Why Build Your Information Security Awareness Program?
Ever since there have been banks, there have been bad guys trying to get the money out of them. With the rapid growth of technology, we need to look not only at our physical risks but at all of the technology we have come to live with, or can't live without, at our institutions.
How strong are your institution's information security practices? It depends on the approach your institution takes, how important information security is to your management, and how aware your employees and customers are of information security. The better educated your institution's staff, the better your chances of catching, or even stopping, an information security incident before it does damage. (And your auditors and regulators will be happier with you too.)
Information security at many financial institutions remains, as in most businesses, divided into tiers. At the high end are the "Haves": those institutions, along with their employees and customers, who are up to date on the latest technology. Information security is part of the institution's culture, and they are more or less prepared for anything that comes their way. And yes, they have money properly budgeted for their information security program. They know what to do, and their employees also know what not to do. They actively educate their customers and the public at large about the need for strong information security practices.
At the low end are the "Have Nots," the institutions that do "check-box compliance" information security. They run unpatched operating systems, and under pressure from senior management to keep spending down, they spend only a nominal amount on information security, probably less than they spend on the coffee caddy and vending machine maintenance. They don't know what to do, and their readiness for a computer virus infection, or worse, is good only on paper.
The rest of the institutions out there are the "Half-Way Haves." Depending on your institution's attention to information security, you probably fall into this group, somewhere between the two described above. You know what you'd like to do about some of the outstanding issues, but your management hasn't given you the budget or an indication of when you'll get funding. You're unsure what to do most of the time, and you are struggling to keep up with the day-to-day issues facing your department. You're viewed as "part of the IT group" and have little or no voice in business decisions or in the new applications installed on the network, except that you may be brought in at the end of a project to "examine security vulnerabilities." Not that your advice to the project leader is listened to; they just want you to sign off on the project. Maybe it is not this grim at your institution, but there are horror stories of information security departments that were not really effective at protecting the institutions they were meant to protect. You've heard those tales whispered in low tones at the back of the break room.
Whether your institution is a small bank by asset size, a savings and loan, a credit union, or a multinational financial institution, they all have something in common: money and data. And the crooks are trying at every turn to separate them from both, through a growing list of malware, social engineering techniques, automated attacks, and more. These days, no matter what your asset size or geographic location, chances are you're a target.
Phishers are constantly looking for ways to coax well-meaning individuals into opening malicious files or divulging personal information. Then the increasingly familiar story of identity theft and ruined credit begins, and it doesn't end well. What makes you a target depends on what motivates the criminals: if you have data, money, bandwidth, or equipment that can aid their criminal acts, you are a target.
Awareness plays a key role in preventing staff from falling prey to these attacks. Financial institutions are advised to keep their staff up to date on the latest types of attacks. Use your newsletters, emails, and postings to remind staff constantly of the risks of opening emails from unknown senders and of sending out personal information.
Show them the threat identity theft poses to their own personal information, to the institution, and most importantly to your customers. Check whether your awareness training and program is on target by testing it yourself. Use social engineering against your own employees: make suspicious phone calls and send emails that request personal information. You want to make sure that those on your front lines aren't readily giving away customer information or your institution's information. If staff respond to the test, treat them gently the first time. Take time to explain that while this was only a test, the next email or phone call could be a real criminal trying to get the same kind of information your testers asked for during the social engineering test.
You should be quite pleased if a number of employees report your test email or phone call as suspicious. Encourage employees to call your information security department whenever their heightened information security awareness senses that something just doesn't look right about an incoming email or a customer request.
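Keeping score of such a test is what turns it from an anecdote into a measure of whether the awareness program is working. The following is an added example, not code from the original article: it assumes a hypothetical event log kept by whoever runs the test, with one record per employee action (reported the message, clicked the link, or submitted information), and scores each recipient by the worst thing they did while still crediting anyone who reported. The employee names, timestamps and actions in the sample log are constructed for illustration.

```python
"""Score a social-engineering test from a constructed event log (added example)."""
from collections import Counter
from dataclasses import dataclass

# Outcome precedence: an employee's outcome is the worst action they took.
SEVERITY = {"no_action": 0, "reported": 1, "clicked": 2, "submitted": 3}


@dataclass(frozen=True)
class Event:
    ts: int          # seconds after the test message went out (hypothetical field)
    employee: str
    action: str      # one of "reported", "clicked", "submitted"


# Constructed sample data: who received the test message, and what each did.
SAMPLE_RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]   # erin did nothing
SAMPLE_EVENTS = [
    Event(120, "alice", "reported"),
    Event(300, "bob", "clicked"),
    Event(340, "bob", "submitted"),      # bob went on to hand over information
    Event(400, "carol", "clicked"),
    Event(450, "carol", "reported"),     # carol clicked first, then reported it
    Event(900, "dave", "reported"),
    Event(950, "mallory", "clicked"),    # not a recipient of this test: ignored
]


def summarize(events, recipients):
    """Return per-employee outcomes plus campaign-level rates and follow-up lists."""
    if not recipients:
        raise ValueError("a test with no recipients cannot be scored")
    outcome = {r: "no_action" for r in recipients}
    reported_any = set()
    first_report_ts = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.employee not in outcome:          # ignore events for non-recipients
            continue
        if ev.action not in SEVERITY:
            raise ValueError(f"unknown action {ev.action!r}")
        if ev.action == "reported":
            reported_any.add(ev.employee)
            if first_report_ts is None:
                first_report_ts = ev.ts         # how fast the first warning reached you
        if SEVERITY[ev.action] > SEVERITY[outcome[ev.employee]]:
            outcome[ev.employee] = ev.action    # only ever escalate
    # Anyone who clicked or submitted needs the gentle follow-up the article describes;
    # the worst outcomes come first so they get attention first.
    failed = sorted(
        (e for e, o in outcome.items() if SEVERITY[o] >= SEVERITY["clicked"]),
        key=lambda e: (-SEVERITY[outcome[e]], e),
    )
    n = len(recipients)
    return {
        "outcome": outcome,
        "counts": dict(Counter(outcome.values())),
        "fail_rate": len(failed) / n,
        "report_rate": len(reported_any) / n,   # credit reporters even if they also clicked
        "first_report_seconds": first_report_ts,
        "follow_up": failed,
        "reported_after_failing": sorted(e for e in failed if e in reported_any),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS, SAMPLE_RECIPIENTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two design choices matter here. An employee who clicks and then reports still counts as a failure (the damage is done by the click), but they also count toward the report rate, since reporting after a mistake is exactly the behaviour you want to encourage rather than punish. And the time to the first report is worth tracking on its own: it tells you how long a real attack would have run before anyone warned the information security department.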