POIPU, Kauai—Credit union board members gathered here were warned about just how many “doorways” there are into CU systems, how they are opened and how they can be locked, while also being pointed toward a free security tool every CU should be using.
Speaking to Rochdale’s Volunteer Leadership Institute (VLI), Randy Romes, a principal with CliftonLarsonAllen LLP, shared with attendees a graphic showing all of the devices in their homes and lives—from routers to refrigerators—that are part of the Internet of Things, and said the same applies to credit unions, which are much juicier targets for bad actors.
Romes recommended that even the smallest credit unions turn to CIS Critical Security Controls, version 8, which include resources such as checklists, benchmarks, reporting and tracking tools, and other guidance.
“The roadmap is already there,” he said. “This is the best, plain-English framework out there.”
Key Questions
Other key questions to ask, Romes told the VLI meeting, include:
• Do we have accurate systems and data inventories?
• What does this software application have access to?
• What user accounts and privileges are given to it?
• What do we need to do for due diligence?
• What impact does this software have on the institution if it is hacked or breached, or if the credit union is down for hours or months?
• Has the credit union performed a ransomware readiness or resilience test?
• Can IT operations be restored from bare metal up, in the heat of the moment?
• Are you confident your hosted vendor is prepared?
Romes told board members that a credit union also needs to have management authorities identified in the event of a breach.
“Who is authorized to make decisions?” such as shutting down the website, he asked.
