“The bad guys don't know we exist.”

“We are not on the cyber criminals' radar screen.”

Every week credit union executives say exactly this to me, butnow the Comptroller of the Currency, Thomas Curry, has a wakeupcall for you, too.

In a Sept. 18 speech to the Exchequer Club of Washington, D.C., Curry spelledout what your biggest problem is: “As our largest institutionsimprove their defenses, it is very likely that hackers will turntheir attention to community banks. These smaller institutions canprovide a point of access into the system, and they may haveless-sophisticated defenses than large banks.”

For “community bank,” substitute “credit union.”

Bottom line: the least-defended institutions – which includesmost credit unions with assets below a few hundred million dollars– now loom as tasty targets for hackers.

But, just maybe, there is a simple, comparatively low-cost lineof defense that would be especially suited to credit unions – atleast that's a thought put forward by Tim Clouse, vice president ofinformation technology at Advantis, a $1 billion credit union in Milwaukie, Ore.

First, however, understand that Curry's contention is that cyberthreats are multiplying daily. He noted in his talk that financialinstitutions, really in just a very years since online bankingdebuted, have become technology companies that depend on Internetand cellular channels for distribution of vast amounts ofinformation and also money. That also puts them in the sights ofcyber criminals.

Curry, in the way of Washington mandarins, speaks a hedgedlanguage where meanings may be shrouded. Trend Micro Vice PresidentJ. D. Sherry offered this blunt interpretation: “The key message isthat many credit unions have antiquated approaches to sophisticatedcyber-attacks. Curry is telling credit unions that are on tightbudgets to take a new look at this. The lack of investment indefenses – it's like going into a gunfight with a knife.”

Tom DeSot, chief information officer at Digital Defense, offeredkindred thoughts. “There's an expectation on the part of the memberthat their credit union – whether it's $1 billion or $1 million –will offer the same services. They are implementing home banking,mobile apps, all kinds of things.

“The problem is that they don't have the ability to secure them.The small credit union is at great risk. It is positive that theregulators are recognizing the risks. They are telling the creditunions to build security into their budgets. This will become anissue in the exams.”

Here is how bad matters get. In its research, WhiteHat Securityfound that 81% of the banking websites it analyzed had at least oneserious vulnerability, said Gabriel Gumbs, the Santa Clara, Calif.,company's director of solutions architecture.

Many have multiple flaws, Gumbs said.

Exactly what do credit unions need to do to ramp up theirdefenses? That's where Advantis' Tim Clouse's idea kicks in. In aninterview, he said that in his mind the single best defense wouldbe more – and faster – information sharing about attacks. Heelaborated: “Criminals share information. They share hacks, theyshare processes. As a group, credit unions now are openly sharinginformation learned.”

Advantis, he added, shares information through a system operatedby vendor Guardian Analytics.

Added Clouse: “By their nature, credit unions are collaborative.We need more of that, we need more group protection. In the pastyou didn't want to embarrass yourself or suffer reputation risk (byrevealing breaches.). Now, we really need to share experiences, formutual defense.”

Hear how hackers looted institution A, hear how otherinstitutions now can alert themselves to the early signs of similarattacks and, maybe, ward off intruders before suffering losses,suggested Clouse.

Of course, credit unions also have to continually step up theircyber defenses and, suggested Clouse, “I believe there will be arole for CUSOs in this.” That is, a CUSO may be an ideal structurefor delivering cost-effective defensive tools, he said.

Clouse sighed that “the ability of smaller credit unions to payfor adequate defenses is a concern,” especially – he added – wheneven modestly skilled criminals can go to hacker forums, spend afew hundred dollars to buy exploit kits, and, suddenly, thatcriminal can mount a polished attack against an institution thatmay have scant defenses.

It's not a fair fight? No, it isn't – but exactly that isCurry's message. There will be more instances where crooks go aftercredit unions that had thought they were too small to botherwith.

Which is why hard work on security now has to be on the to-dolist of every credit union, regardless of size. And there will bework, plenty of it. “There is no silver bullet” said Clouse.