<p>Tom Ha sees the challenges grow daily. "Staying up to date on firewalls and anti-virus software is critical to a good operation," says the information systems manager at AmeriChoice FCU, a $70 million, 11,000-member organization in Mechanicsburg, Pa. "Money in accounts is really just another form of data, the real, physical money is stored in vaults and off-site, et cetera. But our data is of utmost concern and we do our best to keep it safe," he says. That includes defending against such things as the so-called Goner worm, the most recent headline-grabbing system snarler. Ha says it showed up at AmeriChoice (www.americhoice.org) the day it was first internationally reported, but that he had already been warned by his anti-virus provider and was protected. "It can be hard, but the same technology that they are using to spread these worms and such is also being put into play much more quickly now to defend against them," says Ha, who receives alerts through his PC, PDA and cell phone. Indeed. Just keeping up is daunting and a full-time job. "As of today, there are 57 security updates from Microsoft out for this year," Rick Woehler of PM Systems (www.pmsyscorp.com and www.cudefense.com), a South Carolina-based provider of security services to more than 300 credit unions, said in mid-December. Of course, as the biggest target, Microsoft-powered servers are a favorite for hackers surfing Internet addresses and breaking into systems, and Woehler can demonstrate just how easy it is, quickly demonstrating a series of steps that gain entry to an unprotected host system of what apparently is a small Internet services provider on the West Coast. It can also be that easy for destructive viruses and worms (the latter being particularly insidious because they propagate themselves) to enter and do their damage. Woehler says he wishes he could alert every system he receives an alert from but has to spend all his time protecting his paying customers. "PM Systems receives around 500 NIMDA (a pernicious cyber-worm) attempts per day against our 1,000-plus IP addresses. One of our monitored security customers gets around 900 per month from the BellSouth network," he says. And credit unions that think they're immune are kidding themselves, says Rick Fleming, vice president of security operations at Digital Defense (www.digitaldefense.net), a Texas-based provider of security services to hundreds of credit unions across the country. He sees problems occurring daily because of sloppy internal IS techniques, including not keeping up with necessary patches. However, Fleming says, "the leading cause of this is an `it can't happen to me because I'm too small attitude.' " " I can't tell you how many times over the past few years I've heard CEO's and board members of credit unions tell me that they didn't think their credit union was vulnerable to attack because they are too small an organization or just don't have a large Internet presence," he says. "My reply to them is that those ever-annoying telemarketers can find their home numbers, even if they are unlisted, by simply dialing every number. The same is true with hackers and script kiddies. "Script kiddies are inexperienced hacker wannabes who don't really understand what they are doing, but simply download scripts and tools from the Internet and run them. "Many times a system is compromised simply because its number, literally speaking, was up. It wasn't a targeted attack against the organization because it was a financial organization, but simply a target of opportunity because its servers were scanned and found to be vulnerable," Fleming says.</p>