SAN ANTONIO-Smaller credit unions are being urged to take special steps to guard against insider threats.
John Petrie, VP and chief information security officer at Harland Clarke Holdings Corp., sees the insider threats coming from either an employee of the CU or a business partner who may intentionally steal sensitive data-perhaps due to the economy-or simply make a mistake and expose the data to crooks. "The smaller credit unions don't have enough people or time to get things done."
What many small CUs do not have and need, said Petrie, is a baseline set of security standards. "The first step is to get controls in place based on a standard that reduces risk significantly. The second thing is to put in place policies for some type of quid pro quo-if someone does something, even inadvertently, the person is taken to task."
The final step is to install technology to prevent sensitive information from going outside the credit union in an unsecure manner. One of the simplest ways a small CU can accomplish that, said Petrie, is to take advantage of all the functionality inside software programs the credit union purchases.
"How many times does a small credit union professional go to a conference and get pulled aside by one of the boutique vendors who says they need to buy 15 different things to ensure the CU's data security? Instead, maybe the credit union can buy one product that does five things well and all they have to do is turn on all the features."
For example, when it comes to anti-virus solutions or desktop operating systems: "Some small credit unions are still operating in Windows NT and XP environments," observed Petrie. "If they do a simple upgrade, capitalize it over three years, and take advantage of all the new security features that Microsoft puts into their platform at the desktop level they could reduce their fraud risk by as much as 20%."
