KBA February 2018

You have probably heard this before, but the greatest threat to an organization's information security is its people. Attackers are aware of the human element and build their schemes to exploit it. The best way to combat this weakness is to train and test employees.

The goal of information security awareness training is to create a change in employee behavior and to create a security-minded culture inside your institution. A change in culture will not happen overnight, and it may take longer for some employees to make adjustments to their behavior, but it is possible.

To create a successful information security training program, it is important not to treat it as a checklist item that holds no importance. Instead, show it is imperative to the protection of your institution and your customers.

The FFIEC IT Examination Handbook, Information Security Booklet, September 2016 states, "Training programs should include scenarios capturing areas of significant and growing concern, such as phishing and social engineering attempts, loss of data through email or removable media, or unintentional posting of confidential or proprietary information on social media. As the risk environment changes, so should the training."

The key to making information security awareness training effective is to make it practical and relevant to the work your employees do every day.

Phishing and Social Engineering Attempts

One of the primary means attackers use to exploit employees is deception: tricking the employee into performing an action they do not realize is malicious. Whether it is opening an attachment, clicking a link, or providing information to a caller, employees need to be mindful of requests that are out of the ordinary.

When training employees about phishing and social engineering risks, it is important to emphasize that they should not click unsolicited links or open unsolicited attachments. Attackers can make a link's visible text say anything they choose, so train employees to copy a link they wish to open into the web browser's address bar and verify the actual destination is legitimate before going to the site. Encourage employees to be suspicious of any unsolicited emails, phone calls, or visits from people asking for confidential information. If someone does ask for this type of information, employees should know to verify the requester's identity.
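The mismatch between what a link says and where it actually points is something a mail gateway or awareness tool can check mechanically. The following is an added example, not part of the original article or any KBA tool, and the email body and host names in it are constructed for illustration: it parses the anchors in an HTML message and flags any whose visible text names a different host than the real href.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that looks like a URL or bare domain (e.g. "www.examplebank.com/login").
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain; '' if none can be parsed."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def mismatched_links(html):
    """Return (visible text, href) for links whose text names a different host
    than the destination. Plain text such as 'Click here' is not flagged because
    it makes no claim about the destination."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = URL_LIKE.search(text)
        if match and host_of(match.group(0)) != host_of(href):
            flagged.append((text, href))
    return flagged


# Constructed sample message (not a real email); the second link is deceptive.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account.</p>
<p><a href="http://examplebank-login.example.net/verify">www.examplebank.com/login</a></p>
<p>Questions? <a href="https://www.examplebank.com/contact">Click here</a>
or visit <a href="https://www.examplebank.com/">https://www.examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"link text {text!r} actually points to {href}")
```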

Consider implementing tests such as simulated phishing emails or other social engineering tests on a consistent basis to assess the effectiveness of training. Additional testing can be performed through physical walkthroughs or interviews with employees. If employees fail any of these tests, ensure re-training occurs with those employees.

Data Loss through Email or Removable Media

As part of information security training, educate employees not to send confidential information over unencrypted email. Make sure employees are aware of the encryption options available to them and know how to use them. For removable media (flash drives, CDs, and the like), limit the use of these devices as much as possible through policies and technical restrictions. If certain employees need access to removable media devices, add those employees to an exemption list.

Social Media and Cloud File Storage

When training employees about the proper use of social media, it is important to emphasize that statements should not be made on behalf of the bank without management's approval. Regarding cloud file storage services, train employees not to use these services without prior approval. It is also best practice to restrict access to social media and cloud file hosting websites on work systems, and only allow access for the employees who have a business need.

Password Security

One of the continual areas of greatest need in information security training is improving password strength. The hallmark of a great password is the balance between being easy to remember and hard to guess. Emphasize the use of passphrases, which in many systems can even include spaces. A short sentence with capitalization and punctuation works very well to make the password both strong and easy to remember. Along with having strong passwords, it is important for employees not to reuse the same password between personal sites and work websites. Your institution could consider using password management software, which lets users store passwords in a secure, encrypted environment and requires employees to remember only one strong password.

Because attackers appeal to the well-intentioned and helpful nature of most people, security awareness training is paramount. As you continue to hone and perfect your organization's security training, be sure to keep up with changes in risks and new exploit methods. Evaluate effectiveness through social engineering tests, physical inspections, or employee interviews, and work closely with employees to create a security-minded culture. With today's risk landscape and the sophistication of attacks, it is vital to the protection of your institution to educate employees about these risks and teach them practical ways to respond.