The recent public acknowledgment of a sophisticated phishing attack appearing to target Bank Secrecy Act officers at credit unions and other financial institutions raised concern about the state of data security in the industry today.
Nationally recognized cybersecurity expert and CyberScout founder and Chairman Adam Levin told Dodd Frank Update that the news should be a wakeup call for institutions that might need it.
“It also demonstrates that these phishers and hackers are incredibly creative, very sophisticated, and they’re looking for the new bright, shiny object,” Levin said. “This is unique.”
The first public announcement came from the National Credit Union Administration, which released a statement saying that its systems did not appear compromised. The Financial Crimes Enforcement Network (FinCEN) later released a similar announcement that it appeared to avoid a breach of information.
So how could hackers have targeted a list of staffers whose status in not publicly available?
“The scary part is that it appears targeted, and this seems like a fairly wide-scale attack,” Levin said. “The thing about cyber is that every day is a new adventure. Oftentimes there are missing pieces that, over time, get found. This is a situation where, it could be over time, you find a breach of another institution that led to the uncovering of this information. You can never say never.”
Levin said you also can never let your guard down as an institution as hackers look to find vulnerabilities within your system or others.
“In the world of cybersecurity, any institution can be secure at 9 a.m. But at 9:01 a.m., because of something you missed, you become insecure,” he said.
As hackers targeting financial institutions continue to become more sophisticated, such as in apparently targeted attacks like this, what can institutions do to react to potential breaches? First, Levin explained, they need to conduct a forensic analysis to find out what might have been compromised.
“What happens is that many organizations have more data than they think they have, and in more places than they think,” he said. “Everybody has to assume that breaches have become the third certainty in life, behind death and taxes. It’s a question of how robust your monitoring system is.”
Next, Levin suggested having a third party to look into the system to find anything that your own staff might have missed in its analysis. Then, it’s a matter of getting people from all departments to work together on solutions.
“It’s not just the IT people or the information security people, it has to be a collaboration of the legal department, executives, crisis management people, everyone,” Levin said.
That’s because the next step is meeting regulatory and legal obligations.
“Unlike the EU (European Union), which has fairly set procedures, in the U.S. there are 52 jurisdictions with separate breach notification laws, not only in terms of the level of data access for a reportable breach, but you’ve got to know who and when to notify, and you have to be very deliberative about this,” he explained.
The reason for the attention to detail comes in part because of the considerations of cyber liability insurance that many institutions have. Levin said that part of the policies usually require companies to do certain things in terms of protecting data from a breach, and then complying with all local, state and federal responsibilities in terms of notification if there is a breach.
“Miss that box and you could be exposed without cyber liability insurance,” Levin cautioned.
To proactively work against breaches of information and data, Levin suggested companies follow what he terms the three Ms: Minimize the risk of exposure, Monitor and Manage the damage.
A big part of that is password protocols and two-factor authentication. But in working to minimize risk, Levin stressed that the company must get all of its employees involved in the process.
“That’s why part of the first M is creating a culture of privacy and security throughout the entire organization, from the mailroom and reception desk to the tellers and board of directors,” he said. “Everybody’s got to be a part of it and feel a sense of ownership.”
At the end of the day, Levin said he encouraged institutions to remember the words of Ronald Reagan – trust, but verify – but update the phrase for today’s challenges.
“It’s never trust, and always verify,” Levin said. “These seem like common sense and logical things, but you’d be surprised.”