DENVER—Credit unions were given four key points to consider when making decisions about cybersecurity during the opening day of the NASCUS/CUNA Cybersecurity Summit here.
The meeting has attracted more than 100 IT professionals, regulators and others to the two-day event that concludes later today.
Tom Schauer, CEO of Trust CC, kicked off the program with an overview of the cybersecurity landscape. Citing all the breaches that have been in the news, including activity by foreign governments and the “hactivism” against AshleyMadison.com, he recommended four key points for credit unions to consider for the remainder of 2015 and into 2016:
- Make sure privilege escalation can be detected.
- Make sure incident response is ready.
- Address the high and medium-high deficiencies.
- Recruit IT talent to the board so it is well equipped to provide guidance and oversight to management.
Schauer also urged credit unions to ask themselves these questions:
- If I wanted to steal money from the CU, how would I do it and what can prevent this attack?
- If I wanted to negatively impact the reputation of the CU, how would I do it and what can prevent this attack?
Patrick Sickels, internal auditor for CUSO CU*Answers, addressed effective internal cyber policies and procedures, noting the critical nature of policy versus procedure.
“Your policy should be a rule, e.g., ‘You must use encryption to send e-mails with sensitive information’,” he told the group. “Your procedure should be ‘The how,’ e.g., ‘You sign into MOVEIT, use Zix, etc., for ensuring encryption.”
John Eyre, AVP of IT, TAPCO Credit Union in Fircrest, Wash., suggested using tools as easy to obtain as open source programming Visual Basic to develop effective security. He reminded that network security should be multi-layered, VB scripting can be extremely powerful, and there are many examples are available on the Internet of effective use of the programming tool.
In “Life After a Data Breach,” Wes Withrow, cybersecurity expert for TraceSecurity, noted some key points about data breaches: Money isn’t your enemy, variation is; bouncing back is easier than you may expect; you should expect to experience a breach, and; you must control the narrative.”