Randy Romes embraces the Boy Scout motto when it comes to cybersecurity: Be prepared.
“We need to be ready physically and mentally, and practice and be accomplished with the right tools,” says Romes, a principal at CliftonLarsonAllen who addressed the 2023 CUNA Cybersecurity Conference with NASCUS Tuesday in New Orleans. “We need all of these elements in information technology [IT] security.”
Cybercriminals view fraud as a business, he says. “They’re after information and access. Some groups specialize in financial institutions, while others focus on health care and retail. Once we know who they are, we’ll be better equipped.”
Romes says fraudsters will attack credit unions with:
- Email spear phishing attacks, which account for 85% of all breaches.
- Password guessing and business email account takeovers.
- Payment and funds disbursement transfer fraud.
- Ransomware.
- Extortion to avoid breach disclosure.
The average financial institution breach takes 177 days to identify and 56 days to contain, he says, citing the IBM Security Cost of a Data Breach Report 2021.
During that time, “they’re figuring out your business, where the crown jewels are, and how to access them,” Romes says. “Ransomware typically is the last act as they’re going out the door. It’s usually coupled with other acts, and is simply the most visible part of the attack.
“Resuming operations is just the first step,” he continues. “The legal and business ramifications of the data breach can persist.”
The average cost of a data breach is nearly $6 million, he adds.
Romes stresses the importance of incident response preparedness that incorporates people, rules, and tools.
“Security is not a product,” he says. “It has to be all of these things together. When people know the rules, they’ll do the right thing more than 90% of the time.”
Incident response preparedness entails:
- Having a plan. This includes an incident response playbook as well as disaster recovery and business continuity plans.
- Knowing how vendors fit into and support your incident response plan. This requires creating a matrix of service provider responsibilities.
- Practicing the plan. Conduct tabletop and live exercises, and regularly review and update the plan.
“Prepare, practice, and prove it,” Romes says. “IT needs to practice and prove that it can restore critical data elements in the heat of the moment.”