I’m at the NAFCU CEOs and Senior Executives Conference watching a room full of industry leaders get the beejeezus scared out of them by Terry Gudaitis, PhD and Cyber Intelligence Director for Cyveillance. It almost feels like we should be passing out popcorn and Twizzlers, and maybe even have paramedics standing by in case anyone faints before intermission. Okay, maybe I’m exaggerating a bit – but we’re not letting anyone go down into the basement to check on Mrs. Bates either.
It’s not the first time I’ve seen this happen – Cyveillance took the entire senior team at NAFCU and NAFCU Services through their cyber security training program last year, and I was one of those who walked out thinking I had to take a hard look at how I use the Internet.
Bottom line – we’re all targets, like it or not, for fraudsters who have gotten way more sophisticated than those sending billions of misspelled Viagra emails hoping for a .00001% response rate. Call it spear-phishing, whale-phishing, or a similar term: criminals are targeting specific executives at specific organizations to try to get them to click on a link or go to a web page that will deliver a payload of malware that leads to a security breach. And you are a target.
It only takes a matter of minutes for a criminal to go online and gather enough specific information about an individual, their habits, location, preferences, friends and family to concoct a very believable email and gain the victim’s trust. Even a seemingly innocent tweet can lead an unsuspecting user right into a landing page riddled with destructive malware.
Social media is a complicating factor that blurs the line between our ‘personal selves’ and our ‘business selves’ – the proliferation of websites that actively encourage you to click on links to add friends or look at attachments every day makes it that much more difficult to tell the difference between a legitimate request and a fraudulent one. Terry introduced two new concepts to me: Sqwitter (someone who hijacks your identity and creates a Twitter identity) and social media squatter (same thing for a Facebook page or LinkedIn account).
Add in geo-tagging and other location-aware services and you raise the ante – check out www.RobMeNow.com for a wake-up call!
So what can you do about it?
- Targeted Education for Executives
- Training for Employees
- Write and Continuously Review Social Media/Networking Policies
  - Authorized Users
  - Non-Authorized Users
- Enforcement of those Policies
  - Consequences
  - Actions
- Monitoring – Outside the firewall
  - What are the new Internet protocols and platforms?
  - Internal activities? What is permitted?
  - External activities? What is prohibited?
- Organizational Feedback Loop
So, the lesson here is to BE AWARE and take the proper precautions. Cyber crime evolves every second and fraudsters are thinking up new ways to target you and your credit union. You must seek out the education and training needed for you and your staff to stay one step ahead. Terry and her team at Cyveillance offer phenomenal training, and if you’d like to learn more about it, go to their landing page at www.nafcu.org/cyveillance.
