LAS VEGAS (12/9/15)--Hackers that steal personally identifiable information (PII) and personal financial information (PFI) aren’t after the data--they are after the money that comes from selling the data, according to a Tuesday breakout session at the CUNA Supervisory Committee and Internal Audit Conference in Las Vegas.
Randy Romes of CliftonLarsonAllen presented “Data Breaches and Cybersecurity Incident Response--Are You Prepared?” The session included current cybersecurity trends, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) and case studies of what went wrong.
Romes said credit unions and their members are being affected most by:
Prior to the 2013 Target data breach that compromised 40 million credit and debit cards and the 70 million PII records, such data could be sold for as much as $200 per record. Because of the number and expanse of the data breaches, prices are now hovering between $2 and $10 per record, he said.
The overarching message of all the cybersecurity and information security sessions at the capacity conference is that the human element is the weakest link in information technology.
A breach can often be initiated through weak administrative credentials. Weak passwords open the door for the initial intrusion into a system, after which hackers start taking control of the information and of the security controls themselves.
Romes said an information security strategy should have:
Dual controls are particularly important to protect against corporate-account takeovers (CATO), Romes said. “In every instance that a CATO occurred, the organization did not have appropriate dual controls.” Those who could populate information could also authorize activities, and that should never be the case, Romes warned. Those who can authorize should not be able to populate information, and vice versa. However, he said managers can expect some pushback from staff who consider that such controls add time and complexity.
“You need to figure out a way to require or incentivize appropriate dual controls,” Romes said.
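The dual-control rule described above, as an added illustration that is not from the session or from CliftonLarsonAllen: a constructed role table and a small transfer-approval workflow in which the user who enters (populates) a transfer can never be the one who authorizes it, and an audit helper that flags accounts holding both roles. User names, roles and amounts are invented for the example.

```python
"""Dual-control (separation of duties) check for releasing a funds transfer.

Constructed example: users, roles and amounts are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed role table. "enter" = may populate a transfer,
# "authorize" = may approve one. Carol holds both, which is the
# configuration the talk warns against.
ROLES = {
    "alice": {"enter"},
    "bob": {"authorize"},
    "carol": {"enter", "authorize"},
}


class DualControlViolation(Exception):
    """Raised when a single user would both enter and authorize a transfer."""


@dataclass
class Transfer:
    amount: float
    entered_by: str
    approvals: list = field(default_factory=list)


def enter_transfer(user: str, amount: float) -> Transfer:
    """Populate a new transfer; only users with the 'enter' role may do so."""
    if "enter" not in ROLES.get(user, set()):
        raise DualControlViolation(f"{user} is not permitted to enter transfers")
    return Transfer(amount=amount, entered_by=user)


def authorize_transfer(transfer: Transfer, user: str) -> Transfer:
    """Approve a transfer; the approver must hold 'authorize' and must not be the enterer.

    The second check is what makes this dual control: even a user who holds both
    roles (carol) cannot approve a transfer she populated herself.
    """
    if "authorize" not in ROLES.get(user, set()):
        raise DualControlViolation(f"{user} is not permitted to authorize transfers")
    if user == transfer.entered_by:
        raise DualControlViolation("the entering user may not authorize the same transfer")
    transfer.approvals.append(user)
    return transfer


def is_released(transfer: Transfer) -> bool:
    """A transfer is releasable only with an approval from someone other than the enterer."""
    return any(a != transfer.entered_by for a in transfer.approvals)


def audit_roles(roles: dict) -> list:
    """Return users who can both enter and authorize: candidates for role review."""
    return sorted(u for u, r in roles.items() if {"enter", "authorize"} <= r)
```

The role audit is the cheap check a supervisory committee can ask for: any user it returns has a single point of control that a compromised set of credentials could exploit end to end.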
Romes also reiterated a point made earlier during the conference: The FFIEC Cybersecurity Assessment Tool is important to a supervisory committee because the committee has oversight on the risk assessment process, and documentation and validation of the controls for risks.