In every credit union I have worked in, the credit union knows where every ounce of cash is at all times. We know which drawers have it, which tellers, which locations and which vaults. It is highly guarded and verified constantly. Strangely, however, most credit unions’ approach to IT security isn’t as sophisticated. We build lots of tools to protect the data, but few tools designed to tell us where the data is and how vulnerable it is at any given moment.
Since the mid-90s, credit unions have been on a never-ending race track of adding IT security features, complying with regulations, and trying to get more comfortable with the risk of a breach. We have built bigger and bigger vaults, better controls, better patching, etc., yet how many of us can answer these questions?
- Which employees have the most access to member data?
- Where is my member data located down to every server, pc, or fileshare?
- What vulnerabilities exist on those machines?
- Can you correlate the value of the data, the person’s access, the location and vulnerability?
The reality is that every single day an employee changes permissions or PCs, a file gets moved, something new gets set up, or something old gets decommissioned, and the set of known vulnerabilities changes with it. So in effect – if you can’t answer all of these questions with confidence every day – it’s impossible to know what you are guarding against.
In 2017, credit unions should consider changing their approach. Instead of just building bigger walls, adding gates and more armed guards to protect against infinite possibilities, and hoping that everything is locked down appropriately – we need to start assessing this daily and reacting to the biggest vulnerabilities. Our mindset needs to change from believing that we won’t be hacked to understanding that we will be hacked, so let’s make it so they can’t get anything. Anyone can drive a car through the front door of the credit union at any time – but because we lock down all of the cash in a vault – they won’t be able to get much. For 2017 make a decision to:
- Know what data needs to be protected (SSN, Credit Cards, Driver licenses, etc.)
- Know where that data is at all times
- Know who has access to it
- Know what vulnerabilities could be exploited for those individuals and those systems
- Clean up or make one change to reduce the risk every day
Take these steps and your risk from a breach will go down significantly, and it can be measured, scored and communicated to the CEO, Board, Auditors and anyone else.
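To make the five steps above concrete, here is a small correlation script added as an example; it is not code from the post or from Ongoing Operations. It classifies sample documents for SSNs and payment card numbers (the card check uses a Luhn test to cut down false positives), looks up the host each share lives on in a constructed vulnerability-scan result, multiplies data value by host severity to get a location risk, rolls that up per user from a constructed ACL export, flags sensitive data sitting outside approved locations, and picks the single highest-risk item as "today's one change". The share names, host names, users, severity numbers and data-value weights are all constructed assumptions, not real findings.

```python
import re
from collections import defaultdict

# Constructed sample inventory (not from the original post): what each share
# contains, a per-host severity from a hypothetical vulnerability scan (0-10,
# CVSS-like), who can read each share, and where member data is allowed to be.
SHARES = {
    "\\\\FS01\\loans": [
        "Applicant SSN 123-45-6789, approved 2017-01-04",
        "Card on file 4111 1111 1111 1111 exp 12/19",
    ],
    "\\\\FS01\\marketing": [
        "Spring promo copy, no member data here",
        "Draft rate sheet 2017",
    ],
    "\\\\PC-TELLER07\\C$\\scans": [
        "Scanned ID: SSN 456-65-4321",
        "Scanned ID: SSN 111-22-3333",
    ],
}
HOST_SEVERITY = {"FS01": 4.0, "PC-TELLER07": 9.1}        # constructed scan output
ACLS = {                                                   # constructed ACL export
    "\\\\FS01\\loans": ["alice", "bob"],
    "\\\\FS01\\marketing": ["alice", "bob", "carol"],
    "\\\\PC-TELLER07\\C$\\scans": ["bob", "dave"],
}
APPROVED_LOCATIONS = {"\\\\FS01\\loans"}                   # assumed policy
DATA_VALUE = {"ssn": 10, "card": 8}                        # assumed relative weights

# SSN: AAA-GG-SSSS with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if >9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count sensitive data elements in one document."""
    counts = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            counts["card"] += 1
    return counts


def score_locations() -> dict:
    """Per share: total data value, host severity, and risk = value * (1 + severity)."""
    scores = {}
    for share, docs in SHARES.items():
        value = 0
        for doc in docs:
            value += sum(DATA_VALUE[k] * n for k, n in classify(doc).items())
        host = share.split("\\")[2]                # \\HOST\share -> HOST
        severity = HOST_SEVERITY.get(host, 0.0)
        scores[share] = {
            "data_value": value,
            "severity": severity,
            "risk": round(value * (1 + severity), 1),
        }
    return scores


def user_exposure(scores: dict) -> dict:
    """Sum the risk of every share each user can read; highest exposure first."""
    exposure = defaultdict(float)
    for share, users in ACLS.items():
        for user in users:
            exposure[user] += scores[share]["risk"]
    return dict(sorted(exposure.items(), key=lambda kv: -kv[1]))


def misplaced(scores: dict) -> list:
    """Shares holding member data that policy does not approve for that data."""
    return [s for s, info in scores.items()
            if info["data_value"] > 0 and s not in APPROVED_LOCATIONS]


def todays_change(scores: dict) -> tuple:
    """The one item to fix today: the highest-risk location."""
    return max(scores.items(), key=lambda kv: kv[1]["risk"])


if __name__ == "__main__":
    scores = score_locations()
    for share, info in scores.items():
        print(f"{share}: {info}")
    print("User exposure:", user_exposure(scores))
    print("Data outside approved locations:", misplaced(scores))
    print("Today's one change:", todays_change(scores)[0])
```

The score is deliberately simple (data value times one plus host severity) so that it can be explained to a board in one sentence; the point is that it is recomputed from the current inventory, ACLs and scan results every day, and that the top of the list is the one change to make today.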
Read more tips like these on Ongoing Operations’ blog at www.ongoingoperations.com.