Two security experts told credit unions that while the Internet seemingly presents a new security challenge every day, and that while credit unions are responding with expensive software solutions and firewalls, good security often starts with something as mundane (and often overlooked) as a lock on a door.
Jeff Gallery, senior vice president, administration, for Dubuque, Iowa-based DuTrac Community Credit Union, and Brad Miller, CEO of security consultancy Perimeter Internetworking, told the National Association of Community Credit Unions' annual conference that there is no one method or strategy for fighting cyberattacks.
"I often am asked, what is the 'best' thing to do for security," said Gallery. "The answer is, there is no 'best' move in chess, 'best' pitch in baseball or 'best' play in football. There is no one thing. People need to analyze their particular situation, find 'high-impact' steps and take action."
Miller agreed. "There is no one way. CUs are put in the position of deciding what is 'adequate' security," he said. "They have a dilemma: they must weigh cost versus risk."
Gallery said Dubuque, while it is a small, safe community, is not immune. DuTrac's firewall receives its share of attacks. The CU's eight branches are serviced by an IT staff of five, which he described as a "pretty lean operation."
The layman's view of security is: better safe than sorry, Gallery noted. The members' view is: it better be safe, or you'll be sorry.
Security begins with the physical security of buildings, he explained. This includes controlling internal building access, placing locks on the computer room door, and having locking PCs or terminals.
Other issues to beware of: disposal of old hard drives, floppies and CDs, physical access to printed materials, and the after-hours cleaning company.
"When credit unions look at security, they have to look at all angles. They can have the best equipment in the world, but what if a teller walks away from a computer with a member's information on the screen for any passerby to see? What is the cleaning staff doing at night?"
Members must also be educated about the scams that take advantage of the instant response of the Internet, including "phishing" schemes-e-mails sent to the public asking for account numbers and passwords. These e-mails purport to be from financial institutions, but really are generated by thieves. Other low-tech attacks that formerly arrived by postal mail now make the rounds via e-mail, such as the Nigerian bank scam and phony auto purchases.
The increase in potential impact comes when you multiply users times institutions times assets at risk times the number of areas that must be watched, said Gallery. "The cumulative effect is a huge challenge, and we don't know what we don't know," he said.
With all of these hackers and scammers about, CUs have the regulatory requirement to ensure the security and confidentiality of member records and information. Gallery pointed out IT staffs have a huge responsibility, as they are expected to protect computer networks, the phone system, the HR system, the credit card system and more.
The key question to answer, he said, is can the credit union handle security of all these areas internally? If not, the CU must decide to train its staff or outsource security to a provider. "Good security covers multiple areas of exposure with multi-level, multi-layered solutions," he said.
CUs Ideal Targets
Miller, whose company is based in Trumbull, Conn., said the number of "bad guys" is increasing as the number of homes with broadband Internet access rises.
More importantly, he said, the number of days to "exploitation" is decreasing. When a vulnerability is published in the hacker community, hackers are ready within days or sometimes hours with "malware"-software designed to damage or disrupt a system.
"The security challenge to credit unions is real, because they are ideal targets," said Miller. "No matter how small the credit union is, there's still a lot of money, and people go where the money is. A hacker would rather go after a small institution than Citibank, an institution with the highest security spending per desktop. A credit union is unlikely to have a complex security system."
So what can CUs do? Miller compared the situation to the punch line of the old joke: I don't have to outrun the bear; I just have to outrun you.
"Don't be the slowest, don't try to lead, just stay ahead of the pack," he counseled. "Make sure you have adequate security by having a multi-layered system, starting with physical security. Mitigate desktop and server vulnerabilities. Have multi-layer virus defenses that cover the desktops, servers, the gateway networks and Internet browsing, as well as multi-layer intrusion protection."
