Tech Time: Policies and Vendors and Staff! Oh, My!

The infamous Carbanak cybergang was uncovered in 2015 after its members had stolen more than $1 billion from over 100 banks worldwide. Notably, the group began each cyber-heist with a simple spear phishing attack aimed at individual employee computers.

All it took for the heist to work was one employee clicking on an infected email link or attachment. This click would inject malware into that one computer which, in turn, infiltrated the internal network and installed information-gathering spyware on administrative computers. From there, it was relatively simple for the attackers to mimic the bank clerks’ activities, allowing them to hijack e-payment systems, inflate internal account balances and even program ATMs to dispense cash.

Fiendishly clever? Yes. Surprisingly easy for the thieves to execute? Yes, again. Let’s look at some lessons your credit union can learn from such a simple but effective attack.

We want to note that we believe in the points we are about to make in this article because we do them ourselves. At PSCU and its consulting group, Advisors Plus, we emphasize employee education, implement proper vendor controls and create easily understood information protection policies. Each of these has proven to be a cost-effective, common-sense way to protect information and financial assets.

Employee Education

Your client-facing employees are your first—and last—line of cyber-defense. Chances are they will welcome any cybersecurity education you give them with open arms. But guidance doesn’t mean tossing policy manuals over their cubicle walls and calling it a day.

It’s important to realize that, ironically, the same go-the-extra-mile mentality that allows your valued employees to provide such great member service can also get them into cybersecurity trouble.

Left to their own devices (and we mean that literally now that employees routinely use their own smartphones and tablets at work), your staffers can easily respond too fast to suspicious emails; create their own file storage and productivity workarounds outside your credit union’s firewall; disseminate too much company contact information on social media; tape their passwords to their monitors; and juggle personal and company business during working hours—all in the name of being friendly, helpful team players.

When employees compromise the system, they may be horrified to realize their rookie mistakes.  This can lead to them tuning out warning messages or even trying to tough out a ransomware demand without involving management.

How should your credit union educate its client-facing employees?

• Show them concrete examples of spear phishing emails and let them practice exercising the proper amount of caution using simulations of real-world situations. Teach them proper spam quarantine techniques. Make it clear that well-meaning haste can have negative consequences. Develop a “buddy system” so they know to reach out to others before they click.

• Insist on strong passwords, such as those that incorporate upper and lowercase characters, numbers and special characters. Insist that employees change those passwords a minimum of every 90 days and never share them.

• Establish a hierarchy of information permissions based on “access needed” roles. Create clear policies that limit use of personal cloud file-sharing solutions and company social media accounts—and monitor for violations. Limit or prohibit personal business conducted on company computers and monitor for compliance.

Vendor Management

It’s important to recognize that other companies may not take data protection as seriously as your credit union does. As a result, it’s vital to put vendor governance and oversight policies in place to mitigate the risk.

What process should your credit union use to manage its vendors?

• At a minimum, your credit union must know which vendors have which data, and have clear agreement on how they will protect it while they have it.

• PSCU designed its own vendor governance and oversight program to meet the requirements of the Consumer Financial Protection Bureau and the National Credit Union Administration. The program has formalized PSCU’s third-party onboarding process by creating a provider risk scorecard and tying the scores to our ongoing oversight program. We use dashboards to facilitate executive-level risk reporting. In 2015, our program was selected as a finalist for the prestigious T.E.N. Information Security Project of the Year Award.

Information Loss Prevention Policies

Management guru Peter Drucker famously noted that “You can’t manage what you can’t measure.” IT department translation: If you do not know what sensitive information your credit union has, you cannot possibly know where and how to defend it.

What procedures should your credit union use to protect member information?

• Begin with information mapping. Take inventory of what sensitive information your credit union has, where it is stored, who owns it and who has what permissions to use it. Bear in mind that it’s far easier to map information before a theft than after. After an event, investigators will be breathing down your neck and your credit union will be working from an incomplete or informal list as it tries to identify what information may have been compromised. This bad scenario also lengthens the time before affected members can be notified. 

• Encrypt sensitive information and investigate the use of data loss prevention systems if you don’t already have one. Develop departmental protocols for changing default configurations and passwords frequently, but on a staggered schedule. 

• Develop dedicated security roles, but don’t isolate the security department. Customer-facing employees who “see something” need to know how and to whom to “say something.”

• Create and adhere to a data retention policy for compliance purposes, but be aggressive in purging data that is no longer needed. It’s a lot easier to defend a smaller, more concentrated territory than a larger, more dispersed one.

If these prevention steps sound too touchy-feely or low-tech, remember that very few cyberattacks are written by PhDs in a dark room. In fact, most compromises result from users getting infected emails and clicking on links or opening attachments that convince them to give up their account names and passwords.

Ultimately, your credit union must accept that bad things can and will happen. That’s why credit union business and technology groups must work together in educating staff, managing vendors and developing good policies, so you’re proactive and prepared.

Gene Fredriksen is VP/chief information security officer at CUES Supplier member PSCU, St. Petersburg, Fla., where he is responsible for the CUSO’s development of information protection and technology risk programs; he also is CEO of the National Credit Union Information Sharing & Analysis Organization, Kennedy Space Center, Fla., a Distinguished Fellow for the Global Institute for Cyber Security and Research, headquartered at the Kennedy Space Center, and has served on the R&D committee for the Financial Services Sector Steering Committee of the Department of Homeland Security.

Arnie Goldberg is VP/principal/business development for Advisors Plus, PSCU’s independent consulting group. Goldberg draws on more than 30 years of consulting, CRM, payments and funds transfer expertise to help credit unions achieve innovative, measurable improvements to their products, operations and profitability.