Four Steps to Improve Security Awareness
Ponemon Institute, an independent agency that conducts research on privacy, data protection, and information security policies, states that:
- 51% of CEOs surveyed said their company experiences cyber attacks hourly or daily
- 60% of employees circumvent security features on their mobile devices
It doesn’t take qualified research or a fancy publication in a trade journal for us all to agree that every employee in your credit union is a potential penetration point for your network, systems, and data. Getting rid of all the employees doesn’t seem like a popular risk mitigation option, so we’re left with education and behavior modification.
Assess, Train, Monitor, Repeat
The foundation of any good information security or data protection program is security awareness and training. At CUdefender, we are strong advocates for not only making credit union employees aware that threats exist but also teaching them how to recognize threats and know exactly how to respond to keep data and systems secure.
This four-step approach seems to help employees retain information they are taught and change behaviors over the long term.
- Assess – It is imperative that credit unions understand the level of risk within their own institution. Simulated attacks and knowledge assessments are great tools for helping accomplish this, but it shouldn’t just be about penetration testing; it should also be about education and motivation for employees. Take this opportunity to provide employees guidance about how they can make better choices in the future. This education is critical to long-term retention. As Art Gilliland, General Manager of Enterprise Security Products at HP, told Kathryn Dill of Forbes Magazine, taking advantage of a teachable moment directly following an action is more effective than a general conversation later. “Educate at that moment,” said Gilliland. “It can be private, but it’s very powerful at the time of failure.”
- Train – Providing in-depth training as an add-on to specific teachable moments gives employees a better understanding of the potential risks. It’s during this phase that staff get a sense of how important their actions are to the safety and security of your credit union. It’s critical to think beyond phishing attacks and email and extend training to include the many other channels where attacks may be present, such as social networks.
- Monitor – After employees receive in-depth training, effectiveness must be monitored and measured as this helps to identify your weaknesses and which employees may require additional training. Many credit unions stop after training and don’t take the extra steps to formalize key performance indicators (KPIs) to establish a clear path forward. Where should you be 6 months or a year from now? Having clearly defined goals and publishing the general trend will further serve to keep security top-of-mind and keep staff motivated.
- Repeat – Cybersecurity threats are ever-changing and come in many different forms: phishing, smishing (malicious SMS/texts), vishing (classic fake phone calls), social engineering, social network threats, and lost or stolen devices are just some of the issues credit unions are facing. Hackers are fast-learning and relentless. Their approaches are becoming more varied and complex. For these reasons, it is critical that we continue to reinforce best practices and teach good behavior. A security awareness and training program that gives you the ability to deliver training with high frequency (bi-monthly) is key to realizing the best possible results.
As with anything, security awareness and training is just a small piece of the puzzle. Following the four steps outlined above can vastly improve your training program and make for a strong foundation, but be sure to think holistically. At CUdefender, we help protect credit unions from cyber threats by providing guidance as well as a full range of easy-to-implement tools delivered 100% from the cloud. Feel free to visit our website at http://www.cudefender.com or reach out to our team for more information.