How can credit union professionals implement and strengthen their cybersecurity posture within their organizations?
Much like banks, credit unions hold large amounts of highly sensitive data about members, including financial and personal information such as credit scores, banking information and investment history. Unfortunately, many credit unions are still at a loss when it comes to properly securing their critical data assets against cyberthreats, breaches and intrusions.
Most recently, Desjardins, the largest association of credit unions in North America, fell prey to a cybersecurity incident when an employee leaked the personal information of more than 2.7 million individual members and 173,000 businesses outside the institution.
In this blog article, you will learn more about:
Before we dive deeper into cybersecurity for credit unions, let’s have a look at what cybersecurity actually means.
Cybersecurity is most commonly defined as a set of strategies, techniques, and controls to reduce risk and ensure that your data assets are protected.
In general, security should be looked at as striking the balance between access and control.
In today’s business environment, information has become a key resource for all organizations. Technology, in turn, plays an important role in the entire information lifecycle, including its creation, use, storage, treatment, disclosure and removal.
Business owners and executives are struggling to find a balance between protecting their confidential data assets, leveraging them effectively to generate business value from IT-enabled investments, and mitigating the respective risks that come with managing data, all while complying with various risks and regulations.
For credit unions (and all organizations processing or storing large amounts of confidential data), cybersecurity should be a regular part of their best practices.
“Cybersecurity is a systemic risk that affects all levels of business, government and ordinary people. It is such a high-risk area for credit unions that the National Credit Union Administration (NCUA) placed cybersecurity as a top focus for exams.” (National Association of Federally-Insured Credit Unions)
More often than not, credit union professionals find it challenging to balance their many priorities with the implementation of an effective cybersecurity strategy.
Here are just some of the challenges that IT and security professionals at credit unions face:
When it comes to choosing the right cybersecurity strategy, how are organizations supposed to know what is best? Should you conduct regular penetration testing, vulnerability assessments, control assessments, compliance audits, risk assessments, security program reviews, etc.? The list goes on! How often should this be done? And how can you be sure that these initiatives will actually pay off?
According to Help Net Security, “cybersecurity strategy needs to be led by the board, executed by the C-Suite and owned at the front lines of the organization.”
While it is easy to become overwhelmed by the sheer thought of implementing an effective cybersecurity strategy, your best battle strategy is to put your cybersecurity posture at the core of all security initiatives you undertake.
By doing so, you will be able to tackle the following cybersecurity best practices with greater ease.
We will go over each of the above best practices in detail.
According to ISO/IEC PDTR 13335-1, an asset is defined as “anything that has value to the organization, its business operations and their continuity, including Information resources that support the organization's mission.”
To improve your cybersecurity posture, your credit union should identify
Knowledge is power. Having awareness of your critical assets will help you define a cybersecurity strategy that is focused on protecting your most critical assets adequately. This way, you will be able to allocate the largest chunks of your budget to the assets that are most important to protect.
Important: Not all assets have equal relevance to your credit union, which is why it is impossible to protect all of them equally.
Risks represent the potential for loss, damage or destruction of an asset following a threat.
Before implementing an effective cybersecurity strategy, it is important for your credit union to think about all potential risks that you may be facing.
By carefully reflecting on your risks, you will be able to outline security strategies that can help you reduce or mitigate these risks properly.
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
The main objective of security controls is to assist organizations in managing their risk and protecting their valuable assets against security incidents, cyber threats and data breaches.
There are 3 types of security controls:
In your credit union, controls can be malware defenses, internal processes, 24/7 monitoring, penetration testing or incident response techniques, for example.
Depending on your geography or the industry you operate in, you may want to follow a variety of security control frameworks, including NIST, ISO or the 20 Critical Security Controls issued by the Center for Internet Security.
Interested in learning more about how your organization can strengthen its security posture with the 20 CIS Critical Security Controls? Watch the recording of our webinar “Are You in Control? Managing the CIS Critical Security Controls within your Enterprise”, which we jointly hosted with SANS.
Threats represent what could damage, destroy or compromise your assets.
Assessing the risks and threats of your credit union environment will help you define which types of security controls need to be implemented and strengthened to protect your assets from threats.
Important: Threats can be external or internal: hacker groups, employees, individuals with access to your devices/amenities, third parties.
With your cybersecurity posture in mind, you will be able to adopt a focused approach to assessing, designing, developing, implementing and aligning your security posture. A Cybersecurity Posture Assessment provides an overall view of a customer's internal and external security posture by integrating all the facets of cybersecurity into a single assessment approach.
A cybersecurity posture assessment can help indicate how healthy or resilient your credit union is when it comes to cybersecurity, how effectively it can protect against potential cyberattacks and how well it can maintain a strong cybersecurity posture as the threat environment evolves.
Generally, a cybersecurity assessment is based on four (4) principal baselines:
It is increasingly difficult for credit unions to know what their current cybersecurity posture is and how well they could face security incidents. This can result in a variety of issues, including:
By knowing your cybersecurity posture, you can develop a long-term security strategy that will protect your credit union, outline a concrete cybersecurity roadmap and strengthen your cybersecurity defenses over time.
Do you know what your credit union’s cybersecurity posture is? If you’re not sure, we’ve developed a handy-dandy checklist that will help you get a high-level overview of where you’re at in terms of your cybersecurity posture. Click below to download a copy.