Keep­ing data se­cu­rity in-house

Though many of its poli­cies were in place be­fore news of the Equifax breach came out, Moun­tain Amer­ica CU is dou­bling down on its ap­proach to pro­tect­ing mem­ber data.

Credit Union Journal - - Front Page - BY W.B. KING

UN­LIKE THE DATA BREACH THAT HIT Tar­get in 2013, an­a­lysts say the Equifax breach was mon­u­men­tally per­plex­ing be­cause the com­pany’s mis­sion is to pro­tect its 143 mil­lion clients’ data — many of whom are or were credit union mem­bers.

“If a com­pany that man­ages the most sen­si­tive fi­nan­cial in­for­ma­tion be­long­ing to a ma­jor­ity of the peo­ple in this coun­try isn’t im­ple­ment­ing care­ful se­cu­rity mea­sures and patch­ing known vul­ner­a­bil­i­ties, it is a strong in­di­ca­tor that se­cu­rity is clearly not a high pri­or­ity for com­pa­nies un­til af­ter a breach oc­curs,” said Henry Carter, as­sis­tant pro­fes­sor in the Com­put­ing Sciences Depart­ment at Vil­lanova Univer­sity.

Carter ex­plained that the at­tack­ers ex­ploited a breach in a web ap­pli­ca­tion tool that was known to ex­ist in March, but “for some rea­son” re­mained un-patched for sev­eral months. Mak­ing mat­ters worse, Equifax knew about the breach for more than six weeks be­fore mak­ing a pub­lic an­nounce­ment. The com­pany’s CEO, Richard Smith, has since stepped down.


Prior to the Equifax breach, Moun­tain Amer­ica Credit Union took in­house proac­tive mea­sures to pro­tect its 680,000 mem­bers, in­clud­ing ID pro­tec­tion ser­vice, alerts, code words and mo­bile so­lu­tions.

“As long as we live in a world where stolen in­for­ma­tion is prof­itable to hack­ers, we will have to con­tin­u­ously im­prove our se­cu­rity mea­sures,” said Tony Ras­mussen, VP of pub­lic re­la­tions and fi­nan­cial ed­u­ca­tion at Moun­tain Amer­ica. “As an in­dus­try, we can nei­ther con­trol nor pre­dict the next breach, so it makes sense to in­vest in a va­ri­ety of in­no­va­tive so­lu­tions that give mem­bers more con­trol as well as peace of mind.”

The $6.8 bil­lion MACU counts roughly 40 per­cent of its mem­ber­ship as ac­tive mo­bile users and 30 per­cent of mem­bers are ac­tive on­line bank­ing/pc users. Among in­house ini­tia­tives to pro­tect mem­bers is the credit union’s “Card Man­ager” mo­bile ser­vice, which al­lows the mem­ber “to do so much more than close or freeze a po­ten­tially lost card in se­conds,” noted Ras­mussen.

“It puts 24/7 con­trol in mem­bers’ hands to do a wide va­ri­ety of fea­tures, in­clud­ing new card ac­ti­va­tion and PIN set­ting, lost/stolen card can­cel­la­tions, card re­place­ment or­ders, travel no­ti­fi­ca­tions and more,” he said. “If a mem­ber re­ceives an alert for an un­fa­mil­iar trans­ac­tion, Card Man­ager al­lows her to shut off any fur­ther card ac­tiv­ity un­til she can ver­ify whether that trans­ac­tion was fraud­u­lent or not.”

Vil­lanova’s Carter said proac­tive mea­sures like those un­der­taken by MACU are crit­i­cal to mem­ber se­cu­rity be­cause call, text and email scams from at­tack­ers pos­ing as fi­nan­cial in­sti­tu­tions or gov­ern­ment agen­cies are in­creas­ingly hard to iden­tify.

“There is no cure-all in­for­ma­tion-se­cu­rity so­lu­tion for any com­pany. How­ever, one of the largest con­trib­u­tors to the wide­spread lack of se­cu­rity is that, for most com­pa­nies, it is not prof­itable in any way,” said Carter. “Adding ex­tra se­cu­rity does not in­crease rev­enue, so it is of­ten min­i­mized un­til some­thing like the Equifax breach hap­pens.”

In an ef­fort to en­sure mem­ber data is se­cure, MACU also in­vests in em­ployee pro­grams, from in-per­son train­ing for new hires to on-go­ing train­ing for tenured staff.

The ed­u­ca­tion doesn’t end with em­ploy­ees. MACU has spe­cially trained “Tech Cham­pi­ons” staffed in branches to demon­strate a va­ri­ety of mo­bile bank­ing tools and in­no­va­tions, such as photo bal­ance trans­fers, in­stant loan ap­proval and fund­ing, Card Man­ager and bio­met­ric lo­gins.

“They are also able to as­sist mem­bers want­ing to set up alerts, no­ti­fi­ca­tions, code words or sign up for ID pro­tec­tion ser­vices,” said Ras­mussen. “Our call cen­ter is staffed with spe­cial tech­nol­ogy ex­perts as well.”


For credit unions look­ing at de­vel­op­ing in-house data se­cu­rity so­lu­tions, Carter said one of the biggest mis­takes an or­ga­ni­za­tion can make is mak­ing IT de­part­ments “en­tirely re­spon­si­ble” for man­ag­ing se­cu­rity.

“While IT has ex­per­tise in the tech­ni­cal as­pects of an en­ter­prise sys­tem, they do not have a com­plete knowl­edge of the risks to the busi­ness over­all,” said Carter. “Col­lab­o­ra­tion with the IT depart­ment in as­sess­ing where the great­est risks are and what data should be pro­tected with the strong­est con­trols will help en­sure that more at­ten­tion is paid to pro­tect­ing the great­est risks within a com­pany.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.