By John San Filippo
Is Southern California-based Btech a systems integrator, a value-added reseller (VAR) or an IT consultancy? The answer is all three, and a whole lot more, according to Founder and CEO Lee Bird.
“We support almost 125 credit unions across the United States,” he told Finopotamus. “We're unique in that a lot of vendors come in and want to put their arms around everything and become the IT department. We can do that, especially for smaller credit unions, but it's typically more about us starting the relationship by filling in a specific gap or a satisfying a specific need.” He added that one common thread is that Btech’s work ultimately focuses on compliance and security.
A Credit Union Focus
Bird started the company with a business partner in 1989 as a general IT firm. When his partner left the company in 2000, Bird changed the company name to Btech and decided to focus almost exclusively on credit unions.
“We only had three credit union clients at the time,” said Bird, “but I really, really enjoyed working with credit unions. They always paid their bills on time, and they provided referrals and references. Why would I want to mess around with all these other industries?”
While Btech has kept its credit union focus for more than 20 years, the company’s services have evolved. “Our team stays on top of the latest trends and requirements,” explained Bird. “For many years, a lot of our work was in response to an audit where we'd go in and fix whatever issues were identified. But definitely over the last three years or so, we’ve focused on more proactive work to really secure our credit unions’ environments.”
For Btech, new client engagements often start with a discussion of staff shortages. This has been especially true during the pandemic. However, Bird made it clear that his company is not a placement agency nor a staff augmentation provider. “That's not what we do,” he said. “We go through a discovery process and look for those repeatable tasks or maintenance tasks that can be outsourced to Btech. That frees up the staff to focus on those things that are member-facing.”
According to Bird, another advantage to the credit union, besides simply offloading work, is that his staff is more experienced than most credit union IT departments, meaning that Btech generally does a better job than the credit union could. “I firmly believe we can do a better job,” he said. “We excel at the services that we provide.”
COVID-19 and the resulting remote work phenomenon created a whole new opportunity for Btech. “COVID was a big challenge those first few months just getting VPNs set up for people that normally were working in an office that now had to work from home,” noted Bird.
The Changing Cybersecurity Landscape
According to Bird, many credit unions struggle to keep ahead of the cybersecurity curve. “When it comes to vulnerability assessment and vulnerability remediation, a lot of credit unions still think that the annual penetration test is all that they need to do to secure their environment. That's very wrong,” said Bird.
Bird explained that while a penetration test involves someone at a keyboard using hacking skills to find passwords and get into the environment, a vulnerability assessment is using special software to scan the environment for known vulnerabilities. “A vulnerability could be anything from a missing patch to a default password on a router to a missing firmware update on a server,” he said. “Virtually all of the attacks that we see are from threat actors looking to exploit a known vulnerability that hasn't been fixed.”
He added that it’s more important than ever for credit unions to act quickly and aggressively in addressing these vulnerabilities. “The time between when a vulnerability is published and it starts getting exploited in the wild used to be weeks or months,” noted Bird. “It's literally hours now.”
Identifying any potential vulnerabilities is the first step. However, such testing is pointless if it doesn’t result in action. “One of the challenges I see is that the credit unions that do vulnerability assessments get these detailed reports with all their critical, high-risk vulnerabilities, but they don't fix them,” claimed Bird. “If you’re not going to fix it, why bother?”
The need for such testing and corrective action is constant. “I could scan your environment today and find no critical vulnerabilities and then I could scan it an hour later and I could find five,” said Bird. “The database of known vulnerabilities is continuously updated and published as new vulnerabilities are identified.”
Even larger, more technologically savvy credit unions fall short in this area. “We'll go into larger environments and find a lot of critical vulnerabilities, but the credit union classifies them as an acceptable risk,” said Bird. “There’s no such thing as an acceptable risk, in my opinion. If you discover, for example, that 20 receipt printers have a critical vulnerability, you need to replace them now. You can’t put it off.”
Bird added that the notion of smaller credit unions being safer because they’re less attractive to cybercriminals is false. “2021 was the year of what they called big-game hunting,” said Bird. “Cyber-attacks were going after big companies for the multimillion dollar ransoms. But over the course of the last eight months, they’ve focused more on small to midsize financial institutions.”
The focus is shifting to ransom without the traditional ransomware, too, he added “They go into the environment and lay dormant. They could be in there for days, weeks, months, years,” warned Bird. “During that time, they're stealing your member information. Then they contact you and say, ‘Hey, by the way, we've got all your member records. We're going to sell them on the dark web unless you pay the ransom.’”
Bird claimed that Btech keeps getting busier and busier, but he likes it that way. “Just when I think we're catching our breath, somebody reaches out with an urgent need,” said Bird. “Not to sound corny, but I love our clients. I love working with credit unions and I love making a difference. I love seeing our engineers work hard to implement technology that changes the environment.”