Social (in) Security: SSN Exposures Top Data Concerns
06.13.2016
Some 6.2 million data records already have been compromised in 2016, and credit unions are prime hacker targets, according to The Identity Theft Resource Center (ITRC).
Moreover, while the recent ITRC report noted that no two breaches are ever exactly alike, 32.7% were Social Security Number (SSN) related and nearly 13% involved exposed credit or debit card information.
"Credit unions are prime targets because they have a ton of personal identifiable information from members and employee information," said Adam Levin, chairman and founder of the Scottsdale, AZ-based IDT911, which supports ITRC. "Credit unions are targets of phishing scams, and because of phishing scams, members are victims of wire transfer fraud or tax related identity theft — breaches are coming from all angles."
The report focused on five sectors: business, healthcare, education, government and financial services. The good news for the financial, banking and credit sector is that this segment ranked the lowest in SSN breaches at 2.6% (the healthcare industry scored highest at 16.6%). However, the data that was exposed (13.5 million records) was from "data on the move."
Cornerstone Advisors senior director Wes Bjorklund said that data breaches in the credit union space are being realized "across the spectrum," including insider issues, human error, criminal activity or third-party incidents.
Last year, he noted, suspected breaches also involved credit unions that had laptops go missing along with account numbers, driver's license numbers and SSNs. A similar event happened this February when a Federal Deposit Insurance Corp. employee accidentally downloaded 44,000 customer records onto a portable device.
"We also saw CUs hit by malware that hackers used in conjunction with ATM skimmers to access member card and account information. EMV cards and other technologies such as tokenization are helping to address the risks, but we can't expect total elimination of the threats," said Bjorklund. "These examples don't even get into the impact of other events impacting the CUs such as merchant breaches and the ongoing reissuance of cards, which is increasingly expensive with the move to EMV or PIN-and-chip cards."
The Three Ms
Levin, who recently published a book titled Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, suggested his "triple M" approach to ensure an organization's security platform is sound and evolving.
"The first step is minimizing risk, then monitor risk and then manage the damage," said Levin. "It may also be in the best interest of the credit union to have a relationship with a third-party organization that is an expert in cyber security, protection and resolution."
In Bjorklund's estimation, a sound security platform requires executives, and not just IT employees, to focus on respective programs "every moment of every day" and seek methods for ways to make the platform stronger.
"As for the best platform or framework, it has to be the usual suspects: people, process and technology," said Bjorklund. "Those components have to be applied across a layered approach using a 'defense in depth' strategy comprising several functions: identify, protect, detect, respond and recover."
This outline structure, he noted, should sound familiar to most executives, as it follows the NIST Cybersecurity Framework as well as regulatory guidance and self-assessment tools provided by regulatory examiners.
"This isn't a recommendation to fully implement all the elements of the [National Institute of Standards and Technology] NIST or any other framework. This approach results in meaningless documentation, wasted effort and unnecessary expense," said Bjorklund. "A tailored approach and thoughtful design of a structure that best accommodates the risks, culture, timeframe and budget of a CU or any organization can help ensure a more effective security program and a better return on the investment for this kind of effort."
Levin and Bjorklund agree that an annual review of a security platform that has a strong risk assessment process in place is critical to effectiveness. But they stressed that cybercrooks move fast and attacks can change by the day. And in recent years, "spear phishing" scams have spawned new terminology.
"The term 'whaling' is when they go after senior level officials in financial organizations to try and get them to click on a link or respond to something. These communications look really authentic and may presumably look like it is coming from a security organization," said Levin. "One can never underestimate the creativity or sophistication or the tenacity of hackers."
In an effort to stay one step ahead of cyberthieves, Bjorklund said C-level executives should continually attend roundtables, webinars and information sharing opportunities in the credit union industry as well as in other industries.
"Executives should consider any number of resources to understand today's security landscape, as well as upcoming changes and emerging threats. These sources should include not only internal resources such as information security, IT, risk management and business leadership, but also outside sources, such as peers, vendors, trusted advisors, regulators and professional groups."
Reprinted with permission from Credit Union Journal.