The other question I find myself asking in relation to the first two is "does it really matter?" Most, if not all, IT professionals, no matter in what capacity they may serve, have some knowledge of information security and its necessity in this day and age. The sad truth is that it really doesn't matter what that next hack will be or when it will come. We need to be prepared regardless. The problem with security from a good guy point of view is that we will forever and always be playing catch up to the bad guys. It is a perpetual game of cat and mouse and as long as computers continue to evolve, there will be security issues.

Why am I telling you this? Because I truly believe that there is one tool that we can all use that will minimize the impact of that next big hack if used properly; one tool that can be tailored to each person within the credit union, but can be delivered en masse; one tool that costs little, but provides a significant ROI. That tool is simply, awareness.

When my father was in the military, his unit would go out periodically into the woods and play war games. The unit would be split up into aggressors and defenders. The defenders never knew when the attack was coming or how, but because they were aware that it was coming and they had the tools to fight back, they always prevailed.

The same can be said for the credit union and security awareness as the tool. Each person in the credit union plays a large part in the overall security of the credit union network and information assets. Each person needs to have the tools and training to combat as many attempts to steal that information or money as possible and that training should start with IT. Although IT has the biggest knowledge requirement for fighting back against the bad buys, the tellers, member service reps, and loan officers also have attacks against them on a regular basis through email, phone, text messages, the internet, and sometimes, even in person.

When all of the staff of the credit union are aware of the various types of attacks, social engineering for frontline staff and the more technological hacks like DDoS attacks for the IT staff, it doesn't really matter when that attack comes or from what direction because the staff are aware of the need for security and have the tools to fight it.

It is not always feasible to have a staff member dedicated to information security, but that does not relieve us of the responsibility to remain diligent and knowledgeable about information security. Setting up awareness training can be as simple as creating a presentation on social engineering, or ways viruses and Trojans can get on the computer.

Basic topics like safe surfing, social engineering, and strong password creation can go a long way in strengthening the tools our staff members need to maintain a high level of security. Keeping those topics up to date is also important because social engineering trends change as well as other attack vectors.

However, in order to get buy-in, which is probably the most important piece of this security puzzle, you have to make it interesting, which can be difficult at times, and you have to emphasize the personal stake that we all have in the safety and soundness of the credit union. Once you get that vested interest, maintaining a high security posture gets much easier.

Will Rainwater is the IT manager at APL Federal Credit Union in Laurel, Md. He can be reached at 443-778-4679 or [email protected].