By Sam | September 9, 2013

How Do I Identify and Mitigate Threats to my Credit Union?

In the world we live in today there are so many threats to our business. New threats emerge everyday as our infrastructures grow in complexity. One of the most frequent questions we’re asked is how do I identify and mitigate threats against my infrastructure – what do I do first? How do I know which ones to focus on? If you need answers to these questions, this post is for you.

Identifying threats is easy when you first start making a list. The list usually consists of weather events and other commonly known threats. You can begin by looking at your region for known high risk events (hurricane, earthquakes, tornado, etc.). Live in a city? Perhaps massive power outages are a high risk for you.

Biggest thing to keep in mind is that threats and their impacts are continuously changing. Let me explain what I mean.

• During the winter, the Northeast has a high threat for snow and ice storms that could have a huge impact on the businesses in the region. During late summer and fall,  the same region is going to have a higher threat for hurricanes with an even greater potential for damage/impact.
• Another example is when you are pulling into the parking lot at work and you notice some construction workers digging with machinery a few feet from where your building’s internet connection comes into the building. If the internet goes down,  first thing I would do is go check in that hole for any damaged wires. For a few days the construction work may be considered a “High” threat but then it changes once the work has been completed. That would be a threat you may not have accounted for in the past but is real and needs to be considered.

Other types of threats to consider are:

• Operational – threats from loss of key personnel, settlement failure, and compliance failure, to theft, systems failure and building damage
• Privacy – personal information about customers and employees
• Reputation – the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions
• Security – alarm, medical emergency, crimes, war, natural hazards, or disasters
• Strategic – impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes

Once the threats have been identified the fun of how to mitigate each threat begins. There is never enough time or money to deal with all items so the focus should be on the threats that scored the highest. There are 5 methods for dealing with risk (as defined by the Project Management Institute.) Only the first 3 should be applied to your top ranked items.

• Protect – mitigation is included in this category. This is avoidance by using an approach that reduces the probability of a risk becoming a reality (generator, door locks, security systems and procedures.)
• Assign – assigning or transferring the risk in whole or in part. Insurance and outsourcing are normally placed here but do not transfer responsibility and liability.
• Eliminate – not engaging in a specific activity or technology because the risks are greater than the benefits.
• Accept – some risks are acceptable i.e. Low probability and low severity (impact.)
• Ignore – distinctly different from acceptance. This is an active decision to not properly analyze the risk, identify the potential impact, and place it one or more of the above categories.

Once the mitigation methods has been applied to the list of threats the process will need to be monitored and reviewed to assure that action items from the mitigation methods are being completed. The continuous review of threats should become part of your business processes as they are changing and could have potential impacts on your business and members.

Mitigating Credit Union DDOS Attacks…Its Time to Push Back

Credit Union Disaster Preparedness Week – Hurricane Preparedness

Have Questions? Contact Us: