Credit unions pride themselves on building stronger, more personal relationships with customers than other financial institutions do. But relationships are built on trust, and a data breach is perhaps the fastest way to obliterate that trust.

Credit unions are no stranger to the severity of data breaches. They're already struggling to cover the costs of securing customers' financial information following a string of major merchant data breaches. A NAFCU survey found that credit unions spent an average of $226,000 and an estimated 1,600 hours in 2014 on debit and credit card fraud issues resulting from merchant data breaches.

NAFCU and other associations are working to change the laws to reduce the burden that merchant data breaches put on credit unions. Yet credit unions also have their own responsibility to keep up with the ever-changing threat landscape to protect the data privacy of both their customers and their own internal organizations.

That means identifying and filling gaps that exist in their security programs. For too many organizations – credit unions and otherwise – one of those gaps is visual privacy. Case in point: A recent study conducted by Ponemon Institute, sponsored by 3M Company and the Visual Privacy Advisory Council, found that a white-hat hacker was able to “visually hack” sensitive information 88% of the time in corporate office environments.

So what is visual hacking? It's the viewing or capturing of private, confidential or sensitive information for unauthorized use. Within a credit union, this could involve someone taking a picture of a customer's account information displayed on a screen or network login information taped to a monitor. It could also involve someone visually recording sensitive documents left in open view on a desk or on a printer tray.

These examples may have sounded absurd 10 years ago, but today's technology advances make them entirely feasible. Nearly everyone now has a smartphone with a camera. Meanwhile, discreet wearable technology is growing in popularity, and anyone can purchase camera-mountable drones online.

The question is no longer, “Is visual hacking a real threat?” but rather, “How do we prevent it?”

First, a change in mindset is needed. We often think of information security from two perspectives: Physical and digital. But it's time we add a third tenet: Administrative. Focusing on administrative security will help you address the important behavioral, workspace and technological factors that are relevant to information security but sometimes excluded from security programs.

Begin by identifying administrative security risks. Look for opportunities where sensitive information could be viewed, such as at employee workstations and teller desks, and through office windows. Devices that mobile employees or executives can use to access network or customer information outside of your credit union's walls must also be included.

From there, deploy safeguards that include a combination of policies and technologies.

A clean desk policy should be in place to keep documents containing sensitive information out of view when they're not being used. Computers should also be password-protected and turned off when employees step away from their desks, and monitors should always be turned away from the public.

Keep in mind that human behavior is difficult to change, so these policies will require enforcement. Your head of privacy, or a designated privacy champion in each branch, should conduct random desk checks to ensure employees are following the new policies. You can work with your HR department to choose the enforcement approach most appropriate for your organization and its culture.

Technology safeguards should include privacy filters that are easily fitted to each computer and mobile device to blacken the screen when looking at it from an angle. Use printers that require employees to enter a code at the printer to complete their print jobs – which will help reduce sensitive documents sitting on a printer tray for extended periods of time – and place shredders next to printers to help ensure employees use them.

Lastly, most credit unions don't employ a chief information security officer like big banks do. Don't let that stop you. Ensure your head of security or security policy addresses the responsibility for integrating these critical safeguards into your data privacy policy.

Patricia Titus is CISO, security advisor and member of the Visual Privacy Advisory Council. She can be reached at 612-455-1735 or [email protected].


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.