The Secret Threats from Spyware

Add spyware to the list of rogue programs threatening credit union systems' stability.

Also known as snoopware, spyware is software that can install itself on a PC and covertly gather user information and activity. Keystrokes, account numbers, passwords, Internet history and screenshots may all be recorded by the spy.

As if viruses and worms weren't trouble aplenty, spyware now accounts for more than half of all customers' application crashes, according to Microsoft.

CU employees often innocently invite spyware onto their computers when they download shareware, explained Chris Christianson, network security manager at $1.4-billion Travis CU in Vacaville, Calif. "Nobody ever sees the harm in installing a screensaver or a weather program."

Although credit unions interviewed for this story don't track, or won't reveal, the resources they spend battling spyware, they seem to be invested in combating the problem.

Spyware "is an area of growing concern and will be a focus for us in 2005," said Jerry Johnson, vice president of IT at $372-million March Community CU in Moreno Valley, Calif. "I won't rest easy," he added.

One CU's Strategy

Whereas Johnson plans to dodge most threats by migrating to lower-risk Citrix Systems and thin client architecture this year, the best defense against Windows-targeted spyware, as with most network security efforts, lies in a layered approach, according to a number of CUs.

"Since there is no silver bullet, we are using a number of different products and have really taken a 'defense in-depth' strategy," said Travis CU's Christianson.

Anti-spyware programs are one obvious strategy. But CUs can't be picky in the fledgling anti-spyware market. The most popular anti-spyware is also the only widely available software.

However, corporate firewall and anti-virus vendors such as McAfee and Norton are joining the battle, adding anti-spyware options to popular programs.

Charlie Lai, chief information officer at $1-billion Fairwinds CU in Orlando, Fla., said he uses three anti-spyware programs (Webroot SpySweeper Enterprise Edition, Spybot Search & Destroy and Spyware Blaster), all of which work like anti-virus software, screening and deleting computer files that match threats. Navy FCU is also deploying multiple products, according to Loren Carson, corporate spokesperson for the Merrifield, Va.-based credit union.

"There is no one single spyware package that works for all situations, so we use the product that matches the issue," she said.

Best practices for network security should also factor into defending against spyware, added Bradley Wood, network administrator at $286-million iQ CU in Vancouver, Wash.

'Best Way To Prevent Unwanted Programs'

"We have set security settings in Internet Explorer to high," said Wood. "This is one of the best ways to prevent unwanted programs from getting on workstations."

"We also use a product on our firewall that prevents users from going to many Internet sites," he continued. "Although this does not eliminate the need for a spyware strategy, it does eliminate many of the websites people can go to in order to get infected."

Tootie Holmes, manager at IEC FCU in Springfield, Ill., added that her $12-million CU has loaded Microsoft Service Pack 2 on all PCs.

In addition, Holmes said a tight line of defense is held by the CU's three-person staff.

"Being small, we are able to have control," said Holmes. "We only have one email address, and all employees know not to open anything up unless they know where or from whom it is coming. They also know they are not to go to sites that are inappropriate and may use the Internet for business only."

Though Navy Federal is the nation's largest CU, management here will sometimes sit down with an employee one-on-one when spyware is detected on a PC, Carson said.

"We review the employee's browsing and e-mail habits to determine how the spyware got there," she said. "We also take this as an opportunity to educate the employees about the threats spyware presents."

Travis CU's Christianson agreed: "Educating employees about the company's information systems security policy and then holding them accountable goes a long way."

Occasionally, spyware causes enough trouble that a CU throws in the towel on a PC hard drive.

Plans For No More Reformatting

The larger CUs interviewed said they have each reformatted about a half dozen PCs per year, out of hundreds of workstations, because of damage from spyware or adware.

Fairwinds CU has had its hands a little fuller, reformatting from three to six PCs per week out of the approximately 600-plus PC devices at the CU, Lai said.

IEC FCU hasn't had to reformat any machines, Holmes said.

Christianson sees a future where hard drives may stand up better to spyware. "With the improvements in anti-spyware technology, this year we don't expect to have to reformat any hard drives."

CUJ Resources

For additional information on this story:

SpywareGuide: www.spywareguide.com

Fairwinds CU: www.fairwinds.org
