LAS VEGAS — About 50 credit union IT executives filled the roomat the annual Credit Union Infosecurity Conference and, on day one,they heard presentations about new threats in a new era as speakersoffered insights into social media and document management.

A key message: “Social media impact your credit union whetheryou have them or not,” said Mike Kiefer, general manager atreputation management firm BrandProtect.

His point in Wednesday's session at the Platinum Hotel and Spawas that whether or not a credit union uses Facebook or Twitter orGoogle+, its members and maybe also its employees already aretalking about the institution online and a savvy credit union takessteps to listen in on the conversation.

Also from Credit Union InfosecurityConference:

• People Threats, Cloud, IT Consumerization

“It's not about you. It's about them,” said Kiefer. He addedthat many experts now classify social media as “a top five businessrisk.”

Kiefer stressed that a credit union needs to have an employeesocial media policy – what can and what shouldn't they sayonline?

Ditto for a vendor social media policy. What can they say aboutthe institution?

Particularly worrisome, said Kiefer, are what he called “rogue”executive and corporate sites which are social media pages thatpurport to belong to, say, a credit union CEO or the credit unionitself but are erected by imposters.

He flashed a slide of a rogue site that plagued Bank of Americafor several days until Google took it down and, suggested Kiefer,if that can happen to the biggest, it certainly can happen tosmaller institutions.

The antidote is straightforward: “Register your social domains.Claim the corporate pages and also the executive pages,” heurged.

He also stressed that credit unions need to “continually revisetheir social media policy for employees, agents and contractors”and in that effort, they also need to raise security awareness.

Still more worries were aired by Steve Comer, an executive withdocument management company Hyland Software who warned “this is anarea often overlooked in security.”

The problem of course is that documents contain sensitive memberinformation and if it is released by an employee – typically in acareless mistake, but occasionally as a result of malicious intent– there are substantial hits on reputation that can lead to lostrevenues.

Comer offered pungent advice: “If it isn't needed, don't storeit.” Many institutions, he stressed, create troubles for themselvesby hanging onto information long after it ceased to have a businessvalue.

That is why he stressed that, “first and foremost, every creditunion needs a document retention policy.”

Another key to good document management: “Restrict access tomember data on a need to know basis.” A teller, for instance,rarely would have a valid need to know a member's full SocialSecurity number and Comer's point is that sound policy is “to givepeople the least privileges necessary.”

He also stressed that every user needs a unique ID to accessmember data, a practice not always followed, he said, with manyinstitutions using a generic access ID – such as “CU-USER1” – whichmakes it nearly impossible to determine who accessed what, if andwhen problems arise.

Among the credit unions attending this three-day event – whichbills itself as the only conference specifically focused on creditunion security – are Stanford Federal Credit Union in Palo Alto,Calif., Hughes Federal Credit Union in Tucson, Ariz., Kansas StateUniversity Federal Credit Union in Manhattan, Kan., and SouthlandCredit Union in Los Alamitos, Calif.