Mitigating cyber threats in your home and across your electronic devices
Hello Friends!
In the spirit of Cybersecurity Awareness Month…
It is common knowledge that the US financial system has been a top target for cyber criminals in recent years, and protecting it has deep bipartisan support in the federal government, which directs enormous ongoing resources to the problem through agencies such as CISA. But did you know there is a growing consensus that cyber criminals assume credit unions are a softer target than banks? That could not be further from the truth, for many reasons, one being that most leading cloud and network cyber defense solutions for the financial services industry are sold and scaled across all types of financial institutions. Working in a credit union in 2024, every employee must be vigilant for phishing scams, signs of data breaches, and all other types of fraud or theft, and must know how to report and mitigate them. Running a financial institution on the latest technology, with the most secure networks and VPNs, carries a high price tag in the annual budget. Credit unions allocate time and resources for cyber risk training delivered through multiple channels, including mandatory compliance learning (you know, that annual web course you took three times before you passed with 100%!). Data breaches and cyber incidents have become part of our digital society, with cyber resiliency as our unified goal. These stories of attacks and scams are in the news almost daily, so we regularly discuss them with our teammates while fielding frequent questions and concerns from our members about their individual account security and data privacy. At the end of the day, credit unions are able to demonstrate to their regulators, such as the NCUA, that they have taken reasonable steps to avoid these catastrophes, and the NCUA publishes cyber incident reporting requirements as well as readiness resources. And speaking of regulation, we will discuss your own consumer data privacy protections later in this article.
So, with all this focus and deep knowledge devoted to protecting your credit union and your members, have you taken the same steps to protect your own data and maintain an appropriate level of privacy as a consumer on your own home network and devices? I work in risk management and have seen first-hand how damaging financial fraud and cyber incidents can be to our institutions. They have ultimately closed the doors of some. Years ago, when I worked as an underwriter in both loan origination and default loan servicing, I saw fraud and scams in loan files, which grew my interest in risk management. One of my first roles worked closely with BSA/KYC, where I obtained my CAMS designation. But I will admit to you all that being a victim of elaborate financial fraud myself, and seeing it impact my family, friends and clients, only drives me to want to do more to stop it. This summer I decided to conduct my own "tabletop exercise" on my home Wi-Fi network and all of my mobile devices, and I did not like what I found. I will walk you through some of the most common adjustments you can make, at minimal cost. If you can devote 5-10 hours and a budget of less than $400, my checklist below should help:
- Contact or research your current internet service provider (ISP). Ultimately, I switched to a different provider because multiple breaches had exposed some of my personal data. They even mailed me some of the data that they determined was stolen from their datacenter. To be candid here, the big ISPs would like to guarantee secure private networks, and some used to advertise this, but they can no longer ensure it given that many have had breaches in the last 12 months, with cyber criminals often penetrating their offshore data centers. That is one more reason to use your own (auto-connect) VPN consistently. Keep the limits of a VPN in mind, though: it hides your browsing from the ISP's network, but it does nothing for the account, billing and identity records the ISP already holds. After a breach notice, change your ISP account password and turn on MFA for that account as well.
- If your VPN does not operate correctly, replace it! There have been significant advancements in VPN technology, and a number of VPN providers have reportedly experienced service interruptions from hacks. Family and friends have told me their VPN just shuts off at times, and I have observed that back-to-back robocalls can also trip up some cellphone carrier VPNs. And if you think back, you may recall browsing, emailing, or making an online payment on your work or home laptop even after your VPN abruptly disconnected. I have seen this occur too. Look for a VPN client with a kill switch: when the tunnel drops, it blocks all traffic rather than silently falling back to the open connection.
- When is the last time your ISP (internet service provider) required you to change your modem/wireless router network password? Someone recently told me, "Jeff, I guess that factory password came with the ISP modem/Wi-Fi router at installation back when we bought the house 4 years ago!" And think of all the guests in your home over even one year who stored or know your Wi-Fi password. So, we know ISPs don't require these security updates the way the credit union requires network password changes at least quarterly; that's on you. (I think this would be beneficial consumer-protection legislation to introduce.) When you do change it, change both the Wi-Fi passphrase and the router's administrator password, since the factory default for the latter is often printed on the label or published online, and turn off remote administration unless you actually need it. And one more thing on this subject: stop using your ISP's modem/wireless router combo. It's just more secure to acquire your own wireless router (I use an ORBI mesh system) and plug it into your ISP modem. If your ISP has notified you of a data breach, you could also request that they ship you a new modem.
- When is the last time you changed your home guest Wi-Fi password? Have you limited which sites can be reached using features like parental controls? Some experts believe you should put your higher-risk Wi-Fi devices, like those wireless speakers and smart lamp plugs (many of them made in China and rarely updated), on a separate, isolated home network rather than your primary one. Not to worry, they can still safely share the same modem: on most consumer routers this is simply a second SSID (often the guest network) with client isolation turned on, so a compromised smart plug cannot reach your laptops or network storage.
- If you work remotely from home and use your company VPN for your work devices, determine what is sufficient to protect your other web traffic. VPNs have grown considerably in sophistication. I personally use Netgear Bitdefender VPN + Armor with an internet kill switch. The Armor works like an enhanced VPN, masking all of the real IP addresses of the connected devices in my home.
- If, like so many Americans, you have received a notice that your data was compromised in a breach at a financial institution or another organization that held your data at some time, how did you respond? As an example, did you take up the offer of free credit monitoring? Remember, to reduce your chances of being the next victim, use your browser's private browsing features, which Apple finally mastered for iPhone iOS. Be clear on what they do, though: private browsing keeps history, cookies and form data off the device, but it does not hide your traffic from your ISP or the sites you visit; that is the VPN's job.
- Now let's focus on your passwords and the password managers and keychains that hold them. Criminals trade stolen credentials on the dark web as "combo lists": files of email/username and password pairs pulled from breaches. Many Americans' passwords are being marketed and sold this way. Do you know ALL of your passwords that could already be sitting on a combo list? That is even more reason to inventory your online passwords, keep them unique (a password manager makes this practical, because one leak then exposes only one account), and change any that have been exposed. Free services such as Have I Been Pwned will tell you whether an email address has appeared in a known breach, and many VPN and security suites bundle dark web monitoring that alerts you when your data, such as an entry on a combo list, has been exposed. And again, if you see this type of alert, act!
- If your ISP accesses your modem remotely and tells you that you have 20 recently active devices on your network, can you account for all of them? You should know every device that has access to your network, no different than your credit union knows every employee with active login credentials. Your router's admin page lists connected clients by name, IP and MAC address; walk that list against a written inventory and investigate anything you cannot name.
- How much are you willing to spend to protect your mobile devices with YOUR OWN VPN and auto-renew any software when required? Turn on auto-updates for your mobile apps, and keep in mind that many of the devices on your home Wi-Fi network (like smart TVs) also require routine software updates (check them). My software subscriptions for security, networking, encryption, and cyber risk detection total only a couple hundred dollars per year.
- Do you leverage multi-factor authentication (MFA) for every online account that offers it? Turn it on! Where you have a choice, an authenticator app or a hardware security key is stronger than a code sent by text message, since SMS codes can be intercepted through SIM swapping.
- Ask your cell phone carrier if they offer additional protective subscriptions. I use a third-party vendor called Robo-Killer that filters spam text messages for me and automatically receives those annoying spam and robocalls/voicemails from the "Loan Approval Dept" or "Extended Car Warranty" and removes that noise. Think carefully before you answer that unknown caller, as they may be after your voice print. Watch out for URL links, and question QR codes too: a QR code is just an encoded link, and it can point at a malicious site or download as easily as a legitimate one.
- Contingency plan. It might sound dramatic to have a BCDR plan at home, but as you have read above there are simple things you can do as a checkup for your tablets, devices, and all active online accounts. If your accounts are compromised and the last known password is changed, you should know how to regain control of those accounts the same day. Keep the pieces that recovery depends on current: the backup email address and phone number on each account, your MFA recovery codes stored somewhere offline, and your password manager's recovery key. Remember that the recovery time objectives we define and measure for BCDR in the workplace are equally important for your family and for protecting your assets.
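The device-inventory check from the list above (and the guest/IoT isolation point earlier in it) as working code. This is an added example, not something from the original article: it takes the kind of client table a home router's "attached devices" page or `arp -a` prints, compares it with an inventory you keep, and reports devices you cannot name, devices sitting on the wrong network segment, and inventoried devices that are absent. The client table, the MAC addresses, the inventory and the two subnets (192.168.1.0/24 as the primary network, 192.168.2.0/24 as the isolated IoT/guest network) are all constructed for the example.

```python
"""Reconcile the devices your router sees against the inventory you keep."""
import ipaddress
import re

# Constructed sample of a home router's client table (the same shape `arp -a`
# or the router's "attached devices" page gives you). Not from a real network.
ROUTER_CLIENT_TABLE = """\
IP             MAC                Hostname
192.168.1.1    aa:bb:cc:00:00:01  router
192.168.1.20   aa:bb:cc:00:00:20  laptop
192.168.1.21   AA:BB:CC:00:00:21  (unknown)
192.168.1.31   aa:bb:cc:00:00:31  wireless-speaker
192.168.2.30   aa:bb:cc:00:00:30  living-room-tv
192.168.2.40   de:ad:be:ef:00:01  (unknown)
"""

# The inventory you maintain: MAC -> (friendly name, network it belongs on).
# Constructed for the example.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("router", "primary"),
    "aa:bb:cc:00:00:20": ("laptop", "primary"),
    "aa:bb:cc:00:00:30": ("living-room TV", "iot"),
    "aa:bb:cc:00:00:31": ("wireless speaker", "iot"),
    "aa:bb:cc:00:00:50": ("tablet", "primary"),
}

# Assumed layout: primary devices on one subnet, isolated IoT/guest on another.
SEGMENTS = {
    "primary": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.2.0/24"),
}

# ip, a colon-separated MAC, then whatever hostname the router reports.
LINE_RE = re.compile(
    r"^\s*(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*?)\s*$"
)


def parse_clients(table):
    """Return (ip, mac, hostname) tuples; MACs normalised to lowercase."""
    rows = []
    for line in table.splitlines():
        m = LINE_RE.match(line)
        if m:  # the header line and blank lines do not match
            ip, mac, host = m.groups()
            rows.append((ip, mac.lower(), host))
    return rows


def segment_of(ip):
    """Name the network segment an address falls in, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "other"


def audit(table, inventory):
    """Classify every seen device and note inventoried devices that are absent."""
    report = {"ok": [], "unknown": [], "misplaced": [], "missing": []}
    seen = set()
    for ip, mac, host in parse_clients(table):
        seen.add(mac)
        if mac not in inventory:
            report["unknown"].append((ip, mac, host))
            continue
        friendly, expected = inventory[mac]
        actual = segment_of(ip)
        if actual != expected:
            report["misplaced"].append((ip, mac, friendly, expected, actual))
        else:
            report["ok"].append((ip, mac, friendly))
    for mac, (friendly, expected) in inventory.items():
        if mac not in seen:
            report["missing"].append((mac, friendly))
    return report


if __name__ == "__main__":
    result = audit(ROUTER_CLIENT_TABLE, KNOWN_DEVICES)
    for ip, mac, host in result["unknown"]:
        print(f"UNKNOWN   {ip:<15} {mac}  '{host}'  -> identify it or block it")
    for ip, mac, friendly, expected, actual in result["misplaced"]:
        print(f"MISPLACED {ip:<15} {mac}  {friendly} is on '{actual}', belongs on '{expected}'")
    for mac, friendly in result["missing"]:
        print(f"MISSING   {mac}  {friendly} not seen (powered off, or inventory stale?)")
    print(f"{len(result['ok'])} device(s) accounted for")
```

Run it against the constructed table and it flags two devices nobody can name, a wireless speaker that is on the primary network instead of the isolated one, and a tablet in the inventory that was not seen. One practical caveat: modern phones and laptops randomise their Wi-Fi MAC address per network, so they can show up as "unknown" after a reset; add the new address to the inventory rather than treating every such entry as an intruder.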
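How a password-exposure check (the "has my password turned up on a combo list?" question from the list above) can work without handing your password to anyone, as an added example rather than the article's own material. The range-query, or k-anonymity, scheme shown here is the one Have I Been Pwned's Pwned Passwords service uses: only the first five hex characters of the password's SHA-1 hash leave your machine, the service returns every hash suffix it knows under that prefix, and the match is made locally. The breach corpus and its counts are constructed for this example; `offline_fetch_range` stands in for the network call so the block runs offline, and `live_fetch_range` shows the same lookup against the real endpoint for anyone who wants to run it for real.

```python
"""Check a password against a breach corpus without revealing it (k-anonymity)."""
import hashlib
import urllib.request


def sha1_upper(password):
    """Uppercase hex SHA-1 of the password, the form breach corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """(prefix, suffix): only the 5-character prefix is ever sent anywhere."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


# Constructed stand-in for a breach corpus: password -> times seen in leaks.
# The passwords and counts are made up for this example.
CONSTRUCTED_CORPUS = {
    "password": 3861493,
    "letmein": 150000,
    "Summer2024!": 12,
}


def build_range_index(corpus):
    """Index the corpus the way a range endpoint serves it: prefix -> 'SUFFIX:COUNT' lines."""
    index = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


_RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def offline_fetch_range(prefix):
    """Mimics the range endpoint: every known suffix under this prefix, one per line."""
    assert len(prefix) == 5, "only a 5-character hash prefix ever leaves the machine"
    return "\n".join(_RANGE_INDEX.get(prefix, []))


def live_fetch_range(prefix):
    """The same lookup against the real Pwned Passwords service (needs network access)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exposure_count(password, fetch_range=offline_fetch_range):
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:  # comparison happens locally
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "Summer2024!", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        n = exposure_count(pw)
        verdict = f"seen {n} time(s), change it" if n else "not in the corpus"
        print(f"sent prefix {prefix} for {pw!r}: {verdict}")
```

To check against the real service, call `exposure_count("...", live_fetch_range)`. The full hash never leaves your machine, so a single prefix lookup reveals nothing useful about which password you hold; what the response does tell you is that a password seen millions of times is one the criminals already try first.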
Privacy policies and consents for your devices that connect to the cloud
The EU has had the General Data Protection Regulation (GDPR) for the better part of a decade. The GDPR is a European Union (EU) law that protects the privacy and security of individuals' personal data; it was adopted in 2016 and has been enforced since May 2018. And if you are a lucky resident of the state of California, your data protections may very well follow you across our borders and around the globe, thanks to the California Consumer Privacy Act (CCPA) of 2018 and the California Privacy Rights Act (CPRA) of 2020. The EU is also leading today with the newly passed Artificial Intelligence Act (the EU AI Act), which entered into force in August 2024 with most obligations phasing in over the following two years and some over three. If you have ever used an internet browser while traveling in Europe, you have seen GDPR in action: your searches and web pages open differently and request your consent on choices relating to the use of cookies and the transmission of your personal data. I said we would talk about regulation again, and I can only say this one way: our government has not passed sufficient consumer data protection laws, and the end result has been a wild west for retailers eager to spy on our households in order to drive sales and revenue. True, lawmakers and regulators have defined categories of private data such as PII (personally identifiable information) and NPI (nonpublic personal information, under the Gramm-Leach-Bliley Act). If we looked at all citizens' personal data through the same lens as we defined those, we would be much closer to the protections that exist for our friends and allies in the EU.
It seems that as a society many Americans prefer digital conveniences over any privacy. But again, those of us who have been scammed before are suspicious of the possibilities. I'll give you a few examples from my home. First, Alexa and Siri are not listening on my devices! I do not consent to "customized experiences"; said differently, this is an opportunity to share your personal information with big data, and the retailers are lined up, ready to put their advertisements in front of you. I saw this play out with the Samsung TVs in my home. There is the expression "nothing in life is free." I decided during the pandemic to cut the cord and save money by using my Samsung TV Plus service. I started to notice that the TV commercial breaks were extremely targeted at my interests from internet searches on my home network. We know tech giants like Facebook, Google, YouTube and others developed this technology over a decade ago. So, I grabbed the TV remote, went to the Samsung privacy settings, and found an option to opt out of the sale of my information. So, the lesson here: check the privacy settings in fine detail for all your home streaming devices.
One last topic, too important not to address here. Our elderly are being targeted by cyber fraud. This fraud is rampant and is often caught by a number of teams, including front-line employees like tellers as well as BSA/AML and card fraud staff. Elder financial abuse is a horrendous crime. It is important to educate senior citizens (and our own families and neighbors) on the steps they need to take to protect themselves. Unfortunately, studies show that senior citizens are less likely to update their mobile devices or the software across these devices, and some may not review their accounts regularly, but they might answer that unexpected phone call. If you need a way to articulate the importance, watch the opening scene of the movie "The Beekeeper", in which a senior woman is targeted by a cyber-criminal organization that wipes her online accounts in less than 2 minutes flat. I don't believe in scare tactics, but not all Americans see and feel the threat as we do in financial services, so it is important to stress how crucial this is. Don't let that scene get you down: there are law enforcement agencies (Interpol perhaps the most well-known) working together and successfully taking down large cyber-crime rings.
I hope I have provided some take-aways that will increase your online security. Always remember that any type of electronic communication can be a conduit for these crimes, so do regular checkups on the technology you use. As new tech and AI advancements arrive, so will new fraud schemes! Please reach out to me with any questions or comments, or for a complimentary follow-up discussion. I won't cold call you (which is a real industry challenge for B2B salespeople today), but do look out for my emails or secure LinkedIn messages to stay in touch. Together, we can be a cyber-resilient America and tackle these important issues, protecting our financial system and our most vulnerable Americans and infrastructure.
*The opinions expressed are those of the author and should not be considered professional advice.