What does a breach at business networking site LinkedIn have to do with you?
Who is the “go to” risk management professional in your IT group?
Risk management in financial services often equates to the risks associated with investment vehicles and loan portfolios. Risk management in the information processing side of the house is often coupled to IT security.
News Update, June 7, 2012: LinkedIn Hack Confirmed, Change Your Passwords
It has been reported that the business networking site LinkedIn has suffered a breach of perhaps more than 6 million account passwords. This should matter to your credit union. I’ll offer some background.
At a recent NACHA conference I was listening to a financial platform vendor describe the care with which they construct their software, develop a rules console for the embedded risk engine, the testing, the training for the end users and so forth in an effort to provide a solid and safe financial environment for an institution’s end users.
During the question-and-answer period that followed another attendee asked if the risk engine was a “set it and forget it” technology or if the vendor provided continuing advice on its use. This question triggered a lively discussion that included conversation on the roles of vendors and the roles of risk analysts at financial services firms and how or even if technology is “risk managed” at different times.
The paradigm with which the session attendees were most familiar is the TSA’s Threat Level color scheme. Yellow is an elevated threat level, orange is a high threat level and red is the code for existing severe threat level. Airport visitors understand that when the threat level is red, air travel will be a little less convenient.
How does this tie together with the LinkedIn breach?
There is a possibility that some of your customers use LinkedIn. It’s possible that despite your best efforts to educate end users not to reuse passwords, some of the passwords for online accounts at your credit union may be strikingly similar or identical to those the member chose for their LinkedIn account.
Who decides if this represents an elevated threat level at your institution? Can the scrutiny of online account activity be ratcheted up a bit for a higher, albeit remote, threat level?
During the discussion at the NACHA meeting it became clear that there are two types of financial institutions; those in which the roles of risk management relative to online and mobile channel technology are well defined and those in which those roles are a little “fuzzier”.
Those who worked at the former felt that there were controls in place to more closely monitor accounts and transactions if the threat level were to go from orange to red. For instance, the use of phone-based out-of-band authentication for customer logons could be applied more liberally on a temporary basis.
Those who worked at the latter weren’t sure how controls would be adjusted to meet an increased threat level. In a worst case scenario, the wrong time to find out how your technology might adjust to an elevated threat level – is after a compromise.