New York City Credit Union Banks on Encryption

One of the biggest problems with email is that it is inherently insecure as a communications tool. While most exchanges between businesses and customers aren’t critical, the risk of personal and private data falling into the wrong hands is real, and it can have severe and lasting consequences.

“As a financial institution, protecting data is critical,” says Joe Aiello, director of technology at the Melrose Credit Union in Queens, New York. “Cyber-security is something that has to be taken extremely seriously.”

The 93-year-old not-for-profit financial institution, which holds approximately $2 billion in assets, depends on email to tackle a variety of tasks. These include handling customer-generated messages that revolve around account status, loans and more.

Many of these messages are sent from standard and unencrypted Hotmail, Gmail or Yahoo! Accounts. In some cases, members send highly confidential documents, such as applications and income tax returns.

“Email is an inherently insecure medium that presents enormous challenges,” Aiello says. “It’s the vector in which a lot of bad stuff comes into the business.”

That’s a risk Melrose Credit Union isn’t willing to take. “We have to be secure 100 percent of the time,” he explains. “We have both a moral and a legal obligation to protect the data of our members.”

Deploying a Portfolio of Encryption Services

As a result, about four years ago, Melrose opted to deploy DataMotion’s SecureMail software to deliver a portfolio of encryption services that incorporate file transfers, while integrating with the organization’s existing workflows. The solution complements other security tools, including antivirus software, a firewall, an intrusion detection system and encrypted desktops.

However, Aiello says that the email component is critical because about 80 percent of all malware infections—and resulting data thefts—now occur as a result of email.

The credit union works to educate its customers about cyber-security and how to protect their private information, but, unfortunately, that’s not enough. Using the SecureMail application, Melrose sends out a notification email that guides the customer to the portal and explains the importance of using encryption for the transfer of sensitive messages and documents.

At that point, the user signs into the system and creates an identity. Once verified, Melrose and its customers communicate via messaging within the portal.

The system can accommodate secure forms and file attachments as large as 2 gigabytes. Customers simply click a button to generate a message, attach key files and then hit a submit button. Once credit union employees log into the system, they receive messages and attachments in a decrypted state.

Of course, it’s still possible for the institution and its customers to communicate via non-secure email for more generic issues.

“We recognize that there are extra steps involved in using this system, so it’s important to strike a balance with customers,” Aiello points out. “We don’t want to send an encrypted email message that makes a person jump through extra steps unnecessarily. We want to use the encrypted email only for critical and sensitive communications.”

Aiello reports that a high percentage of the financial institution’s customers are now using the SecureMail system, and that number is rising steadily. “At some point, anyone communicating with us and sharing information winds up using this system,” he says.