LAS VEGAS—Cybersecurity risks aren’t going away—in fact, they’re becoming more threatening. But the biggest risk of all is already working at the credit union, according to one person.
As a result, credit unions need to update their security policies and procedures regularly because the threat landscape is always changing, advised security expert Jim Stickley.
Speaking during the CUNA National Credit Union Roundtable for Board Leadership, the CEO of Stickley on Security and co-founder of TraceSecurity said, “Most of the risk comes from employees making mistakes and doing something dumb. Usually, they’re unknowing participants. But the insider threat is the biggest entry point into your credit union.”
While credit unions of all sizes are at risk of attack, those above the $1-billion asset mark are especially vulnerable because their networks are more complicated, additional regulations divert attention that could otherwise be placed on security, and even large credit unions tend to have small information technology security teams, Stickley told the group.
Cyber thieves are increasingly targeting specific employees, particularly IT administrators, using social networking sites such as LinkedIn, Stickley said.
The board’s role in security, according to Stickley:
- Stay informed about security changes, both in the industry and at their credit union
- Ask established questions to ensure proper security controls are in place
- Approve the credit union’s written information security program
- Affirm responsibilities for the development, implementation, and maintenance of the program; and review a report on the overall status of the program at least annually
Stickley added that management should provide a report to the board at least annually that describes the overall status of the program and material matters related to the program, including:
- Risk assessment process, including threat identification and assessment
- Risk management and control decisions, including risk acceptance and avoidance
- Third-party service provider arrangements
- Results of testing
- Security breaches or violations of law or regulation and management’s responses to such incidents
- Recommendations for updates to the information security program
Credit unions also should review employees’ access to technology, Stickley said.
“Many don’t need to be able to receive email at work,” he said. “Find out which employee groups need access to email, the Internet, and so on. If an employee doesn’t need it, turn it off.”
