Threats can lurk in strange places, so, as a card program manager, it is necessary to think broadly. Driving this point home, the presenter at a recent cybersecurity conference shared how a financial services company was breached through an unlikely source. It gave fraudsters access to all the company’s files, including sensitive client information. The source? A new thermostat in the building for which the company never changed the default password. If this story sounds familiar, it is reminiscent of the fraudsters who accessed Target’s POS systems in 2013 through the login of an HVAC company. Apparently, some companies did not learn from Target’s experience. What about your organization? Stories like these highlight how, even though you might be protecting data within your line of job duties, additional threats may still remain. Following is another example from the cybersecurity conference presenter and some things you can do.

Another Threat

Mobile devices represent another broad threat. The cybersecurity presenter recommended that, if employees access work email via their devices (and who doesn’t do this?), they should:

• lock their device when not in use
• have a strong password of letters, numbers, and characters to unlock the device 

The presenter went on to describe how, if an employee were to lose their device, the employee should contact the company IT department, who should be able to remotely wipe out that employee’s phone to prevent fraudsters from using it. Lots of “should” statements. There are also complicating factors if it is a personal mobile device that the employee uses for work.

Who is Responsible?

Going back to the first example, whose job was it to change the default thermostat password? It likely fell to maintenance personnel—people you would never think about as being potential gatekeepers to sensitive files. In reality, cybersecurity is everyone’s responsibility. Are all employees in your organization trained on security at least annually? What are your policies pertaining to mobile devices?

What You Can Do

If you are a card program manager wondering what you can do with this broad information, a good start is simply having a discussion with your management and/or IT representative. Since you handle sensitive information, it might also be beneficial for you to be part of a more general team within your organization that looks at security holistically. At a minimum, make sure you know:

• where your card-related data is stored, including any sensitive/personal cardholder information
• who has access and whether the access is appropriate
• the potential vulnerabilities that could impact your program; for example, you do not want a lost mobile device in another part of your organization to open the door to fraud
• what protective actions are possible to keep the data separate and restricted

Finally, continue to incorporate security topics into card program training.

Available External Resource

Ironically, just as I was about to publish this post, I was notified about the Verizon report, Data Breach Digest: Perspective is Reality, which is filled with cybercrime case studies and tips. If you want to dive in (it is a 100-page report), download it from: http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more…

Subscribe to the Blog

Receive notice of new blog posts.