Be Cyber Safe: 4 Tips to Secure Your Credit Union During Cybersecurity Awareness Month

Earlier this year, we learned that millions, if not billions, of people were impacted by the National Public Data breach that occurred in December of 2023. Through this data breach, personal information like Social Security numbers, addresses and phone numbers was exposed to bad actors.

In July, Ticketmaster released information on a data breach that happened within their organization, which resulted in people’s credit card details, phone numbers, email addresses and other personal information being exposed. Those are just two examples of cyber incidents that are happening to many organizations all across the world, and both should serve as a warning: we need to be more vigilant in protecting our organizations and ourselves from bad actors. If you’ve heard me say it once, you’ve heard me say it multiple times — cyberattacks are no longer an “if” situation for your credit union, but a “when.”

That’s why I’m thankful that months like Cybersecurity Awareness Month — which has been recognized every October since 2004 — exist because they’re a great reminder that we have to be careful when we’re online. This year, for Cybersecurity Awareness Month, the theme is Secure Our World, and with all of the recent data breaches, there’s no better time than now to make sure that we’re protecting our organizations, employees and members from bad actors. To help raise awareness this month, I wanted to share some key tips from the Cybersecurity and Infrastructure Security Agency (CISA) on how to keep your organization secure, which will, in turn, help secure our world:

Use passphrases and a password manager

While strong passwords are vital in protecting your accounts, there’s an even better way to protect them: passphrases. Passphrases are exactly what they sound like – a phrase that is used in place of a regular password. I recommend using passphrases instead of passwords because they’re typically longer, harder for bad actors to guess and more complex than a regular password. They’re also easier to remember. To come up with these passphrases, you can think about your favorite movie, song, TV show, hobby, foods, etc.

As an example, I’ll use the food category. I could use a phrase like “Orange vegetables are gross, but I like green ones.” As a passphrase to secure your accounts, this may look like: 0r@ng3V3g!35YucKGre3nYum. Notice how I also included uppercase and lowercase letters, numbers and special characters. This will make your passphrase even more difficult for a bad actor to guess.

In addition to creating strong passphrases, I also recommend that you change them frequently, at least every 90 days. You should also have a unique passphrase for each of your accounts. According to a report conducted by the National Cybersecurity Alliance, fewer than 40 percent of people use a different password for each of their accounts.
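
An added example, not part of the original article: a short Python audit that applies the passphrase guidance above (uppercase, lowercase, numbers and special characters; a unique passphrase per account; a change at least every 90 days) to a constructed inventory. The 16-character minimum, the function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import string
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90  # rotation interval recommended in the article


def missing_classes(secret):
    """Return the recommended character classes that the secret lacks."""
    checks = {
        "uppercase": any(c.isupper() for c in secret),
        "lowercase": any(c.islower() for c in secret),
        "digit": any(c.isdigit() for c in secret),
        "special": any(c in string.punctuation for c in secret),
    }
    return [name for name, present in checks.items() if not present]


def audit(entries, today, min_length=16):
    """Audit (account, secret, last_changed) tuples; min_length is an assumed policy value."""
    findings = defaultdict(list)
    by_digest = defaultdict(list)
    for account, secret, changed in entries:
        # Group accounts by digest so reuse shows up without pairwise comparison.
        by_digest[hashlib.sha256(secret.encode()).hexdigest()].append(account)
        if len(secret) < min_length:
            findings[account].append("too short")
        for cls in missing_classes(secret):
            findings[account].append(f"no {cls}")
        if (today - changed).days > MAX_AGE_DAYS:
            findings[account].append("older than 90 days")
    for accounts in by_digest.values():
        if len(accounts) > 1:
            for account in accounts:
                findings[account].append("reused")
    return dict(findings)  # accounts with no findings are omitted


# Constructed sample inventory (not real credentials or real systems).
SAMPLE = [
    ("core-banking", "0r@ng3V3g!35YucKGre3nYum", date(2024, 9, 1)),
    ("email", "Summer2024", date(2024, 3, 15)),
    ("wire-portal", "Summer2024", date(2024, 9, 20)),
]

if __name__ == "__main__":
    for account, issues in audit(SAMPLE, date(2024, 10, 1)).items():
        print(account, issues)
```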

Now, you may be thinking — John, do you know how many accounts I have? If I used a different passphrase for every account, I’d never remember my passphrases! My response to you would be…utilize a password manager. Password managers are incredibly beneficial because they can help you create strong passphrases, and they’ll even remember them for you. They’re powerful tools that I encourage you to look into using for your credit union accounts and your personal accounts.

You can learn more about password managers and their benefits in a blog article I wrote last year called: 5 Reasons Why a Password Manager is Worth the Investment. If you’re not interested in using a password manager, make sure you’re creating strong passphrases. My colleague, Mike Bechtel, wrote an article about how to create passwords and passphrases that bad actors can’t easily guess. Check out the article, Cracking the Password Code…So Hackers Can’t Crack Yours, and invite your staff to read it as well.

Use Multi-Factor Authentication

Multi-Factor Authentication (MFA) helps protect your accounts in the event that your passphrase is guessed, either through brute force or because it wasn’t strong enough. It’s an additional layer of protection for your accounts, as it requires you to have two factors of authentication to sign in. There are three categories of factors — something you know (passphrase, PIN, security questions, etc.), something you have (token, ID, etc.) and something you are (biometrics like your fingerprints or face).

If you have MFA enabled on your accounts and a bad actor guesses your passphrase, then it will also require them to use something else from one of the three categories to sign into your accounts. Some of these factors are stronger than others. For example, security questions may not protect your account as well as your fingerprint does, because bad actors can easily guess the answers to your security questions if they’re something simple like your mom’s maiden name or the make and model of your first car. If you’re not already using MFA at your institution, I believe it’s a change worth making.

Update software

The report that I mentioned earlier — the one conducted by the National Cybersecurity Alliance — revealed that fewer than 40 percent of people regularly update their software. I know it can be frustrating having to balance serving your members and updating your software, but regularly updating your systems protects them against bad actors. These updates provide security patches, and they fix any bugs within the system. I know it’s easier to push updates off to a later date, but bad actors are looking for vulnerabilities within your systems. If they find one, they won’t wait to exploit it, which is why you shouldn’t wait either when you receive an alert to update your systems. I encourage you to check out this article about the importance of patches and updating your software.

Recognize and report phishing

Bad actors are becoming more skilled at crafting phishing emails. They want to trick you into clicking on a bad link so that they can infiltrate your systems and network. That’s why they’ll try to create a sense of urgency in their emails, so that you won’t take the time to actually examine the message. It’s imperative to make sure that your employees not only recognize a phishing attempt, but also report it — even one that seems to come from a legitimate email address.

Phishing emails often have “red flags” that can reveal their true intentions. These red flags could be in the email address, subject line, body message or even the links. We have a great article on our blog that explains the main areas where you should look for red flags when determining whether an email is legitimate.

As credit unions, we’re privy to Personally Identifiable Information (PII) for both our employees and members. We have a responsibility to protect them and our institution as a whole against bad actors. If we all follow these tips and guidelines to secure our institutions against bad actors, then ultimately, we can help secure our world and make the cyber world safer for everyone. And that’s the idea behind Cybersecurity Awareness Month.

If your credit union is interested in building a good defense strategy to help protect your institution from bad actors, Vizo Financial also offers services through our partner, DefenseStorm. Visit our website to learn more about these services.


John Cuneo works as the VP of information security for Vizo Financial Corporate Credit Union. In this role, he conducts incident response planning and testing, security awareness training and information security policy and procedure reviews. Mr. Cuneo also delivers tailored consulting services to credit unions, assisting them with their specific information security needs.