I’m a firm believer that, for far too long, we’ve put our focus on protecting our network perimeter, with thoughts of trying to keep “the bad guys” from getting in, rather than focusing on the security of our people and our data, and keeping the sensitive information from getting out. Broken? Backwards? Upside down? Your call, but fixing this is a major paradigm shift in thinking and organization culture.

So, you ask, how do we fix it? Let me outline the top 3 most important steps to paving the way for a security model repair.

1. Elevate the cyber discussions to board level. The financial, operational, legal, regulatory, reputational and, therefore, strategic risks around cyber threats are game changers for credit unions, their leaders, their employees, their members, and all their other stakeholders. Executives and boards must be in active discussion and seeking the proper security awareness and education.
2. Fix the broken training model and start providing employees engaging and continuous cyber awareness training. Most existing cyber awareness training programs are severely lacking. First, nobody gets excited about 60 to 90 minute module based training followed by a quiz. Secondly, annual or quarterly training could never keep the security awareness top-of-mind enough to gain the required behavior modification required of employees in order to foil emerging threats. That would be similar to showing a 7 year old student multiplication flash cards once a quarter and expecting them to have quick recall of the answers. Just not going to happen. Effective training must be served up in continuous, short bursts that utilize some level of gamification to keep employees engaged and in active discussion. With research showing that greater than 90% of breaches occur because of user targeted phishing (or similar) attacks, this is a serious issue.
3. Protect the DATA! Make sure the data is encrypted. We must assume that a breach has already occurred and a user, or the network, has been compromised. Not if, but when, it does happen, will the data be easily obtained and exfiltrated? Granular encryption of data both at rest and in motion should be a baseline requirement.

Don’t let the pressure of security related guidance coming from all directions create confusion and stall your progress.

As our team at CUdefender works with credit unions nationwide, we are assisting and guiding them in exactly how to accomplish the above steps in the most affordable way. Our engaging cyber awareness and training program is showing highly effective results. Please reach out for more information.

CUdefender can be contacted at 1-888-632-4339 or by visiting http://www.cudefender.com

Rob Harbin is CEO and Cyber Security Evangelist for CUdefender, LLC., a credit union cyber security company. His LinkedIn profile can be viewed at www.linkedin.com/in/robharbin. Email him at rharbin@cudefender.com and follow CUdefender on Twitter at www.twitter.com/CUdefender and Facebook at www.facebook.com/CUdefender

The post Security is Broken, Backwards, and Upside Down appeared first on CUdefender.

Cyber attacks, like last November’s hack of Sony Pictures, have motivated many to increase focus on external threats and begin having more discussions around real world cyber threats and overall preparedness.

Credit unions, like many other companies, have business units that submit regular requests to buy new cloud apps, the most popular being file-sharing services like Box, Dropbox, and Evernote. With most credit union infrastructure being built as fragmented layers of add-ons, over a period of many years, the security methods used to protect the legacy network and applications, as well as these new cloud applications, is severely lacking.

2015 is the year that credit unions must reinvent their security model to be more holistic and ready to face the sophistication of emerging threats. This doesn’t have to be a complete rip-out and replace initiative, and it can be accomplished much easier that most believe. Our team at CUdefender speaks regularly with credit union executives and boards who don’t realize some of the quick and cost effective steps they can take to have an immediate positive impact on their security posture.

The long-standing issue of security having a proper seat at the executive table should no longer be a problem. Now it needs another lift upwards to the board. Hopefully credit unions will have foresight to make cyber topics a substantial part of their 2015 board and strategic planning meetings.

Credit unions looking for security planning assistance or cyber threat protection can contact CUdefender at 1-888-632-4339 or visit http://www.cudefender.com for additional information.

The post Cyber Security Needs Board Level Visibility appeared first on CUdefender.

51% of CEOs surveyed said their company experiences cyber attacks hourly or daily

60% of employees circumvent security features on their mobile devices

It doesn’t take qualified research or a fancy publication in a trade journal for us all to agree that: Every employee in your credit union is a potential penetration point for your network, systems, and your data. Getting rid of all the employees doesn’t seem like a popular risk mitigation option, so we’re left with education and behavior modification.

Assess, Train, Monitor, Repeat

The foundation of any good information security or data protection program is the component of security awareness and training. At CUdefender, we are strong advocates for making credit union employees aware that threats exist but also teaching them how to recognize threats and know exactly how to respond to keep data and systems secure.

This four-step approach seems to help employees retain information they are taught and change behaviors over the long term.

1. Assess – It is imperative that credit unions understand the level of risk within their own institution. Simulated attacks and knowledge assessments are great tools for helping accomplish this, but it shouldn’t just be about penetration testing; it should also be about education and motivation for employees. Take this opportunity to provide employees guidance about how they can make better choices in the future. This education is critical to long-term retention. As Art Gilliland, General Manager of Enterprise Security Products at HP, told Kathryn Dill of Forbes Magazine, taking advantage of a teachable moment directly following an action is more effective than a general conversation later. “Educate at that moment,” said Gilliland. “It can be private, but it’s very powerful at the time of failure.”
2. Train – Providing in-depth training as an add-on to specific teachable moments provides employees a better understanding of the potential risks. It’s during this phase that staff gets a sense of how important their actions are to the safety and security of your credit union. It’s critical to think beyond phishing attacks and email and extend training to include the many other channels where attacks may be present such as social networks.
3. Monitor – After employees receive in-depth training, effectiveness must be monitored and measured as this helps to identify your weaknesses and which employees may require additional training. Many credit unions stop after training and don’t take the extra steps to formalize key performance indicators (KPIs) to establish a clear path forward. Where should you be 6 months or a year from now? Having clearly defined goals and publishing the general trend will further serve to keep security top-of-mind and keep staff motivated.
4. Repeat – Cybersecurity threats are ever changing and come in many different forms: phishing, smishing (malicious SMS/Texts), and vishing (classic fake phone calls); social engineering, social network threats, and lost or stolen devices are just some of the issues credit unions are facing. Hackers are fast learning and relentless. Their approaches are becoming more varied and complex. For these reasons, it is critical that we continue to reinforce best practices and teach good behavior. A security awareness and training program that gives you the ability to deliver training with high frequency (bi-monthly) is key to realizing the best possible results.

As with anything, security awareness and training is just a small piece of the puzzle. Following the four-steps outlined above can vastly improve your training program and make for a strong foundation, but be sure to think holistically. At CUdefender, we help protect credit unions from cyber threats by providing guidance as well as a full range of easy to implement tools delivered 100% from the cloud. Feel free to visit our website http://www.cudefender.com or reach out to our team for more information.

The post Four Steps to Improve Security Awareness appeared first on CUdefender.