Among the best steps banking customers can take to protect themselves against cybercrime is using a password manager, and they should expect doing so to make their lives easier.
That’s according to a veteran of cybersecurity, Mike Newborn, who is now the chief information security officer at Navy Federal Credit Union. It is
Navy Federal recently partnered with the support network to help the credit union’s members gain the confidence needed to know what next steps to take if they are a victim of fraud or scams and to help members guard themselves against such crime, according to Newborn.
People who currently serve or have served in the military, alongside their families, are “disproportionately targeted for online crimes,”
Newborn spoke with American Banker about the partnership, the cybersecurity strategies he sees as vital for banking customers to follow, the measures the credit union takes to protect its members, and why those measures can make everyday digital life easier for people rather than detracting from ease of use.
Mike, what makes you an expert on cybersecurity? What has been your professional experience in the field?
MIKE NEWBORN: I’ve been doing cybersecurity risk management for almost 24 years. This is the third role I’ve had as a lead or chief of security. I’ve been the chief information security officer of Navy Federal for almost three years.
Before Navy Federal, I was a security officer at one of McKinsey and Co.’s business practices as well as an associate partner. I did a lot of consulting globally, a lot of travel, and I got to see all of these different organizations across sectors that I probably never would have been exposed to if I hadn’t worked for McKinsey.
I was at McKinsey for about three years; I was at Bloomberg BNA, now known as Bloomberg Industry Group, for a few years before that. I spent most of my career — 15 years — at VeriSign. They do critical infrastructure protection.
Why did Navy Federal pursue a partnership with the Cybercrime Support Network? What do they offer your members?
Navy Federal is a very mission-oriented organization. Our mission is our members — that’s our tagline. The Cybercrime Support Network is also a very mission-oriented network. Their mission is to help individuals and businesses deal with and fight threats associated with cybercrime.
Given that both organizations are very mission-oriented, there were clear synergies between their mission and the needs of our members. Our members have the opportunity to be educated better from a cybersecurity standpoint.
CSN supports two different websites —
What's some of the low-hanging fruit that people can get after if they are concerned about their security? Or, even if they're not, what should consumers be doing to improve their own banking security?
One big problem we see is credential reuse, and a kind of cyberattack we see frequently in the banking industry is credential stuffing.
People reuse credentials for a lot of things, and sometimes they reuse them with their banking and financial accounts, so the bad guys will just try to stuff them. That means they take a credential — a username and password — and put them into a bunch of websites. If they are able to log in, they make a note that it worked and potentially do something later with the credential and that website where it worked.
If we can encourage our members out there to use unique passwords on every single website or application that they need to create them for, then that's a huge win. But, that's very difficult to do without the help of technology. That's why you get the recommendations that you should invest in a password manager, and there are many good password manager options out there.
Some are free, some are paid. Some of them offer features that are well beyond just managing your password that make your life easier as well. There are a lot of benefits from that, not just for security but for convenience.
I said “low-hanging fruit,” but a better phrase might be about eating your vegetables, because I think many people see security that way.
Yeah, there's this idea that security means friction and that, if you're going to try to be more secure, you have to eat a lot of vegetables without getting any dessert, but that’s not the reality.
For example, password managers offer the ability to automatically populate login forms or easily type in your credit card or your other personal information, and they add security.
I don't think that there is a trade-off between ease of use and security, and I think the industry is moving past that mindset. I think we're trying to find ways to blend security and ease of use.
What are some other things users can do to improve their own security?
Don't share credentials. Keep your devices, computers, and apps all up to date. Apply the latest patches, and make sure you're applying them from trusted sources.
Use some sort of antivirus or endpoint detection capability where you can. A lot of times you don't have to pay for that; the built-in ones are great. So if you use Windows, you can use the built-in Windows one — Microsoft Defender Antivirus.
It’s also important to have good password hygiene in general. That means use strong passwords. You can have a password with mixed characters, and a lot of people will use phrases so it's easier to remember. Come up with a sentence and replace vowels with numbers, capitalize certain letters, and end it with a symbol.
I will admit it is difficult to do this without the help of a password manager. If you're not using a password manager, then you're storing passwords on a piece of paper or likely something that isn't secure. I’ve seen people store passwords as contacts in Outlook, or they put them in a spreadsheet on their computer.
And what about from your side of things? What can Navy Federal do to improve security for customers without creating friction?
We can do a few things. For example, the first time you log in from a new device, you're required to go through the multifactor authentication process, but you have an option to say, “I trust this computer; it's not a public computer.” We then won't make you go through MFA as often.
You can also enable Face ID on your mobile app, and as long as you've logged in recently, and you select the right options, Face ID is all you need to log in. You don't have to enter your password every time.
Those are examples where we've empowered our members. We’ve put them in a framework where they have to do certain things to satisfy the risk appetite that we were comfortable with, but if members want to be even more secure, they can require full, strong authentication every time they log in.
We also have a security center to give members the option to enable the notifications they want, so for example, you can get notified every time you have a credit card transaction. Or, you can just rely on Navy Federal’s advanced detection systems to look for anomalous activity, and we’ll still let you know when we see fraud.
I think promoting security and ease of use is really important, and anytime we decide that we're going to make a significant change, we have a process that we go through to try to understand what the impact to the member would be. We have members of all different backgrounds, ages, and technical proficiencies, so we have to consider all those situations.
Sometimes, you don't get it right on the first try, but we take feedback very seriously, and that's how Navy Federal maintains very high marks across all financial institutions — not just credit unions — for customer experience. We are very customer-oriented, and we're always learning about the changing environment, especially on cybersecurity.