Systems Only Go So Far
SECURITY'S SECRET WEAPON - AWARENESS
By Kevin Hamel
Effective security programs bring people, process, and technology together for a common purpose — to protect member privacy and funds. With that backdrop, I must ask: Why is developing, implementing, and maintaining a solid corporate security program such a challenge?
The issue isn’t technical. Technology solutions have been developed to address nearly every security need. The issue doesn’t involve process either. Financial institutions know how to implement processes to virtually eliminate the likelihood of security breaches. The biggest security management issue today is people.
People respond to phishing scams. People share passwords and open email attachments from unknown senders. People slip past the most sophisticated firewalls simply by clicking “yes” to a new program or screen saver.
Are people just plain lazy, silly, or stubborn? Not really. More likely, they don’t understand the importance of today’s security procedures, nor do they understand their role in protecting their financial institution from security risks.
To make your security program really work, your staff must have a vested interest in securing the institution’s electronic entry points. The following ideas will help you encourage employee participation in your security efforts:
Sell employees on security.
Connect the dots between security breaches and your institution’s performance. Show employees the impact of downtime due to a computer virus. With estimates of infected server downtime averaging 14 hours, ask your employees how an outage might affect your customers, reputation, and income.
Step further into your downtime example by showing employees how a virus disaster could impact the organization’s net income, bonus pool or retirement match. With virus disaster costs ranging between $50,000 and $500,000, your employees will use more caution when opening unknown email attachments.
Include security in every job.
Formalize each employee’s security responsibilities by including them in their job description. Decide who does what before a security incident occurs. Just as you shouldn’t debate who prepares the bait money after a robbery, you don’t want to ask who should patch the institution’s computers after a hacker has exploited a correctable software defect.
To eliminate ambiguity, put your IT department manager in charge of patching computer software. Require your security administrator to produce reports of network intrusions on a monthly basis. Tell your tellers to change their passwords every 30 days or less. Security works best when it’s a specific part of everyone’s job function.
Leverage your incentives.
Financial institutions can underscore the importance of fulfilling security responsibilities by incorporating those tasks in an employee’s annual performance review. Using the examples above, the IT manager could have an objective related to patching computers, and one of the security manager’s objectives could focus on security reporting. By rewarding appropriate performance, security’s importance will reach every corner of the institution.
Seeing is believing.
Demonstrate the importance of security policies by word and deed, starting at the top. Nothing undermines a security culture faster than seeing policy exemptions for executive management. If the policy requires a password-protected screen saver on every computer, then the president’s PC should have that feature just like everyone else’s. This clearly communicates that everyone, regardless of rank, takes security seriously and abides by the same policies and procedures.
Attitude is everything.
Management should take every opportunity to communicate the importance of security programs and how they benefit the long-term health of the institution. Negative talk can undermine any institution-wide initiative. When a few people characterize your security efforts as a “Big Brother” intrusion, they doom it to failure. Fight that negativity by making security part of the institution’s culture. Pick a few employees to evangelize security, and ask them to pick a few more. Spreading the security message deepens the practice and convinces employees that security is a strategy for success.
Finally, these suggestions can create an environment that pulls employees into the process of securing the institution and its customers from a new class of threat. If your employees understand how security affects everyone, they can strengthen it and your institution’s future.