Year after year, surveys show consumers rank credit unions as the most trusted financial institutions. Recent studies, such as the American Customer Satisfaction Index, ForeSee Survey of Online Financial Services Benchmark, and Chicago Booth/Kellogg School’s Financial Trust Index, show credit unions continue to top the charts in consumer confidence. That’s great for our industry.
But this level of trust also sets the bar very high for protecting your members’ data. They trust you to keep their account information, email addresses, Social Security numbers and other personal data safe and secure, and credit unions are committed to doing just that. But the greatest risk to that data is not necessarily an outside hacker or thief. High-profile system and data compromises make the news; many data breaches, however, result from accidental exposure, often by your own employees: someone forgets to log off a secure service site, a broken laptop is discarded before its files are wiped, an employee downloads a data file to his desktop and then discovers his computer has been stolen.
While the NCUA correctly focuses on credit unions’ due diligence with the vendors they work with, including requirements for continuity plans, data redundancy and encryption programs, third-party security is only one of your concerns. Internal security controls must receive the same level of scrutiny. Remember, there are many ways, both intentional and inadvertent, for members’ data to get out the door.
So what should credit unions do? Establishing specific IT responsibilities and data protocols – and ensuring staff know and follow them – is key. At DigitalMailer, we follow several “security commandments” to help keep our clients’ and our company’s data and internet communications as safe as possible. These may serve as helpful guidelines for your credit union, employees and members, too. Among them:
Commandment 1: Email is never secure.
Despite being conditioned to question unfamiliar or suspicious email messages, people and businesses continue to fall victim each year to phishing and online hoaxes. Never send usernames, passwords or personal data by email, and never enter them in a pop-up window. Never open attachments from unknown senders. If account numbers, passwords, Social Security numbers or other sensitive data must be delivered by email, require that the data be encrypted with software that uses a standard, well-vetted encryption method, and share the decryption password through a separate channel, never in the same email.
Commandment 2: Voicemails and Faxes are never secure.
Do not send private information by voicemail or fax, since you cannot control who is on the receiving end. To reduce the risk of interception, exchange the password for an encrypted file only by phone, and only when you know everyone who is on the call.
Commandment 3: Laptops and PCs are never secure.
There is never a reason to store files containing sensitive personal data on any system except the central servers. If such a file is inadvertently saved to your individual computer, or you receive one as an email attachment, contact your IT department so they can move it to the proper location or delete it securely. Do not allow automatic logins, especially on shared or public computers. And remember that antivirus software, anti-spyware and firewalls are only as good as their most recent updates: keep them current.
Commandment 4: A shredder is your friend.
If you must print sensitive data or save it to a disk or other removable media, use a cross-cut shredder to destroy it when you are done. Every time. Tearing up the paper or snapping the disk is not enough.
Commandment 5: Passwords are not optional.
Use a different password for every account, change them regularly, and never share them with anyone. If your computer starts up without asking for a username and password, fix it now. If a program or browser asks whether you want to save your password, the answer is always no. If you have trouble remembering numerous passwords, it is better to write them down (and keep the list guarded) than to reuse the same password across multiple logins, since one leaked password then opens every account that shares it.
Potential lapses in data security are significant issues that every credit union must address on a continuous basis. While there is no way to guarantee complete security, there are many best practices to guide you in putting strong protections in place for your members’ personal information, all the more important now that such threats have become commonplace. Your members have long trusted you to safeguard their data: to know where it is, who has access to it, and how it is used. To keep that trust, you must be ever vigilant.