How 1 CU Is Examining Risk Across The Enterprise
As phishers bear down on credit unions, BECU business units are responding by removing their side-blinders and taking a look at fraud risk across the enterprise.
"Last year, business unit management was working in silos," explained Kathryn Antonetti, IT Systems and Security Manager at the $5.6-billion CU. "I don't know how we ever managed."
The shift from a siloed approach to an enterprise-wide look at fraud is profound, continued Antonetti.
"It's difficult to accept, defer or mitigate risks when you look at them in silos," she said. "To manage risk, you really need to look at all the avenues and tools available to you across the enterprise and confirm that the actions you're taking are in line with the overall strategy. We look at risk holistically. Then we rank the risks and look for point solutions to address each risk."
For the past year, a core group comprising the Security Risk, Information Technology, Legal Compliance and Insurance business units has met to survey BECU's fraud landscape.
Early next year, the group will expand to include the CU's other business units, said Antonetti. "We'll start by educating business unit management about business risks, get them thinking about the top risks in their area and challenge them to come up with controls," she said.
BECU's approach is in line with recent TowerGroup research, which suggests a "holistic approach to combating fraud."
TowerGroup further recommended tightening controls by revamping business processes, for example by automating account opening and funding.
The Latest Risks
"We haven't gotten as far as revamping our business processes," said Antonetti.
Meanwhile, BECU's holistic surveillance helps make the most of the CU's existing technologies.
"We focus on the latest risks and controls using a basic set of tools that are flexible," explained John Snodgrass, Security Risk manager at BECU. "A lot of the technology we buy is functional technology and is not specific to one need. In some cases that technology can fit the need and in some cases we have to buy something new."
Snodgrass pointed to recent phishing threats to the financial industry wherein hackers scrape confidential information and then verify that the data is good through Paypal transactions of less than $1.
"We became aware that the bad guys were verifying transactions using Paypal," Snodgrass said.
BECU turned to existing database monitoring tools to check for spikes in the number of transactions under a dollar.
With phishers' attention more focused on targets that are less prepared to defend themselves, such as community banks and credit unions, BECU's technology strategy will include stronger authentication for online banking.
"We've seen many more phishing attempts," Antonetti said. "And we're looking to release controls in third quarter 2006, including two-factor and behavioral authentication solutions."
Two-factor authentication requires more than just something the user knows-a personal PIN-but also data from something the user has-a computer or token.
Behavioral authentication detects anomalies in users' Internet Protocol addresses or log-in times.