Credit Unions Concerned About Insider Threats: Survey
The majority of credit unions have serious security concerns regarding insider threats according to the results of survey conducted by Westport, Conn.-based Awareness Technologies in partnership with the CUNA Strategic Services.
Results indicated that 83% of surveyed financial institutions admit their biggest concern is confidential information transferred to unauthorized recipients, while another 52% say they are worried about sensitive data being transferred by use of removable media.
Even more concerning, 77% of all credit unions surveyed said they do not believe or were unsure if they had complete protection regarding internal data threats. However, 62% stated they already have security controls in place.
Those last two statistics were alarming, Awareness said in a press release, because it suggested the overwhelming majority of credit unions surveyed did not believe they had enough protection regarding data threats that occur internally.
Part 748 of NCUA’s regulations specified among other things that credit unions must develop appropriate security programs, establish risk assessments and control measures, assist in the identification of persons who commit or attempt actions and crimes — knowingly or accidentally — that could result in data breaches and other security threats. Credit unions must also develop direct response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems—including appropriate reports to regulatory and law enforcement agencies.
“The demand for insider threat protection is growing, but it’s often an expensive and demanding process,” Michael Goldberg, vice president of corporate marketing for Awareness, said. “But we pride ourselves on making sure these solutions are cost-effective and easy to use and implement.”
Awareness Technologies provides internal threat management solutions that provide uniform coverage for on-site, remote and traveling employees.
The survey results came just as news broke that because of AT&T data breaches, which exposed about 280,000 U.S. customers' names and full or partial Social Security numbers, the company agreed to pay a $25 million civil penalty to settle a Federal Communications Commission investigation into the consumer privacy violations.
The breaches took place at call centers used by AT&T in Mexico, Colombia and the Philippines, when employees accessed sensitive customer data without adequate authorization. Those employees took payment from third parties in exchange for customer names and Social Security numbers that could unlock stolen cell phones for sale on secondary markets, the FCC said.
At an international gathering of computer security professionals in March, all but 2% of respondents surveyed believed the law should address data breaches that expose consumers' personal information, and 16% advocate criminal charges against offending companies' CEO or board members. The respondents, 102 of the 700 IT security pros attending the E-Crimes Congress in London, said legal punishments should include fines (65%), mandatory disclosure (68%) and compensation for the consumers affected (55%).
Conducted by security solutions provider Websense at the event, the survey also found a sizable majority (70%) believe the CEO is ultimately responsible in the event of a data breach, followed by those who believe responsibility lies with the chief security officer (13%), board members other than the CEO or CSO (9%), the IT department (5%) and the individual employee involved (4%).