SANTA ANA, Calif. – Nancy Powers says credit unions have to find that happy medium between being too secure and giving members what they want online. Powers, VP of IS Operations for the $3.5 billion Orange County Teachers FCU, said if a CU is overly secure its members are going to find it too cumbersome to utilize online services, but being too open leaves the CU too vulnerable to a plethora of high-tech attacks which could lead to an insurmountable hit to members' trust in the credit union. So how do you find that happy medium? The CU uses a careful mix of outside security help and internal security staff. "We think security is of the utmost importance to maintain our members' privacy and confidence in the credit union so we developed a strategy a couple years ago where we have an external security audit once a year and penetration testing regularly combined with a dedicated network security person on staff," she said. The CU's network security staffer is literally on call when it comes to hack attacks. Red Siren, the information security firm the CU uses, will page that person, no matter what time of day, when there is a potential security threat. Not all incidents require a page. The CU essentially prioritizes the threats, and only certain ones generate a page. Powers said it's not uncommon for the network security staffer to be paged in the middle of the night. She said it's a real wake-up call to the potential threats out there to credit unions. "People say to me, `you are a credit union, who would hack into a credit union?' Hackers will get into any site they can. You set up a honey pot, and it's only a matter of time before someone finds it. Credit unions are not exempt," said Powers. Dain Gary, SVP and Chief Security Officer for Red Siren, said he still can't believe that some people just don't think they're at risk because they're not a big national name like a Chase or Citibank. "My biggest challenge is to make decision makers aware of the risk. They just don't appreciate the level of risk," said Gary. That being said, he stressed that there are differences among organizations. "What is good for a credit union may not be good for an investment bank," he said. Gary believes CUs and any other type of business can't do it alone. To monitor all the potential risks to networks and online services would take a large staff said Gary. "Every month there's a new challenge, a new vulnerability. IT staffs are generally not well-resourced and don't have the skill sets to develop security policies," said Gary. Managing security is not a high-tech issue, said Gary, but a management issue. "It's a process and mindset rather than a technology you can throw against the problem. If you talk to someone about network security, they might say `oh we have a firewall or we have anti-virus.' But unless you have a staff who can keep these products current, unless there are policies in place, it's just a false sense of security." Powers agrees. At Orange County Teachers FCU all 752 staff members go through security testing quarterly. "We keep pushing out a message of security," she said. "You can't just say `security is so and so's responsibility.' It's everyone's responsibility," she said. The CU even requires staffers to go through privacy training once a year. [email protected]