I caught up recently with my friend, cybersecurity expert Jim Stickley, founder of Stickley on Security. He also regularly appears on The Today Show as their resident expert. Last month he appeared on the show to run a phishing test first against correspondent Jeff Rossen’s parents, and then against Rossen’s producers.
Maybe it’s not so surprising that Rossen’s parents flunked the test, but his producers did, too! Which points to a larger fact: Often people who should know better still do stupid stuff. People like you and your employees, for example.
That got me wondering. What are some of the “epic fail” moments Jim has seen at credit unions?
“A lot of credit unions do a good job of educating members about the potential perils of clicking email links or opening attachments,” Jim told me, “but then their marketing departments send out all sorts of emails with links and even PDF attachments. When you start sending members emails telling them to do the exact thing you warned them against, you’re priming them for a phishing attack. Then when they get phished, you look like the bad guy.”
Of course, it’s just as important to be aware of offline threats.
“Credit unions today are into the ‘open’ branch concept,” he added. “That means they often put a printer in a common area where all the MSRs can get to it. I can’t tell you how many times I’ve walked past just such a printer and grabbed a stack of sensitive documents. People don’t even notice. They just assume the printer malfunctioned.”
Do your MSRs maintain a shred box – a little receptacle for documents that are eventually supposed to make it to the shredder? “I’ve gone in with the cleaning crew a number of times and have been able to rummage through these documents at will,” he said. “And thanks to the camera on my phone, I don’t even need to steal any physical paper. I can just snap pictures.”
He said his camera comes in handy too when he’s just passing by an employee desk. He keeps his phone in hand, as everyone does these days, and has the camera rolling. He can then check later to see if he captured any profitable data.
Yes, it’s less convenient to tell the member to visit your website rather than to provide a link. And yes, it’s a hassle to lock everything up before you take your coffee break. But balance that against your credit union’s reputation as a trusted keeper of member money. “We have to take these extra measures,” Jim insisted. “That’s the world we live in today.”
When it comes to protecting member data, a little common sense can go a long way. And remember, the ass you save may be your own.