Information Security Awareness Training’s Unseen Value
The idea of having as many eyes and ears on the street as possible is any police officer’s dream come true. The same idea applies to information security officers at financial institutions. What would you think if you could add to your headcount exponentially? Unless your senior management is on a spending spree, that is not likely to happen.
There is another way, however, to add to your headcount – through information security awareness training. The more involved your institution’s employees are in reporting information security incidents and knowing what they are accountable for in keeping your institution secure, the better prepared your institution will be.
Many financial institutions still place information security training and awareness lower on the list than technological responses to security threats, and that is a mistake. Bonnie Kramer, Chief Operating Officer at the Financial Service Centers Cooperative (FSCC) in San Dimas, CA, said institutions need to protect information through security awareness training, especially when it comes to new hires. FSCC’s 300 credit unions have an average asset size of $445 million and represent 12 million members.
“When institutions hire individuals there needs to be more background checks performed. There needs to be shared information between institutions, but because of privacy issues, that isn’t. So, training for the new employee is essential to let them know what is expected of them,” Kramer noted.
The value of having trained staff who know when to pick up the phone can’t always be measured, but the value is high. Dr. Eric Cole, a well-known information security expert who specializes in insider threat mitigation, explains, “The information security awareness program should be viewed as one of the best ways to train staff to report suspicious activity. I’ve seen it in my investigations when you finally catch someone, and then begin talking to coworkers who were around them, the co-workers inevitably say ‘Oh yeah, we knew that he was acting weird or suspicious, he looked like he was doing something strange.’ That leads to the question of ‘why didn’t you say something?’”
Cole said their reply usually consists of, “‘Oh, I didn’t know if I should say something, and get that person in trouble,’ or ‘I didn’t know who I should tell it to, and I didn’t know if I would get in trouble for reporting it.’”
“You can’t expect to reach everyone with an information security awareness program, but if you get at least 20 to 30 percent of your employee base involved and educated, that gives you more information than if you didn’t have an active employee information security awareness program,” said Cole.