Bank Directors Seminar, Coeur d'Alene, ID, September 15-17, 2019

Security Awareness Strategies

• Present your staff with information about being aware of security, and then come up with a set up where you send them a link they want to click on. This is a process known as “phishing simulation.” If your staff members click on the links, and they probably will, it will take them to a safe page. However, on the page is a message telling them that they fell for a scam, and though they are safe this time, there could be great repercussions. • The staff members who click the link should be tested again. This way, you will know if the message got through. • Make sure when you give these tests that it isn’t predictable. Send the emails at different times of day and make sure they look different and have a different message. For instance, don’t send the “lose 10 pounds” email twice. • Think about hiring someone, a stranger, who will try to get your staff to give them sensitive information about your company over the phone, through email, or even in person. This is a valuable test, as it helps you to determine who the “weak links” are in your company. • Give your staff quizzes throughout the year to see who is paying attention to security.

Security Awareness Strategies • You should focus on education, not discipline, when you are doing this. Don’t make them feel bad or punish them. Instead, make sure they know what they did wrong and work on not doing it again. • Ensure that your team knows that a data breach can also result in financial, legal, and criminal problems. • Schedule checks of workstations to see if any employee is doing something that might compromise your company’s sensitive data. This includes leaving information on a screen and walking away. • Explain the importance of security to your staff, and encourage them to report any activity that seems suspicious. • After training and testing your staff, make a list of all concepts that you want them to understand. Look at this list often, and then evaluate it time and time again to see if anything needs changed. • Don’t forget company officers. When company officers are omitted from this kind of training it poorly reflects on the organization. Some security personnel are afraid to put their Executives on the spot. That is a huge mistake. Security starts from the top.