COLUMBIA, S.C. – Computer crimes – including viruses, worms and denial-of-service attacks along with actual theft of information and assets – continue to soar, and while a price tag is hard to place on the damage, there is an intangible cost that credit unions particularly should fear, experts say. "Members vote with their dollars, and they're going to take them elsewhere if they think you can't protect yourself and them," says Rick Fleming, vice president of security operations at Digital Defense Inc. (www.digitaldefense.net) in San Antonio, Texas. Even the simplest of Internet crimes, one that would seem to cost very little to fix, can actually drain a lot of at least one priceless asset – trust. "If someone with an agenda of some kind defaces a Web site with pornographic or political messages, that can make a member think, `If my credit union can't even stop that, how can they protect my money," says Fleming, whose clients include about 100 credit unions. The problem escalates when viruses or worms start snarling operations, denying service to members trying to access accounts through home banking or automated telephone operations, and tying up staff time fixing the problems, Fleming observes. And then there's the threat of actual intrusion into the accounts – stealing personal information and even funds. Fleming says his firm has seen increasing interest in Internet security since the Sept. 11 terrorist attacks, but reports show the problem was growing rapidly before that fateful day. A recent nationwide survey by the Computer Security Institute and the FBI showed computer-intrusion crimes – including viruses, worms, denial-of-service attacks, fraud and theft – increasing in all categories throughout 2001. The actual losses reported by just 186 of the more than 500 organizations responding totaled more than $370 million. "Estimating domestic or global losses caused by virus, worm or denial-of-service attacks are difficult to calculate," says Brian Burke, senior research analyst in the Internet Security Program at IDC (www.idc.com) in Farmingham, Mass. "As of yet, there is no truly accurate way to predict these losses," he adds. "There are several factors that have to be considered. Loss of revenue, property theft, property damage, content liability, reputation damage and service interruption are just a few. I've even seen some estimates include salaries of security people who are hired." Ultimately, the best defense here is a good defense. "We take a pro-active approach to vigilance," says Harold Randolph, director of the CUNA Network Services Operations Center in Tempe, Ariz., a provider of hosting services to 260 credit unions. "Watch the early warning networks, maintain current virus-scanning practices and maintain all security patches on operating systems," he advises. Fleming at Digital Defense agrees with the need to be aware and to move fast. "The software and operating-system vendors are getting much better at getting out the patches that fix vulnerabilities, but on the administration side, there's not yet the sense of urgency," he says. He recounts a recent incident in which a credit union's lawyers were "going through their new contract with us, taking it apart and putting it back together, while the Code Red virus was running right through their system, big time. We weren't on contract yet, so we couldn't really intervene, but we helped them with information as best we could." Indeed, sharing information is emerging as the most powerful tool against this war on America's data security. For instance the SANS Institute and National Infrastructure Protection Center has just issued their newest list of the top 20 critical Internet security vulnerabilities. They can be accessed through the SANS (System Administration Networking and Security) Institute Web site at www.sans.org. "Everyone must understand that many of the vulnerabilities in the SANS Top 20 list not only produce Internet-wide dangers like Code Red or NIMBA, but they also open the victim computers to intrusion by anyone, anywhere in the world," says Bob Gerber, chief of analysis and warning at the NIPC. "An informed public has always wielded considerable power in the marketplace to reward vendors for quality products and to punish others. I am sure that will be the case with computer security as well," he adds. Gerber also noted the importance of computer security to the individual in a way that may also resonate to the credit union movement. "I conducted a small focus group the other day with someone whose opinion I hold in highest regard – I asked my wife what computer security meant to her," Gerber says. "She said, `Anyone who can manipulate the personal information on my computer can manipulate my life.' " – [email protected]