CUs Must Train Employees Most Likely To Be Targeted By Scammers

The financial services industry has surpassed the healthcare industry as the top victim of data breaches, according to the Ponemon Institute's 2013 Live Threat Intelligence Impact Report. The report also shows that it's certainly not just banking giants propelling our industry to this dubious honor: 50% of the companies victimized have 1,000 or fewer employees.

Other research reinforces the unfortunate reality that credit unions aren't too small to be targeted by thieves. In its 2012/13 Annual Global Fraud Survey report, Kroll's Advisory Services warns that "The size of the company doesn't seem to matter anymore" when it comes to data breach crimes. Small and mid-size organizations may be getting targeted more frequently because their network security isn't improving as fast as that of larger organizations, the report says.

So credit unions appear to be caught in a difficult spot-not too small to be attacked, but not big enough to commit the massive resources that large companies devote to battling cyber crime.

However, your credit union can fight back effectively. And one of your best tools is educating employees about handling sensitive data.

Cyber Thieves Aren't the Only Risk

Cyber thieves aren't the only people who can create a data breach. Your employees can do it, too. Here are two examples from 2013:

* An East Coast credit union employee posted debit card data on a non-secure file transfer protocol site, making the information available to search engines. The data included names, addresses, birthdates, card expiration dates, plus checking and savings account numbers.

* A Midwest credit union inadvertently made a file containing some members' financial information accessible through its website. The file contained names, addresses, Social Security numbers, account numbers, and passwords.

Data can also be compromised when employees have their computers stolen, or save data to a thumb drive or other removable storage device that is stolen or lost.

The point is, data vulnerabilities are not simply a matter of network security-employee training also helps protect your members from having their key financial information fall into the wrong hands. Here are four key training areas for credit union employees:

1. General data security awareness

In Verizon's "2013 Data Breach Investigations Report," the researchers analyzed a broad category of data "security incidents," reported by companies across the globe, in which sensitive data was exposed. Although not all of these incidents involved criminal activity or caused losses, customers' private financial data was put at risk. Of more than 47,000 security incidents reported, by far the largest category of threats was "error," at 48%. Errors included lost devices, mis-delivered e-mails and faxes, publishing mistakes, etc. Tied for second, at 20%, were threats caused by malware and "misuse" (such as data-use policy violations).

Employees who e-mail, fax, or otherwise disseminate sensitive data must double-check the destination before hitting "send" or otherwise transmitting the data.

2. Use of removable memory devices

Member data put on thumb drives, CDs, or any other portable media is a huge risk. Consider locking the USB ports and CD/DVD drives on employee workstation computers. If that isn't possible-or if your employees use laptops or tablets that have member data on their hard drives-make sure employees understand the risks of removing any data from the premises.

3. Data disposal

Just as employees should dispose of documents that contain members' personal information by shredding the documents, disposing of data storage devices must be done safely. Old tape drives, disks, laptops, etc., must be rendered unreadable.

4. Exposure to phishing attacks

Financial services employees are at greater risk than the general public for phishing schemes. Criminals can easily search social networks such as LinkedIn to discover someone's employer, job title, and e-mail address. By creating a targeted list-a tactic called "spear phishing"-of financial institution employees, scammers seek to implant malware on employees' work computer and gain access to the institution's network.

Employees need to be careful about any e-mail that contains a link or file, even if the e-mail appears to be from a professional organization or social network to which the employee belongs.

Assess and Manage Data Breach Risks

The first step in improving data security is learning about your credit union's current risk exposures. You need an expert analysis of your network security measures, internal controls, and employee awareness of proper data security practices.

How long has it been since your credit union had an expert analysis of your firewalls, antivirus and intrusion detection systems, encryption methods, anti-spam protection, and operating patches? Do you regularly conduct penetration testing to gauge your network's vulnerability?

You should also regularly review your insurance protections and consider whether cyber liability coverage should be added to further protect your credit union from data security risks. If you don't have a policy specifically devoted to cyber liability losses, your Bond and other policies may leave you more exposed than you think in the event of a data breach.

Cyber crime insurance policies can protect against losses from security breach liability, programming errors and omissions liability, public relations expenses, and a variety of other expenses a credit union may incur following a security breach.

Cyber criminals continually find new vulnerabilities. And although credit unions may not have the resources to block every attack, a combination of sound technology, education, and risk management is a good starting point in protecting members' sensitive financial data.

Jay Isaacson is director, Credit Union Protection Product Management, for CUNA Mutual Group. Contact him at 800-356-2644, ext. 6657829, or at jay.isaacson@cunamutual.com.