Keep Member Data Safe

Employee error often puts sensitive data at risk and into the wrong hands.

December 23, 2013

Splashy cybercrimes that feature devious hackers breaking through a giant bank’s firewalls generally make front page news.

But that’s far from the whole story about how consumers’ confidential data gets into the wrong hands. Research shows employee error puts sensitive data at risk far more often.

Verizon data security experts analyzed more than 47,000 data “security incidents” in 2012. In these incidents, the exposure of this sensitive data didn’t necessarily involve crime or result in monetary losses.

subscribefrontline“Error” ranks as the largest threat category, making up 48% of all incidents, according to Verizon’s 2013 Data Breach Investigations Report. Errors included lost devices, errantly addressed emails and faxes, and publishing mistakes.

Threats caused by malware and “misuse”—which covers employees’ violations of data-use policies—tied for second, at 20%.

All credit unions implement various network security measures to protect data against high-tech attacks. But employees also can protect members’ sensitive data with these four measures:

1. Double-check the destination of emails or fax numbers before hitting “send.” Anytime you’re corresponding with a member or third-party vendor that involves sensitive data, first check your credit union’s information security policies to determine if they permit transmitting members’ confidential data in
these ways. If so, best practices recommend you send only encrypted data.

2. Avoid saving data to movable memory devices—and keep your laptop secure if you take it off-site.

Laptops are a major target for thieves. Whenever possible, don’t take a laptop containing members’ confidential data out of the office. If you must, don’t leave the laptop in plain sight in your car, unattended in a coffee shop or library, or in other situations that invite theft.

Member data saved to thumb drives, CDs, or other portable media presents a huge risk. That’s why some credit unions lock down the USB ports and CD/DVD drives on their workstations.

If you have the ability to save member data to external memory devices, don’t lose track of them. Delete the data or destroy the disk as soon as you’ve transferred
the data to its destination.

3. Properly destroy data devices. Just as you’d shred paper documents containing members’ personal information, dispose of data storage devices such as old tape drives, disks, and computer hard drives by rendering them unreadable.

4. Beware of targeted phishing attacks. As a financial services employee, you’re at greater risk than the general public for phishing schemes.

One common phishing attack tricks you into opening an infected email attachment or clicking on a link to an infected website. This automatically installs malicious software (malware) on your work computer, possibly creating a back door into your credit union’s network.

Criminals search social networks such as LinkedIn to discover employers, job titles, and email addresses, and generally send phishing emails to a specific group of employees at a credit union—a tactic called “spear phishing.”

Be careful about any email that contains a link or file, even if the email appears to be from a professional organization or social network to which you belong. Your credit union might have an acceptable use policy prohibiting employees from using credit union-owned computers for personal purposes, including surfing the Internet and/or checking personal email.

These four measures cover only some of the employee-related data security exposures. Your security policies undoubtedly cover current scenarios. Your best protection is understanding your policies, being aware of how you interact with members’ data, and guarding against errors and targeted scams.

JAY ISAACSON is credit union protection product management director for CUNA Mutual Group.

This article first appeared in Credit Union Front Line Newsletter, the monthly sales and service newsletter for branch staff and their managers.