Cybersecurity Requires a Multi-Faceted Defense

Recent high-profile attacks reinforce the need for robust lines of defense.

October 5, 2015

Above: San Diego County CU’s Leo Maduzia says cybersecurity efforts should be preventative, detective, and corrective.

Charged with protecting their members from increasingly sophisticated cyberattacks, today’s credit union information security professionals must navigate a complex web of regulations and implement robust lines of defense.

The most important elements in an effective defense strategy are your people, processes and technology—in other words, your credit union’s organizational culture.

This was the advice given by cybersecurity experts Leo Maduzia, senior vice president at $6.9 billion asset San Diego County Credit Union (SDCCU), and Jim Brahm, CEO of Security Compliance Associates.

They co-presented a breakout session during this week’s CUNA Tech/OpSS Council Conference.

Brahm shared the timely example of an unnamed credit union in Florida recently victimized by a string of social engineering attacks. The fraudsters focused on draining members’ accounts through debit card point-of-sale charges and on depositing fraudulent checks via remote deposit capture, costing the credit union roughly $500,000 per month in losses.

This is just one of numerous recent high-profile cyberattacks, including a hacker breach at a large credit union in Virginia.

The wide-ranging presentation covered applicable laws and regulations that credit unions must adhere to, including the Gramm-Leach-Bliley Act, passed in 1999 to help protect consumer privacy and data confidentiality; the Fair and Accurate Credit Transactions Act; and the Health Insurance Portability and Accountability Act security and privacy regulations.

Maduzia relied on his experience as information security officer at SDCCU, as well as his background in information security and information technology risk management within diverse industries, to present a roadmap for implementing multifaceted lines of defense.

He cited three key areas of control:

  1. Preventative, such as USB blocking and blacklisting;
  2. Detective, encompassing tactics including antivirus and USB alerts; and
  3. Corrective, which come into play in the case of an actual hacking incident or data breach.
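The preventative and detective layers above can be seen side by side in a small script. This is an added example and not code from the session or from SDCCU: it parses constructed Linux kernel (dmesg-style) log lines for USB device attachments, denies mass-storage devices that are not on a hypothetical corporate allowlist (the preventative control, "USB blocking"), and raises an alert for every mass-storage attach whether or not policy permitted it (the detective control, "USB alerts"). The log lines, the allowlist and the allow/deny/alert semantics are all assumptions for illustration.

```python
"""Apply preventative and detective controls to USB attach events.

Added example, not from the conference session or SDCCU. The log below is
constructed in the format of Linux kernel (dmesg) messages; the allowlist
and the allow/deny/alert semantics are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample log modelled on real dmesg output: one corporate-issued
# drive (on the allowlist), a keyboard (not storage), and an unknown drive.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 3 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new low-speed USB device number 4 using xhci_hcd
usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input5
usb 1-3: new high-speed USB device number 5 using xhci_hcd
usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of corporate-issued drives, as vendor:product IDs.
ALLOWLIST = {"0781:5583"}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    mass_storage: bool = False

    @property
    def device_id(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_usb_events(log: str) -> list[UsbDevice]:
    """Walk the log in order, pairing each 'New USB device' line with any
    later usb-storage line reported for the same port."""
    devices: dict[str, UsbDevice] = {}
    for line in log.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = MASS_STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return list(devices.values())


def evaluate(devices: list[UsbDevice], allowlist: set[str] = ALLOWLIST):
    """Apply both layers of control and return (decisions, alerts).

    Preventative: mass-storage devices not on the allowlist are denied.
    Detective: every mass-storage attach, allowed or not, produces an alert,
    so analysts still see removable media that policy permitted.
    Non-storage devices (keyboards, mice) are allowed and not alerted on.
    """
    decisions: dict[str, str] = {}
    alerts: list[dict] = []
    for d in devices:
        if not d.mass_storage:
            decisions[d.port] = "allow"
            continue
        permitted = d.device_id in allowlist
        decisions[d.port] = "allow" if permitted else "deny"
        alerts.append({
            "port": d.port,
            "device": d.device_id,
            "severity": "info" if permitted else "high",
        })
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = evaluate(parse_usb_events(SAMPLE_LOG))
    for port, action in decisions.items():
        print(f"port {port}: {action}")
    for a in alerts:
        print(f"ALERT [{a['severity']}] mass storage {a['device']} on port {a['port']}")
```

Running it prints an allow for the corporate drive and the keyboard, a deny for the unknown drive, and two alerts (one informational, one high). The point of keeping the alert path separate from the block decision is the one the speakers make: a preventative control that silently succeeds tells you nothing about how often it was needed, so the detective layer records the event either way.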

The speakers emphasized the importance of educating and training staff to understand data protection and to recognize and avoid the riskiest threats, including social engineering and phishing attacks.

Brahm also reviewed the new Federal Financial Institutions Examination Council’s cybersecurity assessment tool, which NCUA will begin using in credit union regulatory exams in June 2016.

More coverage is available from the CUNA Tech/OpSS Council Conference, which concludes Wednesday.