LAS VEGAS — It's something credit union executives dislike talking about. But the fact is that the biggest information security risk to most institutions is their employees.
Speaker after speaker on day two at the CU Infosecurity Conference in Las Vegas on Thursday hammered home that contention because, they said, at their root a lot of insecurity just boils down to people problems.
The meeting room in the Platinum Hotel was filled with executives from dozens of credit unions, including MECU of Baltimore, Maryland, Hughes FCU of Tucson, GeoVista CU of Hinesville, Ga., and XCEL FCU from Bloomfield, N.J.
The speakers had their ears because the messages were lively. “People are our greatest risks.
“Ninety-seven percent of data breaches involve human failure,” said Reg Harnish, founder of GreyCastle Security in Troy, N.Y. But he quickly amended that: “The biggest risk is not people. It's the [expletive deleted] training they get.”
People, he indicated, are not born with innate knowledge of phishing attacks and malware and other threat vectors. But they can be taught.
Harnish stressed that to be effective education has to be “relevant, continuous, engaging, and short so people can absorb it.”
“We can reduce susceptibility. But you have to put the effort in,” said Harnish, who added that when employees slip up, seize the opportunity to teach. “Don't wait three weeks. Right there, train them.”
It wasn't just people threats that got emphasized on day two. Mike Eaton, an executive with Maryland CUSO Ongoing Operations, gave a brief talk about cloud computing that emphasized a couple of key points.
The first is that when a credit union truly embraces cloud computing, this allows “IT to move from a technical to a business focus.” That is, the IT staff can stop fighting tech fires and instead concentrate on how better information management can advance the business objectives of the institution.
His other point was that a lot that is called cloud isn't. True cloud, said Eaton, “is computing that is not local to the customer, it is not owned by the customer, and it is not maintained by the customer.”
“Cloud,” he acknowledged, “is not for everyone.”
But for many it is coming into focus as a very good solution indeed.
A closing speaker was Jay McLaughlin, chief security officer at Q2ebanking in Austin, Texas, and his message was dramatic: “You,” he said to the room full of IT executives, “are no longer driving technology to your members. They are driving technology to you.”
He added: “The device used for mobile banking does not matter. What does matter is that you cannot secure it.”
That, of course, changes the whole security mindset.
McLaughlin acknowledged that so far mobile banking threats have not amounted to that much but, he predicted, you ain't seen nothing yet. To date crooks have focused on online because that is where the money is. But as the mobile channel grows, their attention is shifting.
“I believe they have exploits teed up, ready to be unleashed. They are coming our way.”
One solution: start viewing members as part of the security solution, said McLaughlin. Get them using two-factor authentication and receiving account activity alerts and this makes them part of the solution.
“Use your members as a line of defense,” he urged – and good things just may begin to happen.