MADISON, Wis. (2/16/12)--Financial services account for about 35% of records compromised by data breaches, according to a 2011 Verizon study. Increasingly, cyber thieves are concentrating on financial service organizations with 10 to 100 employees, the size of many credit unions, the study said.
"Credit unions seem to fit the bill that cyber thieves are targeting," said Ken Otsuka during a CUNA Mutual Group webinar, "Cyber Risks and the Data Breach Hot Seat," on Wednesday. "They are looking for the path of least resistance, which often leads to credit unions."
Otsuka, senior consultant for credit union protection at CUNA Mutual, provided advice on how credit unions can manage cyber/data breach risk.
Encryption is the best starting point to mitigate risk, Otsuka said. "Confidential data at any point should be encrypted," he said.
Encryption should be used to secure communications and data storage, authentication credentials and the transmission of sensitive information. Encryption can be used not only when sending e-mails but also within operating systems, data servers and file systems, Otsuka said.
Credit unions should employ a data loss prevention (DLP) solution, Otsuka said. A DLP helps organizations determine where confidential information is located on file servers and networks. It helps control access and security and distinguishes between authorized and unauthorized users.
For example, a DLP can send a notification if an employee is attempting to download confidential data on a flash drive, Otsuka said.
Management of mobile technology also is a risk management area for credit unions, especially as credit unions increasingly use their personal smartphones for business purposes.
Encryption can help mitigate the risk presented by mobile technology, Otsuka said. Also, software is available that password-protects business data on mobile devices. Smartphones can attract viruses that could compromise business data, he added.
Credit unions are also increasingly providing their board members with tablets, which can download reports with confidential member data, Otsuka said. Again, encryption is an essential preventative. Tablets should be equipped with antivirus software and directors should be prohibited from downloading nonessential applications.
"There should be a corporate policy for the acceptable use of any mobile device," Otsuka said.