Improve Your Information Security Quickly, Easily and CHEAPLY - Part 2

By: (CISA, CISSP, CRISC)

Publication: The Colorado Banker, July/August 2009

Are you overwhelmed by the vast offerings of security applications, appliances, systems, and programs? Wondering which is best, if they will live up to their promise, and how they will integrate into your already complex technology environment? Discouraged by the cost and confused by the complexity of it all? We’ve all been there too many times, afraid of the global threats, but feeling like we are spinning our wheels and throwing money at a phantom enemy.

But, did you know you already have your most valuable security defense system? Did you also know, if you do not manage, monitor and tweak it, it can become your largest security hole? What is it you ask? Your employees!

Managing Your Best Security Defense System—Your Employees

We spend hundreds of thousands of dollars on security systems, applications and tools. We implement state-of-the-art technology solutions and approve detailed security policies, but too often neglect our most valuable asset and potentially our most dangerous adversary. They walk into our bank every morning and walk out every day, with the wisdom to avert potential attacks, and the cunning to circumvent security controls.

Below are some fundamentals we must practice to maximize the effectiveness of our top security defense system:

1) Inform Your Employees. I remember watching G.I. Joe on TV as a kid. Every episode ended with a short skit where one of the G.I. Joe heroes would come across some kid at school or at a playground doing something wrong. Flint, Scarlett, Dusty, or one of the “Joes” would stop them before they hurt themselves, explain the potential consequences of their actions, and give them advice. The skit would end with the Joe saying "Knowing is half the battle." (So, are all of you old G.I. Joe fans now singing the theme song?)

We must make sure our employees know and understand the consequences of their actions. This can be done through formal security awareness training, informal emails or talks (particularly related to recent events), and through the annual review and signing of your Acceptable Use Policy (expanded to include reasons, not just the dos & don'ts).

Some key areas you should include in your training:

  • Password Security: Include the value of long passwords, not sharing passwords with others, and not writing your passwords down on a sticky note and sticking them on your monitor (I know the last one sounds crazy, but you would be surprised how often we find them during an audit).
  • Mobile Device Security: Include how to protect laptops, phones, PDAs, and mass storage devices (flash drives, external hard drives) that may store confidential information. Include not connecting to unknown wireless networks.
  • Internet Use: Address the practice of only using websites you trust, and how to tell if a connection to a website is secure (https:, the padlock, etc.). Make clear that the padlock only means the traffic is encrypted and the certificate matches the address shown; it does not mean the site itself is legitimate, so employees should also check that the domain in the address bar is the one they expect.
  • Email: Include why not to click on links in, or open attachments from, emails they are not expecting or do not recognize, and why not to send confidential information in unencrypted email.
  • Social Engineering: Make sure employees know and understand the types of spoofed email and fraudulent phone calls that typically target banks.

2) Incent Your Employees. I remember conducting a social engineering engagement for a bank where we offered a free T-shirt if employees answered a survey with information they should not release. The bank made the employees who "failed" the test wear their T-shirts on the Friday they announced the results of the social engineering report.

On a social engineering engagement for another bank, they awarded restaurant gift cards to each employee who would not let us access their computers or enter their network closets without first verifying we had preauthorization.

These are two examples of easy, inexpensive incentives. While one is an incentive to do good and the other an incentive to not do bad, both proved very effective in heightening employees' awareness of security.

While not minimizing the value of security systems and applications, which are crucial to an overall effective security posture, we must ensure we spend the extra time and energy to empower our employees to protect our bank and our customers.