Between the Sony and Target breaches and NCUA losing member data on thumb drive during a routine audit, security protocols should be top of mind for all C-level credit union executives.
"With so much of online banking, mobile banking and core systems being outsourced, we are seeing an increase in all financial institutions looking at their third-party vendor management programs and making sure they are strong in areas of security, data and incident management," said Cornerstone Advisors Senior Director Jim Trautwein.
Ensuring member data is secure across all platforms is a continual challenge, explained Washington State Employees Credit Union (WSECU) Vice President of IT Infrastructure and Operations David Luchtel.
"Phishing and social engineering of our members and staff is the biggest concern," Luchtel said. "The activity level continues to increase, and the customization of the attacks to our brand is getting very sophisticated. The concern is if the attackers compromise an employee's or member's credentials, it subverts many of our controls."
Dave Wordhouse, VP-network technologies at CU Answers Network Services, said CU approaches to cybersecurity can be akin to Chicken Little — the sky is always falling.
"It's much like any other business problem solved in traditional ways: do the research, develop the plan, execute the plan, measure the results and adjust as necessary," said Wordhouse. "Rinse and repeat."
From a cybersecurity perspective, Wordhouse explained that this approach includes conducting an IS&T risk assessment; developing a comprehensive information security program that applies compensating controls for the risks outlined in that assessment; implementing the controls; using third-party validation to measure the success of the controls; and adjusting the controls as necessary based on performance.
"Smaller institutions may actually have it easier than larger ones simply because there is less complexity in their systems," he said. "They can do things like strip out email attachments at the firewall or greatly restrict remote access that larger shops might not be able or willing to do."
Wordhouse added that hosting data processing in-house is a risk, due to internet-facing services. The more risky it is, the more expensive it becomes to safeguard the asset. "Shifting that expense to a trusted third party is a valid strategy."
The Top 3
There are always new viruses and malware that CU executives have to contend with, and 2015 and beyond will be no different. In fact, as time moves forward, hackers are becoming more sophisticated.
"Leading threats are the hackers that will start to go down the food chain to smaller organizations that have less sophisticated security countermeasures and policies," said Trautwein. "In some cases a credit union account can be more easily compromised than an account at a major bank."
Wordhouse offered his top three security threats for 2015:
First is malware, he said, which will continue to be a major problem as millions of new variants are being released into the "wild" every month. For credit unions, the most dangerous are Trojans that exfiltrate sensitive data and ransomware variants that encrypt critical data.
"Anti-virus vendors are already having trouble keeping malware definitions up-to-date and will continue to fall farther behind in 2015," said Wordhouse. "Credit unions can respond by layering pattern-based anti-virus solutions with behavioral-based ones; restricting elevated user permissions; implementing data leakage prevention systems; whitelisting applications and improving employee security training."
Inadequate Security Training is No. 2.
Wordhouse said security officers without formalized security training are ill-equipped to implement and maintain suitable security programs. As a result, he recommends that CU executives ensure that frequent education and training is provided.
"Credit unions that use an annual or even quarterly staff security briefing processes will find their programs inadequate," said Wordhouse. "Programs need to be timely, relevant, regularly executed and entertaining to be successful. Managers should be on the lookout for careless or disgruntled employees."
The third major threat of 2015 is inadequate patch management programs.
"Credit union patch management procedures will have to respond with an accelerated process that ensures threats are properly assessed and updates applied in a timely fashion," said Wordhouse. "This will require improved technology inventories and patching procedures for not just third-party applications but underlying technologies normally hidden under the covers of video surveillance systems, ATMs, cash handlers, time card management systems, and the like."
When it was reported late last year that the NCUA had lost member data after a routine audit at Palm Springs Federal Credit Union, alarm bells sounded throughout the industry. The data, which was housed on a thumb drive, went missing.
While NCUA Board Chairman Debbie Matz said the agency took full responsibility for the breach, she relayed in a released statement that the NCUA was considering a motion to require credit unions to encrypt consumer data before it's shared with industry examiners.
"That's barking up the wrong tree. Instead, the NCUA should implement new internal controls, such as encryption, to safeguard member data," said Wordhouse. "Credit unions should understand if and how data provided to examiners would leave their premises and what steps the examiner will take to safeguard it."
Luchtel agrees. "From my perspective encrypting data in transit in any form (file transfer or via physical media) is an industry best practice everyone should be following. This would have mitigated the issue of the lost thumb drive. We do this at WSECU."
When it comes to encryption regulation, the National Association of Federal Credit Unions has taken a stand in light of recent retail breaches.
"Ultimately, legislation may be necessary, but to be truly effective any control, such as encryption, needs to be implemented across the board from point of sale origin all the way through settlement and storage," said Wordhouse. "Encrypting data at the credit union would not have prevented either the Home Depot or Target breaches."
Trautwein said credit union executives should visit or revisit the Federal Financial Institutions Examination Council (FFIEC) website on cybersecurity (www.ffiec.gov/cybersecurity.htm), a central repository for current and future FFIEC-related materials.
And whereas security-related topics might once have been an annual focus at board meetings, in today's environment the conversation should be happening more frequently.
"The FFIEC wants security discussed [at board meetings] as much as the financial health of the financial institution," said Trautwein. "We know some organizations that have security topics on the agenda at every executive meeting. This is to ensure there is an ongoing awareness and that when a threat does come up or a new virus is announced, management is reasonably aware of it."
Putting Members First
Over the last few years, Luchtel said, WSECU has increased its number of third-party SaaS-based solutions. As a result, he noted that the CU has had to rely more on good vendor management practices to ensure its vendor partners are using the appropriate security controls and have certification that those controls are effectively implemented.
"We take a risk-based approach based on the value of the data and the risks to the data. Based on these factors we apply what we view are the appropriate controls to secure the data," said Luchtel. "Our member data is our most valuable asset, and we focus on how best to secure it through a variety of controls."