Smaller CUs Now Big Targets For Data Thieves, Scammers

The Target Corp. breach has data security fresh on the minds of many, and one expert says small CUs need to realize they no longer can dodge attention from scammers and thieves due to their size.


Eric Bruen, president and CEO of $23.5 million Desert Valleys FCU, Ridgecrest, Calif., said that small credit unions often lack the high level of sophistication needed to detect and prevent intrusion.

"Many small credit unions rely on their core processor to provide security against intrusion but do not fully realize the necessity to monitor Internet traffic within the credit union as well for screen capturing or other monitoring type viruses," he said.

According to Bruen, another flaw small credit unions have is their dependency on firewall settings to serve as a fully effective means to stop intrusion. "I have not seen a credit union with less than $30 million in assets that is effectively monitoring reports or with sufficient escalation procedures to detect and notify members of an intrusion," he assessed.

The key, Bruen argued, is that small credit unions have held onto an illusion that their volume of transactions and cards are "simply not worth the effort" of potential intruders.

Desert Valleys FCU has a sniffer system set up to monitor Internet traffic. Bruen said it has a monthly summary created that shows traffic and whether or not it penetrates the CU's firewall.

"We still feel there is more work that can be done to ensure greater security but the cost of an in-house solution is simply beyond our abilities," he said. "The hard part is that most third-party solutions also are beyond the cost tolerances for many small credit unions."

Suzanne Leedale, president and CEO of $34 million SLO CU in San Luis Obispo, Calif., said her small credit union is one of those that relies on a vendor for data security.

"When I first got here [January 2008] we had all of our data in-house and really did not have security in place," Leedale recalled. "We moved to a hosted environment, meaning our core processor stores our sensitive data and we access it via virtual private network. Consequently, our core processor maintains security over the sensitive data."

Leedale said SLO CU does penetration testing on its internal network, "but we do not do the additional expense of intrusion detection software because the data is not stored here."

What One Expert Is Seeing
Those observations are very much in keeping with what IDentity Theft 911 is seeing, according to Deena Coffman, information security officer for the provider of data risk and identity management services.

"Malware is now being targeted at smaller credit unions, as well as community banks and really any small businesses," she said. "Malware is becoming available even to the novice hacker."

Some malware programs, Coffman explained, can scan the Internet to find the low-hanging fruit — such as routers that still have default account names and passwords. She said any password that is in the dictionary can be hacked "very easily" with what are known as "brute force" password programs.

Some business websites are not secure because there are no transactions being taken on the site, but Coffman warned in such instances the site can be used as a stepping stone to launch an attack on another site — and there is "cyber liability" if a website is used to infect another.

"Smaller institutions such as credit unions often do not run sophisticated intrusion detection software or data loss prevention tools due to the expense involved," she said. "But if data is exiting the network, including Social Security numbers or unencrypted account numbers, or cases of large volumes of data going out, especially to an unknown IP address, it needs to be checked out."

Small businesses of all types increasingly are becoming targets because they are a "side door" into other companies, Coffman continued. She said this could apply to the vendors that work with credit unions, or small businesses that service a larger company and have business accounts with the credit union.

