How the Internet “of Things” Is Complicating Your Cybersecurity
On Friday, access to major websites, including Twitter, Netflix and the New York Times, was shut down just after 7 a.m. as the result of a massive distributed denial-of-service attack. When Twitter couldn’t be reached, officials originally thought that Donald Trump was simply sending out too many tweets complaining about media bias following his botched debate performance and cratering poll numbers, but the attack was actually a sophisticated assault on a New Hampshire company called Dyn that helps direct internet traffic. Just joking about the Trump stuff. The bad guys would never want to shut down Trump.
Why should you care? Because the attacks demonstrate (1) the importance of cybersecurity mitigation based on the size and complexity of your credit union’s operations, (2) the need for contracts that memorialize vendor liability and oversight, and (3) the need for policymakers to take a holistic approach to cybersecurity that involves all industries shouldering responsibility to mitigate cyber threats. Your credit union might not be directly at risk, but your vendor very well could be.
First, some background. Distributed denial-of-service attacks are nothing new. Basically, hackers search the internet for devices to take over. Once they discover a vulnerable device and its password, they can redirect these machines to send data at targeted sites. The more devices that can be used in the attack, the larger it is going to be.
When it was just computers that were hooked up, these attacks were bad enough, but with the explosion of devices hooked up to the internet these attacks have become that much more lethal. Security experts have been sounding the alarm for months that not enough security precautions are being taken when gadgets such as DVRs and cameras are hooked up to the web. According to Krebs on Security, the problem is exacerbated by default factory password settings. He further reports that even if these passwords are changed, it’s relatively easy for hackers to get around these changes.
So what can and should you do? As luck would have it, on Thursday the Federal Financial Institutions Examination Council released a “frequently asked questions” document about the cybersecurity assessment tool unveiled by the Council last year.
The assessment tool provides financial institutions with a framework for assessing an institution’s cybersecurity risk profile and its preparedness to mitigate cybersecurity attacks. In addition, it says that institutions may customize the assessment for their individual needs. While I have never been against the assessment, I was concerned that regulators were imposing the same analytical framework requirements on Citibank and a $20 million credit union. So I was pleasantly surprised that regulators clarified that no institution is mandated to use the assessment. It is no more and no less than a “voluntary tool that institution management may use to determine an institution’s inherent risk and cybersecurity preparedness.”
In this environment there are three main steps the industry has to take. First, we have to ensure that whatever additional mandates are imposed on businesses provide institutions with the flexibility they need to establish cyber protections consistent with their own risk profile. The assessment is a good place to start. Secondly, we have to continue to explain to regulators and policymakers the steps that financial institutions and their regulators have already taken for several years to protect against cyber assaults. Europe has already suggested baseline cybersecurity standards for manufacturers, and financial institutions have a stake in advocating for this country to impose similar standards. Thirdly, all businesses, including merchants, have to be subject to cybersecurity protocols. Mechanisms have to be put in place to hold them accountable when they fail to do so. Finally, do you know who your vendor uses to provide you with the computer services your members expect? If you don’t, then you don’t know how vulnerable your credit union is to cyberattacks. One thing you may want to do is to ask your vendors to take the risk assessment and tell you the results.
If you woke up early to watch the Giants game on Sunday, you did more than the Giants, who won despite sleepwalking through one of the most boring, uninspired football games I have ever seen them play. Anyone who tells me how much more exciting football is than baseball hasn’t been watching the Chicago Cubs make it to the World Series.
By the way, the Cubs last won the World Series in 1908, the same year St. Mary’s Cooperative Credit Union was founded in Manchester, New Hampshire. In other words, North America’s credit union industry is as old as the Cubs’ losing streak. I hope a Cubs victory in the World Series isn’t a bad omen for the next hundred years.