Buy-in by degrees: Five ways to bolster your bank’s cybersecurity awareness
December 11, 2017 by Emily Larkin
For many financial institutions, information security awareness programs are a regulatory requirement. Yet requirement doesn’t by any means equal enjoyment: They represent a major pain point for most and are frequently seen as an annual obligation. Their value is often difficult to quantify; thus they get little funding or attention. But once implemented, these programs mount an invaluable defense against internal and external cyberattacks.
Options abound to pay for security awareness materials or consultants to deliver them—but that only covers part of the challenge. How do you make information security part of your culture? How do you get buy-in across departments and leadership? Getting started often equals the hardest part for financial institutions. Below are five proven ways to kick up buy-in and acceptance:
1. Start at the top. Board and executive buy-in as part of a successful information security awareness program are a given. But this can pose challenges in some financial institutions. Find what drives your leadership team—which in most cases is revenue. Then, get the board’s attention by outlining the potential financial impact of a cybersecurity incident and breach. This is not a scare tactic but a reality check and an education for those focused on growth and financials. Many assume information security lives with the IT team and that strong firewalls will protect the company. A focused 15-minute presentation on risks and vulnerabilities at the employee level will quickly inform executive and board perceptions. This presentation could outline:
- regulatory requirements for an information security program
- the average cost of a breach
- the reputational risk, and
- examples of the current vulnerabilities within your institution.
2. Make information security part of every employee’s orientation. A formal introduction to an information security team member, and hands-on training, will go far. This gives new employees a face and person to link with the information security program. Make sure information security awareness permeates company culture. Encourage new employees to report any suspicious activity and review the protocol for reporting potential incidents. Assure them that no question or incident is too minor to report. Lastly, take employees by the information security office—and introduce them to the team. Demystify information security and make it part of the welcome package. Employees will appreciate meeting new people and better understanding information security’s importance at your institution.
3. Put information security on the agenda at staff and team meetings. Speaking to and sharing news with a captive audience creates positive energy around cybersecurity awareness and encourages participation. Topics can include:
- recent vulnerabilities
- projects in process
- new controls in place, and most importantly,
- thanking users for their input and vigilance.
We’ve found that our users respond to statistics and data. Just recently, we presented the number of threats and phishing attempts our systems blocked in a month. Employees like to know they are part of a company committed to protecting the overall business.
4. Exercise your information security program. Involving users represents a very effective way to raise cyber awareness. Phishing tests are a great example. A number of available tools will allow you to send a phishing email and track who opens it, who clicks on the links or who opens the attachment and provides credentials. Pick an influential figure in your organization and send an email from some variations of their email. Some may argue this sets up employees for failure—but this is exactly how attackers infiltrate institutions. Employees then benefit from seeing how easy it is to gain confidence with a short email from the “right” sender. Most organizations post their leadership teams on their public website. This is all a potential attacker needs to launch an effective phishing campaign.
Once you collect data from the exercise, share it with the employees: Again, users love data and stats. Stress that you will not shame people by name; make this clear in advance as well. That said, show the percentage of users who “bit on the phish” and how they could’ve spotted it. This benefits everyone. We do this at staff meetings and set goals for the next quarter’s phishing test. We’ve seen a dramatic drop in the number of employees willing to open suspicious emails. Phishing tests also allow you to exercise incident response plans and better understand your employees’ comfort level in reporting suspicious activity. You can then take test data, tailor training for teams that fall below the company average and improve your means for reporting outages.
5. Require annual acknowledgement of your information security awareness program. While a regulatory requirement for many companies, this also serves as a best practice. The acknowledgement should include all employees—including executives and board members. For efficiency’s sake, make it part of your annual information security policy and program approval process. This way you promote buy-in at the top and receive required approvals—two vital components of a successful program. Countless ways exist to deliver and track awareness training; online delivery that interacts with the user lets you reach remote employees in an especially effective, efficient way. You can accomplish this via company intranet or learning management system that provides short post-training quizzes; this also ensures accountability and easy tracking. Partial participation is not an option. So how do you make it happen? Set expectations up front with the initial delivery of annual training, then reach out to noncompliers with a friendly nudge or reminder when they miss the deadline. This typically motivates most employees. Approach the inevitable stragglers in person and ask when they will complete the tasks. As a last resort, suspend the employee’s email and/or chat account until they finish annual training. This may sound harsh, but it works. Rest assured that employees will participate in a timely manner going forward.
You can attain improved employee awareness—and the good news is it can happen quickly. The right strategies, along with consistent and timely delivery, get users on board to build your greatest defense. They will appreciate your efforts, understand the importance of protecting the institution and its assets, and recognize it as part of everyone’s job. Remember: Information security begins with making sure your workforce has all the right information.
For the full story featuring Sageworks, visit BAI Banking Strategies – Buy in by degrees: Five ways to bolster your bank’s cybersecurity awareness