Conn. program takes in-depth look at cybersecurity
CROMWELL, CT -- A number of topics related to cyber security – including outreach to law enforcement, threat trends, the source of losses to credit unions and board responsibility, and more – were covered at the 2015 Connecticut Cybersecurity Basics Conference for Credit Unions.
Sponsored by NASCUS, the Credit Union League of Connecticut and the Connecticut Department of Banking, the one-day conference Sept. 14 in Cromwell, Conn., focused on the key topics facing credit unions and their regulators today in cyber security.
Andrew P. Dodd, FBI special agent, computer intrusion program, in the bureau’s New Haven field office, told the nearly 100 participants assembled at the conference that credit unions and other financials should reach out to law enforcement any time there has been an intrusion into consumer information or other Internet crimes -- and share what they know, regardless of loss. He also urged the group to collect as much information as possible, to help determine if an investigation will be opened and what, if any, public exposure the victim may face. He emphasized that this information should be collected before calling law enforcement. Once law enforcement becomes involved, he stated, restrictions on gathering evidence may attach.
Dodd also suggested that financial institutions know in advance who to call in law enforcement (a “known person”), as opposed to only calling publicly listed numbers – and to verify contact information at least annually.
Rick Lacafta, director of insurance services for the Financial Services – Information Sharing and Analysis Center (FS-ISAC), broke down “threat trends” into three broad categories: cyber crime, hacktivists and nation-state.
Cyber crime, he stated, is practiced mostly by “bad guys” based in Eastern Europe and in Asia. He noted that there is a “complete service based economy supporting their activities” and that “attacks are a mix of social engineering and technical attack.” He stated that “hacktivists” engage in a variety of actions, including distributed denial of service (DDoS) and website defacement. Finally, “nation state” actors, Lacafta stated, are typically motivated by espionage, disruption, or destruction, and typically target both governments and the private sector.
Jonathan Moore of CUNA Mutual Group recommended that participants estimate their exposure to cyber threats by “adding up the numbers”: number of members, number of former members, number of employees, number of former employees, joint owners (who are not counted as members), and indirect applications – those who do not count as members.
As for who is causing losses at credit unions, Moore stated, “unintended disclosure” of information is the leading source – accounting for one in every four (25%) of total data breaches. Hacking or malware comes in second (at 19%), followed by “insider” violations (at 17%).
With regard to responsibilities of board directors, Attorney David Reed of Reed & Jolly LLC suggested three things for elected volunteers to keep in mind: not all breaches can be prevented; if a breach does occur, the CU’s security program will come under close scrutiny; and board members will ultimately be held responsible for a deficient security program.