Asked by a newspaper reporter in the 1930s why he robbed banks, Willie Sutton Jr. responded: “Because that’s where the money is.” Decades later, many still subscribe to “Sutton’s Law,” even if the tools of their trade have changed from low-tech to high-tech.
Credit unions, facing a multitude of security threats across the entire technological spectrum, have much more at stake than money. The integrity of members’ personal information and credit unions’ reputation as trusted financial partners are also on the line.
This has been the year of the data breach. High-profile incidents at Target, Michaels, and Home Depot, among others, affected millions of consumers and serve as stark reminders of the damage high-tech criminals can inflict.
“Nearly every company is vulnerable,” Dave DeWalt, CEO of cybersecurity company FireEye, told CBS’s “60 Minutes” recently. Cybercriminals breach 97% of all companies, he says: “This isn’t a lack of effort; most of the large companies are growing their security [budgets]. Breaches are inevitable.”
Low-tech criminals haven’t gone away either. This creates daunting challenges for credit unions. But there are many effective strategies to safeguard your credit union’s assets from criminals who try to enter through your front door or firewall.
Malicious software—or “malware”—is one of the most dangerous and pervasive high-tech threats your credit union faces. Malware can penetrate your network and lurk unnoticed for months while it steals your data and compromises your entire system.
These intrusions give hackers a wealth of information about your system and its vulnerabilities, paving the way for future attacks.
Hackers continue to generate new and more ingenious ways to bypass credit union security systems. Attacks that penetrate firewalls and reach internal systems can come from portable media devices, spam email, employees’ personal electronic devices, and even phishing scams.
Jim Finney, senior director of information security and governance at $6.8 billion asset First Tech Federal Credit Union in Beaverton, Ore., says it’s crucial to know what activity occurs in your core processing systems so you can identify deviations from the norm.
“The speed of the threats is just too crazy today,” says Finney, a 25-year veteran of information technology (IT), business continuity, and security. “You have to build the architecture that protects your core and have alerts or triggers in place to notify you of unknown or anomalous types of activities. You have to know your traffic.”
Response time can be crucial to limiting a breach’s impact. On average, breaches aren’t discovered for 229 days, according to DeWalt—ample time to steal data.
“They’re going to get in. But don’t let them access the information that’s really important. Don’t let them get back out with that information,” DeWalt says. “Detect it sooner. Respond sooner. And ultimately that exposure is very small.”
NEXT: Risks specific to your CU