
Gone phishing

Every credit union is vulnerable to attack by a cyber crook greedy to get his or her digital claws into valuable data and financial assets. A key prevention is ensuring individual employees are constantly on the watch for subtle, well-disguised phishing attacks.

It’s nearly impossible to stop a determined cybercriminal and that’s the reality that every credit union must contend with.

Size is immaterial. No business, regardless of its resources or importance, is immune to the disruptive threat these digital malefactors pose. If there is value in data and financial assets, cybercriminals will probe for vulnerabilities.

Canadians spend 43.5 hours every month online, according to Public Safety Canada — the most in the world — and the degree to which we rely on the Internet for financial services continues to grow. Concurrently, the digital economy is expanding in leaps and bounds and consumers are generally willing to give up more and more personal information to businesses and government in exchange for added convenience. To stay on top of this societal shift, credit unions are evolving their businesses to enhance their use of the Internet while embracing emerging technologies to meet members’ expectations for convenient and portable service. But, as a credit union’s membership grows and its library of member data expands, the incentive for a hacker to probe and attempt to break into its network increases.

As custodians of members’ personal information, credit unions have a legal and ethical obligation to keep this data safe. Unfortunately, it is impossible to defend against everything, so credit unions have to determine what the biggest risks are and focus finite resources in those areas. “Breaches are certainly becoming a fact of life in the digital age,” says Paul Gordon, senior manager of payments at the Canadian Credit Union Association (CCUA). “What’s important is that companies can clearly demonstrate that they’re doing everything they can to protect their customers and their customers’ data from these types of events and be proactive and transparent if or when a situation does occur,” Gordon says.

Statistics indicate how serious a threat to the Canadian economy cybercrime is. The Canadian Chamber of Commerce reported in April 2017 that cybercrime costs the Canadian economy more than $3 billion a year, with the average breach costing a business about $6 million.

Quadruple threat

There are four main types of threat actors: nation states, cybercriminals/organized crime, hacktivists and script kiddies. Canada’s credit unions are unlikely to be targeted by a nation state, and most of the attacks launched by hacktivists or script kiddies can be thwarted by mature risk-based security systems. Hence, the real threat to credit unions comes from cybercriminals, says Don Jackson, senior security consultant for Red Leaf Ventures, a Toronto-based firm serving companies in the financial sector. “An attacker doesn’t want to have to expend a lot of resources to go after a company. For them it’s a business opportunity,” Jackson says. “They are looking at it from the perspective of, ‘if I invest a couple thousand dollars, can I use that to gain $50,000 worth of credit card information and are those credit cards worth stealing?’ ”

In recent years, attackers have targeted companies using a particularly nasty type of malware called ransomware — a malicious software that threatens to publish data or block access to it unless a ransom is paid. Cybercriminals are drawn to the relatively quick payoff and the ability to use bitcoin — untraceable electronic cash — as ransom currency.


What’s worse is that, according to the RCMP, the number of ransomware attacks doubled between 2015 and 2016, and many more may be going unreported for any number of reasons. The force recommends that companies back up their system/data regularly to a cloud or external hard drive to minimize the leverage that cybercriminals have during ransomware negotiations when they have control over a company’s critical information.

Every employee matters

The majority of system breaches occur as a consequence of an accidental introduction of malware, whether by opening an email attachment, downloading bundled software, or sharing files with other computers on an unsecured network. “You can have a straight-up attack against a company,” says Jackson, “but that tends to be rare because the majority of firewalls and conventional antivirus technologies deal with the majority of those direct threats, so it has to be more nefarious, more subtle and more under the radar to get in.”

Whether by falling for phishing emails, clicking on and downloading malware, or being the victim of an email scam, employees are often the accidental cause of data breaches. Employees present cybercriminals with the most paths into a network and to its valuable data.

Because it is so easy to click on a link, every employee, from board members to the social media coordinator, has to understand their organization’s cybersecurity policies and procedures. Good organizational cyber hygiene includes educating staff on password management, identifying potential phishing efforts and backing up data. For network administrators, it involves continually updating applications so the most current security measures are installed (patching) and limiting the number of users with administrative privileges.
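To make “identifying potential phishing efforts” concrete, here is an added example (not from the article, nor from CCUA or Red Leaf Ventures) of a small Python checker that applies the cues staff are typically trained to look for: a display name that claims the organization while the address points elsewhere, a Reply-To that differs from the sender, a one-character lookalike sender domain, link text that shows one site while the target is another, the trusted name buried as a subdomain of an unrelated host, and urgency language. The trusted domain `example-cu.ca`, both sample messages and the heuristics themselves are assumptions constructed for illustration.

```python
"""Heuristic phishing-indicator checker (added example; not the article's code).

Assumes one trusted organisational domain and plain, unencoded text/html parts.
All sample data below is constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: the credit union's own mail domain (hypothetical value).
TRUSTED_DOMAINS = {"example-cu.ca"}
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|within 24 hours)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(value):
    """Domain of an e-mail address, or host of an http(s) URL, lower-cased."""
    m = re.search(r"@([\w.-]+)$", value) or re.match(r"https?://([\w.-]+)", value, re.I)
    return m.group(1).lower() if m else ""


def _one_char_variant(a, b):
    """True when a and b have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def _body_text(msg):
    parts = [msg] if not msg.is_multipart() else list(msg.walk())
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() in ("text/plain", "text/html"))


def phishing_indicators(raw_email):
    """Return human-readable indicators found in the raw message text."""
    msg = message_from_string(raw_email)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain_of(from_addr)
    reply_dom = _domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and from_dom != trusted:
            findings.append(f"display name mentions {brand} but sender domain is {from_dom}")
        if _one_char_variant(from_dom, trusted):
            findings.append(f"sender domain {from_dom} is a lookalike of {trusted}")
    body = _body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_dom = _domain_of(href)
        text_dom = _domain_of(text) if text.lower().startswith("http") else ""
        if text_dom and text_dom != href_dom:
            findings.append(f"link text shows {text_dom} but target is {href_dom}")
        for trusted in TRUSTED_DOMAINS:
            if trusted in href_dom and href_dom != trusted and not href_dom.endswith("." + trusted):
                findings.append(f"trusted name {trusted} used as a subdomain of {href_dom}")
    m = URGENCY_RE.search(body)
    if m:
        findings.append(f"urgency language: '{m.group(0)}'")
    return findings


# Constructed sample: a lure carrying several indicators at once.
SUSPICIOUS_EMAIL = """\
From: Example-CU Security <alerts@examp1e-cu.ca>
Reply-To: verify@mail-check.example.net
To: staff@example-cu.ca
Subject: Action required
Content-Type: text/html

<html><body>
<p>Your account will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="http://example-cu.ca.login-portal.example.net/verify">https://example-cu.ca/secure</a></p>
</body></html>
"""

# Constructed sample: a legitimate internal notice with no indicators.
CLEAN_EMAIL = """\
From: Example-CU Security <alerts@example-cu.ca>
To: staff@example-cu.ca
Subject: Monthly statement available
Content-Type: text/html

<html><body><p>Your statement is ready.</p>
<p><a href="https://example-cu.ca/statements">https://example-cu.ca/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw) or "no indicators")
```

Run as a script, the suspicious sample yields six findings and the clean one none. These are deliberately simple string heuristics; they complement, rather than replace, the mail gateway’s own checks, and their main value is as a teaching aid so staff see each cue against a concrete message.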

While it is easy to fall into the trap of thinking that you can avoid a cyber breach by being vigilant with the sites you visit and the attachments you download, the phishing email is just the most visible part of a specific type of attack. Attackers may also target your company through a supplier that has less stringent IT security controls, or launch a denial-of-service attack by attempting to overload a server with requests in order to overwhelm it.

And while increased use of technology is frequently advertised as a potential panacea to human error, there are limits. “Machine learning and AI are buzz terms but at the end of the day they are just algorithms and they are built to look for anomalous behaviour,” says Jackson. “So as long as you can manipulate an algorithm to make your behaviour not look anomalous, then you are able to bypass those technologies as well.”

Adds Jackson, “There is a human element to the equation that you can improve but you can never close that gap until you rule out the human element.”

Cyber attacks worst threat

The conundrum is: financial institutions like credit unions must offer a convenient and secure mobile banking option to remain relevant with members while juggling the costs of cyber security with the knowledge that there is no such thing as an infallible defence system.

In the Bank of Canada’s 2018 Financial System Survey, cyber attacks were cited as the most important risk to the smooth functioning of the Canadian system, ahead of a major drop in property prices, rising default rates and a deterioration in the economic outlook. Such worries make Ottawa’s new National Cyber Security Strategy especially timely. The strategy, funded with $507 million over five years and $110 million per year thereafter, establishes a voluntary, recognizable certificate intended to enable small- and medium-sized businesses to demonstrate to customers that they meet a baseline set of security practices. Part of this funding will also be used to create the RCMP National Cybercrime Coordination Unit and to increase the pool of cybersecurity talent to help fill the labour shortage that exists in the sector.

Is this new funding commitment enough? “It will never be enough,” says Red Leaf’s Don Jackson, adding that there are so many different tools that can be installed as part of a defense system that the price can become staggering. “A lot of times you have to just cross your fingers and hope for the best — it’s scary.”

CCUA’s Paul Gordon adds: “I would say the overall risk for smaller financial institutions, like credit unions, is lower than larger ones. But the reality is — any organization that manages customer data and relies on technology to run its business should have a clearly defined strategy around protecting that data and access to their technology infrastructure.”