For credit unions, security isn't just about protecting the vault. It's about shielding sensitive information from determined, increasingly innovative cybercriminals, who continuously probe external defenses and devices.

And when it comes to external fraud threats, the size of the financial institution does not matter.

“Credit unions are faced with the same threat of external fraud as the regional and big banks,” Brian Reinger, workflow developer for the $8.6 billion, Chicago-based Alliant Credit Union, said.

Many institutions don't know enough about their data footprints, another expert said. From financial and credit card data to Social Security numbers and healthcare information, they often don't know what, how much or where personally identifiable information exists on their network.

“Sensitive data footprints are becoming hot topics, especially at the executive level, and organizations in all industries are concerned about how much sensitive data they have,” former ethical hacker and CEO of the New York City-based Identity Finder Todd Feinman explained.

Organizations must protect all sensitive data that could be used to commit identity theft when placed in the wrong hands. For credit unions, that means member data such as SSNs, addresses, drivers' licenses and birth dates.

Internal fraud will always be a problem, but there are a limited number of insiders who normally have direct data access, Eldon Sprickerhoff, chief security strategist for the Canadian firm eSentire, maintained.

“On the other hand, the threat from external attackers, thanks to the increase in organized criminal interest and activity, is still significantly greater,” Sprickerhoff said.

It's not just the hacker living across the globe and looking to attack infrastructure whom financial institutions need to worry about. It's also third parties such as those that service IT and ATMs, Dodi Glenn, vice president for the Sioux City, Iowa-based PC Pitstop, said.

“In some ways, smaller financial institutions are at greater risk of external fraud than the mega banks because they lack the resources and breadth of data to detect these attacks,” Agari Field Chief Technology Officer John Wilson pointed out.

Dusan Petricko, digital forensics and cybersecurity manager at the New York City-based LIFARS, noted some smaller financial institutions lack the technology, knowledge and resources to protect themselves adequately.

Sprickerhoff warned of the following broad categories of external fraud in which cybercriminals desire access to users' accounts:

  • Using a lean approach, they exploit individual accountholders. The individual accountholder must help prevent the loss of credentials (email and/or account) and the financial institution is responsible for detecting unusual behavior within the account.

  • Using a broad approach, the external attacker gains access through weaknesses within the financial institution's security stance to obtain sensitive data from a large number of individual accounts.

  • Another common approach is the business email compromise, in which a wire transfer request comes from a fake email account that looks legitimate.

The Anti-Phishing Working Group just announced the number of observed phishing attacks in the first quarter of 2016 hit a new high since it began tracking them in 2004. The APWG noted a 250% increase in phishing sites between October 2015 and March 2016, and the uptick indicated an alarming trend.

“Phishing of the credit union's employees is probably one of the biggest external risks, because it turns an employee into the unwitting agent of the criminal,” Wilson said.

Phishing or spear phishing through emails can also open the door to a devastating ransomware attack.

“Unfortunately, ransomware is getting increasingly more sophisticated and can now very successfully evade traditional ways of detection,” Petricko said.

Once ransomware strikes, there is essentially no way to continue doing business unless the victim's organization pays the ransom.

Another threat comes via ATM or point of sale card skimming and black box attacks.

“Card skimming attacks are increasing, especially in the U.S., and will continue as long as magnetic stripe cards are still being generated,” Terry Pierce, senior product manager for the Rancho Cucamonga, Calif.-based payments CUSO CO-OP Financial Services, said.

The number of ATMs in the U.S. compromised by criminals rose 546% in 2015 over 2014, analytics software firm FICO reported.

ATM attacks take place when external skimming devices, cameras and/or malware are attached to or placed near the machine to intercept card data and capture PINs.

“The black box attack is another form of skimming where the perpetrators cut holes on the top of the ATM to gain access to the ATM,” Pierce explained. “The black box, which is an external electronic device, is connected to the ATM, which controls the ATM to dispense cash.” According to recent data, black box attacks are on the rise in Europe and migrating to the U.S.

To fend off these attacks, Pierce recommended credit unions follow PCI DSS best practices, set limits on all cards and products, harden operating systems and stay up to date with patches.

The speed of payments is helping to increase the likelihood of fraud, Michael Lynch, chief strategy officer for the Boston-based InAuth, said. In the past, back-office employees had more time to look for potential fraud.

“Now the industry is preparing for this real-time payments world and that is going to be a key driver of fraud,” he said.

A typical fraud deterrent technique used during authentication is to recognize a device with a specific person's credentials, Lynch explained.

“Device recognition is really important,” Lynch said. “Then we assess the risk factor of the device itself.”

While the real-time payments push is great for the consumer, it isn't so great for fraud protection, he added.

“Any time in my experience we do anything faster with no time for a manual review, we see fraud,” Lynch said.

Personal data is at the core of both the problem and the solution.

“Big data is what every financial institution is striving to get a better handle on because data drives the business, from security to products and everything in between,” Steve Comer, sales manager of financial services for the Westlake, Ohio-based Hyland, said. “The ever present challenge is sifting through the data to find the relevant information.”

Comer explained technologies with advanced capabilities to take data, recognize patterns, and provide more relevant and accurate information in less time and in a more automated fashion do exist today. The key is connecting the dots between the systems where all of this data exists and maintaining accurate network intelligence.

Financial institutions fall short when it comes to understanding how much sensitive data they have because the concept is new to them, Feinman said. He suggested credit unions first focus on identifying the risk and the problem.

“You start to look at, where is all my sensitive data, who has access to it, when was the last time we even used it?” he said. “Some organizations have petabytes of information. Even the smallest organization will have multiple terabytes.”

He added protecting sensitive data requires the right technology; people in the organization who can implement, use and operate it; and good processes. He also recommended credit unions take three steps: Identify their sensitive data footprint, reduce that footprint and figure out how to protect it.

Sometimes that requires getting rid of unneeded data by digitally shredding it, which involves permanently overwriting the data with junk data and then deleting the overwritten data. In some cases, the solution is redaction, replacing sensitive data with characters or symbols, or encryption.
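
The identify and redact steps described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it names; the patterns, function names and sample records are assumptions made for illustration.

```python
import re
from collections import Counter

# Candidate patterns (assumed); real discovery tools cover many more identifiers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(m: re.Match) -> bool:
    """Reject area/group/serial values that are never issued."""
    area, group, serial = m.groups()
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def scan_and_redact(text: str):
    """Return (redacted_text, Counter of findings by type)."""
    found = Counter()
    def ssn_sub(m):
        if not plausible_ssn(m):
            return m.group(0)          # leave look-alikes untouched
        found["ssn"] += 1
        return "XXX-XX-" + m.group(3)  # keep the last four digits
    def card_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        found["card"] += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    text = SSN_RE.sub(ssn_sub, text)
    text = CARD_RE.sub(card_sub, text)
    return text, found

# Constructed sample records (not real member data).
SAMPLE = (
    "Member 1001 SSN 123-45-6789 card 4111 1111 1111 1111\n"
    "Ticket 000-12-3456 ref 1234 5678 9012 3456\n"
)

if __name__ == "__main__":
    redacted, counts = scan_and_redact(SAMPLE)
    print(redacted, dict(counts))
```

The per-type counts are the footprint measurement; the second sample line shows why validation matters, since both of its digit runs look like identifiers but fail the checks and are left alone.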

Experts made several other recommendations for protecting against external threats.

“Anything that can help improve the nonrepudiation of credential use will aid in minimizing the threats of external fraud,” Sprickerhoff said.

This could include the use of two-factor authenticators.

“Strong encryption and access restrictions on systems where credentials are stored in bulk will aid in minimizing the threat against large-scale account heists,” he said.

Yorgen Edholm, CEO at the Palo Alto, Calif.-based Accellion, said, “People learn by experience. When it comes to threats, the experience we had from a year ago or two years ago is not at all the experience we should rely on. Once these guys find a vulnerability, they will use that.”

Edholm suggested providing secure private cloud file sharing and collaboration; offering a secure, single point of access to content stored in existing enterprise content sources; and managing enterprise content across all laptop, desktop and mobile devices.

Wilson added credit unions must ensure all operating systems and computers are updated with the latest security patches and running anti-virus software.

The key to minimizing threats is early detection, Comer added.

“It seems simplistic, but the earlier the data can be analyzed and the earlier the triggers are identified, the easier it is to rectify and/or stop entirely,” he said.

Reinger also emphasized the importance of training the frontline and investing in real-time fraud tools to detect fraud and stop any risk of a loss on day one.

“Credit unions have to invest in monitoring tools and review anything out of the norm that their employees do,” Reinger said. “We start by conducting a thorough background check on employees with a rigorous interview process. However, internal controls still need to be set, as well as creating reports for fraud investigators to look at for unusual patterns of behavior.”
