Credit Unions Not Too Small for Cybersecurity Attacks

November 22, 2016 Marketing GrafWebCUSO

Credit union management should not assume they are too small to serve as targets in distributed denial of service and ransomware attacks, according to a cybersecurity expert.

Ashley McAlpine, fraud prevention manager of Des Moines, Iowa-based payments processor TMG, warned credit union personnel that recent coverage of high-profile incursions might make it look like these attackers are only after the big guys. “In fact, small organizations are very much on the radar of these criminals.”

A DDoS attack occurs when many compromised systems attack a single target. The result is denial of service for users of the targeted system. Ransomware, a type of malware deployed for data kidnapping, allows attackers to encrypt a victimized organization’s data so it becomes completely inaccessible. Ransomware attackers typically demand payment via bitcoin or another untraceable digital currency before they will decrypt and release the kidnapped data.

A recent notable DDoS attack disrupted Visa, Twitter, Spotify, Airbnb, Netflix and other major websites, causing an hours-long outage that prevented users from accessing the sites or their accounts. In 2015, an Office of Personnel Management network hack exposed the personal information of 21.5 million former, current and prospective U.S. employees.

Incidents like these massive attacks can give smaller financial institutions a false sense of security, McAlpine suggested before an audience of credit union staff earlier this month. Yet, community financial institutions are vulnerable for two reasons, she said. First, they can present an easy test bed for attackers working to hone their craft. Second, credit unions and community banks may have fewer layers of protection against DDoS and ransomware.

Most ransomware threats hinge on two factors: tricking people into clicking on malicious content, usually email attachments, and counting on devices not having advanced threat protection.

Ransomware, in particular, strikes small businesses at a rate eight times higher than that of larger counterparts, according to TMG. Some cybersecurity experts predict ransomware will become as prevalent as DDoS attacks in 2017.

“Community financial institutions must prioritize cybersecurity going forward,” McAlpine said. “Large banks and financial services providers are getting better at protecting themselves with every passing attack. As they become stronger, the target on smaller organizations becomes that much bigger.”

To mitigate the risks of both DDoS and ransomware attacks, McAlpine suggests credit unions consider the following:

  • Educate and train employees. Cybersecurity threat education and awareness campaigns must extend to the C-suite because of the increasing threat of whaling, that is, phishing attempts targeting those at the highest levels of an organization.
  • Update firewalls and routers. Never fall behind on system updates. The risk is too critical to allow patches and firmware updates to slide.
  • Change default passwords. Systems connected to the internet, such as Wi-Fi routers, should never be in operation with factory or default passwords. Change them upon setup and update them often.
  • Hire a white hat hacker. Several organizations in financial services are finding creative ways to tap into the collective expertise of cybercriminals. By networking at ethical hacking events and working with local colleges, credit unions can recruit or contract with students and other young cybersecurity experts who can find gaps in security protocols.
  • Designate a cybersecurity leader. “Your cybersecurity will only be as strong as the people you’ve hired to manage it for you,” McAlpine said. Collaborating with outside security firms is a best practice for smaller organizations that do not have the appropriate internal resources. “However, even when you partner with an outside organization, there has to be an internal champion to monitor evolving threats and oversee a plan to protect against them.”