Security at financial institutions – both physical premise security and data security – is much weaker than one might think. That's what Jim Stickley has discovered in his more than 20 years of hacking into systems and robbing facilities for the purpose of testing the strength of organizations' defenses.
The founder and CEO of the San Diego-based identity theft and fraud education firm Stickley on Security, and the keynote speaker for CU Times' upcoming Data Breach Defense Virtual Conference, Stickley was a self-professed “nerdy kid” who spent his youth working on computers and hacking into them a bit for fun (he stressed that nothing malicious ever occurred, however).
When he got older, he wrote software and worked as an auditor for various companies, and in the process, he began to notice numerous system flaws and vulnerabilities that needed addressing. Those discoveries led him to a career in security testing, which proved to be eye-opening both for him and the organizations he tested.
“I had to convince them that they needed their security tested,” Stickley said of his early days as a tester. “It was like selling ice to Eskimos. They'd say, 'I'm secure, and I don't need to be told otherwise.' Half of that was arrogance and the other half was being naïve. Now they understand that there are vulnerabilities everywhere, and it's not a matter of your budget or anything, it just happens. And it's better to find out what your vulnerabilities are than to have a criminal find out for you.”
During his on-site testing jobs, Stickley often dressed up as someone who is generally seen as trustworthy, such as a fire inspector. About four years ago, he said, he and a colleague gained access to a financial institution branch by pretending they were air conditioner repairmen. Unfortunately, the institution's security failed big time, as the pair managed to steal its backup server without any problem.
“We literally unplugged it from the wall and carried it out the door,” he said. “Employees were watching me, and no one said a word. One employee was outside in her car – we always had someone waiting outside when we stole stuff so we wouldn't go too far away with their property – and the look on her face was of sheer terror.”
While Stickley said he has seen a distinct improvement in employees' awareness of potential threats since he began his career, financial institutions are still at great risk of being hacked and are typically only as strong as their weakest link.
“Nowadays, if someone really focuses on your organization, it's not a matter of if you're going to get hacked, it's a matter of when,” he said. “It's like a terrorist. All you need is one terrorist to carry out an attack, and all you need is one employee to make a mistake.”
As a security tester, Stickley spent the majority of his time hacking into companies' systems remotely. One tactic that often tricked users was the bogus e-card, he said. He also entered facilities and installed keyboard loggers to access information at a later time, and physically stole items such as servers, drives, documents, phones and laptops.
What prevented many organizations from keeping their information safe, he discovered, was a lack of adequate employee education. So, two years ago, he founded Stickley on Security with the goal of addressing that very issue. Through its SOS Advisor, SOS Executive and Employee EDU solutions, his firm helps organizations and their customers, executive teams and employees stay informed of and prepared to combat the latest threats.
“One thing that frustrates me the most is the shifting of security budgets to products, when the main problem is education,” he said.
Many organizations, he said, tend to host one-day security training sessions for their employees once or twice a year; however, this strategy is not effective enough to fight fraud and identity theft. Instead, Stickley recommends scheduling quarterly training sessions in addition to sending two to three emails per week that inform employees of the latest threats.
An organization's website is also an important tool for providing fraud and identity theft education to customers or members. Stickley said it's important to keep this portion of a website simple by focusing on three key points – what the risk is, how it can affect customers or members, and what they can do to fight it – as opposed to publishing “doom and gloom” content.
When asked what he thinks are the biggest threats credit unions face today, Stickley said scams that originate via email top the list. He said he even favors banning all email traffic from outside the credit union if possible. Web browsing poses another huge risk, he said, as cybercriminals have begun to use online advertisements as a front for malware.
In addition to running his education-focused security firm, Stickley serves on several corporate boards and appears as a speaker for corporations, security-related conferences, seminars and forums, covering topics that range from basic identity theft to national cyber terrorism. He's also shared his security insights as a guest on numerous national television shows, including NBC's “Nightly News” and the “Today Show,” CNN's “NewsNight,” CNBC's “The Big Idea” and Anderson Cooper's “Anderson.”
For CU Times' virtual cybersecurity conference, he'll be delivering the opening keynote, “Know Your Vulnerabilities: Credit Unions Are Only as Secure as Their Weakest Links,” which will cover data breach trends, how to beef up security measures to stand up to the latest cybercrimes and how to educate employees at every level of the credit union to actively prevent attacks.
CU Times' free virtual cybersecurity conference, “Data Breach Defense,” runs from 10 a.m. to 5 p.m. ET on Tuesday, Oct. 6. To register, visit CUTimes.com/DataBreachDefenseConference.