Maximizing digital security: 5 things credit unions need to do now

As our digital world evolves and our day-to-day activities become increasingly facilitated by technology, the opportunities for cybercriminals to access confidential information, steal identities and misappropriate funds also increase exponentially.  

Credit union executives and their technical staff need to be especially vigilant in maintaining the security and privacy of their member data. The financial services industry was the hardest-hit industry by cybercrime in 2016.  Financial services firms were breached 65% more than the average organization.  (IBM X-Force® Research: “Security Trends in the Financial Services Sector,” April 2017.)

To ensure the highest level of data security and member data privacy, credit unions should make sure their security policies contain these five essential elements:

1.  Data security needs to be a company-wide focus

Years ago, before the concept of cyber security became a ubiquitous corporate concern, this type of responsibility may have been handled entirely by the IT department.  But as technology reliance has permeated almost every facet of every industry, systems have become more cloud-based and remote employee access has become more prevalent. The opportunities to infiltrate sensitive company data have increased in proportion.

What is the biggest vulnerability facing financial services firms?  According to the IBM Cyber Security Intelligence Index, a whopping 95% of successful cyber-attacks are caused by human error.  Cybercriminals often target the weakest point in financial firms’ security: their employees. Through lack of proper education and communication of corporate data privacy policies, a simple mistake such as installing malware or responding to a phishing email can lead to catastrophic data breaches.

Technology alone cannot prevent cyber-attacks. Every credit union needs to build its human firewall through employee education at all levels of the company, clearly communicated data policies, and an ongoing focus on data security best practices, led by each department manager.

2.  Confirm the Security Protocols of All Parties in Your Data Chain  

Credit unions face one of the greatest challenges in the data security landscape, because a major breach could compromise their members’ account information, personal information and debit card details. This is why it’s essential to perform security due diligence on all participants in your data chain: your partners, your vendors, and your vendors’ vendors – essentially any party that will be taking confidential information out of your firewall.  

While there have been many large, publicized data breaches over the past few years (2016 hit record numbers), one of the biggest examples of errors made down the chain was the Scottrade Bank data breach in April 2017 that exposed the personal information of 20,000 customers.  And it wasn’t the work of highly sophisticated hackers, rather it was caused by simple human error.  A file containing the personal information of 20,000 customers was inadvertently left open to the public when a third-party vendor uploaded a file to a server without putting the proper security protocols in place. (SC Media, “Scottrade Bank Data Breach Exposes 20,000 Customers’ Personal Information,” April 2017.)

Fortunately, there is an industry standard best practice for reducing third-party security risks:  requesting and reviewing each partner’s and vendor’s SOC Type 2 Report. This report lists organizational controls, puts parameters around them and is audited at least once every year. Any vendor that processes your members’ sensitive information should produce a SOC 2 report.

SOC 2 reporting helps to create trust and establishes each party’s credentials for providing financial services. They demonstrate that their internal controls meet security best practices, otherwise known as the trusted services principles (TSP).  The American Institute of CPAs (AICPA) defines these five TSPs as:

• Security
• Availability
• Process Integrity
• Confidentiality
• Privacy

3.  Review Your File Transfer Protocols to Avoid Debit Card Reissues

Information associated with your members’ debit cards can be especially catastrophic if compromised.  Nowadays, it’s become commonplace for consumers to receive reissued debit cards in the mail with the brief explanation that their card may have been “compromised” with no further detail.  Not only does this alarm the consumer, but in this digital society, we have almost everything set on auto-pay.  We have debit cards attached to our monthly bill payments, our retail accounts at Amazon, Target, eBay, etc., and even stored for our favorite pizza delivery service! It’s an enormous hassle for consumers to update all of their profiles, and the act of reissuing mass amounts of cards is a huge financial burden to the financial institution.

Careless file transfers are a leading cause of data breaches.  Carefully review your credit union’s file transfer protocols. When data is being transferred outside your firewall, be sure that your employees are utilizing secure file transfer protocols and encrypting the data. Data needs to be encrypted not only during transit but also at rest, to avoid having account numbers, tax IDs or any other sensitive data left insecure and vulnerable.

If your credit union encounters a breach situation requiring thousands of debit cards to be reissued, fortunately there are financial service companies that can help you repair the resulting drop in consumer usage due to trust issues or inconvenience.  Such vendors are skilled in motivating consumers to increase their debit card usage in small steps, leading to progressively dramatic increases, and often provide the marketing tools and analysis necessary for a successful program.  

4.  Implement Defined Rules, Roles and Responsibilities for Client Data

How does your credit union handle sensitive client data? Who has access to it? And what is your security protocol? With any company that handles consumer financial information, the employees in every role – from interns to C-Levels – need to realize that such data cannot be downloaded, emailed, or saved on an external device.  Such data cannot be left on desks, displayed on computer monitors unattended, or simply discarded without first being shredded.  The reality is that most data breaches, while caused by human error, are unintentional. Or, your employees might be perfectly following your internal security protocols, but one shares the data with a vendor who then mishandles it.  

While training and education help and a company-wide security policy is essential, one of the most important safeguards for preventing data breaches is to limit the access to sensitive data.  Define your roles and level of access to various data.  Perhaps you have teams within your credit union who need access to review sensitive records, but only a select few very experienced individuals should be entrusted with transferring and storing such data.

It’s also critical to periodically review access levels to confidential information and adjust as necessary as roles change within your credit union.

5.  Prioritize System Updates and Application Patching

In many companies, the technical focus is often on “newness” – the newest operating system releases, new programs, new tools, new hardware, etc. And in this fast-paced digital world, it’s very tempting to shift priorities away from critical maintenance to focus your resources on what’s new and probably more exciting.

Don’t let your credit union fall into this trap.  Because systems are changing and evolving so quickly, numerous vulnerabilities arise frequently in these systems and they need continuous attention and maintenance.  Firmware updates and system patching need to be kept on a disciplined schedule.  Make sure that your tech team has the resources they need to devote adequate time to maintaining your company’s infrastructure and managing all system vulnerabilities.

What’s important to point out is that system patches need to be applied promptly and proactively. Even the slightest delay could result in disastrous data breaches, such as what recently happened to Equifax.

In September 2017, hackers were able to access personal data of nearly 143 million Equifax customers.  The simple explanation: a flaw in a software tool that wasn’t promptly and properly patched, leaving the company’s data vulnerable.  

If something so catastrophic can happen to a major credit bureau, it could certainly happen to a credit union.  A data breach can lead to loss of consumer trust, public criticism, job losses, and a devastating hit to your revenue.  

If your credit union does not have a recently-updated data security policy, the time to start addressing that is now.