In this difficult economy, credit union membership is down – for some far more than others. Median membership in federally insured credit unions declined 0.3%, and about half of federally insured credit unions had fewer members at the end of the second quarter of 2020 than a year earlier. In response, many credit unions are actively trying to attract new members with marketing, new products and services, and expanded online and mobile banking.
While these activities are necessary, they also increase your exposure to the internet. Where might your credit union be vulnerable? In areas such as the member login process, cloud-based applications, third-party offerings, and online loan and mortgage forms. Expanding your internet presence gives threat actors a larger target. They want to get into financial institutions to steal sensitive data – either intellectual property or members’ personally identifiable information (PII).
Credit unions with “tech debt” that move applications to the cloud have added risk. Tech debt refers to conditions that can create exploitable vulnerabilities, such as aging technology that lacks advanced security features like encryption, poor patch management, and a shortage of IT cybersecurity skills.
Some of the top threats to credit unions include directory transversals, port scans, denial-of-service/distributed denial-of-service attacks and man-in-the-middle attacks. Fortunately, these threats can be detected and stopped, whether they are already in your environment or attempting to enter. We recommend five best practices suitable for every credit union:
If you have the expertise, time and budget to update cybersecurity yourself, the Federal Financial Institutions Examination Council (FFIEC) offers a cybersecurity assessment tool as well as general guidance on cybersecurity. The tool covers the basics such as identifying factors that contribute to cyber risk, assessing cybersecurity preparedness, evaluating whether your readiness aligns to your risk, determining needed risk management practices and controls, and revisiting risk management strategies. And the tool maps to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is an excellent framework for small and midsize businesses.
If DIY isn’t an option, then a managed security services provider (MSSP) is an affordable alternative. A MSSP can evaluate your current security program, assess risk from gateways to endpoints and implement the appropriate controls. Look for a MSSP with financial industry experience, capabilities to streamline regulatory compliance and the ability to customize cybersecurity to your needs.
 National Credit Union Administration, NCUA Quarterly U.S. Map Review, Second Quarter 2020.