What does a breach at business networking site LinkedIn have to do with you?

Who is the “go to” risk management professional in your IT group?

Risk management in financial services often equates to the risks associated with investment vehicles and loan portfolios. Risk management in the information processing side of the house is often coupled to IT security.

News Update, June 7, 2012: LinkedIn Hack Confirmed, Change Your Passwords

It has been reported that the business networking site LinkedIn has suffered a breach of perhaps more than 6 million account passwords. This should matter to your credit union. I'll offer some background.

At a recent NACHA conference I was listening to a financial platform vendor describe the care with which they construct their software, develop a rules console for the embedded risk engine, the testing, the training for the end users and so forth in an effort to provide a solid and safe financial environment for an institution's end users.

During the question-and-answer period that followed, another attendee asked if the risk engine was a “set it and forget it” technology or if the vendor provided continuing advice on its use. This question triggered a lively discussion that included conversation on the roles of vendors and the roles of risk analysts at financial services firms and how, or even if, technology is “risk managed” at different times.

The paradigm with which the session attendees were most familiar is the TSA's Threat Level color scheme. Yellow is an elevated threat level, orange is a high threat level and red is the code for a severe threat level. Airport visitors understand that when the threat level is red, air travel will be a little less convenient.

How does this tie together with the LinkedIn breach?

There is a possibility that some of your customers use LinkedIn. It's possible that, despite your best efforts to educate end users not to reuse passwords, some of the passwords for online accounts at your credit union may be strikingly similar or identical to those the customer chose for their LinkedIn account.

Who decides if this represents an elevated threat level at your institution? Can the scrutiny of online account activity be ratcheted up a bit for a higher, albeit remote, threat level?

During the discussion at the NACHA meeting it became clear that there are two types of financial institutions: those in which the roles of risk management relative to online and mobile channel technology are well defined, and those in which those roles are a little “fuzzier”.

Those who worked at the former felt that there were controls in place to more closely monitor accounts and transactions if the threat level were to go from orange to red. For instance, the use of phone-based out-of-band authentication for customer logons could be applied more liberally on a temporary basis.
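The control described above, a threat level that a risk analyst raises for a limited time and that makes out-of-band authentication kick in for more logons while it is in force, can be expressed as a small policy engine. The following is an added example written for this article; it is not code from Authentify, from the vendor at the NACHA session, or from any credit union's platform. The logon signals, the score weights, the per-level thresholds and the member identifier are all illustrative assumptions.

```python
"""Threat-level-driven step-up authentication policy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class ThreatLevel(IntEnum):
    """Institution-wide threat level, borrowing the article's color scheme."""
    YELLOW = 1   # elevated
    ORANGE = 2   # high
    RED = 3      # severe


@dataclass(frozen=True)
class LoginAttempt:
    """Signals available at logon time (field names are illustrative)."""
    member_id: str
    new_device: bool
    unusual_geo: bool
    failed_attempts_last_hour: int
    high_value_action: bool   # e.g. adding a payee or an external transfer


@dataclass(frozen=True)
class Elevation:
    """A temporary raise of the threat level that expires on its own."""
    level: ThreatLevel
    expires_at: datetime


# Risk score at or above which the logon must complete phone-based
# out-of-band (OOB) authentication. Raising the threat level lowers the
# threshold, so OOB is applied "more liberally" without retuning the scoring.
STEP_UP_THRESHOLD = {
    ThreatLevel.YELLOW: 60,
    ThreatLevel.ORANGE: 40,
    ThreatLevel.RED: 20,
}


def risk_score(attempt: LoginAttempt) -> int:
    """Additive score from logon signals (weights are illustrative)."""
    score = 0
    if attempt.new_device:
        score += 30
    if attempt.unusual_geo:
        score += 30
    score += 10 * min(attempt.failed_attempts_last_hour, 5)
    if attempt.high_value_action:
        score += 25
    return score


def effective_level(baseline: ThreatLevel, elevation: Optional[Elevation],
                    now: datetime) -> ThreatLevel:
    """Return the elevated level while it is in force, else the baseline.
    An elevation can only raise the level, never lower it."""
    if elevation is not None and now < elevation.expires_at:
        return max(baseline, elevation.level)
    return baseline


def decide(attempt: LoginAttempt, level: ThreatLevel) -> str:
    """'allow' or 'require_oob' for one logon at the given threat level."""
    if risk_score(attempt) >= STEP_UP_THRESHOLD[level]:
        return "require_oob"
    return "allow"


def simulate() -> list:
    """Constructed scenario: one member logs on from a device not seen
    before, once while a 72-hour RED elevation is in force and once after
    it has lapsed. Returns (level name, decision) pairs."""
    attempt = LoginAttempt("member-0001", new_device=True, unusual_geo=False,
                           failed_attempts_last_hour=0, high_value_action=False)
    now = datetime(2012, 6, 7, 12, 0, tzinfo=timezone.utc)
    elevation = Elevation(ThreatLevel.RED, now + timedelta(hours=72))
    results = []
    for t in (now, now + timedelta(hours=96)):
        level = effective_level(ThreatLevel.ORANGE, elevation, t)
        results.append((level.name, decide(attempt, level)))
    return results


if __name__ == "__main__":
    for level_name, decision in simulate():
        print(level_name, decision)
```

The point of separating `effective_level` from `decide` is that the analyst who owns the threat level never edits the scoring rules: the same logon that passes at orange is challenged at red purely because the threshold moved, and the elevation expires by itself, which avoids the temporary control quietly becoming permanent.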

Those who worked at the latter weren't sure how controls would be adjusted to meet an increased threat level. In a worst-case scenario, the wrong time to find out how your technology might adjust to an elevated threat level is after a compromise.

John Zurawski is vice president of sales and marketing at Authentify Inc. in Chicago.
