AUSTIN, Texas — Some have referred to 2014 as "The Year of the Breach," but we could be headed for "The Decade of the Breach" if all the stakeholders, including financial institutions and their regulators, don't speed up their efforts to head off mounting security threats.
That was the message at the 10th Annual Credit Union IT Security & Risk Management Summit, where one presenter criticized federal financial regulators for dragging their heels on updating guidance for credit unions and banks.
Calling the Obama Administration's launch of the National Cybersecurity Framework—a voluntary "how-to guide" on enhancing cybersecurity—a good step in the right direction, Tom Schauer, CEO of the Seattle-area-based TrustCC, criticized the Federal Financial Institutions Examination Council for its failure to update its guidance on information security. The fact that it was last updated in 2006 is "shameful," he said during his presentation titled "CyberSecurity Framework—Will the New Guidance Make the U.S. More Secure?"
As NCUA is a member of the FFIEC, it was no surprise that an NCUA representative at the conference was quick to respond. "There are a lot of unanswered questions, and I think that is why things are not coming out as fast as people want them to," said NCUA's delegate, Jerald Garner. "IT is there to protect information; otherwise there is no need for it."
Garner stressed the importance of credit unions preparing and testing incident response plans, and he echoed other experts on hand when he noted that it's a matter of when—not if—the next attack will happen.
"If the complexity of the attacks continues to advance, the board of directors at all financial institutions should have an information security expert or information technologist on their board," advised Garner.
Schauer agreed with Garner's latter statement, and despite imperfect federal regulations and constructs, he lauded the work of agencies like NCUA. He added that in his estimation examiners truly want to provide the best oversight and guidance, but are forced to deal with FFIEC guidelines that are out of date. Garner said the key word was "guidelines" and how they are interpreted.
"I'm not trying to blame anyone, maybe the FFIEC, but not the agencies [like NCUA] and I want to make that clear," said Schauer.
Even with NCUA oversight and guidance and proactive credit unions adopting the National Cybersecurity Framework, Schauer said that in certain respects the industry is deadlocked when it comes to cybersecurity.
"We could either move forward with the national cybersecurity framework as a means of defining our [industry] security program, but we run the risk that the FFIEC will come out with something [framework] that will make this effort, in part, wasteful. This is a problem we have—we're stuck."
And credit unions are hardly alone. Indeed, to date, most of the splashiest of breaches have occurred at retailers, not credit unions.
"It started with Target in 2013," said Scott Perry, IT security architect at Ent Federal Credit Union, during his presentation. "It was a tiny little snowball at the top of the mountain that began to roll down and just got bigger and bigger."
Perry explained that numerous other companies such as Kmart, AT&T, P.F. Chang's and Dairy Queen were among victims of cyber attacks last year. "The list kept growing and growing. It could not just be the year of the breach, but the start of the decade of the breach—we hope that isn't the case."
But the experts gathered at the CUISPA event agreed that in light of the recent Carbanak malware incident that stole upwards of $1 billion from banks worldwide, no organization is safe from attack.
Schauer noted that one of the biggest problems is that about the only thing that is predictable about these attacks is that there will be more of them.
"Some presenters have spoken as if data breach is inevitable, when only 3.6% of attacks [have been] directly targeted at banks and credit unions," said Schauer, whose firm specializes in IT security, IT compliance risks and IT technology, audits and security assessments. "Breaches come in a variety of different methods and there really is no way to predict where the breach will come from."
As a result, Schauer pointed to the importance of credit unions instituting an enhanced cybersecurity network as a way to brainstorm about how the credit union could be breached—a "the-best-offense-is-a-great-defense" approach to security. Encouraging C-level executives to either hire a cybersecurity consultant or build an internal fraud detection team is imperative, he said, along with adopting the National Cybersecurity Framework.
And while it's true that in the past banks and credit unions weren't the primary focus of data breach attacks, the landscape changed in February when the Moscow-based security firm, Kaspersky Labs, reported that an international hacking ring using Carbanak malware pilfered nearly $1 billion from more than 100 banks in 30 countries, including J.P. Morgan Chase.
"We are early in understanding what this [malware] did," said Schauer, who explained that the attack occurred over a two-year time period, with each bank being hit for nearly $10 million. "It took them two to four months per bank. Our [credit union] systems are similar." He added that in each instance it took 42 days before the attack was detected.