Pub. 9 2020 Issue 3

LEADING ADVOCATE FOR THE BANKING INDUSTRY IN KANSAS

16 EFFECTIVE TIPS TO BOOST YOUR EMPLOYEE SECURITY AWARENESS TRAINING PROGRAM

There you are, working diligently at your computer, when you receive the dreaded email. You are invited (required) to attend the upcoming annual Employee Security Awareness Training session. Oh no, has it already been a year? Please, please don’t make me sit through that long, boring training and waste an hour or more of my day, AGAIN. Sound familiar?

We all know that Employee Security Awareness Training is a key aspect of your Information Security Program. In fact, the FFIEC IT Examination Booklet Information Security 2016 states, “Training should support security awareness and strengthen compliance with security and acceptable use policies. Management should educate users about their security roles and responsibilities and communicate with them through acceptable use policies.” We even know that training should focus on important issues such as end-point security, log-in requirements, and password administration guidelines. But still, the question remains, “Do we really have to do Employee Security Awareness Training, again?”

The answer is Yes, and here’s why.

The truth is simple. People are the weakest link. A bank can have all the latest technology and systems in place, but their employees will always be the weakest link, as well as the first line of defense, in the security chain. It only takes one employee out of a hundred to click on a link that introduces malware into your network. Or one employee who answers a few seemingly innocent questions, and important credential information used to hack a loan officer’s email is in the hands of a threat actor who can now demand a fraudulent wire transfer. As humans, we want to be trusting, and the bad guys work hard to be convincing. Training not only addresses the technology but also the human element when it comes to keeping your bank and customer information safe. Here are a few tools to help make that happen.

Annual Training Is Not Enough

Think back to last year’s security awareness training session. Was it really long, with a lot of jargon and information overload? Sitting through all of the required training at one time can be overwhelming, with too much information to remember. A better approach is to have more frequent trainings, maybe monthly or quarterly, that are shorter, but more focused and pertinent. Ongoing, consistent training communicates the importance of the bank’s security culture, while allowing employees to understand and retain the training objective.

Use Real-Life Situations

It can be hard to relate to national breaches or vulnerabilities, but bringing a security issue to a more relatable level can drive home a security point. For instance, demonstrating how easily simple passwords can be hacked, or identifying what information can be stolen from a mobile phone with no

By Missy Oliver, Compliance and Security Consultant, CoNextrix
