Around 50 credit union IT executives filled the meeting room at the Platinum Hotel in Las Vegas and, over three days last week, they heard from speaker after speaker with new warnings, fresh approaches to helping employees dodge phishing attacks, and above all, better ways to protect the data that are the lifeblood of any financial institution.

Face it: the era of the crook with a mask and a gun robbing a financial institution is fast disappearing. Value today is in data and it's the data that are under relentless assault by ever smarter crooks.

Credit unions in attendance at the conference were large – the $1.2 billion MECU of Baltimore – and others were small – the $108 million GeoVista CU in Hinesville, Ga. – and still others were mid-sized such as the $448 million Air Academy FCU from Colorado Springs, Colo.

They came because, as one executive explained, “we want to hear what's new, what we should be recommending to our CEO and the board.”

Bottom line: information security is a dynamically changing landscape and that, fundamentally, is what brought the IT executives to the conference.

Speakers rewarded them with valuable insights. Here's a look at five.

* You can't count on the regulator for an information security prescription. That was the chilling warning from Jim Brahm, CEO of Security Compliance Associates, who said that information security regulations and advice from federal regulators typically have been “vague” and inconclusive. “They usually are non-specific,” said Brahm.

He added: “There is a lot of inconsistency in information security regulation and how it is enforced.”

“We see big differences in what examiners say from state to state.”

He added that “we see very little focus on information security in most credit unions, especially those with under $1 billion in assets.”

“As a credit union gets larger – over $1 billion – there is usually more focus by the regulator.”

Brahm's takeaway message: credit unions cannot rely on regulators to offer a blueprint for what needs to be done to secure information. They need to arrive at that by dint of their own hard work and study of best practices.

* Get alerts to suspicious activity in real time, urged Kevin Nikkhoo, CEO of CloudAccess, a security-as-a-service startup.

Getting them later could be catastrophic.

Even when the activity occurs at 3 a.m. on a Saturday.

And respond in real time – then adjust controls and access as needed.

This is because the belief is spreading among security experts that it may no longer be possible to fully protect data with a firewall and password authentication – that is, breaches may and perhaps will occur.

And a big step towards minimizing harmful consequences, urged Nikkhoo, is round-the-clock monitoring, frequently done in association with a third-party vendor. Nikkhoo added: “Continuously monitor, alert and report on system and authentication events.”

Nikkhoo also advised: “Restrict access to data by business need to know.”

That's because in too many credit unions too many people can broadly and freely roam through member data – often without even leaving an auditable trail.

Key questions that need answers, said Nikkhoo, are who is logging in, what are they accessing, and how does this affect security?

* You can't count on the credit union CEO. Twice, in just the past year, Bruce Smalley, a vice president at ACI Defense, said that his company found credit unions that had suffered malware infections because their CEO was exempt from safe browsing restrictions that just about every other employee had to abide by when using workplace computers.

Smalley is a big advocate of “restrictive browsing policies” but, he stressed, the policies to be most effective need to be applied to every employee. Including the boss.

* Protect data, not devices. That was a central message from David Applebaum, a senior executive with Moka5, a Silicon Valley data security firm.

The Moka5 message: it just is not possible to reliably protect every device on the network (not in an era of BYOD), so Moka5's approach is to put sensitive data and applications in a protected virtual container that is easily downloaded to any device, via a centralized management system.

The container itself – essentially a segregated, walled workspace – is designed to be impermeable to threats that might be aimed at the device.

Is this containerization approach the only way to keep data safe in a world of multiplying threats? Hardly. But know that Moka5 and others now are racing to innovate ways to keep data safe regardless of the devices and of the nature and volume of threats.

* Make the member part of the solution. Too often, said Jay McLaughlin, an executive with Q2ebanking, members are viewed as part of the problem – but the smarter approach is to enlist them into helpmates in solving the problem.

How? Encourage them to sign up for account activity alerts – and recognize that the majority of cases of theft are first detected by the account holders.

Persuade them to enroll in two-factor authentication, too, suggested McLaughlin.

Make members more informed – and keep them informed – and, said McLaughlin, those are big steps to a safer, more secure banking environment.
