The "Internet of Things" — in which everything is connected to everything — is ballyhooed in the popular culture as a great thing. And maybe it is, unless you’re responsible for protecting data at, say, a credit union.
That’s because hackers can come in from anywhere now, including the thermostat and the copier, if they’re connected to the Internet. That was one takeaway from the CU InfoSecurity Conference this week in Las Vegas, NV.
“Vendors will want to tell you that this is a great feature, because it sends alerts that your printer is about out of toner,” Rusty Wilson, CIO at Ingalls Information Security in Alexandria, LA, told a Wednesday afternoon session. “Don’t let them connect to your network. Believe me, they’ll still sell you toner.”
Other weak spots? A thermostat connected to the Internet so the vendor can operate it online. The CISO at a big California credit union asked about that. “Why do I have to have that on my network? I can see the HVAC system on it and it doesn’t need to be.”
And don’t forget the cameras and their DVRs that are recording every move in the building. Or the old PC in the conference room still running on unpatched, unprotected XP.
“The problem is that malware are like ticks. You find them in the most unexpected places,” Wilson says. “And they can be there for a long time, undetected.”
Another problem? Wireless routers connected to the same network as tellers. And then there are the myriad devices that senior managers and board members and others want to access the system from, including smartphones and iPads.
Convincing them that more controls are needed may become a bit easier. The NCUA is now asking harder questions than ever about cybersecurity in its examinations, following up on FFIEC recommendations that followed a pilot project regulators conducted last year among 500 or so credit unions and community banks.
Regulators are now recommending that board members and senior managers be well informed about their credit unions’ cybersecurity policies, practices, and risk.
The official guidance has yet to be issued, but at least one security consultant, Brian Fischer of Security Compliance Associates in Clearwater, FL, says he’s already seen hard questions asked and findings citing shortcomings after NCUA examinations at client credit unions.
Here are some other things I learned at the conference this week at the Golden Nugget in Las Vegas.
Everyone gets breached. One speaker asked the group of about 50 credit union CIOs, CISOs and other security specialists how many paid for remediation — including issuing new cards — as a result of the Target breach. Nearly every hand went up.
“They’re going to happen. Now you really need to concentrate on your response as much as prevention,” says Ron Schlect Jr., managing partner of BTB Security in Bala Cynwyd, PA.
Let the lawyers lead. “If you’re breached, hire an attorney,” Wilson says. “Because the moment they get involved, attorney-client privilege kicks in. That includes letting them hire the people to manage the response.”
Wilson says that protection can be very helpful later on if lawsuits are filed and questions are asked about the credit union’s reaction to the loss of confidential member data.
Some job security. PSCU CISO Gene Frederiksen says as the first generation of IT security specialists like him near retirement, he hopes the industry is taking steps to groom their successors. “I’ve been in this field since the 80s and at the time, we thought it would be temporary,” he says. “That obviously wasn’t the case. We need to make sure other people are ready to take over. This isn’t going away and it isn’t getting any easier.”
Good help is already hard to find, especially when it comes to information security. Security consultant Schlect says he regularly hears from credit union clients that they’re short staffed, and that when they do get management clearance to hire, finding qualified IT security specialists is tough.
One of the credit union managers in attendance agreed, adding, “Here we are spending a couple hundred thousand dollars on technology to deal with this problem and we often don’t even have the intellectual capacity in-house to use it properly.”