Building and Sustaining an Effective Security Awareness Program
Financial institutions often view staff as their most valuable asset, but employees can also be a top vulnerability, especially if they are unfamiliar with security protocols. With the increasing rate of cyber-attacks in the financial industry, community banks and credit unions must instill the concept that security responsibilities belong to everyone in the organization and ensure all employees understand the role they play in security protection and awareness.
The truth is many financial institutions are not adequately training staff to be successful in spotting and mitigating security-related issues. To protect financial data, community banks and credit unions must adopt a solid security awareness training program.
Training Best Practices
A few best practices for establishing a strong security awareness program include:
- Conduct security awareness training at least once a year or as business conditions evolve. At a minimum, the training materials should also be updated annually to provide fresh content and account for changes in the security landscape.
- Document employee participation and completion of the program and provide proof for auditors and examiners. Financial institutions should also obtain confirmation of their employees’ understanding in the form of a quiz, a group discussion or some type of interactive activity.
- Use current news events or recent security incidents as examples to help employees analyze a real-life scenario. These are valuable learning opportunities because such incidents often show the direct results of a failure to follow policies and procedures.
- Incorporate social engineering testing into the program to evaluate how employees will actually react in a threat situation. Employees who get tricked by social engineering exercises may need supplemental training.
The training should include instructions on:
- Proper email use;
- Proper PC and Internet use;
- Password policy and best practices;
- Business continuity procedures and responsibilities;
- Incident Response procedures and responsibilities, which usually means “if you see something, then let the right person or group know about it ASAP”;
- Institution policies and procedures on cybersecurity; and
- Expected end-user behavior.
In addition to adequately training employees, financial institutions should have security awareness materials and information available to customers and members that enable them to spot security issues and adequately protect themselves as well.
It is not enough for an organization to rely solely on the IT or security department to safeguard sensitive information. When everyone is held accountable for the security of financial data, the financial institution is better equipped to handle the unexpected and protect the organization from harm. Establishing a solid security awareness training program for all employees — from tellers and loan officers to the president and CEO — is essential.