If credit unions use innovative Internet of Things technology to better understand and serve their accountholders, they must also understand the associated cybersecurity risks and new vulnerabilities – and protect member information.

These devices, linked to one another through internet-connected systems, include smartphones, smart speakers, wearables, automobiles, refrigerators, copy machines, energy management services, employee IDs and meeting management tools.

Gartner places the total number of globally-connected instruments at 8.4 billion and anticipates there will be more than 20 billion IoT devices by 2020.

"Enterprises continue to interconnect endpoints, objects and platforms to their networks, disintegrating traditional network perimeters, converging the digital and physical worlds, and creating new security challenges," Rocco Grillo, executive managing director of cyber-resilience firm Stroz Friedberg, said. "Beyond devices, companies are linking more business processes to the internet to gather data, drive efficiencies, and automate, monitor and control operations."

Credit unions' use of smart devices provides a better view of members' finances in real time, and allows them to better anticipate accountholder needs through the data collected. However, they must also look closer at data management, security and privacy practices.

"IoT devices rely on intimate customer data. All that information is trafficked across a network of billions of connected devices, each of which represents a potential security risk," said Monica Eaton-Cardone, COO for Chargebacks911 and chief information officer for its parent company, the Clearwater, Fla.-based Global Risk Technologies.

"The biggest mistake credit unions make is not tracking or managing IoT devices. We keep track of computers, but forget about all those pesky devices and vendor equipment that gets connected to our network," Sherri Davidoff, founder/CEO of the Missoula, Mont.-based LMG Security, pointed out.

"Internet of Things devices bring virtual ears and eyes into financial business settings, and areas where credit union employees and their customers, vendors and guests work, talk and interact," Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, added.

Herold warned there are growing threats IoT devices bring into credit union environments, such as:

  • Some smartphones "listen" using their microphones at all times – but what are they hearing? Video and photo apps can also capture images such as computer screens, white boards and printed documents on desks. Hacked devices can surveil and record information for extortion or something worse.
  • Wearables – such as fitness trackers and smartwatches – transmit information about activities, locations and dates, among other things.
  • Connected smart printers, copiers, fax machines and other office equipment can unintentionally create pathways between the internet and the credit union's network.
  • Financial organization employees increasingly use digital assistants to help track activities and record meetings. This data, often kept in a cloud location indefinitely, sometimes becomes shared with unidentified third parties.

The threats are real. Malware-using botnets harnessed from IoT devices helped launch a massive DDoS attack that disrupted U.S. internet traffic in 2016. In 2017, the same Reaper IoT botnet infected nearly two million devices and spread at an extraordinary rate of 10,000 new devices per day.

Davidoff cautioned, "In the next few years, expect to see ransomware attacks that target your devices, including heating/cooling and lighting systems, security cameras, alarms, printers, copiers and door access controls."

Paul Love, chief information security officer for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, said IT and security teams often overlook IoT devices as part of a vulnerability management program, and the devices don't receive the same vendor support as traditional systems. Some "less exciting" devices, like web cameras and thermostats, come with exploitable firmware and software. "Unpatched systems or systems with security weaknesses are an open door to a credit union's systems," Love said.

Love warned the diversity and speed of IoT device adoption makes the identification of weaknesses and appropriate fixes very difficult to manage. "The problem is only exacerbated by the fact many credit union IT and security teams are already tasked with an overwhelming litany of responsibilities."

Eaton-Cardone stated the frequency with which security breaches occur at financial institutions is a sign that the industry is not doing enough to address the IoT problem. "Financial institutions need to get proactive and take a more offensive role regarding security."

Neil Weitzel, director of security research at the Boston-based Cygilant, also suggested financial institutions do more to protect against the security risks introduced by new technology. "Prior to implementing or deploying new technology, a thorough penetration test that includes a code review should be done to ensure a hardened security posture is attained."

René Clayton, innovation strategist at the St. Petersburg, Fla.-based CUSO PSCU, stated, "Right now security is 100% top of mind. It's part of our business strategy and part of our cybersecurity strategy."

Gene Fredriksen, chief information security strategist for PSCU, explained credit unions need to look at how they secure the process as well as the type of information they allow and deliver. "As with any process, if you develop an insecure process or bad practices behind that device, you are putting the end consumer at risk. It's very important to realize that it's the system behind it that makes it secure or not secure."

Voice-enabled applications present unique security concerns because voices are not as easy to protect from invaders.

"Attackers are in a race to obtain technologies that allow them to capture small snippets of a person's voice," Love said. He explained these snippets can generate an entire string of fraudulent audio realistic enough to fool voice-recognition technology.

Clayton pointed out smart speakers such as Amazon Echo and Google Home are still in their infancy when it comes to banking transaction use. For the most part, consumers use the speakers for basic information such as routing transit numbers and recent transactions. Only a handful of financial institutions allow voice-based financial transactions.

Clayton noted credit unions have an opportunity to take advantage of these IoT devices as long as they focus on privacy and data security. "When we take advantage of this kind of technology, it's really about consumer education. IoT can really improve authentication and security, providing that we have the right parameters from the beginning."

Davidoff recommended credit unions protect themselves by taking inventory of the devices on their network – not just workstations and servers. "Remember, even your coffee pot can be used to spread malware if it is connected to your network."

Weitzel endorsed credit unions instituting a least-privileged access model for the environment and systems, and holding all new technology to that standard. "This means understanding the use cases the device or technology provides, and only enabling the features that fill those use cases."

What about regulations? "I'm not aware of any industry standard for any of these devices," Fredriksen said. However, he noted, "There are standard things you always do to make sure that any new technology is secure before you bring it into your organization. Particularly something that could be network-connected and has its own firmware inside." This may include understanding how the device communicates, locking down the device and configuring it in a secure manner.

Brian Godwin, interim CEO for the Des Moines, Iowa-based PolicyWorks, proposed credit unions need to be especially cognizant of cybersecurity concerns when it comes to innovation. "Not only is it a growing focus of regulators, such as the NCUA, it is also an increasing concern of members in the wake of data breaches like the one that occurred at Equifax," he said. "Credit unions should conduct a risk assessment for each new product offering and ensure that controls are in place to mitigate any identified concerns."

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).