DENVER – Craig Lassen, founder of Internet solutions firm Cavion Technologies, has found that CU roots don't die off easily. Cavion was sold to Liberty earlier this year after it fell on financial hard times, ultimately declaring bankruptcy. Cavion is now alive again as the Liberty Cavion online banking unit. Lassen founded Sigmacom, an integration, wide area communications company in 1992. He sold off the integration part of the company to Convergent Communications, which ironically also declared bankruptcy this year. The software solutions of Sigmacomm were the foundation for what later became Cavion. Lassen was the brains behind the Cavion concept which revolved around giving CUs real-time kiosk and Internet banking solutions. Aggregating CUs and CU vendors on a secure private network to allow seamless, cost-effective integration of solutions was also part of the Cavion vision. "The credit unions at that time wanted to be protected from the Internet, but to put in a firewall back then cost between $100,000 to $250,000. We had the wide area communications knowledge and the wide area network experience to offer credit unions a secure private network, essentially an intranet," said Lassen. Cavion put all of its clients behind one centralized firewall. Now with firewall prices coming down, Lassen said the new model is for each CU to have their autonomy and have a separate ISP hook-up and firewall. Lassen left Cavion, the company he founded, in 1999. In his eyes he didn't leave, he was pushed out. "Once I brought in the final amount of capital to go public, I lost control of the company. I got a message from one of the principal investors that they wanted Dave (Selina) to run the company. They wanted someone to pretend the company was much bigger and cutting edge than it actually was. I was more down to earth, wanting to portray the company for what it was. The change was to build up the image of Cavion to credit unions, and I wasn't the dot.com kind of guy to do it," said Lassen. Lassen was offered a job working under Selina, but he turned it down. Lassen said he holds no ill-will against his successors at Cavion, but thought they made some major errors that cost the company its future. "They spent an enormous amount of money to move from a building that was totally adequate to down south to the tech section (of Colorado). They wasted time and money to go to a new building. They were running the company on a single T1 for awhile that cost them efficiency and reputation," said Lassen. But the events at Cavion are all in the past for Lassen, and strangely enough it is his Cavion roots that helped him found his current company, Cadamier (Finnish for "winds of change"), an IT security firm specializing in intrusion detection and firewalls. Once the dark clouds began clustering over Cavion, CEOs of Cavion CU clients began calling Lassen and in essence saying "you got us into this mess, now get us out of it," said Lassen. The CEOs wanted to be assured they could be disconnected from Cavion without losing all of their online services. "I started receiving calls in the early part of November. I had been watching Cavion and the difficulties they were having. At that point the credit unions who trusted me back then and were some of my first partners, called me and said `gosh Craig, what do we do, how do we disconnect from this monster we're connected to. ' " The first step was to get the CUs their own ISP service, and then set up the CU's own firewalls to protect their Web and secure-form servers. From those humble beginnings of helping out former clients, Lassen saw a real need for IT security consulting, especially with the security provisions of Gramm-Leach-Bliley. Today, Cadamier has 15 credit union clients, representing over $1 billion in assets. Building on his past business experience where he said he was blindsided by some employees and investors that wanted to make big money taking Cavion public, Lassen is building Cadamier the way he wanted things to go for Cavion – slowly, but surely. " I've reassembled some of the really dynamic powerful people from the early days of Cavion. Most of them were ousted because they were supporters of me. We're small, and we work hard. It's a great team. We're building a revenue base model, taking it one credit union at a time," said Lassen. The seven-person company is funded solely by the founders – there is no outside money, stressed Lassen. This gives the company complete control over its future, allowing it to grow at its own pace. Lassen said he will add new employees only when he sees enough new business to warrant new hires. Cadamier helps out where CUs are a bit "sheepish" said Lassen, that is hiring employees to monitor the security of their systems. Cadamier specializes in intrusion detection, the area Lassen believes CUs need to focus the most attention. The company installs and manages network and firewall protection. He's not yet sold on CUs spending hundreds of thousands of dollars on penetration testing, a popular trend occurring right now in CU land. "Penetration testing is too expensive and there are too many potential problems with it down the road. They're a static one-time perspective. If you're going to spend that kind of money I advise intrusion detection." He's not opposed to CUs doing penetration testing, but CUs must focus IT dollars on both intrusion detection and virus protection. Lassen said penetration testing is only as good as the people doing it, and it's easy for them to play on the "fear factor" CEOs have of seeing the CU broken into by hackers. Cadamier provides intrusion detection system monitoring of third-party solutions. Lassen said if a detection system isn't being monitored correctly, CUs are missing the boat. "We've moved into full 24/7 monitoring, supplying monthly firewall reports, essential to any credit union that has ISP service. The only way to do it is to have the historical perspective." That historical perspective shows activity both coming from the outside and from the inside. The sad fact, said Lassen, is 80% of successful attacks are engineered from the inside. Cadamier takes a four-prong approach to firewalls – firewall maintenance, rule set review, logging and report, and trouble monitoring. With NCUA's new e-commerce examinations, the need for good IT security information is now vital, said Lassen. "NCUA has started to see things pretty clearly. Credit unions have gone from paper-based to electronic-based organizations. NCUA's EC II segment of its e-commerce examination is fast getting a reputation for being comprehensive and time-consuming." Lassen's Cadamier is coaching some of its clients through the process. "EC II digs down deep to see if credit unions know what they're doing with data. But NCUA didn't stop there. The second piece was to roll that into the annual safety and soundness exams. We in Colorado have pulled together a consortium to see how to get through the exams and put policies in place that are adequate but not overburdensome," said Lassen. Credit unions shouldn't feel undermanned in the security world, said Lassen, because most organizations are. "Current credit union staffs are so overburdened, and security can be such a time hog, sucking away time from your people." The solution? Third-party IT security firms of course, said Lassen. [email protected]