Making Intelligence Actionable: Cybersecurity Preparedness in the Credit Union Industry

July 3, 2019 • Avia Navickas

As the threat landscape continues to evolve, organizations need to be increasingly proactive in their approach to cybersecurity.

One industry that’s taken proactive measures toward cybersecurity preparedness is the credit union industry. Over the last couple of years, the National Credit Union Administration (NCUA) developed a tool called the Automated Cybersecurity Examination Tool (ACET) to help credit unions assess their cybersecurity readiness. The maturity assessment part of the tool helps credit unions determine their cybersecurity preparedness in the context of five domains:

  1. Cyber risk management and oversight
  2. Threat intelligence and collaboration
  3. Cybersecurity controls
  4. External dependency management
  5. Cyber incident management and resilience

The goal of collecting this data across credit unions is to establish a benchmark for the industry and identify areas for improvement.

Using the ACET as a Blueprint

The ACET outlines the five domains above as primary areas of focus for increasing cybersecurity preparedness, and for credit unions, this can serve as an effective guideline for how to build a security strategy. Recorded Future’s credit union clients use our solution to help them satisfy multiple areas of the assessment, particularly within the “threat intelligence and collaboration” and “external dependency management” domains.

Threat Intelligence and Collaboration: Making Intelligence Actionable

Financial institutions, like credit unions, have a lot of information to protect. It probably comes as no surprise that they are common targets of malicious threat actors. Threat intelligence can help provide insight into who these threat actors are, what their motivations and capabilities are, and what indicators of compromise to look for in your systems. Threat intelligence is most actionable when it is relevant — meaning it’s timely, provides context, and is able to be understood by the people in charge of making decisions.

Recorded Future helps credit unions satisfy the “threat intelligence and collaboration” domain of the ACET. We enable credit unions to continuously monitor for new threats relevant to their organization from the broadest set of sources and surface that intelligence in real time. With the introduction of the Intelligence Goals Library, an easy-to-use library of alerting rules, this intelligence has become more accessible than ever.

These alerts are written in plain language and organized in a way that makes them easily discoverable, making it easy for anyone, regardless of their level of cybersecurity experience, to understand and implement them. In fact, any alert can be activated with the click of a button. Having the outside perspective that threat intelligence provides can help credit unions stay proactive in their cybersecurity defense.

External Dependency and Management: Managing the Risk of Third Parties

But in today’s interconnected business world, understanding the threat landscape that surrounds your own company isn’t enough. Equally important to understand is the threats surrounding an organization’s third parties, including vendors, partners, and suppliers. According to a study conducted by the Ponemon Institute, 59% of companies said they have experienced a data breach caused by one of their vendors or third parties. Clearly, this is an issue that can’t be ignored. Appropriately, the ACET includes monitoring third-party risk as an area within the “external dependency management” domain.

This is another area where Recorded Future supports clients with the addition of our Third-Party Risk module. The intelligence included with this module helps organizations assess the threat landscape in which their third parties operate, identifying things like exposed credentials and potential phishing domains that could, in turn, expose not only the company itself but also its partners. Understanding the threat activity surrounding your own company is a useful first step to a proactive security strategy. Better still is to understand your risk in the context of your broader ecosystem, including the threats targeting your third parties.

Cybersecurity Preparedness: A Good Idea No Matter Which Framework You Use

Regardless of which security framework or vendors an organization chooses, being proactive in your approach is a smart bet.

As more and more of our world becomes digital and attacks become increasingly stealthy, our risk is greater than ever before. The ACET sets a helpful precedent for the credit union industry in establishing the importance of cybersecurity and implementing a consistent framework for measuring preparedness. When considering security vendors, credit unions could consider using the ACET template as a starting point for evaluation.

To learn more about the ACET, visit the NCUA’s website.