enterprisesecuritymag

Protect Financial Institutions Strategically, from the Enterprise to the Individual

By Grant Gaines, Senior Director of Cybersecurity, First Tech Federal Credit Union

Grant Gaines, Senior Director of Cybersecurity, First Tech Federal Credit Union

Financial institutions are targeted relentlessly by cyberwarfare. The threats are daunting, sometimes involving bad actors sponsored by other countries, and they arrive around the clock. The sophistication and seriousness of attacks evolve continually, and in the financial world, we expend tremendous energy behind the scenes to fend them off.

At First Tech Federal Credit Union, we’re on the front lines. We’re constantly evaluating and updating the solutions we use to protect our members and our enterprise, and we’ve always strived to be a catalyst in tech innovation across the credit union industry. Yet we’ve found that even the most cutting-edge cyber crime-fighting tools can’t do their job without another level of defense. That’s where the human touch comes in.

First Tech is a $12 billion-plus institution primarily serving California, Oregon, and Washington, with roots in the community that reach back to the 1950s. Protecting our members’ investments, and shielding them personally from fraud, data breaches, and identity theft are vital to preserving our credibility and reputation.

"Even the most cutting-edge cyber crime-fighting tools can’t do their job without another level of defense. That’s where the human touch comes in"

We also have to meet the demanding regulation requirements, particularly in the realm of money-laundering and fraud-related concerns. For these reasons, our organization’s leadership is on board with investing in solutions to confront and ward off financial crimes. These include firewall and intrusion protection, a fraud detection system, behavior analysis tools, and a 24/7/365 Security Operations Center for our members.

Beyond the marquee threats are the attacks that come on a more granular level, such as phishing schemes. Alarmingly, these are some of the cheapest and most effective means that criminals use to gain access. The tools we deploy are helpful and necessary—but rather than focusing solely on those, we are also working to develop an enterprise-wide awareness about the need for security at the individual level. This ultimately will accomplish far more than the tools can by themselves.

Work with employees to foster a security-aware culture

In the global cyber warfare campaign, people are the weakest link. A phishing attack, for example, can sail right through all the defenses an organization may invest in. The strategy is to appear trustworthy and persuade an individual to allow access into a company’s security infrastructure.

Spear phishing, an attack targeted to a specific employee, relies on the use of personal information about targets, which sometimes is gathered in advance and even from a prior breach. When conducted against senior executives, the attack is known as whale phishing.

Sometimes, the whale formula is reversed, and a phishing email will be disguised as coming from an executive. They may ask for money to be transferred, sometimes in a sophisticated scheme in which the victim is deceived into wiring funds to a “burner” bank account, which is quickly emptied. Small and medium-sized businesses are especially vulnerable, as they have short lines of communication between finance staff and upper-level leadership, and fewer checks and balances.

In a real-world test by security firm Positive Technologies, 27 percent of employees clicked on an emailed phishing link. In addition, 7 percent even fell for a prompt to download and run a file. It’s currently the most effective method of cybercrime, requiring comparatively less effort and resources to execute.

All businesses, especially financial institutions, need to develop a security-aware culture inside and outside its walls. At First Tech, we hold regular security trainings for employees and test how well they think critically and follow security methods.

We also benefit from a company culture that reflects our longstanding value of community. We work hard to cultivate an environment where if somebody doesn’t feel right about, say, an unexpected request from a company leader to submit a purchase order, they can reach out directly, or even go right to the person’s office and ask.

Having those relationships within our company’s fabric is an asset that goes beyond any cutting-edge software or tools we could invest in.

Empower members to enhance their security

First Tech also has a built-in advantage of having a discerning, technologically sophisticated member base. We serve employees of companies such as Cisco, Intel, Intuit, and Google—many of whom may very well be involved with developing security solutions themselves.

Not only do our members count on us to provide high security in their banking experience, but the vast majority of them already are comfortable with being proactive in taking precautions to help stay safe. We take it as a given that our members are ahead of the curve when compared with the customer base of other large enterprises.

It’s in our interest as an organization to have members on board with their financial security and to work with them to keep it strong. We work with our members to make them security-aware, offering a number of online learning and development programs for them, which they take advantage of.

We strive to give our members the protection they have come to expect. Even the most tech-savvy among them tend to be oblivious to the many layers of security we provide, and that’s just fine with us. Outlining every measure we’re taking would play right into the hands of the cybercriminals.

Confront threats as they evolve

It’s all too easy for an organization to default to a myopic approach of focusing on security tools. It’s not very successful. We can buy a tool today, but two or three years down the line, the threat landscape will have already changed, and our tool will be obsolete. Beyond the tech solutions, we need to develop a “security correct” intelligence program across the enterprise, one that can scale up to address threats as they evolve.

The needle is always moving, and we will never be able to lock the door completely. At First Tech, we are focused on building our cybersecurity program enterprise-wide that we can drive into the future and keep leveraging. This requires getting everybody on board, from executive leadership to workgroups to our members, so that our approach is strategic rather than reactive. 

Read Also

How to get your information security to lift more weight

How to get your information security to lift more weight

Carric Dooley , Worldwide VP of Foundstone Services, Intel Security
Be Proactive-Make Information Security a Priority

Be Proactive-Make Information Security a Priority

Donald Good, Director, Global Legal Technology Solutions, Navigant [NYSC:NCI]
Information Security Means Never Being Done

Information Security Means Never Being Done

Dan Callahan, VP, Cloud Services, CGNET
Achieving Information Security in Healthcare

Achieving Information Security in Healthcare

Dan Costantino, CISO, Penn Medicine

Weekly Brief