The Power Report

Cooperative.com updates a reminder to local co-ops

August 29, 2011

If you haven’t logged into cooperative.com lately, when you do, you’ll notice a significant change. You’ll be asked to replace your familiar password with a different one, and you’ll have to choose four security questions.

“Some users seem to think that we’re asking them to jump through unnecessary hoops,” recalled John Gill, the Senior Director, Web Communications for NRECA. “The previous security that we had on the site was state-of-the-art when we put it in place, but that was ten years ago. The threats that are out there have just gotten worse, so we had to enhance security.”

Most of us have become so comfortable with accessing information and handling transactions online that we don’t give a second thought to security. But John and the rest of the NRECA team never stop thinking about the safety of their system. “Recently, we’ve all seen very large organizations and companies have their systems hacked,” he explained. “One of the biggest examples was Sony’s PlayStation site, where more than 100 million accounts were compromised.”

“Hackers have become more sophisticated,” he added, “and because we store personal financial and medical information about our members as part of our benefit programs, we decided to upgrade the level of security.” NRECA modeled the new access on the security protocols that banks and other financial companies use. “We assumed that co-op employees would want that extra level of assurance that their information was safe.”

John noted that large teams of hackers, many operating from Russia and China, look for companies and organizations with weak security. “Sometimes companies are targeted just because it’s easier to break in and steal their information. The Internet has made the world a very small place, and you can’t assume that threats will come from local sources.”

While the new security system follows industry best practices, John reminded co-op employees that even the best system can’t protect people who are careless users. “We encounter a lot of people who share their passwords with others, and that’s a big no-no,” he said. “We’ve even seen people who put their user name and password on a post-it note and stick it on the computer. That means anyone who sees it can access your information.”

The new system requires more complicated passwords. “They have to have a combination of letters, numbers, and a special character in their password, which makes it tougher for a hacker to figure out. It should also keep users from using unsafe passwords such as ‘password’.” Like the present system, the new protocol has a 30-minute timeout feature. “If you’re not active on the site for 30 minutes, your session ends,” John noted. “Some people see that as an inconvenience, but you should never walk away from your computer while you’re logged in, because anyone can walk up and see all your information.”

One aspect of the new protocol seems to be creating the most confusion for users, and that’s the security questions. “Each user has to choose four questions that will be randomly asked if the user tries to do something they haven’t done before or tries to access the site from an unfamiliar computer,” explained John. “Unfortunately, it seems that a lot of people choose questions for which they can’t remember the answers. We recommend that they choose the questions they’ll be most likely to remember.”

John understands the challenges faced by those who are responsible for cybersecurity at their co-ops. “You have to strike a balance that allows you to be secure, without becoming so secure that you prevent people from using the site because it’s too complicated. It’s important to pay attention to the best practices in the industry. In addition, if you make any changes to your security protocol, you need to communicate the changes again and again before you make them, while you’re making them, and after you’ve made them. You should try to overcommunicate, rather than risk communicating too little.”
