Security remains a top concern at credit unions of all sizes as they deal with an ever-evolving landscape of threats while armed with flat or declining budgets to deal with the problem.

More than 90% of the 83 credit unions that responded to a three-question survey sent out in early May by the Credit Union Information Security Professionals Association said their security budget this year had either decreased or stayed the same.

Meanwhile, 42% of the respondents said the current recession has helped increase security concerns in their shop, while about 52% said they were about the same. Only 6% reported feeling more secure.

The survey, sent out by CUISPA Executive Director Kelly Dowell in response to questions from Credit Union Times, also solicited dozens of comments from credit union security managers on the wide number of threats and challenges they face in keeping a firewall around their networked enterprise and their members’ assets.

Basic economic problems were noted as one of the biggest impediments to keeping up. For instance, one CUISPA member said, “I think patch management is getting more and more critical and at the same time harder to keep up with. As overtime pay is being cut due to the recession, we’re having a harder time keeping systems updated with the latest security patches, and we suspect we are not alone.”

Several others cited vendor management and third-party transactions of all kinds as a challenge, something that also has caught the eye of security professionals like Ben Feinstein, director of research at SecureWorks in Atlanta.

“Credit unions face a real challenge of how to enforce a reasonable security policy on end points they don’t own or control,” he said.

Exacerbating that, Feinstein said, is the fact that “attackers are increasingly using aspects of social engineering and the human factor to achieve their goals. It’s very difficult to defend against social engineering and human frailty with any existing technical control.”

Of course, one of the key antidotes to social engineering is member education, something one of the respondents to the CUISPA survey said can take place even in these days of tight spending limits.

“If there is not budget available, it would be wise to look at your end-user education, both internally for your staff and externally with your members,” one respondent said.

The education also needs to start at the top.

“We need to educate executive management on the benefits of risk management and how it helps make money,” another respondent wrote.

Among the other concerns listed by CUISPA members:

  • ATM security.
  • ACH transactions processed without verification, “sometimes resulting in loss and fraud.”
  • Complying with “all these policies, procedures and documentation required by the regulators.”
  • Counterfeit presentations. “More crooks are trying to join and make loans.”
  • “Numerous outside forces trying to gain access from China and Eastern Europe. I see these on the edge of my outside firewalls.”

Credit unions can expect to see more of the latter. “In the past year, attackers have escalated their use of social engineering and exploiting the human factor, and have further weaponized a whole host of client-side vulnerabilities,” said Feinstein.

“The threat continues to move ‘up the stack’ and into the Web application layer,” he said, attacking such widely used plug-ins as Adobe Reader, Apple QuickTime “and a slew of ActiveX controls.”

“Frequently, the attackers use the successful compromise to insert malicious content into site, with the objective of compromising visitors to the Web site,” Feinstein said. The solution?

“User and member education, and security awareness training,” the SecureWorks research director said. And going forward?

“Are we much more secure than we were five years ago? Absolutely. Are there more risks? Definitely,” said Jim Morrell, senior vice president/chief information officer at iQ Credit Union in Vancouver, Wash.

“Today, we are a year further into identification, prevention and remediation of security concerns,” said Morrell, who’s also a former chair of the CUNA Technology Council.

“Unfortunately, so are those that are trying to subversively outsmart us. I don’t believe we’ll reach a point where we’ll ever be able to put due diligence and prudent monitoring in a file with a tickler to revisit in five years,” he said.

Copyright © 2022 ALM Global, LLC. All Rights Reserved.