What does a breach at business networking site LinkedIn have to do with you?
Who is the “go to” risk management professional in your IT group?
Risk management in financial services often equates to the risks associated with investment vehicles and loan portfolios. Risk management in the information processing side of the house is often coupled to IT security.
News Update, June 7, 2012: LinkedIn Hack Confirmed, Change Your Passwords
It has been reported that the business networking site LinkedIn has suffered a breach of perhaps more than 6 million account passwords. This should matter to your credit union. I'll offer some background.
At a recent NACHA conference I was listening to a financial platform vendor describe the care with which they construct their software, develop a rules console for the embedded risk engine, the testing, the training for the end users and so forth in an effort to provide a solid and safe financial environment for an institution's end users.
During the question-and-answer period that followed another attendee asked if the risk engine was a “set it and forget it” technology or if the vendor provided continuing advice on its use. This question triggered a lively discussion that included conversation on the roles of vendors and the roles of risk analysts at financial services firms and how or even if technology is “risk managed” at different times.
The paradigm with which the session attendees were most familiar is the TSA's Threat Level color scheme. Yellow is an elevated threat level, orange is a high threat level and red is the code for existing severe threat level. Airport visitors understand that when the threat level is red, air travel will be a little less convenient.
How does this tie together with the LinkedIn breach?
There is a possibility that some of your customers use LinkedIn. It's possible, that despite your best efforts to educate end users not to reuse passwords, some of the passwords for online accounts at your credit union may be strikingly similar or identical to those the customer chose for their LinkedIn account.
Who decides if this represents an elevated threat level at your institution? Can the scrutiny of online account activity be ratcheted up a bit for a higher, albeit remote, threat level?
During the discussion at the NACHA meeting it became clear that there are two types of financial institutions; those in which the roles of risk management relative to online and mobile channel technology are well defined and those in which those roles are a little “fuzzier”.
Those who worked at the former felt that there were controls in place to more closely monitor accounts and transactions if the threat level were to go from orange to red. For instance, the use of phone-based out-of-band authentication for customer logons could be applied more liberally on a temporary basis.
Those who worked at the latter weren't sure how controls would be adjusted to meet an increased threat level. In a worst case scenario, the wrong time to find out how your technology might adjust to an elevated threat level – is after a compromise.
John Zurawski is vice president of sales and marketing at Authentify Inc. in Chicago.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.