MADISON, Wis. (12/26/13)--Splashy cybercrimes that feature devious hackers breaking through a giant bank's firewalls generally make front-page news. But that's far from the whole story about how consumers' confidential data gets into the wrong hands.
Research shows employee error puts sensitive data at risk far more often, Jay Isaacson, CUNA Mutual Group's credit union protection product management director, told the Credit Union National Association for the December issue of the Credit Union Front Line Newsletter.
The article was written well before Target announced last week that 40 million debit and credit card accounts were compromised in a breach. (See News Now story, "Breach Aftermath: CUs Rally to Help Members.")
Verizon data security experts analyzed more than 47,000 data "security incidents" in 2012. In these incidents, the exposure of sensitive data didn't necessarily involve a crime or result in monetary losses, but it revealed gaps and oversights that could be exploited.
"Error" ranks as the largest threat category, making up 48% of all incidents, according to Verizon's 2013 Data Breach Investigations Report. Errors included lost devices, errantly addressed emails and faxes, and publishing mistakes.
Threats caused by malware and "misuse"--which covers employees' violations of data-use policies--tied for second, at 20%.
All credit unions implement various network security measures to protect data against high-tech attacks. But, according to Isaacson, employees also can protect members' sensitive data with these measures:
- Double-check the destination of e-mails or fax numbers before hitting "send." Before sending e-mails that involve sensitive data to members or third-party vendors, first check the credit union's information security policies to determine if they permit transmitting members' confidential data. If so, best practices recommend sending only encrypted data.
- Avoid saving data to movable memory devices--and keep laptops secure if transporting them off-site. Laptops are a major target for thieves. Whenever possible, don't take a laptop containing members' confidential data out of the office. If laptops are taken off-site, they should never be left in plain sight in a car or unattended in a coffee shop or library, or in other situations that invite theft.
Member data saved to thumb drives, CDs or other portable media present a huge risk. That's why some credit unions lock down the USB ports and CD/DVD drives on their workstations.
Don't lose track of member data saved to external memory devices. Delete the data or destroy the disk as soon as the data are transferred.
- Properly destroy data devices. Data storage devices such as old tape drives, disks and computer hard drives should be rendered unreadable, just as old paper documents would be shredded.
- Beware of targeted phishing attacks. Financial services employees are at greater risk than the general public for phishing schemes. A common phishing attack tricks financial institution employees into opening an infected e-mail attachment or clicking on a link to an infected website. This automatically installs malicious software (malware) onto the work computer, possibly creating a back door into the credit union's network.
Criminals search social networks such as LinkedIn to discover employers, job titles, and e-mail addresses, and generally send phishing e-mails to a specific group of employees at a credit union--a tactic called "spear phishing."
Be careful about any e-mail that contains a link or file, even if it appears to be from a professional organization or social network. The credit union might have an acceptable use policy prohibiting employees from using credit union-owned computers for personal purposes, including surfing the Internet and/or checking personal e-mail.
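The article notes that some credit unions lock down the USB ports and CD/DVD drives on their workstations. The following is an added example, not from the article or from CUNA Mutual, showing one way a workstation administrator can audit and disable the Windows USB mass-storage and CD/DVD drivers by setting their service Start value to 4 (disabled); it assumes an elevated PowerShell session on a Windows workstation, and the function names are the example's own.

```powershell
# Added example (not from the CUNA article): audit and optionally disable the
# USB mass-storage (USBSTOR) and CD/DVD (cdrom) drivers on a Windows workstation.
# Start = 4 disables the driver; USBSTOR normally defaults to 3 (manual start).
# Run as Administrator. The change takes effect on the next reboot or device
# plug-in. Fleet-wide rollout is usually done with Group Policy or endpoint
# management rather than per-machine scripts.
$RemovableMediaDrivers = @{
    USBSTOR = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'  # USB mass storage
    cdrom   = 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'    # CD/DVD drives
}

# Report the current Start value for each driver and whether it is disabled.
function Get-RemovableMediaState {
    foreach ($name in $RemovableMediaDrivers.Keys) {
        $path  = $RemovableMediaDrivers[$name]
        $start = (Get-ItemProperty -Path $path -Name Start).Start
        [pscustomobject]@{
            Driver   = $name
            Start    = $start
            Disabled = ($start -eq 4)
        }
    }
}

# Enforce the lockdown by setting Start = 4 for both drivers, then re-audit.
function Disable-RemovableMedia {
    foreach ($name in $RemovableMediaDrivers.Keys) {
        Set-ItemProperty -Path $RemovableMediaDrivers[$name] -Name Start -Value 4 -Type DWord
    }
    Get-RemovableMediaState
}

# Audit only; uncomment the second line to enforce.
Get-RemovableMediaState | Format-Table -AutoSize
# Disable-RemovableMedia | Format-Table -AutoSize
```

Pair the setting with an audit report so the control can be verified after deployment, since a driver left at Start = 3 on one workstation quietly re-enables removable media there.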