Data Security: Preventing That One Mistake

The vast majority of security breaches share one thing in common: a single employee making a single mistake, and often it is a mistake that another firewall or other piece of technology would not have prevented.

"In 2015 just about every major breach that you read about was tied back to an employee making a mistake," said Jim Stickley, CEO of San Diego-based Stickley on Security Inc. "In most cases these mistakes were tied back to emails and web browsing where an employee was unaware of the latest techniques criminals were using to gain access to their computers."

If the answer isn't investing in yet another technology solution, what is it? Training, Stickley said.

"Training really comes down to two parts: education and awareness. People often treat these as one and the same, but education covers the general courses people would think of when dealing with training," said Stickley. "Awareness is keeping employees and executives aware of the very latest security threats."

After vetting a handful of vendors, the Spokane, Wash.-based $1.5 billion Numerica Credit Union recently partnered with Stickley on Security. Chief Information Officer Kelley Ferguson said the goal is to better educate its 110,000 members and 450 employees.

"This is another tool in the tool belt," said Ferguson. "We appreciate the rotating, updated and fresh information our members have access to. We are teaching employees and members how to be protected on mobile, web and against different types of scams."

Whereas filters, firewalls, anti-virus and malware prevention solutions catch many would-be scams, the number of email "phishing" attempts grows each year. Stickley explained that through creative emails, unpatched applications and robust malware, criminals are gaining login credentials and confidential information as well as taking control of desktops and networks at the compromised organizations. Worldwide, phishing attacks rank as one of the top entry points into compromised organizations.

Last year, for example, Stickley noted that a large number of banks were infected with malware known as Carbanak, an advanced persistent threat that targeted financial institutions and reached bank employees through malicious Microsoft Word attachments in spear-phishing emails. While the industry at large was aware of the threat, that knowledge often wasn't passed on to employees.


Training for the Good Fight

The first line of defense is employees. Numerica CU has a strategy that includes training on information security for all new hires, followed by quarterly and annual training sessions. To further this pursuit, Stickley on Security's cloud-based BadPhish and Employee EDU have been added to the mix.

"BadPhish and Employee EDU are paramount and really round out our education for our work force," said Ferguson. "This is a partnership we value. We tell them what threats and concerns we are seeing and what we need to educate our employees."

All Numerica CU employees will be required to train with the cloud-based BadPhish solution. The course supports customized assignments and tracks each employee's completion.

"We are randomly going to use BadPhish, which sends out phishing attacks to employees. This will help keep their eyes keen and aware to phishing emails," said Ferguson. "I can almost guarantee that some people will fail. Then they will be directed to take that education piece right then and there."

The educational process for these employees won't be days or hours, but rather five or 10 minutes, said Ferguson. "This will help them better gauge what they should be looking for."

For Numerica CU's approximately 30 technology employees, the training is more intensive. "They will go through the same process a teller goes through, but they will have advanced training as well because they are the experts," said Ferguson. "When they are asked questions by other employees or members, they need to have the answer."

For these tech employees, the Employee EDU solution comes into play. It covers a broader range of threats, going well beyond phishing scams.

"Employee EDU also provides fully customizable one-off security education courses, continued security awareness updates and even comprehensive phishing testing," said Stickley.

Employees access the administered, customized course through an online portal, where they are given an overview of the new subject, he explained. The course is broken into four parts: written, video, game and testing. To pass the course the employee must answer a set number of questions correctly.

"The employee can choose to go through the course in whatever order they like with testing obviously saved for the end," said Stickley. "Employees can come and go as often as needed completing one section at a time or complete the entire course all at once."


Training Culture

Before partnering with Stickley on Security, Numerica CU had developed a culture that supported continuing education. As a result, adding new methodologies and applications was second nature.

"Training and education is built into our employees' work time," said Ferguson. "They are not expected to do this training outside of work hours or try to squeeze it in."

If a credit union is not in a position to invest in security solutions and educational training, Stickley said executives should do their best to stay aware of new security threats and determine the best way to warn staff of these potential threats.

"Something as simple as a Google search for the word 'scam' or 'cyber threat' or 'security vulnerability' will provide important information about what is happening at that moment," said Stickley. "But if you are reading about it, it means someone is already exploiting it; so the sooner you get the word out to your staff, the less risk your organization will face."

Source: American Banker, Technology section.