Whether you’re new to the financial industry or a seasoned veteran, grasping the basics of computer security is vital to protecting yourself, your organization, and your members from the harmful effects of hackers. And whether CUSO or credit union, there is a lot at stake, which is precisely why such high standards are held within the industry.
Failure to provide a robust and well-integrated computer security policy within your organization can have dire consequences in three primary areas: your obligations to members, your reputation, and your legal exposure.
In 2017, Equifax experienced a massive data breach which exposed the personal information of 147 million people. As with many of their kind, the breach was the result of multiple points of failure, but it was the overarching lack of discipline in security practices that would be criticized. Through the breach, Equifax had failed to properly secure the privacy of its members; suffered extensive damage to its reputation; and finally suffered legal consequences in the form of a $425 million settlement to support those exposed.
Subsequent research into the situation would reveal that the failures were mostly technical, but that they stemmed from individuals failing to follow best practices and procedures: namely, applying patches and renewing certificates.
As with all computer security, there will always be a network component and a person component. Networks need constant patching and auditing to ensure they are secured and no holes are available. It’s the role of employees to act as the human firewall that protects the network—from the network administrator to the CEO. It is everybody’s responsibility to ensure your organization is not at risk, and you can do so by following the three R’s of security:
Recognize: Understand and adhere to computer security best practices.
Respond: Act on any attempts to improperly access company data.
Report: Report and document any unusual activities or behavior.
The biggest threat to your credit union or CUSO may not be the network. Social engineering is often the weakest link in an organization’s layered security, because bad actors know precisely how to prey on our human nature to get through. They will use sympathy or a sense of urgency to convince individuals to act without going through the proper channels—an undisciplined staff might let somebody through and all it takes is one.
Email is by far the most common attack method, though phone calls and text messages are also used. Chances are you’ve seen attempts first hand. Spoofed emails purporting to be from your CEO or executives who need something right away. A “vendor” sending an invoice they need you to check urgently. A client who’s trying to access their account, but they just can’t for the life of them remember their password and they need to get in immediately…
All of these methods and more will be used to earn your trust and get you to click on something unsuspectingly, or to hand over information you are not meant to give out. Some specific tips for spotting these attempts:
- Be careful with emails—these can be made to look like they came from somebody you know, but the actual email address behind the familiar name is one you don’t recognize. Check the address, not just the display name.
- Are you expecting that attachment? If not, it might be worth checking in with the person before opening it. Attachments can contain malicious code that will use the opportunity to infiltrate your network.
- The same goes for links. Hover your mouse over the link to see its real destination, because it might not be sending you where the text says it will.
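The first and last of these tips can be turned into a simple automated check. The script below is an added example, not part of the original article: it parses a constructed sample message, flags a display name whose real address is on a domain other than your own, and flags a link whose visible text names a different host than its destination. The domain names and the sample message are assumptions made for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email): the display name claims to be
# the CEO, but the actual address is on an unfamiliar domain, and the link's
# visible text does not match where it really goes.
SAMPLE_MESSAGE = b"""From: "CEO Pat Jones" <pat.jones@mail-example-login.test>
To: staff@example-cu.test
Subject: Urgent wire approval needed today
Content-Type: text/html

<p>Please approve this before noon:
<a href="http://example-cu.test.verify-login.test/approve">https://portal.example-cu.test/approve</a></p>
"""

# Simple anchor extractor for the well-formed HTML used here; a real mail
# filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def _host(url):
    """Hostname of a URL, lower-cased; empty string if there is none."""
    return (urlparse(url).hostname or "").lower()

def find_warnings(raw_bytes, internal_domain):
    """Return one warning per red flag, mirroring the two tips above."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    warnings = []
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Tip 1: a familiar-looking display name on an address you do not recognize.
    if display and sender_domain != internal_domain.lower():
        warnings.append(f"sender '{display}' uses external address {addr}")
    # Tip 2: link text that claims one destination while pointing to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR_RE.findall(body.get_content()):
            shown = _host(text.strip()) if "://" in text else ""
            if shown and shown != _host(href):
                warnings.append(f"link displays {shown} but goes to {_host(href)}")
    return warnings

if __name__ == "__main__":
    for w in find_warnings(SAMPLE_MESSAGE, "example-cu.test"):
        print("WARNING:", w)
```

Run against the sample it reports both red flags; a plain message from an address on your own domain with no deceptive links produces no warnings.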
Also, beware of found USB drives! I know you’re curious to see what you might find on it, but what you might find is a virus left intentionally to infiltrate your system. (Your administrators might have even disabled PC USB ports, to the network’s benefit and your annoyance.) Turn any found drives over to IT so they can inspect them securely.
Though this is far from a full list of computer security best practices to follow, I hope it inspires in you a newfound appreciation for the importance of keeping your networks safe. After all, it’s a responsibility that falls on everybody, not just your network administrators.