Ask a roomful of IT managers and chief information security officers at credit unions if the users are their biggest information security risk and almost every arm in the room will go up.
Ask how many have implemented a training program to deal with information security at their credit union, however, and the number of hands raised will likely dwindle. Then ask how many have training programs in place where they can benchmark their results. Unfortunately, the number of hands raised usually plummets.
So, if they agree that information security is one of their biggest risks, why aren't CISOs and IT managers doing more about security training?
Before answering that question, let's take a look at why they should care. Phishing—targeted email attacks designed to steal personal and corporate data as well as financial account credentials—is on the rise. According to the latest numbers from the Anti-Phishing Working Group, there were 125,215 attacks recorded worldwide in the first quarter of 2014.
The biggest target: unsuspecting non-management employees, who inadvertently click on links within emails, launching phishing attacks that allow cybercriminals to access user names and passwords, financial account information, Social Security numbers and more. It's big business: EMC pegs global losses from phishing attacks at over $5.9 billion in 2013 alone.
But the hard reality of it is that, despite the risks to sensitive data, there are obstacles—real or perceived—that prevent credit unions from successfully creating programs that train employees to recognize and avoid attacks.
Let's look at some of the most common obstacles to companies implementing security training programs, and discuss the best ways for security and IT personnel to overcome them.
All of these obstacles point clearly to the need for a plan to win the approval of necessary departments and management. And, more importantly, all of these obstacles can be overcome.
It's important to remember that credit union employees who can identify, report and avoid attacks create another line of defense for your company, working with you to keep data secure. Needless to say, providing training that allows them to spot and avoid dangerous situations should be a priority.
As with any plan, upfront communication is key. Clearly articulating the problem in terms that hit home with business decision-makers, setting clear goals and mapping how the business can benefit from cyber-smart employees will put you on the right course toward winning approval for your security education plan.