ST PETERSBURG, Fla.—The Target data breach, one year old on Thanksgiving Day, ushered in a wave of successful cyber-attacks on the U.S. that have elevated financial institutions’—and consumers’—attention to card security.
PSCU CIO Gene Fredriksen addresses how the cybersecurity landscape has changed in the past year and shares five important lessons FIs and payments processors have learned in that time.
1. Technology is just a part of the CU’s problems: “Business processes are made up of people, processes, and technology components,” explained Fredriksen. “Focusing only on technology controls leaves the door open for people-based attacks, such as phishing or social engineering. Many breaches this year were the result of accidental or intentional acts by employees.”
2. The CU can outsource systems, but it should not abdicate responsibility to protect information: “If information from your company disappears as the result of a breach, you have the burden of recovery and notifying those who might be harmed,” said Fredriksen. “The responsibility goes all the way to the board, as we have seen repeatedly this past year.”
3. There is always a bad guy smarter and better funded than the CU: “Ensure that your security systems are robust, agile, and adaptable. If you try to rely on static, commercial controls, and don’t pay attention to the daily evolving threats, you will be breached,” noted Fredriksen. “We have also seen that a large security budget or staff is no protection if not properly organized to address risk.”
4. A weak foundation amplifies risk: “Many breaches took advantage of legacy or unpatched systems which should have been upgraded or replaced,” he said. “Building sophisticated security systems on top of outdated or obsolete foundations will not protect your systems or information.”
5. Data breaches are, unfortunately, becoming a part of doing business: “No matter what you do, the question is not ‘if’ you will be breached, it is ‘when.’ So prepare and practice your response—again and again,” urged Fredriksen. “Your members may forgive you for the breach, but they will not forgive an inept response and notification.”