ARLINGTON, Va. (11/14/14)--Cyberattacks are fast taking "center stage" when it comes to data breaches, according to an information security expert. Speaking at the National Association for State Credit Union Supervisors and Credit Union National Association Credit Union Cybersecurity Symposium, security professional Ian Harper shared some of the latest information on breaches.
Harper previously served as chief information officer for Pentagon FCU, Alexandria, Va., with $17.5 billion in assets, which had a data breach in 2011 as a result of a hacked laptop.
According to a PriceWaterhouseCoopers survey on information security, the average number of security incidents has increased since 2011, as has the share of organizations that answered that they did not know whether they had been breached.
Photo caption: Ian Harper, a former credit union chief information officer, discusses how to prevent and deal with data breaches at the CUNA/NASCUS Credit Union Cybersecurity Symposium Thursday. (CUNA Photo)
In 2011, there were 2,562 breaches, with 9% of respondents unsure if they had been breached. In 2012, those numbers rose to 2,989 and 14%, and last year the numbers were 3,741 and 18%.
"Right now as it stands, not only are the incidents increasing, but we're not keeping pace when it comes to knowing whether we're at risk," he said. "Part of that has to do with cybersecurity moving at such a pace that the attacks are very different than they were a year ago, five years ago, 10 years ago. The focus and the actors are very different as well."
This can have consequences for financial institutions not faced by retailers or other organizations.
"Members are more finicky when it comes to their financial services. They might shop at Target again, but they might think twice before using the same financial institution," Harper said.
Simply knowing whether a data breach has occurred is a major factor in determining the losses a financial institution might incur, Harper said.
In the Target breach, for example, stolen credit card information was being sold at $120 per card in mid-December, before many people were aware a breach had happened. By mid-February, information was being sold at between $8 and $28 a card, with approximately 60% of the cards still being actively used.
The faster a financial institution can discover a breach and start the recovery process, the more difficult it becomes for hackers to profit from the stolen information, Harper said.
"It's important to understand that we have to change the cost cycle for the attackers. Right now it's too easy for them to get information--hackers spend very little money and time getting this information," Harper said. "How we respond to breaches is the most important thing credit unions should be looking at. It's not how should we prevent them, it's if and when that happens, we need to be able to respond to them."
Harper recommended that credit unions identify and formalize teams and roles, both internally and externally; that service providers, vendors and regulators be kept in the loop during preparations; and that realistic breach scenarios be part of every credit union's preparations.