The NAFCU Journal May - June 2018 - 21

"Using an outside firm that understands the security industry is critical for us."
- SCOTT WILSON, CEO, SEACOMM FEDERAL CREDIT UNION

we provide. We have regular education on security, with cybersecurity a major component of that, throughout our entire organization."

Rose admits reaching this level of data security readiness didn't happen overnight. More like two to three years, and that's partially because he had to build up a budget. Today, he admits, he has a much easier time gaining budget approvals "because security is that important to our industry and to our business."

SEACOMM SEES IMPROVEMENTS OVER THE YEARS

Scott Wilson, CEO of SeaComm Federal Credit Union, headquartered in Massena, N.Y., is also devoting more time, mental energy and budget to data security at his 45,000-member, $550 million-asset credit union. "That's what keeps me up at night: wondering, how do we protect the data members entrust us with? That's why we focused a lot of resources in this area."

For SeaComm, those resources include increasing staff to ensure full IT coverage. It also means augmenting a staff of seven with outside information security providers.

"Using an outside firm that understands the security industry is critical for us," Wilson explains. "We think we're all well, but someone else can introduce a best practice we may not have been aware of. They help us prioritize based on what we need and look at all facets of our internal system. For instance, patching and VPNs [virtual private networks used to encrypt data in transit] are two critical areas where we've seen exposure from other businesses. So, we want to be sure we can't be compromised in a similar way."

PHISH TALES AND OTHER INSIDER THREATS

Perhaps no threat is more ominous than the one posed by the people working within a credit union. Employees, contractors and business partners - even members - can intentionally or erroneously open a conduit for criminal activity with just a few keystrokes or clicks.

Wilson says SeaComm had a "very poor response" during penetration ("pen") testing done during his watch 10 years ago. This meant a higher-than-expected number of people fell for socially engineered ploys that allowed outsiders to gain unauthorized access to sensitive data.

"We were surprised initially that people were so trusting," the CEO says. "But credit unions in general are filled with people who are friendly and want to trust others. We tell them you can be friendly and trusting but, as President Ronald Reagan used to say, 'Trust but verify.' You can't just blindly click a link or let someone in because they said they had permission."

Bad actors have become incredibly good at spear phishing - which is more targeted than other bogus emails baiting users to divulge their financial data. Today's phishers spoof actual employees, often HR staffers or chief executives, with what appear to be legitimate email requests with malicious links or outright asks for sensitive information. That's why, as a best practice, no one should respond to a suspicious email they weren't expecting and instead should call to confirm the request is real.

Today, very few fall for phish scams at SeaComm, and Wilson believes that's because of the credit union's data security training and ongoing education. From each new employee's first day, staff are trained in common attacks and how to avoid falling for them. "Constant, constant staff training is important, and for everyone, including me as CEO."

GAINING CONTROL OVER GROWING DATA SOURCES

To help minimize risk, SeaComm, Affinity and other credit unions typically ban employees and contractors from using peripheral storage devices such as CDs, DVDs or USBs - all of which have been used as attack vectors in the past. Similarly, network access controls reduce the risk of someone trying to infiltrate a network using the credit union's Wi-Fi.

What aren't always as obvious are so-called "smart" cameras, wireless printers, even coffeepots that act as nodes on a credit union network. Unless these are strongly password-protected, they could become an agent for unauthorized access elsewhere. (Remember, too, that nonwired printers, paper files and computer screens can also divulge data through "visual hacking" when sensitive content is put in plain sight.)

Many credit unions also now store data in the cloud to save on physical storage costs and provide easy retrieval of archived e-files. As with all vendors, credit unions should carefully research how these services are protected before signing a contract. Generally, cloud service providers are responsible for security of the cloud, while the customer is responsible for security in the cloud. All of these contemporary issues are why any data security policy must include a section on how to properly handle electronic data in storage and in need of destruction. For credit unions, laws exist that dictate secure records retention and safe data disposal. But, as Tollerton