ROSELLE PARK, N.J. - This typical summer afternoon found Glenn South helping staffers feed handwritten receipts, vouchers, check deposit slips and the like into the traveling shredder that had stopped by County Educators Federal Credit Union. It may sound low tech, but it's one less thing that could show up in the 60 pages or so the CU gets in a typical security report from its consultant, ECCT (www.ecct.net) in Yaphank, N.Y. South is president and CEO of $84 million, 15,500-member County Educators. The organization has 29 full-time staffers, six part-timers and ECCT, an integration and security services provider that South considers "practically a part-time member of our IT staff." County Educators (www.countyedfcu.org) relies heavily on ECCT to provide the technology and expertise to monitor online and internal security, as well as to conduct security assessments and reviews, such as one that recently came back with more than 60 pages of observations and recommendations. "We thought we were doing pretty well, but they pointed out to us open ends we didn't know we had. Some were minor. Some were pretty severe, but our IT person got right on it and within two weeks she already had 90% of the problems corrected," South says. County Educators had nothing to hang its head about, says Dean Marshall, a certified security specialist and executive vice president at ECCT. "One thing we usually find is that when credit unions have a reasonable IT staff and good management, they're doing more right than they realize or give themselves credit for," he says. Recommended areas for improvement can range widely, from security policies that haven't been approved and ratified by the board to inadequate data center protections of high and low tech varieties. "Sometimes it's as simple as not having a proper list of people allowed in the center or not having the right door locks in place," Marshall says. Riding a wave of change in credit union land, ECCT provides a basket of security-related services, including risk assessment, policy development, on-site security awareness training on such topics as passwords and social engineering, and 24/7 intrusion monitoring, detection and prevention from an off-site location on the eastern end of Long Island. A new area is compliance review to ensure credit unions are meeting the increasingly complex requirements of the NCUA and other agencies, a service that about 15 credit unions already have used, says ECCT, which has a client list of about 400 credit unions. "We've been doing work exclusively for credit unions for about 12 years," says ECCT's president and CEO, Bud Heege. "We're primarily a network company but in the past four or five years we've really delved into the security area, and we work a lot with another side product, thin-client terminals." For County Educators, South says ECCT has become "a kind of turnkey operation as far as security is concerned. What they do for us would take us hundreds of man hours to do on our own, and we would have to hire someone of the same caliber as the people they have on their staff, which probably would cost us about $60,000 to $70,000 a year plus benefits. "Right now, we're getting that for the cost of basically a part-time person." [email protected]