A 4-Step Action Plan for Online Security Breaches

While many credit unions are breathing a sigh of relief after implementing multi-factor authentication, it’s clear that security will continue to be in the forefront of IT initiatives as credit unions update systems to counter new attacks. The majority of Technology Survey respondents reported undertaking major security-related initiatives in 2007 or 2008. Financial institutions are finding the need to continually examine and adjust their practices in the face of new threats and technology advances.

Develop an Action Plan to Handle Security Breaches
Even credit unions with the best systems in place can find themselves responding to a security breach at a partner provider. While it’s difficult to anticipate every fraud situation, credit unions should have action plans in place covering the major types of fraud seen today, including phishing, spoofing, internal security breaches, and vendor security breaches. These action plans should be periodically reviewed and updated to ensure appropriate personnel are involved.

The action plan should cover the following issues:
1. Member Notification
As security breaches don’t always occur during business hours, credit unions should have a team prepared at a moment’s notice to develop written notifications to members. Communications need to be carefully worded – many fraud attempts today start with information about a “potential security breach”. The difficulty lies in balancing the need to inform members quickly against the need to determine the extent of a breach, so that members are not worried unnecessarily.

2. Resources available to answer members’ questions
Since fraud could occur at any time, the credit union should have a plan for bringing in extra personnel to handle evening or weekend calls. The credit union should also be sure that other channels are available to respond to members, including e-mail response and website resources such as FAQ or knowledge base help.

3. Helping members whose accounts might be compromised
The credit union should consider how quickly new credit cards, ATM cards, or account numbers can be created and provided to members. Are there provisions for members with an urgent need for a replacement card?

Depending on the situation, members may need credit monitoring tools or resolution services. While many credit unions are offering fee-based credit monitoring and resolution services to their membership, they should research the cost of providing this service directly to members whose accounts become compromised by fraud. Credit unions should consider developing a relationship with a provider in order to be able to act quickly and communicate this service to members as soon as a breach occurs.

4. Educate Employees
Employees need to be educated on all types of fraud but need to be particularly aware of types of online fraud and whom to notify if members call in with suspicious situations. Employees need to be able to respond to members who call with security questions and concerns about online banking.

The credit union’s action plan should be periodically reviewed with all employees to heighten awareness of security measures and reinforce their role.

As with physical security challenges, credit unions should perform comprehensive risk assessments periodically to understand potential weaknesses and identify areas to strengthen network security. Credit unions should start with their vendor relationships to understand their existing safeguards and implement solutions that complement these systems to ensure a broad-based plan is in place.

Aug. 6, 2007


Comments

  • You left out the most important step of all. CURE THE BREACH. If it's phishing, get the phishing sites taken down. If it's a network breach, fix the vulnerability.
    Lars Harvey