Constructing a Cybersecurity Culture at Your Credit Union
I’ve been at Vizo Financial for almost 11 years now, and I’ve had the pleasure of getting to know many of our members throughout my tenure here. I’ve helped our members with security issues, spoken at different events and even presented at a few webinars that the Corporate has hosted. However, what a lot of people may not know about me is that I’m also a contractor.
Ok, maybe not an actual contractor, but today, I’m going to be your credit union’s cybersecurity culture contractor (try saying that five times fast). Just call me Bechtel the Builder because I’m going to help you construct a cybersecurity culture at your credit union.
What is a Cybersecurity Culture?
You’re familiar with your credit union’s culture – the way your team interacts with each other, your values and goals as an organization, etc. Well, a cybersecurity culture is no different. Whether your employees are virtual or in-office, it’s important that everyone is on the same page when it comes to security awareness. Your employees should understand and carry out your policies, procedures and processes, but even more than that, they should really believe in them and what your credit union is trying to accomplish with them. So, the question becomes, where do I start? And to that I say, at the top…but also at the bottom. Let me explain.
How to Construct a Cybersecurity Culture
Step 1: Build a Strong foundation.
As with any house or building, you need a solid foundation so that when oppositions arise, the house will stand strong. For your credit union’s cybersecurity culture, this strong foundation is your C-suite. Your executives have to believe in what you’re attempting to accomplish in order for it to work because if they don’t, then your employees won’t either. When you present this idea to your C-suite, explain to them:
- the risks that your credit union is currently facing
- the risks that you could face in the future
- and how a security culture can decrease these risks
It might be helpful if you explain it in terms of what these risks could cost your credit union if you don’t build this culture. Make sure you also point out how this new security culture will be aligned with your credit union’s current goals and strategic plan. Raising these issues and presenting your case to your executives will help you build that solid foundation because at the end of the day, these are the people who will need to set the tone and expectations for the culture; otherwise, your attempts may fail before they even begin.
When you have all-staff meetings or other company-wide events, encourage your leaders to talk about the cybersecurity culture and the objectives you’re trying to accomplish. Not only will this set the tone and communicate the importance of security awareness and this new culture to employees, but it’ll also help you engage your employees and make them feel included in this new culture you’re trying to establish.
Step 2: Construct the Frame.
The frame is one of the most important parts of a house. It protects the house from collapsing and provides the structure and support that the house needs, in the same way that your staff protects your credit union and provides the support that your members need. That’s why, once you have buy-in from your executives, you’ll need to secure staff buy-in.
They’re the ones on the front lines every day facing these risks. You’ve heard the phrase that “humans are the weakest link,” and it’s true. We all make mistakes from time to time, but according to a Verizon Wireless’ Data Breach Incident Report, nearly 80% of data breaches in 2021 can be traced back to a human. This tells us that we can buy all the digital firewall applications that we want to protect our networks, but if our staff isn’t properly trained, cyber incidents will still occur.
In order to protect your credit union to the best of your abilities, your staff needs to be trained in security awareness. More than that though, they need to understand the importance of security awareness and how their actions can help protect your credit union and members from a risk incident. Your staff needs to feel like they are included in and a part of this new security culture. Once they do, you’ll secure their buy-in. And once you secure their buy-in, you’ll be able to build, what experts are calling, a human firewall.
Human Firewall
Whether you’re in the information security industry or not, we’ve all heard of firewalls. These “walls” protect your network from external intruders, as well as monitor what goes out of your network too. In the same way, your staff can act as a human firewall, protecting the information that leaves your credit union while simultaneously protecting your credit union from external forces (bad actors, phishing emails, etc.). However, they can only do this if they are properly trained and tested in security awareness. Once your staff has a strong grasp on how to identify and prevent or deal with certain security issues, they can help keep your other employees on track as well. If they see a phishing email come to their inbox, they can alert other employees so they know what to look out for. This communication and sharing of information between employees can help strengthen your human firewall.
In the same way that the framing for a house is crucial for the long-term stability of said house, making sure your staff is as committed as possible to this culture is crucial to the long-term stability of the credit union. Once you get their buy-in, you can move to the next step.
Step 3: Install the Infrastructure
After you get everyone on board, it’s time to install the infrastructure for the culture. This infrastructure is your outline of the programs, set of common practices and behaviors your staff will be trained on. This step is more behind-the-scenes than other steps, as most of the work in this step will fall under the risk department’s jurisdiction. Here, you’ll include an outline of the strategies and tactics that you will build upon later to create this culture. Think about the types of behaviors you want to see from your staff and the common practices you want to set in place regarding security awareness and include that within your strategies.
Like your HVAC, plumbing and electrical needs in your house, this is the step you’ll come back to in order to evaluate and change your practices and processes depending on the changes in the risk, technology and credit union’s environment. You’ll need to reassess and strengthen these strategies and tactics in order to keep your credit union up-to-date on new and emerging risks.
Step 4: Build-out the Interior.
Now that you’ve got your foundation and framing in place, it’s time to build out the interior framework. Within a house, this looks like adding drywall, flooring, cabinets, etc. Within your credit union’s cybersecurity culture, this looks like building out security awareness training for different groups within the credit union. Not every employee at your credit union will be faced with the same exact cyber attempts.
For example, your president/CEO and other C-suite employees may face business email compromise attempts more often than other employees because these high-level staff members typically have access to more sensitive information than frontline employees do. And once a bad actor successfully gets access to an executive’s email, they can send phishing emails or use the login credentials to access other areas in the network. My colleague, John Cuneo, explains this more in an article he wrote entitled “Who’s Really Behind Your Email Account?”
In addition, your frontline workers will probably encounter security issues and attempts that your C-suite may not. For example, if someone comes into the credit union wielding a weapon or if an imposter enters the credit union to gain access to an account that doesn’t belong to them. Your executives may not be in the branch to deal with these situations, but your frontline staff will be. I’m not saying that you shouldn’t train your executives and board members in these situations, but you should dive deeper into these types of training for your frontline employees.
Once these trainings are built out, you should also test your people on a regular basis. The goal here is to make security awareness as natural as breathing. It should be something that your employees do so much that it becomes natural and comfortable, like muscle memory, if you will.
Step 5: Add the Final Touches.
The final touches are typically the most exciting part of building a house. This is where you pick out paint colors, décor, crown molding, architectural accents, etc. For your cybersecurity culture, this is where you can make it fun by adding rewards. Security awareness training doesn’t have to be stressful and boring. You can make it into a game — where the employee who spots the most phishing email tests and reports it to your risk department earns a reward — or model the training videos off of TV shows. We’re actually working on doing that now for our employees here at the Corporate. Not only will this make the training more engaging for your staff, but it will also build a positive mindset around the cybersecurity culture. Your employees will be excited to engage in the training and testing, and they’ll be more likely to retain that information long after the training has ended.
Just like with any other types of construction, you’re going to face challenges and set-backs when building a cybersecurity culture. It’s important during these times to make sure that everyone is still on the same page when it comes to protecting the credit union and your members. Keep reminding your staff, executives and board members the importance of creating this culture and how it will benefit both your credit union and your members now and in the future.
Now that I’ve shown you the blueprints for how to create a cybersecurity culture, it's time for me to hang up my hardhat, but please remember that Vizo Financial does offer consulting services for IT security and risk mitigation strategies. We’re here to help, and we hope you’ll use us as a resource.
Mike Bechtel is an information security engineer for Vizo Financial Corporate Credit Union. As such, he provides incident response planning services, information security risk assessments, security awareness training, social engineering and vulnerability testing and reporting and information security-related consulting services to credit unions.