Credit unions pride themselves on building stronger, more personal relationships with customers than other financial institutions do. But relationships are built on trust, and a data breach is perhaps the fastest way to obliterate that trust.

Credit unions are no strangers to the severity of data breaches. They're already struggling to cover the costs of securing customers' financial information following a string of major merchant data breaches. A NAFCU survey found that credit unions spent an average of $226,000 and an estimated 1,600 hours in 2014 on debit and credit card fraud issues resulting from merchant data breaches.

NAFCU and other associations are working to change the laws to reduce the burden that merchant data breaches put on credit unions. Yet credit unions also have their own responsibility to keep up with the ever-changing threat landscape to protect the data privacy of both their customers and their own internal organizations.

That means identifying and filling gaps that exist in their security programs. For too many organizations – credit unions and otherwise – one of those gaps is visual privacy. Case in point: A recent study conducted by Ponemon Institute, sponsored by 3M Company and the Visual Privacy Advisory Council, found that a white-hat hacker was able to “visually hack” sensitive information 88% of the time in corporate office environments.

So what is visual hacking? It's the viewing or capturing of private, confidential or sensitive information for unauthorized use. Within a credit union, this could involve someone taking a picture of a customer's account information displayed on a screen or network login information taped to a monitor. It could also involve someone visually recording sensitive documents left in open view on a desk or on a printer tray.

These examples may have sounded absurd 10 years ago, but today's technology advances make them entirely feasible. Nearly everyone now has a smartphone with a camera. Meanwhile, discreet wearable technology is growing in popularity, and anyone can purchase camera-mountable drones online.

The question is no longer, “Is visual hacking a real threat?” but rather, “How do we prevent it?”

First, a change in mindset is needed. We often think of information security from two perspectives: Physical and digital. But it's time we add a third tenet: Administrative. Focusing on administrative security will help you address the important behavioral, workspace and technological factors that are relevant to information security but sometimes excluded from security programs.

Begin by identifying administrative security risks. Look for opportunities where sensitive information could be viewed, such as at employee workstations and teller desks, and through office windows. Devices that mobile employees or executives can use to access network or customer information outside of your credit union's walls must also be included.

From there, deploy safeguards that include a combination of policies and technologies.

A clean desk policy should be in place to keep documents containing sensitive information out of view when they're not being used. Computers should also be password-protected and turned off when employees step away from their desks, and monitors should always be turned away from the public.

Keep in mind that human behavior is difficult to change, so these policies will require enforcement. Your head of privacy, or a designated privacy champion in each branch, should conduct random desk checks to ensure employees are following the new policies. You can work with your HR department to choose the enforcement approach most appropriate for your organization and its culture.

Technology safeguards should include privacy filters that are easily fitted to each computer and mobile device and that blacken the screen when it is viewed from an angle. Use printers that require employees to enter a code at the printer to complete their print jobs – which will help reduce the time sensitive documents sit on a printer tray – and place shredders next to printers to help ensure employees use them.

Lastly, most credit unions don't employ a chief information security officer like big banks do. Don't let that stop you. Ensure your head of security or security policy addresses the responsibility for integrating these critical safeguards into your data privacy policy.

Patricia Titus is CISO, security advisor and member of the Visual Privacy Advisory Council. She can be reached at 612-455-1735 or [email protected].
