Jackie Marshall, VP, IT Regulatory Compliance
Financial institutions have an obligation to safeguard customer information. In the past it has not been difficult to ensure accountholder trust and confidence with simple banking products and services. New technologies have improved the way financial institutions do business, but these advances have also created complexities that challenge traditional methods for safeguarding customer information. Identity theft, account hijacking, social engineering, phishing and pharming (the buzzwords of our time) are becoming synonymous with banking services such as credit card use, checking accounts and online banking services.
Continued consumer confidence in banking services depends on the ability of financial institutions to offer convenient and time-saving products and services while at the same time ensuring that customer information is safe from alteration, destruction, unauthorized disclosure and misuse. To do this, financial institutions must implement technical, physical and administrative controls. The Gramm-Leach-Bliley Act of 2001 dictates these provisions. One of the required provisions is annual training for employees on information security awareness.
A financial institution employee who does not fully understand and accept responsibility for ensuring the security and confidentiality of accountholder information can be a huge risk for an institution, and it is a risk that thousands of dollars in technical security controls will not mitigate.
The basis for an effective information security awareness training program is the review and acceptance of well-thought-out (and Board-approved) policies and procedures; more importantly, it must also cover up-to-date trends and tactics. Every employee should have a good understanding of social engineering and pretext calling methods, cyber threats, and how to respond to an attempted breach of security. Effective training also includes steps for employees to guide accountholders in avoiding spyware and protecting their information from identity theft.
Training efforts should be documented, and it is a good idea to test employees for comprehension and retention of the training materials. As soon as the training is completed, start planning next year's training. Better yet, re-emphasize the concepts quarterly: employees can be reminded of information security awareness practices via e-mails, posters in the break room or in other creative ways.
The bottom line is that the more awareness is created in the institution, the more effective employees will be at ensuring customer confidence in your institution's products and services.
As part of our ongoing commitment to address your regulatory needs, we are now offering onsite Information Security Awareness training classes and written Information Security Programs for financial institutions. Please contact your Account Manager for more information.