COLUMBIA, S.C. – Hackers, viruses and worms generally get the headlines, but well-deployed technology can often stay ahead, or at least catch up quickly, in that running battle of the bytes. Instead, the biggest threat to IT security at credit unions and any other organization can just as easily come from within and in the form of perhaps the most unpredictable software of all, the human mind.

“Unsafe handling of member data, regardless of the media, is a much bigger threat to most institutions than a faceless hacker across the ocean,” observes Frank Leser, senior vice president/CIO at $5.8 billion Pentagon Federal Credit Union.

“The popular press plays up the external threats, but these are actually the easiest to block,” Leser says. “Firewalls, intrusion detection systems and proper system management will prevent the external attacker. The real risk is the internal risk.

“An employee background check is not as ‘cool’ as a new firewall, but it is a cornerstone of proper information protection.”

Keeping the staff involved and engaged also is crucial, experts say.

“The greatest threat to credit union security is staff complacency,” says Robert Broadwell, vice president of PM Systems Corp., a South Carolina-based firm that provides Internet and network security services to more than 100 credit unions through its CU Defense unit.

“Over the past several years, we have found that merely having a written security policy in place is simply window dressing for many credit unions,” Broadwell says. “While they do take their policies seriously, relatively few proactively test these policies for compliance ... and employees rapidly become complacent.

“Human weakness, along with the trusting nature that many of us possess, is probably the greatest threat to credit union security.”

But don’t count out the technology. After all, that’s the cure as well as the disease, and the viruses and worms seem to continually morph, launching new kinds of fast-spreading threats.
“It’s a constant battle for businesses to keep up with the threats and the controls needed to mitigate those threats,” says Dan Sheehan, senior security consultant for Vibren Technologies in Boxborough, Mass.

“Trojans, denial of service, even just the prevalence of port scanning, has increased exponentially in the past few years. The generation of viruses is costing businesses millions in investing in protection for their enterprise,” says Sheehan, whose company’s client list includes Fortune 100 companies, banks and credit unions.

Tools And Threats

Technology is evolving along with the threats, of course.

“Technology can help the credit union’s IT security staff keep their network assets safe by automating a lot of tasks,” says Niels Taylor, a PM Systems security analyst.

“A password cracking tool is an obvious example. Another good example is e-mail virus scrubbing tools,” Taylor says. “Furthermore, I think that technology can help improve security awareness at the credit union. For instance, an antivirus client catches a virus at the desktop brought in by a user. The user should know better. The sys admin/security person can use this example as a teaching tool for the staff.”

Besides viruses and worms brought in by e-mail, there’s the vulnerability exploited by hackers able to find their way through Web servers, a much-publicized threat and one that shouldn’t be underestimated, experts observe.

“Software vulnerabilities would have to be at the top of the list of other major threats,” says Sheehan at Vibren Technologies. “Microsoft’s efforts at securing its future releases of software are indicative of the seriousness to which companies are taking the threats.”

It’s not just Microsoft, and it’s not just server software where the efforts are being made to secure networks.

“There are inroads being made in integrating security directly with the applications such as ERP and CRM,” Sheehan says.
“Implementation of content inspection devices, URL screening and the pervasiveness of VPN (virtual private network) implementations is lowering the risk for businesses.”

Other operational risks include identity fraud and, as Leser at Pentagon FCU notes, even the risk of location. Redundant and remote backup systems, biometrics, smart card readers and other tools still in development all become part of the equation credit union managers find themselves considering.

Of course, all this new technology costs a lot of dough, and it becomes a balancing act for credit unions, leveraging the technology and people already in place against the risk.

To Sheehan, that’s the biggest challenge.

“If the security policies and guidelines become too restrictive, it has a negative impact on the bottom line,” the Vibren Technologies consultant says. “However, if comprehensive security policies aren’t in place and enforced down to the user level, this could have a detrimental impact on the business as well.”

Leser notes that credit unions, like all financial institutions, are in the business of managing risk.

“The key question is, ‘how safe does the CEO want to be’ and the corollary question then is ‘how much does the CEO want to spend?’”