Talking at cross purposes: Where credit union cybersecurity goes awry

For years I have pondered a puzzle: why do financial institutions spend so much on cybersecurity and employ wonderfully smart and talented people, yet get results that are not as good as one would hope?

Frequently financial institutions simply are whipped by their criminal opponents.

Just look back on how DDoS – distributed denial of service – brought innumerable institutions to their knees a few years ago. It took months for credit unions to get it together to repel the attack.

Then look at ATM jackpotting. New account opening fraud. ATM skimming. The list could go on and on but you get the message: criminals often outwit credit unions and banks and that is despite the money spent and the talent employed.

Why don’t credit unions gain the upper hand?

A new report, sponsored by cybersecurity firm Authentic8, involves a survey of 163 financial services professionals, and it tackles just that question: why do financial services firms so often fall victim to cyberattacks?

Here’s a hint at the reason: “Financial firms have some of the best-funded IT departments of any industry, that’s no secret,” said Scott Petry, CEO of Authentic8. “What’s perplexing to me, with data breaches and privacy violations at an all-time high, is how deep the divide still runs between IT, compliance and legal professionals in many firms.”

The report’s title spells out the problem: “Surprising Disconnect Over Compliance and Secure Web Use at Financial Firms.”

The word to focus on is: Disconnect. That, inside many credit unions, sums up what ails the counterattack.

Here’s the problem: inside many financial services firms, credit unions and banks included, there’s a cyber Tower of Babel where three principal stakeholders often talk at cross purposes, according to the Authentic8 report.

Legal comes to the table with one perspective: it wants to ensure that security policies and practices are squeaky clean, legally. Legal also wants to set data loss prevention policies and reduce the risks of web browsing by employees.

Compliance comes to the table looking over its shoulder at regulator demands for compliance and, these days, it often has its eyes on social media because they, potentially, are compliance minefields. Compliance also worries about malware and how to reduce the damages it can inflict.

IT comes to the table with real awareness of attack vectors and countermeasures – but IT also is sensitive to pushback from internal consumers who grumble, loudly, about restrictive security policies. IT, in many cases, said the research, also focuses on perimeter defenses and point solutions.

The problem in many institutions, said Petry in an interview with me, is that the three groups often just don’t hear each other’s concerns and don’t look outside their own silos. Each is focusing on valid issues, but their comparative lack of interest in the concerns of other stakeholders severely impedes fast responses to changing cybersecurity environments.

“It keeps me up at night knowing these three groups are working on the same problems but not really collaborating closely enough to solve them,” said Michelle DeStefano, a law professor and co-editor of the Compliance Elliance Journal.

What this also means is that the institution’s response is fragmented, where what is needed to thwart ever more sophisticated cybercriminals is a coherent, muscular, focused response. And that just isn’t what many institutions are providing.

Matters may be even worse inside many credit unions because at least some of this cybersecurity work is outsourced to multiple vendors – who commonly do not speak at all with each other.

What’s the solution?

Pretty obviously, it’s up to the boards of directors to bang home the message that effective, efficient cybersecurity is a necessity for a thriving financial services firm today. The penalties for falling victim range from reputation damage to hard dollar fines and no board wants that – which is exactly why this has become a board level concern.

Top management – responding to board concerns – has to insist the three stakeholders work together, in a unified force, to fight against cyber criminals. That has become a necessity. The bad guys keep getting slicker.

The good guys have to fight back hard – and that means pulling together.

Read the report. It’s short, it’s free, but it’s provocative: Get it here.

Robert McGarvey

A blogger and speaker, Robert McGarvey is a longtime journalist who has covered credit unions extensively, notably for Credit Union Times as well as the New York Times and TheStreet, ...