LAS VEGAS — It’s something credit union executives dislike talking about. But the fact is that the biggest information security risk to most institutions is their employees.
Speaker after speaker on day two at the CU Infosecurity Conference in Las Vegas on Thursday hammered home that contention because, they said, at their root a lot of insecurity just boils down to people problems.
The meeting room in the Platinum Hotel was filled with executives from dozens of credit unions, including MECU of Baltimore, Maryland, Hughes FCU of Tucson, GeoVista CU of Hinesville, Ga., and XCEL FCU from Bloomfield, N.J.
The speakers had their ears because the messages were lively. “People are our greatest risks.
“Ninety-seven percent of data breaches involve human failure,” said Reg Harnish, founder of GreyCastle Security in Troy, N.Y. But he quickly amended that: “The biggest risk is not people. It’s the [expletive deleted] training they get.”
People, he indicated, are not born with innate knowledge of phishing attacks and malware and other threat vectors. But they can be taught.
Harnish stressed that to be effective education has to be “relevant, continuous, engaging, and short so people can absorb it.”
“We can reduce susceptibility. But you have to put the effort in,” said Harnish, who added that when employees slip up, seize the opportunity to teach. “Don’t wait three weeks. Right there, train them.”
It wasn’t just people threats that got emphasized on day two. Mike Eaton, an executive with Maryland CUSO Ongoing Operations, gave a brief talk about cloud computing that emphasized a couple of key points.
The first is that when a credit union truly embraces cloud computing this allows “IT to move from a technical to a business focus,” that is, the IT staff can stop fighting tech fires and instead concentrate on how better information management can advance the business objectives of the institution.
His other point was that a lot that is called cloud isn’t. True cloud, said Eaton, “is computing that is not local to the customer, it is not owned by the customer, and it is not maintained by the customer.”
“Cloud,” he acknowledged, “is not for everyone.”
But for many it is coming into focus as a very good solution indeed.
A closing speaker was Jay McLaughlin, chief security officer at Q2ebanking in Austin, Texas, and his message was dramatic: “You,” he said to the room full of IT executives, “are no longer driving technology to your members. They are driving technology to you.”
He added: “The device used for mobile banking does not matter. What does matter is that you cannot secure it.”
That, of course, changes the whole security mindset.
McLaughlin acknowledged that so far mobile banking threats have not amounted to much, but, he predicted, you ain’t seen nothing yet. To date crooks have focused on online banking because that is where the money is. But as the mobile channel grows, their attention is shifting.
“I believe they have exploits teed up, ready to be unleashed. They are coming our way.”
One solution: start viewing members as part of the security solution, said McLaughlin. Get them using two-factor authentication and receiving account activity alerts and this makes them part of the solution.
“Use your members as a line of defense,” he urged – and good things just may begin to happen.
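The two controls McLaughlin recommends, a second authentication factor and account activity alerts, look like this in practice. The following is an added example and is not code from the article or from Q2ebanking: a minimal RFC 6238 TOTP verifier (the standard behind most authenticator apps) and a simple alert rule run over a constructed set of account events. The event schema, the `activity_alerts` rule, the device ids and the amount threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 TOTP defaults: 30-second time steps, 6-digit codes, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one counter value (dynamic truncation)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """TOTP code for the time step that contains Unix time `at`."""
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either
    side, so a member whose phone clock drifts slightly is not locked out.
    The comparison is constant-time so timing does not reveal matching digits."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = hotp(secret, at // STEP_SECONDS + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed sample of account activity, in a hypothetical event schema.
SAMPLE_EVENTS = [
    {"member": "m-1001", "kind": "login", "device": "dev-A", "amount": 0},
    {"member": "m-1001", "kind": "login", "device": "dev-Z", "amount": 0},
    {"member": "m-1001", "kind": "transfer", "device": "dev-Z", "amount": 2500},
    {"member": "m-1001", "kind": "transfer", "device": "dev-A", "amount": 40},
]


def activity_alerts(events, known_devices, large_amount=1000):
    """Return the alert messages a member should receive: a login from a
    device not previously enrolled, and any transfer at or above `large_amount`.
    `known_devices` maps member id -> set of enrolled device ids (assumed schema)."""
    alerts = []
    seen = {member: set(devices) for member, devices in known_devices.items()}
    for ev in events:
        devices = seen.setdefault(ev["member"], set())
        if ev["kind"] == "login" and ev["device"] not in devices:
            alerts.append(f"{ev['member']}: login from new device {ev['device']}")
            devices.add(ev["device"])  # enrolled once the member has been told
        elif ev["kind"] == "transfer" and ev["amount"] >= large_amount:
            alerts.append(f"{ev['member']}: transfer of {ev['amount']} from {ev['device']}")
    return alerts


if __name__ == "__main__":
    # Demo secret from the RFC 4226/6238 test vectors; a real deployment
    # generates a random per-member secret at enrollment.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("current code:", totp(secret, now))
    print("verifies:", verify_totp(secret, totp(secret, now), now))
    for line in activity_alerts(SAMPLE_EVENTS, {"m-1001": {"dev-A"}}):
        print("alert:", line)
```

The `window` of one step on each side is the usual trade-off between clock drift and replay exposure; the new-device alert fires once and then treats the device as enrolled, so the member sees the first use of an unfamiliar device rather than a stream of repeats.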