A new study brings to light some ugly truths about executives and how they perceive their role in cybersecurity.
The study, commissioned by Tanium, a cybersecurity firm, and Nasdaq, reported more than 90% of corporate executives cannot read a cybersecurity report and are not prepared to handle a major attack…and that at least 40% of executives seem OK with that. That’s the number who said they don’t feel responsible for the repercussions of hackings.
This is a problem. Especially if any of these 40% are credit union executives.
Senior executives are responsible for everything in an organization, even things beyond their direct control or area of expertise. That’s leadership, and it’s particularly true when, as with cyber, the issue cuts across every part of the organization and touches every stakeholder, internal and external.
According to a FireEye report, “Cybersecurity’s Maginot Line,” it’s been validated that 97% of all organizations in the country have been breached. Not just hacked, but hacked successfully. On average, it takes 229 days to discover the breach. That’s bad for everybody, but the stakes are higher for credit unions.
Watch It On-Demand
Hear Chris Howard, senior vice president at Callahan & Associates, discuss dealing with security breaches and best practices that can save a credit union's reputation in the Callahan Leadership webinar "Cybersecurity And Credit Unions."
What’s At Stake For Credit Unions
With cyber, it’s not just money and information at risk, it’s reputation. For credit unions, reputation means member trust, every credit union’s most valuable asset. The problem is, reputation is easier to steal than money or data, harder to protect, harder to recover, and you can’t carry insurance against its loss. Money, you can insure, even data can be insured, but you can’t insure reputation.
Many high-profile victims of major cyber breaches have suffered more damage to their reputation than they have to their wallet. Consider examples like Home Depot, Target, and Sony Pictures among others. News of their breaches went public, they lost control of their message and the situation, and that’s when the worst damage was done.
Cybersecurity bears some real and important similarities to traditional risks that institutions face, but there are also some significant differences. Those differences make protection against cybercrime harder, vigilance more important, and the downside if mistakes are made all the greater.
The only difference between these companies and credit unions is that for us, reputation — member trust — is even more important. This is why there is a premium on direct CEO and senior team involvement with cyber risk management.
Breaches happen. Some become public knowledge through an uncontrolled, unforeseen event. When that happens, things can get out of hand very quickly. No checklist or CIRP (cyber incidence response plan) can cover these contingencies. Tough, existential decisions may have to be made in real time, under immense pressure with incomplete, inaccurate, or even contradictory information. That responsibility can’t be delegated, so CEOs need to be prepared.
Fluent In Cybersecurity
Dave Damato, the chief security officer of Tanium, agrees, saying executives need to become fluent in the issue of cybersecurity. People become fluent by understanding what’s at risk and their role in response. Cybersecurity bears some real and important similarities to traditional risks that institutions face, but there are also some significant differences. Those differences make protection against cybercrime harder, vigilance more important, and the downside if mistakes are made all the greater.
This isn’t just a technology issue. Many of the breaches have to do with people. Every single employee in the credit union is a portal to the system, and therefore a potential cybersecurity threat regardless of whether they mean to be. Every single device in the credit union is too, as is every single member who interacts with the credit union.
People are the risk factor. Technology alone can’t protect against phishing, spear-phishing, or identity theft.
That makes this is a radically different kind of security risk, with radically different kinds of potential impact. The gold standard for credit unions are the core members who use the credit union as their primary financial institution. That either limits freedom of action for a credit union under attack, or creates some unpleasant exposure.
What’s Plan B?
In the past, credit unions have experienced the negative effects of credit and debit card skimmers. Some even decided to shut down those cards. That meant that without warning or notice, or the chance to build a plan B, the members of those credit unions lost access to their money.
Think about that. Members depend on their primary financial institution for access to money when and where they need it, no matter what. When that access is compromised, it can be much more than just a nuisance, especially for the 76% of Americans who — according to a Bankrate.com survey — live paycheck to paycheck. It could put their jobs at risk, their health at risk, their kids at risk; it could even put their house at risk.
This isn’t just a cybersecurity issue, it isn’t just a technology issue. It’s a comprehensive risk management issue. It’s the ultimate in enterprise risk. And that’s always the boss’s responsibility.
With cybercrime, the threat is pervasive, comprehensive, and ubiquitous, so if the CEO and the senior team aren’t ultimately responsible as a team, no one is and security is compromised. There are plenty of chief technology officers out there who will find that remark offensive, and I understand. But these risks, and the threat they pose, are not things a CTO can manage alone. That itself poses a challenge.
Good CEOs delegate responsibility and authority, and with cybersecurity, aggressive delegation is necessary because of the specialized knowledge and skills required. But some of the responsibility cannot be delegated, and that’s counterintuitive. It’s also critical for credit union leaders to understand, and that is where CTOs are uniquely well positioned to make a difference. They need to spread the word that, as a comprehensive risk management issue, the cyberthreat is the ultimate in enterprise risk, and that makes it the boss’s responsibility too.
Visit the CreditUnions.com Blog Roundup for Callahan commentary, industry insights, leadership perspectives, and more. Read now."
Reputation At Risk
Overall the results of this study are deeply distressing. If the numbers follow through to credit unions, it puts the reputation of the whole movement at risk. Member-owners need more than a financial cooperative, they need a financial institution they can trust and count on to deliver service whenever and wherever, no matter what. When cybercrime threatens the ability to do that, it undermines trust, the greatest strategic advantage that credit unions have.
Cybercrime is a threat to the entire organization and everyone has to be involved in preventing it. Those decisions are made at the top, and that’s where the standards must be set. If you don’t walk the talk, then you won’t get the results that you need, and that your members expect.