Information Security Awareness Training’s Unseen Value

The idea of having as many eyes and ears on the street is any police officer’s dream come true. The same idea applies to information security officers at financial institutions. What would you think if you could add to your headcount exponentially? Unless your senior management is on a spending spree that action is not likely to happen.

There is another way, however, to add to your headcount – through information security awareness training. The more involved your institution’s employees are in reporting information security incidents and knowing what they are accountable for in keeping your institution secure, the better prepared your institution will be.

The fact that many financial institutions still place information security training and awareness lower on the list than technological responses to mitigate security threats is a mistake. Bonnie Kramer, Chief Operating Officer at the Financial Service Centers Cooperative (FSCC), in San Dimas, CA, said institutions need to protect information through security awareness training, especially when it comes to new hires. FSCC’s 300 credit unions have an average asset size of $445 million and represent 12 million members.

“When institutions hire individuals there needs to be more background checks performed. There needs to be shared information between institutions, but because of privacy issues, that isn’t. So, training for the new employee is essential to let them know what is expected of them,” Kramer noted.

The value of having trained staff who know when to pick up the phone can’t always be measured, but the value is high. Dr. Eric Cole, a well-known information security expert who specializes in insider threat mitigation explains, “The information security awareness program should be viewed as one of the best ways to train staff to report suspicious activity. I’ve seen it in my investigations when you finally catch someone, and then begin talking to coworkers who were around them, the co-workers inevitably say ‘Oh yeah, we knew that he was acting weird or suspicious, he looked like he was doing something strange. That leads to the question of ‘why didn’t you say something?’”

Cole said their reply usually consists of, “‘Oh, I didn’t know if I should say something, and get that person in trouble,’ or ‘I didn’t know who I should tell it to, and I didn’t know if I would get in trouble for reporting it.’”

“You can’t expect to reach everyone with an information security awareness program, but if you get at least 20 to 30 percent of your employee base involved and educated, that gives you more information than if you didn’t have an active employee information security awareness program,” said Cole.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.