You are a Human Firewall
Episode 6 • 8th August 2023 • The UECU Podcast • Utilities Employees Credit Union

Shownotes

Cybersecurity is a partnership.

UECU plays an active role in keeping our members' information and accounts safe from troublemakers. Our dedicated staff works with great people from Alpine Cyber Solutions to make sure we head off trouble. But we can't do it alone.

Account owners have an important role to play, because safe and secure technology is just one piece of the cybersecurity puzzle. UECU consistently strives to improve and increase account security through ongoing testing, training and new technology. Unfortunately, all it takes is a shared password or personal information, outdated account owner contact information, or responding to a troublemaker's urgent and anxiety-inducing email, call or text message to break through the firewall; namely, the human one. 

Today, we talk with Alpine Cyber Solutions President and Chief Technology Officer Steven Pressman and Alpine's Technical Business Analyst David Bock to understand the roles that both organizations and individuals play in keeping their information and their accounts safe. For both sides of that equation, the human firewall is the most important variable.

Learn how to become a great human firewall at work and at home. Our digital footprint is only getting bigger. Secure yours today.

Topics & Timing

(00:28) Today's topic is cybersecurity: how to keep your information and your accounts safe and secure

(01:06) Why do security breaches happen? 1) It's easy money, and 2) humans make mistakes.

(01:24) UECU works hard to protect our members' accounts and information, but individuals have an important role to play as well. It's a partnership.

(01:44) Cybersecurity facts to consider: the average cost of a data breach so far in 2023 is $4.45M; the financial industry has the second highest average cost of $5.9M; and the two most-used methods attackers use to obtain that information are phishing and stolen credentials.

(02:40) Meet our guests from Alpine Cyber Solutions: Technical Business Analyst David Bock, and President/Chief Technology Officer Steven Pressman. Learn how they made their way to their current career and what they like to do for fun.

(13:20) Topic discussion about Cybersecurity begins with an overview of how UECU, with help from Alpine, keeps on top of Cybersecurity.

(14:11) What is Vulnerability Management? It's not the plot to a Rom-Com!

(15:07) QUOTE "Literally everything that we're going to talk about what we do with the Credit Union, applies to everyone's personal life in some way, shape or form. There's nothing different that a company needs to do to protect data that a person doesn't need to do to protect their data." - Steve

(15:45) Vulnerabilities are something that are known (or unknown) to be wrong on a device, such as a flaw in a piece of software. We have to search for those that are known, and indicators of the unknown. In both cases, we then overcome them. Today, these scans are continuous.

(23:15) Penetration Testing is when we rely on trusted individuals/services to try to access our systems/information by either physically entering the building in an unofficial capacity, creating a relationship with an employee to gain needed information, or looking for known system vulnerabilities that haven't been patched yet to "get in."

(26:50) Many people think a hacker gets in by penetrating the system firewall. It very rarely works if the firewall is being kept up-to-date. It more often happens by getting through the "Squishy Parts" (the humans) as Steve refers to them.

(27:25) QUOTE "There's a term we like to use called the Human Firewall, where we train people to understand that they have a very active role in cybersecurity." - Dave

(27:36) Phishing and Social Engineering are attacks aimed at people (employees and individuals). People try to "fish" for information through various contact methods, perhaps providing a link that downloads malicious software, or a link that takes you to a look-alike website where you are asked to enter personal information.

(28:35) Services like Alpine make phone calls and send emails to employees to test our responses to phishing attempts. Dave says it's the worst part of his job when he gets someone to do something they shouldn't do.

(29:06) These attackers (and testers) prey on the innate nature of people who want to be helpful and who react too fast.

(31:00) Policies and Procedures are the most boring part of cybersecurity, but also the most important part of being prepared for a cyber attack. These define what the goal is regarding cybersecurity (what we actively do to protect) as well as outlining how we'll respond to attacks. This makes it possible for us to practice and be prepared.

(35:35) QUOTE "There are times for creativity and invention. In a crisis is not that time." - Steve

(37:00) What is CISO as a service (Chief Information Security Officer)? All businesses need to be cybersafe. A CISO runs a company's security program and measures it for success. Large businesses may hire their own internal CISO, but that doesn't mean medium and smaller businesses are exempt. Third party providers like Alpine can fill that role.

(42:50) Security Awareness Testing and Training is focused on strengthening the Human Firewall. It's one of the best things a company can do. Ongoing testing is needed to train people how to protect themselves and their access to information.

(45:53) QUOTE "What can people do to protect themselves? Sometimes it's just being uber-suspicious." -Janene

(46:06) QUOTE "You hate to say it, but you have to suspect everything." -Steve

(50:37) QUOTE "You have to have this "Batman-level" paranoia." -Dave

(50:47) Slow down when responding to calls and emails. We're so used to doing everything fast, fast, fast. It's worth the time needed to verify that the request you've received is legitimate. Such requests often include legitimate information to gain your cooperation and trust.

(50:23) Incident Response: what to do when the attack gets through starts with knowing who to turn to for guidance.

(54:20) Successful Cybersecurity requires all of the following: Protect, Detect (scanning for issues), Identify what is yours (know where your "borders" are), Response & Recovery.

(56:10) Practicing incident response is very important because it helps everyone understand the risks and find and overcome challenges. And when a real challenge presents itself, they are ready to go.

(01:01:11) What can individuals do to protect themselves and their information?

(01:01:40) Social media, mobile apps and info-gathering. Those "Get to know you" question posts, or just general information you share (like your favorite pet's name) are often gleaned by others to create a list of answers to things like security questions.

(01:03:52) QUOTE "If you're using an app, or a platform, or a service that doesn't cost anything, you're paying with information." -Janene

(01:07:15) When considering new mobile apps to download, look at reviews (it should be generally good), how many people have downloaded it (it should be a lot), and consider if the permissions it is requesting are necessary for it to work properly.

(01:11:38) Passwords: make them challenging, and consider alternatives like using biometrics and authenticator apps. Consider a password manager.

(01:12:15) Authentication methods are replacing passwords, and this is a good thing. UECU's improved mobile and online banking systems offer this option now.

(01:14:12) Use a password manager for your whole family. Pay for it. It's worth it.

(01:15:00) QUOTE "Email is the worst insecure mechanism by which you can share something" referring to sharing passwords or information with those you trust. -Steve

(01:15:55) Use Multifactor Authentication whenever possible, preferably one that notifies you in an app, not by text or email. Options include authentication apps like Google Authenticator, Microsoft Authenticator or your Password Manager's authenticator add-on.

(01:17:18) Password Managers shared with family are also a valuable way to help after a family member passes away. Written password lists are a risk.

(01:20:23) UECU has a protocol to identify members when they call us. This may be an inconvenience, but it's important. We do it to protect our members.

(01:22:32) Lock your phone with a password, a code, face ID, fingerprint ID...something. An unlocked phone is a risk because texts, emails, access to accounts...it's all there. Protect it. Same thing goes for your smartwatch that's connected to your phone.

(01:23:43) Check to see if your email has been compromised: visit www.haveibeenpwned.com

(01:25:00) Change your email password frequently. It's one of the most important passwords you have. Most sites allow you to reset your password with a link sent to your email. Protect it.

(01:29:30) Check for additional security features that may be included with services you are paying for, such as extra storage space you may already be buying from your phone manufacturer or service provider.

(01:30:15) QUOTE "In an airport, take a book" referring to the high risk of using free wifi options at airports or other places you visit. - Dave

(01:31:00) Sometimes the services you already have or are purchasing have great side benefits, such as ID theft protection and restoration services that come with your UECU Visa card and checking accounts. It's an investment in safety.

(01:32:05) Email safety - what can you do to protect yourself?

(01:36:14) Urgency in an email (phone or text) message is a red flag.

(01:36:54) QUOTE "Anything that comes in that's demanding that you do something right away, take action right away, is a huge red flag." -Dave

(01:37:18) QUOTE "If it smells wrong, it's wrong" in regards to emails or messages you receive. -Steve

(01:38:40) QUOTE "Don't click the link, go to the source" regarding links given in suspicious messages. -Janene

(01:39:10) Even if you get messages or calls from UECU or Utilities Employees Credit Union, it's okay to be suspicious. We never ask you to provide personal information that way. Reach out to us directly if you are concerned. We understand and appreciate that you are taking steps to stay safe.

(01:42:12) It's important to keep your contact information updated wherever you have accounts, and with any business that has your personal information. If we're concerned about suspicious activity on your accounts, we need to be able to contact you directly.

(01:43:38) We discuss links to great online resources provided by the US government at www.cisa.gov, legitimate organizations like www.security.org, and here at UECU: www.uecu.org/fraudprevention. Links noted below.

(01:46:55) Final Words from Steve: Practice. You have to make cybersecurity an ongoing focus. Train that "muscle" so it grows. Make small changes all of the time. Be vigilant.

(01:48:55) Final Words from Dave: Take your time. Slow it down. Don't respond quickly. Think it through.

Tip Talk

(01:26:40) Use your phone to set reminders to pay your bills on time. It's the biggest factor in having a good credit score. - Janene

(01:50:25) Save early, save often. If you have a 401K, max it out. -Steve

(01:51:25) Invest in companies that are doing good things (instead of just buying their product!)

RESOURCES:

Learn more and continue the conversation:
