Author: Karen Crumbley, firstname.lastname@example.org
Ask someone how they achieve optimal physical health and you will likely hear about the following three components: exercise, diet, and annual physicals. The combination of these three items provides a straightforward approach to preventing poor health or identifying any warning signs before they have an opportunity to progress. The same principles apply to information security awareness for a financial institution’s (FI’s) stakeholders (employees, board members, and customers). That is, given the same preventative measures, an FI may reduce the number and extent of information security breaches due to fraud. Consider implementing the following three measures in order to achieve information security wellness.
1. Exercise
The FI, much like the human body, needs mental exercise in order to stay fit. One example of exercise for the FI is to periodically assess how well its stakeholders can identify potential signs of fraud. Performing these assessments can help board members and employees recognize and resist social engineering threats:
- Do employees know the red flags that would indicate a phishing email versus a legitimate email message? How well would they perform if a fraudster had researched their social media profiles in order to construct a convincing email asking for non-public information?
- If a USB flash drive were planted in the lobby, would a staff member pick it up and plug it into a machine on the FI’s network?
If there is hesitation in answering these questions, it is important to determine the current health of your FI’s education and awareness program. Measure the baseline status in order to assess progress and see which educational methods actually affect your FI’s stakeholders. Engaging a third party to assist in testing behaviors may be beneficial: it can simulate real-world threats and keep staff on their toes through regular “exercise” that tests their awareness.
2. Diet
Information security awareness is the “diet” for an FI, yet FIs commonly approach information security awareness and education strictly as an annual event. Gramm-Leach-Bliley Act compliance for protecting customer information is not new, but that does not mean the educational content cannot be fresh. Ideally, there should be a well-balanced stream of information throughout the year that addresses the latest threats to non-public information and to cyber security within the organization. Helping employees to recognize the signs of fraud and respond appropriately is a process. As an alternative to the annual binge, try feeding your FI staff information on current topics and the latest threats to non-public information throughout the year. Staying ahead of the curve is a critical best practice. One contributing factor favoring a regular diet of information security focus is the increased pressure from regulatory agencies on cyber security directives.
3. Annual Physicals
Annual physicals are essentially a series of tests to assess the current state of wellness. One methodology for measuring the effectiveness of the FI’s information security awareness is to administer tests that measure results through a web-based training course. This allows employees to take all they have learned throughout the year and apply it. Unlike watching a video or hanging up posters, web-based testing will quantify results, track activity, and reveal common threads in the findings. Perhaps there are areas of weakness that need additional attention. Identifying these areas will drive the diet and exercise regimen for the FI going forward and get everyone into SHAPE (StakeHolder Awareness Program Engagement).
All FIs can achieve information security awareness wellness and health by continuing these three basic initiatives throughout the year. The goal is for the FI to adapt and respond to the dynamic threats that exist. These strategies apply to all stakeholders in your organization. New employees will need to be educated, and more seasoned employees will need appropriate reminders and reinforcement. What can you do to improve your FI’s information security awareness health?