How secure are your home offices?

September 22, 2020 at 9:51 am

As the person ultimately responsible for mitigating both legal and compliance risks to your credit union, you don’t need to know all the answers, but you need to know what questions to ask. One of the questions you should be asking your IT team is how safe your virtual private network (VPN) is.

Recently, the FBI and CISA issued joint guidance warning companies in high-profile industries, including the financial sector, that they are being targeted by increasingly sophisticated attempts to gain access to virtual private networks. Think about it – a little more than six months ago, we were all concerned about personally identifiable information being sold on the dark web. According to these reports, there is a growing market for VPN identification. Given the sudden movement towards remote work, this trend was inevitable, but the more remote work becomes the norm rather than the exception, the more examiners will be expecting to see what steps your credit union is taking to prepare.

As explained in this joint examiner guidance released in June, “examiners will review the steps management has taken to assess and implement effective controls for new and modified operational processes. Examiners will assess actions management has taken to adapt fraud and cybersecurity controls to manage heightened risks related to the adjusted operating environment. Examiners will also review how management has assessed institutions’ third parties’ controls and service delivery.” In addition, NCUA has emphasized that information technology remains a top priority during the pandemic. 

Some of the techniques being used can be guarded against regardless of the size and sophistication of your institution. For example, the highly influential KrebsOnSecurity published a blog post in August describing increasingly brazen vishing attacks in which hackers contact employees pretending to be from the company’s IT department, requesting login information to access the employee’s account. According to Krebs, this technique is particularly effective against newer employees, who are interacting with their IT department for the first time.

Finally, some of the classics are also being used. Good old-fashioned emails requesting login information are still being responded to, reminding us yet again that our computer systems are only as safe as our most technologically inept employees allow them to be. Full disclosure – there are weeks when I talk to the IT department more than I talk to my own kids.

What this means for your day today is that you may want to remind employees that they should be aware not only of suspicious emails, but also of who they are talking to, particularly if they receive a proactive phone call. In addition, this is yet another example of why one of the trickiest parts of remote working is going to be onboarding new employees. My personal suggestion is that even if an employee is going to work remotely, a lot of the orientation process should still be done live and in-person.


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
