The level of Cyber-security at credit unions needs to make the
leap from boilerplate policy to part of the business planning process,''
advised Randy Karnes, CEO of WESCO, the Kentwood, Michigan, data
processor. ''It not a question of if you will be penetrated,
but when, he told attendees at Callahan and Associates New Horizons
Financial Strategies Conference in Vail, Colorado recently.
In today's networked world-where the Internet is ''part of
the culture of an organization, we not only create a link to credit
union member data, we also create a link to the backbone of a credit
union's operation,'' he said. That could mean successful e-hackers
might also be reading a CEO's correspondence to the board of directors
while perusing member records. While Karnes said that CUs have always
been protective of member privacy and the need to make member data
safe, they lack an understanding that security risks must materially
alter the way they run the business. ''When you combine technology
products and people it requires constant diligence,'' he warned.
''It's an evolutionary curve,'' he explained. ''We
started out with hi-tech consultants and moved to taking ownership
of the data. Now, we must take it further by incorporating network
security into every business process and make it another step in
the business plan.'' Credit unions that believe they can just
check things off a list or just buy security are fooling themselves.''
Recent movies like ''The Net'' and ''Swordfish''
are extreme examples, he said, but they do serve to raise the awareness
of the need for protective measures. Still, Karnes said that most
of data integrity is common sense- like having a password policy
and conducting regular employee training on the importance of data
Karnes recommended that credit unions think and plan for it as
they do for disaster recovery and said that NCUA's e-commerce questionnaire
(part of the Information Systems & Technology Safety and Soundness
Examination Program) indicated that, rather than requiring specifics
sought a plan of action with regard to security.
The right mindset, he said, is not that network security is the
sole responsibility of the IT (Information Technology) manager,
but rather that it belongs to the whole credit union team.''