Credit Unions are Under-Appreciated as a Balance Between Great Business and Doing Good in the World. Credit unions are chartered first to serve their members, including those in the bottom half of the income scale. They are also chartered to remain financially sustainable without the notion of “maximizing profits”. This is a wonderful, beautiful idea that predates “B-corps”, “social capitalism” and ESG.
140+ million members in the United States and over 400 million in 100+ countries around the world count on credit unions for affordable financial security. In recent years membership has grown as banks have lost the trust of their customers and charge over $80 billion in fees in the United States alone. To put the fees in perspective, this is nearly as much as the United States consumes annually in produce and fruits.
With all that good news, credit unions are at a crossroads. The average member is in their mid-fifties, a new generation of potential customers is adopting FinTech, and cybercriminals have recognized that credit unions are vulnerable to attack. Cybercriminals have successfully executed Ransomware 2.0 attacks in which credit unions are held hostage *and* member data is sold to other criminals. Information security, privacy and systems integrity will be foundational to the future of credit unions everywhere.
Credit unions are one of the fantastic inventions of western civilization dating to the 19th century and are well worth protecting, encouraging and growing into the 21st century. To a great extent, that endeavor begins with the information security and compliance professionals in this room.
Truth, Accountability and Trust as the Guiding Light
Security, Privacy, Integrity and Compliance – Business Sustainability
For 25 years my colleagues and I have operated businesses which protect sensitive information including hundreds of millions of patient records, tens of millions of employee-contractor identities and trillions in financial assets. This responsibility has been 24 hours a day, 7 days a week, across every time zone. Maybe there is a gap around the international date line but it’s non-stop regardless.
At any given time, our teams know that a security breach would violate the trust of our customers, result in public embarrassment and likely end the livelihoods of many.
We have performed these services in industries which have the strictest breach notification laws, laws which carry punitive legal responsibilities for our customers and ourselves, so there has been no hiding from even the smallest of breaches. So far, so good.
Maybe singing, dancing, being a professional athlete or an entertaining influencer would bring less responsibility and more fun. Nonetheless, it has been incredibly enriching, rewarding and enjoyable to protect people and businesses around the world.
Here are key lessons learned for those with the responsibility of protecting sensitive information on behalf of others:
Leadership
- Establish a common vision, what success looks like and agree the team is unified about reaching the vision
- Establish common values – truth and accountability, with the goal of fully trusting one another. This requires humility, beginning with leadership as the example
- Create your plans together with leadership starting the process with a strategic framework
- Make your plans transparent with clear and direct responsibilities for all involved
- Accountability begins with yourself and then extends to each other as teammates. Accountability is established through direct questions and direct answers
- Recognize intermediate milestones and accomplishments
- Celebrate hard-earned success excessively
Security, Privacy, Integrity and Compliance Serves the Business through Sustainability
1) Being fully sustainable in all circumstances is the goal; compliance is the result. Achieve compliance through your relentless efforts to ensure your enterprise is sustainable through all circumstances. Put security, privacy, systems and data integrity first. If you work in an industry which has breach notification requirements, any breach of security, privacy or integrity carries with it vast legal, financial and business consequences. As professionals, our jobs are to protect the enterprise from these risks. For the great majority of businesses, a single breach begins the end.
Believing the goal is compliance first fosters a false belief that acronyms and logos like SOC mean you have secured, made private and ensured the integrity of sensitive data and systems. It is a very dangerous way to live. In my experience this false belief results in the degradation of your enterprise.
Start the journey with identifying the location and motion of all sensitive information in your enterprise or application. Identify all systems, backups, data which are needed to ensure the on-going operation of your enterprise before you are facing potential disaster.
Security receives the bulk of attention, but privacy vulnerabilities have a tendency to turn into full-blown breach equivalents as the workforce, contractors and outsiders learn to exploit them.
Integrity gets even less attention, but failure to have adequate backups and adequate disaster plans sinks many a ship. Touring the NHS after ransomware attacks was one of the hardest things of my career, as health systems were completely shut down and patients were being diverted to far-away geographies for life-saving care.
The vision will not be realized at once; become unrelenting toward the vision of creating an enterprise which is sustainable at all times. Persist.
You can always have discussions with your auditors if you find yourself in misalignment with “compliance”, and find common ground.
Put a change control board in place. All changes to your application, infrastructure, processes, configurations and otherwise must go through a formal change control process. Some may say this creates bureaucracy, and they are right. It should be a little cumbersome to change an application and enterprise which is mission critical.
All direct, and tangential groups must have representatives including applications. This doesn’t have to be a big team, just a well-represented team.
As your organization matures and trust develops, consider having two boards, one that meets weekly or bi-weekly on minor changes. Retain the senior board that meets less frequently and handles bigger picture changes like application releases, and infrastructure upgrades.
Tactical Tips
2) Shrink the attack surface, minimize open network ports. Absolutely minimize the number of open network ports in your enterprise and applications. Once you have technically identified all of the open ports, you should know the very exact, critical reason each port is open. If you cannot discover the purpose of a network port, strongly consider just turning it off. If someone needs it, they will come talk to you. I am not a legal advisor so don’t consider this “legal advice”, but that’s how we did it.
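One way to turn this rule into a repeatable check, as an added example that is not part of the original talk: parse the output of `ss -tulnp` from a host and compare it against a port register in which every open port carries its documented reason. Ports that are listening but have no entry are the ones "nobody can explain"; register entries that are no longer listening are drift in the paperwork. The `ss` output, the register entries and the change-ticket placeholder are all constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple


class ListeningSocket(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# Constructed sample of `ss -tulnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1204,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*     users:(("java",pid=2310,fd=11))
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=640,fd=7))
"""

# Port register: every open port carries the exact reason it is open and whether it
# may only bind to loopback. Hypothetical entries for illustration only.
PORT_REGISTER: Dict[int, dict] = {
    22: {"reason": "SSH for the admin bastion (change ticket: PLACEHOLDER)", "loopback_only": False},
    443: {"reason": "HTTPS front door of the member portal", "loopback_only": False},
    5432: {"reason": "PostgreSQL for the portal; application access only", "loopback_only": True},
    9100: {"reason": "Node metrics exporter scraped by monitoring", "loopback_only": False},
}

LOOPBACK = {"127.0.0.1", "[::1]"}

# Matches one data line of `ss -tulnp`; the header line does not match and is skipped.
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(output: str) -> List[ListeningSocket]:
    """Turn `ss -tulnp` text into ListeningSocket records."""
    sockets = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            sockets.append(ListeningSocket(m["proto"], m["addr"], int(m["port"]), m["proc"]))
    return sockets


def review_ports(sockets: List[ListeningSocket], register: Dict[int, dict]) -> dict:
    """Compare what is actually listening with what is documented."""
    # Listening with no documented reason: candidates to turn off.
    unjustified = [s for s in sockets if s.port not in register]
    # Documented as loopback-only but bound more widely than that.
    over_exposed = [s for s in sockets
                    if s.port in register and register[s.port]["loopback_only"]
                    and s.addr not in LOOPBACK]
    # Documented but no longer listening: the register has drifted.
    seen = {s.port for s in sockets}
    not_listening = sorted(p for p in register if p not in seen)
    return {"unjustified": unjustified, "over_exposed": over_exposed, "not_listening": not_listening}


if __name__ == "__main__":
    report = review_ports(parse_ss(SAMPLE_SS_OUTPUT), PORT_REGISTER)
    for s in report["unjustified"]:
        print(f"no documented reason: {s.proto}/{s.port} ({s.process}) bound to {s.addr}")
    for s in report["over_exposed"]:
        print(f"should be loopback only: {s.proto}/{s.port} ({s.process}) bound to {s.addr}")
    for p in report["not_listening"]:
        print(f"documented but not listening, update the register: {p}")
```

Run on the constructed sample it reports 8080 (java) and 161 (snmpd) as ports with no documented reason, and 9100 as a register entry that nothing is listening on. Running the same review from a scheduler and diffing against the previous run is what turns a one-time port audit into the ongoing discipline the point above describes.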
3) Encryption at all times unless the information is literally in-use. In modern cloud environments it is completely feasible to encrypt data at rest and data in motion as part of the infrastructure design. The only time sensitive information is unencrypted is when it is literally in-use by the application and user. Consider having this framework as a baseline.
If you are dealing with a legacy environment which makes it essentially impossible to encrypt data at rest and in motion, then consider having robust audit logs, centralization and analytics that analyze access looking for actionable intelligence.
4) Zero-trust application and infrastructure services. Modern cloud environments also provide for zero-trust infrastructure and application services. This means that if a hacker were to gain access to the “network”, they would still need authentication credentials to do things like access databases, change configuration settings, decrypt storage blobs and make API calls into your application’s services. Further, *all* data at rest and in motion is encrypted.
An interesting exercise is to *assume* a hacker has gained access to the “network” portion of your application or enterprise; for most this is a disastrous scenario. The goal of a zero-trust environment is that the answer to this question is: the hacker can do ‘nothing’.
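A small model of that exercise, as an added example and not code from the original talk: a database service that authorizes every request on a signed, short-lived, single-use token from a known caller and deliberately never looks at the source address. A request arriving from an internal IP with no credentials, with a forged signature, with someone else's scope, expired, or replayed is denied exactly as if it came from the internet. The service names, keys and policy are constructed; in a real deployment the keys would come from a secrets manager and the tokens would normally be issued by an identity provider rather than minted by the caller.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Per-service signing keys, provisioned out of band. Constructed values, not real secrets.
SERVICE_KEYS = {
    "member-portal": b"constructed-key-member-portal",
    "batch-report": b"constructed-key-batch-report",
}

# Authorization policy of the database service: which caller may request which operation.
POLICY = {
    "member-portal": {"read:balance"},
    "batch-report": {"read:aggregate"},
}

TOKEN_TTL_SECONDS = 60


def mint_token(caller: str, scope: str, now: float = None) -> str:
    """Caller signs its claims with its own key; anyone can read them, only the key holder can forge them."""
    now = time.time() if now is None else now
    claims = {"iss": caller, "scope": scope, "exp": int(now) + TOKEN_TTL_SECONDS,
              "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVICE_KEYS[caller], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


class DatabaseService:
    """A service that trusts nothing about where a request came from."""

    def __init__(self):
        self.seen_nonces = set()  # replay protection; prune entries once their exp has passed
        self.balances = {"m-1001": 250.00}  # constructed sample data

    def _verify(self, token: str, now: float):
        try:
            body, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:
            return None, "malformed token"
        if not isinstance(claims, dict):
            return None, "malformed token"
        key = SERVICE_KEYS.get(claims.get("iss"))
        if key is None:
            return None, "unknown caller"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        if claims["exp"] < now:
            return None, "token expired"
        if claims["nonce"] in self.seen_nonces:
            return None, "replayed token"
        self.seen_nonces.add(claims["nonce"])
        return claims, "ok"

    def handle(self, request: dict, now: float = None):
        """request carries src_ip, op, token and operation arguments. Returns (status, detail)."""
        now = time.time() if now is None else now
        # Deliberately NOT consulted: request["src_ip"]. Being on the internal network earns nothing.
        if not request.get("token"):
            return "denied", "no credentials presented"
        claims, why = self._verify(request["token"], now)
        if claims is None:
            return "denied", why
        op = request["op"]
        if claims["scope"] != op or op not in POLICY.get(claims["iss"], set()):
            return "denied", f"{claims['iss']} is not authorized for {op}"
        if op == "read:balance":
            return "ok", self.balances.get(request["member"], 0.0)
        return "ok", "aggregate placeholder"


if __name__ == "__main__":
    svc = DatabaseService()
    good = mint_token("member-portal", "read:balance")
    print(svc.handle({"src_ip": "10.0.0.5", "op": "read:balance", "member": "m-1001", "token": good}))
    print(svc.handle({"src_ip": "10.0.0.5", "op": "read:balance", "member": "m-1001"}))
```

The second call in the usage block is the "hacker on the network" case: same internal source address, no credentials, and the answer is a denial rather than a balance. Encryption in transit between the two services (mutual TLS in most cloud platforms) sits underneath this check and is assumed here rather than shown.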
5) Audit logs everywhere. It is virtually impossible to secure, troubleshoot and analyze modern applications and the infrastructure they rely on without robust audit logs. The audit logs should be centralized and analyzed for unusual patterns. Again the goal being to produce actionable intelligence.
My opinion is that too many businesses centralize audit logs as a compliance exercise and are not aggressive in leveraging them for security, performance, integrity, application usage and troubleshooting. This may give you compliance but not full security and privacy.
Prepare to meet resistance to audit logs for various reasons very often from application teams. Applications have many options today for the equivalent of audit log analysis and that is great. My personal preference and insistence is that applications have in-house audit logging even if they are using third party tools.
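What "analyzed for unusual patterns" and "actionable intelligence" look like in practice, for both the legacy-environment fallback above and this point, as an added example that is not code from the original talk: events from two sources (the portal's login log and the database's record-access log) are read from one central store and run through three small detections: a burst of failed logins from one address, a user whose member-record reads far exceed their own baseline, and record access outside business hours. The events, user names and baselines are all constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events from two sources (portal and database) already shipped to one
# central store. Not real data.
RAW_EVENTS = """\
{"src":"portal","ts":"2024-03-04T02:10:05Z","event":"login_failed","user":"jdoe","ip":"203.0.113.7"}
{"src":"portal","ts":"2024-03-04T02:10:11Z","event":"login_failed","user":"asmith","ip":"203.0.113.7"}
{"src":"portal","ts":"2024-03-04T02:10:19Z","event":"login_failed","user":"bwong","ip":"203.0.113.7"}
{"src":"portal","ts":"2024-03-04T02:10:26Z","event":"login_failed","user":"cmiller","ip":"203.0.113.7"}
{"src":"portal","ts":"2024-03-04T02:10:33Z","event":"login_failed","user":"dlee","ip":"203.0.113.7"}
{"src":"portal","ts":"2024-03-04T09:02:41Z","event":"login_ok","user":"teller01","ip":"10.20.1.15"}
{"src":"db","ts":"2024-03-04T09:03:10Z","event":"record_read","user":"teller01","table":"members","count":1}
{"src":"db","ts":"2024-03-04T09:05:12Z","event":"record_read","user":"teller01","table":"members","count":1}
{"src":"portal","ts":"2024-03-04T23:40:30Z","event":"login_ok","user":"teller02","ip":"10.20.1.22"}
{"src":"db","ts":"2024-03-04T23:41:02Z","event":"record_read","user":"teller02","table":"members","count":500}
"""

# Typical daily member-record reads per user, learned from history. Constructed baselines.
BASELINES = {"teller01": 25, "teller02": 20}


def load_events(raw: str) -> list:
    """Parse one JSON event per line and sort by time so windowed detections work."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["t"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Addresses with >= threshold failed logins inside any sliding window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            per_ip[e["ip"]].append(e["t"])
    findings = []
    for ip, times in per_ip.items():
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:  # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings.append((ip, best))
    return findings


def volume_anomalies(events, baselines, factor=5):
    """Users whose member-record reads exceed factor x their baseline; unknown users have baseline 0."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "record_read" and e["table"] == "members":
            totals[e["user"]] += e["count"]
    return [(u, n, baselines.get(u, 0)) for u, n in totals.items()
            if n > factor * baselines.get(u, 0)]


def off_hours_access(events, start_hour=22, end_hour=6):
    """Member-record reads between start_hour and end_hour (default 22:00 to 06:00)."""
    return [(e["user"], e["ts"]) for e in events
            if e["event"] == "record_read"
            and (e["t"].hour >= start_hour or e["t"].hour < end_hour)]


if __name__ == "__main__":
    evs = load_events(RAW_EVENTS)
    for ip, n in failed_login_bursts(evs):
        print(f"failed-login burst: {n} failures from {ip} within 2 minutes")
    for user, n, base in volume_anomalies(evs, BASELINES):
        print(f"volume anomaly: {user} read {n} member records, baseline {base}")
    for user, ts in off_hours_access(evs):
        print(f"off-hours access: {user} read member records at {ts}")
```

On the constructed data the three detections produce one finding each: five failures from 203.0.113.7 in under a minute, teller02 reading 500 records against a baseline of 20, and that same read happening at 23:41. None of the three is visible from a single source on its own, which is the argument for centralizing the logs and for applications keeping their own audit logging rather than relying on a third-party tool alone.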
6) Identity verification.
Authentication is well-traveled ground in security circles and won’t be covered here. User verification is most often overlooked. User-subscriber verification is the idea that the user has been mapped to a very specific personal identity. Subsequent authentication processes link the user to a personal identity and an account within your application or system. This eliminates the threats of imposters, bots and generally bad actors attacking your application, and if there is a social aspect, it eliminates bad-acting users attacking other users.
There is a trade-off between subscriber-user registration, engagement and user verification so you may have to experiment to find the right balance for your application. Ideally this idea applies to both an application and an enterprise.
Lack of user verification is what empowers imposters, bots, cyber criminals and fraudsters to attack social media so aggressively.
It also empowers these same bad actors to conduct aggressively systematic attacks through text, email, social media messengers and even encrypted messengers like WhatsApp.
The lack of user verification opens enterprises up to phishing, smishing attacks and ransomware attacks. The industry calls this employee error but we are really too often putting employees in a position to fail by using tools which were never designed for security.
7) Third party products. MOVEit is now the most infamous third party application across many industries, having been the major factor in over 1,000 data breaches with 60 million people affected. Ensure vendors are serious about the security, privacy and integrity of their products and business. Industry certifications, including those from third-party certifying bodies, are very helpful.
Some organizations have more specific security questions about the products and businesses they use.
Threat Intelligence
Lastly, threat intelligence has emerged as vital and is a whole conversation in itself. For all credit unions, particularly smaller organizations, it may be very difficult to take action based on the most recent intelligence. This is an entire discussion.