CUS’ cy­ber­se­cu­rity fore­cast: Don’t ex­pect any easy solutions in 2018

A panel of experts says the credit union move­ment still has a lot to learn about stop­ping data breaches, but emerg­ing tech­nolo­gies can help mit­i­gate risk fac­tors in the year ahead.

Credit Union Journal - - Special Report - BY NATHAN DICAMILLO

THERE ARE PLENTY OF CY­BER­SE­CU­rity lessons for credit unions in a year in which 143 mil­lion Amer­i­cans — nearly half the na­tion’s pop­u­la­tion and more than the to­tal num­ber of U.S. credit union mem­bers — had their data ex­posed as a re­sult of the mas­sive breach at Equifax.

“The Equifax breach made it clear that if you’re not on top of your patch­ing, you’re vul­ner­a­ble,” said Mike Atkins, chief in­for­ma­tion of­fi­cer at Bellco CU and chair of the CUNA Tech­nol­ogy Coun­cil.

That breach and oth­ers like it have made vul­ner­a­bil­ity man­age­ment a key is­sue for CUS go­ing into 2018.

“Data breaches are learn­ing ex­pe­ri­ences for the or­ga­ni­za­tions that ex­pe­ri­ence the breaches as well as the in­dus­try as a whole,” Tim Mielak, CIO of Michi­gan State Univer­sity Fed­eral Credit Union, said via email.

Chris Saneda, ex­ec­u­tive vice pres­i­dent of tech­nol­ogy and dig­i­tal in­no­va­tion at Vir­ginia Credit Union and vice chair of the CUNA Tech­nol­ogy Coun­cil, rec­om­mended work­ing with ven­dors that hold the same cy­ber­se­cu­rity stan­dards as your credit union.

That’s the strat­egy Bellco’s Atkins uses. He ex­plained that when con­sid­er­ing a ven­dor for his credit union, he as­sesses the com­pany’s security stan­dards by ask­ing the same ques­tions of them as he asks of his CUSO, Open Tech­nolo­gies, LLC. “If they are touch­ing mem­ber data, we ask a lot of ques­tions around how they are go­ing to pro­tect that data,” Atkins said.


But a security pro­gram for a credit union changes based on the in­sti­tu­tion’s size and scope.

“It’s re­ally dif­fi­cult to quan­tify how much a credit union should in­vest in cy­ber­se­cu­rity, but I can tell you the hur­dle is in­creas­ing at a rapid rate and isn’t likely to let up soon,” Ge­orge Ru­dolph, SVP of op­er­a­tions and tech­nol­ogy at Al­liant Credit Union and sec­ond vice chair of CUNA Tech­nol­ogy Coun­cil, told Credit Union Jour­nal via email.

Ru­dolph es­ti­mated in­clud­ing sys­tems, peo­ple, on­go­ing third-party sup­port ar­range­ments and con­sul­tants Al­liant CU uses, the fi­nan­cial in­sti­tu­tion has spent well into the tens of mil­lions of dol­lars on cy­ber­se­cu­rity dur­ing the past five years.

Atkins es­ti­mated his CUSO spends be­tween four and five per­cent of its to­tal bud­get on cy­ber­se­cu­rity.

“We’re all fight­ing the bad guys,” he said. “And they are well-funded and well-or­ga­nized, and any or­ga­ni­za­tion on­line is a tar­get.”

Ac­cord­ing to Ru­dolph, ma­chine learn­ing and ar­ti­fi­cial in­tel­li­gence will play a large role in re­duc­ing at­tacks. This tech­nol­ogy would also re­duce false alarms, mak­ing the process more ef­fi­cient for CUS and their mem­bers. On top of that, in­creased us­age of to­k­eniza­tion can re­duce the in­cen­tive for steal­ing mem­ber data – or at least limit ex­po­sure in the event of a breach.

“I will say there is a trend to­ward be­hav­ior-based an­a­lyt­ics and ar­ti­fi­cial in­tel­li­gence to de­tect and block sus­pi­cious or un­usual ac­tiv­ity,” Saneda said. “But this tech­nol­ogy is new and ex­pen­sive.”


As more breaches oc­cur, Ru­dolph noted, it will be­come more dif­fi­cult for CUS to com­bat fraud while pro­vid­ing fric­tion­less service.

Ac­cord­ing to Mielak, $3.7 bil­lion-as­set Michi­gan State Univer­sity FCU is mov­ing to­ward next-gen­er­a­tion security con­trols such as fire­walls and in­tru­sion-pre­ven­tion sys­tems that in­spect all lay­ers of communication from fun­da­men­tal net­works to high-level ap­pli­ca­tions while in­te­grat­ing ex­per­i­men­tal and open-source tech­nolo­gies to en­hance more pre­dictable, text­book security con­trols.

Saneda ex­plained that it’s up to in­di­vid­ual credit unions to as­sess new risks “in terms of their pro­cesses, mem­bers and ven­dors, and how they might be ex­posed to a risk.” Saneda con­sid­ers three fac­tors when mak­ing cy­ber­se­cu­rity in­vest­ment de­ci­sions: How many ex­ter­nally fac­ing de­vices the CU has, what kind of soft­ware it has en­abled and how well it does cy­ber­se­cu­rity train­ing.

Saneda rec­om­mended CU ex­ec­u­tives fol­low list­servs or dif­fer­ent cy­ber­se­cu­rity feeds on­line to keep up to date with best prac­tices, along with up­dates from the Fed­eral Fi­nan­cial In­sti­tu­tions Ex­am­i­na­tion Coun­cil and the Na­tional Credit Union In­for­ma­tion Shar­ing and An­a­lyt­ics Or­ga­ni­za­tion.

“There are a lot of cy­ber­se­cu­rity solutions out there,” he said. “But gen­er­ally if credit unions take a look at their own con­trols, that aware­ness will take you a long way in de­cid­ing which tools to use.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.