New guidelines for credit unions have recently been released by the NCUA (National Credit Union Administration), including a focus on “Cyber-security, Insider Threat and Security Clearance Reform, Open Data, and People and Culture.” Set those priorities alongside advancing technology and the need for more consumer-friendly applications that still meet regulatory requirements, and it is clear that credit unions must balance the security basics with a move toward more advanced security concepts if they are to be as secure as possible.
Threats Credit Unions Face – And How To Combat Them
When you break down the large threats that credit unions face, several consistent themes emerge:
- Phishing will be one of the first points of entry used to compromise any system or data
- Denial of service attacks will continue to threaten to knock companies offline, especially when they have internet-facing or mobile applications
- Data sharing and privacy will face increased scrutiny: disclosure laws will become more draconian, and disclosure must happen more often and more quickly
Unless your security posture is already strong enough to combat these threats, the key is to keep working on controls that meet these goals and then to deploy tools that enforce those controls. Consider the following:
- Remove privileges and paths to the data wherever people don’t need them. You can do this with privileged access management, network segmentation, and general user role maintenance.
- Patch everything you can. Most attacks exploit vulnerabilities that are more than one year old. If you get at least this far, you remove a large number of paths of entry through which data can leak.
- Find your data, and start by protecting the major repositories first. Build outward as you find other copies of your data. Don’t forget that sometimes the best path is to delete the data where it doesn’t belong.
A layered security approach, both within the environment and within cloud practices, will continue to drive the set of cyber-security controls that credit unions need going forward. Taking some basic steps gives you good hygiene. As horrible as it sounds, sometimes the best security is to make it hard enough to break in that the attacker moves on to the next guy.
Scott Carlson, Technical Fellow
As Technical Fellow, Scott Carlson brings internal technical leadership to BeyondTrust, strategic guidance to our customers, and evangelism to the broader IT security community. He also plays a key role in developing innovative relationships between BeyondTrust and its technical alliance partners. Scott has over 20 years of experience in the banking, education and payment sectors, where his focus areas have included information security, data centers, cloud, virtualization, and systems architecture. He is also a noted thought leader, speaker and contributor to RSA Conference, OpenStack Foundation, Information Week and other industry institutions.
Prior to joining BeyondTrust, Scott served as Director of Information Security Strategy & Integration with PayPal, where he created and executed security strategy for infrastructure across all PayPal properties, including worldwide data centers, office networks, and public cloud deployments. He led several cross-departmental teams to deliver information security strategy, technical architecture, and strategic solutions across enterprise IT environments. As a member of the office of the CISO, CTO and CIO, Scott spoke on behalf of the company at global conferences. In addition, he was responsible for infrastructure budget management, vendor management, and product selection, while also serving as the cloud security strategist for private OpenStack cloud and public cloud (AWS, GCP, Azure). Prior to PayPal, Scott held similar roles with Apollo Education Group and Charles Schwab.