Ask a roomful of IT managers and chief information security officers at credit unions if the users are their biggest information security risk and almost every arm in the room will go up.

Ask how many have implemented a training program to deal with information security at their credit union, however, and the number of hands raised will likely dwindle. Then ask how many have training programs in place where they can benchmark their results. Unfortunately, the number of hands raised usually plummets.

So, if they agree that information security is one of their biggest risks, why aren't CISOs and IT managers doing more about security training?

Before answering that question, let's take a look at why they should care. Phishing—targeted email attacks designed to steal personal and corporate data as well as financial account credentials—is on the rise. According to the latest numbers from the Anti-Phishing Working Group, there were 125,215 attacks recorded worldwide in the first quarter of 2014.

The biggest target: unsuspecting non-management employees, who inadvertently click on links within emails, launching phishing attacks that allow cybercriminals to access user names and passwords, financial account information, Social Security numbers and more. It's big business: EMC pegs global losses from phishing attacks at over $5.9 billion in 2013 alone.

But the hard reality of it is that, despite the risks to sensitive data, there are obstacles—real or perceived—that prevent credit unions from successfully creating programs that train employees to recognize and avoid attacks.

Let's look at some of the most common obstacles to companies implementing security training programs, and discuss the best ways for security and IT personnel to overcome them.

  • Cost. After seeing the $5.9 billion price tag associated with phishing attacks and understanding how malware attacks can damage business, the majority of companies should be looking for ways to find the budget immediately. Training programs do not need to be expensive—they just need to be effective.
  • Red tape. At some credit unions, an employee training program just involves IT, but in others it might involve several departments. Overcoming the red tape can be difficult; however, it's not insurmountable with proper planning.
  • No time to implement. Time is tight for IT and security departments. Alongside their day-to-day activities, IT teams are tasked not only with preventing attacks but also with handling them if they do occur. Many can't imagine taking on another task; however, there are many options for outsourcing management and implementation of a security education program to minimize internal time spent on it.
  • No time to repeat. Training works best when it is reinforced and updated based on new threats. Making time to train and reinforce proper behavior can help prevent more significant drains on your time down the road.
  • No way to measure. It's often difficult to measure behavior that you're trying to eliminate. However, if you start with a baseline before beginning training as well as analyze results after each training session, you can determine how successful each session is and understand what messages are sinking in.
  • Concerns about privacy. It's the job of human resources and legal departments to worry about the privacy and legal implications of training programs. Collaborating with stakeholders to understand their concerns and refine your plan before starting the program will help you avoid fire drills mid-program.
  • No management buy-in. This is perhaps the most difficult—and the easiest—problem to solve. It's difficult because winning management approval on any expenditure can be a challenge; however, it's easiest because the facts support your case: training employees actually helps thwart attacks that can impact your company.

All of these obstacles point clearly to the need for a plan to win the approval of necessary departments and management. And, more importantly, all of these obstacles can be overcome.

It's important to remember that credit union employees who can identify, report and avoid attacks create another line of defense for your company, working with you to keep data secure. Needless to say, providing training that allows them to spot and avoid dangerous situations should be a priority.

As with any plan, upfront communication is key. Clearly articulating the problem in terms that hit home with business decision-makers, setting clear goals and mapping how the business can benefit from cyber-smart employees will put you on the right course toward winning approval for your security education plan.

Joe Ferrara is CEO of Wombat Security Technologies in Pittsburgh.
