You wouldn’t dream of stepping out of your office without locking up and setting the building alarm. Nor would you allow people to roam around, unchecked, in case they trespass into secure areas. So why should your Credit Union software systems be any different?
The Central Bank of Ireland (CBI) has advocated increased vigilance in the management of cybersecurity and related operational risks. This is in direct response to the increased incidence of these types of malicious activities. The now infamous WannaCry ransomware attacks catapulted cybersecurity into the mainstream and left many organisations wondering whether they could withstand a cyberattack, and how prepared they were for such an eventuality.
Cybersecurity can be defined as the measures put in place to mitigate loss of data, or of service, for IT systems. We called upon our cybersecurity expert, Networks Engineer Gerard Farrell, to talk about the cybersecurity issues facing your Credit Union. We also get his 5 top tips for securing your Credit Union’s network and why they’re so important.
What cybersecurity measures should my Credit Union be following?
Historically, cybersecurity has often been a part of IT infrastructure that is left by the wayside. The CBI’s strict requests that security recommendations be followed have set an important benchmark that Credit Unions must meet - or face hefty penalties.
The impact of system breaches, like WannaCry, can be severe for both your operations and your reputation, and the CBI is cracking down on non-compliers in the financial sector in Ireland. If an attack does occur, the CBI must be furnished with an explanation of how (and why) it was allowed to happen, as well as the attempts made to contain the breach. Lack of evidence of preparedness will be treated seriously, putting your Credit Union at operational, financial and reputational risk.
Gerard’s 5 steps to better cybersecurity
It is essential to establish a business culture where IT maintenance and protection is viewed as integral to safeguarding the organisation operationally and as a whole. For Wellington IT’s resident cybersecurity expert, Gerard Farrell, there are numerous things that a Credit Union can do to ensure the CBI’s cybersecurity guidelines are met - and if the prospect is daunting for a busy Credit Union, IT Managed Services become the perfect antidote to the problem.
1) Credit Union cyber security training
For Gerard, better training of Credit Union staff (and board members) about the risks of unpatched systems and lapsed security updates is important. “Staff require training on cybersecurity. After all, the most common point of entry to a system is a user. They should also be trained to recognise the signs of malware, social engineering, and what to do if they suspect something is wrong,” said Gerard.
“An IT Managed Service (ITMS) provider can assist with the protection of your IT infrastructure by providing hardware, software and security awareness training. Cyber Essentials is a government-backed program accreditation that shows your staff are trained in ensuring basic levels of security. Having an ITMS provider who trains your staff means you can get to a level where you can apply for the qualification.”
2) Take control of change management
Change management is designed to control risk and minimise disruption to business operations and IT services by implementing a set of standardised procedures and approaches to change. These procedures should be followed to ensure that every alteration or addition to your Credit Union’s IT environment is tracked, compatible and secure. Change management procedures can be managed much more effectively with an IT Managed Service offering.
“Change management needs to be documented and someone needs to be nominated to approve change processes,” said Gerard. “This means updates are kept current and that 3rd party access is controlled and contractors are accountable. Also, this ensures that any changes to a network are approved as business needs arise, and no unnecessary changes are made to infrastructure.”
3) Conduct a full site audit - and review it regularly
A full site audit should include details of all out of date or out of warranty equipment, computers, servers and software that require regular software patches from the manufacturer. An IT Managed Services provider can relieve your Credit Union of the burden of such an important but often painstaking task. “The ITMS should then provide a plan on what to do with the out of date equipment and make recommendations for hardware replacements,” said Gerard. “Hardware should be kept in warranty, in case of failure. While this includes servers and computers, more importantly in terms of security, it includes your organisation’s firewall and network equipment.”
4) In case of emergency - duplicate your data
The increased ease of collecting and collating huge amounts of information means an increase in the number of complex data sets which require protection. Having a duplicate server, where all business information is safely stored, becomes an imperative if your Credit Union is serious about survival following a malicious act. After all, without its data, your Credit Union can’t operate. “Whether on or off site, or locked in a safe, there must be both physical and digital security surrounding the Credit Union’s data. It should be secure,” said Gerard. “If data is hot (i.e. immediately accessible) the same safeguards should be in place as live data.”
5) Patch, patch, patch… and backup
“Generally, software patches and new versions of firmware are written up until a piece of hardware becomes end of life - the expected life span as prescribed by the manufacturer. Therefore, networking equipment, switches and firewalls, should be replaced periodically to keep up to date with the latest versions of software,” said Gerard.
“As well as networking hardware, your organisation’s anti-virus also needs to be kept up to date. This means that your anti-virus provider’s latest definitions (the files that determine what is a virus/malware) are pulled down to your computers, as well as any software changes the supplier makes. Malware is generally downloaded to a machine in your network, by a user. It’s very rare that malware is placed on the network by an outside force.”
“Backups should be made daily, weekly, monthly and possibly yearly, depending on requirements,” explained Gerard. “This is not part of a Disaster Recovery or Business Continuity plan - a backup is more for recovery of lost or damaged data, i.e. a cryptolocker virus. Backups should be tested regularly for data restoration.”
If your Credit Union comes up short when it comes to complying with the CBI’s stringent regulations around cybersecurity, an IT Managed Service offers a perfect solution. Credit Unions are busy organisations, with many competing demands on their time. In choosing an IT Managed Service for your Credit Union, you have peace of mind knowing your systems are operating securely, regularly checked, and patched. You’ll have a formulated protocol and set of procedures that prove you’re serious about cyber security and protecting your Credit Union - and what’s more, you’ll be investing in your future.