How Can Credit Unions Protect Themselves Against Cyber Attacks?

Greg Schaffer, corporate executive vice president and chief information security officer (CISO) for FIS Global, has enterprise-wide oversight of FIS’ information security program, functions and initiatives. Here, he answers important questions regarding credit union security, ranging from what threats face credit unions to what they should look for when hiring a CISO.

CSCU: What are the biggest threat types facing credit unions today?

Schaffer: With so many people accessing data from mobile devices, security needs to be carefully re-evaluated by entities in the financial services sector. The mobility of data requires a more cautious approach when determining if the right people have the right access to the right data at the right time. Mobility can mean access through untrusted networks or via devices that are easily lost or stolen. In the end, the benefits of mobility outweigh the risks. We just need to manage the risks in a way that allows us to get the most out of these new mobile capabilities.

CSCU: What are the different “attack vectors,” and how does security differ for each?

Schaffer: There is a wide range of attack vectors, including various confidentiality, integrity and availability attacks. Although there are differences between each of these, one common element of the most prevalent attacks today is that they rely on a company’s employees to be the weakest link in the security chain. Whether someone is clicking on hyperlinks or opening attachments, the majority of modern hacks start with an individual mistake. Credit union employees need to understand they are the first line of defense in identifying and preventing these attacks.

CSCU: What security infrastructure components should a credit union have in place to protect its members/partners?

Schaffer: This is highly dependent upon the particulars of an organization’s infrastructure. There is no magic combination of technologies that will guarantee a secure network. Indeed, a poorly managed network with the most up-to-date technologies can be less secure than a well-managed network with good basic security hygiene in place. Probably the most important security asset an organization can have today is an appropriately sized staff of capable security professionals, or access to those resources through a relationship with a third-party provider.

CSCU: What skills are needed for a CISO position (i.e., business acumen and technology knowledge)?

Schaffer: A background in business and technology is certainly important. However, in today’s environment, strong analytic skills are even more critical. Today’s CISOs need to anticipate how and where highly skilled cyber criminals are going to strike next, which is why people who excel at thinking outside the box are gravitating toward CISO positions. Good communication skills and the ability to translate between “security tech” and the C-Suite is also a huge advantage.

CSCU: What percentage of credit unions have a CISO?

Schaffer: How has that number changed in recent years? Without the benefit of a survey or actual statistics, what we see anecdotally at the moment is that the percentage is relatively low, at least with respect to smaller institutions. However, the CISO position is evolving and changing in a number of ways. CISOs are receiving more attention from the media and becoming more prominent in the boardroom. As data breaches and hacker attacks continue, I think we’ll see more credit unions relying on the expertise of a CISO.

CSCU: Are credit unions at risk if they don’t have a CISO?

Schaffer: Credit unions move money and transmit valuable data every day. It’s a CISO’s job to communicate the associated risks to the C-Suite and how those risks could impact the entire business. If no one on the executive management team has an enterprise view of cyber risk, you’re making your organization vulnerable. Whether it is a CISO, a Chief Risk Officer or some other C-Suite executive, someone at the most senior level of every financial services institution should have explicit ownership of information security risks.


Strategic Link is the NWCUA’s wholly-owned service corporation, providing the Association’s member credit unions with exclusive high-quality, competitively-priced products and discounted services. Questions? Contact Sales & Marketing Associate Craig Reed: 206.340.4789,

Posted in Around the NW, NCUA.