Why Attack Surface Management Matters to Credit Unions


Credit Unions are every bit as susceptible to the “Willie Sutton Rule” as any other banking institution. When notorious American bank robber Willie Sutton was asked why he robs banks, his simple reply was, “Because that’s where the money is.” 

IBM agrees. According to their IBM Cost of a Data Breach Report 2023, financial services firms like Credit Unions are 300 times more likely to be targeted by a cyber-attack. In addition to the risk of compromising personal identifying information (PII), credit unions face multiple compliance risks, including: 

  • Data loss and data exfiltration 
  • Fraudulent spending 
  • Replacing debit cards and remediating members’ accounts
  • Lost revenue that comes from downtime 
  • Reputation damage and lost members 

Even more sobering is that the average cost of a breach is US$5.9 million. By avoiding such breaches, any cost involved in protecting and managing your attack surface is clearly justified. Given the Black Kite report that almost half of credit unions and nearly two-thirds of their vendors may have possible critical vulnerabilities due to outdated systems, it is no wonder that Federal Reserve Chairman Jerome Powell has said, “cyberattacks are one of the greatest risks to our global financial system.”

Defining a Credit Union’s Attack Surface 

The TechTarget definition of an attack surface is “the total number of all possible entry points for unauthorized access into any system. Attack surfaces include all vulnerabilities and endpoints that can be exploited to carry out a security attack. The attack surface is also the entire area of an organization or system that’s susceptible to hacking.” 

Credit Union Times adds, “As more systems and devices are connected and depend on computer software to function, the attack surface expands across a credit union’s supply chain. Credit unions commonly use third-party partners to deliver better services and functionality to members. The attack surface expands as a result of the numerous third-party relationships that exist and enables cyber criminals’ opportunities to access a credit union’s network. Managing third-party risk is a significant concern and involves effective third-party and data governance and technical solutions that securely support the flow of personal and financial data.” 

Credit Union Times identifies other areas which expand a credit union’s attack surface, including, “the critical infrastructure supporting the clearing, settling, or recording of payments, securities, derivatives, and other important financial transactions.” They also identify that there is, “a payments revolution taking place supporting real-time payments for person-to-person, business-to-consumer and business-to-business payments. An unintended consequence of these payment advancements is fraud. Faster payments create faster fraud.” They continue to explain, “As the popularity of these new payment services grows, so does the criminal activity that attempts to breach networks and scam credit union members. Steps must be taken to ensure the security and safety of these systems to promote trust in these new payment services that credit union members are adopting.” 

Insuring a Credit Union’s Attack Surface 

Cyber insurance has grown in popularity over the past several years to help defray the growing costs of cyberattacks. Working alongside a Managed IT Service Provider (MSP) or specialized security team to properly defend and manage the attack surface offers credit union operators several important advantages, including:

  1. Favorable Insurance Rates: Credit unions that implement robust cybersecurity measures, including automated monitoring and management platforms like Liongard, may be offered lower cyber insurance rates. Insurers often assess an organization’s risk level based on their security practices. Demonstrated adherence to best practices and a strong security posture can lead to more favorable insurance terms. 
  2. Maintaining Insurance Requirements: Many cyber insurance policies have specific requirements regarding the security measures an organization must have in place. Utilizing Liongard provides defensibility and documentation of due diligence that helps credit unions meet these requirements, making them eligible for cyber insurance coverage and seamless renewals. 
  3. Evidence in Claims: In the event of a cyber incident, the detailed historical data captured by Liongard can provide valuable evidence when filing a claim with a cyber insurance provider. This documentation can prove that the credit union had implemented appropriate security measures, helping to substantiate the claim, and potentially speeding up the claims process. 

Defending a Credit Union’s Attack Surface 

America’s Credit Unions, formerly the Credit Union National Association (CUNA), offers several recommendations to help credit unions approach the creation of truly effective defenses for their growing attack surfaces, including: 

  • Multi-factor authentication: Implement multi-factor authentication for all sensitive accounts and systems, including email accounts and remote access portals. This adds an extra layer of protection against unauthorized access and phishing attempts. 
  • Business Email Compromise (BEC) and anti-phishing measures: Deploy advanced email security solutions with phishing detection and blocking capabilities. Utilize Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols to prevent email spoofing and enhance email authenticity.
  • Continuous monitoring and security patching: Monitor network traffic, logs, and system configurations continuously to detect and respond promptly to any suspicious activities. Stay informed about the latest security updates and apply patches promptly. 
  • Regular data backups and recovery testing: Maintain frequent data backups and test the data recovery process regularly. In case of a ransomware attack, backups can prevent data loss and reduce the need to pay the ransom. 
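
To make the SPF and DMARC recommendation above concrete, the following added example (not from America’s Credit Unions or Liongard) audits published TXT record strings for settings that leave a domain spoofable. The record values and the example.org / example.net names are constructed, and DKIM is left out because checking it requires knowing the sending selector.

```python
# Constructed sample records for a placeholder domain (not real DNS data).
WEAK = {"spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.example.net -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: not an SPF record"]
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in (t.lower() for t in terms[1:]):
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        name = term.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0]
        lookups += name in LOOKUP_TERMS
        has_redirect |= name == "redirect"
        if name == "all" and all_qualifier is None:
            all_qualifier = qualifier
    if all_qualifier is None and not has_redirect:
        findings.append("spf: no 'all' term, unlisted senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append("spf: '%sall' does not fail unlisted senders" % all_qualifier)
    elif all_qualifier == "~":
        findings.append("spf: '~all' is softfail, enforcement depends on DMARC")
    if lookups > 10:
        findings.append("spf: %d DNS lookups exceeds the limit of 10" % lookups)
    return findings

def audit_dmarc(record):
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["dmarc: not a DMARC record"]
    findings, policy, pct = [], tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("quarantine", "reject"):
        findings.append("dmarc: p=%s does not block spoofed mail" % (policy or "<missing>"))
    if pct.isdigit() and int(pct) < 100:
        findings.append("dmarc: pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("dmarc: no rua address, so no aggregate reports to monitor")
    return findings

def audit(records):
    """Return all findings for one domain's SPF and DMARC record strings."""
    return audit_spf(records["spf"]) + audit_dmarc(records["dmarc"])
```

An empty list from `audit(HARDENED)` means none of these checks fired; it does not confirm that DKIM signing or alignment is working.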

Working with your MSP to Leverage Liongard to Automate and Assure Optimum Attack Surface Management (ASM)

Liongard is a software platform designed for IT teams to automate the management, documentation, and auditing of an organization’s IT systems and attack surface. Credit unions and financial institutions can derive several benefits from using a platform like Liongard, especially if they operate their IT infrastructure through a Managed IT Service Provider (MSP) or in-house IT department. Benefits credit unions can gain from Liongard include:  

  1. Continuous Attack Surface Management: Liongard can automatically document the system configuration state and changes in the IT environment of a credit union. This automated documentation of external and internal systems can help credit unions maintain an up-to-date asset inventory of their IT systems, users, and licenses, which is crucial for compliance, auditing, and troubleshooting.
  2. Security and Compliance: By continuously monitoring and auditing the IT environment, Liongard can help credit unions ensure that they are compliant with financial regulations and standards, such as those related to data protection and cybersecurity. Automated alerts can notify the credit union of any changes that could potentially violate compliance requirements. 
  3. Continuous Monitoring for Proactive Management: Liongard’s ability to continuously monitor the IT environment helps credit unions detect vulnerabilities and unauthorized changes over time. This detection is crucial for mitigating risks before they can be exploited by cyber threats, reducing the potential for data breaches and cyber-attacks. 
  4. Automated Compliance Checks: By automating the process of ensuring that IT systems adhere to industry standards and regulations (such as the Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and specific financial regulations), credit unions can more easily maintain compliance. This reduces the risk of penalties and fines associated with non-compliance. 
  5. Historical Data for Auditing: Liongard’s ability to maintain 18 months of historical data on the configuration and changes within the IT environment aids credit unions during internal and external audits. This data proves compliance over time, showcasing the institution’s commitment to maintaining security standards. 
  6. Efficient Troubleshooting: With detailed historical data on the IT environment, credit unions can quickly identify and resolve issues. This reduces downtime and improves the reliability of IT services for both employees and members. 
  7. Enhanced Visibility: Liongard provides visibility into the entire attack surface, from external cloud services to internal network devices and software applications. This comprehensive view can help credit unions make informed decisions about IT investments and optimizations and stay ahead of risk.
  8. Cost Savings: By automating routine documentation and monitoring tasks, credit unions can reduce the labor costs associated with manual IT management. Additionally, by improving the efficiency and reliability of IT systems, credit unions can avoid costs related to downtime and IT failures. 

It’s important for credit unions considering Liongard to assess how the platform aligns with their specific IT management needs and regulatory requirements. Consulting with an MSP, IT professionals or the Liongard team can help determine the best approach for their operations.  

If you’d like to learn more or connect with one of our MSP partners, we’d be glad to assist. 
