Shame can take many forms. There’s fat-shaming, single-shaming, and the shaming of those who choose to be a little more promiscuous than us. We shame men for not being “manly enough” and women for deciding not to have children or for deciding to be stay-at-home moms. People who are “too shy”, who have certain physical or mental health problems, or who are considered “lower class” or “wealthy snobs” can also be victims of shame – whether on social media, in a conversation or through stories told in the media and popular culture.
People who shame others do little more than hurt their victims and create new divisions in our society. And I’d like to add another type of shaming to the list – which could be potentially dangerous for credit unions – the shaming of victims of cyberattacks.
While conducting interviews for this month’s Focus Report feature on ransomware and cybersecurity, one of my sources, Jack Henry & Associates Financial Crimes Managing Director Allen Eaves, shared an anecdote about an Indianapolis-based financial institution’s experience with ransomware. He said the financial institution traced the attack to a specific host machine on its network and approached the employee, a cashier, who uses that machine. It turned out that this person was actually working one day when a scary banner appeared on her screen stating that she had to hand over the equivalent of around $200 or lose access to computer data.
Because she was afraid of what might happen to her at work if she reported the incident, and perhaps feared she had made a mistake that led to her machine being targeted, she paid the ransom out of her own pocket, regained access to her files and went back to work without saying a word. Meanwhile, the bad actor had begun to make his way through other parts of the institution’s network.
If the leaders of this organization had trained their employees to report suspicious cyber activity and assured them that they would not be punished for it, this person might have reacted differently, which would have led to a better outcome for the organization in its attempt to thwart the attack.
Eaves said it’s important to have technical cyber protections in place, but what’s also important is “the culture of not just teaching employees who use your systems what to do and what not to do, but not to have an attitude of shame”. He noted that some organizations incentivize employees to report phishing emails and other suspicious cyber activity by rewarding them with gift cards and other perks.
He also pointed out that the shaming of victims of cyberattacks can extend beyond the shaming of individuals in an organization to the organization as a whole – and this can have major negative implications for a credit union. In this case, instead of an individual employee being humiliated by their colleagues for their potential role in a cyberattack, a credit union is humiliated by its members and the public for being a victim.
Think about this: when people hear the news that an armed robber walked into a branch of a credit union and demanded money and even threatened the lives of the employees and members there, how does this generally affect their perception of the credit union? Aside from the natural instinct to want to stay away from that particular branch until the dust settles, they will see the credit union as a real victim. “Oh my God, I can’t believe this happened to those poor people,” they’ll think.
But what if the credit union is the victim of a major cyberattack? Some common audience reactions might include, “How did they let this happen?” “Their systems can’t be too secure” and even “I wouldn’t trust them with my money”.
“In a physical sense, the nature of people is to have more compassion towards the organization that gets victimized there, when someone comes in with a gun, but that compassion often doesn’t translate into cyber-world,” Eaves said.
And if that lack of compassion leads to mistrust, the victimized credit union could suffer a debilitating loss of business – something you wouldn’t expect after a physical attack.
There is clearly a disconnect between what actually happens when an organization falls victim to a cyberattack and what the public thinks is happening. But why? And what can we do about it?
A lack of knowledge about cyberwarfare certainly plays a role, and to be fair, people have been robbing banks in America since the early 1800s, whereas cyberattacks are a fairly new concept. They’re complex and invisible, and people may not understand that they’re being carried out by highly skilled, sometimes state-sponsored groups that are getting smarter and more sophisticated – not some kid in a hoodie in their parents’ basement. This is where credit union marketing and communications professionals can step in to deliver messaging that educates the public, not only to protect the organization’s reputation after an attack, but to help people understand that even credit unions with the best cybersecurity safeguards in place can have their systems breached.
Within credit unions, we need to develop cultures where employees aren’t afraid to be fully transparent about suspicious activity they encounter online. Like the best whistleblower programs that assure employees that they will not be retaliated against for reporting suspected fraud or internal harassment, even if they feel threatened by the perpetrator, employees should feel comfortable reporting a cyber incident and not have to worry about being treated as a suspect. Cybersecurity education and incentives are a good start to addressing this issue, but it will take time to see real attitude change.
If we can create an industry-wide culture of openness and transparency around cyberattacks – not just within individual credit unions, but among credit unions, CUSOs, third-party vendors and other groups that make up the movement – valuable information can be shared faster, helping victims intercept attacks before they escalate and helping others know what to look for in their efforts to prevent attacks. With the landscape of cyberattacks becoming scarier by the day, and so much at stake for credit unions and their members, we need to do better.
Natasha Chilingerian, Editor-in-Chief