3 minutes
People pose the biggest issue, but technology counts, too.
This is bonus coverage from, “Are We Safe Yet?” in the October 2015 issue of Credit Union Management magazine.
Keeping pace with network security is aiming at a moving target, suggests Jim Benlein, CISA, CISM, CRISC, of KGS Consulting, LLC. The hardware, software, and monitoring processes many credit unions have in place to protect their systems have become more sophisticated—but so have the threats to those systems.
“Probably the biggest security issue credit unions face today is with people, not with technology,” Benlein says. He cites high-profile breaches grabbing headlines in recent months, including hacks of the U.S. Office of Personnel Management and Milan-based Hacking Team databases.
“When they dig down into how the bad guys got access to those systems, the likely culprit was users not using a strong password or opening a link in a phishing email,” he notes. “There are a lot of technology solutions at work to help credit unions secure their networks, but if employees inadvertently open an email with malware attached to it or go to a site and enter something they shouldn’t, that’s a difficult risk for companies to get a handle on.”
Thus, education for employees and members on their roles in heading off security breaches and protecting sensitive data remain an essential component of fraud prevention. In many cases, members may be the first to spot signs of a breach, when they see and report unauthorized transactions in their account records, Benlein says.
If a member notices a string of odd charges on his or her credit card, informing the credit union immediately helps both the member and the financial institution, he adds. “Credit unions can investigate immediately to determine, ‘Is this something involving just this member’s account, or is it a sign of a bigger issue?’”
“See something, say something” is a tagline developed as part of a Homeland Security campaign to remind Americans about how they can help keep their country safe, but Benlein suggests this motto is appropriate for credit union members and staff as well. The continual threat of new malware and other tools to infiltrate financial systems leaves credit unions playing catch-up with the bad guys. Employee and member education, training, and awareness are crucial factors in prevention and early detection of network breaches.
A secondary risk to network security is ever-expanding access to data systems with the introduction of mobile services, which underscores the need for vigilance in managing vendor relationships and in identifying and responding to additional security challenges new channels may present.
“When you start up a new service, take a ‘fresh eyes’ approach to it,” Benlein advises. “How is this different from what we’re doing now? How is it the same? In many cases, you can leverage the security measures you already have in place to cover this new service, but there may be a need for additional security controls and modifications.”
On the horizon for network security, vendors and consultants will continue to develop new products for securing data, analyzing network traffic, and enhancing intrusion detection across all channels.
“The important thing for credit unions is not to look at one technology product as being a silver bullet to secure their networks,” he says. “Take a holistic approach and understand network security isn’t simply about technology, hardware, and software. It’s also about the people managing those items. Do they have good security awareness, education, and training? Do they understand what they need to be doing to ensure the security of their credit union’s systems? This is an ongoing challenge. Credit unions can never say, ‘We’re done.’”
Karen Bankston is a long-time contributor to Credit Union Management and writes about credit unions, membership growth, marketing, operations and technology. She is the proprietor of Precision Prose, Middleton, Wis.
