LAS VEGAS — It's something credit union executives dislike talking about. But the fact is that the biggest information security risk to most institutions is their employees.

Speaker after speaker on day two at the CU Infosecurity Conference in Las Vegas on Thursday hammered home that contention because, they said, at their root a lot of insecurity just boils down to people problems.

The meeting room in the Platinum Hotel was filled with executives from dozens of credit unions, including MECU of Baltimore, Maryland, Hughes FCU of Tucson, GeoVista CU of Hinesville, Ga., and XCEL FCU from Bloomfield, N.J.

The speakers had their ears because the messages were lively. “People are our greatest risks.

“Ninety-seven percent of data breaches involve human failure,” said Reg Harnish, founder of GreyCastle Security in Troy, N.Y. But he quickly amended that: “The biggest risk is not people. It's the [expletive deleted] training they get.”

People, he indicated, are not born with innate knowledge of phishing attacks and malware and other threat vectors. But they can be taught.

Harnish stressed that to be effective, education has to be “relevant, continuous, engaging, and short so people can absorb it.”

“We can reduce susceptibility. But you have to put the effort in,” said Harnish, who added that when employees slip up, seize the opportunity to teach. “Don't wait three weeks. Right there, train them.”

It wasn't just people threats that got emphasized on day two. Mike Eaton, an executive with Maryland CUSO Ongoing Operations, gave a brief talk about cloud computing that emphasized a couple of key points.

The first is that when a credit union truly embraces cloud computing, this allows “IT to move from a technical to a business focus,” that is, the IT staff can stop fighting tech fires and instead concentrate on how better information management can advance the business objectives of the institution.

His other point was that a lot that is called cloud isn't. True cloud, said Eaton, “is computing that is not local to the customer, it is not owned by the customer, and it is not maintained by the customer.”

“Cloud,” he acknowledged, “is not for everyone.”

But for many it is coming into focus as a very good solution indeed.

A closing speaker was Jay McLaughlin, chief security officer at Q2ebanking in Austin, Texas, and his message was dramatic: “You,” he said to the room full of IT executives, “are no longer driving technology to your members. They are driving technology to you.”

He added: “The device used for mobile banking does not matter. What does matter is that you cannot secure it.”

That, of course, changes the whole security mindset.

McLaughlin acknowledged that so far mobile banking threats have not amounted to that much but, he predicted, you ain't seen nothing yet. To date crooks have focused on online because that is where the money is. But as the mobile channel grows, their attention is shifting.

“I believe they have exploits teed up, ready to be unleashed. They are coming our way.”

One solution: start viewing members as part of the security solution, said McLaughlin. Get them using two-factor authentication and receiving account activity alerts and this makes them part of the solution.

“Use your members as a line of defense,” he urged – and good things just may begin to happen.
