News Column

Broken Software AND Broken Window

June 1, 2014

Benlein, Jim

While we focus on criminal access to computer systems through broken software (e.g., the recent Heartbleed problem), it's important we don't ignore the broken window.

To illustrate how physical security is important to credit unions and their small-business accountholders, I developed this story based on a real-life case that you can read at

Once upon a time, there was a small business. Someone broke in and did minor damage. Modest items were taken. Luckily, the business owners thought, none of their computers.

There was another small business. Someone broke in and did minor damage. Modest items were taken, including some spare computer equipment.

A third business also had a break-in with minor damage. Computers, servers, and networking equipment were taken. Security cameras showed a couple of men in hoodies and masks, plus the carts they used to haul out their loot.

In response to these incidents, broken glass was repaired. Locks changed. Deadbolts and more security cameras added. Folks sighed and moved on.

But then, strange things started to happen. Charges that couldn't be accounted for (for things like auto parts and computer equipment) appeared on the companies' credit cards. Unauthorized wire transfers were made. Company payroll transactions didn't go where they were supposed to.

Employees with access to credit cards, payroll, and bank accounts were suspected and questioned, sometimes by law enforcement officers. Trust was broken. Then the weirdness spread. Employees reported fraudulent credit cards, accounts, and loans opened in their names. Identities had been stolen.

By the time all was said and done, over two and a half years later, more than 50 small businesses and their employees were affected by fraud losses of over $3 million.

Credit unions obviously have to pay attention to physical security as well as the security of the software on their computer systems. But remember to also advise your small-business account holders to consider physical as well as software security. You may save them, and your CU, losses and headaches.

Comment on this post and read others by Benlein on the CUES Skybox blog at http:// And learn more and register for CUES School of Risk Management and CUES Advanced School of Risk Management, to be held in September in Denver.

Recent Posts

"When determining if someone should make the short list of potential new directors, keep in mind that your board is an extension of your credit union's brand. You want to select people who will be good brand representatives in the community."

CUES Marketing Specialist Leisa Goodman in "Five Ways to Find new Board Members," coverage of CUES' Board Chair Development Seminar, on CUES Skybox: http://tinyurl.com/flndnewdirectors.

"Actively disengaged employees are 'CAVE' dwellers, consistently against virtually everything."

Michael Neill, CSE, president of Michael Neill and Associates, Atlanta, CUES' strategic provider for ServiStar, quoted in "Engage the Unengaged Employee" at unengaged.

"Choosing how you show up every day with a focus on supporting your team, your members, and your community will ensure value is created and grows."

2011 CUES Next Top Credit Union Exec Devin Seite, corporate trainer/leadership for $12 billion Servus Credit Union, Edmonton, Alberta, reflecting on CEO Institute III. Read more of his post on the NTCUE blog at http://tinyurl.com/howyoushowup; then nominate a rising star for the 2014 NTCUE challenge by June 6. Sign up for the Aug. 17-22 CEO Institute at Wharton at cues.org/institutes.

By Jim Benlein, CISA, CISM, CRISC

Jim Benlein, CISA, CISM, CRISC, is the owner of KGS Consulting, which provides policy and practice consulting and auditing services on information technology and information security programs for CUs.


Source: Credit Union Management
