FORT LAUDERDALE, Fla.—The first female CIO of the White House urged credit unions to think about “separation” when it comes to their data security practices.
Theresa Payton, star of the CBS TV series Hunted and one of America’s most respected authorities on Internet security, told attendees at Trellance’s immersion18 annual meeting that thinking about keeping various forms of data separate can be a huge benefit if the organization is hacked, and using different email domain names for various operations can ward off clever phishing attacks.
Payton, told the meeting that credit unions should perform a “walkabout” to assess the credit union’s data security asking questions throughout the organization like “What information do you need and how do you get to that information.”
Payton said she did that when she first arrived at the White House and that her walkabout even included speaking to the chef in the White House kitchen.
“Every single item in that kitchen, every steak, every vegetable had a bar code on its wrapper,” said Payton. She said she noticed the barcodes are identical in general appearance so they must have been produced by the same system, despite the food coming from many different sources.
“Even the flower arrangements have barcodes on them,” she said.
Charging the Right Budget
Payton asked the kitchen’s chef about the barcodes and learned they are for budgeting purposes.
“So, if the food was used for a State Department dinner, the State Department receives the bill,” she said. “If food went out for another department’s function, that department is billed and another budget is charged.”
Payton explained that the White House generates a great deal of data for many different purposes, and at the same time protects large amounts of national security data.
“All of this information does not have to be stored in the same place,” she told the meeting. “There’s definitely a higher priority for storing the national security data than budgeting for food and flowers.”
Just as the White House separates and stores different kinds of data in different places, Payton urged credit unions to take a similar approach with their data security, thinking about logical separation of data types.
“You may not be thinking of this, but your information for payroll and employees should be in a separate place from your member data,” said Payton. “If one area is breached not all of your data are breached.”
What Credit Unions Can Do
That same type of thinking can protect the credit union from phishing attacks that are getting very sophisticated. Payton said that while everyone is aware of the obvious phishing scams, there are many clever and ingenious phishing scams that regularly fool staff.
Payton told the meeting that many organizations overestimate their ability to detect phishing attacks and that staff are most often fooled by emails that appear to be from coworkers.
“You can build all the security walls and fortresses and then one person clicks on a phishing link in an email and all of sudden you have malware installed inside your system,” she said.
To help guard against that, Payton urged credit unions to create a different domain name for emails that go to different places—possibly have a different domain for public-facing needs and a different domain for internal use.
Digital Disaster Drills
Payton also advised credit unions to hold “digital disaster drills.”
“Rehearse a ransomware attack. Plan on complete service unavailability and service instability, such as denial of service attacks,” she said.
Payton said that the among the organizations she works with, those that conduct digital disaster drills restore business operations much sooner than those that don’t, and are much less likely to pay crooks their ransom.
She noted that digital disaster drills can help companies plan for many cyber-attack situations and effectively deal with them. Payton said CUs should plan for what might happen if their backup data are also encrypted during a ransomware attack, something that is occurring more frequently as ransomware attacks become more sophisticated and far reaching.
Payton said these kinds of rehearsals encourage organizations to make sure their backup data are in a completely isolated location form the data they use every day—insolated physically and logically from the everyday data.
Bob Hackney Returns
Also during the meeting, former CSCU President Robert Hackney addressed the group. Hackney, who started at CSCU in 1998, shared a history of CSCU. In late December, Trellance announced it divested CSCU, the CUSO's payments processing business. The newly formed Trellance retained CSCU’s Optimize card growth solutions offerings.