Sean Murphy, Chief Information Security Officer

October is Cybersecurity Awareness Month. We sat down with Sean Murphy, Chief Information Security Officer, to learn more about him and his commitment to keeping member information secure.

What do you do at BECU?

I lead BECU's Cybersecurity program. I am responsible for putting into place all the tools, processes, and policies BECU uses to safeguard our members' personal and financial information. Additionally, I lead a team of about 35 super-smart professionals dedicated to helping BECU achieve our goals and protect our well-earned reputation in our community.

What is Cybersecurity Awareness Month?

In 2004, the US Department of Homeland Security established October as Cybersecurity Awareness Month. The participation of government and private-sector organizations has grown tremendously over the last 15 years as the importance of cybersecurity defenses has grown within organizations. But, the month is not limited to business or government organizations.

The focus of Cybersecurity Awareness Month also includes internet safety, social engineering, and usage of secure internet of things (IoT) that we can all use in our personal lives. Typically, organizations spend the month providing events, contests, communications, and town halls to double down on cybersecurity learning opportunities.

How can people protect themselves online?

There is always some risk with being online, so my best piece of advice is, "It CAN happen to you." A healthy dose of skepticism is a good foundation that may help you take internet safety seriously. Some more tangible steps to take:

1. Look for Verification
   If you are looking at social media web sites for an organization, there will be a verification checkmark on legitimate web sites besides the profile name. No checkmark = unverified site. Be skeptical.
2. Run Security Updates
   Keep your computers and devices current with security updates. For your personal Windows laptop, for example, turn on Automatic Update in Windows. Other devices have similar capabilities. Use them.
3. Back-Up Your Files
   Back up your sensitive information. If you have a ransomware attack, where you cannot access your data, you will be glad you have a backup copy.
4. Change Your Default Passwords
   Be sure to change the default passwords on your networking, security, and Smart devices. Contact your manufacturer if you have difficulty with this.
5. Opt-Out of Cookies
   Opt-out of tracking cookies with your browser. Check your browser for its cookie settings.
6. Be Selective
   Be selective with what you share online. Social Engineers (people after your information) can piece together personal information from numerous sites or sources to create a database for identity theft with a simple Google search.
7. Be Careful with Downloads
   Be careful with what you download from the internet. Use malware scanning tools before you download an application or software.
8. Unplug
   Disconnect your computer from the internet and turn it off as much as you can. Someone can't attack your computer if it is powered off or disconnected from your network.
9. Report Scams
   If you suspect you've encountered a scam, it's important to report it to help the authorities and to get the word out to other potential victims. If it was a sweetheart scam, you should contact the police and/or the Federal Trade Commission. If the scammer impersonated an organization, please notify that organization as well as the Federal Trade Commission.

If the scam happened online, you can report it to the FBI's Internet Crime Complaint Center. Here is a list of other places to report scams.

What are some of the newest fraud techniques scammers are using?

Remember what I said about cybercriminals piecing together information from several public sources? Well, they also use previously stolen information they acquire, purchase, or steal from a second illegal source to create fraudulent financial accounts like a home equity line of credit (HELOC). Once they have the fraudulent account, they attempt to get checks they can cash at other financial institutions. BECU has several security and fraud controls in place to prevent, detect, and respond to these types of attacks. But, this scenario underscores the need for all of us to continue to be very cautious with sharing our personal and financial information.

What's the one thing you would tell people to do when it comes to staying safe online?

First and foremost, be skeptical. If it sounds too good to be true, it probably is. Additionally, guard your privacy. There are increasing amounts of settings in social media and networking devices that help protect us. Use them.

What are some of the security initiatives you and your team are working on at BECU?

There are three general categories of initiatives we are doing at BECU. First, we are investing in cybersecurity using a North Star aspiration of the National Institute Standards and Technology (NIST) Cybersecurity Framework. Without going into too much detail, the framework is the foundation of the current Credit Union and financial institution requirements. It helps us deliver value as well as to measure our increases in cybersecurity maturity against the ever-changing threats we face.

Second, we are focusing on increasing cybersecurity awareness at BECU. Every employee plays a significant role in protecting our members' information and BECU's reputation in our community. We are doing what we can to arm our employees with tools and knowledge to be our first line of defense and our first responders against cybercriminals.

Third, we are looking to build in cybersecurity rather than bolting it on. What that means is as IT, the lines of business, or BECU strategy goes, so does Cybersecurity. We want to move from adding cybersecurity requirements or remediation to the end of a project, purchase, supplier relationship, or software application and start at the beginning.