SAN ANTONIO, Texas - When Digital Defense was founded in 1999,credit unions' concern about protecting their systems was nowherenear what it was today and Digital Defense's business was afraction of what it is today - things sure change fast. Most creditunions now realize that any compromise of their systems has farmore widespread effects than just the actual attack itself. Themajor risk is the damage an attack can do to a credit union'sreputation. Members may feel their accounts are threatened if ahacker can break into the CU's Web site or if internal systems arecompromised whether it be from within or from the outside. DigitalDefense has grown to serve 245 credit union clients in 43 states,making it the largest IT security vendor for credit unions. It'sengrained in the industry, with even NCUA contracting with thecompany for three straight years to train its examiners on securityissues. It now has 32 employees and projected 2004 revenues of $3.3million. The leaders are passionate about security and say somecredit unions still don't understand that securing systems needs tobe part of the business process and mindset of the CU-it's notabout a one-time audit, firewalls or intrusion detection tests. Thenature of credit unions makes them particularly vulnerable tothird-party vendors. Most credit unions use multiple third-partyvendors, for things such as Net banking, online lending, sharedbranching, ATMs, etc. "While you can outsource the technical partof your operation, you can't outsource the responsibility," saidDigital Defense CTO/VP of Strategic Technology Rick Fleming. JoeCooper, chairman and CEO of Digital Defense, said NCUA isparticularly strict about credit unions taking responsibility fortheir third-party vendors and must remember any security problem athird-party vendor has, the credit union automatically has whenthey contract with that company. He quoted a line NCUA likes touse, "the use of third-parties does not diminish the responsibilityof the board." But how much can CEOs and boards really be expectedto know about security? Cooper said they need a top down look,instead of being bombarded with IT jargon and facts that may meanlittle to them. That was the basis for Digital Defense'sjust-released FrontLine 3.0. "It's a hardware and software-basedsolution that allows clients to go into a secure Web site, log inand test any system at any time and test their vulnerability. It'sgiving all the power to the client to test any time they want. Wedon't have to be in the loop," said Cooper. Cooper said the key isit generates reports that the board and upper management canunderstand without having a security background. Newly-namedDigital Defense President and COO Larry Hurtado, who headed up theFrontLine 3.0 initiative, said because Digital Defense places acomputer on the CU's network, Digital Defense can do internaltesting of the network as if they were physically at the creditunion. Hurtado said the ASP model was chosen because if DigitalDefense learns of a new vulnerability in the market, it canimmediately update all credit unions on the system by updating itssystem once in San Antonio. Cooper said though Digital Defense isproud of 3.0, if that's all a credit union does on the securityside, its systems won't be secure. Cooper said too many creditunions are rushing out and buying security devices like firewallswithout a proper security architecture in place. "They wind upthrowing a lot of dollars at solutions, without knowing what theirsecurity needs to do. They need a global view of their network."Another major advancement with 3.0 is its trend tracking. "One bigproblem is it's hard to get trend analysis to track machines overtime. What we've done is written a lot of fingerprint software toget trend analysis, trend reporting," said Cooper. This is vitalfor management and the board so they can determine if security isgetting better or trending downward, he said. Credit Union Timesfired some timely IT security questions at the leaders. Forinstance, what should credit unions be doing to protect against allthe attacks on Microsoft? Fleming said Microsoft software comeswith many defaults that can compromise security. Credit unions needto go in and change these defaults, such as ensuring outboundconnections to the Internet can't be made. "The flaws people findin Microsoft are big. Going back to the security architecture, yourfirewall rules need to be correct. Many times you can thwart a lotof these attacks," said Fleming Credit unions using Microsoftproducts also need effective patch management programs. Flemingsaid to Microsoft's credit, it does get patches out fairly quickly,but CUs need to update on their end. How much should credit unionsbe spending on IT security? That's an individual credit union'spreference but as a guide Hurtado said 5% of the IT budget is astart. Hurtado was just recently named to his president/COOposition to handle day-to-day operations, while Cooper plans tocontinue traveling and meeting with clients at trade shows and sitevisits. Many times when a growing firm makes executive changes,it's gearing up for a run at going public. Cooper said there's noset plan for that. "We're not the traditional kind of technologycompany that's venture capital funded. We have a small bit of angelmoney we raised. Our focus now is on building a real company. Mybackground was in small business. I was always raised aroundbuilding a real company and opportunities will present themselves,"said Cooper. FrontLine 3.0 is priced by asset size: $395 a monthfor CUs with $50 million in assets and below; $795 for $50 to $150million; and $1,195 above $150 million. [email protected]