How CU Security Experts View Their Operations, Market
Credit unions are engaged with cyber-villains in a battle that will never be won-hackers spar with increasingly dastardly deeds, while Information Technology executives continue to batten down the hatches.
"In the next few years, it's likely that we'll all have to increase our security measures even more," said Sam Tuohey, vice president of Information Systems at $584-million Stanford FCU (SFCU) in Palo Alto, Calif.
"Today, members aren't just using online banking to view data and transfer money from one account to another. They can pay bills, order checks, change personal information, and send money to accounts at other financial institutions," he continued.
The Credit Union Journal recently asked a number of CU technology experts to identify how information security tools and approaches will need to evolve as cyberattackers turn their attention towards credit union coffers.
According to Jerry Johnson, vice president of IT at $350-million March Community CU in Moreno Valley, Calif., credit unions will have to separate the wheat from the chaff as they consider various information security vendors.
"Cybercrime and IT security is an area where many companies are attempting to position themselves as 'experts' in order to sell products and services-many with questionable value-to credit unions," explained Johnson.
For example, March Community once got gold stars on its security practices from a third- party internet security assessment provider, he said.
But Johnson's own investigation days later unearthed a sobering surprise: He found that March Community's firewall lacked a DMZ and related proxy services.
In the world of cybercrime, sobering surprises may be the norm. "The only way to be 100% secure from attack is to shut the systems off," said SFCU's Tuohey.
"But there are ways to come close to that 100 percent measure," he added.
Rob Guilford, senior vice president of information technology at Wescom CU in Pasadena, Calif., said $2.7-billion Wescom CU is decidedly positive about vendor expertise.
"We are confident that the industry-leading hardware and software vendors are staying at the forefront in security and intrusion detection to minimize risk of cyberattack," he said.
Guilford is particularly pleased to see that Wescom's diverse business partners are beginning to make products that work in complement.
"Vendors such as Cisco Systems, Network Associates and Symantec are integrating their products so that organizations have protection on Windows-based systems and network devices such as routers," he said.
"For example, until recently, Wescom's Intrusion Detection System did not have the capability to monitor Secure Socket Layer Internet traffic because of encrypted data," said Guilford. "However now we are able to offload Secure Socket Layer to our load balancing system and the Intrusion Detection System can monitor web traffic more effectively."
Additional layers of password security could also contribute to data protection, said Tuohey.
Tuohey put forth the reliable yet costly approach to protecting member data by distributing tokens that issue second, random passwords to members as they log in to their accounts. Members would have 30 seconds to verify their log-ins with the second password.
Currently, SFCU requires telecommuters to log in to the network via the password token.
Harbor One CU in Brockton, Mass. will add to the yellow tape around its network to make sure employees and the public alike have access only to what they need, said Dick Bastiansen, SVP-operations and manager of Information Systems at the $1.1-billion CU.
"We are working to further tighten access to our network by restricting attachment sizes and FTP capabilities, he said. "We also wish to expand our activity monitoring at both the network and application level to see who does what, and when."
At $1.4-billion Mountain America CU in West Jordan, Utah, advanced patch management is demanding attention in the near term, according to CIO Annette Zimmerman.
"We are anxiously awaiting a new product that will enable us to check every device plugging into our network to ensure the latest patches have been loaded," she said, referring to software expected this year from a Cisco Systems partnership with Symantec.
"The product will be a great tool to aid in controlling all of the laptop computers that we have," she explained.