Are You Prepared for Cybersecurity Month?


Well, readers, it felt like Summer would never end, but it tragically has, just as all good things do. Now, as we mark the start of Autumn with the changing of the leaves, get our spooky decorations out of the closet, and try on costumes, it’s important to remember that trips to the pumpkin patch and Halloween aren’t the only events of the season.

The start of October also marks the start of Cybersecurity Awareness Month, a time dedicated since its inception in 2004 to educating both individuals and companies on how they can limit cybersecurity risks. For credit unions, this month is not only a great opportunity to educate members on how they can be more vigilant, but also a chance to re-examine your own credit union’s cybersecurity precautions, staff awareness, and potential risks.

Crime never sleeps

As always, Cybersecurity Month can never come too soon. At the risk of sounding like a broken record, the reality is that cybercrime increases every year, as does the number of people affected. Despite new technology, security protocols, and increased awareness, cyberattacks are higher than ever. While it feels as though we say that every year, the sad reality is, it’s true.

In just one year, from 2022 to 2023, the average ransom demand from a ransomware attack reached $1.54 million, nearly double the amount in 2022. In fact, in just the first 6 months of 2023, ransomware extortion totaled $176 million more than in all of 2022, according to a report from Chainalysis.

With a cyberattack happening every 37 seconds, or over 4,000 per day, and over 60% of businesses reporting they were targeted by a ransomware attack in 2023, the odds are likely that in the next year, your credit union might be on the receiving end of an attempted attack. Whether or not the attempt is successful depends on your credit union’s staff, members, and defenses. So why delay in making sure all three are up to snuff?

Where are the attacks coming from?

As they say, the best defense is a good offense, which means educating the credit union and your members on all the potential means and methods cybercriminals will use to get into your system. The most common cyberattack businesses see is malware, but the type can vary. In his article on malware, Keegan Krajniak covers the different kinds, what they can do, and how they can be recognized.

While no malware is good malware, the outcome of these attacks and the expenses involved can vary depending on the specific malware used. Ransomware, for example, is by far the most lucrative opportunity for criminals and by far the most expensive for credit unions to combat once started. In fact, the amount criminals pull in from ransomware attacks motivated over 72% of cybersecurity attacks in 2023, as businesses tend to simply pay the ransom.

However, though these attacks may differ in their approaches and expenses, they have one thing in common: they start with an email. Or phishing, to be more precise. It is estimated that as much as 91% of cyberattacks come through email, and not all of them are as obvious as the Nigerian prince asking for help. They tend to be much craftier and more deceptive attempts, such as Business Email Compromise (BEC), a specially targeted type of phishing designed to make the user more likely to trust the sender, which accounts for 35% of all cybersecurity incidents.

Credit unions in particular are at risk for these email attacks, as Comparitech notes that smaller organizations (with 1 – 250 employees) have the highest targeted malicious email rate. Smaller credit unions may not be up-to-date on the latest cybersecurity measures or may feel that due to their size, they are less of a target when the reality is the opposite.

So how can credit unions best position themselves and their members to avoid these attacks?

What steps should I take right now?

The best thing to do right off the bat is to ensure your credit union has multi-factor authentication (MFA) enabled across the board. Not just for member accounts, but for credit union devices and staff accounts as well. This will add an extra layer of security, meaning that in case a bad actor does get their hands on an employee or member’s password, they still aren’t able to access the account.

This can be a critical difference in whether or not a cyberattack is successful. As Brian Henderson mentions in his article on the seven layers of cybersecurity defense, the human layer is the first and most vulnerable layer. Therefore, it is most likely to be the first one to fail in a potential attack (by clicking on a phishing email for example) and requires protections to fall back on.

Jumping back to our BEC incidents, Arctic Wolf reported that “In 80% of the organizations where a BEC attack occurred, no multi-factor authentication solution was in place before their incident,” proving the effectiveness of adding multi-factor authentication.

But if you’re not sold on MFA (yet), now is the time to get on board the bandwagon as cyber liability insurance carriers will almost always require credit unions to have MFA in place—as Patrick Sickels goes into here. And if you were wondering, the answer is yes, you absolutely should have cyber liability insurance.

The importance of these two protections cannot be overstated, but as usual, one of the best weapons in your arsenal is education, education, and more education. Make sure your members and staff are up-to-date on the latest phishing scams and what telltale signs they can watch out for, such as suspect email addresses or instructions telling the recipient to click on a link.

In the meantime, practice your cybersecurity protocol as well. In the event an employee does fall for a phishing email, who should they report the incident to? What steps should be taken to minimize potential effects? If an attack follows, what are your first steps to solving the problem? How do you alert your members to the problem? Have a plan in place, update it regularly, and practice it often!

Don’t let your credit union be the next victim

Cybersecurity Awareness Month is not a summons, but it is a great opportunity to find ways to improve your credit union’s current protections and offer much-needed education for employees and members alike. If you’re not currently involved in Cybersecurity Month, now is the perfect time to get started.

Start the ball rolling on getting multi-factor authentication incorporated into your online banking system and on staff accounts. Do some research on cyber-liability insurance providers and what requirements they have in place to qualify. Do you meet those requirements, and if not, how can you change that? When was the last time you updated your staff and members on the latest attack methods? Don’t wait until it’s too late!

If you’re looking for advice or ways to get started, you can check out our articles on the topic! Furthermore, we will be tackling the subject of cybersecurity all throughout October, so stay tuned for more!
