Blog: Credit Union

Cybersecurity budgets for financial institutions are continuing to increase in an effort to keep pace with advances in technology. CoNetrix conducted a survey to gain insights into cybersecurity and how institutions are using their funds to support their cybersecurity program. 

Cybersecurity Budget for Financial Institutions

Here is some of the information you will find in the report concerning IT and Cybersecurity budgets for financial institutions.

  • 52% of all respondents indicated their IT budget for 2019 will exceed the allotted amount for 2018.
  • 31% reported they will neither increase nor decrease their IT budget for 2019.
  • Institutions with a larger asset size are more likely to increase their IT budget in 2019.
  • 52% of respondents reported they plan to increase Network Infrastructure making it one of the top priorities in 2019.
  • 41% of financial institutions will be increasing their cybersecurity budget in 2019.
  • 44% will maintain the same cybersecurity budget.
  • Institutions with higher confidence in their Board's understanding of cybersecurity posture results in a higher likelihood the budget will increase.
  • 66% of institutions have a shared budget with IT with no designated line item for cybersecurity.
  • 19% have a shared budget with IT with a designated line item for cybersecurity.

Find out more about how institutions are managing their IT and Cybersecurity budget by downloading our report on The State of Cybersecurity in the Financial Institution Industry. https://conetrix.com/cyber-report


 

By:

Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably there was a rush from three main industries, processor companies, operating system companies, and cloud providers to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals. "Do we install updates which may cause our systems to crash?" or "Do we sit-tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

  • The vulnerability doesn't have access to your systems
  • Operating system or application weaknesses are patched
  • Security software is installed (advanced end-point protection software with artificial intelligence is a game changer)

So how do you do achieve these standards? Here are some fundamental best practices:

  1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.

  2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.

  3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday, the second Tuesday of each month).

  4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior based end-point protection software. This genre of software "watches" system behavior to notice and stop suspicious action.

  5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.

 

Yesterday, during a webinar titled "Cybersecurity - The Basics", the NCUA provided information on a new Fraud and Cyber Security Initiative grant of up to $7,500 for low-income designated (LID) credit unions.[more] The grant, which must be applied for by June 30, 2015, is designed to help LID credit unions with building and enhancing cyber security to help protect member information.

In order to assist credit unions with their information and cyber security needs, CoNetrix has created a webpage with information about the grant, including a few bundled offerings centered on cyber security.  Additionally, CoNetrix is sponsoring several free webinars to educate about the grant and our offerings.  You can register for the webinars and learn more at www.conetrix.com/ncuagrant/  


 

This month, the New York State Department of Financial Services ("the Department") released results from a survey conducted in 2013 on cyber security.  154 institutions completed the survey, representing 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies.  The survey asked questions regarding information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security. [more]

In conclusion, the Department states:

"As part of its continuing efforts in this area, the Department plans to expand its IT examination procedures to focus more fully on cyber security.  The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.  The revised procedures are intended to take a holistic view of an institution's cyber readiness and will be tailored to reflect each institution's unique risk profile.  The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York's financial services industry."

This report comes on the hills of the FFIEC webinar, Executive Leadership of Cybersecurity: What Today's CEO Needs to Know About the Threats They Don't See in which the FFIEC introduced expectations of new examination procedures.

To read the full Report on Cyber Security in the Banking Sector by the New York State Department of Financial Services can be found here - http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf