You're not safe.
That's the sentiment of John Prisco, president/CEO of Triumfant, a Rockville, Md.-based endpoint security provider that offers solutions for malware detection, remediation, monitoring and security management of endpoint computers.
“There shouldn't be a sense of security because it doesn't exist today, but we can't give up,” he said. “We have to keep trying with more innovative techniques to try and stop the adversary.”
Prisco has worked closely with financial institutions and government agencies to ensure their technology is not only compliant, but well-protected – something he said is lacking in most agencies and companies today.
“I mean, look at the Secretary of State,” Prisco said. “He said it's very likely that his emails are being read by the Chinese, the Russians and the North Koreans, and he writes them assuming that they are reading them. There's something very, very wrong with that picture.”
Earlier this month, Secretary of State John Kerry said in an interview with “CBS Evening News” that countries have consistently engaged in cyberattacks against America, and he writes his emails with that in mind. The interview came after NBC News reported Chinese hackers had been spying on the personal email accounts of top U.S. officials since 2010. Two weeks ago, the Joint Chiefs of Staff said Russian spies breached their unclassified email server, and last month, the Office of Personnel Management tried to explain in congressional hearings how Social Security numbers, bank account numbers, addresses and more belonging to 22 million Americans were stolen by the Chinese government for more than a year before the agency realized it was happening.
This comes on the heels of some of the largest attacks on private companies in American history: Confidential data from Sony Pictures Entertainment was leaked in November, JP Morgan Chase was breached last summer after an employee's login credentials were stolen, and debit and credit card information for 40 million accounts was stolen in 2013.
The problem, Prisco said, is most companies and government agencies don't care enough to provide adequate security.
“They can't feel safe and they shouldn't feel safe,” Prisco said, referring to consumers. “Because many of the companies and government agencies view security as an expense item that is to be controlled and minimized. Do you think OPM cared? I don't. They had ancient computers, they had very poor security. Do you think Sony Pictures cared? I don't. They had very lax security and it's only when somebody's exposed, then the lawyers spin it. They only care when they're in the hot seat. As long as that attitude persists, you're going to see these breaches, at least one a week.”
It may sound dire, but Prisco said he is a proponent of the “no spin zone,” and if small financial institutions don't watch the mistakes of those “too big to fail,” they will fall victim.
“Look at some of the biggest companies in the financial sector like JP Morgan,” he said. “Now they care. They spend an enormous amount of money on security, yet they were one of the biggest breaches in American history and why did that happen? Well it happens because they are listening to very well-marketed products that are spending hundreds of millions of dollars on marketing hype but their products aren't that good. Most of the security products out there today are just a notch above antivirus, which is almost useless.”
And more regulations from the government aren't much better, he said.
“They're better than nothing, but not much better than nothing because compliance is not protection,” he said. “Compliance is just not enough. It helps to check the box, it helps with insurance, it helps the lawyers feel as if they're not liable, but at the end of the day consumers are still unprotected.”
Kari Anne Amosk, director of debit and checking consulting at the St. Petersburg, Fla.-based Advisors Plus, said credit unions are already complying with regulations and protecting their members, and that the CFPB should instead focus on how merchants and retailers can provide more protection.
Amosk joined Advisors Plus to help credit unions create the most effective strategies for maximizing their checking and debit card portfolio growth. She is currently assisting credit unions that may be subject to upcoming CFPB regulations regarding overdraft charges. Prior to joining Advisors Plus, she worked as a vice president and senior product manager at Key Bank.
“What needs to be done in terms of the pushing back is really on the merchants,” she said.
She added credit unions need timely disclosures from merchants, just as they must give timely notifications to their members.
“How soon do they have to tell us? What do they have to tell us? What's their responsibility and also, what needs to be done in terms of the cost?” she asked of merchants. “Who is ultimately responsible for that breach in terms of where it's occurred?”
But both Prisco and Amosk agree that the answer for credit unions is to focus on what they can control. And Prisco said credit unions need to go beyond checking the compliance box.
“The main problem is that there are 21st Century adversaries that are quite skilled and, today, we're all trying to fight them with 20th Century technology,” he said. “There's a gap between penetration and remediation so as more innovation occurs, it will get better. But innovation is not going to come from the large companies that are in the land-grab mode and trying to gain market share. Innovation is going to come from smaller companies that have bright people working on actually solving problems.”
Prisco said that, given the number of third parties credit unions work with, they should focus on working with those that use more advanced security techniques. He said products that rely on prior signatures and old intelligence platforms won't do the trick.
“Those platforms are all based upon signatures,” he said. “They're a half step in the right direction but the full step in the right direction is to use an analytics-based anomaly detection kind of product with continuously monitoring endpoints. There's no one product that is going to solve this problem 100%, but there is a defense strategy that will work and it will include a network-based approach. It will include an endpoint-based approach so that you can cut off some of the attacks as they penetrate the network, and those that get through those shields – and they always do – would be picked up on the endpoint by an anomaly protection product that can really see changes that occur and synthesize remediation without having signatures or any former prior knowledge.”
Prisco said he would suggest to consumers to only work with organizations that have a two-step login authentication system, so credit unions should also be employing that method.
“It's much harder when you're getting a key sent to your cell phone via text to complete your login,” he said. “It's much harder to steal somebody's credentials that way because they have to be on your computer and on your phone in order to do that and that's much harder to do. It's not good enough to put in your password and then tell them where you went to grammar school.”