The fight against cyber threats continues to grow more difficult every day, particularly in the financial sector. In fact, cyber threats may very well be the biggest threat to the U.S. financial system. It’s best to mitigate this risk with a complete defense-in-depth program involving threat identification, protection, detection, response and recovery. The only way to achieve this level of defense is to get board-level involvement, since it is the board’s responsibility to integrate cyber security throughout its operations as part of enterprise-wide governance. The problem is that financial institutions (credit unions in particular) often find it difficult to get the board’s attention on cyber security.
Credit Union Cyber Hurdles
There are several hurdles credit unions struggle with in regard to cyber security. Many lack the security and compliance maturity that larger institutions are able to leverage. Credit unions often have a small IT department, which limits the resources available for compliance and IT security. Also because of their size, cyber criminals view these organizations as prime entry points into larger targets such as their vendors. In addition, as the complexity of the systems in their network continuously grows, the increasing number of applications introduces more weak links and vulnerabilities. This means they are more at risk of loss of member data, financial fraud, and other business disruptions.
Board Level Actions
With the right approach, getting board approval and implementation of a cyber security strategy should be simple. There are five key actions you can take to get the board on board with a defense-in-depth cyber security program:
- Understand your inherent risk – It’s important to understand and document the amount of risk posed by the types, volume, and complexity of the credit union’s activities, products, and services. Share these findings with the board.
- Make cyber security part of the routine – Discuss cyber security issues routinely in all board meetings. For example: present the findings of a dark web scan. Physical evidence and visuals are always well received and easy to act upon.
- Increase cyber awareness – Monitor and maintain sufficient awareness of threats and vulnerabilities across the whole organization. Create an all-around cyber-secure environment.
- Test your disaster recovery plan with the board – The board should be aware and involved with all DR exercises. Incorporate cyber incident scenarios for testing purposes at the board level.
- Have a plan of attack – When the board is ready to jump on-board, have plans to establish controls. Your plans should actively mitigate cyber risk and seamlessly implement change.
As organizations that are trusted with member information and money, credit unions must take extreme vigilance to protect those members. It is the duty of the board to incorporate a strategic cyber security program across the entire organization. Cyber vigilance is not the job of the IT department alone; it is the responsibility of everyone.
To get a jump start on board-level cyber security actions, we can run a dark web scan for you. We can review the results together and ensure that you have an actionable plan in place to present at your next board meeting.