Internal and external fraud, whether part of technological-based scams or executive embezzlements, was a really hot-button issue at CU Times’ virtual cybersecurity conference, Defending Your Credit Union Against Data Breaches.
Michael Ogden, executive editor of the Credit Union Times, was the moderator for a panel including Elizabeth Allison, information security officer for $2.4 billion Biloxi, Miss,-based Keesler FCU; Ann Davidson, vice president of risk consulting for Allied Solutions; and Peter Strozniak, fraud reporter for the Credit Union Times.
Allison talked about the importance and evolution of security training and provided tips on developing a program, which includes social engineering preparedness, testing, and benchmarking assessments.
“It’s not just an IT thing anymore, humans are the weakest link,” Allison warned one employee can cause a data breach. She also suggested policies and procedures are worthless if not followed.
Strozniak used recent credit union cases to provide insights and lessons on how to detect or prevent internal fraud. “How did they get away with it and why?” he asked and answered.
Strozniak described how embezzlers are successful in a number of ways. He offered a word of caution and common sense: “Just because a CEO or other executive is a control freak, does not means he or she is an embezzler.”
However, very controlling executives could be a warning sign for boards. Then there are the manipulators as well.
He offered internal fraud prevention techniques such updating internal controls. “Regulators say they are key to eliminating internal fraud,” Strozniak said. Then test the controls, use them and always, trust but verify.
Strozniak also suggested getting the right auditor helps detect unusual activities; and establishing and a whistleblower option.
Davidson described today’s cyberthreats as sophisticated. “Your credit union may be impacted by both the internal risk and external risk of your members.”
Pro-active action helps keep credit unions ahead of the threats. “Most attacks are perpetrated by external players, as opposed to internal employees,” Davidson said. “Attackers are mainly going for payment and financial institution data, which they can quickly convert into cash.”
The bad news is that hacking and malware are the most popular cybercriminal methods. The really bad news is attackers are faster at breaching systems.
Because phishing attacks are not going away, Davidson recommended taking extra caution when clicking on an email individuals are not expecting to receive and not to open email attachments.
“It’s not a matter of if but when,” Davidson said. Fraud remediation and recovery plans helps mitigate financial and nonfinancial fraud wherever it occurs. “Don’t wait until the credit union or members notice the risk or fraud.”
Davidson also pointed out the importance of collaboration, “Working together is key for the success of credit unions and their members.”
