By Josiah Russell, Wipfli
For organizations of any size, facing a cyberattack is almost an inevitability. But credit unions are especially vulnerable to ransomware attacks, which can lead to not only financial damages, but operational and reputational harm as well.
However, there are practical steps you can take to limit your credit union’s risk of exposure and enhance your ability to respond to a ransomware attack. This won’t keep an attack from ever occurring, but it can dramatically shrink the fallout.
Credit unions are used to dealing with cybersecurity threats. But the threat environment is now evolving as more credit unions add digital services, run more operations on cloud-based platforms, embrace partnerships with fintech vendors and implement AI within their organizations. All of these elements make up what’s called your digital footprint – and the larger your digital footprint is, the more openings there are for hackers to attack.
Cybercrime is also becoming easier to do. Newer digital tools have lowered the barriers to entry to the point that threat actors include not just rogue nation states or organized crime, but less sophisticated groups or even individuals leveraging AI to accomplish something they lack the technical skills to do on their own.
This expansion in both the size of the attack surface and the number of potential attackers is showing up in the data. Based on one analysis, cyber incidents in the financial services industry have gone up 72% in recent years.
Cyberattacks most commonly take the form of email phishing scams, ransomware, and denial-of-service (DoS) attacks. Credit unions are vulnerable to all three, but may need to be especially wary of ransomware attacks, specifically a double extortion attack.
In a double extortion ransomware attack, a hacker gains access to sensitive data from inside your business, copies it and encrypts it. The attacker then contacts you and threatens to sell or release the data unless you pay a ransom.
While this kind of attack can happen to any organization, credit unions and other financial services firms are frequently targeted. This is because regulated industries face higher consequences should customer data or other sensitive information be exposed.
A ransomware attack may end with your credit union deciding to pay a ransom. However, you may also face additional consequences beyond paying the attacker to regain access to your data and keep it from being exposed.
The full range of costs stemming from a ransomware attack can include:
Financial: The average cost of a ransomware attack is estimated at roughly $5 million, including the ransom itself and the associated ripple effects. For larger organizations, the ransom alone can reach as high as $25 million.
Operational: A ransomware attack can cripple your systems for hours or even days, disrupting your operations and interfering with your ability to conduct business.
Reputational: Both current and potential members will not respond well to a ransomware attack, which, in a worst-case scenario, can expose their personal information to buyers on the dark web.
Regulatory: Federal regulators may choose to impose additional sanctions or penalties if they deem your organization didn’t meet compliance standards.
Legal: In some situations, you could even face litigation by members who have suffered damages resulting from a successful ransomware attack.
Most credit unions have already invested heavily in security tools, controls and policies designed to prevent cyberattacks like ransomware or mitigate the damage if an attack occurs. But the million-dollar question is: Do your defenses actually work?
Here are five key actions you can take to reduce your risk exposure or speed up your response time:
Cybersecurity shouldn’t be something you talk with your team about once a year. Expect that employees inside your organization will be targeted in email phishing scams that can leave you exposed to a ransomware attack.
This makes it essential that your entire workforce keeps cybersecurity top of mind. To do this, you’ll need to conduct ongoing training to remind your team of the importance of following your established security protocols, promptly reporting suspected phishing attacks and avoiding any other actions that could expose your network or data.
If and when an attack does happen, having a plan already in place can help your team respond faster and more effectively. Work with a cross-departmental team inside your organization to develop an incident response plan that lays out who gets called and how they should take action.
But your plan shouldn’t be a static document. Conduct regular tabletop exercises to test your incident response plan so your organization can practice how to react, and continue to update your plan on a regular basis as your needs or risks change.
Don’t just assume your cybersecurity systems are capable of detecting and responding to an attack. Conduct regular attack simulations to assess your current capabilities and find gaps in your defenses so you can fill them.
An attack simulation is what it sounds like: running a pretend cyberattack to help you understand what happens when your systems are put to the test. The simulation will assess your monitoring capabilities, whether alerts quickly reach key team members and how fast and effectively your team is able to respond.
Typically, you should run an attack simulation every 1-2 years to keep up with the evolving threat environment.
Someone needs to be constantly watching your systems for signs of a cyberattack. This kind of 24/7 active monitoring is necessary because an attack can happen at any time, and it allows your team to respond immediately when an attack is detected.
The principle of least privilege is a formal way of saying don’t grant anyone in your organization access to your systems beyond what they need to do their job. This reduces your potential exposure risk by keeping access to your more confidential data limited to only those who absolutely need to have it.
You don’t have to tackle cybersecurity alone. Work with a third-party advisory firm to conduct attack simulations and tabletop exercises that test your existing security and incident response capabilities, identify gaps, and implement solutions to fill them.
Look for an advisor that understands both cybersecurity and the specific security, regulatory and compliance needs of credit unions, which differ significantly from organizations in other sectors.
We advise credit unions on areas like organizational performance, regulatory compliance, cybersecurity and growth. Let’s talk about how we can help you thrive.