On-premise email servers have become as passé as buckle shoes. Credit unions have rushed to put their technology infrastructure in the cloud. Moving to the cloud has benefits such as quick provisioning, no hardware to manage, built-in upgrades, and transitioning capital expenses to operational expenses. However, the cloud has also opened new opportunities for bad actors to worm their way into networks and steal or wreck sensitive data.
Here is what credit union leaders need to know to protect their organizations.
Mandatory Multi-Factor Authentication (MFA)
Requiring MFA is the single most impactful step you can take to secure your environment. The small inconvenience of entering a second factor is far outweighed by the potential damage if an employee falls for a phishing attack and discloses their password.
We expect within the year that MFA for cloud email accounts will be required for cybersecurity insurance coverage and that claims will be denied if not in place. Get it done today.
The takeaway: turn on multi-factor authentication (MFA) for all email accounts.
Teach and test your employees
Employees fall for phishing attacks daily, and unless they are trained to recognize potentially unsafe emails and not to click on links or open unexpected attachments, someone will eventually fall for a scam. The impact of falling for a phish can run to hundreds of thousands of dollars, as it is not uncommon for staff to act on fraudulent wire transfer requests. Put the odds in your favor and test employees quarterly using a service such as KnowBe4.
The takeaway: set up regular email phishing testing for employees.
Turn off or restrict email attachments
Attachments can hide malware, and custom-built malware used by a determined attacker can defeat many anti-virus systems. Use the attachment restriction features from your cloud provider to strip attachments completely, or only allow safe ones through.
The takeaway: disable email attachments or turn on Office 365 Safe Attachments.
Disable email forwarding
Bad actors who successfully compromise an email account typically set up an auto-forward rule that sends every message received by that account (including sensitive ones) to a separate email address under the attacker's control. This can be done without the victim ever knowing it is happening, and the rule keeps working even after the password is changed, unless someone finds and removes it. Get in front of this risk by globally disabling email forwarding.
The takeaway: disable email forwarding globally.
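As an added example (not from the article), here is how both halves of this recommendation look in Exchange Online PowerShell for a Microsoft 365 tenant: first audit which mailboxes and inbox rules already forward mail, then turn automatic forwarding off tenant-wide. It assumes the ExchangeOnlineManagement module is installed and the account running it holds Exchange administrator rights; the CSV file names are my own choice.

```powershell
# Added example: audit and then disable outbound auto-forwarding in Exchange Online.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# 1. Mailbox-level forwarding (set by an admin or through mailbox settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwards = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect: the pattern described in the article,
#    which survives a password reset until the rule itself is removed.
$ruleForwards = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n = 'Mailbox'; e = { $mbx.UserPrincipalName }},
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Review both lists before changing anything; a legitimate forward (for example a
# shared mailbox) needs a documented exception rather than a silent one.
$mailboxForwards | Format-Table -AutoSize
$ruleForwards    | Format-Table -AutoSize
$mailboxForwards | Export-Csv -Path .\mailbox-forwarding.csv -NoTypeInformation
$ruleForwards    | Export-Csv -Path .\inbox-rule-forwarding.csv -NoTypeInformation

# 3. Disable automatic forwarding to external recipients for the whole tenant.
#    The outbound spam filter policy governs forwarding done by rules and mailbox settings.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#    The Default remote domain covers every external domain, so this also blocks
#    client-side (Outlook) auto-forwarding to the outside.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run the audit part on a schedule: a newly created forwarding rule on an account that had none is a strong signal that the account has been compromised.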
Administrator accounts are risky
Administrator accounts are frequently targeted by bad actors. A successful attack usually results in a full compromise of the organization. Therefore, administrator accounts should never be used for normal business functions.
Users who need administrator privileges should always have a primary account without any special privileges that they use for day-to-day activities. Administrator accounts should only be used when necessary, and your credit union should know how many exist through regular auditing. Administrator accounts should be required to use MFA every time they are used.
The takeaway: administrators should only use their admin accounts when necessary, all administrator accounts should require MFA, and all administrator accounts should be audited regularly.
Enable alerts for suspicious activity
Most cloud providers support alerting for activities such as the creation of new email accounts, login attempts from suspicious locations, or accounts exceeding sent mail thresholds, which could be an indicator that the account was compromised.
The takeaway: turn on alerts for suspicious activity.
Auditing is for forensics
Account activity auditing should be enabled for cloud environments. Any change made to the system, authentication activities, and user activity should be centrally recorded by the system. These logs will be of primary importance to unravel a breach and evaluate if personally identifiable information (PII) was compromised or exfiltrated from the organization. Logs should be kept for a minimum of 90 days and ideally for a year.
The takeaway: turn on auditing for cloud environments and ensure at least a 90-day retention period.
Use the provider’s security checks
Most major cloud providers, such as Microsoft 365, provide a Security Scorecard dashboard that analyzes the environment's security posture and gives specific recommendations to improve its overall score. Make use of these tools and reports, and consult with your IT team on following the recommendations to improve the security score for the environment.
The takeaway: use and follow the cloud provider’s security scorecard dashboard.
Tighten up your controls!
Some of these recommendations are technical in nature, but it’s important that credit union leaders know they are ultimately responsible for the safe operation of their email environment. Just because a third party was hired to manage the environment does not mean the credit union is no longer ultimately responsible for ensuring the environment is operated in a safe and secure fashion.
The cloud is not inherently more secure than on-premise environments and may in fact be less secure if additional steps are not taken to tighten up default controls. It is up to every credit union to understand its cloud environment and know it is configured properly according to its cybersecurity policies.