About two years ago, a small, rural-based credit union received a call from the Federal Bureau of Investigation (FBI) letting them know they had been hacked.
With fewer than a dozen computers tethered to a network managed by a third-party vendor, the credit union officials were informed that an employee had fallen for a phishing scam and opened a malicious link in an unsolicited email. The link delivered malware that quietly gave the attacker remote access to comb through computer files. It turned out there was little rummaging required: the credit union employee's desktop held an unencrypted Word file containing all the passwords needed for daily functions. A subsequent inspection also showed that key servers had been exposed to malware because employees used them for general functions such as web browsing and email.
“Unfortunately, these scenarios are low-hanging fruit for attackers,” says Tom Tollerton, CISSP, CISA, QSA, who is senior manager for the IT Advisory–Cybersecurity group at Dixon Hughes Goodman LLP in Charlotte, N.C. “Lack of threat awareness, poor decisions and unsecured systems make easy targets and can severely increase the likelihood of a compromise of members’ data security.”
Such an extreme case of data security negligence is, fortunately, uncommon. But as cybersecurity threats grow and information systems become more complex, federally insured credit unions must rise to the challenge and properly protect sensitive data — both their own and their members'.
This article originally appeared in the NAFCU Journal (May-June 2018) and is used by permission here.