By John San Filippo
Cybersecurity expert Jim Stickley, CEO of Stickley on Security, has been a well-established and popular speaker on the credit union circuit for years. His sessions have always followed the same format: provide details on the latest scams with the potential to affect credit unions or their members, give a live demonstration of said scams, and then provide practical advice on how to protect against those scams. Stickley went a different route when he spoke at SymEast in mid-April, opting for an AMA (ask me anything) format.
To relax the audience, Stickley began by walking around the room presenting each attendee with either a Hostess Twinkie or a Hostess Ding-Dong, depending on which treat he deemed most appropriate for that person. Finopotamus co-founder John San Filippo was presented with both a Twinkie and a Ding-Dong. To encourage participation, each person who asked a question was rewarded with a Hostess Fruit Pie hand-delivered by Gina Kovacs, vice president of sales for Mahalo Banking. (Stickley is also CEO of Mahalo Banking.)
Despite the unique format, the session shared one common trait with all previous Stickley presentations: It was packed with plenty of useful information.
On Scams That Center Around Zelle
“The problem with Zelle is that there are no real checks and balances,” Stickley told the audience. “When people are transferring funds with Zelle, it just kind of goes. And so that's where all the criminals are focused.” He noted that virtually all other person-to-person (P2P) platforms, such as Venmo and PayPal, offer various checks and balances so a user has some assurance about who is receiving their money.
“Zelle works great and it’s not really being hacked,” he continued. “It's just that morons are willing to send money based on an email or phone call.” He said that non-tech-savvy members often assume that just because their credit union offers a service, it’s somehow protected from scams.
“Nobody is getting ‘hacked.’ It’s always somebody making a bad decision,” he added.
What can a credit union do about these scams? “If you offer Zelle to your members, you should be doing a lot of education around the risks of Zelle and warning your members ahead of time of all the scams that are tied to it,” admonished Stickley. “Just type in Zelle scams on Google and you’ll find a million of them.”
On Cybersecurity Training and Awareness for Employees
Given the high rate of employee turnover due in part to the Great Resignation, Stickley told the audience that a persistent training and awareness program is especially important now.
“If you do training once a year, or maybe have an offsite meeting where you train everybody on security and that's it for the year, you're cooked,” said Stickley. “The reason is technology, especially on the scam side, is changing so rapidly. I mean like weekly.” He added that although education and awareness tend to be lumped together, they’re two very different things.
“Education is education. If you do education once a quarter, you’re probably fine,” he said. “However, awareness to me is a daily thing. It's letting people know daily. Here's a new risk. There's a new whatever. An email should go out to the entire credit union.”
He noted that well-informed employees are in a better position to help members prevent fraud. What’s more, these constant reminders help keep cybersecurity top of mind.
On Potential Russian Cyberattacks
“The odds of Russia attacking your credit union are relatively low,” claimed Stickley. “That's not where they're going to get the most bang for their buck. They're going for big-ticket items right now. Maybe if you’re a multi-billion-dollar credit union, there’s a little bit of a risk.” He said like all other hackers, Russians would be looking for a bigger payday, focusing on the national and international megabanks.
He noted that state-sponsored Russian hackers would also be interested in the terror aspect of their misdeeds. “If a small, mom-and-pop credit union gets hacked, it probably won’t get any further than the local news,” he said. “If Chase or Bank of America get hacked, it’ll be big national news and probably international news. People will freak out.”
According to Stickley, credit unions that do business with large companies should focus on potential supply-chain hacks. He recalled the infamous Target breach of 2013. In that case, one of Target’s suppliers was hacked, and because that supplier had access to Target’s internal systems for legitimate business reasons, malware was able to spread from the supplier’s computers to Target’s.
On the Reemergence of Backups to Physical Media
“Remember when Amazon had its outage and it took down Netflix and part of Facebook? That was only one data center,” noted Stickley. “Now imagine if Russia is truly able to get into systems like that and take those offline. How big of an impact would that have on every person in this room?” He urged attendees to consider where they’re storing data such as backups, noting that cloud-based storage has become ubiquitous. He suggested credit unions should consider a hybrid approach to data security that includes backup to physical media.
“Hard-copy backups seem so dated with everybody going to the cloud,” he continued, “but you still want to make sure you can access your data in case something really critical happens to your cloud connectivity.”
On Advice for Mobile Users
When asked for some tips on keeping mobile devices secure, Stickley said that desktop and laptop computers represent a significantly greater security risk than any mobile device.
“Mobile devices hold up pretty well,” said Stickley. “It’s not the device that creates a risk; it’s the apps you put on the device.” He added that just because an app is downloaded from Apple or Google doesn’t ensure that the app is safe. Even so, he said that laptops and desktops are much less secure. He suggested, where feasible, credit unions should consider replacing laptop and desktop computers with Chromebooks, which are considered mobile devices and thus enjoy the added safety of a mobile device.
“Chromebooks are very inexpensive and they are almost bulletproof,” claimed Stickley. “They're almost hack proof, not guaranteed, but compared to a standard Windows PC, or even a Mac, it’s night and day. You're going to reduce your risk drastically.”