While we focus on criminal access to computer systems through broken software (e.g., the recent Heartbleed problem), it’s important we don’t ignore the broken window. To illustrate how physical security is important to credit unions and their small-business account holders, I developed this story based on a real-life case.

Once upon a time ...

... there was a small business. Someone broke in and did minor damage. Modest items were taken. Luckily, the business owners thought, none of their computers.

There was another small business. Someone broke in and did minor damage. Modest items were taken, including some spare computer equipment.

A third business also had a break-in with minor damage. Computers, servers, and networking equipment were taken. Security cameras showed a couple of men in hoodies and masks, plus the carts they used to haul out their loot.

In response to these incidents, broken glass was repaired. Locks were changed. Deadbolts and more security cameras were added. Folks sighed and moved on.

But then, strange things started to happen. Charges that couldn't be accounted for (for things like auto parts and computer equipment) appeared on the companies’ credit cards. Unauthorized wire transfers were made. Company payroll transactions didn’t go where they were supposed to. Employees with access to credit cards, payroll, and bank accounts were suspected and questioned, sometimes by law enforcement officers. Trust was broken.

Then the weirdness spread. Employees reported fraudulent credit cards, accounts, and loans opened in their names. Identities were stolen. By the time all was said and done, over two and a half years later, more than 50 small businesses and their employees were affected by fraud losses of over $3 million.

While the small-business owners have some security in knowing the perpetrators were caught and sentenced, it’s not a story that readily ends “happily ever after.” Credit unions obviously have to pay attention to physical security as well as the security of the software on their computer systems. But remember to also advise your small-business account holders to consider physical as well as software security. You may save them, and your CU, losses and headaches.

Jim Benlein, CISA, CISM, CRISC, is the owner of KGS Consulting, which provides policy and practice consulting and auditing services on information technology and information security programs for CUs.