<p>COLUMBIA, S.C. – Cyber crime is big news these days, and a growing menace. System-snarling computer viruses spread like the real thing while hard-pressed IT staffs hasten to patch the latest vulnerability in their Internet servers. Identity theft and financial fraud grows, and reports are regularly aired of confidential consumer data being snagged by hackers breaking into supposedly secure e-commerce sites. Credit unions, of course, aren't immune, and the movement, in addition to the potential for financial loss, is in some ways particularly vulnerable to a second kind of fallout: the loss of trust. "People trust their credit unions. It is one of our greatest assets and liabilities," says Kathryn Antonetti, manager of IT networks and security at Boeing Employees Credit Union in Seattle. With that dual burden in mind, Credit Union Times asked the people in charge of IT security at several credit unions and vendor companies what was "keeping them up at night," what their biggest concerns were and how they were addressing them. As IT security chief at $3.8 billion BECU, Antonetti says her biggest concern is that confidential data from her CU's 306,000 members "will fall into the hands of cyber-criminals." "I'm not talking about bored teen-agers out to deface Web sites. I'm talking about sophisticated criminals with intent to profit," Antonetti says. (And profit they often do. For instance, 223 of 503 respondents – 19% were financial institutions, the rest government and other industries – from around the country in the 2002 CSI/FBI Computer Crime and Security Survey reported $455.85 million in financial losses to computer crime last year, with $115.75 million of that actual financial fraud.) Hackers and other cyber-criminals also are persistent, as anyone who has watched the activity on such intrusion-detection software as Black Ice can attest. "I liken it to searchlights on a castle wall. People have always been out there looking for holes, but we didn't know until we put a spotlight on them how often they were trying and what they were looking for," says Clint Kaiser, director of information security at First Tech Credit Union in Beaverton, Ore. Kaiser's $900 million-plus CU has three people, including him, dedicated to protecting the security entrusted to First Tech by its 90,000 members. In addition to dealing with the constant probing from potential intruders through the Internet, Kaiser says he's concerned with the growing use of remote technology, "the mobile workforce," as he puts it. "We've got plus or minus 20 users, mostly in management, who use them, and it's always a big concern for me how to continue to protect those machines when they get out of the protection of our corporate environment," he says. In general, Kaiser says, he sees that situation improving over the next few years, just as virus protections have advanced in recent days. But, he adds, while keeping current can be a challenge, automatic updates for virus protections and security patches for server software are becoming more robust, although they need to be monitored carefully to see how they affect other internal software processes. "It all takes time and resources away from other things we need to be doing," Kaiser says. Meanwhile, for Jerry Johnson, manager of information systems at Pacific Community Credit Union in Fullerton, Calif., his greatest fear would be "an unauthorized intrusion perpetrated on our host." But he quickly adds that the risk of an actual hack into the $125 million CU's core processing system is "currently remote for several reasons." Those include being on a separate system from the Web site and using UNIX instead of Microsoft server technology. Microsoft's servers, and about everything else the software giant offers, do seem to be the most tempting of targets, of course, and it's that kind of attention that John DeMita wants to avoid. "My favorite saying is `If Microsoft can get hacked, we certainly can, too,' " says the vice president of ASP services for Open Solutions Inc. in Glastonbury, Conn. As a service bureau hosting confidential consumer information, and with increasing regulatory pressure from federal examiners and strengthened privacy laws, " the last thing we do is brag. We work hard to stay below the radar. We work hard to make security safer around here, but it's not perfect," DeMita says. "I think security will always be a hot button," he adds. OSI, like many other vendors and credit unions, use firms like TrueSecure to test their vulnerability. They also check up on each other, which has become increasingly important in these days of account aggregation, online lending and other third-party activity. "As we continue to expand our services to members, we have increased our partnerships with third-party service providers, and have established a process to screen these partners," says Antonetti from BECU. "Through this screening process we seek to understand their security and privacy policies, to find out who manages their network, and determine whether they themselves are audited regularly by a third party," she says. Of course, those vendors expect something in return. "As a supplier, we take all of the security measures we can, but the ultimate responsibility then lies with the credit union to ensure that security over time," says John Schooler, senior vice president and chief technical officer for core processor and technology provider USERS Inc., which serves nearly 400 credit unions from its base in Valley Forge, Pa. He adds that he sees security as a "journey, not a destination" and that credit unions and vendors will continue to work together and will "always be challenged to keep on top of new issues and improve our security measures in response." The process is continual, participants agree. For instance, "our next IT security project, and the next logical step in our security evolution, is the implementation of an intrusion detection system (IDS)," says Johnson at Pacific Community CU. "Because of cost considerations, our initial foray will probably be a Linux server running any of several open-source IDS programs. We've not made a final determination at this point," he says. Besides commitment to new technology, there's also the good, old human resources approach. For instance, Clark County Schools Employee Credit Union is counting on "staff and member education" to help in the fight, says Jim Morrell, vice president of information systems for the $240 million, 31,000-member CU in Vancouver, Wash. Besides internal training, with help of marketing and staff development resources, "our network administrator is also using our intranet home page to share articles he has written on the importance of having a heads-up approach for viruses attached to e-mails," says Morrell, who also serves as chairman of the CUNA Technology Council. "We couple those with pats-on-the-back, also on the intranet, when we see people taking pro-active steps," he says. And what does the future hold? "The crystal grows dark and shapes are only dimly seen . but I trust that the tools I will have at my disposal will be better," says Johnson, the MIS at Pacific Community CU. "They'll have to be to offset the more sophisticated intrusion techniques being used by the hacker community." Johnson also takes an optimistic view of the technological arms race taking place between hackers good and bad. "Realize that a great deal of the `security' issues associated with networks are the direct result of pushing the envelope. The original design of TCP/IP never envisioned performing `e-commerce.' As new iterations of established programs and protocols are implemented, many of the current concerns will pass away," he says. Antonetti, the BECU security manager, sees that old immutable law, supply and demand, at work. "I anticipate that in five years' time, the proliferation of identity theft will drive consumer demand for tools to protect themselves, including personal firewalls, hard-token authentication and potentially biometrics," she says. "I believe that the public will look to their financial institutions to support these security measures. And as private information is increasingly shared among service partners, our members will demand greater accountability of the entities who act as custodians of their personal data," Antonetti says. Indeed, an optimistic note is rung by one industry professional responsible for securing the personal data of 160 credit unions entrusted to his operation. "The good news is that because so much attention has been focused on the Internet, there is a whole host of companies dedicated entirely to helping identify and minimize Internet security risks," says Dan Jorna, general manager of DataSafe Online Operations for USERS. Jorna, however, says credit unions need to not neglect "common-sense procedures" regarding internal networks at the same time, including proper disposal of printed documents, erasing tape media and proper password use inside the enterprise. "The best practices aren't new, but at a time when the focus is skewed to the Internet, it's worth revisiting them and making sure your credit union is adhering to them," he says. -</p> <p>[email protected]</p>