Global Credit Union: Fighting Cyberthreats in the Age of AI

Dana Gonderzik has spent nearly 13 years at Global Credit Union (GCU), watching the financial services sector transform from traditional brick-and-mortar banking to a digitally-driven industry. As Director, Information Security, she has witnessed first-hand how technology has reshaped both the opportunities and threats facing credit unions today.

Her journey into cybersecurity was unexpected. Originally training to become a registered nurse, a back injury during her first year of college forced Dana to reconsider her career path. She took a position at a computer company handling phone support and discovered a passion for technology that would go on to define her professional life.

“I really enjoyed the learning and the growth in the industry and within computers,” she recalls. “It was the turning point of my career.”

Today, she leads a distributed security team spanning Alaska, Arizona and remote workers across the US. The institution serves nearly 800,000 members worldwide, with locations in five states and three sites in Italy, living up to its global name. Her role encompasses everything from vulnerability management to risk assessment, governance, policy development, threat hunting and security management.

Since Dana joined in 2013, Global Credit Union has continued to grow and evolve. Its Alaskan roots date back to 1948, and its presence has expanded into four other states, with recent entries into Idaho and Italy.  During her tenure, both the company and Dana’s security team have doubled in size.

As a member-owned financial cooperative, GCU provides full-service financial solutions including checking and savings accounts, loans, insurance partnerships and investment services. What sets it apart from its competitors is its 24/7 member service centre, one of the largest among credit unions, which ensures that members can always reach a real person when needed.

“I really like the focus of the credit union being members first, and we're here for the people,” Dana explains. “I still have the desire to give back to people, my role lets me do that by helping ensure our members  are financially safe and ready for their next adventure.”

How security architecture is evolving

The shift from traditional data centres to cloud-based infrastructure has fundamentally changed how Global Credit Union approaches cybersecurity. Dana describes this transition as moving from perimeter-based security to a layered, risk-based approach that provides multiple levels of protection.

“By implementing multiple layers, we create multiple levels of protection. We've invested in maturity across those layers to ensure we're protected in different ways,” she says.

The institution has embraced zero-trust principles, protecting higher-risk assets more stringently than internet-facing systems that don't contain critical data. Identity has become the foundation of this strategy, with an emphasis placed on knowing members and employees alike.

The threats facing financial institutions today are sophisticated and constantly evolving. Account takeovers represent a major concern, alongside traditional hacking attempts and identity fraud. To combat these things, Global Credit Union employs a large fraud team in addition to the Information Security team that monitors member behaviour patterns to identify unusual activity and prevent unauthorised transactions.

Phishing remains a persistent threat, with attackers creating fake websites designed to trick members into entering their credentials. The security team proactively monitors for these sites, aiming to eliminate threats before members encounter them.

“We're continuously watching the network for phishing attempts, fake websites being put up, which are trying to lure our members into entering data,” Dana explains. “This reduces risk, and the fraud team doesn't have to even deal with the problem, because we're going to take care of it before it happens.”

This proactive stance extends to internal security awareness. The institution requires regular training and testing for all staff, and sends regular phishing simulation campaigns to employees, testing their ability to recognise threats. For front-line staff like tellers who work face-to-face with members, Global Credit Union limits external email access entirely, reducing the attack surface.

The double-edged sword of AI

AI represents both a powerful tool and a significant threat in the cybersecurity landscape. The technology that helps financial institutions detect fraud and analyse behaviour patterns is equally available to the bad actors seeking to exploit vulnerabilities.

“Everything you’d expect us to use to protect you, adversaries use against us,” Dana says. “You need to be ready to think like them if you’re going to stop them. That is why my team continuously pursues advanced education and certifications, so we can think like attackers and stay ahead of them.”  

Deepfake technology also particularly concerns security professionals. AI-generated voices can quite convincingly impersonate executives or members, potentially authorising fraudulent transactions worth millions. In response, Global Credit Union is developing capabilities to recognise deepfakes and verify identities through multiple channels.

The institution takes member feedback seriously when implementing security measures. When Global Credit Union introduced multi-factor authentication (MFA), some members found the additional verification steps challenging. The security team responded by tuning the rules to balance security requirements with user experience.

“We put in MFA, and people were like: ‘whoa, that's challenging a little more than we want,’” Dana recalls. “We modified and tuned rules to make sure that it was a balance for security as well as business and member focus.”

The institution now offers multiple MFA options, including SMS codes and authentication apps, giving members a choice in how they secure their accounts.

The regulator landscape

In the US, financial institutions operate within a complex regulatory environment overseen by bodies like the National Credit Union Administration (NCUA). Global Credit Union invests in additional compliance checks to ensure it meets all requirements, conducting monthly reviews of its cybersecurity insurance and regulatory alignment.

Many regulations reference frameworks like the Federal Financial Institutions Examination Council (FFIEC) guidelines or the National Institute of Standards and Technology (NIST) standards. However, Dana notes that regulations often lag behind technological advancements, particularly in areas such as AI.

“Regulations don't change as fast as they should,” she says. “Think about all the AI technologies that have come out recently. There's really no governance yet.”

This gap requires financial institutions to anticipate regulatory changes rather than simply react to them. Global Credit Union monitors proposed state and federal privacy and security regulations, particularly watching states like California that typically adopt stricter requirements before other jurisdictions.

GCU learned from the European Union's General Data Protection Regulation (GDPR), which caught many organisations unprepared. By watching regulatory trends globally, even outside their direct operating footprint, at the time of release, Global Credit Union can prepare for changes before they become mandatory.

“You can read the writing on the wall and be ready and prepared versus being reactive,” she says.

Building a security-aware culture

Technology alone cannot protect an organisation from cyber threats. Human behaviour remains the weakest link in many security breaches, making security awareness training essential. Dana recognises that security expertise shouldn't be expected from every employee, but everyone shares responsibility for protecting the organisation and its members.

“Security is everybody's responsibility, but we need to make sure we are  teaching them, showing them, guiding them in ways that can help themselves and our members,” she explains.

To help raise awareness about cyberthreats, Global Credit Union creates short online training videos, typically lasting five to ten minutes, making security education accessible and digestible for everyday people. During Cybersecurity Awareness Month, the firm produced TikTok-style videos offering quick security tips for members, content that simultaneously educates employees.

Dana believes that the key to effective security training is demonstrating the personal benefits of caution. When employees understand how security measures protect them personally, not just the institution, they become more engaged and compliant.

Clear policy writing supports this educational approach. Rather than drowning employees in technical jargon, Global Credit Union strives to make security policies understandable and actionable.

The distributed nature of Dana’s team requires strong communication and collaboration. She takes pride in building a team culture that has shifted from a restrictive “no” mindset to a business-focused “yes, and here's how to do it securely” approach.

Global Credit Union’s relationship with Palo Alto

GCU relies on strategic technology partnerships to maintain its security posture. Palo Alto Networks, a cybersecurity company that provides network security, cloud security, and endpoint protection solutions, has served as a key partner for several years, initially providing firewall protection but expanding significantly as both organisations have grown.

“Palo Alto is always looking at how it can become a better partner and what they can offer people,” Dana explains. “Their products integrate well when you use them both on your perimeter and as your endpoint.”

The credit union recently expanded its Palo Alto implementation to include security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools. These systems help the security team manage incidents more efficiently and automate responses to common threats.

Palo Alto's Unit 42 service provides 24/7 monitoring, giving Dana and her team some relief from constant vigilance. The company's Wildfire, a threat intelligence product, analyses suspicious files in Global Credit Union's environment, identifying and neutralising potential threats before they can cause damage.

The institution also has a multifactor authentication partner to provide identity and access management services, for its multi-factor authentication implementation. These partnerships reflect Dana’s belief that togetherness provides the best form of defence. 

“If you operate in isolation, you're going to be at risk,” she says.

Data security and AI readiness

As Global Credit Union prepares for increased AI adoption, data security has become a critical focus. The effectiveness of AI systems depends entirely on the quality and security of the data they process. Poor data hygiene leads to inaccurate AI outputs or potentially exposes sensitive information to unauthorised parties.

“Your data and your identity is going to be your foundation,” Dana explains. “If you don't have your data clean, you're going to get answers that could conflict from reality or provide somebody information they should have never had.”

The institution is undertaking a major data security posture management initiative over the coming year. This involves classifying data according to sensitivity, understanding where it resides, identifying redundant copies, and ensuring appropriate access controls.

The credit union plans to focus heavily on identity security over the next 12 to 18 months, encompassing both member and employee identities. Threat detection and response capabilities will also receive significant attention, with goals to reduce mean time to detect and mean time to remediate security incidents.

Digital transformation and member experience

Beyond security considerations, Global Credit Union continues evolving its digital services to meet changing member expectations. The institution has redesigned its mobile application, maintaining the legacy version for members who prefer it while launching a modernised alternative with cutting-edge features.

Lending workflows are being streamlined to provide faster service for members seeking home or vehicle loans. These improvements leverage automation and digital processes without sacrificing the personal touch that distinguishes credit unions from traditional banks.

The member service centre exemplifies this balance between automation and human interaction. Members can choose to navigate automated systems for quick answers or speak directly with a person at any time.

Their fraud detection system operates continuously, monitoring transactions for suspicious activity. When Dana’s own son experienced a potentially fraudulent transaction at 2:30 in the morning, he received an immediate text message asking for verification. When he replied negatively, his phone rang instantly with a fraud team member ready to help.

Looking forward, Dana sees the threat landscape continuing to evolve in parallel with defensive technologies. Post-quantum computing represents another emerging challenge, and forward-thinking institutions like Global Credit Union are already preparing.

Despite these challenges, she remains optimistic about the industry's ability to protect members. The credit union's commitment to member-first service drives every security decision.

“We are continuing to become more proactive, more integrated into the business and into the members' lives, and more aligned with the digital experiences people are requesting,” Dana says. “We want to be in the background and just make their life and their financial services wonderful.”