Why Build Your Information Security Awareness Program?

Ever since there have been banks, there have been bad guys trying to get the money out of them. With the rapid growth of technology, we need to not only look at our physical risks, but all of the technology we have come to live with, or that we can’t live without at our institutions.

How strong are your institution’s information security practices? It really depends on what approach your institution takes, how important information security is to your management and how aware your employees and customers are about information security. The better educated your institution’s staff, the better your chances of catching or even stopping an information security incident from happening. (And your auditors and regulators will be happier with you too.)

Information security at many financial institutions remains, as in most businesses, divided into tiers. At the high end are the “Haves” – those individual institutions, along with their employees and customers who are “up-to-date” on the latest technology. Information security is part of the institution’s culture and they are more or less prepared for anything that comes their way. And yes, they have money properly budgeted for their information security program. They know what to do, and their employees also know what not to do. They actively educate their customers and the public at large about the need for strong information security practices.

At the low end are those institutions that do “check box compliance information security,” these are categorized as the “Have Nots.” They use un-patched operating systems, and with pressure from their senior management to keep spending down, they only spend the nominal amount on information security, probably less than what they spend on their coffee caddy and vending machine maintenance. They don’t know what to do, and are only good on paper in terms of readiness in case of a computer virus infection, or worse.

The rest of the institutions out there are designated as the “Half-Way Haves.” You, depending on your institution’s attention to information security, probably fall into this group and are somewhere between the two groups described above. You know what you’d like to do about some of the outstanding issues, but your management hasn’t given you the budget or an indication of when you’ll get funding.You’re unsure of what to do most of the time, and are struggling to keep up with the regular day to day issues facing your department. You’re viewed as “part of the IT group” and have little or no voice in business decisions being made, or new applications that are installed on networks, except you may be brought in at the end of the project to “examine security vulnerabilities.” Not that your advice to the project leader is listened to, they just want to have you sign off on the project. Maybe this is not how grim it is at your institution, but there are those horror stories of information security departments that were not really effective in protecting the institutions they were meant to protect. You’ve heard those tales whispered in low tones at the back of the break room.

Whether your institution is a small asset sized bank, savings and loans, credit union, or a multinational financial institution, they all have something in common . . . money and data. And the crooks are trying at every turn to separate them from it through a growing list of malware, social engineering techniques, automated attacks, and more. These days, chances are, no matter what your asset size or location geographically, you’re a target.

Phishers are constantly looking for ways to coax well-meaning individuals into opening malicious files or divulging personal information. Then the increasingly usual story of identity theft and ruined credit begins. And it doesn’t end well. It all depends on what motivates criminals. If you have data, money, bandwidth and equipment to aid in their criminal acts, you are a target.

Awareness plays a key role in the prevention of falling prey to some of these attacks. Financial institutions are advised to keep their staff up to date on the latest types of attacks. Constantly remind your staff of the risks involved in opening emails from unknown senders and sending out personal information, in your newsletters, emails and postings.

Show them the threats of identity theft, to their own personal information, the institution and most importantly your customers. Check to see if your awareness training and program is on target, and take a turn at testing it. Try to use social engineering, make suspicious phone calls and send email, requesting personal information -- these are all tests to use on your employees. You want to make sure that those on your front lines aren’t readily giving away customer information or your institution’s information. If you have staff that responds, treat them gently the first time, take time to explain, that while this was only a test, the next email or phone call could be the real criminal trying to get the same kind of information your testers asked for during your “social engineering” test.

You should be quite pleased if you have a number of employees who report your “test” email or phone call as being suspicious. Encourage employees to call your information security department when their increased information security awareness “senses” that something just doesn’t look right with an incoming email or a customer request.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.