Carrots Over Sticks

Tags: cybersecuritymonth, phishing | Oct 22, 2024

Building Trust and Boosting Security

By Chris Tuzeneu

What if I told you it was possible to build a stronger security culture within your bank for about $600 a year? And I’m not even selling anything!

Building a culture of security, where employees genuinely care about security best practices and proactively report threats, is easier said than done. If I polled a room full of bank presidents and technology officers, I’m sure almost all of them would say they wished their employees were a bit more security-minded. No matter how many tools and security layers we put in place, we are still one click away from a malware or ransomware download, and one lost credential away from Business Email Compromise. How do we make the shift from apathy to alertness?

Most banks, if not all, already run monthly email phishing tests, in line with FFIEC guidance. Regular testing, with training for anyone who clicks the bad link, is a great catalyst for conversations about security in general and for building good habits around email. Here are a few tips to get the most out of that investment and build the security culture you want.

Reporting should be easy. An under-utilized feature of these phishing platforms is a button that installs into Outlook and lets an employee report a suspected malicious email with a single click. If the reported email is part of the monthly test, the employee gets a congratulatory message, instantly rewarding their diligence. If it isn’t, a copy of the email goes to your security person to review and, if necessary, act on. That second path is the one that matters most: it turns every employee into a sensor for the phish your filters missed.

Reporting should be safe. A recent survey by security company Arctic Wolf found that nearly one in three respondents did not feel safe reporting a security incident if they were at fault. The reason is fear of termination: many organizations have policies that penalize mistakes such as clicking links or entering credentials. That seems reasonable at first glance, since those actions expose our banks to serious threats, but the side effect is an unwillingness to alert anyone for fear of the repercussions. If you have a policy like this at your bank, I would invite you to reconsider it. If we want to trust our employees to alert us swiftly to any cybersecurity threat, even one they caused, they need to trust that their job is secure. The minutes between a click and a report are when a credential can still be reset and an attachment contained; a policy that delays that report costs far more than the mistake itself.

Reporting should be rewarded. Beyond removing penalties, a little positive reinforcement goes a long way toward training the behavior you want. Imagine announcing a $10 coffee shop gift card for the first three people to report the phishing campaign each month, and a $20 gift card for the first person to report an actual threat. That is $50 a month, or about $600 a year, which is the budget I mentioned at the top of this piece. Further gamification could include a leaderboard posted in the break room, a quarterly drawing for a prize, anything to spur a little friendly competition. It would certainly get everyone talking, and that’s always a win for security.
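To make the "easy" and "rewarded" points above concrete, here is an added example of the back-end logic behind a one-click report button: it decides whether a reported message belongs to the active test campaign (congratulate and record the reporter's rank for the gift card) or is anything else (queue it for the security reviewer). This is illustrative code written for this post, not the code of any phishing platform or Outlook add-in. It assumes, for the sake of the example, that the platform tags its simulated messages with a custom header named X-Phish-Simulation carrying a campaign id; the header name, the campaign ids and the sample emails are all constructed here. One security caveat it handles: a header alone is not proof of a simulation, since an attacker can forge one, so only ids that match the campaigns you know are running count as tests, and a message carrying an unknown marker is flagged for the reviewer rather than waved through.

```python
"""Triage of employee-reported emails: test campaign vs. possible real threat.

Illustrative example only (not a vendor's or the author's code). Assumption:
the phishing platform marks its simulated messages with a custom header,
X-Phish-Simulation: <campaign id>. Header name and ids are made up here.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

SIMULATION_HEADER = "X-Phish-Simulation"  # assumed marker header (hypothetical)
REWARD_SLOTS = 3                          # first three reporters per campaign get the $10 card

# Constructed sample messages (not real traffic).
SIMULATED_EMAIL = """From: "Payroll" <payroll@bank-hr-portal.example>
To: alice@bank.example
Subject: Action required: update your direct deposit
X-Phish-Simulation: campaign-2024-10
Date: Tue, 22 Oct 2024 09:00:00 -0500

Please confirm your details at https://bank-hr-portal.example/login
"""

REAL_EMAIL = """From: "IT Helpdesk" <helpdesk@bank-support.example>
To: bob@bank.example
Subject: Password expires today
Date: Tue, 22 Oct 2024 09:05:00 -0500

Reset now: https://bank-support.example/reset
"""

# An attacker who knows the marker header might forge it hoping the SOC ignores
# the message. The id does not match any active campaign, so it goes to review.
FORGED_MARKER_EMAIL = REAL_EMAIL.replace(
    "Date:", f"{SIMULATION_HEADER}: campaign-2023-01\nDate:", 1
)


@dataclass
class ReportTriage:
    """Routes one-click reports and keeps the per-campaign reporter order."""
    active_campaigns: set
    reporters: dict = field(default_factory=dict)    # campaign id -> reporters in arrival order
    review_queue: list = field(default_factory=list)  # items for the security reviewer

    def handle_report(self, reporter: str, raw_email: str) -> dict:
        msg = message_from_string(raw_email)
        marker = msg.get(SIMULATION_HEADER)

        # Only a marker that matches a campaign we know is running counts as a test.
        if marker in self.active_campaigns:
            order = self.reporters.setdefault(marker, [])
            if reporter not in order:              # reporting twice does not improve rank
                order.append(reporter)
            rank = order.index(reporter) + 1
            return {
                "kind": "simulation",
                "campaign": marker,
                "rank": rank,
                "rewarded": rank <= REWARD_SLOTS,
                "message": "Nice catch! That one was our monthly test. Thanks for reporting it.",
            }

        # Everything else, including an unknown/forged marker, is a possible real threat.
        sender = parseaddr(msg.get("From", ""))[1]
        item = {
            "reporter": reporter,
            "from": sender,
            "subject": msg.get("Subject", ""),
            "unknown_marker": marker is not None,  # forged or stale test header: worth a look
        }
        self.review_queue.append(item)
        return {
            "kind": "review",
            "queue_position": len(self.review_queue),
            "message": "Thanks, this has been sent to the security team for review.",
        }


if __name__ == "__main__":
    triage = ReportTriage(active_campaigns={"campaign-2024-10"})
    print(triage.handle_report("alice@bank.example", SIMULATED_EMAIL))
    print(triage.handle_report("bob@bank.example", REAL_EMAIL))
    print(triage.handle_report("carol@bank.example", FORGED_MARKER_EMAIL))
    print(triage.review_queue)
```

In production the "is this really our test" check should lean on something an attacker cannot copy, such as the platform's authenticated API or DKIM-verified sending domain, rather than a header value alone; the point of the example is that the routing decision, not the button, is what turns a report into either a reward or an incident.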
