ARLINGTON, Texas – A credit union that has a maximum-security vault to protect its cash and other valuables has absolutely no need for an alarm system or a security guard. True or false? Most people would answer "false" without hesitation, knowing that one security measure without the others leaves the credit union at greater risk of being burglarized. However, many of these same people may believe their credit union computers and information systems are secure because they have installed firewalls, encryption devices and/or intruder detections systems (IDSs). This is a dangerous presumption, Bruce Schneier, CTO and founder of Counterpane Internet Security, Inc. told TechMecca 2001 participants. Technology is not the answer to Internet security. Security must be a process that combines protection, detection and response to mitigate risk. "Software is just too easy to fool. Software doesn't think, doesn't question, doesn't adapt. Without people, computer security software is just a static defense. Marry software with human beings who are experts in detecting security breaches, and you have a whole different level of security," Schneier said. "Systems should be vigilantly monitored 24/7 by people who know what they're doing. Quick detection and response can make up for mediocre protection." As software becomes more complex and interconnected, it becomes easier to hack. Security vulnerabilities are programming mistakes, and most software has about 1,000 of them, according to Schneier. Once a vulnerability is announced, the software vendor usually issues a patch to correct the problem. Unfortunately, companies have to know about the patch and install the patch before it can work. And staying current on the massive number of software patches released is virtually impossible, he said. Schneier suggested that software companies should be held liable for distributing problem software. Liability would force software quality. Most attacks on the Internet are vandalistic in nature, rather than profit-driven, Schneier said. Prosecution of these cyber criminals would lead to deterrence, but most companies don't report attacks on their systems because of the stigma associated with having an "insecure" operation. But the benefits of being online outweigh the risks, so financial institutions need to learn to manage the risk. Just as vaults, alarm systems and security guards can reduce exposure to burglars, the layered protection/detection/response process can reduce credit union computer systems' exposure to would-be hackers. [email protected]

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.