Security Education: Breaking Down the Obstacles
Ask a roomful of IT managers and chief information security officers at credit unions if the users are their biggest information security risk and almost every arm in the room will go up.
Ask how many have implemented a training program to deal with information security at their credit union, however, and the number of hands raised will likely dwindle. Then ask how many have training programs in place where they can benchmark their results. Unfortunately, the number of hands raised usually plummets.
So, if they agree that information security is one of their biggest risks, why aren't CISOs and IT managers doing more about security training?
Before answering that question, let's take a look at why they should care. Phishing—targeted email attacks designed to steal personal and corporate data as well as financial account credentials—is on the rise. According to the latest numbers from the Anti-Phishing Working Group, there were 125,215 attacks recorded worldwide in the first quarter of 2014.
The biggest target: unsuspecting non-management employees who inadvertently click on links within emails, launching phishing attacks that allow cybercriminals to access user names and passwords, financial account information, Social Security numbers and more. It's big business: EMC pegs global losses from phishing attacks at over $5.9 billion in 2013 alone.
But the hard reality of it is that, despite the risks to sensitive data, there are obstacles—real or perceived—that prevent credit unions from successfully creating programs that train employees to recognize and avoid attacks.
Let's look at some of the most common obstacles to companies implementing security training programs, and discuss the best ways for security and IT personnel to overcome them.
- Cost. After seeing the $5.9 billion price tag associated with phishing attacks and understanding how malware attacks can damage business, the majority of companies should be looking for ways to find the budget immediately. Training programs do not need to be expensive—they just need to be effective.
- Red tape. At some credit unions, an employee training program just involves IT, but in others it might involve several departments. Overcoming the red tape can be difficult; however, it’s not insurmountable with proper planning.
- No time to implement. Time is tight for IT and security departments. Alongside their day-to-day activities, IT teams are tasked not only with preventing attacks but also with handling them if they do occur. Many can't imagine taking on another task; however, there are many options for outsourcing management and implementation of a security education program to minimize internal time spent on it.
- No time to repeat. Training works best when it is reinforced and updated based on new threats. Making time to train and reinforce proper behavior can help prevent more significant drains on your time down the road.
- No way to measure. It's often difficult to measure behavior that you're trying to eliminate. However, if you establish a baseline before beginning training and analyze results after each training session, you can determine how successful each session is and understand which messages are sinking in.
- Concerns about privacy. It's the job of human resources and legal departments to worry about the privacy and legal implications of training programs. Collaborating with stakeholders to understand their concerns and refine your plan before starting the program will help you avoid fire drills mid-program.
- No management buy-in. This is perhaps the most difficult—and the easiest—problem to solve. It’s difficult because winning management approval on any expenditure can be a challenge; however, it’s easiest because the facts support your case: training employees actually helps thwart attacks that can impact your company.
All of these obstacles point clearly to the need for a plan to win the approval of necessary departments and management. And, more importantly, all of these obstacles can be overcome.
It's important to remember that credit union employees who can identify, report and avoid attacks create another line of defense for your company, working with you to keep data secure. Needless to say, providing training that allows them to spot and avoid dangerous situations should be a priority.
As with any plan, upfront communication is key. Clearly articulating the problem in terms that hit home with business decision-makers, setting clear goals and mapping how the business can benefit from cyber-smart employees will put you on the right course toward winning approval for your security education plan.