AT&T just got the bill for its insider data breach: a civil penalty in the ballpark of $25 million, settled in conjunction with the FCC. In 2013 and 2014, employees at call centers in Mexico, Colombia, and the Philippines used proprietary network information to gain unauthorized access to PII (personally identifiable information) for more than 275,000 customers and sell it on the black market. In addition to the financial penalty, AT&T is being forced to do what some say it should have done in the first place: assess privacy and data security, and implement better practices to protect PII. AT&T is not alone in its vulnerability to insider threats; in fact, an estimated 35% of cyberattacks come from internal sources. Yet as data breaches continue to occur, many organizations are responding to insider threats only after sensitive information has already been stolen.
Cybersecurity has become a particularly hot topic for the financial industry in the last couple of years, as data breaches become more commonplace and more expensive for credit unions and banks. Credit unions especially have made cybersecurity a top priority as they lobby more vocally for better regulations around data breaches and for policies that protect them from footing the bill for retailers’ breaches. However, a recent survey conducted by Awareness Technologies in partnership with CUNA Strategic Services shows that credit unions are now extremely concerned about cybersecurity threats coming from inside their own walls. In fact, the survey shows that some credit unions are not even confident that they know what steps are being taken to shore up data protection. A vast majority (83%) of surveyed credit unions admitted that their top concern is sensitive information or PII being transferred to unauthorized or malicious third parties, particularly via USB devices. While that concern is reasonable, an alarming 77% of participants said they either did not believe they had comprehensive protection against internal data threats or were unsure of their level of protection. That uncertainty flies in the face of the regulations that govern credit union security programs, specifically Part 748 of the NCUA’s regulations, which requires credit unions to have appropriate internal security policies, detection methods, and protocols for responding when unauthorized access occurs.
Considering that a high percentage of data breaches originate from the inside (human error, lost or stolen devices, malicious information theft, and so on), it’s unsettling that credit unions haven’t risen to the security challenge. While insider threats can be difficult to detect and block, there are easily implemented ways to reduce the risk of an insider breach, options that don’t require filling employees’ USB ports with liquid cement.
Here are some ways credit unions and other organizations can improve security policies to prevent the most preventable breaches:
- Password protect or physically lock up sensitive information
- Implement and enforce password management policies
- Give users the lowest levels of access they need to perform job functions
- Allow only authorized devices on company wireless networks and restrict BYOD policies
- Train employees on proper use of public WiFi
- Educate employees on security policies and conduct regular reviews
- Automate collaboration policies with a secure file-sharing tool that can restrict file access and enforce data loss prevention rules