Guide to IoT Security for Credit Unions

Credit unions are commendable due to their member-owned structure and strong community focus. They constitute a significant part of our primary focus. As a cybersecurity company with solutions for credit unions, we’re constantly monitoring cybersecurity threats and trends for credit unions so share this article to offer our friends, clients, and colleagues some insights. Readers may realize the top cybersecurity threats to credit unions are ransomware, phishing attempts, business email compromise (BEC) and Internet of things (IoT) security. This last one, IoT, may be new to you but, as we will see, it is a topic of great importance. So let’s have a look at how credit unions can protect themselves against security challenges posed by IoT devices and how cybercriminals exploit these often poorly secured tools.

Before we look at vulnerabilities and solutions, we should understand what exactly is the Internet of Things, or IoT? Put simply, IoT refers to web-enabled devices that connect to the web and that are ever-more common in daily life. Think security cameras, ATM machines, even handheld ipad’s and cellular phones. How can these devices, in the pockets of our staff or customers, become a threat?

Insecure Device Interfaces and APIs: Many IoT devices, including those used by your customers like  medical devices, offer user interfaces and APIs. Insecure interfaces can easily lead to unauthorized access, “data leakage,” and other forms of manipulation. An unwitting customer in line to make a deposit could cause significant, unintended harm.

Device Interconnectivity: IoT devices in any network can be access points for cyber criminals because once the attacker gets access through a vulnerable device, they can move laterally throughout the network including to access more sensitive systems.

Inadequate Patch Management: IoT devices require security updates and patches. When there is a lapse in promptly applying security updates, devices become vulnerable. This is particularly problematic when devices are involved in or simply adjacent to financial transactions.

Unsecured Wireless Communications: IoT devices communicate over wireless networks. If your institution has not properly encrypted, devices can be intercepted, which leads to information theft, “man-in-the-middle” attacks, or worse.

Physical Security: IoT devices in public areas can be physically tampered with. Think about devices like ATMs, kiosks, or other tools.

Without adequate monitoring and without sound policies and practices in place, suspicious activities on IoT devices can go unnoticed. But what can you do to mitigate these vulnerabilities? At Upstart Cyber, we like to focus on solutions. In that spirit, we recommend you take these steps to protect your credit union, your customers, and your reputation.

How to protect your credit union from cybersecurity threats 

Implement a layered security approach. As we have seen, IoT systems are vulnerable to threats, from tampering to nefarious remote attacks. A layered security approach applies different types of security at different levels. Examples include firewalls, encryption, detection systems, and antivirus software. Layered security measures at each level will mitigate threats targeted at specific potential vulnerabilities. A layered security approach also includes preventative measures for recovery, in the event of a disaster.

Educate your team. Regular and concise training sessions should cover usage practice and prevention strategies that are supplemented by demonstrations, training, and a safe and open question and answer session. Engaging materials should be created and shared, and clear policies should be established and reiterated. And the team needs to be instructed to not delay or ignore update notifications. “I’m busy” is not an excuse.

Keep software up to date. Software needs to be kept up to date. Automatic updates should be made policy and a centralized patch management system should be built to track, test, and deploy updates. The IT team or a cybersecurity partner like Upstart Cyber should conduct regular system audits to ensure software is current and to identify any vulnerabilities that need to be addressed. This includes establishing a system to ensure third-party services and products used by your credit union are also regularly updated. As part of educating the team and establishing policies, develop guidelines for updates and patches including for emergency procedures.

Monitor systems. To monitor systems, first, understand risks. Think hardware risks, software risks, and the human element (like that vulnerable medical device we mentioned earlier). Make a list. What needs to go into your monitoring plan? Maintain an inventory of all your IT assets and understand how to protect each of these, then implement tools and processes for continuous monitoring. 

Segment your networks. Credit unions who segment their networks will have taken a crucial step in containing any future attack. 

Create a response plan. Your cybersecurity attack response plan begins with a clear, written incident response plan on specific steps to take in the event of a security breach. This plan must include roles and responsibilities, communication plans, and recovery steps. Regularly train the team on your response plan because awareness is key. Human error is an extremely common entry point for cyberattacks. Train the humans! And this includes your vendors. Any third-party vendors who have access to your network need to understand and follow stringent cybersecurity practices. 

Use multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to enter a code from their phone in addition to their password when logging in. After a review of your current security framework, select an in-house or third-party MFA service. Think about ease-of-use, types of authentication, and integration capabilities with your current system. 

Use a cloud-based security information and event management system (SIEM). A SIEM system can help you to collect and analyze security logs from across your network to identify suspicious activity. We’d be glad to talk about setting one up for you. 

Conduct regular security audits. Regular security audits can help you to identify and fix vulnerabilities in your systems. Your security audit should also include overt and covert tests to make sure the team is following established cybersecurity protocol. 

About: At Upstart Cyber, we believe elite security should not be reserved just for those without the huge budgets of the big banks. Credit unions and small, local banks deserve security, protection and peace-of-mind. We believe in bringing our clients affordable expertise. Contact us to explore solutions that work for you.

Leave a Reply

Your email address will not be published. Required fields are marked *