Stats & Trends
The Barkly Team
Jun 2018

Credit Union Cybersecurity in 2018: Biggest Threats and 3 Practical Solutions


With cyber attacks increasing, the pressure is on credit unions to show that they're properly safeguarding their members' information.

Credit union membership is growing, with consumers looking to these nonprofit banking options for better interest rates, lower fees, and less overhead than traditional, large, for-profit banking institutions.

But, despite their smaller size and tighter margins compared to banks, credit unions still face the same data and malware threats and require the same high level of security. That means credit unions — which average just 52 employees and hold just under $1.5 billion in assets in total — must maintain the same level of security as JPMorgan Chase, which alone holds $2.5 trillion in assets and employs over 250,000 people.

It's a high bar with much at stake, as credit unions are incredibly popular targets for cyber criminals. In 2016, credit unions and banks with less than $35 million in assets accounted for over 80% of hacking and malware breaches at financial institutions. With the threat of malware on the rise across all industries, here is a look at the challenges credit unions face, specifically, along with some practical tips on how they can strengthen their security in more efficient and effective ways.

How vulnerable are credit unions to malware?

A quick examination of industrywide data makes it easy to see that the risk cyber attacks pose to credit unions is increasing. The financial industry as a whole ranks in the top five most likely targets of a social engineering breach, and Verizon reports that nearly 60% of breach victims last year were small businesses — a category into which virtually all credit unions fall. Verizon also indicates the motivation behind 76 percent of the attacks it investigated last year was to steal money or inflict financial damage, an outcome that poses obvious pitfalls for credit unions, in particular.

At the same time, recent studies show many organizations are underprepared for the surge in new and sophisticated malware attacks. In fact, only one-third have adequate resources to manage the growing threat. That could explain why, among those that fell victim to an attack last year, nearly 70% say it took months or more to even discover the breach, to say nothing of the months it can take to recover. Many credit unions may find themselves unequipped to take on proactive efforts like threat hunting, and security software designed for large security teams is often overkill or too complex to try to manage in-house. 

What are the biggest cyber threats to credit unions?

Based on industry data, the types of threats credit unions are most likely to grapple with are: 

Email is the most popular vector, with more than 90 percent of successful attacks delivered via phishing emails and “pretexting” — attempts to trick victims into releasing sensitive information such as credentials, often by pretending to be a trusted contact such as a boss.

Another growing attack trend is the use of fileless techniques designed to compromise machines silently, often by hijacking otherwise legitimate tools and software. Because they’re undetectable by conventional file-scanning antivirus solutions, attacks that utilize fileless techniques are 10x more likely to succeed than attacks that deploy malware in traditional ways. Due to that success, use of fileless techniques is quickly becoming widespread — nearly 40 percent of attacks this year are expected to incorporate them.

How much are cybersecurity incidents costing credit unions?

Taking lost productivity, system down time, restoration, and other factors into account, the average cost of a successful attack is now over $5 million.

With that much money at stake, it's no surprise the amount of investment credit unions are pouring into preventing that outcome has gone up, as well. In a recent survey of National Association of Federal Credit Union (NAFCU) members, 92 percent said their data and cybersecurity costs have increased over the last three years, yet the majority indicated it still remains a “significant” challenge to maintain a secure environment.  

“It’s really difficult to quantify how much a credit union should invest in cybersecurity, but I can tell you the hurdle is increasing at a rapid rate and isn’t likely to let up soon,” said George Rudolph, SVP of operations and technology at Chicago-based Alliant Credit Union and second vice chair of CUNA Technology Council, in an interview with Credit Union Journal. Rudolph estimated Alliant has spent tens of millions of dollars on cybersecurity during the past five years, and others say cybersecurity is at least 5% of their annual operating budget.

3 practical tips for overcoming the threat

With costs on the rise, credit union IT directors should be happy to know there are several things they can do that don't require adding budget or complexity. 

  1. Use the FFIEC’s Cybersecurity Assessment Tool. It can help you determine your organization’s overall risk and level of preparedness, then identify how best to refine your risk management practices and security strategies to keep your credit union and its members safe.

  2. Give hackers less to work with. With attackers increasingly building their attacks around the abuse of native Windows tools and functionality, you can essentially throw a wrench in their plans by disabling and restricting as much of it as possible. Disabling macros, restricting PowerShell, and turning off rarely-used features in Microsoft Office, for example, can harden your systems by reducing the attack surface. Get more tips on Windows system hardening in our free eBook, The Essential Guide to Blocking Malware without a SOC.

  3. Replace your antivirus with stronger, smarter protection. In the majority of successful attacks, AV and other protections were in place, yet they failed to stop malware. That’s because the ways attackers are packaging, delivering, and deploying malware have evolved to evade AV detection. To keep up, credit unions need to investigate using a new endpoint protection solution like Barkly, which is designed to block malware in addition to the underlying malicious behaviors and exploit techniques attackers rely on. As a result, Barkly blocks infections regardless of their source, and stops them in real-time before any damage is done. Best of all, it's built for empowering small teams with easy-to-use security software that just works. 
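To check where a workstation stands on tip 2, the following read-only PowerShell audit reports the Office macro policy and two PowerShell restrictions. It is an added example, not Barkly's code; it assumes Office 2016 or later (version key 16.0), Windows 10, and an elevated session, and the pass criteria are an assumed baseline rather than a standard from the article.

```powershell
# Read-only audit of the settings named in tip 2; nothing is modified.
# Assumptions: Office version key 16.0, Windows 10, elevated session
# (elevation is needed for the optional-feature query).
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy value is absent (not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = @()

# Office macro policy, per application.
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vba = Get-PolicyValue -Path $key -Name 'VBAWarnings'
    $net = Get-PolicyValue -Path $key -Name 'blockcontentexecutionfrominternet'
    $report += [pscustomobject]@{
        Check   = "$app macros"
        Setting = "VBAWarnings=$vba; BlockFromInternet=$net"
        # Assumed baseline: signed-only or fully disabled, plus the internet block.
        Pass    = ($vba -in 3, 4) -and ($net -eq 1)
    }
}

# PowerShell 2.0 engine: predates script block logging and AMSI,
# so a hardened host normally has it removed.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
$v2State = if ($v2) { [string]$v2.State } else { 'Unknown' }
$report += [pscustomobject]@{
    Check = 'PowerShell v2 engine'; Setting = $v2State; Pass = $v2State -like 'Disabled*'
}

# Language mode of the current session. ConstrainedLanguage is normally
# enforced through AppLocker or WDAC policy, not set by hand.
$mode = [string]$ExecutionContext.SessionState.LanguageMode
$report += [pscustomobject]@{
    Check = 'Language mode'; Setting = $mode; Pass = $mode -eq 'ConstrainedLanguage'
}

$report | Format-Table -AutoSize
```

An empty value in the Setting column means the policy is not configured, so the application falls back to whatever the user has chosen in the Trust Center.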

See for yourself how Barkly can improve security at your credit union. Sign up for a demo.
