LAS VEGAS–At a meeting themed “Grimm Fairy Tales or Happily Ever After,” it shouldn’t be a surprise that when the discussion turned to cyber-threats there was a lot more talk that was grim than fairy tale—although some happily ever after was suggested.
The discussion was part of Mitchell Stankovic’s Underground Collision event. Panelists included Stephen Bohanon, chief strategy and product officer with Alkami; Raj Bandaru, CIO with Kinecta FCU; Jen Anthony, VP-cybersecurity and risk with ThinkStack; and John Bagents, president and CEO of WestStar CU.
Here’s a look at some of the insights shared:
Bohanon: Alkami is a digital banking platform that has been around for 14 years. I think digital banking is a perfect analogy to the issue we’re talking about today. In one instance, it can be so much of a benefit for the member, but it can also bring so much harm to your credit union. The member can do so much, and yet those features can also be used by the bad guy.
From left, John Bagents, Jen Anthony, Raj Bandaru, and Stephen Bohanon.
What we’re seeing now is all the machine learning and AI that will be used in many cases for good, but also for bad.
The top trending models on Instagram are all AIs. One sells for time for $1 to men for companionship. You’re going to want to know about deep fakes and you’re going to want to set up training sessions for your branch and call center staff so they know what it is.
Bandaru: This topic is near and dear to me. I am on the grim side for today. To get to the happy side is going to take a lot of work.
What is the cause for concern? At the credit union, we use a lot of partnerships on technology. We can’t develop all that ourselves, especially from a time-to-market standpoint. Credit unions have to have a skin in the game on how to mitigate risk.
With AI, (there are threats to CUs), whether it’s deepfakes, or social engineering or mimicking your voice to bypass authentication. With quantum computing I can crack all your encryption keys in an hour. There is so much we can do with the existing technology where the fraudsters have an upper hand.
Bohanon: Why? We have that technology?
Bandaru: Yes, we have the same technology, which is why we need to have a skin in the game. We need to understand what the fraudsters are doing and get in front of that. Even as an organizational construct in credit unions, it’s hard to get ahead. Look at your own organizations. I’m sure they are all segregated departments. For us to get in front of it, we need operations, fraud, IT, retail—everything together.
Anthony: I spent 20 years in the Air Force (working in cyber defense and technology). I then spent some time in (medical industry) and nonprofits and then made an intentional decision to come to credit unions. I believe in what you are doing, but we have some work to do.
I have been in credit unions for seven months and in that time I have worked with six credit unions on cyber-incidents. You are not ready to respond to a breach, to a cyber-incident. (The fraud ranged in size), but one of them was $280,000 being wired out of a credit union to a fraud account. You might say that would never happen at our credit union. I will tell you four months ago that CEO would have told you the same thing.
Opening the Door
The staff at the credit union in all six cases opened the door to the criminal. Behind SaaS and webmail users, you are the next highest industry for being targeted.
I would say to credit union leaders, we have things to solve in the technology and the people piece. They are not independent, they are intertwined. Compliance is not security and it is going to take every single team member on your staff to get ahead of this.
Bohanon: We used to see credential stuffing every quarter. Now it’s 24x7. But what we have found is it doesn’t work, it’s just noise. But we see social engineering and the faking out of the employees, where they approved something. That is where it happens.
We are technologists. We are smart and like to bedazzle you with all our smart words. In your credit unions I think you’re struggling to hire staff that can help you.
I don’t have an easy fix, but what I would submit is this case study. I was meeting with the CEO of a fairly large credit union three weeks ago and he said to me three times very directly, “I hate CIOs.” What I learned in conversation through him is that there is a very clear divide between credit union leadership and the technologists who are in your credit unions or working with your credit unions. We have as technology leaders an incumbent role in learning the business.
Bagents: There is that Steve Jobs quote, “Don’t hire smart people and tell them what to do; hire smart people and have them tell you what to do.” You have to have those conversations. In credit unions, we pay top of market—there’s no other industry where people could make more money, right? (Audience laughed.) So, why would someone with the technical skills choose to be on the good side? They have to have a better moral compass. Every time we improve, they get smarter.
Our primary SEG group is the gaming industry in Nevada. Some of you may have heard of a fairly large gaming company recently that had a cyber-incident and the major reason was social engineering. They found a name on LinkedIn, made a phone call, and had full control in five minutes.
The Weakest Link
We’re only as strong as our weakest link. As an industry we aren’t known for being tech first, tech driven or tech savvy. Are we keeping up? One of the biggest things that scares me is we always have excuses. Smaller credit unions say we don’t have the resources, but you still have the same products and services and the same exposure. Larger credit unions say we have some things in house, but we don’t have what the big boys have. The criminals don’t care.
Anthony: On average if you are a business in the U.S. with less than 500 employees, you would spend $3.1 million recovering from an incident. Because of the familial relationships in the credit unions, because you are so intertwined, if one credit union takes a hit, your reputation is impacted across the board. I would say, stop spending your time thinking it won’t happen to me. Accept that it will. If you assume attack, what you can do is start planning to respond to when that day comes.
Bandaru: We have to get to that zero-trust model…
Bohanon:…With a smile.
Bohanon: What is one leave-behind you would offer this group?
Bagents: It’s not if it happens, it’s when. Prepare for the worst.
Anthony: I am going to give you one interview question to ask the technologist you are hiring: What is something you don’t know about, and what is your plan in the next 90 days to learn about it?
Bandaru: Security first for everything in the credit union.
