It’s no secret that 2020 isn’t going exactly how we imagined (understatement of the year). A lot of us celebrated the end of 2019 as we would any other year: excited for a fresh start, hopeful for a “better year”, full of promises, strategic plans, and big growth goals. We can all agree that Ross Geller unknowingly coined what is now the new word for strategic planning in 2020, “PIVOT”! (Don’t act like you didn’t binge every season of Friends during the pandemic.)
The financial services sector was no exception to the disruption, as 2020 marked a period of tremendous change, not just from COVID-19, but from new privacy and cybersecurity regulations. While many financial institutions were ready to start their technology transformation climb, the mandatory shelter-in-place orders due to the global pandemic shoved the slow and steady technology growth plan into full-on hyperdrive mode in a matter of days.
Fast forward six months and for some companies it’s been a slow and cautious migration back to the office, but for others there is no future plan to return. The sudden PIVOT to a remote workforce meant new software and hardware needed to be implemented fast, too fast in fact to ensure compliant installation and proper updates to policy. What’s unfortunate is that fraud and cyberattacks are increasingly prevalent today as attackers continue to evolve with COVID-19, adjusting to hybrid environments and targeting both personal and business systems. They are becoming better organized, better financed, and better equipped.
So, now what? You plan for all possible futures. Acknowledge the global nature of cybersecurity risk and build a security framework that complements your current risk management, strengthens your security posture, and can evolve with technology and business requirements. Here are just a few best practices to consider.
Where are your assets and what is their value?
Identify your most important data or mission-critical assets, determine their value and where they are located. Certain advanced technologies and programs can be used to scan for these valuable tidbits and pull this information together quickly and precisely.
Remember, not all data is created equal; different data requires different levels of protection. Hackers will be more interested in high-value assets than those of lesser importance. Having this knowledge will allow you to prioritize efforts, adjust risk strategies based on protecting these crucial assets, and allocate portions of your budget accordingly.
Recognize potential threats
Always be identifying, assessing, and responding to risk. Identifying and understanding the threats and risks of your technology environment allows you to prioritize and facilitate the implementation of effective security strategies. Threats are factors that can damage, destroy, or compromise valuable data, and they could emerge from internal operations or external relations. For example, an employee who leaves login credentials somewhere easily accessible or easily noticed can be considered a potential threat. The truth is, our employees are our biggest cybersecurity risk, so make sure you’re training them … they don’t know what they don’t know.
Implement effective security controls
Build processes that address your credit union’s specific data security needs. Implement processes like response planning, communications, analysis, mitigation, and improvements. Then you can develop, document, and implement a disaster recovery process to remain resilient!
Review your newly migrated technology environment
Ah yes, the famous last words of every CEO whose company was breached, “I didn’t know, I thought the security we had in place was top notch” (aka good enough). Think of it this way, you wouldn’t expect your employees to open up a new account for someone without verifying their credentials, right? So, why would you assume the security protecting all your data is bulletproof or compliant without performing a proper vulnerability scan?
We’re more than halfway through 2020. We may not know what the second half of the year has in store, but if there was ever a time to start adding a proper security framework to your risk management, now would be the time. More so, whether you were one of the few organizations that were prepared to weather the COVID storm, or among the majority who had to PIVOT quickly to deploy new technologies in order to adapt, your next steps remain the same. Always be assessing!
- If your organization is relying on technology, building a cybersecurity framework will assist in assessing and addressing cybersecurity as it affects the privacy of customers, employees, and other parties. If your organization has a cybersecurity framework in place, GREAT, assess it to make sure your processes and policies are evolving with technology and current business regulations. If you have no idea if you have a cybersecurity framework in place, or how to get started, that’s okay too! You can get started by utilizing templated frameworks offered by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).
- No matter where you are in the process, remember to train your people! Utilize free phishing tests through KnowBe4 to see what percentage of your employees are phish-prone.
- Read up on ransomware and how to prevent it. Download the 2020 Ransomware Hostage Rescue Manual, which includes a Ransomware Prevention Checklist!