The Voice of Canadian Credit Unions

Build that Wall

The Bank of Canada is calling upon the financial industry to take tougher measures to stop cyber attacks, considered a major threat to the Canadian economy.

If you received an email at work from UPS saying you have a package, with a link to where you can pick it up, would you click it? Are you even expecting a package? Have you checked if the email is really from UPS?

These questions are ones BlueShore Financial Credit Union (43,700 members, $5 billion in assets) in British Columbia is asking its employees to consider as part of its ongoing digital literacy project. The goal is to try to educate staff about the threats of cyber attacks, including from so-called “phishing” emails, to help the credit union avoid becoming the latest victim of online fraud. “If our staff are aware of cyber security and doing everything to protect themselves, they’re in turn protecting our customers as well,” Peter Chau, BlueShore’s vice-president of business technology systems, says from Vancouver. “Obviously, being a financial institution, protecting our customers’ data and information is a priority,” Chau says.

BlueShore is also investing in the latest technology to try to keep out cyber attackers. However, says Chau, arming people with information about how to spot and avoid a digital intrusion is just as critical. “We can have all the latest and greatest technology in place but it can only do so much. Criminals know that humans are the weakest point of entry,” he says. “A lot of times we forget the human aspect. It’s about being proactive.”

Cyber attacks are becoming more frequent and sophisticated, as are hackers’ tools and skills. Phishing and ransomware schemes — where malicious software blocks access to data and threatens to delete it unless a ransom is paid — continue to wreak havoc at companies around the world. This past May, for example, a huge cyberattack hit Britain’s health service, forcing some hospitals to close wards and emergency rooms. Related attacks were also reported in Spain, Portugal and Russia, according to the Associated Press. Attacks like these are forcing companies to invest more in protecting their information and systems, and have many scrambling to stay on top of the latest technology changes used by online fraudsters.

Fraud threatens economy

The Bank of Canada recently flagged cyber security as a major threat to the economy and the financial services industry in particular, given its increased reliance on information technology infrastructure. The bank urged the industry to boost its defense. “The interconnectedness of the financial system could lead to rapid transmission of stress from a cyber attack,” the central bank wrote in its twice-annual Financial System Review, released this past June. “This is a structural vulnerability that is unlikely to go away.” It also warned of contagion across other sectors, which could be a major blow to the overall economy. “A prolonged interruption in financial services, compromised data integrity or a loss of confidence could harm the financial system with knock-on effects to the real economy.”

Some Canadian companies are too complacent with their cyber security measures, according to a recent survey of security executives conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO. It shows 52 percent of companies surveyed across five industries, including financial services, consider themselves as better than average or a top performer when it comes to cyber security. “These results suggest some organizations are overconfident when assessing how cyber-ready they are,” the survey states. “This is particularly evident in the financial services sector, where no organizations think they are below average and 54 percent of them use their own benchmarks and criteria to assess their security status.”

Kevin Deveau, the head of FICO Canada, urged companies to be better prepared. “It takes more than just firewalls to be prepared for an attack,” Deveau stated at the release of the report. “To be truly equipped, firms should be thinking about analytics as well. This allows them to learn from any attempted breaches and continue to strengthen their defenses over time.”

The survey also shows 64 percent of telecommunications companies expect to invest more in cyber security protection measures, versus 38 percent of financial services companies. And, in organizations with 100 to 500 employees, only eight percent expect to see an increase in investment, the survey shows. That’s significantly less than the global average of 27 percent. “It is particularly concerning given that 62 percent of organizations of this size reported an increase in the volume of attack against them in the past year,” the report states.

Credit unions also at risk

Credit unions of all sizes are vulnerable to cyber attacks and must be vigilant, says Andrew Downin, managing director of research at the Filene Research Institute, a think tank for the consumer finance industry based in Madison, Wis. Filene released a report last year urging credit unions to invest more time and money on training and educating staff on cyber threats. “One of the main lines of defense, somewhat surprisingly, is employees and even members of the board of directors,” Downin says.

The report also called on credit unions to ensure their vendors have the right protections in place to avoid any spread of future attacks. Third-party contractors are often “the chink in an organization’s armour,” the report states. It also cites a U.S. Department of Homeland Security statistic that reveals 71 percent of cyber threats come through phishing. It’s why many credit unions like BlueShore are using phishing and other tests to gauge preparedness. “It’s about raising the level of awareness and vigilance for all employees,” says Downin. “It’s a good technique for employees to know they need to be on the lookout and expose individuals or departments that need enhanced training.” The risk of not doing enough, and being attacked, is not only financial but can also harm the credit union’s reputation. “For many credit unions, it’s not a matter of if, it’s a matter of when they will be a victim of a cyber crime,” Downin says.

Richard Swart, a visiting professor at the University of California, Irvine and a fellow at Filene’s Center for Emerging Technology, says most credit unions do a good job of maintaining best practices when it comes to the right technology to protect their systems. “I have less concern about the credit union technology stack,” says Swart, who is working on an upcoming report about the risks, threats and misuse of technology among credit unions. “The threat is less on the outside intrusion from a criminal than it is an unwitting employee being careless.” He used the example of an employee at an American credit union who had her computer password posted on a sticky note on the side of her terminal, visible to customers. “The danger with credit unions is that they’re a trusting bunch,” Swart says.

Some smaller credit unions may not have the sophisticated technology required to protect their systems, which could leave them more at risk, especially as online criminals get smarter. “The tempo and intensity of sophisticated attacks are going up,” says Swart. “This isn’t Jimmy the teenager in the basement you need to worry about. You need to worry about well organized, well financed, intentional cyber fraud.”

Swart says credit unions are at risk even with simple things such as reusing passwords or having employees accessing work data using their personal computers. “The less vulnerability you have to employee misconduct, whether intentional or accidental, that’s where 80 to 90 percent of your risk is.”

The cost of training people and protecting systems can be expensive, especially for smaller credit unions. The advantage of the credit union system is its collaborative values that encourage sharing of information and systems where possible. “Whether it’s a formal system or even an informal chat between two credit union IT executives on the biggest threats they’re facing and what they’re doing about it, the ability for smaller credit unions to collaborate and share what they’re seeing is a huge advantage,” Downin says.

Fraud losses climbing

According to Central 1 Credit Union, there was a 40 percent year-over-year increase in Interac e-Transfer fraud losses in 2016. These increases mirror the increased adoption of the e-Transfer service. The good news, according to a Central 1 report issued this past March, was that its MemberDirect customers show consistent below-industry-average fraud losses. MemberDirect is the online banking platform for self-service transactions, such as online and mobile banking.

In 2016, with the help of intelligence from Canada’s federal government, Central 1 said it prevented $300,000 in fraud losses with a quick response to a single malware campaign that attempted to steal member credentials and use them against credit union online banking services. Central 1, the primary liquidity manager, payments processor and trade association for member credit unions in BC and Ontario, has also made several enhancements so far this year to alert and proactively detect fraud, according to Martin Kyle, Central 1 director, operational risk and chief information security officer.

Cyber security professionals from a number of Canadian Credit Union Association members are actively working together to stay on top of the latest cyber threats. Brian Kocsis, director of information security at Meridian Credit Union (297,200 members, $13.9 billion in assets), says he meets weekly with security executives at other credit unions to talk about incidents and responses around the world and ways to prevent cyber attacks in their own organizations. “Collaboration is key to helping us understand what the threats are and what controls we have in place,” Kocsis says. Some credit unions share not only information but also investments on anti-malware and anti-spam platforms to help boost their security perimeters. “Our mandate is to really look at improving the security posture — what we can do for our own credit unions and the industry as a whole,” Kocsis says.