Mastercard, PSCU tackle breach risk at credit unions
System breaches similar to events at Equifax and Marriott could just as easily happen to credit unions, leading Mastercard and the credit union service organization, PSCU, to take protective measures.
The value of practicing for a data breach goes beyond just identifying gaps in the plan or updating certain actions – it helps create a muscle memory type of reaction for executives and it sets up expectations of how and when certain actions need to be taken. Rehearsals also expose weaknesses in a financial institution’s defenses and start building relationships with security vendors and law enforcement before a breach occurs.
“If you have an incident response plan for dealing with a data breach you need to have a practice event at least once a year to make sure that the plan is still relevant and to discover what’s missing from it. If you don’t have such a plan, then you need to create one and practice it,” said Nick Curcuru, vice president of cyber security at Mastercard at the PSCU credit union member forum in Austin, Texas this week.
This preparation extends to relations with media and law enforcement agencies.
“Your [credit union] CEO should not be winging it with the press during a breach. You should not be meeting your FBI liaison for the first time when your pants are on fire,” stated Gene Fredriksen, chief security strategist at PSCU at its member forum. “Equifax had a 225-person security team in place when their breach occurred and it didn’t help them one bit. In the end Equifax took 117 days to notify consumers and the strong public reaction forced them to wing it on some things.”
The sentiment about bringing in law enforcement was echoed at the PSCU forum by Stacy Arruda, a 22 year veteran of the FBI’s cyber security team and current executive director of the State of Florida’s ISAO.
“The incident response plan needs to include when to bring in law enforcement and it needs to be within the first 30 days of the breach," Arruda said.
While credit unions may be challenged to afford large security teams and redundant systems to protect their members’ data, Fredriksen said it’s okay for credit unions to delegate and outsource certain tasks to vendors to secure servers and data.
However, Fredricksen said what’s not okay is abdicating the responsibility for security. In the end, the responsibility to prevent and contain breaches rests solely with credit union executives.
One way to proactively manage the security with a small staff is to conduct regular audits as events occur.
“Credit unions need to put more demands on their vendors," said Curcuru. "It’s no longer sufficient to do an annual security audit of your vendors. You need to validate and verify every single security patch and upgrade being conducted with a vendor as the changes are being made. You need to ask, ‘when was the patch done?’, ‘how was it done?’ ‘and what systems did it affect?’”
The executives noted that many times organizations will develop a breach strategy and incident response plan and put it on the shelf as a “one and done” exercise. Additionally, the plans often have static defenses that surround all of their data held in a single location.
Fredricksen added that cyber security must not be static because the attackers are not. It needs to be dynamic as attackers will flex to get what they want.
The adversaries financial institutions are up against today are skilled professionals who work together. They use analytics to match data from different hacks or breaches and put them together to recreate profiles.
“In the Equifax breach the hackers got the honeypot in cybercrime. It’s the government ID, which is more valuable than just a credit card which can be replaced," Curcuru said. "Credit unions need to look at how they classify the data so that the most valuable pieces of information such as government IDs and credit card numbers and not located on the same server or accessed through the same program. If someone does breach your system, you need to make it more difficult for the hackers and one way to do it is to store highly valuable data in different locations."
It’s important to realize that people are part of the equation when it comes to allowing hacks as well as fighting them.
“It's not always a technology issue. Your people can be both your best asset and worst enemy when it comes to protecting data your data,” said Arruda.