The #1 strategy to protect against the rogue credit union employee

by: Michele Dowis and Robin Remines

Regardless of the size of the Information Technology team in your credit union, knowledge base and duties differ for everyone. You may have some team members who have “access to everything”. Without separation of duties (requiring more than one person to complete particular tasks, which creates an internal control), that team is considered vulnerable or at risk of becoming an insider threat!

What is an “insider threat”? It’s a threat to your credit union from within your organization: employees, former employees, contractors and coworkers who have information regarding security practices, data and the computer systems. The threat could involve fraud, theft of confidential information or even intentional service disruption of computer systems. These insiders may have accounts and access to computer systems, and may know the timing of processes and transaction posting, along with any other details that make it easier to sidestep the security controls they are aware of. An attempt could be for personal gain, but the information could also be shared externally, possibly creating a data breach.

There’s an inherent trust that we place in our IT teams. (As well there should be!) But, just as with our front office employees who handle money, what happens if someone on that team isn’t as honest as you thought in the hiring process? We don’t want to go into those negative ways of thinking because it makes us uncomfortable. But let’s face it – money is insurable, whereas data and reputation are not. So how do we protect against this threat?

Separation of duties is the logical response for mitigating this risk and is discussed as a necessary strategy in the FFIEC IT Handbook. Protect your IT team just like you do your tellers. You have dual control processes in place for cash, opening the branch and other high-risk functions. Why not create similar controls over the actual systems? Data and member information are far more valuable than money. Money is insurable and replaceable – your credit union’s reputation isn’t!
