Why Using Non-Conventional Security Awareness Training is Crucial!
By Gale Yocom
©2008
Financial institutions can expect more in-depth examinations this year, since the FDIC issued
FIL-105-2007, which updated the IT Examination Officer's Questionnaire. The FDIC wants to make sure that insured
depository institutions have security programs that guarantee the confidentiality of customer information,
in addition to anticipating and protecting against security threats and unauthorized access to customer
information.
To ensure that these issues are addressed, the questionnaire has five sections: Risk Assessment,
Operations Security & Risk Management, Audit/Independent Review Program, Disaster Recovery/Business
Continuity Management, and Vendor Management/Service Provider Oversight.
Parts 1 and 4, Risk Assessment and Disaster Recovery, are much the same as in the 2005 questionnaire,
with some minor changes. The other sections have a number of significant changes; one of the most important
is that the 2007 questionnaire adds an entirely new section devoted to Vendor Management. One topic of
particular concern in the FIL is security awareness training, because most institutions do not have a
standard program in place.
Training Awareness Using Non-Conventional Methods
New and more complex threats now go beyond the familiar pharming, phishing and vishing attacks: attackers
are targeting the end user with client-side exploits against mail readers, Internet browsers and third-party
applications such as Adobe Reader. Because of these more sophisticated attacks, it is more important than
ever to educate users and employees about these risks, which means IT managers must have training in place
that meets the examination requirements.
What we at Covetrix have found is that most security awareness training programs are simply not enough.
They are usually delivered annually or only when an employee is first hired. Even after extensive training,
the material is often forgotten within a matter of weeks, usually because of a lack of interest or because
of the way it was presented.
After a while, employees start to feel that someone is crying wolf about phishing, pharming and vishing
attacks, which we will refer to collectively as social engineering. Training programs must be adapted so
that the perceived importance stays high. We believe that by providing non-conventional, educational,
real-world examples, a financial institution will not only educate employees with better retention, but
employees will also understand how these scams work, so that they can spot a scam and catch it quickly
before it compromises customer privacy.
Tracking Employee Review is Critical to Retention
As our clients work to improve their security levels, we believe it is vitally important to build
strong teams that can respond quickly to potential threats and keep security risks from causing havoc
in the financial institution. At Covetrix, we see a need to track each employee's review of the
security training material. The reason? More often than not, an individual will watch security awareness
training videos, read e-mail messages, or review computer-use handbooks with the best of intentions, yet
retain only a limited amount of the security knowledge. Covetrix has designed IT training videos that keep
interest high and improve retention.
They work like this: the video pauses and asks the viewer questions about the content just viewed before
continuing. The answers are also reported to IT staff as evidence of compliance during examinations. Trained
individuals must be ready to make quick decisions so that nothing threatens the security of the financial
institution. Yet even willing participants are sometimes overwhelmed with too much information.
Confirming that videos are watched and that viewers are quizzed on their understanding of the content is
not enough; the information has to stick. To make sure the training stays in the minds of users and
employees, new ways of delivering it are needed, which means non-conventional techniques.
How Non-Conventional Methods Work
Against identity theft scams, placing untrained people in security roles is not going to keep security
risks away. What keeps them away is giving individuals proper training and continually expanding their
knowledge through effective training programs. In my experience as a technology expert and security
specialist, it is obvious that properly trained individuals retain and absorb information more readily,
and one of the best ways to help them do so is through non-conventional strategies.
What do I mean by non-conventional strategies? Most training programs hand the user a list of directives
such as the following:
- Don't open bad mail
- Don't go to a bad website
- Report all phishing emails
The problem is the user's actual understanding of this information. Our videos use non-conventional
training: they show the user exactly what a bad mail looks like, how it is created, and how a hacker builds
a phishing site and uses it to attack their institution. Combined with tracking the employee's review of the
material, this transfers the knowledge far more effectively.
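The kind of concrete "what a bad mail looks like" walk-through such a session builds on, written out as an added Python example (not part of the original article or Covetrix's training material): it takes a constructed phishing message aimed at a hypothetical institution (the bank name, the domain examplefederal.com and every address in it are made up) and lists the tells an employee is taught to spot, namely a sender domain that is not the institution's, a Reply-To that differs from the sender, urgency language, and a link whose visible text does not match where it really points. A constructed legitimate notice is included for contrast.

```python
"""List the social-engineering tells that awareness training teaches employees to spot.
Added example, not Covetrix's material; the bank, domains and messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "examplefederal.com"  # assumed domain of the (hypothetical) institution

# Constructed phish: spoofed display name, look-alike sender domain, a different
# Reply-To, urgency language, and a link whose visible text hides its real target.
SAMPLE_EMAIL = """\
From: "Example Federal Bank Security" <alerts@examplefederal-secure-login.com>
Reply-To: verify@mail-examplefederal.net
To: teller@examplefederal.com
Subject: URGENT: your online banking access will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please verify your account immediately.</p>
<p><a href="http://examplefederal.com.account-verify.ru/login">https://www.examplefederal.com/login</a></p>
</body></html>
"""

# Constructed legitimate internal notice, for contrast.
CLEAN_EMAIL = """\
From: it@examplefederal.com
To: teller@examplefederal.com
Subject: Reminder: quarterly awareness training
Content-Type: text/plain

The new training module is posted on the intranet.
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours|verify your account)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host; a rough stand-in for a public-suffix-list lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def addr_domain(header_value):
    """Domain of the first address in a header, or '' if there is none."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw, our_domain=OUR_DOMAIN):
    """Return the human-readable tells found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = addr_domain(msg["From"])
    if sender and registrable_domain(sender) != our_domain:
        findings.append(f"sender domain {sender} is not {our_domain}")
    reply_to = addr_domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender {sender}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if URGENCY.search(str(msg["Subject"] or "") + " " + body):
        findings.append("urgency or threat language in subject/body")

    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        if not target:
            continue
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
        elif registrable_domain(target) != our_domain:
            findings.append(f"link points to outside domain {target}")
        if our_domain in target and registrable_domain(target) != our_domain:
            # the institution's own name buried as a subdomain of a stranger's domain
            findings.append(f"{our_domain} used as a subdomain of {registrable_domain(target)}")
    return findings
```

Running phishing_indicators(SAMPLE_EMAIL) yields five findings (sender domain, Reply-To, urgency, the mismatched link text, and the institution's name used as a subdomain of account-verify.ru), while the clean notice yields none. The domain check is deliberately crude; it is the list of tells, not the parser, that the training is meant to put in front of employees.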
The Outcome
Since implementing these awareness training video strategies, we have seen a high level of success during
third-party penetration tests and audits. Equally important, individuals understand and retain the
information more efficiently.
It is very clear that even the most effective training program requires periodic testing to ensure that it
is serving the ever-changing needs of the financial institution. Just as the technological challenges
continue to change and grow, so must training programs.
With non-conventional training strategies, financial institutions have a far better chance of keeping
customers safe from scams and unauthorized access to private information.
About the Author
Mr. Gale Yocom is a recognized technology expert and President of the Dallas-based security specialist company
Covetrix. For the past ten years his company has provided full-service networking and security solutions to
government entities, financial institutions, and commercial businesses across the U.S. Performing security
audits, assessments and implementation of security measures on ISP networks, he brings a wealth of knowledge
and information to Internet security.
Mr. Yocom is known for effectively uncovering weaknesses in large institutions' security practices
and has impressively strengthened the security posture of many financial institutions. Mr. Yocom can be
reached at gale@covetrix.com or on the web at www.covetrix.com