How to Respond to Cybersecurity Incidents: Virtual Conference Update

September 7, 2016 Marketing GrafWebCUSO

Trends in cybercriminal attacks, and how credit unions should respond to them, were another hot-button focus at CU Times’ virtual cybersecurity conference, Defending Your Credit Union Against Data Breaches.

Natasha Chilingerian, managing editor at Credit Union Times, served as moderator for the panel discussion that included Alex Ricardo, privacy-breach response manager at Beazley; and Chad Carrington, vice president, IT, cybersecurity, and facilities at the $10.1 billion Sacramento, Calif.-based The Golden 1 Credit Union.

Ricardo cautioned, “A data breach is not always a disaster. Mishandling it is.” He explained that, as with other organizations that own personally identifiable information on employees as well as members, most of the threat or liability stems not from lawsuits or regulatory investigations but from a lack of experience in properly assessing, investigating, and responding to the privacy/data breach incident at hand.

“Many liability pitfalls arise in the course of those phases leading up to the possibility of lawsuits or regulatory investigations,” Ricardo said.

With respect to the causes of such incidents, Ricardo noted that Beazley saw a surge in spear phishing, malware intrusions via social engineering tactics, ransomware, and broken business practices such as a lack of ample encryption on portable media devices.

Ricardo suggested that, beyond some of the obvious measures from both a network security and a physical security perspective, the best way to protect against the liability that surfaces in a privacy/data breach incident is to have a robust incident response plan and proper employee education on privacy awareness.

Among other things, the incident response plan needs routine updating to stay current, and it must present clear, easy-to-use guidance in the midst of a crisis incident.

Carrington reviewed some of the cybercriminal trends seen at Golden 1 in the last six months. These included ransomware, with four incidents occurring within the credit union’s environment.

Carrington stated that eventually all organizations could face ransomware, so they must prepare. “Everyone needs to be diligent and ready to respond to it,” said Carrington. He added that credit unions should identify the intrusion and recover the data quickly.

Another cybercriminal trend seen at The Golden 1 is malicious email, particularly CEO phishing, also known as business email compromise.

“You have to be very diligent in looking at these things,” Carrington said. He warned that attacks touch many facets of the organization.