The Online Trust Alliance’s (OTA) 2015 Security Report
Although financial institutions fell prey to some of the most notable data breach attacks of 2014, no one in the industry was shocked by the events. Credit unions are and will continue to be prime targets for cyber criminals because they maintain databases that contain members’ personally identifiable information. The non-profit Online Trust Alliance (OTA) published its 2015 Security and Privacy Best Practices Report, which analyzed over five hundred online security breach attack reports from the first half of 2014 and recommended actions based on the findings. In the report, the OTA highlights the shocking fact that almost 90% of the attacks could have been prevented by implementing basic information security controls.
An All-Encompassing IT Governance, Risk Management and Compliance Management (GRC) Solution
From suggested improvements to vulnerability and risk management protocols to recommendations addressing company incident response methods, all of the best practices outlined in the report can be put into action using TraceSecurity’s cloud-based, fully integrated and award-winning IT GRC management software, TraceCSO. For instance, recommendations to implement a vendor management program serve as a reminder that several of the most costly data breaches of recent history could have been avoided through proper vendor management. Enhancements to the TraceCSO vendor management module are currently underway to streamline existing vendor management processes and incorporate risk analysis to empower credit unions to make well-informed, intelligent decisions about their existing and future vendor relationships. Another OTA recommendation that has been reinforced with updated regulation guidance involves an established incident response plan. Upcoming additions to TraceCSO’s incident response module integrate guided workflows that meet newly published NCUA standards to enable credit unions to maintain compliance with these updates.
Whether the recommendations instruct credit unions to develop policies or training and testing materials, TraceCSO provides the platform for company policies to be developed and accepted and for training courses to be distributed and tested. Finally, recommendations to implement effective vulnerability and password management practices and to enforce least privilege user access and multi-layered firewall protections may be accomplished through TraceCSO’s patch management and network scanning functionality, as well as through the variety of information security services that TraceSecurity offers.
Overcome Security Challenges by Leveraging Seasoned Information Security Experts
Of the attacks evaluated, 60% were either the result of insider activity or social engineering attempts. The OTA recommends performing annual risk assessments to identify credit union assets that contain (or allow access to) sensitive member information and to create a framework from which the institution can develop data minimization and least privilege access to these systems. Customers can choose to have TraceSecurity perform any of the various security assessment services offered, as well as participate in implementation training that educates the credit union on how to perform risk assessments internally using TraceCSO. Similarly, a social engineering training course is available within TraceCSO, and TraceSecurity provides social engineering engagements designed to test employee response to such attacks – cultivating an institution-wide awareness of social engineering strategies to ensure intrusion attempts are debunked at all levels of the institution.
Prepare for a Secure and Prosperous 2015 and Beyond
TraceCSO, coupled with TraceSecurity’s extensive information security services, provides an essential combination of resources to develop all components of a successful risk-based information security program. By leveraging TraceSecurity’s services and integrating TraceCSO’s risk, compliance, vendor, and incident response capabilities, credit unions can thoughtfully plan for and greatly diminish the potential of data breach attacks not only in 2015 but also for years to come.