A good friend and I were recently reminiscing about how we first met and the experiences we had shared together both personally and professionally over a number of years.

Our friendship is a bit interesting as he is a retired white-collar crime supervisor from the FBI who also has a strong IT forensics and technology background. He also worked “crypto” (cryptography) during his time in the military and put that skill to use during his time with the bureau.

He also is a published author of a leading book on critical incident management, how to protect data, and what to do in worst-case scenarios. (If you want the name of the book, contact me at [email protected] and I'll forward it to you.)

I first met my friend at a local ISSA chapter meeting when I was working for a very well-known network security firm. I was tasked with putting together a public partnership with the FBI to promote better awareness and cooperation on matters of technology and security. (Look into your local InfraGard chapter if interested.)

After working together, we became good friends, hosting local seminars and developing other projects to enhance the knowledge and best practices that would help keep organizations safe and within compliance according to the law.

One reality he kept stressing to me was the biggest threat to an organization's security: the human factors found within your organization. Time and time again he would drill that fact into the attendees at the seminars and back it up with the crime statistics the bureau kept on such things.

With that in mind, my systems engineer and I were conducting a security presentation to a very large and well-known financial institution in our area. Our task that day was to show how our holistic security appliances, software and processes could help secure their network.

During our presentation, we worked with their internal IT staff and started running our first layer of security – which was an intrusion detection appliance. As I went about my presentation, my systems engineer caught my eye and gave me a nod to meet him out in the hallway.

I excused myself and we went out to discuss his concerns.

Apparently, our device had immediately picked up a background process running, which at that time was a brute-force password cracker program called “Jack the Ripper.” The alarms on it were off the charts, and he wondered how we should handle that situation.

I went back into the meeting and asked to speak to the CIO in private, where I shared our results.

I told him to leave the intrusion detection appliance running. They were welcome to it as long as they needed it to complete their internal investigation. I also handed him the contact information of my FBI friend and advised him to call.

The FBI came in and completed their investigation, which discovered that one of the company's IT staff was running the program to gain password access to the accounts. The culprit was charged and later convicted and sentenced – and we made a very good sale out of the situation.

Lessons learned: No matter how much security you have or how diligent you are, the human factor is something that has to be addressed and protected against much more than the perceived outside threats.

The recent breach of account numbers at several large retailers underscores this issue even more. I think you will see that when the investigations are finally completed and the post-mortem results are published, there will have been a strong human element inside these organizations or their tech partners that was the weak link. I could be wrong on this assumption, but wouldn't bet against it.

So how does this relate to our current environment in the credit union industry? For starters, understand that whatever methodology and ideology your organization subscribes to, people are ultimately your greatest strength – but also your weakest link.

When it comes down to securing data and member information, it becomes a matter of degrees of trust. Who do you trust with what levels of access and responsibility? For example, I would be willing to bet very few organizations have policies against having cell phones at work.

I'm not going to be popular with this statement, but they don't belong there – period. They can easily be used to take pictures of account information on screens, used as mass storage devices, and at the very least can be used to inject harmful programs into an otherwise secure environment.

Solution? Lock them up at work – the cell phones, that is.

Another area of risk is access to the unsecured documents in your imaging systems. Are your paper and electronic files secure? I have seen too many supposed imaging systems that lack even the basic constraints regarding security. At the very least, make sure there is a complete audit trail of document access and the ability to set multiple layers of security on the printing, access, and export of documents.

Failure to do so can result in the loss of key data just as easily as a hacker can gain access to electronic files. Couple that with a smartphone and you have a recipe for big-time breaches.
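
The two controls recommended above, separate rights for viewing, printing and exporting plus a complete audit trail, sketched as an added Python example that is not part of the original article; the roles, user names, document ids and the review threshold are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role model: view, print and export are separate rights, so a
# user can be allowed to look at a member file but not to print or export it.
ROLE_RIGHTS = {
    "teller": {"view"},
    "loan_officer": {"view", "print"},
    "records_admin": {"view", "print", "export"},
}


@dataclass
class ImagingStore:
    """Toy document store that records every access decision, allowed or denied."""
    audit: list = field(default_factory=list)  # append-only audit trail

    def access(self, user: str, role: str, action: str, doc_id: str) -> bool:
        allowed = action in ROLE_RIGHTS.get(role, set())
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "doc": doc_id, "allowed": allowed,
        })
        return allowed


def flag_for_review(audit: list, limit: int) -> dict:
    """Users with more than `limit` allowed accesses, or with any denied attempt."""
    allowed_counts = Counter(e["user"] for e in audit if e["allowed"])
    denied_users = {e["user"] for e in audit if not e["allowed"]}
    flagged = {u: "bulk" for u, n in allowed_counts.items() if n > limit}
    for u in denied_users:
        flagged.setdefault(u, "denied")
    return flagged


def demo() -> dict:
    store = ImagingStore()
    # Constructed activity: a teller views one file and then tries to export
    # it; a records admin exports ten member files in one session.
    store.access("tjones", "teller", "view", "member-1001")
    store.access("tjones", "teller", "export", "member-1001")
    for n in range(1002, 1012):
        store.access("radmin", "records_admin", "export", f"member-{n}")
    return flag_for_review(store.audit, limit=5)


if __name__ == "__main__":
    print(demo())
```

The review check reads only the audit trail, which is the point: without the trail there is nothing to review when an insider walks out with member files.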

For more information on this issue, research regulation DoD 5015.2, which deals with records management. Make sure your imaging providers can meet this level of compliance.

Although this article is as much about reliving the glory days with my friend, the lessons learned over a lifetime of experience, and the prosecution of bad guys, it should leave no doubt that the better approach to securing your members' data is this: creating an environment for your employees that makes it difficult for them to access both physical and electronic files unsupervised can have long-term benefits for all involved.

What I do hope is that you begin to approach how to better handle your own security procedures by stirring some thought about what you are currently doing and how you can do it better, especially with the human component.

I will say it is good to look back at times to move forward because, as the saying goes, “Those who do not remember their past mistakes are bound to repeat them in the future.”

What proactive mechanisms or security processes are in place at your organization to mitigate any possible breaches?

Scott Cowan is vice president of sales and marketing at Millennial Vision Inc. in Salt Lake City.
