiar name in the From field is easy to forge or to steal.
- Give them permission to delete, or better, report, emails they are suspicious of.
- Use a testing tool like KnowBe4 to regularly test and train employees and encourage and reward them for demonstrating proper handling of email.
- Reward those who promptly report when they’ve made a mistake instead of punishing them. An employee who clicked and says so within minutes gives your team a head start; one who stays quiet gives the attacker one.
- Realize you can be duped as well, and understand that as an executive you are a primary target of bad actors. Think twice before clicking.
- If you use the cloud for email, you must turn on two-factor authentication for every email account, including shared mailboxes and any service accounts, not just the ones people log into daily. A cloud mailbox is reachable from anywhere in the world, so a password alone is all that stands between an attacker and your mail.
Have a plan for patching everything
Problem: New security vulnerabilities are discovered every day in all sorts of products. Bad guys use these vulnerabilities to get into your network, and anything reachable from the internet is the first place they look.
- Everything you plug into your network needs to be updated or patched regularly.
- Put another way, don’t plug anything into the network that you aren’t willing to maintain for its entire lifespan.
- Have a solid patch-management plan that ensures everything plugged into your network is accounted for, with someone named as responsible for each item.
- Keep an up-to-date inventory of everything that’s on your network and know whether it’s connected to the internet. Internet-facing systems should be patched first and fastest.
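As an added illustration of what the inventory check above can look like in practice (example code written for this article, not from any vendor tool or the credit union’s own systems), the Python below reviews a small constructed asset list. Internet-facing assets get a shorter patch window and are reported first, devices with no recorded owner are flagged because nobody is accountable for patching them, and devices with no patch date are flagged as unknowns. The device names, dates, and the 14-day and 30-day windows are assumptions, not a recommended policy.

```python
"""Review an asset inventory for overdue patching.

Added example, not from the article or any product. The inventory rows,
device names, dates and patch windows below are all constructed.
"""
from datetime import date

# Hypothetical patch windows in days. Internet-facing assets get a tighter
# window because an attacker can reach them without first being inside.
MAX_AGE_INTERNET_FACING = 14
MAX_AGE_INTERNAL = 30

# Date the review is run (constructed).
REVIEW_DATE = date(2023, 11, 1)

# Constructed inventory: one entry per device plugged into the network.
INVENTORY = [
    {"name": "vpn-gateway",  "owner": "IT",  "internet_facing": True,  "last_patched": date(2023, 9, 1)},
    {"name": "mail-relay",   "owner": "IT",  "internet_facing": True,  "last_patched": date(2023, 10, 20)},
    {"name": "file-server",  "owner": "IT",  "internet_facing": False, "last_patched": date(2023, 8, 15)},
    {"name": "teller-pc-07", "owner": "Ops", "internet_facing": False, "last_patched": date(2023, 10, 10)},
    {"name": "lobby-camera", "owner": None,  "internet_facing": False, "last_patched": None},
]


def patch_window_days(asset):
    """Allowed days since the last patch for this asset, based on exposure."""
    return MAX_AGE_INTERNET_FACING if asset["internet_facing"] else MAX_AGE_INTERNAL


def review_inventory(inventory, today):
    """Return findings as dicts (asset, priority, reason).

    Priority 1 is internet-facing, 2 is internal; the list is sorted so the
    internet-facing problems come first.
    """
    findings = []
    for asset in inventory:
        priority = 1 if asset["internet_facing"] else 2
        if asset["owner"] is None:
            findings.append({"asset": asset["name"], "priority": priority,
                             "reason": "no owner recorded; nobody is accountable for patching it"})
        if asset["last_patched"] is None:
            findings.append({"asset": asset["name"], "priority": priority,
                             "reason": "never patched, or patch date unknown"})
            continue
        age = (today - asset["last_patched"]).days
        limit = patch_window_days(asset)
        if age > limit:
            exposure = "internet-facing" if asset["internet_facing"] else "internal"
            findings.append({"asset": asset["name"], "priority": priority,
                             "reason": f"{exposure} asset last patched {age} days ago; window is {limit}"})
    findings.sort(key=lambda f: (f["priority"], f["asset"]))
    return findings


def overdue_assets(inventory, today):
    """Names of assets with at least one finding, highest priority first."""
    names = []
    for finding in review_inventory(inventory, today):
        if finding["asset"] not in names:
            names.append(finding["asset"])
    return names


if __name__ == "__main__":
    for finding in review_inventory(INVENTORY, REVIEW_DATE):
        print(f"P{finding['priority']} {finding['asset']}: {finding['reason']}")
```

Run against the constructed data on 2023-11-01, the VPN gateway is reported first (61 days since patching against a 14-day window), then the internal file server and the unowned, never-patched lobby camera; the mail relay and the teller PC are inside their windows and produce nothing. The point of the exposure flag is exactly that ordering: the same age of patch is a much bigger problem on a device the internet can reach.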
Have a practiced incident and disaster response plan
Problem: Security events will happen: users will click a link they shouldn’t, your VPN will need emergency software patches, or your server will run out of space and crash. These are all events you will need to respond to. Are you ready? (Not sure if you’re ready? Check out this series on creating and testing your incident and disaster response plan.)
- Have documented response plans for security incidents and disasters.
- Not all disasters involve your building being on fire. A disaster can be a file server running out of space.
- Your plan should include a response to ransomware, including how you would restore from backups that an attacker inside your network could not reach or encrypt.
- Practice your plan: run two tabletop exercises a year with your team. Get them thinking and communicating. Who calls whom, and what you say to members and to the media, should be decided now, not in the heat of the moment.
Understand your remote access
Problem: Most of your employees have some sort of remote access, especially in this post-COVID world. Bad actors will attempt to use your employees’ remote access to gain a foothold inside your network, because a valid login looks nothing like a break-in.
- Understand every way employees can connect to your network remotely: email, VPN, remote desktop, and so on.
- Require two-factor authentication for all external connections.
- Consider time-of-day restrictions. A login at 2 a.m. from an account that works 9 to 5 deserves a look.
- Regularly audit remote-access users and disable accounts that no longer require access: departed employees, vendors whose engagement has ended, and accounts that have not been used in months.
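To show what the audit and time-of-day checks above can look like when written down, here is an added example in Python (not code from the article or from any VPN product). It compares a constructed VPN account list against a constructed HR roster, flags accounts without two-factor authentication, never used, or idle past a threshold, and then scans a few constructed log lines for successful connections outside business hours or on weekends. The user names, dates, log format, the 60-day idle threshold and the 07:00 to 18:59 business window are all assumptions.

```python
"""Audit remote-access accounts and VPN logins.

Added example, not from the article or any VPN product. The staff roster,
account list, log lines, business hours and idle threshold are constructed.
"""
from datetime import date, datetime

# Constructed: who HR says currently works here.
ACTIVE_STAFF = {"alice", "bob", "carol"}

# Constructed VPN account list: everyone who can connect from outside,
# whether two-factor authentication is enforced, and the last login date.
VPN_ACCOUNTS = [
    {"user": "alice",       "mfa": True,  "last_login": date(2023, 11, 4)},
    {"user": "bob",         "mfa": False, "last_login": date(2023, 10, 30)},
    {"user": "carol",       "mfa": True,  "last_login": date(2023, 8, 1)},
    {"user": "dave",        "mfa": True,  "last_login": date(2023, 10, 31)},  # no longer employed
    {"user": "vendor-acme", "mfa": False, "last_login": None},
]

# Constructed VPN log, one connection attempt per line: date time user result
VPN_LOG = """\
2023-10-30 08:15:02 alice success
2023-10-30 23:47:10 bob success
2023-10-31 02:03:55 dave success
2023-11-02 09:40:00 eve failure
2023-11-04 11:30:00 alice success
"""

AUDIT_DATE = date(2023, 11, 6)     # constructed date the audit is run
MAX_IDLE_DAYS = 60                 # hypothetical policy
BUSINESS_HOURS = range(7, 19)      # 07:00 to 18:59 local, weekdays only


def audit_accounts(accounts, active_staff, today):
    """Map each account that needs attention to the list of reasons why."""
    issues = {}
    for acct in accounts:
        reasons = []
        if acct["user"] not in active_staff:
            reasons.append("not on the active staff roster: disable")
        if not acct["mfa"]:
            reasons.append("two-factor authentication not enforced")
        if acct["last_login"] is None:
            reasons.append("never used: remove unless there is a documented need")
        elif (today - acct["last_login"]).days > MAX_IDLE_DAYS:
            reasons.append(f"idle for more than {MAX_IDLE_DAYS} days: disable")
        if reasons:
            issues[acct["user"]] = reasons
    return issues


def parse_log(text):
    """Turn the constructed log format into dicts carrying a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, user, result = line.split()
        events.append({"when": datetime.fromisoformat(f"{day} {clock}"),
                       "user": user, "result": result})
    return events


def after_hours_logins(events):
    """Successful connections on a weekend or outside business hours."""
    flagged = []
    for ev in events:
        if ev["result"] != "success":
            continue
        when = ev["when"]
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            flagged.append((ev["user"], when.strftime("%Y-%m-%d %H:%M")))
    return flagged


if __name__ == "__main__":
    for user, reasons in audit_accounts(VPN_ACCOUNTS, ACTIVE_STAFF, AUDIT_DATE).items():
        print(f"{user}: {'; '.join(reasons)}")
    for user, when in after_hours_logins(parse_log(VPN_LOG)):
        print(f"after-hours login: {user} at {when}")
```

On the constructed data, the account audit leaves alice alone and flags bob (no two-factor), carol (idle since August), dave (still enabled after leaving) and the vendor account (never used, no two-factor, not on the roster). The log scan flags bob at 23:47, dave at 02:03 and alice on a Saturday; the failed attempt by the unknown user eve is ignored here because the check is about successful access, though a real review would look at failures too. Note that dave’s last login was after he left: the roster comparison catches what the idle check alone would miss, which is why both are needed.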
Break it down
Cybersecurity is challenging for everyone with a computer, but it doesn’t have to be so complicated that no one understands it. While there are no silver bullets, you can get a grasp on it by breaking it down into these basic components, just like the complicated game of baseball. Require your team to stay on top of these areas and you will have taken significant steps toward improving your cybersecurity posture.