Understaffing Has Many CUs Outsourcing IT

February 7, 2018 Marketing GrafWebCUSO

The widening gap between understaffed IT departments and growing demands for better, more complicated data security is pushing many credit unions and community banks to outsource the management of their IT networks and security monitoring, according to new research.

In a new survey of about 110 credit unions and community banks, done by Alpharetta, Georgia-based technology security firm Safe Systems, 80% see cybersecurity as their greatest security challenge in the year ahead. However, 31% had just one employee in their IT departments, and 26% had just two IT employees. Only 12% had more than five IT staff employees.  

In turn, the vast majority (76%) of the respondents said they’re outsourcing the management of their IT networks to third parties, and 86% are outsourcing their security monitoring — not a surprise, considering the number of recent data breaches, the study noted. A full 77% of respondents said they’d been hit with debit card fraud within the past 18 months, making it the most common type of fraudulent activity in the study. About a quarter suffered from malware threats during that time.

“These institutions continue to struggle with the rapid rate of change the industry is experiencing. The IT departments continue to be understaffed, forcing community financial institutions to augment their IT departments with outsourced service providers who are able to help them navigate technology, security, and compliance required today,” the Safe Systems report said.

Patches and compliance in the mix

Approximately 68% of the credit unions and community banks in the survey now rely on third-party IT providers for “patch management” — finding and implementing updates that patch security holes in hardware, software and applications. 

Failing to install patches has been the alleged culprit in several data breaches, including the one involving Equifax last September. That breach allegedly occurred because the credit bureau didn’t install a patch on some software in one of its systems. Equifax is now facing dozens of lawsuits.

Ongoing “top of mind” compliance-related issues are also part of the outsourcing decision, according to Safe Systems. 

“Managing the strict, ever-changing government regulations and guidelines is the greatest IT compliance challenge today for 32% of survey respondents,” it noted. “This has led approximately 40% of respondents to outsource their compliance needs.”

Tech spending rising

Even though they’re outsourcing much of the work, credit unions and community banks do appear to be spending more on their own technology.

Nearly 81% have increased their tech spending in the past 18 months, and 74% have boosted their IT-related security spending over that time, according to the data.

A larger proportion of credit unions and community banks spent more, too: 72% of respondents spent between $50,000 and $350,000 on non-core service technology in the last year, which is up from the prior year, when just 63% reported spending that much. Only 7% of respondents spent more than $350,000 on non-core service technology in the past year.

Going forward, about three-quarters (74%) plan to boost their infrastructure and hardware budgets. For example, a third plan to replace the majority of their current workstations, while half plan to replace or upgrade them only if necessary.

Also, about half the respondents (48%) said they plan to spend more in 2018 on IT security solutions. However, IT security solutions was the number-one budget increase for credit unions, according to 55% of the respondents.

Still leaving the door unlocked

That spending may be one reason there are now more servers, PCs, laptops, printers, fax machines, routers and switches connected to credit union and community bank networks than ever before. More than half (51%) had more than 100 devices connected to their networks, yet 50% of the respondents also only performed vulnerability scans once a year, the study said.

“Doing so more often would provide greater visibility into the network and identify potential threats on all workstations and devices connected to the network before an attack occurs,” the study warned.