To fight data breaches, organizations must treat all emails with skepticism and educate employees about cybersecurity risks. That's according to Jim Stickley, keynote speaker for CU Times' Oct. 6 virtual conference, "Data Breach Defense."

In his presentation, "Know Your Vulnerabilities: Credit Unions Are Only as Secure as Their Weakest Links," Stickley, founder and CEO of the San Diego-based security education firm Stickley on Security, said cybercriminals target financial institution employees because they don't know they are vulnerable.

"If employees did not have Internet access, it would reduce fraud by 75-80%," Stickley said.

Oftentimes, scammers looking to access a system find the targets of their attacks via social networking sites such as LinkedIn. They can then go after employees with emails laced with phishing lures and social engineering tricks, enabling them to plant malware. Scammers may also coerce unsuspecting employees to divulge critical information that will open doors to the organization's system.

Stickley suggested organizations limit Internet access to employees who really need it.

He also described Adobe Flash as a horrific mess that averages one new vulnerability per month, and added that if organizations do not keep up with updates, they will become vulnerable. He emphasized that these vulnerabilities are not minor.

"Adobe Flash is the devil," Stickley said. "The worst thing you can do is allow Adobe Flash in your organization."

He suggested switching to HTML5, a markup language used for structuring and presenting content on the web.

Criminals are continuously evolving and now utilize a combination of engineering and malware to gain control of a desktop, Stickley said. Even an 800 number – something many assume to be legitimate – can be used by criminals to gain control of a computer.

Stickley noted implementing and maintaining an education program to help employees understand current threats is key.

"Education and awareness are not the same thing," he said, adding that employees should receive continuing education about security threats once per quarter.

He also advised that social engineering and phishing emails are two of today's main culprits; however, employee education and security awareness can help dissuade these attacks. In his presentation, Stickley recommended the following:

  • The number one thing is to never trust an email. Treat all emails with skepticism.
  • Never give someone remote control of your desktop.
  • Never allow someone to install software. When in doubt, call the IT department to verify.

"Criminals are going to continue to focus on your employees because it works," Stickley concluded.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).