It’s no secret that incredible technological strides in banking have been made over the past decade. The benefits we experience with new technologies and the evolution of cloud computing – from the instant gratification of mobile banking to interoffice and global communications – also present heightened areas of risk. We are increasingly reliant on information technology in the credit union industry today, and the need for strong cybersecurity has never been greater.
The truth is, proper credit union cybersecurity isn’t just network firewalls and malware detection (even though both are very important). It’s a complex strategic plan that includes those things, yet relies even more heavily on employees/end-users and the policies and procedures that are set in place to keep your credit union and your members safe. Planning and risk management should begin with a management “steering” committee that is responsible for reviewing and approving IT plans and priorities. Regular evaluation of IT for risks and appropriate actions to address identified risks are paramount, as is regular evaluation of outside service providers.
Taking on cybersecurity can feel overwhelming. We want to help credit unions approach cybersecurity effectively and comprehensively by breaking down three main areas where cybersecurity energies should be focused.
Maintaining Reliable Systems
Hackers and dark web identity theft are legitimate concerns, but data loss is just as often the result of ordinary systems failures: a failed disk, a botched upgrade, a corrupted database. A backup and retention policy is therefore imperative. Once it is in place, backups must be monitored on an ongoing basis to confirm they are actually running and completing successfully; a backup job that has been silently failing for months is a common audit finding. Recovery procedures should be tested regularly to verify data integrity (the restored data matches what was backed up), recovery time (how long a restore takes, measured against the recovery time objective), and recovery point (how much recent data would be lost, measured against the recovery point objective).
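The monitoring and recovery testing described above can be automated against whatever catalog your backup product keeps. The following is an added example, not code from the original article or from ARB: it assumes a hypothetical catalog shape (one record per job run with status, finish time, and the digest recorded at write time), constructed sample data with a fixed clock, and a 24-hour RPO. It flags jobs whose last run failed, whose last good copy is older than the RPO, or whose last good copy no longer matches its recorded hash, and it times a restore against an RTO while checking the restored bytes.

```python
from __future__ import annotations

import hashlib
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupRun:
    """One backup job run, in the shape a (hypothetical) backup catalog might record it."""
    job: str
    finished: datetime
    status: str        # "success" or "failed"
    sha256: str        # digest the job recorded when it wrote the backup
    payload: bytes     # stands in for the backup file as it now sits on the backup target


# Constructed sample data: a fixed "now", policy targets, and two jobs' recent history.
NOW = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
DEFAULT_RPO = timedelta(hours=24)   # at most one day of data may be lost
DEFAULT_RTO = timedelta(hours=4)    # a restore must complete within four hours
CORE_DATA = b"member_id,balance\n1001,250.00\n1002,1375.10\n"
IMAGES_DATA = b"doc_id,blob\n7,<scanned signature card>\n"

CATALOG = [
    BackupRun("core-db-nightly", NOW - timedelta(hours=6), "success", sha256_hex(CORE_DATA), CORE_DATA),
    BackupRun("core-db-nightly", NOW - timedelta(hours=30), "success", sha256_hex(CORE_DATA), CORE_DATA),
    # doc-imaging: the last run failed, and the last good copy no longer matches its recorded digest
    BackupRun("doc-imaging", NOW - timedelta(hours=50), "failed", "", b""),
    BackupRun("doc-imaging", NOW - timedelta(hours=74), "success", sha256_hex(IMAGES_DATA), b"corrupted"),
]


def check_backups(catalog: list[BackupRun], rpo: timedelta, now: datetime) -> dict[str, list[str]]:
    """Return findings per job: failed latest run, stale last good copy, hash mismatch."""
    by_job: dict[str, list[BackupRun]] = {}
    for run in catalog:
        by_job.setdefault(run.job, []).append(run)

    findings: dict[str, list[str]] = {}
    for job, runs in by_job.items():
        issues: list[str] = []
        latest_run = max(runs, key=lambda r: r.finished)
        if latest_run.status != "success":
            issues.append(f"most recent run failed at {latest_run.finished.isoformat()}")

        good = [r for r in runs if r.status == "success"]
        if not good:
            issues.append("no successful backup on record")
        else:
            latest_good = max(good, key=lambda r: r.finished)
            age = now - latest_good.finished
            if age > rpo:
                issues.append(f"latest good backup is {age} old, exceeds RPO of {rpo}")
            if sha256_hex(latest_good.payload) != latest_good.sha256:
                issues.append("latest good backup fails integrity check: hash mismatch")
        findings[job] = issues
    return findings


def restore_drill(run: BackupRun, rto: timedelta, restore) -> tuple[bool, float]:
    """Time a restore and confirm the restored bytes match the digest recorded at backup time.

    `restore` is whatever performs the actual restore; here it is any callable that takes
    the BackupRun and returns the restored bytes."""
    start = time.perf_counter()
    restored = restore(run)
    elapsed = time.perf_counter() - start
    integrity_ok = sha256_hex(restored) == run.sha256
    within_rto = timedelta(seconds=elapsed) <= rto
    return integrity_ok and within_rto, elapsed


if __name__ == "__main__":
    for job, issues in check_backups(CATALOG, DEFAULT_RPO, NOW).items():
        print(job, "OK" if not issues else issues)
    ok, secs = restore_drill(CATALOG[0], DEFAULT_RTO, lambda r: r.payload)
    print("restore drill", "passed" if ok else "FAILED", f"in {secs:.4f}s")
```

Run on the sample catalog, `core-db-nightly` comes back clean and `doc-imaging` produces three findings. The integrity check is the part most shops skip: a backup that completes "successfully" but cannot be restored to matching content is not a backup, so record a digest at write time and recompute it during the restore drill.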
Cybersecurity also means keeping watch over your data processing systems. Batch processing exists precisely to remove tedious end-user interaction, but with no person watching each step the process itself must be controlled and monitored. Interfaces between systems need controls of their own, and every data transfer should be verified as complete and accurate, for example by comparing record counts and control totals on both sides of the interface rather than assuming the batch landed intact.
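The classic control for an interface file is a trailer record that the sending system fills in and the receiving system recomputes. The following is an added example, not code from the original article or from ARB; it assumes a hypothetical file layout (detail rows of `D,date,member,cents,CR|DR` followed by a trailer `T,count,net_cents,sha256`) and constructed sample rows. The receiver checks three things: the record count catches truncated transfers, the net hash total catches most altered or mis-keyed amounts, and a digest of the detail body catches anything else, including two changes that cancel each other out in the total.

```python
from __future__ import annotations

import hashlib

# Constructed sample interface file (hypothetical layout): detail rows produced by a posting
# system, amounts in integer cents to avoid floating-point rounding in the control total.
DETAILS = [
    "D,2024-01-15,1001,25000,CR",
    "D,2024-01-15,1002,13750,DR",
    "D,2024-01-15,1003,99999,CR",
]


def signed_cents(row: str) -> int:
    """Net amount of one detail row in cents (credits positive, debits negative)."""
    kind, _date, _member, amount, direction = row.split(",")
    if kind != "D" or direction not in ("CR", "DR"):
        raise ValueError(f"malformed detail row: {row!r}")
    cents = int(amount)
    return cents if direction == "CR" else -cents


def build_batch(details: list[str]) -> str:
    """Sender side: append a trailer with record count, net hash total and a digest of the body."""
    body = "".join(row + "\n" for row in details)
    count = len(details)
    net = sum(signed_cents(row) for row in details)
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return body + f"T,{count},{net},{digest}\n"


def verify_batch(text: str) -> list[str]:
    """Receiver side: recompute every control from the details actually received.

    Returns a list of discrepancies; an empty list means the batch is complete and intact."""
    lines = text.splitlines()
    if not lines or not lines[-1].startswith("T,"):
        return ["trailer record missing: batch may be truncated"]
    *details, trailer = lines
    try:
        _, count_s, net_s, digest = trailer.split(",")
        expected_count, expected_net = int(count_s), int(net_s)
    except ValueError:
        return [f"malformed trailer: {trailer!r}"]

    try:
        actual_net = sum(signed_cents(row) for row in details)
    except ValueError as exc:
        return [str(exc)]

    problems: list[str] = []
    if len(details) != expected_count:
        problems.append(f"record count {len(details)} != trailer count {expected_count}")
    if actual_net != expected_net:
        problems.append(f"hash total {actual_net} != trailer total {expected_net}")
    body = "".join(row + "\n" for row in details)
    if hashlib.sha256(body.encode("utf-8")).hexdigest() != digest:
        problems.append("digest mismatch: body altered in transit")
    return problems


def drop_row(text: str, index: int) -> str:
    """Simulate a transfer that lost one record."""
    lines = text.splitlines()
    del lines[index]
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    good = build_batch(DETAILS)
    print("intact:", verify_batch(good))
    print("digit transposition:", verify_batch(good.replace("1002,13750", "1002,13570")))
    print("lost record:", verify_batch(drop_row(good, 2)))
```

A receiving job should refuse to post a batch with any discrepancy and raise an incident rather than silently accepting what arrived. Note that a plain SHA-256 digest proves the body was not changed since the trailer was written, but not who wrote it; where the sender's identity matters, replace it with an HMAC over a key shared only by the two systems.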
One area you may overlook when thinking about cybersecurity is environmental control systems, such as fire and smoke detection, temperature controls, and alternate power sources. Without proper environmental controls, you cannot ensure the security and reliability of branch equipment and the other systems your credit union has in place.
And, ultimately, a process should be in place to ensure that systems incidents, problems, and errors are reported, analyzed, and resolved in a timely manner.
Providing Adequate Physical Security
To safely navigate IT in the credit union industry, the goal has to be appropriately controlled access to programs and data, preventing unauthorized use, disclosure, modification, damage, or loss. Several steps are key, beginning with an information security policy that defines information security objectives for management and employees. Procedures must exist, and be followed, for employee hires, branch moves or changes, and terminations so that access to sensitive data stays controlled as people join, move, and leave. Grant permissions on the basis of need and with segregation of duties in mind, not as sweeping or blanket grants. Adequate segregation of duties should be in place between IT and end-users, and end-users should have no access to source code or system configuration.
Procedures must also exist and be followed for maintaining effective user authentication. Password length, history, expiration, and lockout after failed attempts are all needed considerations for your authentication policies. One caveat worth knowing when you set the expiration rule: current NIST guidance (SP 800-63B) favors longer passwords and screening against known-breached passwords over forced periodic expiration, and recommends a forced change only when compromise is suspected. All users need to be identified uniquely; shared IDs should never be permitted except in limited, documented, and approved exceptions. Physical access to computer systems should also be restricted to appropriate personnel.
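Those authentication policies are only as good as the code that enforces them. The following is an added example, not code from the original article or from ARB, showing one way to implement length, history, expiration, and lockout rules on top of salted password hashing. The policy values, the account record, the user ID, and the constructed clock are all assumptions chosen for the example; the PBKDF2 iteration count is kept deliberately low so the example runs quickly and should be much higher in production.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy knobs (hypothetical values for the example; tune to your own policy).
MIN_LENGTH = 14
HISTORY_DEPTH = 10             # current password plus the previous nine cannot be reused
MAX_AGE = timedelta(days=365)  # set very large if you rotate only on suspected compromise
LOCKOUT_THRESHOLD = 5          # failed attempts within LOCKOUT_WINDOW that trigger a lock
LOCKOUT_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)
PBKDF2_ROUNDS = 50_000         # kept low so the example runs fast; use far more in production


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). The plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    user_id: str                    # one ID per person; no shared logins
    salt: bytes
    digest: bytes
    changed: datetime               # when the current password was set
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failures: list[datetime] = field(default_factory=list)            # recent failed attempts
    locked_until: datetime | None = None


def create_account(user_id: str, password: str, now: datetime) -> Account:
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest, now)


def matches(salt: bytes, digest: bytes, candidate: str) -> bool:
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(cand, digest)    # constant-time comparison


def check_new_password(acct: Account, candidate: str) -> list[str]:
    """Policy checks for a proposed password: minimum length and no reuse from history."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(matches(s, d, candidate) for s, d in [(acct.salt, acct.digest)] + acct.history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Apply a password change; returns the list of policy violations (empty on success)."""
    problems = check_new_password(acct, new_password)
    if problems:
        return problems
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[HISTORY_DEPTH - 1:]        # history + current = HISTORY_DEPTH entries
    acct.salt, acct.digest = hash_password(new_password)
    acct.changed = now
    return []


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'expired', 'denied' or 'locked'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                          # no hash check while locked
    acct.failures = [t for t in acct.failures if now - t <= LOCKOUT_WINDOW]
    if matches(acct.salt, acct.digest, password):
        acct.failures.clear()
        acct.locked_until = None
        return "expired" if now - acct.changed > MAX_AGE else "ok"
    acct.failures.append(now)
    if len(acct.failures) >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION
        acct.failures.clear()
        return "locked"
    return "denied"


def scenario() -> dict[str, object]:
    """Walk through lockout, unlock, history and expiration on a constructed clock."""
    t0 = datetime(2024, 1, 15, 8, 0)
    acct = create_account("jdoe", "correct horse battery", t0)
    out: dict[str, object] = {}
    out["five_bad"] = [authenticate(acct, "wrong", t0 + timedelta(seconds=i)) for i in range(5)]
    out["right_while_locked"] = authenticate(acct, "correct horse battery", t0 + timedelta(minutes=1))
    out["right_after_lockout"] = authenticate(acct, "correct horse battery", t0 + timedelta(minutes=31))
    out["reuse_current"] = set_password(acct, "correct horse battery", t0 + timedelta(days=1))
    out["too_short"] = set_password(acct, "Tr0ub4dor&3", t0 + timedelta(days=1))
    out["change_ok"] = set_password(acct, "a brand new long passphrase", t0 + timedelta(days=1))
    out["reuse_previous"] = set_password(acct, "correct horse battery", t0 + timedelta(days=2))
    out["stale"] = authenticate(acct, "a brand new long passphrase", t0 + timedelta(days=400))
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Two design points matter here. The lockout check runs before any hashing, so an attacker hammering a locked account learns nothing and burns none of your CPU, and the "expired" result is returned only after the correct password is verified, so the expiration rule cannot be used to enumerate valid accounts.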
Cybersecurity needs extend to controls over the perimeter and the network. Such controls may include firewalls, routers, terminal service devices, wireless security, and intrusion detection. Sensitive data must be encrypted, at rest and in transit, across all hardware platforms, and penetration testing should be performed periodically to identify, assess, and address cybersecurity risk. Breach detection sensors should be deployed and monitored, and each detected event must be investigated, mitigated, and documented; a sensor nobody reviews provides no protection.
Internal end-users and unwelcome outsiders aren’t the only considerations in keeping your data safe. Exposing parts of the business to the vendors you use in daily operations is a necessary part of doing business, but that exposure can threaten your financial stability, data security, and business reputation if it is not handled properly. Vendor due diligence procedures should be in place to manage this risk. A vendor review covers how the vendor handles nonpublic information, the security controls it has in place, and its financial and legal standing. This matters all the more with the advent of cloud computing, where member data may reside on infrastructure the credit union does not control. It is critical to perform cloud vendor risk assessments and periodic reviews. These reviews should be performed at least annually, with an out-of-cycle review any time a vendor’s management changes, the vendor lays off staff, has legal action brought against it, or files for bankruptcy. Vendor management software is available to help financial institutions support their vendor due diligence needs.
Supporting Internal Objectives
Program changes and systems acquisition and development have to be appropriately managed to ensure they are adequately supporting internal objectives. How do you do that? IT systems changes need to be appropriately approved and tracked in a change management database. Controls should be in place to ensure that only authorized individuals move systems into production.
Application controls need to be considered by authorized personnel and formally documented. End users should also be involved in deriving application requirements for applications they will use. Get the people on the ground voicing the end-user needs. Develop and follow a test plan for all major implementations that includes user acceptance testing and adequate documentation.
Cybersecurity is a lot like a holistic approach to personal health. Each system potentially affects the next. Maintaining reliable systems, adequate physical security, and policies and procedures that support internal objectives can help your credit union and your members safeguard valuable and confidential data.
ARB’s credit union advisory services team recognizes the unique IT challenges credit unions face and delivers services that are customized to each organization’s needs. Contact us to discuss your IT procedures and other credit union service needs.
by Stephen R. Boissonneault, IT Support Specialist