Security at financial institutions – both physical premise security and data security – is much weaker than one might think. That's what Jim Stickley has discovered in his more than 20 years of hacking into systems and robbing facilities for the purpose of testing the strength of organizations' defenses.

The founder and CEO of the San Diego-based identity theft and fraud education firm Stickley on Security, and the keynote speaker for CU Times' upcoming Data Breach Defense Virtual Conference, Stickley was a self-professed “nerdy kid” who spent his youth working on computers and hacking into them a bit for fun (he stressed that nothing malicious ever occurred, however).

When he got older, he wrote software and worked as an auditor for various companies, and in the process, he began to notice numerous system flaws and vulnerabilities that needed addressing. Those discoveries led him to a career in security testing, which proved to be eye-opening both for him and the organizations he tested.

“I had to convince them that they needed their security tested,” Stickley said of his early days as a tester. “It was like selling ice to Eskimos. They'd say, 'I'm secure, and I don't need to be told otherwise.' Half of that was arrogance and the other half was being naïve. Now they understand that there are vulnerabilities everywhere, and it's not a matter of your budget or anything, it just happens. And it's better to find out what your vulnerabilities are than to have a criminal find out for you.”

During his on-site testing jobs, Stickley often dressed up as an individual who is known to be trustworthy, such as a fire inspector. About four years ago, he said, he and a colleague gained access to a financial institution branch by pretending they were air conditioner repairmen. Unfortunately, the institution's security failed big time, as they managed to steal its backup server without any problem.

“We literally unplugged it from the wall and carried it out the door,” he said. “Employees were watching me, and no one said a word. One employee was outside in her car – we always had someone waiting outside when we stole stuff so we wouldn't go too far away with their property – and the look on her face was of sheer terror.”

While Stickley said he has seen a distinct improvement in employees' awareness of potential threats since he began his career, financial institutions are still at great risk of being hacked and are typically only as strong as their weakest link.

“Nowadays, if someone really focuses on your organization, it's not a matter of if you're going to get hacked, it's a matter of when,” he said. “It's like a terrorist. All you need is one terrorist to carry out an attack, and all you need is one employee to make a mistake.”

As a security tester, Stickley spent the majority of his time hacking into companies' systems remotely. One tactic that often tricked users was the bogus e-card, he said. He also entered facilities and installed keyboard loggers to access information at a later time, and physically stole items such as servers, drives, documents, phones and laptops.

What prevented many organizations from keeping their information safe, he discovered, was a lack of adequate employee education. So, two years ago, he founded Stickley on Security with the goal of addressing that very issue. Through its SOS Advisor, SOS Executive and Employee EDU solutions, his firm helps organizations and their customers, executive teams and employees stay informed of and prepared to combat the latest threats.

“One thing that frustrates me the most is the shifting of security budgets to products, when the main problem is education,” he said.

Many organizations, he said, tend to host one-day security training sessions for their employees once or twice a year; however, this strategy is not effective enough to fight fraud and identity theft. Instead, Stickley recommends scheduling quarterly training sessions in addition to deploying two to three emails per week that inform employees of the latest threats.

An organization's website is also an important tool for providing fraud and identity theft education to customers or members. Stickley said it's important to keep this portion of a website simple by focusing on three key points – what the risk is, how it can affect customers or members, and what they can do to fight it – as opposed to publishing “doom and gloom” content.

When asked what he thinks are the biggest threats credit unions face today, Stickley said scams that originate via email top the list. He said he even favors banning all email traffic from outside the credit union if possible. Web browsing poses another huge risk, he said, as cybercriminals have begun to use online advertisements as a front for malware.

In addition to running his education-focused security firm, Stickley serves on several corporate boards and appears as a speaker for corporations, security-related conferences, seminars and forums, covering topics that range from basic identity theft to national cyber terrorism. He's also shared his security insights as a guest on numerous national television shows, including NBC's “Nightly News” and the “Today Show,” CNN's “NewsNight,” CNBC's “The Big Idea” and Anderson Cooper's “Anderson.”

For CU Times' virtual cybersecurity conference, he'll be delivering the opening keynote, “Know Your Vulnerabilities: Credit Unions Are Only as Secure as Their Weakest Links,” which will cover data breach trends, how to beef up security measures to stand up to the latest cybercrimes and how to educate employees at every level of the credit union to actively prevent attacks.

CU Times' free virtual cybersecurity conference, “Data Breach Defense,” runs from 10 a.m. to 5 p.m. ET on Tuesday, Oct. 6. To register, visit CUTimes.com/DataBreachDefenseConference.

Natasha Chilingerian

Natasha Chilingerian has been immersed in the credit union industry for over a decade. She first joined CU Times in 2011 as a freelance writer, and following a two-year hiatus from 2013-2015, during which time she served as a communications specialist for Xceed Financial Credit Union (now Kinecta Federal Credit Union), she re-joined the CU Times team full-time as managing editor. She was promoted to executive editor in 2019. In the earlier days of her career, Chilingerian focused on news and lifestyle journalism, serving as a writer and editor for numerous regional publications in Oregon, Louisiana, South Carolina and the San Francisco Bay Area. In addition, she holds experience in marketing copywriting for companies in the finance and technology space. At CU Times, she covers People and Community news, cybersecurity, fintech partnerships, marketing, workplace culture, leadership, DEI, branch strategies, digital banking and more. She currently works remotely and splits her time between Southern California and Portland, Ore.