Tech Time: 10 Keys to a Sound Cybersecurity Program
Credit unions often ask me what they need to do to have a strong cybersecurity program. I often respond with the following 10 considerations.
1. Executive Leadership Involvement
When it comes to cybersecurity and risk management decisions, senior management, the CEO and the board are the people positioned to set the credit union’s risk appetite. Cybersecurity therefore requires executive and board oversight, not just IT ownership: leadership decides how much risk is acceptable, and the security program exists to keep the credit union within that limit. Make sure your CU’s top leadership is involved and receives regular, plain-language reporting on risk.
2. Follow a Cybersecurity Framework
A trusted framework provides the structure for developing your credit union’s cybersecurity program and for keeping cyber risk at an acceptable level: it drives the assessment of the risks your credit union faces, the selection of mitigation measures and the plan for future improvements. Some examples are the NIST Cybersecurity Framework, ISO 27001/27002 and the CIS Critical Security Controls. PCI DSS is also often cited, but note that it is a control standard scoped to the cardholder data environment rather than a program-wide framework; use it for the systems that handle card data and one of the broader frameworks for the program as a whole.
3. Architecture Design
Over the past few years, there has been a heavy, and often reactionary, investment in IT security. However, these new investments have been implemented on top of existing and rapidly aging IT architecture. To achieve a secure enterprise architecture, security must be treated as a critical design principle from the beginning.
4. Asset Inventory
If you don’t know you have it, you can’t protect it. An information system asset inventory helps your organization identify reasonable threats, vulnerabilities and technology gaps, in addition to improving IT department productivity and reducing the risk of a breach of your credit union.
The creation and management of an information system asset inventory is good for your credit union and, ultimately, for your members. Start simple and create a spreadsheet to list all your hardware and software systems. Remember to include personal devices that are used within your network (“bring your own device” https://www.cues.org/cu-management/columns/byod-poses-security-threats). Consider including the cost and age of the assets as well. As your inventory process matures, software solutions available on the market can help you streamline it.
5. Frequent Risk Assessments
There are many benefits to frequent risk assessments:
- Discovering unknown compromises
- Understanding and adjusting to the latest cyberthreats
- Ensuring the entire credit union stays focused on cybersecurity
- Making smart technology investments based on importance and return on investment measures
- Showing your members that cybersecurity is important to the credit union
6. Cybersecurity Awareness Program
A cybersecurity awareness program builds the essential competencies, methods and techniques staff need to recognize and respond to new cyberthreats. Adopting such a program substantially improves the overall security posture of the credit union and lowers its risk, since many intrusions still begin with an employee acting on a phishing email or a fraudulent request.
7. Threat Intelligence
There isn’t enough money, time or manpower to defend against every imaginable—or even credible—cyberthreat. Instead, the use of cyberthreat intelligence can help a credit union to understand which threats are the greatest risk and allow the allocation of resources accordingly in order to defend against those threats.
8. Automatic Patching Solution
Patch management tools are crucial not only to the IT side of the house, but also to the cybersecurity side. By automating patch management, you take the hassle out of keeping your devices and software up to date. Because an automatic patching solution connects to and pushes patches to all endpoints, the process also provides a network health overview: scanning the network for gaps in patching lets you identify and fix “broken clients,” those that have been disconnected from the patching process and are silently falling behind. Two practical caveats: reconcile the patching console against the asset inventory from item 4, since a device the patching tool has never seen will not show up as “broken” at all; and stage deployments (a small test group before the full fleet) so a bad patch does not take down every teller workstation at once.
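The reconciliation described in items 4 and 8 (asset inventory checked against patching status to find “broken clients”) is easy to automate once both lists exist as spreadsheets. The following is an added example, not code from the article or from any product: it assumes a constructed inventory CSV in the shape the article suggests and a constructed check-in export of the kind most patch-management consoles can produce (hostname, last check-in time, count of missing critical patches). The column names, the seven-day staleness threshold and all hostnames are assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory, in the spreadsheet layout the article recommends.
# in_scope marks devices the patching solution is expected to manage; a personal
# phone (BYOD) is tracked in the inventory but not patched by the credit union.
INVENTORY_CSV = """hostname,owner,asset_type,os,in_scope
FIN-WS-01,finance,workstation,Windows 11,yes
FIN-WS-02,finance,workstation,Windows 11,yes
TELLER-WS-07,branch,workstation,Windows 10,yes
CORE-DB-01,it,server,Windows Server 2019,yes
BYOD-PHONE-3,lending,mobile,iOS 17,no
"""

# Constructed export from a patch-management console: last agent check-in and
# how many critical patches the console believes are still missing.
CHECKINS_CSV = """hostname,last_checkin_utc,missing_critical
FIN-WS-01,2024-03-04T09:12:00Z,0
TELLER-WS-07,2024-02-10T16:40:00Z,3
CORE-DB-01,2024-03-04T08:55:00Z,1
LAB-VM-99,2024-03-03T22:01:00Z,0
"""

# Assumed policy: an agent that has not checked in for a week is "broken".
STALE_AFTER = timedelta(days=7)

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
AS_OF = datetime(2024, 3, 5, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the console export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory_csv, checkins_csv, now, stale_after=STALE_AFTER):
    """Compare inventory against patch check-ins and return the gaps.

    never_checked_in:    in-scope asset the patching tool has never reported on
    stale:               agent present but silent longer than stale_after (broken client)
    missing_critical:    checked in, but critical patches still outstanding
    unknown_to_inventory: device the patching tool knows about that the inventory does not
    """
    inventory = {r["hostname"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    checkins = {r["hostname"]: r for r in csv.DictReader(io.StringIO(checkins_csv))}

    report = {
        "never_checked_in": [],
        "stale": [],
        "missing_critical": [],
        "unknown_to_inventory": [],
    }

    for host, asset in inventory.items():
        if asset["in_scope"].strip().lower() != "yes":
            continue  # tracked, but not expected to be patched by us
        rec = checkins.get(host)
        if rec is None:
            report["never_checked_in"].append(host)
            continue
        if now - parse_ts(rec["last_checkin_utc"]) > stale_after:
            report["stale"].append(host)
        if int(rec["missing_critical"]) > 0:
            report["missing_critical"].append(host)

    # The reverse check matters just as much: a device on the network that the
    # inventory has never recorded is exactly the "if you don't know you have it"
    # problem from item 4.
    for host in checkins:
        if host not in inventory:
            report["unknown_to_inventory"].append(host)

    return report


def demo_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY_CSV, CHECKINS_CSV, AS_OF)


if __name__ == "__main__":
    for category, hosts in demo_report().items():
        print(f"{category}: {', '.join(hosts) or '(none)'}")
```

On the sample data the script flags FIN-WS-02 as never having checked in, TELLER-WS-07 as a stale (broken) client that is also missing critical patches, CORE-DB-01 as missing a critical patch despite checking in, and LAB-VM-99 as a device the patching tool sees but the inventory does not. Each of those four categories calls for a different owner and a different fix, which is why the report keeps them separate rather than producing a single “non-compliant” list.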
9. Mitigating Controls
It is critical for cybersecurity teams to work with senior management on implementing mitigating controls that address the findings from risk assessments, vulnerability scanning and threat intelligence. Those mitigating controls may range from data segregation and network segmentation, to a Defense in Depth design (in which multiple layers of security controls are placed throughout the IT architecture so that one layer still holds if another control fails or a vulnerability is exploited), to the purchase of cyber insurance, to moving from username/password to multifactor authentication. Together they reduce the attack surface of your credit union and limit how far a single failure can spread.
10. Third-Party Risk Management
Third-party risk can cause significant damage to, or possibly even destroy, a credit union. Credit unions have numerous third-party relationships that extend the security perimeter well beyond systems the credit union controls. Third-party partners can introduce IT risks as well as safety, environmental and operational risks. Some steps to take to mitigate third-party risk include:
- Vetting of each third-party partner
- Conducting risk assessments on the third parties
- Establishing a third-party tracking database
- Reviewing third-party contract language
The subject of vetting warrants its own article, but credit unions should be sure to have a question-and-evidence section in third-party vendors’ contractual language. Examples include: Does the vendor have cyber insurance? What does that insurance cover? (Does it cover our data if the vendor is breached?) Does the vendor have a cybersecurity program? An incident response policy and procedures? Are those procedures tested? Has the vendor had third-party penetration testing done? You want proof of these efforts provided before and during the contract period, not just a “yes” on a questionnaire.
A proliferation of recent cyberattacks has caused and continues to cause increasing damage to government entities, companies and individuals alike. Credit unions must take cyberthreats seriously and adopt strict cybersecurity measures to counter those threats. Addressing the 10 areas above will allow your credit union to shore up its cyber defenses and move from a reactive cyber posture to a proactive stance.
Heath Renfrow is chief information security officer at CUES Supplier member LEO Cyber Security, Fort Worth, Texas. Renfrow has served as chief information security officer for multiple global organizations, most recently for United States Army Medicine, where he was awarded the 2017 Global CISO of the Year by EC-Council, the largest cyber training body in the world. He has 19 years of global cybersecurity professional experience and is considered one of the leading cyber experts in the world. For more information, you can contact him at email@example.com.