A New Age of Cybersecurity: The Best & Worst of Times

A New Age of Cybersecurity: The Best & Worst of Times

When Charles Dickens published A Tale of Two Cities in 1859 and introduced us to the infamous opening line, “It was the best of times, it was the worst of times…,” there’s no way he could’ve known how those words would resonate 160 years later. With the COVID-19 virus raging throughout the world and our once seemingly normal lives turned upside down, things are certainly surreal. And with so much unknown territory being brought to light because of the pandemic, it has us truly wondering, are we living in the best of times or the worst of times?

There is definitely a case for the latter, but look at all the positives – we have technology that allows us to work remotely, stay connected to our friends and family and make contactless transactions. But then again, technology is a double-edged sword isn’t it? Because with sophisticated programs and software like we have today, it can be used for both good and evil, the evil being hackers – those who seek to take from others in order to make gains for themselves, those who are preying on people during the pandemic and those who make your credit union operations more difficult.

You see, we’ve entered a new age of cybersecurity, one where we have hoards of resources at our disposal, but also one where the attackers do too. And, as previously mentioned, the continued presence of the virus in our lives brings about new scams every day. So we have to ask ourselves once again, is this the best of times or worst of times where cybersecurity is concerned?

The Best

We’ve all heard the phrase, “fight fire with fire.” That’s what makes this such a great time for cybersecurity. We really do have access to high-quality technologies and have amassed quite a thorough understanding about cyberattacks. We have the ability to be just as sophisticated and, ultimately, very proactive against our underhanded counterparts. Think of the firewalls and intrusion detection systems you have. Then add your annual security awareness training. Even these few things are good steps to creating a viable and effective cybersecurity foundation for your institution.

The Worst

But if we flip the coin, there are some pitfalls that make strong cybersecurity harder to achieve. Because technology has come so far, many of us utilize a cloud solution for virtual storage of information. We utilize remote wireless connections for employees to work remotely that may or may not be secure. In fact, it’s predicted that 27 percent of corporate data will bypass defense perimeters and go directly to the cloud by 2021 (which is only five months away). The downside to these new ways of accessing and storing data is that we have less control over outside variables, and that brings a level of uncertainty that hackers love to exploit. How we can be prepared for unknown attacks? How can we fight cyberattacks when there are pieces of the puzzle that we just can’t control 24/7?

Taking a Stand

Truthfully, there is no black or white answer, no cut and dry solution. There are ways to help protect your credit union against evildoers and build a robust cybersecurity program. If you can implement the following cybersecurity tactics, you’ll be well on your way to taking a stand against damaging cyberattacks.

Ensure secure connections.

This is especially important now, since many employees are working remotely in response to the pandemic. Make sure they are accessing your data through a secure connection. One of these critical pieces is a virtual private network (VPN), which allows your employees to utilize their home wi-fi (or wi-fi anywhere) and then sends them through a secure portal to get to your networks. There are other ways to establish secure connections as well, such as restricting personal device usage, blocking pop-ups and installing firewalls, for example.

Don’t shy away from security systems – use them!

Yes, the thought of expensive security systems sounds intimidating and maybe not feasible when it comes to your bottom line, but think also of the benefits. Security systems allow you to track and monitor your networks to make sure nothing malicious is coming in and nothing sensitive is going out. Or, if something does slip through the cracks, you can be alerted and take action quickly. Not only will these help you see what’s going on within your institution’s cyber presence day in and day out, but over time, it will help you to better understand your typical exchange of information so you can determine your baseline for cyberthreats. In addition, these systems may not be as expensive as you’d imagine and the role they could play in helping prevent a data breach is invaluable. A word to the wise – be sure to update security systems often so they are working properly and remain up-to-date.

Make staff security education a top priority.

Many, if not most, cyberattacks happen because of a sheer lack of knowledge. Just being aware of what’s going on in the world of cybercrime and how to detect a scam can make all the difference in the world. Educating your staff on these things is an important piece of any cybersecurity program. Show them what could happen, how to avoid potential issues and what to do if a cyberattack is imminent. Also keep in mind that annual security awareness training is required by the NCUA, so you’ll be killing two birds with one stone here.

Employ the “principle of least privilege.”

Not all employees need to have access to the same sensitive information. Perhaps your EFT staff will need to know account numbers and amounts, but your marketing staff may not. The fewer connections there are to your data, the less likely attackers will be able to expose that information. Determine where you can make limitations to lower your chance of information being hacked.

Strong passwords are a must.

We all know there are many rules surrounding passwords, but the ultimate goal is to create ones that are difficult to decipher. Implement common password requirements that include extended character minimums, the use of varied characters (letters, numbers, special characters, etc.) and expiration timeframes. These, in conjunction with multi-factor authentication (MFA) methods – such as a temporary code or assigned token – can make the task of compromising passwords infinitely more strenuous for hackers.

Enlist help from your IT department and even third-parties for extra protection.

Four eyes are better than two, as they say. The more people with knowledge about cybersecurity and technology that can keep an eagle eye on your institution, the better. If holes in your security parameters arise, your IT team or IT provider may be able to help fix them. These are also the people who will be setting up your VPN and limiting access to users, so they really are an integral part of your credit union’s security team. Keep them in the loop and utilize them for extra assistance to achieve maximum security. Is it surprising that some of these tactics are so simple? Sure, the minute details become more complex as you dig deeper, but the general ideas are pretty basic – establish a good foundation, strengthen your level of control where possible, constantly monitor, keep up open communication and embrace education for your staff.

Regardless of whether we’re navigating the effects of a pandemic or walking down easy street – living in the best of times or worst of times – protecting your data and that of your members is just as important as providing loans and setting up checking accounts. Cyberattackers are always looking for those who have the most to give, and, well, that would be credit unions. But with a few strategies and technologies under your belt, you can build a cybersecurity program that actually works.

For more information, please contact the risk management team at riskmanagement@vfccu.org.

John Cuneo is information security director for Vizo Financial. With over 10 years of information technology experience, Mr. Cuneo is well-versed in conducting information system risk assessments, providing security awareness training and analyzing security controls and reports.