Sally Beauty is the latest to fall victim to a data breach, and the PR nightmare has begun. This happened, of course, right as I started writing this blog post. It looks as though retailers are getting slammed with data breaches, and no doubt one factor is the lack of regulations they are required to follow.
Given that, let me address a regulation your credit union needs to follow to further reduce the chances of a data breach. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. Log management can help in identifying possible security violations and resolving them effectively. Furthermore, per NCUA Regulation 748 Appendix A. III. C. 1.d., change control procedures should be in place, designed to ensure that system modifications are consistent with the credit union's information security program.
On May 17th, 2013, both www.federalnewsradio.com and www.wtop.com were compromised. The websites were infected by an exploit kit delivered through a fake Flash installer. This problem could easily have been avoided with an effective patch management program.
Credit unions should be able to answer the following questions to demonstrate a strong patch management program:
Retailers sharing the financial burden of breaches and having more regulatory oversight and standards is definitely an issue, and your voice should be heard by your local political representatives. However, it is important not to forget that we, as an industry, should continue to lead by example and demonstrate how to balance regulatory responsibility with a strong security posture.
By Idrees Rafiq, Jr., AVP IT Consulting, Credit Union Resources, Inc.