BAY CITY, Mich. - Mounting federal regulations, along with "normal" security-related trepidations, have led COPOCO Community Credit Union to employ Open Systems Technology (OST) services.
"With regulations the way they are and all the hacking that goes on, you might think you are safe, but you really need to know you are safe," said Doreen Smith, CFO for the Bay City, Michigan-based credit union.
In many cases, security breaches are not coming from predators and hackers but from vendors who leave generic security codes, such as default passwords, in place during installations.
"I have worked with over 50 credit unions and what I see as a leading overlooked problem is that security issues are being left behind by vendors who are either installing products or providing products," said Scott Montgomery, manager of Security Practices at OST. "A credit union with an IT staff in many cases is not aware of these security issues. So how can you fix something when you don't know it's broken?"
The answer, said Montgomery, is testing, a process that provides Smith and her team with actionable intelligence, the assurance that they are meeting FFIEC requirements, and the discovery of threats that would otherwise be overlooked. "They (FFIEC) come in and ask for our security assessments and whether we are having vulnerability testing, and ask how often we do it," said Smith. "All I have to do is hand them the report disc Scott has made for us; it's that simple."
With 14,000 members, 35 employees and two branches, the $100-million COPOCO is extra cautious. While FFIEC testing is required annually, it opts to test every six months. "These tests also allow us to see our weaknesses. For example, little things come up like a Microsoft patch not going up correctly, which makes PCs vulnerable," said Smith. "And we had a server migration where we went from an old server to a new server with new software. Scott's test scans found automatic passwords that weren't changed, which also made us vulnerable."
Depending on the size of the credit union, on-site testing and evaluation can take one to two days to complete. "We arrive at nine in the morning; we complete the testing by late afternoon and make our presentation the following morning," said Montgomery.
The Information Technology Security Assessment is based on a score from one to 10 and investigates variables including password vulnerability, server vulnerability, unsupported operating systems and more. "This report allows executives to change how they are responding to certain issues. They might be underutilizing their IT department or force their vendors to step up in ways they haven't before," said Montgomery.
"Most vendors want to get in and out of an organization as quickly as they can, and we know certain vendors that leave their clients vulnerable," Montgomery continued. "In urban areas, for example, we have seen the same application installed at many, many credit unions during the same timeframe using the same password."
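The two findings the article describes, vendor default passwords that survive an installation or a server migration, and the same default appearing at many institutions, can be checked for directly rather than waiting for the next assessment. The script below is an added example written for this page; it is not OST's tooling and does not describe any real vendor's product. It assumes a credential-store export holding only salts and PBKDF2-SHA256 hashes (the application's real format may differ), a hypothetical list of vendor defaults, and a constructed inventory spanning two sites, and it flags accounts still set to a known default and defaults that recur across sites.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Hypothetical vendor-default credentials, keyed by application name.
# Constructed for this example; they do not describe any real product.
KNOWN_DEFAULTS = {
    "coreapp": [("admin", "admin"), ("svc_core", "Welcome1")],
    "backup_agent": [("backup", "backup")],
}


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-SHA256, standing in for whatever the application actually stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()


def make_record(site, host, app, user, password):
    """Build one inventory row the way an exported credential store holds it (salt and hash only)."""
    salt = os.urandom(16)
    return {"site": site, "host": host, "app": app, "user": user,
            "salt": salt, "hash": hash_password(password, salt)}


# Constructed inventory. The plaintexts exist only to build the sample export;
# the audit functions below see nothing but salts and hashes.
INVENTORY = [
    make_record("cu-a", "core-old", "coreapp", "admin", "admin"),         # old server, never changed
    make_record("cu-a", "core-new", "coreapp", "admin", "admin"),         # migrated, default carried over
    make_record("cu-a", "core-new", "coreapp", "svc_core", "Xq9!v2Lp#r"), # changed by staff
    make_record("cu-a", "bkup01", "backup_agent", "backup", "backup"),    # default left by installer
    make_record("cu-b", "core01", "coreapp", "admin", "admin"),           # same vendor, same default, other site
    make_record("cu-b", "core01", "coreapp", "svc_core", "Welcome1"),     # default
]


def find_default_credentials(inventory, defaults=KNOWN_DEFAULTS):
    """Return inventory rows whose stored hash matches a known vendor default for that app and user."""
    findings = []
    for row in inventory:
        for user, default_pw in defaults.get(row["app"], []):
            if user != row["user"]:
                continue
            candidate = hash_password(default_pw, row["salt"])
            if hmac.compare_digest(candidate, row["hash"]):
                findings.append({**row, "default_password": default_pw})
    return findings


def reused_across_sites(findings):
    """Map (app, user, default) to the sites where that unchanged default was found;
    keep only defaults present at more than one site."""
    sites = defaultdict(set)
    for f in findings:
        sites[(f["app"], f["user"], f["default_password"])].add(f["site"])
    return {k: v for k, v in sites.items() if len(v) > 1}


if __name__ == "__main__":
    hits = find_default_credentials(INVENTORY)
    for h in hits:
        print(f"{h['site']}/{h['host']} {h['app']} user={h['user']} still uses the vendor default")
    for (app, user, _), sites in reused_across_sites(hits).items():
        print(f"{app} {user}: identical default present at {sorted(sites)}")
```

Hashing each default with the row's own salt means the check works on an export that never contains plaintext, and the per-site grouping is what surfaces the pattern Montgomery describes: one vendor rolling out one password to many customers, which turns a single leaked credential into access at every one of them. Run it against the current export after every installation or migration, not only before the examiners arrive.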