
Human element and data protection

Safeguarding data is critical; however, employees and consumers are often the weak link.

The human element — behavior, decisions and errors — has a major effect on how well cybersecurity risks are managed. People can be the cause of security vulnerabilities (falling for scams or using weak passwords) and can also play a critical role in security defenses that minimize the risks of cyber incidents.

Fraudsters succeed with social engineering tactics by tugging at basic human instincts, such as the urge to be helpful. These scams look to catch employees and consumers off guard, dupe them into complying with instructions from a malicious actor and pressure them to act quickly.

A sound data privacy and cybersecurity program can help your organization minimize the risk that your employees' actions create security vulnerabilities. Incorporating risk awareness, policies and procedures and continuous employee training can help your employees become a critical first line of defense.

A common theme is that bad actors focus on harvesting a range of valuable information from your employees — info such as usernames and passwords, financial details, system configurations, browser cookies and security protocols. It is critical for your organization to successfully detect insider threats and manage the human element to mitigate the risks associated with data protection.

More human element and data protection information

  • It is important for credit unions to have well-written and easy-to-understand cybersecurity policies so that employees understand what is required, how they play a role and what to do in the event of suspicious activity. Regularly reviewing your policies for needed updates and changes is also vital to their effectiveness.

  • Cybersecurity threats are constantly evolving, and it's important for organizations to keep training continuous and relevant. Tailor training content and delivery to different roles, incorporating real-world examples and scenarios to help keep employees informed and aware of potential threats.

    Training should be regular and ongoing to build a strong culture of security. Instruct employees on scams, how to recognize them and the correct internal processes. Employees should be told to:

    • Be skeptical and never share personal information during unexpected calls, even if the caller seems legitimate. If something doesn’t seem right, trust your instincts and do not move forward.
    • Confirm the legitimacy of requests by verifying with the employee who supposedly made them. Authenticate requests over a different communications channel (out-of-band authentication), such as face-to-face with the requestor or by calling the requestor's known phone extension or cell phone number.

    In addition to your employee training, encourage staff to enhance their knowledge with the TruStage no-cost, interactive employee training module: Data Protection and You.

  • It is also important for organizations to prepare their employees for what to do should they suspect a cyber incident. Empowering employees with knowledge of where to report things like phishing emails, smishing, vishing and other scams is just one step to help defend against cyber criminals.

    Employees should understand their roles and responsibilities in the event of a security incident, as well as the reporting procedures. Knowing who to call and where to report within the organization is just one step to help in the fight against cyber threats.

    If your organization suspects, receives an indication of, or discovers any actual or potential data breach incident, including incidents involving vendors, it is important to immediately contact your cyber insurance carrier. Providing prompt notice may aid with investigation, remediation of cyber risks and notification requirements through the assistance of an experienced breach coach.

  • In addition to training, implement policies that enforce strong passwords and require two-factor authentication (2FA) or multi-factor authentication (MFA) to help reduce the risks from human error.

    Also establish processes that make it easy for employees to report suspicious activity and concerns. Organizations could also consider using technologies like automated security testing and threat detection to further strengthen defenses against human error.

    Other mitigation tips to consider:

    • Apply the principles of least privilege and network segmentation where an end user only has the privileges necessary to complete tasks related to their role.
    • Implement zero trust network access to help enhance security protocols, including encryption and authentication.
    • Implement tools and systems that can detect and prevent social engineering attacks in real time.
    • Continuously monitor system access, website traffic and activity for anomalies that can help detect and respond to security incidents promptly.
    • Vet and monitor third parties that have remote access to your network and other third-party connections.
    • Keep all systems, including hardware, mobile devices, operating systems, software, cloud locations and content management systems, patched and up to date. Conduct regular testing to help identify and address security gaps.

  • Access controls are a fundamental pillar of cybersecurity because they help ensure that only authorized individuals can access specific systems, data or resources.

    By restricting access to only those who need it, access controls reduce the number of potential entry points for attackers and minimize the risk of data breaches, insider threats and accidental data leaks.

  • Conducting regular audits of access controls is essential for maintaining data security. These audits help uncover vulnerabilities, ensure compliance with internal policies and external regulations and prevent unauthorized access.

    Key steps include identifying and disabling inactive or unused accounts, verifying that all users have access appropriate to their current job responsibilities and ensuring that administrative privileges are both necessary and actively monitored.
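    The three audit steps above (inactive accounts, access appropriate to the role, and admin privileges under review) can be scripted against a directory or application export. The following is an added example, not code from TruStage or this page; the account records, the role-to-entitlement baseline and the 90-day inactivity threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample export (not real data): one record per account.
# "entitlements" is the set of access the account actually holds.
ACCOUNTS = [
    {"user": "alice", "role": "teller", "last_login": date(2024, 5, 30),
     "entitlements": {"core_banking_read"}, "admin": False},
    {"user": "bob", "role": "teller", "last_login": date(2024, 1, 4),
     "entitlements": {"core_banking_read"}, "admin": False},
    {"user": "carol", "role": "loan_officer", "last_login": date(2024, 6, 1),
     "entitlements": {"core_banking_read", "loan_origination", "wire_approve"},
     "admin": False},
    {"user": "dave", "role": "it_admin", "last_login": date(2024, 5, 28),
     "entitlements": {"domain_admin"}, "admin": True, "admin_reviewed": False},
    {"user": "svc_backup", "role": "service", "last_login": date(2023, 9, 1),
     "entitlements": {"backup_operator"}, "admin": True, "admin_reviewed": True},
]

# Hypothetical baseline: the entitlements each role is permitted to hold.
ROLE_BASELINE = {
    "teller": {"core_banking_read"},
    "loan_officer": {"core_banking_read", "loan_origination"},
    "it_admin": {"domain_admin"},
    "service": {"backup_operator"},
}

INACTIVE_DAYS = 90  # assumed policy threshold


def audit_accounts(accounts, baseline, today, inactive_days=INACTIVE_DAYS):
    """Return findings for the three review steps: inactive accounts,
    entitlements beyond the role baseline, and admin accounts not yet reviewed."""
    findings = {"inactive": [], "excess_entitlements": {}, "unreviewed_admin": []}
    cutoff = today - timedelta(days=inactive_days)
    for acct in accounts:
        # Step 1: accounts with no login inside the window are disable candidates.
        if acct["last_login"] < cutoff:
            findings["inactive"].append(acct["user"])
        # Step 2: anything held beyond the role baseline is excess access.
        # An unknown role has an empty baseline, so every entitlement is flagged
        # rather than silently accepted.
        allowed = baseline.get(acct["role"], set())
        excess = acct["entitlements"] - allowed
        if excess:
            findings["excess_entitlements"][acct["user"]] = sorted(excess)
        # Step 3: admin rights must carry a current review/justification flag.
        if acct["admin"] and not acct.get("admin_reviewed", False):
            findings["unreviewed_admin"].append(acct["user"])
    return findings


def run_sample_audit(today=date(2024, 6, 3)):
    """Run the audit over the constructed export with a fixed review date."""
    return audit_accounts(ACCOUNTS, ROLE_BASELINE, today)


if __name__ == "__main__":
    for category, items in run_sample_audit().items():
        print(f"{category}: {items}")
```

    Reviewers would act on each list differently: disable or expire the inactive accounts, remove the excess entitlements (here a loan officer holding wire approval), and obtain or record a review for the unreviewed admin account. Service accounts that legitimately log in rarely will appear in the inactive list, so the threshold or the account type should be tuned rather than the finding ignored.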

    Poorly adopted flexible work arrangements can also increase risk; therefore, policies and procedures for remote work should be monitored. In a traditional office setting, organizations generally have an IT and cybersecurity team watching over the network and ensuring everyone follows best practices for device usage, file storage and sharing and sending and receiving messages; remote work removes much of that direct oversight.

  • Strong password policies are essential for protecting credit union systems and data from unauthorized access. A well-designed policy helps enforce secure password creation, usage and management. Minimum expectations outlined in your policy should include password length, complexity, character variety, expiration and reuse restrictions.
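    A policy is only as good as its enforcement, so the minimum expectations listed above are usually checked at the moment a password is set or changed. The following added example (not TruStage's code or a product of this page) shows one way to enforce length, character variety, reuse restrictions and expiration; the specific policy values and the salted PBKDF2 history format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import date

# Hypothetical policy values; set these to your credit union's own policy.
POLICY = {
    "min_length": 12,
    "min_classes": 3,    # of: lowercase, uppercase, digit, symbol
    "max_age_days": 90,
    "history_size": 5,   # previous passwords that may not be reused
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only these are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(c in string.punctuation for c in password)
    return classes


def check_new_password(candidate, history, policy=POLICY):
    """Return the list of policy violations for a proposed password (empty = accepted)."""
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if character_classes(candidate) < policy["min_classes"]:
        violations.append(f"fewer than {policy['min_classes']} character classes")
    # Reuse check: re-derive the hash with each stored salt and compare in
    # constant time, so the history never needs plaintext passwords.
    for salt, digest in history[-policy["history_size"]:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            violations.append("matches one of the previous passwords")
            break
    return violations


def password_expired(last_changed, today, policy=POLICY):
    """Expiration check: True once the password is older than the policy allows."""
    return (today - last_changed).days > policy["max_age_days"]


# Constructed history of two earlier passwords, stored only as salt + digest.
SAMPLE_HISTORY = [hash_password(p) for p in ("Autumn-Leaves-2023!", "Winter-Snow-2024!")]


def sample_checks():
    """Exercise each rule against the constructed history and a fixed date."""
    return {
        "short": check_new_password("Abc1!", SAMPLE_HISTORY),
        "reused": check_new_password("Winter-Snow-2024!", SAMPLE_HISTORY),
        "accepted": check_new_password("Spring-Rain-2024!", SAMPLE_HISTORY),
        "expired": password_expired(date(2024, 1, 1), date(2024, 6, 3)),
    }


if __name__ == "__main__":
    for name, outcome in sample_checks().items():
        print(f"{name}: {outcome}")
```

    The reuse check is the part most often done badly: storing previous passwords in plaintext, or hashing without a salt, turns the history itself into a breach risk. Hashing the candidate with each stored salt keeps the comparison possible while the stored history remains unusable on its own.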

  • Social engineering frauds using deepfake technology can be a significant challenge, as most conventional security technologies and identification protocols are designed to identify impostors — not to recognize altered, recorded or digitally enhanced voices or videos. Deepfake technology is increasingly available and is used by fraudsters to convince employees to follow instructions and even bypass protocols.

    Credit unions may be affected by deepfakes in several ways including:

    • Exploiting member onboarding processes.
    • Creating fraudulent accounts, counterfeit payment or transfer requests.
    • Impersonating key credit union, third-party or vendor personnel in business email compromise (BEC) or fraudulent instruction scams.
    • Mimicking job candidates.

    You should ensure employees are naturally suspicious and know that they should not be pressured into making quick decisions or providing sensitive information during unexpected requests — even if the caller (voice or image) seems legitimate. It is critical to establish clear policies and procedures on how information can be shared and what information can and cannot be given over the phone or through other communication methods.


Related resources

Access TruStage’s Protection Resource Center* for exclusive risk and compliance resources to assist with your loss control efforts.

Data privacy, protection & governance risk overview*

Cyber threats risk overview

RISK Alert: Time for your employees to go back-to-school on insider cyber threats*

RISK Alert: Vishing attacks look to target vulnerable employees*

Social engineering fraud employee’s guide*

Deepfake risk overview*

Ransomware risk overview*

Interactive employee training module: Data Protection and You