The phrase "the more things change, the more they stay the same" was coined in 1849 France, but it is applicable to cybersecurity at U.S. financial cooperatives in 2022.
"The methods attackers use are always changing," says Richard Roark, senior vice president and chief technology officer at Bay Federal Credit Union ($1.6B, Capitola, CA). "You have to protect the organization through daily diligence that covers all the bases."
For Roark and his team, that means using strategies and technologies similar to those he used throughout his 21 years at Travis Credit Union before he joined Bay Federal in 2016.
Roark is currently in his second term on the executive committee of the CUNA Technology Council and here he talks about responding to threats and the importance of collaboration in keeping enterprises and members safe.
Has the importance of sharing information and experience with peers and vendors changed?
Richard Roark: No, it’s still huge. The larger credit unions have more staff and scale and the smaller ones typically lean more on third-party vendors, but at the end of the day, we’re all trying to solve for the same problems.
That’s why I’m happy to see we’re getting back together in September for the CUNA Tech Council conference. You develop relationships that continue year-round. Other organizations that are important for that, too, include FS-ISAC. Sharing information year-round is just as important as it’s always been.
What is Bay Federal’s cybersecurity strategy? What processes and services are in place?
RR: We deploy a defense-in-depth strategy and work with several critical business partners to implement solutions. There’s been a lot of homework and trial and error to find the right partners, but the effort is worth it.
If you treat a vendor like a partner, then it won’t be only a vendor. Vendors have their own interests in mind, but in most cases, they’re also aligning with what we’re trying to do as a credit union movement. There are smaller credit unions doing some interesting things with fintechs, for example. And I’m on three different client advisory boards myself, so I can help them make their products even better.
What cyber threats do credit unions face?
RR: DDoS [distributed denial of service] attacks are still a big problem after all these years. They can pose a reputation risk if they make your digital services unavailable for a while. For some reason, they seem to go after our East Coast peers first and then move west, but we have a pretty awesome supplier that keeps us protected in that regard.
Then there are third-party problems, especially DDoS attacks related to cloud-based providers. Salesforce is a good example. It’s gone well beyond CRM and is now running software for mortgage loan origination and intranets. Same thing with AWS and Azure. If there’s a DNS problem that causes a big outage, that’s a problem for a lot of organizations, including credit unions that use them as hosts.
It doesn’t matter what vertical you’re in, financial services or anything else, you need redundancies between providers and applications, and your suppliers need to stay on top of it all.
How do today’s threats compare to five years ago? What about 10 or 20 years ago?
RR: There are quite a bit more zero-day attacks today than we’ve seen in the past. The SolarWinds attacks are a good example of that. Those are the type of attacks that can do a lot of damage before they’re discovered. Again, that’s why it’s imperative to have a defense-in-depth approach to your cybersecurity strategy.
CU QUICK FACTS
Bay Federal Credit Union
Data as of 12.31.21
HQ: Capitola, CA
12-MO SHARE GROWTH: 15.4%
12-MO LOAN GROWTH: 11.4%
Ransomware is the biggest problem now; it’s what we see the most of. Attackers encrypt files and try to make a company cough up a lot of money to get the key to open the files and get back up and running, and there are companies in different verticals willing to pay that ransom.
How has your approach to these issues changed?
RR: We haven’t changed how we monitor for attacks. It’s still a matter of when, not if, you’ll be attacked. We’re ready to find issues and remediate them as quickly as possible to ensure there’s no damage.
We have deployed a 24x7 security program to ensure our credit union is protected. We have team members located across the country, which allows for extended support. We have a well-defined security checklist that gives team members the time to check all systems and logs for any potential anomalies.
We also rotate responsibility among team members to ensure everybody’s on top of it. And we watch the watchers, our third-party suppliers. You have to make sure everyone is taking security seriously.
That’s where our defense-in-depth approach comes into play. We rely on multiple vendors. Simply put, your firewall supplier might not be updated for a new zero-day attack, but your end-point protection might be, and the attack would be stopped at the PC level.
You have to keep everything updated and follow all the threats. That’s why we subscribe to a threat-monitoring service that keeps us updated and helps us be more proactive.
What opportunities are there in addressing these threats and risks? For example, in terms of member service and value?
RR: Most of the threats we face a member might also face. There are things like seeing an uptick in vishing and smishing, those phone- and text-based scams that could be someone pretending to be from the IRS, for example, or from their own financial institution. We’re hearing about that from other parts of the country now.
It is imperative to communicate warnings about those threats. If our team finds potential security issues that could affect our membership, we work together with our marketing team to update our website and educate our members about these potential problems. That makes us even more of a trusted partner to our members.
Bottom line: How can a credit union best keep its cybersecurity strategies responsive and up to date?
RR: Two words: continuous compliance. You cannot work on security just once a year. You must develop an information security program that’s consistently reviewed and adjusted as necessary.
I would recommend performing monthly vulnerability scans and penetration tests, both internal and external to the credit union. Also, you need to partner with your risk/compliance and internal audit teams to ensure everyone is on the same page and moving forward together to implement best practices while also eliminating potential security friction with your fellow team members.
Take cybersecurity very seriously and ensure it’s always top of mind with yourself and your security teams. When I retire, I would love to say we were never compromised. I don’t want to write a letter to our 82,219 members saying we were compromised. I still have a good 15 years to go, so we’ll see.
This interview has been edited and condensed.