What credit unions can learn from the election commission hacking

by Idrees Rafiq, Jr.

According to the Center for Public Integrity, the Federal Election Commission (FEC), the United States agency responsible for regulating campaign finance legislation and for providing transparency and information about elections and about contributions, such as those from political action committees, was breached by Chinese hackers. The hackers successfully attacked the agency’s systems during the government shutdown in October.

Although the hack is still under investigation, there are three lessons that credit unions can learn:

1) Identify and address your security risks — The FEC had conducted an audit that reported its systems were at “High Risk” for such an attack. The FEC chose not to take measures to address the risks, which resulted in the breach. Credit unions can avoid such embarrassments by performing the NCUA-required annual security risk assessments and third-party audits, then proactively addressing their findings.

2) Limited IT budgets are not an excuse — Reports of the FEC being understaffed and operating on a limited budget sound like a hallmark of the credit union industry. Yet many controls, such as password complexity and expiration requirements, require no monetary expenditure from a credit union. For example, some FEC passwords were noted in the audit as being over ten years old.
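As an added illustration of the second lesson (this is example code, not from the article or the FEC audit), the following PowerShell report lists enabled Active Directory accounts whose password is older than a chosen threshold or never expires, and prints the domain password policy in force. It assumes a Windows domain, the RSAT ActiveDirectory module, and a read-only account; the 365-day threshold is an assumption for illustration.

```powershell
# Added example: find stale or non-expiring passwords and show the policy that should prevent them.
# Assumes the RSAT ActiveDirectory module is installed and the session is run as a domain reader.
Import-Module ActiveDirectory

$MaxAgeDays = 365                       # threshold chosen for illustration
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Enabled accounts whose password was last set before the cutoff, or is flagged to never expire.
# PasswordLastSet is $null for accounts that must change their password at next logon.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $_.PasswordNeverExpires -or
        ($_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff)
    } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'AgeDays'; Expression = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } } |
    Sort-Object AgeDays -Descending

$Stale | Export-Csv -Path .\stale-passwords.csv -NoTypeInformation
"$($Stale.Count) enabled accounts have passwords older than $MaxAgeDays days or set to never expire."

# The no-cost control: confirm the domain policy actually enforces complexity, length and a maximum age.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount
```

A MaxPasswordAge of 00:00:00 means no expiration is enforced, so every account in the report will keep aging until the policy or the individual accounts are changed.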

3) Identify IT infrastructure as a reputation risk — The media story of the breach is being portrayed as an embarrassment to the agency rather than as a story about the threat of Chinese hackers. Accountability is being sought for the lack of response to the audit findings. Credit union management can take this as a warning that, although it is difficult to justify a return on investment in IT security, reputation risk must be accounted for. It is important to identify reputation risk as a business case for deploying the proper security controls.
