Best Practices in Building Security Awareness
With the Identity Theft Red Flags Rule compliance date creeping closer, we contacted several banking institutions from around the country for their insights on keeping an information security training program robust and interesting.
1. Perception is huge - Security is often seen as a "beating over the head" to some, and many employees feel they are being corrected and/or told what they should and should not do. Try the friendly "We're here to help" approach first, says Jason Bawcum, Vice President of Security at Community South Bank in Parsons, TN.
2. Remind on key messages - Because with any topic, out of sight/out of mind is what happens, says Evelyn Royer, VP Risk Management, Support Services, Purdue Employees Federal Credit Union, West Lafayette, IN.
3. Don't let lawyers or technicians write the program - Otherwise you'll end up with a dry, boring program. Make your program understandable to everyone, repeatable and interesting, says Matthew Speare, Senior Vice President of Information Technology at Buffalo, NY's M & T Bank.
4. Expand responsibility of information security to all areas of the bank. "We focus so much on the front lines that the back-office areas tend to miss the importance of securing their information," says Brandon Farmer, Senior Vice President of Operations and Technology at Bank of the James, Lynchburg, VA.
5. Match training to employee - Develop different training to match the employee type. "Compliance training isn't the most exciting training content, so the challenge is creating the 'need to know' content for the various job families and then making it something that is somewhat enjoyable to experience," says Mike Vantrease, who oversees Learning and Development at the Bank of The West, California's fifth largest bank with $62 billion in assets. "A teller doesn't need the same level of training as an information security specialist."