LAS VEGAS—Cyber threats are only becoming more elusive and harder to detect, insists one security analyst who says the best way to address potential attacks is to make cyber defense a “habitual” practice among all CU staff.
Lori Lucas from PSCU told attendees at CUNA’s America’s Credit Union Conference that no longer can credit unions simply defend the perimeter and pay attention only to the obvious exposure points.
“A credit union should be practicing cyber situational awareness,” said Lucas. “It’s paying attention to your surroundings to identify potential cyber threats. Look at your surroundings and think about what might go wrong. It is not difficult if you make it a habit among your staff—make it become muscle memory.”
Constant security attention from the entire staff is needed today because anytime someone or a device interacts with hardware or software, a cyber risk could be present, Lucas explained.
Lucas said even e-cigarettes are a concern. She said fraudsters are loading malware onto e-cigarettes and asking people if they can plug into their computers for a quick recharge.
“And as the Internet of Things grows and even implantable medical devices become more commonplace, new threats appear every day,” she said.
Lucas said credit unions need to transition away from a cyber defense “checklist” mentality and develop processes that can quickly identify, react to and address cyber-attacks.
“Everyone in the credit union needs to be a superhero to defend the network,” she said. “They have to move away from thinking about standard defense to thinking about and responding to the unknown,” Lucas said.
To get to that point credit unions will need to develop and execute ongoing cyber defense training programs for the entire team.
“Tomorrow’s staff must be engaged with cyber security—empower everyone,” Lucas said. “Make the training messaging interesting and funny, that helps things stick. Run contests and giveaways associated with your training programs. Get real-time feedback from your staff and analyze user behaviors.”
Lucas said credit unions must bake cyber security into the designs of their systems.
“Test controls, build and maintain an IT controls catalog, and patch, patch, patch. And shift the mindset of the credit union to alerting as opposed to logging. Make your defenses more real time,” she said.
Cyber situational awareness is external as well as internal, not only considering the vulnerable points of the credit union but the events and attacks happening outside the walls of the CU. But the credit union must be careful not to try to monitor too many things, noted Lucas. She said trying to defend against all potential threats is simply a task too big for many credit unions, especially small ones. Instead, she said, what CUs need to do is determine what are their greatest risks and focus attention there.
“You don’t want to target everything, only what is relevant to your credit union and focus your dollars there,” she said. “Collaboration, too, is very important. Talk to other credit unions about what you have encountered, the articles you read, what you know.”
Lucas said that waiting to implement a cyber situational awareness process is a mistake. She said that cyber crooks’ skills are advancing too quickly.
“Cyber security of tomorrow is really here today—the threats are here and the crooks are watching you,” she said. “Don’t turn your back.”