You're not safe.

That's the sentiment of John Prisco, president/CEO of Triumfant, a Rockville, Md.-based endpoint security provider that offers solutions for malware detection, remediation, monitoring and security management of endpoint computers.

“There shouldn't be a sense of security because it doesn't exist today, but we can't give up,” he said. “We have to keep trying with more innovative techniques to try and stop the adversary.”

Prisco has worked closely with financial institutions and government agencies to ensure their technology is not only compliant, but well-protected – something he said is lacking in most agencies and companies today.

“I mean, look at the Secretary of State,” Prisco said. “He said it's very likely that his emails are being read by the Chinese, the Russians and the North Koreans, and he writes them assuming that they are reading them. There's something very, very wrong with that picture.”

Earlier this month, Secretary of State John Kerry said in an interview with “CBS Evening News” that countries have consistently engaged in cyberattacks against America, and he writes his emails with that in mind. The interview came after NBC News reported Chinese hackers had been spying on the personal email accounts of top U.S. officials since 2010. Two weeks ago, the Joint Chiefs of Staff said Russian spies breached their unclassified email server, and last month, the Office of Personnel Management tried to explain in congressional hearings how Social Security numbers, bank account numbers, addresses and more belonging to 22 million Americans were stolen by the Chinese government for more than a year before the agency realized it was happening.

This comes on the heels of some of the largest attacks on private companies in American history: Confidential data from Sony Pictures Entertainment was leaked in November, JP Morgan Chase was breached last summer after an employee's login credentials were stolen, and debit and credit card information for 40 million accounts was stolen in 2013.

The problem, Prisco said, is most companies and government agencies don't care enough to provide adequate security.

“They can't feel safe and they shouldn't feel safe,” Prisco said, referring to consumers. “Because many of the companies and government agencies view security as an expense item that is to be controlled and minimized. Do you think OPM cared? I don't. They had ancient computers, they had very poor security. Do you think Sony Pictures cared? I don't. They had very lax security and it's only when somebody's exposed, then the lawyers spin it. They only care when they're in the hot seat. As long as that attitude persists, you're going to see these breaches, at least one a week.”

It may sound dire, but Prisco said he is a proponent of the “no spin zone,” and if small financial institutions don't watch the mistakes of those “too big to fail,” they will fall victim.

“Look at some of the biggest companies in the financial sector like JP Morgan,” he said. “Now they care. They spend an enormous amount of money on security, yet they were one of the biggest breaches in American history and why did that happen? Well it happens because they are listening to very well-marketed products that are spending hundreds of millions of dollars on marketing hype but their products aren't that good. Most of the security products out there today are just a notch above anti-virus, which is almost useless.”

And more regulations from the government aren't much better, he said.

“They're better than nothing, but not much better than nothing because compliance is not protection,” he said. “Compliance is just not enough. It helps to check the box, it helps with insurance, it helps the lawyers feel as if they're not liable, but at the end of the day consumers are still unprotected.”

Kari Anne Amosk, director of debit and checking consulting at the St. Petersburg, Fla.-based Advisors Plus, said credit unions are already complying with regulations and protecting their members, and that the CFPB should instead focus on how merchants and retailers can provide more protection.

Amosk joined Advisors Plus to help credit unions create the most effective strategies for maximizing their checking and debit card portfolio growth. She is currently assisting credit unions that may be subject to upcoming CFPB regulations regarding overdraft charges. Prior to joining Advisors Plus, she worked as a vice president and senior product manager at Key Bank.

“What needs to be done in terms of the pushing back is really on the merchants,” she said.

She added credit unions need timely disclosures from merchants, just as they must give timely notifications to their members.

“How soon do they have to tell us? What do they have to tell us? What's their responsibility and also, what needs to be done in terms of the cost?” she asked of merchants. “Who is ultimately responsible for that breach in terms of where it's occurred?”

But both Prisco and Amosk agree that the answer for credit unions is to focus on what they can control. And Prisco said credit unions need to go beyond checking the compliance box.

“The main problem is that there are 21st Century adversaries that are quite skilled and, today, we're all trying to fight them with 20th Century technology,” he said. “There's a gap between penetration and remediation so as more innovation occurs, it will get better. But innovation is not going to come from the large companies that are in the land-grab mode and trying to gain market share. Innovation is going to come from smaller companies that have bright people working on actually solving problems.”

Prisco said given the number of third parties that credit unions work with, they should focus on working with those that are using more advanced security techniques. He said products that rely on prior signatures and old intelligence platforms won't do the trick.

“Those platforms are all based upon signatures,” he said. “They're a half step in the right direction but the full step in the right direction is to use an analytics-based anomaly detection kind of product with continuously monitoring endpoints. There's no one product that is going to solve this problem 100%, but there is a defense strategy that will work and it will include a network-based approach. It will include an endpoint-based approach so that you can cut off some of the attacks as they penetrate the network, and those that get through those shields – and they always do – would be picked up on the endpoint by an anomaly protection product that can really see changes that occur and synthesize remediation without having signatures or any former prior knowledge.”

Prisco said he would suggest to consumers to only work with organizations that have a two-step login authentication system, so credit unions should also be employing that method.

“It's much harder when you're getting a key sent to your cell phone via text to complete your login,” he said. “It's much harder to steal somebody's credentials that way because they have to be on your computer and on your phone in order to do that and that's much harder to do. It's not good enough to put in your password and then tell them where you went to grammar school.”

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.