‘Underground Shattered’ Coverage: The ‘Vulnerabilities’ for CUs From Tech

WASHINGTON–Any credit union leader who previously downplayed the “vulnerabilities” represented by technology is likely no longer playing down those threats, after one panel of experts here shared their experiences, warnings and views. 

Those include core systems still based on half-century-old code, the number of employees who still fall for phishing fraud, and the price of not embracing new technologies because it’s so darned expensive.

The discussion took place as part of the sold-out Underground: Shattered meeting hosted by Mitchell Stankovic here ahead of CUNA’s GAC. 

Participating in the discussion were George Estrada, principal strategist with Amazon Web Services; Amber Harsin, president/CEO of Prodigy; Keith Sultemeier, president and CEO of Kinecta FCU, and Stephen Bohanon, chief product and sales officer with Alkami. The panel was moderated by Shazia Manus, SVP-experience capabilities with CUNA Mutual.

From left: Stephen Bohanon, Keith Sultemeier, Amber Harsin, George Estrada, and Shazia Manus

Here's a look at what was discussed:

Manus: The reality is for the last six years we have been comfortable because consumer trust has increased in the biggest companies. What happens when times go well is inertia settles in and we get runaway hubris. What will it take to remain worthwhile for members’ trust and what is the impact and implications and impacts on our businesses? How do we modernize and move forward?

Estrada: Our CTO has a saying, ‘Everything fails, always.’ It starts off with the idea things are going to fail. We tend to look at things through the rear-view mirror, and when you look through a rear-view mirror you get a very small view. When you look through the windshield, you get a much larger view. 

Everyone thinks about the big disruptions, but it’s really about lots of micro disruptions. Everyone waits for the next big thing to make an investment. I used to work for Gannett. It’s not the Internet that disrupted newspapers, it was micro-disruptions, Craigslist and social media. The ones that made it through knew they needed a presence on the web.

Looking forward, it’s very hard to know which disruption is going to impact you, but one thing for sure is you must have at least one foot in the cloud. 

Harsin: Studying the risks that exist for the credit union movement from a technology perspective is a little terrifying. In 2019, a federal government study on critical infrastructure found that 10% of our critical infrastructure uses outdated technology, some by 55 years. That includes Treasury and the Federal Reserve ACH system. When we think about that, that is not something you can control daily. If we move that down to more of a microcosm of the credit union movement and think about our technology partners, the most prominent core in our movement is written on software from the 1960s. We are maybe getting 50% of the security we think we’re getting. 

Why don’t we change it? It’s really hard. We’re expected to be up 24/7/365. If a member can’t see their funds for 30 seconds, members lose it. It’s scary. It’s like changing out the propellers for jet engines on the plane while you’re flying. But you have to do it. You have to take the risk. 

A Problem Moving Forward

Legacy infrastructure is going to be problematic for credit unions moving forward. We have to hold our partners accountable; we need to ask what version of things are you on? What does it look like if you have to upgrade? Where might the breaks be? There are moves we can make as an industry to make things better--CUSOs, non-CUSOs that are deeply committed to the credit union movement. Let’s protect ourselves from those risks.

Sultemeier: Gartner research shows that increasingly trust is about a good digital experience in the eyes of the consumer. Credit unions are still pretty highly trusted, but the big banks are closing the gap fast. The summary they gave was credit unions have been slower to adopt the digital experience. When I look at our institution, I see three vulnerabilities: data security, internal tech stack, and relevance.

From a data security standpoint, we all have vendors, they are all SOC II certified, but you can’t stay passive on that. You have to continue pushing. You have to make sure they are staying current. 

The Weakest Links

One of the things that scares me the most from a data security perspective is the weakest links in the chain are our members and our employees. About six years ago we started phishing our employees and we do it pretty frequently. And when we started, 17% to 19% failed the test. They clicked on the link. It was chilling. If you click on the link, you get the opportunity to do four more hours of security training. If you click on it a second time, you get to do eight hours. If a third time, you may be terminated. In recent tests it’s been 1% to 2%, but it only takes one. I worry about that.

In the tech stack, it feels like there are 30,000 new vulnerabilities every month. One thing I hadn’t thought about was the actual hardware. We had a hard crash for about three hours before switching over to DR, and that was about two hours and 59 minutes too long. Five years ago, out of environmental concerns, there was a change in a solder that connected hardware. It has a tendency to degrade fairly quickly. We have gotten some vendors to go in and review all these things in our tech stack. And now we have gotten religious about replacing our equipment.

‘You Run a Risk’

So, anytime you concentrate your operations in one point of failure, you run a risk. And cloud providers have not been 100% reliable, 100% of the time. If you’re going to go to the cloud, you better be cloud-ready. If you think it will be cheaper, it is not. It is expensive.

The last piece, relevance. We all rely on our core vendors. The danger is we have tied ourselves to those vendors and our pace of innovation is their pace of innovation. Our providers and their providers are not always aligned. And you have done custom coding, you’ve got bubble gum and baling wire holding the whole thing together. I do worry about that. Digital experience largely equals trust for the consumer; your members have to trust that you are safe and secure.

Bohanon: With trust, there is another group we don’t think about, and that is the trust of our employees. (When there is a failure), these poor employees, the branch staff employees, the call center employees. Do they trust you? They think you obviously didn’t care enough about us to invest. It can really affect your employer brand. Think about how distracting that event is. You may have had really important initiatives planned that you cannot get done. 

And because data breaches have become more commonplace, there is almost a numbness in the market to it. There is a whole playbook for it. I think there is less damage to the brand from that than if you have availability issues. It is not cheaper to go to the cloud, to AWS, if you do it right. But it does get you active, active all the time. 

Copyright Holder: CUToday.info
Copyright Year: 2026