What is Cybersecurity Month?
Since 2004, October has been designated as Cybersecurity Awareness Month, dedicated to educating both individuals and companies on how they can limit cybersecurity risks. For credit unions, this month is not only a great opportunity to educate members on how they can be more vigilant, but also to re-examine your own credit union’s cybersecurity precautions, staff awareness, and potential risks.
Since the start of the pandemic back in 2020, cyberattacks have risen by 600%, meaning it’s now more crucial than ever to be alert and prepared for these attacks. Ransomware in particular is now upwards of 57 times more harmful than it was as recently as 2015. When was the last time you updated your protocols or held a staff meeting to discuss what such attempts might look like? How confident are you in your cybersecurity?
Credit unions already have protections, right?
As credit unions, we might not feel the need to brush up on our cybersecurity knowledge as much as others. After all, financial institutions spend more on cybersecurity than just about anyone, and we go to great lengths to educate employees on the warning signs of a potential phishing scam or cyberattack. So we should be all set, right?
While it is true most credit unions probably have sufficient cybersecurity, our industry also stands to lose more than most. Additionally, despite all preparation and vigilance, mistakes can still happen. All it takes is one bad link in an email to open the doors to a cyberattack. Such attacks are expensive and can severely damage a credit union’s reputation. (Interested in what the during and after of a cybersecurity breach looks like? Matt Sawtell recently detailed his experience dealing with a ransomware attack at a credit union.)
Despite best efforts, there are always cracks in security you may not be aware of that could put your credit union at risk for a cyberattack. A study conducted in March 2021 by Black Kite found that 86% of credit unions and 76% of vendors servicing the credit union industry have breached employee credentials available on the dark web, and that more than 66% of credit unions and 88% of vendors lack email security to prevent spoofing and phishing attacks. These are huge risks that are seemingly being overlooked. Protecting member information and assets is the name of the game, and if a financial institution fails to achieve that, it risks losing not only its members’ data but their trust.
Furthermore, a credit union’s cybersecurity is not just dependent on its own efforts, but on its vendors’ as well. If a vendor has a cybersecurity risk, every credit union it works with has one as well. The same study also found vendors to be credit unions’ greatest cybersecurity vulnerability, with attacks on these vendors costing upwards of $1 million per event per credit union. As noted above, these vendors lack many of the same security measures a credit union might have. Each and every vendor is an additional risk, one credit unions should be assessing.
Simple steps to take
So what can credit unions do this month to brush up on their cybersecurity knowledge and fill any potential gaps in their cybersecurity plan? The first step should be to have a refresher meeting with staff on email security, such as what phishing and other attacks may look like when sent, the importance of regularly changing passwords (regular password changes should be mandatory if they are not already), and how they can keep information secure.
This meeting would also be a good time to go over your business continuity plan and ensure employees are aware of what steps to take in a cybersecurity incident: who they should report the incident to, what they can do right away to minimize risk, etc. On that topic, make sure your business continuity plan is up-to-date and has strict guidelines in place in case of a cybersecurity incident. Hopefully, you never need to use it, but response time is critical in preventing further loss of data and limiting the cost of a breach.
Furthermore, credit unions should conduct a scan to find out if any of their member or staff information is currently on the dark web. As noted earlier, 86% of credit unions have employee data leaked on the dark web. There are many services that offer free scans that will alert you to any data breaches. This information cannot be removed from the dark web, but being informed allows you to prevent it from being used by changing login usernames and passwords, and enabling two-factor authentication where possible.
Credit unions should also check in with their vendors. Examine their current cybersecurity measures and pay attention to key areas such as information security, business resiliency and recovery, employee training, incident response, regulatory compliance, insurance, independent testing, and financials, as recommended by NContract. While a vendor is not legally required to give you all this information, it may say something if they are unwilling to.
Member education should be a priority as well
Don’t forget to help your members as well. Individuals may not need all the bells and whistles that financial institutions do to be cyber secure, but they need to be just as alert to where their information might be compromised. According to PurpleSec, 71.1 million people fall victim to cyber crimes yearly. Your members don’t just face potential data breaches through your credit union, but through every app, account, subscription service, and email they have.
Use this month to offer your members education on how to protect themselves from individual cyberattacks and how to be on the lookout for scams. You might also recommend they do a dark web scan. If their information has been leaked, the credit union can advise them of the next steps (freezing their credit, changing passwords, etc.). You should also consider hosting informational events or offering one-on-one meetings with a staff member where members can ask questions and get some cybersecurity tips. Even a few posters, flyers, or other materials in your lobby with tips and warning signs can make a difference.
Participating is easy!
If you don’t have a plan yet for Cybersecurity Month, don’t fret, you still have plenty of time to get something going. Start going over your current cybersecurity measures and take the above steps one by one. You don’t need to have fanfare all month long, but a few initiatives can go a long way. As for CUSO Magazine, we will continue to publish articles on the topic all month long, so make sure to check in weekly or go here to view all our cybersecurity articles.