“Sensitive data footprints are becoming hot topics, especially at the executive level, and organizations in all industries are concerned about how much sensitive data they have,” former ethical hacker and CEO of the New York City-based Identity Finder Todd Feinman explained.

Organizations must protect all sensitive data that could be used to commit identity theft when placed in the wrong hands. For credit unions, that means member data such as SSNs, addresses, drivers' licenses and birth dates.

Internal fraud will always be a problem, but there are a limited number of insiders who normally have direct data access, Eldon Sprickerhoff, chief security strategist for the Canadian firm eSentire, maintained.

“On the other hand, the threat from external attackers, thanks to the increase in organized criminal interest and activity, is still significantly greater,” Sprickerhoff said.

It's not just the hacker living across the globe and looking to attack infrastructure whom financial institutions need to worry about. It's also third parties such as those that service IT and ATMs, Dodi Glenn, vice president for the Sioux City, Iowa-based PC Pitstop, said.

“In some ways, smaller financial institutions are at greater risk of external fraud than the mega banks because they lack the resources and breadth of data to detect these attacks,” Agari Field Chief Technology Officer John Wilson pointed out.

Dusan Petricko, digital forensics and cybersecurity manager at the New York City-based LIFARS, noted some smaller financial institutions lack the technology, knowledge and resources to protect themselves adequately.

Sprickerhoff warned of the following broad categories of external fraud in which cybercriminals desire access to users' accounts:

• Using a lean approach, they exploit individual accountholders. The individual accountholder must help prevent the loss of credentials (email and/or account) and the financial institution is responsible for detecting unusual behavior within the account.

• Using a broad approach, the external attacker gains access through weaknesses within the financial institution's security stance to obtain sensitive data from a large number of individual accounts.

• Another common approach is the business email compromise, in which a wire transfer request comes from a fake email account that looks legitimate.

The Anti-Phishing Working Group just announced the number of observed phishing attacks in the first quarter of 2016 hit a new high since it began tracking them in 2004. The APWG noted a 250% increase in phishing sites between October 2015 and March 2016, and the uptick indicated an alarming trend.

“Phishing of the credit union's employees is probably one of the biggest external risks, because it turns an employee into the unwitting agent of the criminal,” Wilson said.

Phishing or spear phishing through emails can also open the door to a devastating ransomware attack.

“Unfortunately, ransomware is getting increasingly more sophisticated and can now very successfully evade traditional ways of detection,” Petricko said.

Once ransomware strikes, there is essentially no way to continue doing business unless the victim's organization pays the ransom.

Another threat comes via ATM or point of sale card skimming and black box attacks.

“Card skimming attacks are increasing, especially in the U.S., and will continue as long as magnetic stripe cards are still being generated,” Terry Pierce, senior product manager for the Rancho Cucamonga, Calif.-based payments CUSO CO-OP Financial Services, said.

The number of ATMs in the U.S. compromised by criminals rose 546% in 2015 over 2014, analytics software firm FICO reported.

ATM attacks take place when external skimming devices, cameras and/or malware is attached to or placed near the machine to intercept card data and capture PINs.

“The black box attack is another form of skimming where the perpetrators cut holes on the top of the ATM to gain access to the ATM,” Pierce explained. “The black box, which is an external electronic device, is connected to the ATM, which controls the ATM to dispense cash.” According to recent data, black box attacks are on the rise in Europe and migrating to the U.S.

To fend off these attacks, Pierce recommended credit unions follow PCI DSS best practices, set limits on all cards and products, harden operating systems and stay up to date with patches.

The speed of payments is helping to increase the likelihood of fraud, Michael Lynch, chief strategy officer for the Boston-based InAuth, said. In the past, back-office employees had more time to look for potential fraud.

“Now the industry is preparing for this real-time payments world and that is going to be a key driver of fraud,” he said.

A typical fraud deterrent technique used during authentication is to recognize a device with a specific person's credentials, Lynch explained.

“Device recognition is really important,” Lynch said. “Then we assess the risk factor of the device itself.”

While the real-time payments push is great for the consumer, it isn't so great for fraud protection, he added.

“Any time in my experience we do anything faster with no time for a manual review, we see fraud,” Lynch said.

Personal data is at the core of both the problem and the solution.

“Big data is what every financial institution is striving to get a better handle on because data drives the business, from security to products and everything in between,” Steve Comer, sales manager of financial services for the Westlake, Ohio-based Hyland, said. “The ever present challenge is sifting through the data to find the relevant information.”

Comer explained technologies with advanced capabilities to take data, recognize patterns, and provide more relevant and accurate information in less time and in a more automated fashion do exist today. The key is connecting the dots between the systems where all of this data exists and maintaining accurate network intelligence.

Financial institutions fall short when it comes to understanding how much sensitive data they have because the concept is new to them, Feinman said. He suggested credit unions first focus on identifying the risk and the problem.

“You start to look at, where is all my sensitive data, who has access to it, when was the last time we even used it?” he said. “Some organizations have petabytes of information. Even the smallest organization will have multiple terabytes.”

He added protecting sensitive data requires the right technology; people in the organization who can implement, use and operate it; and good processes. He also recommended credit unions take three steps: Identify their sensitive data footprint, reduce that footprint and figure out how to protect it.

Sometimes that requires getting rid of unneeded data by digitally shredding it, which involves permanently overriding the data with junk data and then deleting the overridden data. In some cases, the solution is redaction, replacing sensitive data with characters or symbols, or encryption.

Experts made several other recommendations for protecting against external threats.

“Anything that can help improve the nonrepudiation of credential use will aid in minimizing the threats of external fraud,” Sprickerhoff said.

This could include the use of two-factor authenticators.

“Strong encryption and access restrictions on systems where credentials are stored in bulk will aid in minimizing the threat against large-scale account heists,” he said.

Yorgen Edholm, CEO at the Palo Alto, Calif.-based Accellion, said, “People learn by experience. When it comes to threats, the experience we had from a year ago or two years ago is not at all the experience we should rely on. Once these guys find a vulnerability, they will use that.”

Edholm suggested providing secure private cloud file sharing and collaboration; offering a secure, single point of access to content stored in existing enterprise content sources; and managing enterprise content across all laptop, desktop and mobile devices.

Wilson added credit unions must ensure all operating systems and computers are updated with the latest security patches and running anti-virus software.

The key to minimizing threats is early detection, Comer added.

“It seems simplistic, but the earlier the data can be analyzed and the earlier the triggers are identified, the easier it is to rectify and/or stop entirely,” he said.

Reinger also emphasized the importance of training the frontline and investing in real-time fraud tools to detect fraud and stop any risk of a loss on day one.

“Credit unions have to invest in monitoring tools and review anything out of the norm that their employees do,” Reinger said. “We start by conducting a thorough background check on employees with a rigorous interview process. However, internal controls still need to be set, as well as creating reports for fraud investigators to look at for unusual patterns of behavior.”