ARLINGTON, Texas – A credit union that has a maximum-security vault to protect its cash and other valuables has absolutely no need for an alarm system or a security guard. True or false? Most people would answer “false” without hesitation, knowing that one security measure without the others leaves the credit union at greater risk of being burglarized.

However, many of these same people may believe their credit union computers and information systems are secure because they have installed firewalls, encryption devices and/or intrusion detection systems (IDSs). This is a dangerous presumption, Bruce Schneier, CTO and founder of Counterpane Internet Security, Inc., told TechMecca 2001 participants. Technology is not the answer to Internet security. Security must be a process that combines protection, detection and response to mitigate risk.

“Software is just too easy to fool. Software doesn’t think, doesn’t question, doesn’t adapt. Without people, computer security software is just a static defense. Marry software with human beings who are experts in detecting security breaches, and you have a whole different level of security,” Schneier said. “Systems should be vigilantly monitored 24/7 by people who know what they’re doing. Quick detection and response can make up for mediocre protection.”

As software becomes more complex and interconnected, it becomes easier to hack. Security vulnerabilities are programming mistakes, and most software has about 1,000 of them, according to Schneier. Once a vulnerability is announced, the software vendor usually issues a patch to correct the problem. Unfortunately, companies have to know about the patch and install the patch before it can work. And staying current on the massive number of software patches released is virtually impossible, he said. Schneier suggested that software companies should be held liable for distributing problem software. Liability would force software quality.

Most attacks on the Internet are vandalistic in nature, rather than profit-driven, Schneier said. Prosecution of these cyber criminals would lead to deterrence, but most companies don’t report attacks on their systems because of the stigma associated with having an “insecure” operation. But the benefits of being online outweigh the risks, so financial institutions need to learn to manage the risk. Just as vaults, alarm systems and security guards can reduce exposure to burglars, the layered protection/detection/response process can reduce credit union computer systems’ exposure to would-be hackers.

© 2023 ALM Global, LLC, All Rights Reserved.

