Digital Defense Has Grown as Credit Unions' Concern About Security Systems has Grown; Launches FrontLine 3.0

SAN ANTONIO, Texas – When Digital Defense was founded in 1999, credit unions’ concern about protecting their systems was nowhere near what it was today and Digital Defense’s business was a fraction of what it is today – things sure change fast. Most credit unions now realize that any compromise of their systems has far more widespread effects than just the actual attack itself. The major risk is the damage an attack can do to a credit union’s reputation. Members may feel their accounts are threatened if a hacker can break into the CU’s Web site or if internal systems are compromised whether it be from within or from the outside. Digital Defense has grown to serve 245 credit union clients in 43 states, making it the largest IT security vendor for credit unions. It’s engrained in the industry, with even NCUA contracting with the company for three straight years to train its examiners on security issues. It now has 32 employees and projected 2004 revenues of $3.3 million. The leaders are passionate about security and say some credit unions still don’t understand that securing systems needs to be part of the business process and mindset of the CU-it’s not about a one-time audit, firewalls or intrusion detection tests. The nature of credit unions makes them particularly vulnerable to third-party vendors. Most credit unions use multiple third-party vendors, for things such as Net banking, online lending, shared branching, ATMs, etc. “While you can outsource the technical part of your operation, you can’t outsource the responsibility,” said Digital Defense CTO/VP of Strategic Technology Rick Fleming. Joe Cooper, chairman and CEO of Digital Defense, said NCUA is particularly strict about credit unions taking responsibility for their third-party vendors and must remember any security problem a third-party vendor has, the credit union automatically has when they contract with that company. He quoted a line NCUA likes to use, “the use of third-parties does not diminish the responsibility of the board.” But how much can CEOs and boards really be expected to know about security? Cooper said they need a top down look, instead of being bombarded with IT jargon and facts that may mean little to them. That was the basis for Digital Defense’s just-released FrontLine 3.0. “It’s a hardware and software-based solution that allows clients to go into a secure Web site, log in and test any system at any time and test their vulnerability. It’s giving all the power to the client to test any time they want. We don’t have to be in the loop,” said Cooper. Cooper said the key is it generates reports that the board and upper management can understand without having a security background. Newly-named Digital Defense President and COO Larry Hurtado, who headed up the FrontLine 3.0 initiative, said because Digital Defense places a computer on the CU’s network, Digital Defense can do internal testing of the network as if they were physically at the credit union. Hurtado said the ASP model was chosen because if Digital Defense learns of a new vulnerability in the market, it can immediately update all credit unions on the system by updating its system once in San Antonio. Cooper said though Digital Defense is proud of 3.0, if that’s all a credit union does on the security side, its systems won’t be secure. Cooper said too many credit unions are rushing out and buying security devices like firewalls without a proper security architecture in place. “They wind up throwing a lot of dollars at solutions, without knowing what their security needs to do. They need a global view of their network.” Another major advancement with 3.0 is its trend tracking. “One big problem is it’s hard to get trend analysis to track machines over time. What we’ve done is written a lot of fingerprint software to get trend analysis, trend reporting,” said Cooper. This is vital for management and the board so they can determine if security is getting better or trending downward, he said. Credit Union Times fired some timely IT security questions at the leaders. For instance, what should credit unions be doing to protect against all the attacks on Microsoft? Fleming said Microsoft software comes with many defaults that can compromise security. Credit unions need to go in and change these defaults, such as ensuring outbound connections to the Internet can’t be made. “The flaws people find in Microsoft are big. Going back to the security architecture, your firewall rules need to be correct. Many times you can thwart a lot of these attacks,” said Fleming Credit unions using Microsoft products also need effective patch management programs. Fleming said to Microsoft’s credit, it does get patches out fairly quickly, but CUs need to update on their end. How much should credit unions be spending on IT security? That’s an individual credit union’s preference but as a guide Hurtado said 5% of the IT budget is a start. Hurtado was just recently named to his president/COO position to handle day-to-day operations, while Cooper plans to continue traveling and meeting with clients at trade shows and site visits. Many times when a growing firm makes executive changes, it’s gearing up for a run at going public. Cooper said there’s no set plan for that. “We’re not the traditional kind of technology company that’s venture capital funded. We have a small bit of angel money we raised. Our focus now is on building a real company. My background was in small business. I was always raised around building a real company and opportunities will present themselves,” said Cooper. FrontLine 3.0 is priced by asset size: $395 a month for CUs with $50 million in assets and below; $795 for $50 to $150 million; and $1,195 above $150 million. [email protected]