The NAFCU Journal July - August 2017 - 18

security. We spoke with security experts to discover the measures you may be underdoing, or overdoing, that expose your credit union to physical security breaches.
1. You spend too much on cybersecurity, and too little on physical security.
Safety spending is like a pendulum, explains Spencer Coursen, founder of Coursen Security Group in Washington, D.C.: When cybersecurity breaches are in the news, credit unions focus their investments on cybersecurity and spend less on physical security, leaving holes that are easy to exploit. Then, when physical security issues are on the upswing, credit unions increase spending on that and decrease funding for cybersecurity.
The Fix: "Smart money would go toward the creation of a Global Security Operations Center [GSOC] so there's a unified response to any security issue," says Coursen. "There would still be dedicated personnel to manage physical and IT assets, but their actions would be coordinated by the GSOC, which is able to see the big picture of the organizational landscape." According to Coursen, a GSOC can also provide budget recommendations so that resources are directed where they'll have the most positive impact on the credit union's security.
2. There's too much of a gap between physical security and cybersecurity.
The lines are blurring between physical security and cybersecurity; for example, criminals are installing skimmers on ATMs and vestibule locks (physical) to collect PINs and passwords (cyber). They're using stolen data (cyber) to create badges that will give them access to the credit union (physical). And they're hacking into cameras (cyber) in order to case the facility (physical).
The problem isn't only that credit unions are overspending on cybersecurity and underspending on physical security, as mentioned earlier; it's that there's often a disconnect between the two, according to Ken Stasiak, CEO of SecureState in Cleveland.
"There are probably two separate groups that handle physical and cybersecurity," says Stasiak. With two different departments working on different aspects of credit union security, key vulnerabilities are sure to be missed.
The Fix: "Keep an eye on the convergence of the physical and the cyber," says Stasiak. "Just be aware." Part of that awareness is integrating physical security and cybersecurity risk assessments instead of conducting each assessment separately. Also, a GSOC can help ensure that cyber and physical security issues are being addressed together.
3. You overdrill your employees in physical security procedures.
If you train your employees to the point where every action they take during a physical security situation is scripted to a T, any bad guys who may be lurking among your staff, or who know an employee, will know exactly what to do, says Coursen. For example, a criminal planning a robbery might think, "Nancy and James are in charge of locking the windows, but James is a little slower, so that's where I'll hit."
The Fix: Since physical security breaches - from robberies to natural disasters - rarely unfold according to plan, it's a good idea to make sure employees have some leeway in how they react, allowing them to rely on their own instincts. Give employees a general script of what to do during various types of physical security situations, and hold regular drills in areas where they're needed (see "Always Be Prepared," page 20), but don't drill employees to the point that their reactions are scripted and automatic.
4. You underestimate the power of awareness and your employees' internal radar.
The best frontline against physical security breaches is not the expensive cameras and locks, but the awareness of your employees. Often, they notice when something seems "off" but are hesitant to bring it to the attention of management because they think, "It's probably nothing."
The Fix: "The comedian Louis C.K. says that if he thinks of something more than twice, he has to write a joke on it," says Coursen. It's the same for your credit union: "If an employee thinks of something twice, they should report it." He recommends setting up a phone number and email box, such as security@yourcredit-union.org, where both employees and members can report situations that strike them as strange, such as a car that's been sitting in the parking lot all day.
Coursen also suggests that credit unions offer incentives, such as a free dinner, to employees who spot red flags planted by management. For example, management may have a man in a red parka enter the credit union, look around, and leave. The employee who spots and reports the situation wins the prize.
5. Your credit union overrelies on in-house security audits.
Taking care of regular security audits in-house can save money, but it can also backfire in a way that opens the credit union up to even more risk. According to Coursen, employees may not want to bring bad news to management or "rat out" other employees. Also, if there are potential criminals among your staff, they'll get a sneak peek into your physical security system. Finally, employees may not know what to look for; for