Security's Secret Weapon - Awareness
By Kevin Hamel, Vice President, Security Officer
Effective security programs bring people, process, and technology together for a common purpose — to protect member privacy and funds. With that backdrop, I must ask: Why is developing, implementing, and maintaining a solid corporate security program such a challenge?

The issue isn't technical. Technology solutions have been developed to address nearly every security need. The issue doesn't involve process either. Financial institutions know how to implement processes to virtually eliminate the likelihood of security breaches. The biggest security management issue today is people. People respond to phishing scams. People share passwords and open email attachments from unknown senders. People slip past the most sophisticated firewalls simply by clicking "yes" to a new program or screen saver.
Are people just plain lazy, silly, or stubborn? Not really. More likely, they don't understand the importance of today's security procedures, nor do they understand their role in protecting their financial institution from security risks. To make your security program really work, your staff must have a vested interest in securing the institution's electronic entry points. The following ideas will help you encourage employee participation in your security efforts:

Sell employees on security. Connect the dots between security breaches and your institution's performance. Show employees the impact of downtime due to a computer virus. With estimates of infected server downtime averaging 14 hours, ask your employees how an outage might affect your customers, reputation, and income.

Step further into your downtime example by showing employees how a virus disaster could impact the organization's net income, bonus pool, or retirement match. With virus disaster costs ranging between $50,000 and $500,000, your employees will use more caution when opening unknown email attachments.

Include security in every job. Formalize each employee's security responsibilities by including them in their job description. Decide who does what before a security incident occurs. Just as you shouldn't debate who prepares the bait money after a robbery, you don't want to ask who should patch the institution's computers after a hacker has exploited a correctable software defect.

To eliminate ambiguity, put your IT department manager in charge of patching computer software. Require your security administrator to produce reports of network intrusions on a monthly basis. Tell your tellers to change their passwords every 30 days or less. Security works best when it's a specific part of everyone's job function.

Leverage your incentives. Financial institutions can underscore the importance of fulfilling security responsibilities by incorporating those tasks in an employee's annual performance review. Using the examples above, the IT manager could have an objective related to patching computers, and one of the security manager's objectives could focus on security reporting. By rewarding appropriate performance, security's importance will reach every corner of the institution.

Seeing is believing. Demonstrate the importance of security policies by word and deed, starting at the top. Nothing undermines a security culture faster than seeing policy exemptions for executive management. If the policy requires a password-protected screen saver on every computer, then the president's PC should have that feature just like everyone else's. This clearly communicates that everyone, regardless of rank, takes security seriously and abides by the same policies and procedures.

Attitude is everything. Management should take every opportunity to communicate the importance of security programs and how they benefit the long-term health of the institution. Negative talk can undermine any institution-wide initiative. When a few people characterize your security efforts as a "Big Brother" intrusion, they doom it to failure. Fight that negativity by making security part of the institution's culture. Pick a few employees to evangelize security, and ask them to pick a few more. Spreading the security message deepens the practice and convinces employees that security is a strategy for success.

Finally, these suggestions can create an environment that pulls employees into the process of securing the institution and its customers from a new class of threat. If your employees understand how security affects everyone, they can strengthen it and your institution's future.