Financial services experienced the highest volume of security incidents in both 2017 and 2018, according to the IBM X-Force Threat Intelligence Index. Attacks are expected to increase for smaller franchised retailers, along with those businesses with distributed infrastructure.
Credit unions, on average, spent $362,000 to address these merchant data breaches; this figure does not take into account damages to reputation and loyalty, making the actual cost much higher than that reported.
Security Risks: Physical and Virtual
Most of the hacks we hear about are strictly virtual, but physical threats are also a concern.
Skimming is an example of a physical threat. Thieves skim by placing card scanners on top of the slot where a credit or debit card is inserted to initiate an ATM transaction.
These card readers can gather data whenever customers use the ATM. Personal identification numbers (PINs) are sometimes stolen as well through the use of additional skimming tools, such as overlaid number pads or micro-cameras. These save the keystrokes of each transaction, giving criminals everything they need to use the card.
Victims typically don’t know their information has been stolen until they receive their statement or an overdraft notice.
This type of attack was not the most popular in 2018 but will continue to be a threat for unsuspecting financial services businesses.
Virtual Attacks through the Side Door
Virtual attacks, like the one that penetrated Equifax in 2018, are high on the list of security threats for credit unions. However, the trajectory of these attacks has shifted. Rather than enter through the front door, cybercriminals are increasingly exploiting application vulnerabilities, using these vulnerabilities to gain network access.
Equifax and many of the most damaging hacks in 2018 were perpetrated through software. Equifax was vulnerable due to Apache Struts, an open-source application that the company used to create web applications. Maersk, a logistics company that suffered millions in damages, was vulnerable through an outdated accounting application.
These latest attacks give us the opportunity to adapt and stay protected.
Security Recommendations for Credit Unions
Many credit unions are taking adaptive precautions. A 2017 NAFCU survey found that nearly 10 percent of respondents’ operating budgets were devoted to IT/cybersecurity, and all expect a moderate or significant increase over the next five years.
There are many actions credit unions can take to protect themselves and their customers.
1. A limited number of third-party vendors, and vetting of current vendors for security protocols
To hackers, each third party is a potential access point. According to a Soha Systems survey on Third Party Risk Management, 63 percent of all data breaches are linked in some way to third parties such as contractors, suppliers, or vendors that have access to a business’s system.
Yet only 2 percent of survey respondents considered third-party access their top priority in terms of IT initiatives and budget allocation.
A credit union can mitigate this vulnerability by negotiating contracts with each of its third-party vendors that detail the security safeguards they must take while handling the company’s data. The vendor can also be asked to perform periodic security assessments on its systems, and an occasional audit can be required to ensure that the security measures outlined in the contract are being taken.
2. Regular updates to OSes, software and security
The hacking community is constantly working on breaching applications, so keeping software current gives them the least amount of time to find and deploy an effective hack.
3. Prioritization of security in home-grown services
Businesses can sometimes get too focused on providing “good banking options” and forget to design security into the mix. Before launching mobile banking applications and platforms, it’s prudent to perform thorough internal security penetration testing.
4. Regular security vulnerability scans on all devices
5. A culture of dynamic cybersecurity awareness
Many cyber attacks are the result of users being tricked into clicking on links or opening attachments. Phishing attacks were not in the spotlight in 2018, but this does not mean they are gone. In most cases, hacking activity will trend away from a tactic, only to return as soon as defenders forget.
As attackers change strategies, make sure to update your employees so they stay vigilant.
6. Regular checks on ATMs for tampering
Questions about your credit union’s network security?
Call Platte River Networks for a free consultation.