Security Lessons for Credit Unions Post Target Breach
As we learn more about the mechanisms behind the massive Target data breach, the very real risks posed by third-party network access come into sharper focus. Credit unions, like organizations in nearly every other sector, often rely on vendors and other external partners to perform a variety of functions, such as payroll processing, benefits administration, facility maintenance and even employee training.
While these outside relationships are crucial, vendors’ access to sensitive data must be closely managed as part of the organization’s broader breach prevention strategy. Fortunately, credit unions have a number of tools available that can reduce the risk of vendor access and help the company maintain a strong security posture.
The implementation of effective security protocols begins with a determination of which data sets require the highest levels of protection. Credit unions and other financial institutions manage and store many different types of highly confidential data – member account numbers, Social Security numbers and other personal information.
Different types of information require different levels of protection, and a strategy that assumes all data should receive the same level of protection quickly becomes either prohibitively expensive or unworkable. A one-size-fits-all approach either applies weak security to sensitive information or makes routine, non-confidential information so tightly locked down that it becomes difficult to access, inhibiting daily activities that are essential to operations and customer service.
By separating data sets and stratifying the levels of security accordingly, credit unions can more easily grant and manage appropriate access levels for third parties.
With the list of sensitive data sets and their corresponding locations in hand, credit unions should next identify which vendors have access to those protected assets. If blanket access levels have been established, there will likely be a subset of vendors with login credentials that grant them access to information far beyond their needs. In addition, there exists a potential that vendors who no longer provide services may still have network access.
Employees should never share login credentials with each other or with vendors or visitors. The vendor, in turn, should notify you immediately when a previously credentialed employee leaves so that access can be terminated. Automatic account expirations, affirmative renewals of third-party account access by the individual who manages the contractor or vendor, and periodic audits are the recommended methods for removing access for those no longer working with your credit union.
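The account-hygiene controls just described (automatic expiration, affirmative renewal by the contract owner, periodic audit, and comparison of granted access against the stratified data tiers from the previous section) can be reduced to a repeatable check. The following is an added example, not code from the original article; the tier names, the 90-day renewal window and the three vendor accounts are constructed for illustration.

```python
"""Vendor-access audit: flag third-party accounts that should be disabled,
renewed, or trimmed back to what the contract actually needs.
Added example; data tiers, policy window and account records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Stratified data tiers, least to most sensitive (constructed labels).
TIERS = {"public": 0, "internal": 1, "member_pii": 2, "account_numbers": 3}

# Constructed policy: the contract owner must affirmatively renew at least quarterly.
RENEWAL_WINDOW = timedelta(days=90)


@dataclass
class VendorAccount:
    account_id: str
    vendor: str
    contract_active: bool      # is the vendor still under contract?
    expires: date              # automatic expiration date set on the account
    last_renewal: date         # last affirmative renewal by the contract owner
    granted_tiers: set         # data tiers the login can actually reach
    needed_tiers: set          # data tiers the contracted work requires


def excess_tiers(account):
    """Tiers granted beyond need, ordered from least to most sensitive."""
    return sorted(account.granted_tiers - account.needed_tiers, key=TIERS.get)


def audit(accounts, today):
    """Return (account_id, finding) pairs for every control that fails."""
    findings = []
    for a in accounts:
        if not a.contract_active:
            findings.append((a.account_id, "contract ended but account still enabled"))
        if a.expires <= today:
            findings.append((a.account_id, "account is past its automatic expiration"))
        if today - a.last_renewal > RENEWAL_WINDOW:
            findings.append((a.account_id, "affirmative renewal overdue"))
        excess = excess_tiers(a)
        if excess:
            findings.append((a.account_id, "access beyond need: " + ", ".join(excess)))
    return findings


# Constructed sample: one well-managed account, one over-privileged and
# stale account, and one account left behind after a contract ended.
SAMPLE_ACCOUNTS = [
    VendorAccount("payroll-svc", "PayrollCo", True,
                  date(2014, 6, 30), date(2014, 1, 15),
                  {"internal", "member_pii"}, {"internal", "member_pii"}),
    VendorAccount("hvac-remote", "FacilityCo", True,
                  date(2014, 3, 1), date(2013, 9, 1),
                  {"internal", "member_pii", "account_numbers"}, {"internal"}),
    VendorAccount("training-legacy", "OldTrainingCo", False,
                  date(2013, 12, 31), date(2013, 10, 1),
                  {"internal"}, set()),
]


def run_sample(today=date(2014, 2, 1)):
    """Audit the constructed sample as of a fixed date."""
    return audit(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for account_id, finding in run_sample():
        print(f"{account_id}: {finding}")
```

In practice the account list would come from the directory or VPN concentrator and the needed tiers from the contract register; the point of the script is that each finding maps to a specific remediation (disable, renew, or reduce entitlement) and that the audit can be rerun on a schedule rather than performed once.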
Spotting Potential Gaps
With the most valuable information assets segregated and identified, security assessments can be focused on these areas to identify potential gaps along the access pathways to them. Take the time to periodically examine how vendors gain access to your network and what is accessible once they have been authenticated. Consider exposures beyond the point of connection as well: a vendor’s “BYOD” or remote access policy can provide an attack vector into your organization if that vendor lacks adequate measures to monitor and block attacks on those endpoints, since a compromise there can pivot into your network.
Along with internal measures, credit unions should attend to any potential security exposures that may exist on the vendors’ side of the equation. Require that external partners employ security safeguards commensurate with the value of the data you are entrusting to them and that they conduct security training for their employees and contractors. If your sensitive data leaves your network, ensure that strong encryption is used during transit as well as during storage and track the return or final disposition of your data.
Any security gaps can now be closed, either with technology or with process. If the responsibility for a security measure falls to the vendor and is not in your control or line of sight, it is best to specify in the legal agreement with that vendor exactly what protocol is to be followed, how you will be able to audit or confirm that it is being followed, and what should occur if it is not followed. Ensure that workers and vendors alike understand that they are not to share their account ID or password, and instruct them on the proper procedure for refusing and, if the refusal is not accepted, reporting any request to share credentials as well as other potential security breaches.
Finally, in this era of ever-tightening compliance mandates, it’s important that credit unions never rely solely on compliance as assurance that information is secure. It is fairly common for “compliant” organizations to experience a data breach. Regulations, which are necessarily slow to develop and evolve, typically trail technology, which changes rapidly. Compliance often falls below the threshold of sufficient security, and it is incumbent upon the individual organizations to determine and communicate to their vendors how their information and their customers’ information are to be protected.