KBA May / June 2020There you are, working diligently at your computer when you receive the dreaded email.  You are invited (required) to attend the upcoming annual Employee Security Awareness Training session.  Oh no, has it already been a year?  Please, please don't make me sit through that long, boring training and waste an hour or more of my day, AGAIN.  Sound familiar?

We all know that Employee Security Awareness Training is a key aspect of your Information Security Program.  In fact, the FFIEC IT Examination Booklet Information Security 2016 states, "Training should support security awareness and strengthen compliance with security and acceptable use policies. Management should educate users about their security roles and responsibilities and communicate them through acceptable use policies."  We even know that training should focus on important issues such as end-point security, log-in requirements, and password administration guidelines.  But still, the question remains, "Do we really have to do Employee Security Awareness Training, again?" The answer is Yes, and here's why.

The truth is simple.  People are the weakest link.  A bank can have all the latest technology and systems in place, but their employees will always be the weakest link, as well as the first line of defense, in the security chain.   It only takes one employee out of a hundred to click on a link that introduces malware into your network.  Or one employee who answers a few seemingly innocent questions, and important credential information used to hack a loan officer's email is in the hands of a threat actor who can now demand a fraudulent wire transfer.  As humans, we want to be trusting, and the bad guys work hard to be convincing.  Training not only addresses the technology but also the human element when it comes to keeping your bank and customer information safe. Here are a few tools to help make that happen.

Annual Training is Not Enough

Think back to last year's security awareness training session.  Was it really long, with a lot of jargon and information overload?  Sitting through all of the required training at one time can be overwhelming, with too much information to remember.  A better approach is to have more frequent training, maybe monthly or quarterly, that is shorter but more focused and pertinent.  Ongoing, consistent training communicates the importance of the bank's security culture, while allowing employees to understand and retain the training objective.

Use Real-Life Situations

It can be hard to relate to national breaches or vulnerabilities, but bringing a security issue to a more relatable level can drive home a security point.  For instance, demonstrating how easily simple passwords can be hacked, or identifying what information can be stolen from a mobile phone with no security, is relatable and memorable.  Instead of stating facts about the last password weakness breach or telling employees which passwords not to use, scale the information to a real-life circumstance.  Which leads me to my last point.

Train a New Way

Security Awareness Training doesn't have to be boring.  Training can be interactive using role simulations, team cyber issue problem solving, even question and answer sessions.  Test for effectiveness and provide incentives for good outcomes. Getting your employees involved and identifying themselves as a part of the solution can rejuvenate your employee training program.  Work with your employees to generate buy-in and make them ambassadors of your security.  Create a re-energized Employees Security Awareness Training program by training your staff in new and better ways, and deploy your employees as front-line protection for your bank and customer information.

A good Security Awareness Program is integral to helping your employees understand your bank culture relating to security.  While management sets the tone for a commitment to security, the employee's knowledge and awareness play a primary role in protecting the bank, and customer information.  By providing relevant security awareness training, you are inviting your employees to participate in successfully protecting the confidentiality, availability, and integrity of the bank's information and information assets.