Many years ago, as a credit union CTO, I added a budget item for a cyber security tool not invented yet. The management team and our board gave me a lot of grief about it at the time. However, even today, I think it is a wise approach. The threats are constantly changing, the tools constantly evolving, and despite way more sophisticated cyber programs, I am far more worried about hacking today than I was 20 years ago. Here are my thoughts on the top 5 Cyber Security Trends for Credit Unions in 2020.
1. Third Party Risk
More and more of our credit union technology stack is supplied by SaaS or cloud-hosted solutions, and we have less and less transparency into them. Credit unions need to step up their sophistication in tracking member data and in assessing the quality of their vendors' cyber security programs. Vendor management (on the cyber security front) can't just be delegated to the most junior internal auditor and compliance person. Credit unions need formal programs that leverage knowledgeable cyber security expertise to review, track and push the credit union's cyber security requirements throughout the ecosystem.
2. Sprawl of Data
Emails, file servers, old servers, old PCs, new PCs, mobile devices, Dropbox, etc. You name it, there is some hidden data out there containing member personal information that an unsuspecting user stored. Of course we can create an inventory of where the data "should" be, but that is usually not the breach source. It is the old forgotten file from the conversion you did 3 years ago... or some old email from an employee who is no longer around. Scanning with a tool like Ongoing Operations Risk Analyzer is a key way to find the PII, prioritize it and eliminate it from breach potential in the first place.
3. Shortage of Cyber Expertise
Many credit unions take the approach of taking their most senior IT person and giving them the cyber roles. The reality is that, over the past twenty years, disciplines in IT have become like medical specialties. You wouldn't go to your general practitioner for brain surgery. Cyber expertise requires systems thinking plus tactical knowledge and has many areas for specialization. There is a huge shortage of this talent, and finding a good partner to supplement your team's skills and priorities should be a huge focus.
4. Patching & End Points
Most credit unions seem to have 1 server for every 3 employees and about a 3 to 1 ratio of devices to employees by the time you count printers, routers, switches, PCs, mobile devices, etc. Keeping track of all the endpoints and keeping them up to date is a real chore – and not one that adds much value to your member experience. Finding tools and companies that can automate this work and develop core competency around the credit union application and device environment should be a priority for this year. Make it systemic – not tactical.
5. Iran – or other cyber security criminals
With the latest hotbed of action in the Middle East, it is reasonable to expect foreign governments or other cyber security criminals to increase the sophistication and frequency of attacks in 2020. Most likely they will go after soft but visible targets of opportunity. Credit unions, like regional governments, tend to fit this bill. Be on the lookout for more advanced attacks in 2020 coming from outside the US.
Credit union security is about layered defense and requires constant attention. The work will never be done, but it can be made more efficient, timely, and effectively prioritized. Make sure your credit union is cyber ready for 2020!