The Convenience/Security Tradeoff
01 Jun
In credit union branches and with digital offerings, tension often exists between making services available and convenient and preventing potential breaches of members’ personal information.
For example, Sikorsky Financial Credit Union in Stratford, Conn., works with a third-party vendor where the data-sharing and vendor controls are not ideal from Brian Nesgoda’s perspective. However, the vulnerabilities and risks of using this vendor’s offering were identified, the business case was made, and the service went forward, says Nesgoda, SVP/risk management/chief information officer for the $700 million CU.
“You pick your battles,” he observes, “and you keep trying to improve the controls.” Where conflicts between offering a convenient service and security are resolved, Nesgoda explains, is at the enterprise risk management level, where the goal is setting appropriate risk tolerances. Sikorsky Financial CU relies on a finance and enterprise risk management committee, made up of management and board representatives, which wrestles with these issues and reports its findings to the board.
Providing public Wi-Fi access in a credit union’s lobby is another case where convenience and security trade off. It’s a privacy vulnerability, points out Jim Benlein, CISA, CISM, CRISC, owner of KGS Consulting (www.kgs-consulting.com), Silverdale, Wash. “For security, you have to monitor Wi-Fi signals, watching for such suspicious activity as attempts to log in to the credit union’s network devices or the creation of a look-alike but fraudulent public Wi-Fi network.”
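The two kinds of monitoring Benlein describes, look-alike or rogue Wi-Fi networks and login attempts against network devices from the guest segment, can be checked mechanically. The script below is an added example written for this page; it is not code from the article, from KGS Consulting, or from any credit union it names. The SSID names, BSSIDs, IP ranges and syslog lines are constructed, and the guest segment (10.200.0.0/16) and management segment (10.10.0.0/16) are assumptions. The first function compares a wireless scan against an inventory of authorized access points and flags unknown radios broadcasting the official SSID as well as names that imitate it; the second counts SSH login attempts against switches and firewalls whose source address lies in the guest Wi-Fi range, traffic that should never reach the management plane.

```python
import re
import ipaddress
from difflib import SequenceMatcher

# Constructed inventory: the branch's official guest SSID and the BSSIDs (radio MACs)
# of the access points authorized to broadcast it. All values are made up.
AUTHORIZED_APS = {
    "SikorskyFCU-Guest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed wireless scan results: (ssid, bssid, channel).
SCAN = [
    ("SikorskyFCU-Guest", "aa:bb:cc:00:00:01", 6),
    ("SikorskyFCU-Guest", "aa:bb:cc:00:00:02", 11),
    ("SikorskyFCU-Guest", "de:ad:be:ef:00:01", 6),       # official name, unknown radio
    ("SikorskyFCU_Guest", "de:ad:be:ef:00:02", 1),       # one character changed
    ("Sikorsky FCU Free WiFi", "de:ad:be:ef:00:03", 1),  # borrows the brand name
    ("CoffeeShopWiFi", "11:22:33:44:55:66", 1),          # unrelated neighbour
]


def normalize(ssid):
    """Lower-case and strip separators so 'FCU_Guest' and 'FCU-Guest' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def is_lookalike(ssid, official, threshold=0.8):
    """True when ssid imitates the official name without being identical to it."""
    if ssid == official:
        return False
    cand, ref = normalize(ssid), normalize(official)
    if cand == ref:
        return True
    # Brand token: the part of the official name before its first separator.
    brand = normalize(re.split(r"[^A-Za-z0-9]", official, maxsplit=1)[0])
    if len(brand) >= 4 and brand in cand:
        return True
    return SequenceMatcher(None, cand, ref).ratio() >= threshold


def audit_scan(scan, authorized):
    """Return (finding, ssid, bssid) tuples for rogue radios and look-alike names."""
    findings = []
    for ssid, bssid, _channel in scan:
        if ssid in authorized:
            if bssid.lower() not in authorized[ssid]:
                findings.append(("rogue_bssid", ssid, bssid))
            continue
        if any(is_lookalike(ssid, official) for official in authorized):
            findings.append(("lookalike_ssid", ssid, bssid))
    return findings


# Constructed syslog lines from network devices. 10.200.0.0/16 is the assumed guest
# Wi-Fi segment; 10.10.0.0/16 is the assumed management segment.
GUEST_NET = "10.200.0.0/16"
SYSLOG = [
    "Jun  1 10:02:11 core-sw1 sshd[2201]: Failed password for admin from 10.200.5.17 port 51022 ssh2",
    "Jun  1 10:02:14 core-sw1 sshd[2201]: Failed password for admin from 10.200.5.17 port 51024 ssh2",
    "Jun  1 10:05:40 core-sw1 sshd[2290]: Accepted publickey for netops from 10.10.1.5 port 40110 ssh2",
    "Jun  1 10:07:02 branch-fw sshd[881]: Failed password for root from 10.200.9.3 port 60012 ssh2",
]

LOGIN_RE = re.compile(
    r"(\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)


def guest_device_logins(lines, guest_net):
    """Count SSH login attempts (successful or not) against network devices that
    originate from the guest Wi-Fi segment, keyed by (source, device, user)."""
    guest = ipaddress.ip_network(guest_net)
    hits = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        device, _outcome, user, src = m.groups()
        if ipaddress.ip_address(src) in guest:
            key = (src, device, user)
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for finding in audit_scan(SCAN, AUTHORIZED_APS):
        print("WIFI", *finding)
    for (src, device, user), n in guest_device_logins(SYSLOG, GUEST_NET).items():
        print(f"LOGIN {src} -> {device} as {user}: {n} attempt(s)")
```

On the constructed scan the audit reports one unknown radio broadcasting the official SSID and two imitation names, while the unrelated coffee-shop network passes; the log check reports the two guest-segment sources that tried to reach the switch and firewall. In a real deployment the scan would come from the wireless controller's rogue-AP report and the log lines from the devices' syslog feed, and a hit from the guest range against any management interface is worth an alert regardless of whether the login succeeded.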
There also is a definite tradeoff between protecting member privacy and welcoming members and prospects when they walk through the branch’s front door, Benlein adds. The goal is to make the member or prospect feel welcomed, learn quickly the nature of the visit and then move the activity to an appropriately protected area, something CUs commonly do, he explains. Whether to put a computer with access to credit union systems at that first point of contact is something for CU management to consider carefully, he adds.
Self-service kiosks are another example of privacy tradeoffs CUs must make, notes Brad Ritner, director of retail design for NewGround (www.newground.com), a financial institution design-build firm based in St. Louis. For maximum privacy, you’d tuck them away behind closed doors in well-protected areas where they’d seldom be used. So instead, most CUs place them out in the open where they’re easy to see and use, and then work to see that screens and member documents are turned away from traffic areas.
In the three years Nesgoda has been with Sikorsky Financial CU, there hasn’t been an incident where member data was compromised due to branch-related causes. Still, he says, security can never be 100 percent effective.
“If you wanted no risk, you’d have to turn off the computers and lock the doors. So you look at the business case for providing a service and how much risk that justifies.”
Article source: CUES.org