Protect Financial Institutions Strategically, from the Enterprise to the Individual

Grant Gaines, Senior Director of Cybersecurity, First Tech Federal Credit Union

Grant Gaines, Senior Director of Cybersecurity, First Tech Federal Credit Union

Financial institutions are targeted relentlessly by cyberwarfare. The threats are daunting, sometimes involving bad actors sponsored by other countries, and they arrive around the clock. The sophistication and seriousness of attacks evolve continually, and in the financial world, we expend tremendous energy behind the scenes to fend them off.

At First Tech Federal Credit Union, we’re on the front lines. We’re constantly evaluating and updating the solutions we use to protect our members and our enterprise, and we’ve always strived to be a catalyst in tech innovation across the credit union industry. Yet we’ve found that even the most cutting-edge cyber crime-fighting tools can’t do their job without another level of defense. That’s where the human touch comes in.

First Tech is a $12 billion-plus institution primarily serving California, Oregon, and Washington, with roots in the community that reach back to the 1950s. Protecting our members’ investments, and shielding them personally from fraud, data breaches, and identity theft are vital to preserving our credibility and reputation.

"Even the most cutting-edge cyber crime-fighting tools can’t do their job without another level of defense. That’s where the human touch comes in"

We also have to meet the demanding regulation requirements, particularly in the realm of money-laundering and fraud-related concerns. For these reasons, our organization’s leadership is on board with investing in solutions to confront and ward off financial crimes. These include firewall and intrusion protection, a fraud detection system, behavior analysis tools, and a 24/7/365 Security Operations Center for our members.

Beyond the marquee threats are the attacks that come on a more granular level, such as phishing schemes. Alarmingly, these are some of the cheapest and most effective means that criminals use to gain access. The tools we deploy are helpful and necessary—but rather than focusing solely on those, we are also working to develop an enterprise-wide awareness about the need for security at the individual level. This ultimately will accomplish far more than the tools can by themselves.

Work with employees to foster a security-aware culture

In the global cyber warfare campaign, people are the weakest link. A phishing attack, for example, can sail right through all the defenses an organization may invest in. The strategy is to appear trustworthy and persuade an individual to allow access into a company’s security infrastructure.

Spear phishing, an attack targeted to a specific employee, relies on the use of personal information about targets, which sometimes is gathered in advance and even from a prior breach. When conducted against senior executives, the attack is known as whale phishing.

Sometimes, the whale formula is reversed, and a phishing email will be disguised as coming from an executive. They may ask for money to be transferred, sometimes in a sophisticated scheme in which the victim is deceived into wiring funds to a “burner” bank account, which is quickly emptied. Small and medium-sized businesses are especially vulnerable, as they have short lines of communication between finance staff and upper-level leadership, and fewer checks and balances.

In a real-world test by security firm Positive Technologies, 27 percent of employees clicked on an emailed phishing link. In addition, 7 percent even fell for a prompt to download and run a file. It’s currently the most effective method of cybercrime, requiring comparatively less effort and resources to execute.

All businesses, especially financial institutions, need to develop a security-aware culture inside and outside its walls. At First Tech, we hold regular security trainings for employees and test how well they think critically and follow security methods.

We also benefit from a company culture that reflects our longstanding value of community. We work hard to cultivate an environment where if somebody doesn’t feel right about, say, an unexpected request from a company leader to submit a purchase order, they can reach out directly, or even go right to the person’s office and ask.

Having those relationships within our company’s fabric is an asset that goes beyond any cutting-edge software or tools we could invest in.

Empower members to enhance their security

First Tech also has a built-in advantage of having a discerning, technologically sophisticated member base. We serve employees of companies such as Cisco systems, Intel, Intuit, and Google—many of whom may very well be involved with developing security solutions themselves.

Not only do our members count on us to provide high security in their banking experience, but the vast majority of them already are comfortable with being proactive in taking precautions to help stay safe. We take it as a given that our members are ahead of the curve when compared with the customer base of other large enterprises.

It’s in our interest as an organization to have members on board with their financial security and to work with them to keep it strong. We work with our members to make them security-aware, offering a number of online learning and development programs for them, which they take advantage of.

We strive to give our members the protection they have come to expect. Even the most tech-savvy among them tend to be oblivious to the many layers of security we provide, and that’s just fine with us. Outlining every measure we’re taking would play right into the hands of the cybercriminals.

Confront threats as they evolve

It’s all too easy for an organization to default to a myopic approach of focusing on security tools. It’s not very successful. We can buy a tool today, but two or three years down the line, the threat landscape will have already changed, and our tool will be obsolete. Beyond the tech solutions, we need to develop a “security correct” intelligence program across the enterprise, one that can scale up to address threats as they evolve.

The needle is always moving, and we will never be able to lock the door completely. At First Tech, we are focused on building our cybersecurity program enterprise-wide that we can drive into the future and keep leveraging. This requires getting everybody on board, from executive leadership to workgroups to our members, so that our approach is strategic rather than reactive. 

Weekly Brief

Read Also

Building a Comprehensive Industrial Cyber Security Program

Building a Comprehensive Industrial Cyber Security Program

Mohamad Mahjoub, CISO, Veolia Middle East
Bolstering Cybersecurity

Bolstering Cybersecurity

Amr Taman, Chief Information Security Officer, Al Ahli Bank of Kuwait
Building Untrusted Networks to Improve Security

Building Untrusted Networks to Improve Security

Earl Duby, Vice President and CISO, Lear
Security challenges that companies face when implementing telehealth and the solutions and best practices for managing the risks

Security challenges that companies face when implementing...

Stefan Richards, Chief Information Security Officer, CorVel Corporation
Building Cyber Resilience during Covid-19

Building Cyber Resilience during Covid-19

Aleksandar Radosavljevic, Global Chief Information Security Officer, STADA
IAM may help secure data, but it needs to be protected as well

IAM may help secure data, but it needs to be protected as well

Marc Ashworth, Chief Information Security Office, First Bank