For as long as they have been in business, banks have been obvious targets for thieves. Yet the fact is, what is stored on the computer hard drive and backup tape or compiled on the data spreadsheet likely is more valuable than the stacked hundred dollar bills tucked away in the teller's drawer.
Realizing that human error is a leading cause of security breaches, Exchange Bank regularly conducts awareness tests on mission-critical topics (yes, dealing with gun-toting bandits is still included). But the main thrust of the initiative is to ensure that the company's 450 employees are practicing secure information handling and are informed of the latest system threats. To pass, workers must achieve a perfect score. If they do not, they re-take the computer-based tutorial until they ace it.
Bob Gligorea, the bank's information security officer, says applying such a no-nonsense approach toward converging data and physical security not only protects customers from potential identity theft and the bank from losing revenue, but it also keeps the company out of the headlines. And in a marketplace that has seen increased media coverage of information breaches because of new public disclosure laws — 22 states, including California, now mandate consumer notification — staying out of the public eye is something to strive for these days.
"We don't want to be on page one of the Santa Rosa Press-Democrat or page B1 of the Wall Street Journal," Gligorea says. "That's pretty much a place we don't want to see our names. It's just too expensive to have a security breach."
But across the verticals, most companies do not seem bent on perfection, experts contend. While most enterprises recognize today's treacherous threat landscape and the need to cultivate security-conscious employees, few enterprises actually have sound awareness training programs in place, says Khalid Kark, a senior analyst with Forrester Research.
Laws lead the way
For some, particularly financial institutions and healthcare organizations, training programs have been deployed for more than three years because of compliance requirements laid out in federal regulations, such as the Gramm-Leach-Bliley (GLB) and Health Insurance Portability and Accountability (HIPAA) Acts.
But the laws are defined generally, leaving the level of execution entirely up to the company. In some cases, that leads to unsatisfactory results.
"A lot of organizations are just trying to get the checkbox done," Kark says. "They have to want to do it."
On average, aside from the high-tech sector and federal government, organizations are not investing the appropriate amount on security awareness training, according to various statistical reports.
"What's surprising is that not a lot of them have put in the effort, time and commitment to make it an effective program," Kark says. "I am constantly surprised by how little we are doing. I think we definitely need to be more proactive. Just putting something on the [company intranet] doesn't mean someone's going to read it — and we've found a lot of times they don't."
There is no denying the value of a thorough training regimen covering both information and physical security, especially in today's climate of increasing financially motivated cybercrimes, said Chris Cook, principal of Security Awareness Inc., a training vendor based in Tampa, Fla.
"Any company that has information worth protecting — whether it's their employee information, their client information or their proprietary information — should have an awareness program," Cook says. "They could be targeted for financial gain by outsiders, by their competitors and, depending on what country they're in, by corporate espionage."
Support for the message
The key to successful workplace training is two-fold, Forrester's Kark says.
First, enterprises must cater the presentation to their employees, offering real-life examples and explaining how being responsible will help the company prosper.
Kark fondly recalls a client — an international beverage company whose name he would not divulge — that built its awareness training around protecting its brand image. This strategy motivated the employees to believe in the product and offered a compelling reason why they should want to protect the company's critical infrastructure.
"The key is tying the awareness training to the business objective," he says.
Second, Kark says, let the company's most effective communicators lead the presentation. While some topics may be complex, security awareness can be boiled down to levels the less technologically savvy can understand.
"I tell my clients, it doesn't have to be the security group leading that [training] group, as long as they have good communication in place," Kark says.
Effectively relaying the message is of paramount importance at Jackson National Life, a Lansing, Mich.-based insurance company with 2,500 employees and $68 billion in total assets, says Jim Carter, director of IT security.
"One of the things we try not to do is speak in acronyms," he says. "You have a lot of non-IT folks in there. We use real-world examples. We're addressing it in terms people can understand. We try to leave the IT portion out."
Experts agree that all employees — from the unpaid college intern to the IT executive to the millionaire CEO — should undergo security awareness training. The theory is that all workers, no matter their connection to the company's bottom line, have access to confidential information in some capacity.
"It doesn't matter if it's the person sweeping the floors that picks up a merger-and-analysis report that's fallen off someone's desk," Cook says. "They need to know that's valuable information that needs to be protected."
Depending on their role within the company, employees might be better served with different types of training, says Lee Futch, product manager for Symantec's Security Awareness Program.
Web-based training works well for the average employee because "it's a good way to track [their] participation and understanding." Meanwhile, executives typically respond better to live seminars, and IT professionals require more intricate courses that provide them with a deeper understanding of the subject matter, Futch says.
"Whatever it ends up being, there's not going to be a one-size-fits-all solution for training," she says.
Companies may view employees as potential risks, but an informed employee is worth exponentially more than any security technology.
"We see employees as the stewards and custodians of our data," Carter says. "In order to help mitigate the risk of the human element, it's important we provide awareness training."
At Jackson National Life, all new employees take an introductory course within three to four weeks of joining the company. The class covers account management, passwords, email use and computer viruses, among other IT security rules of thumb, Carter says. Additionally, the firm offers occasional "lunch-and-learn" events focused on security.
"We have people here from all categories," he says. "We have the folks from the physical plant. We have folks from the legal department. It doesn't matter to us. We're addressing everyone. I think you would be remiss if you didn't do that."
Hitting the new employee with awareness training is pivotal, experts say. New hires are quite impressionable, and companies should want them thinking about security right from the start.
Cover the gamut
As part of Security Awareness Inc.'s training program, used mostly by big businesses and government agencies, 17 topics are covered. Included among them: social engineering, privacy, password construction, identity theft, software/copyright laws, encryption, VPNs, viruses and data backups, Cook says.
Additionally, about 30 percent of the course covers physical security objectives, such as monitoring "equipment placement." So, for example, an outsider cannot easily view a computer screen. Cook says the hope is that those who complete the training will become improved critical thinkers.
"The object of awareness is not just to teach them about security, but to also change the culture of the organization so security is a building process," he says.
A voluntary information security standard published by the International Organization for Standardization is also finally gaining steam, Kark says. Known as ISO/IEC 17799, the standard provides best practice recommendations on IT topics, including security awarness training.
Still, many companies lack in-depth programs, instead choosing to implement bare-bones training courses so they can meet federal requirements set forth in GLBA, HIPAA and the Federal Information Security Management Act.
"It's pretty broad in how it's interpreted," says Luciano "J.R" Santos, vice president of information security at Seattle-based Washington Mutual, which provides awareness training for its 60,000 employees per GLBA guidelines. "I view it as a regulatory checkbox. In order for you to really build a culture, you need to start taking it to the next level to make sure people are retaining information."
"You need to do more targeted training," he adds. "Tell war stories that could impact their world. We bring it home for them. They remember stories, not just facts."
In-house or outsource it?
As security awareness training programs grow in popularity, companies must decide how to formulate courses that could prevent the financial loss and embarrassment of an information security breach.
To that end, many training vendors have popped up to provide companies with organized content covering the major security topics. Some enterprises with large budgets and less available time prefer outsourcing training course development, says Lee Futch, product manager for Symantec's Security Awareness Program.
"A lot of times, large firms will start out doing some [training development] in-house and then realize that is not something that can be done well for an already burdened security officer," she says.
Smaller companies often opt to compile information themselves through the web's plethora of free resources, although Futch says she is not convinced their training programs are effective. In some cases, companies not compelled by federal regulations and audits do not offer any awareness training at all.
Training vendors are effective because they offer evolving web-based e-learning courses customized to a company's needs. The vendors also offer other training materials — such as posters, pamphlets, banners and screensavers — so enterprises can continue to hammer home the message of security. Security Awareness Inc., a Tampa, Fla.-based vendor, offers free games, such as security word scramble and bingo, that replace numbers with pertinent terms.
For the customer?
Probably the most common instance in which a company feels obligated to provide security instruction for its customers is in the case of phishing. The popular scam dupes unsuspecting email recipients every day. Many online retail sites and banks have included information about the scheme on their websites or in monthly statements.
"We just tell them we don't send out emails with links on them," says Bob Gligorea, information security officer for Exchange Bank. "If you get an email that appears to be coming from us that has a link on it, well, don't click on it."
Going forward, the bank is considering starting an awareness training program for customers. Companies who offer something like this could gain "a competitive advantage" over industry foes, says Forrester Research senior analyst Khalid Kark.
"Some security awareness is being driven by customers," Kark says. "They actually want to know what you're doing within your organization. A lot of customers are actually asking for it."