Onsite Coverage: New Times, New Security Threats
LAS VEGAS — About 50 credit union IT executives filled the room at the annual Credit Union Infosecurity Conference and, on day one, they heard presentations about new threats in a new era as speakers offered insights into social media and document management.
A key message: “Social media impact your credit union whether you have them or not,” said Mike Kiefer, general manager at reputation management firm BrandProtect.
His point in Wednesday’s session at the Platinum Hotel and Spa was that whether or not a credit union uses Facebook or Twitter or Google+, its members and maybe also its employees already are talking about the institution online, and a savvy credit union takes steps to listen in on the conversation.
“It’s not about you. It’s about them,” said Kiefer. He added that many experts now classify social media as “a top five business risk.”
Kiefer stressed that a credit union needs to have an employee social media policy – what can and what shouldn’t they say online?
Ditto for a vendor social media policy. What can they say about the institution?
Particularly worrisome, said Kiefer, are what he called “rogue” executive and corporate sites, which are social media pages that purport to belong to, say, a credit union CEO or the credit union itself but are erected by imposters.
He flashed a slide of a rogue site that plagued Bank of America for several days until Google took it down. If that can happen to the biggest, Kiefer suggested, it certainly can happen to smaller institutions.
The antidote is straightforward: “Register your social domains. Claim the corporate pages and also the executive pages,” he urged.
He also stressed that credit unions need to “continually revise their social media policy for employees, agents and contractors” and in that effort, they also need to raise security awareness.
Still more worries were aired by Steve Comer, an executive with document management company Hyland Software, who warned “this is an area often overlooked in security.”
The problem, of course, is that documents contain sensitive member information, and if it is released by an employee – typically in a careless mistake, but occasionally as a result of malicious intent – there are substantial hits on reputation that can lead to lost revenues.
Comer offered pungent advice: “If it isn’t needed, don’t store it.” Many institutions, he stressed, create troubles for themselves by hanging onto information long after it ceased to have a business value.
That is why he stressed that, “first and foremost, every credit union needs a document retention policy.”
Another key to good document management: “Restrict access to member data on a need to know basis.” A teller, for instance, rarely would have a valid need to know a member’s full Social Security number and Comer’s point is that sound policy is “to give people the least privileges necessary.”
He also stressed that every user needs a unique ID to access member data, a practice not always followed, he said, with many institutions using a generic access ID – such as “CU-USER1” – which makes it nearly impossible to determine who accessed what, if and when problems arise.
Among the credit unions attending this three-day event - which bills itself as the only conference specifically focused on credit union security - are Stanford Federal Credit Union in Palo Alto, Calif., Hughes Federal Credit Union in Tucson, Ariz., Kansas State University Federal Credit Union in Manhattan, Kan., and Southland Credit Union in Los Alamitos, Calif.