MADISON, Wis. (12/26/13)--Splashy cybercrimes that feature devious hackers breaking through a giant bank's firewalls generally make front-page news. But that's far from the whole story about how consumers' confidential data gets into the wrong hands.
Research shows employee error puts sensitive data at risk far more often, Jay Isaacson, CUNA Mutual Group's credit union protection product management director, told the Credit Union National Association for the December issue of the Credit Union Front Line Newsletter.
The article was written well before Target announced last week that 40 million debit and credit card accounts were compromised in a breach. (See News Now story, "Breach Aftermath: CUs Rally to Help Members.")
Verizon data security experts analyzed more than 47,000 data "security incidents" in 2012. In these incidents, the exposure of sensitive data didn't necessarily involve crime or result in monetary losses, but it revealed gaps and oversights that could be exploited.
"Error" ranks as the largest threat category, making up 48% of all incidents, according to Verizon's 2013 Data Breach Investigations Report. Errors included lost devices, errantly addressed emails and faxes, and publishing mistakes.
Threats caused by malware and "misuse"--which covers employees' violations of data-use policies--tied for second, at 20%.
All credit unions implement various network security measures to protect data against high-tech attacks. But, according to Isaacson, employees also can protect members' sensitive data with these measures:
Member data saved to thumb drives, CDs or other portable media present a huge risk. That's why some credit unions lock down the USB ports and CD/DVD drives on their workstations.
Don't lose track of member data saved to external memory devices. Delete the data or destroy the disk as soon as the data are transferred.
Criminals search social networks such as LinkedIn to discover employers, job titles, and e-mail addresses, and generally send phishing e-mails to a specific group of employees at a credit union--a tactic called "spear phishing."
Be careful about any e-mail that contains a link or file, even if it appears to be from a professional organization or social network. The credit union might have an acceptable use policy prohibiting employees from using credit union-owned computers for personal purposes, including surfing the Internet and/or checking personal e-mail.