Keeping data security in-house
Though many of its policies were in place before news of the Equifax breach came out, Mountain America CU is doubling down on its approach to protecting member data.
Unlike the data breach that hit Target in 2013, analysts say the Equifax breach was monumentally perplexing because the company’s mission is to protect its 143 million clients’ data — many of whom are or were credit union members.
“If a company that manages the most sensitive financial information belonging to a majority of the people in this country isn’t implementing careful security measures and patching known vulnerabilities, it is a strong indicator that security is clearly not a high priority for companies until after a breach occurs,” said Henry Carter, assistant professor in the Computing Sciences Department at Villanova University.
Carter explained that the attackers exploited a breach in a web application tool that was known to exist in March, but “for some reason” remained unpatched for several months. Making matters worse, Equifax knew about the breach for more than six weeks before making a public announcement. The company’s CEO, Richard Smith, has since stepped down.
MACU GETS PROACTIVE
Prior to the Equifax breach, Mountain America Credit Union took proactive in-house measures to protect its 680,000 members, including ID protection service, alerts, code words and mobile solutions.
“As long as we live in a world where stolen information is profitable to hackers, we will have to continuously improve our security measures,” said Tony Rasmussen, VP of public relations and financial education at Mountain America. “As an industry, we can neither control nor predict the next breach, so it makes sense to invest in a variety of innovative solutions that give members more control as well as peace of mind.”
The $6.8 billion MACU counts roughly 40 percent of its membership as active mobile users, and 30 percent of members are active online banking/PC users. Among the in-house initiatives to protect members is the credit union’s “Card Manager” mobile service, which allows the member “to do so much more than close or freeze a potentially lost card in seconds,” noted Rasmussen.
“It puts 24/7 control in members’ hands to do a wide variety of features, including new card activation and PIN setting, lost/stolen card cancellations, card replacement orders, travel notifications and more,” he said. “If a member receives an alert for an unfamiliar transaction, Card Manager allows her to shut off any further card activity until she can verify whether that transaction was fraudulent or not.”
Villanova’s Carter said proactive measures like those undertaken by MACU are critical to member security because call, text and email scams from attackers posing as financial institutions or government agencies are increasingly hard to identify.
“There is no cure-all information-security solution for any company. However, one of the largest contributors to the widespread lack of security is that, for most companies, it is not profitable in any way,” said Carter. “Adding extra security does not increase revenue, so it is often minimized until something like the Equifax breach happens.”
In an effort to ensure member data is secure, MACU also invests in employee programs, from in-person training for new hires to ongoing training for tenured staff.
The education doesn’t end with employees. MACU has specially trained “Tech Champions” staffed in branches to demonstrate a variety of mobile banking tools and innovations, such as photo balance transfers, instant loan approval and funding, Card Manager and biometric logins.
“They are also able to assist members wanting to set up alerts, notifications, code words or sign up for ID protection services,” said Rasmussen. “Our call center is staffed with special technology experts as well.”
AVOIDING BREACH PITFALLS
For credit unions looking at developing in-house data security solutions, Carter said one of the biggest mistakes an organization can make is making IT departments “entirely responsible” for managing security.
“While IT has expertise in the technical aspects of an enterprise system, they do not have a complete knowledge of the risks to the business overall,” said Carter. “Collaboration with the IT department in assessing where the greatest risks are and what data should be protected with the strongest controls will help ensure that more attention is paid to protecting the greatest risks within a company.”