On-Going Cybersecurity Challenges Faced by Credit Unions and Community Banks
Financial service institutions traditionally relied on making strategic capital investments to complete physical infrastructure projects to secure the valuable assets their customers entrusted them to protect. Think special features such as the New York Federal Reserve's 90-ton steel cylinder door blocking entry to the vault containing the world's largest bullion depository. Today, however, banks are forced to think of security in a more holistic way to counter the ongoing and evolving landscape of cybersecurity challenges. According to a survey conducted by Deloitte, 64% of executives working in top financial firms list cybersecurity as the number one spending priority for 2021. The most prominent companies are directing more than $1 billion to counter the ongoing encroachment of advanced cyber threats. Industry analysts have predicted that damages related to global cybercrime incidents are projected to top $6 trillion in 2021—roughly double the $3 trillion spent as recently as 2015—although community banks and credit unions remain largely ill-equipped to confront the levels of cyber threats their customers and valuable digital infrastructure is facing this year. Meanwhile, researchers have determined that due to the vital linkages that connect the financial service sector, a single cyber-attack incident creates a ripple effect the reverberates through the global banking industry, impacting organizations with no business ties or geographic connections to the victimized institution. As a result, every incentive imaginable is available for community banks and credit unions that are roughly 300% more likely to experience cyber-attacks when compared to any other industry to think pragmatically about cybersecurity and allocate proper resources to counter emerging threats across multiple vectors. This article explores the ongoing cybersecurity threats facing credit unions and community banks while providing actionable insights around how to counter them.
Top Cybersecurity Threats for Community Banks and Credit Unions in 2021Credit unions and community banks across the nation face a wide range of cybersecurity dangers posed by everything from everyday garden variety hackers looking to mess around a bit to the sophisticated cyberespionage/cyberwarfare maneuvers of advanced persistent threat (APT) actors.
- Combatting the Fallout of Data Breaches and Credential Stuffing In the first six months of 2020, more than 36 billion datasets containing user information were exposed due to data breaches, and by the end of the year, the average cost of an incident rose to $3.86 million. Credential stuffing is one of the most devastating after-effects of data breaches when criminals use stolen account credentials to access banking user accounts using large-scale automated login request attempts. One of the main reasons data breaches are on the rise in 2021 is because banking user data is valuable to criminal organizations that buy, sell, and trade account credentials across various channels and dark web platforms. Credit union and community bank customers are more likely to be at-risk for credential stuffing operations by using the same passwords repeatedly for various online platforms and digital services. One of the best ways to help protect customers from the effects of data breaches is to teach them the best practices around authentication services and create and employ solid and difficult-to-crack passwords for every online service they use.
- Addressing the Limitations of Cloud Computing Cloud computing services have revolutionized the digital world in many profound ways while also creating some new attack vectors for hackers to seek to exploit. As community banks and credit unions store more and more of their valuable data using cloud-based storage systems, it becomes increasingly prudent to seek partnerships with top firms capable of ensuring their cyber resilience's integrity. The Cloud Hopper Mega Hack created a dramatic wake-up call for many banks about the lingering dangers posed by rapidly adopting new digital services to store valuable data in the cloud. Considered by the officials in the Department of Justice to be one of the most significant cyberespionage events of all time, this incident involved cloud-based infiltration efforts spanning multiple cloud-based service providers and some of the largest MSP companies in the world, including IBM and DXC Technology in the U.S. and CGI of Canada. The recent data breach tied to Accellion is another recent example of how devastating attacks can be when cloud-based resources, including file-sharing programs, are attacked by advanced and persistent threat actors. What started as a simple data breach quickly escalated into global extortion schemes using advanced ransomware tactics to shake down Fortune 500 companies, law firms, universities, and many other organizations.
- Social Engineering: Phishing, Spear Phishing, and Whaling Social engineering exploits a trend that infosec analysts frequently cited over the years—human error is responsible for as many as 95% of all data breaches executed. Phishing scams are a common type of cyber-attack when an attacker convinces an individual to open a malicious link executing a malware attack, which in 2021 is highly likely to be a type of ransomware. Phishing scams can be executed using nearly every type of communications channel imaginable and are becoming harder and harder to distinguish from regular social media posts, emails, text messages, and sales landing pages sent by legitimate entities, such as your community bank. Spear Phishing and whaling are variants on this theme that are much more targeted in nature. These threats seek to contact specific individuals for the sole purpose of unleashing scams. Famous versions of these attacks have been unleashed against top C-suite executives at top companies, military leaders, and government officials. Social engineering scams are rising and are extremely difficult to spot. Fortunately, there are many ways to mitigate them, including everything from employing more advanced filtering systems to scan incoming communications to better educate customers and staff about spotting signs of phishing scams. Developing relationships with trusted cybersecurity partners is perhaps the easiest and most straightforward way to ensure your bank is following best practices to avoid phishing scams.
- Crimeware 2021: The Year of Ransomware Ransomware continues to be one of the most devastating and pervasive of all types of cybercrime and is being tied to a new boutique industry that has been dubbed crimeware-as-a-service (CAAS). Recently organizations like Acer, The Houston Rockets, Asteelflash, the Broward County Public Schools, Applus Technologies, Pierre Fabre, and Harris Federation have been targeted by expensive digital ransom requests of $20-40 million. However, Taiwanese computer producer Acer is believed to have received the highest request of all time, standing at over $50 million to retrieve its valuable data. Ransomware attacks occur by infecting your organization's computers, encrypting your data, and asking you to pay a fee to retrieve the information. These attacks are on the rise, and community banks are prime targets due to the valuable business intelligence and financial data they can access. Some of the best ways to counter ransomware are to educate customers and employees about cybersecurity best practices. In many cases, ransomware attacks begin like phishing scams and are triggered by human errors to click malicious links, download suspicious attachments, and launch sketchy .exe files.
- Responding to Emerging Threats Against the Internet of Things (IoT) Though the vast majority of cyber threat attacks occur using the software as a threat vector, hardware assets such as servers and routers are becoming increasingly problematic due to being connected via the internet of things (IoT). Something as seemingly benign as an employee smartphone can be used to launch a devastating cyberattack underscoring the need for a 360° awareness of cybersecurity threats. Business essential hardware like computers, routers, printers, and cameras can be weaponized and turned against your organization due to actions carried out by both employees and customers. Many hackers today are highly motivated to attack community banks along IoT-based threat vectors. Technologies such as your bank's API system can create immense cybersecurity risks, and open banking trends and platforms have only exacerbated these. Modern banks need to think about security in a much more rich and nuanced way than simply installing a massive 90-ton piece of steel in front of a vault entrance and calling it a day. Cybersecurity today means safeguarding digital infrastructure, vetting vendors' activities, and educating both customers and staff constantly. It is a challenging undertaking, and that is precisely why the largest financial institutions have allocated such massive budgets towards countering cyber threats.