Managing Security Risks Must be Part of CU Business Planning

"The level of cyber-security at credit unions needs to make the leap from boilerplate policy to part of the business planning process," advised Randy Karnes, CEO of WESCO, the Kentwood, Michigan, data processor. "It's not a question of if you will be penetrated, but when," he told attendees at Callahan and Associates' New Horizons Financial Strategies Conference in Vail, Colorado, recently.

In today's networked world, where the Internet is "part of the culture of an organization, we not only create a link to credit union member data, we also create a link to the backbone of a credit union's operation," he said. That could mean successful e-hackers might also be reading a CEO's correspondence to the board of directors while perusing member records. While Karnes said that CUs have always been protective of member privacy and the need to make member data safe, they lack an understanding that security risks must materially alter the way they run the business. "When you combine technology products and people it requires constant diligence," he warned.

"It's an evolutionary curve," he explained. "We started out with hi-tech consultants and moved to taking ownership of the data. Now, we must take it further by incorporating network security into every business process and make it another step in the business plan. Credit unions that believe they can just check things off a list or just buy security are fooling themselves."

Recent movies like "The Net" and "Swordfish" are extreme examples, he said, but they do serve to raise awareness of the need for protective measures. Still, Karnes said that most of data integrity is common sense, like having a password policy and conducting regular employee training on the importance of data security.

Karnes recommended that credit unions think about and plan for security as they do for disaster recovery, and said that NCUA's e-commerce questionnaire (part of the Information Systems & Technology Safety and Soundness Examination Program) indicated that the agency, rather than requiring specifics, sought a plan of action with regard to security.

The right mindset, he said, is not that network security is the sole responsibility of the IT (Information Technology) manager, but rather that it belongs to the whole credit union team.

July 2, 2001

