Credit Union tells customers how to secure their data

Vancity has more than 312,000 members and $10.5 billion in assets, so
security is a top priority. “We can only secure our online banking
system,” said Geordie Cree, security specialist with Vancity. “As soon
as it gets to the member’s computer, we have no control of the security
of that device.”

The only thing it can do on that end is educate
members and provide them with tools to allow them to protect their PCs
and personal information.

But Vancity didn’t have the resources to do this on its own — nor did
it make sense to reinvent the wheel. “We contacted our representative
at Microsoft and asked if there was any interest on Microsoft’s part to
do something and make that information available to others,” he said,
adding that Microsoft happened to be in the early stages of coming up
with the model Vancity now employs.

Vancity is able to link up to Microsoft’s security site and re-purpose
the information to provide members with advice on updating and
maintaining PC security. It does this on a regular basis to keep up
with the most current information.

The credit union pulls content onto its site, and when users click on that
content, they’re taken to Microsoft’s provider (which hosts the
content). Vancity gets a monthly report from the hosting company that
provides information on usage trends, which Vancity can then use to
drive members to content. For example, when they put a new link on the
Vancity home page, they can see if there’s a spike in traffic.

“It’s a work in progress,” said Cree. “Ultimately we would like to
improve upon our entire security section and put cookie crumbs
throughout the rest of our site that would draw our membership to the
security content.”

Vancity also posts security information for employees on its intranet,
though it’s not the same as on its website.

“We have a very managed
environment,” he said, “so we don’t want [employees] downloading
patches.”

While there’s no concrete measure of how this initiative is improving
overall security, it’s all about getting that information out to the
public, said Rowena Liang, Vancity’s CIO.

“The more you see it, the
more you become aware of it.” There’s also recognition that, as a
financial institution, there is only so much that it can control. “All
we can do is be proactive and try to bring as much of this information
to people and generate awareness.”

Vancity gets around 600-700 hits on its security content every month.
“We could do more, and we will be doing more work in bringing people
[to the site],” she said.

The financial institution is in the midst of redesigning the security
and privacy areas of its site to make them more prominent. The launch
of the redesign is planned for January.

Vancity was the first company in Canada that was allowed to take
Microsoft’s resources and directly republish them to the outside world,
said Bruce Cowper, senior program manager of Microsoft Canada’s
Security Initiative. Now that’s starting to happen more frequently,
thanks to RSS feeds (an easy way to distribute content over the
Internet).

“We certainly have seen an awful lot of interest from other
organizations to do something similar to Vancity, but also to do
variations on the theme,” he said. “Having those resources available to
them is a big time saver.”
According to Cowper, there is no cost to Vancity for the use of this
information. As part of the agreement, Vancity attributes the
information to Microsoft.

One of the drivers behind this was to provide up-to-date information
about security challenges and threats in order to guide consumers
toward best practices. That’s good for the consumer, as well as Vancity
and Microsoft. “That helps Vancity because hopefully their customers’
systems are more secure,” said Cowper.

A breach can potentially affect the financial institution itself, but
if the customer’s machine is compromised, then customer perception is
going to be negative ”“ which has a whole other set of repercussions.
For example, that customer may no longer feel comfortable banking
online. “So it’s a win-win situation all around to present people with
the right information to help them,” said Cowper.

Microsoft is also in the process of reviewing its online presence to
make sure it’s providing the most relevant information to Canadians, he
said. And it’s talking to other private-sector companies about
following a model similar to Vancity.

“I’ve had conversations with most of the financial institutions about
what Vancity has done,” said Cowper. “Some of them already have amazing
resources online and are looking to augment those.”

What it comes down to is that security is everybody’s responsibility,
said Liang. “The individual user has as much responsibility as any of
the institutions ”“ what we’re trying to do is make the information
available.”