CU InfoSecurity 2017: Cybersecurity Assessment, Going Phishing
Credit unions received tips on boosting cyberprotection and adhering to regulatory compliance using the Cybersecurity Assessment Tool, better training, and workflow automation at the CU InfoSecurity 2017 conference in San Diego.
Jim Brahm, CEO of security assessment firm SCA Security, and Leo Maduzia, chief IT compliance and risk officer for the $7.5 billion San Diego County Credit Union, tag-teamed to present both the big picture and some more specific views of cybersecurity.
Brahm spoke about lessons learned and what SCA discovered in helping credit unions work with the Cybersecurity Assessment Tool, which the Federal Financial Institutions Examination Council developed to help financial institutions identify risks and determine cybersecurity preparedness. SCA’s wheelhouse is offering information security assessment in the areas of risk and vulnerability, in addition to providing penetration testing to help credit unions meet regulatory requirements and safeguard member data.
In some cases, SCA helped credit unions complete or review their assessment with the tool, or provided a review of their cybersecurity efforts in general.
Maduzia followed up by explaining how SDCCU tackles cybersecurity.
The session also offered the advice that while the cybersecurity assessment gives financial institutions a measurable process for gauging preparedness, it is not the same as a risk assessment, which identifies and analyzes potential hazards.
Leticia Saiid, tandem Software Support Manager at technology and security company CoNetrix, spoke of the link between phishing and cybersecurity.
Saiid suggested ways to use training to prepare for phishing attacks. One way is to send simulated phishing messages to employees in order to test them and provide education and practice. “Phishing messages don’t come around frequently enough to practice responding to them; they come around frequently enough to harm us,” Saiid said.
The tandem Software product builds the training in, and records and measures whether staff open the emails, click on links, open attachments or delete them. If an employee does click on a link, it directs them to a landing page of educational information about phishing.
“Phishing training is standard security training done once a year and that’s it. Infrequency typically isn’t very valuable for education and training,” Saiid added.
Mike Fitzmaurice, VP of workflow technology at process automation company Nintex, explained that his company tackles everything from basic business functions to company-wide processes with a few clicks, not code, helping organizations improve how they work.
This includes coordinating business process automations with compliance, security and internal policies. Fitzmaurice pointed out, “It’s not just one piece of software, it’s not just one database, you have content in a lot of places.”
“So, no one vendor is going to be able to say ‘we’ve made our app more compliant and more responsive to customer privacy concerns,’” Fitzmaurice explained. That’s why financial institutions need workflow automation software: if somebody requests a review of their data, the system can fetch all the right content from the right places and bring it back in a well-documented form.
Fitzmaurice demonstrated how the process works; it allows members to review, edit, correct, or change the extracted information. “We are in the workflow business, workflow content and automation; we can connect a lot of applications together and automate a lot of information that happens between people.”