Kick-Start Your Institution’s Cybersecurity Awareness
January 22, 2018 by Emily Larkin
Just as information security awareness programs are a regulatory requirement for many financial institutions, they likewise represent a major pain point for most. The value of a strong awareness program is often difficult to quantify and thus gets little funding or attention, but once implemented, it can be an invaluable defense against both internal and external cyber attacks.
There are countless options for those looking to pay for security awareness materials or consultants to deliver those materials, but these measures only cover part of the challenge. How do you make information security part of your institution’s culture? How do you get buy-in across departments and leadership?
Getting started is often the hardest part for financial institutions. Here are five proven ways to kick up the buy-in and acceptance:
Start at the top
While board and executive buy-in is widely believed to be essential to a successful information security awareness program, getting to that point can be a challenge for some financial institutions. The key is to find what drives your leadership team, and in most cases, it is the revenue – presenting the potential financial impact of a cybersecurity incident and breach will quickly get the board’s attention.
This is not a scare tactic, but rather an educational opportunity for those who focus on growth and financials. There is an assumption that information security lives with the IT team and that a strong firewall will protect the company, but an effective 15-minute presentation on the risks and vulnerabilities that exist at the employee level will quickly turn around executive and board perceptions. Such a presentation might highlight:
– The regulatory requirements for an information security program;
– The average cost of a breach;
– The potential for reputational risk; and
– Some examples of the current vulnerabilities within the institution.
Make information security part of every employee’s orientation
A formal introduction to a member of the information security team and hands-on training in the information security program will go far with new employees, helping to demystify information security and make it part of the welcome package. Employees will appreciate meeting new people and gaining a better understanding of the importance of information security at the institution.
Make sure information security awareness is presented as part of the company culture. Encourage new employees to report any suspicious activity – assuring them that no question or incident is too minor to report, and outlining the protocol for reporting such potential incidents.
Put information security as an agenda item on your institution’s staff meetings and individual team meetings
Give the institution’s information security team a captive audience and a high-profile platform from which to speak and share news to help create positive energy around cybersecurity awareness and encourage participation.
Topics can range from recent vulnerabilities and projects in process to new controls and, most importantly, a thank you to users for their ongoing input and vigilance. Users tend to respond to statistics and data, such as the number of threats detected or the number of phishing attempts blocked in a month, so be sure to include some numbers that will help employees understand that they are part of a company that is committed to protecting the overall business.
Exercise your information security program
One of the most effective ways to raise cyber awareness is to involve users, and phishing tests represent a great example of this effort.
There are a number of tools available that allow organizations to send a mock phishing email and track who opens the email, who clicks on the links or who opens the attachment and/or provides their credentials. The key is to pick an influential figure in the organization and have an email come from some variation of his or her email address. While some may argue that this type of exercise sets employees up for failure, in truth this is simply the reality of how attackers infiltrate institutions – since most organizations have leadership teams posted on their public websites, this information is all a potential attacker needs to launch an effective phishing campaign. Employees can benefit from seeing how easy it is to gain confidence with a short email from the right sender.
Once the data from this type of exercise is collected, it is critical to share it with employees. Of course, there’s little value to be had in shaming people by name, but certainly showing the percentage of users who bit on the phish and how they could have spotted it is extremely beneficial for everyone. Phishing tests also allow an institution to exercise its incident response plans and better understand its employees’ comfort level in reporting suspicious activity. With this type of test data, the institution can then tailor targeted training for teams that fell below the company average and improve the means for reporting incidents.
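As an added example that is not part of the original article, the following Python script turns per-user results from a mock-phishing exercise into the team-level figures the text recommends sharing: the percentage who clicked or submitted credentials, the percentage who reported the email, the time until the first report reached the security team, and which teams scored worse than the company average and so warrant targeted follow-up training. The sample records, team names and field names are constructed assumptions; a real tool's export would be mapped onto the `Result` fields. Individual names never appear in the output, so the numbers can be shared without singling anyone out.

```python
"""Summarise mock-phishing results per team without naming individuals.

Constructed example: the records below are invented and do not come from
any real exercise or any particular phishing-simulation product.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Result:
    user: str                      # only used to count; never reported
    team: str
    opened: bool
    clicked: bool
    submitted_credentials: bool
    reported: bool
    report_minutes: Optional[float]  # minutes from send to report, None if not reported


# Constructed sample: 10 users across three teams.
SAMPLE_RESULTS: List[Result] = [
    Result("u01", "Lending", True, True, True, False, None),
    Result("u02", "Lending", True, True, False, False, None),
    Result("u03", "Lending", False, False, False, False, None),
    Result("u04", "Lending", True, False, False, True, 12.0),
    Result("u05", "Ops", True, False, False, True, 5.0),
    Result("u06", "Ops", True, False, False, True, 30.0),
    Result("u07", "Ops", True, False, False, False, None),
    Result("u08", "Finance", True, True, True, False, None),
    Result("u09", "Finance", True, False, False, True, 8.0),
    Result("u10", "Finance", True, False, False, False, None),
]


def _rates(rs: List[Result]) -> Dict[str, float]:
    """Click, credential-submission and report rates for a group of users."""
    n = len(rs)
    return {
        "users": n,
        "click_rate": sum(r.clicked for r in rs) / n,
        "credential_rate": sum(r.submitted_credentials for r in rs) / n,
        "report_rate": sum(r.reported for r in rs) / n,
    }


def team_metrics(results: List[Result]) -> Dict[str, Dict[str, float]]:
    """Aggregate results per team; output contains no user identifiers."""
    groups: Dict[str, List[Result]] = defaultdict(list)
    for r in results:
        groups[r.team].append(r)
    return {team: _rates(rs) for team, rs in groups.items()}


def company_rates(results: List[Result]) -> Dict[str, float]:
    """Company-wide baseline the teams are compared against."""
    return _rates(results)


def teams_needing_training(results: List[Result]) -> List[str]:
    """Teams that clicked more, or reported less, than the company average."""
    avg = company_rates(results)
    return sorted(
        team for team, m in team_metrics(results).items()
        if m["click_rate"] > avg["click_rate"] or m["report_rate"] < avg["report_rate"]
    )


def minutes_to_first_report(results: List[Result]) -> Optional[float]:
    """How quickly the first employee alerted the security team (None if nobody did)."""
    times = [r.report_minutes for r in results if r.reported and r.report_minutes is not None]
    return min(times) if times else None


def summary_lines(results: List[Result]) -> List[str]:
    """Human-readable summary suitable for a staff meeting slide."""
    avg = company_rates(results)
    lines = [f"Company: {avg['click_rate']:.0%} clicked, "
             f"{avg['credential_rate']:.0%} entered credentials, "
             f"{avg['report_rate']:.0%} reported"]
    for team, m in sorted(team_metrics(results).items()):
        lines.append(f"{team}: {m['click_rate']:.0%} clicked, {m['report_rate']:.0%} reported")
    first = minutes_to_first_report(results)
    lines.append("First report: " + (f"{first:.0f} min after send" if first is not None else "none"))
    lines.append("Follow-up training: " + ", ".join(teams_needing_training(results)))
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_RESULTS)))
```

The report rate and time to first report matter as much as the click rate: they show whether the reporting protocol described under orientation is actually working, which is the part of the exercise that feeds the incident response plan.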
Require an annual acknowledgement of your information security awareness program
While this is a regulatory requirement for many companies, it is a best practice for all companies. The acknowledgement should apply to all employees, including executives and board members. An efficient way to do this is to make it part of the annual information security policy and program approval process – thus promoting buy-in at the top, while also receiving the required approvals.
There are countless ways to deliver and track awareness training, with online delivery that interacts with the user and allows the organization to reach remote employees being one of the most effective and efficient options. This can be accomplished through a company intranet or learning management system that provides short quizzes after the training, thus ensuring accountability and easy tracking.
Often, one of the greatest challenges in the annual training and acknowledgement process is getting full participation. Be sure to set expectations up front with the initial delivery of the annual training, then reach out to non-compliers with a friendly nudge or reminder when they miss the deadline. As a last resort, work with the IT team to have a non-responsive employee’s email and/or chat account suspended until he or she completes the annual training.
When it comes to cybersecurity, improved employee awareness is often an institution’s best defense – it just takes the right strategies and consistent and timely delivery to get your employees on board. They will appreciate your efforts, understand the importance of protecting the institution and its assets and recognize that doing so is part of everyone’s job.