A Business Technology Place

All I ever needed to know about information security awareness training

This week I completed the annual information security awareness training module. This material is now required for every employee of the company as part of the growing compliance controls for information security. Over the past several years, the core content in the training has changed little. So I’m thankful the group making our content updates the modules to give it a fresh look-and-feel each year.

It occurred to me, as I listened to the audio of the training content, I could summarize information security awareness with three important principles I learned as a young child:

  1. Don’t talk to strangers

The most prevalent way criminals steal sensitive information is by taking advantage of our good nature. In fancy-speak, the term is social engineering. The most common examples we experience today are email and phone messages asking us to respond or click. Some attempts I receive are comical, but in recent years they’ve become better disguised. The simplest action is to not respond to any unsolicited communication. But, if you think it’s legitimate, then contact the person or organization on your terms via channels they establish.

  2. Know your address

I remember as a young child learning my address and phone number. It was part of my identity and something I had at all times. In information security we prove our identity by wearing identification badges and signing in at security checkpoints. ID badges are helpful in large building settings so everyone can distinguish me from a visitor or contractor. In simplest terms, knowing my address and who lives and works with me increases my chances of staying safe.

  3. Treat others as you want to be treated

Earlier this year I wrote about the data we see and are exposed to at work. In today’s information age, the most valuable asset we protect is information about people in our systems. This could be employee data or data about other people that our customers share with us. Information security training covers several classifications for data, including NPI, PII, PHI, and PCI. But the key concept is the same in all cases: we should protect this data and hold it confidential. In simple terms, we should treat others’ data as we would want them to treat our personal data. It’s an extension of the Golden Rule, relevant in our information-driven society.

Long live moms and kindergarten teachers.

Onward and upward!


Using online banking to beat phishing

Phishing and spear phishing attacks do more than increase fraud.
The fall-out of criminals impersonating sites that don’t belong to them to trick people into giving up their personal information goes beyond fraud and identity theft statistics. Similar to terrorist attacks, it changes the processes and procedures that law-abiding citizens go through to transact normal business. Basically, it changes our daily routines because the average Joe has to go through and think about extra steps to be security conscious. One example is that consumer advocates and the media coach consumers not to open emails that ask for personal information or ask them to update their account.

So how do you deliver messages to consumers that they can trust?
For banks, brokerages, and credit unions, this makes email a tough digital channel to deliver messaging because the content concerns an account or service from the bank or credit union with personal financial information. What’s the first thing you think when you get an email from your bank that says your monthly statement is ready for viewing? (Click here to open the statement)

The online banking inbox provides a nice alternative for a secure message area.
What makes phishing attacks so deceptive is that the receiver doesn’t truly know the originating source. But the online banking inbox is controlled by the owning financial institution. It’s a place where the account holder trusts the message contents. Now I realize that not everyone uses online banking and that consumers may have a relationship with a financial institution that doesn’t require online banking. So this isn’t an end-all solution, but it can be a piece of an overall communications strategy to consumers.

This idea promotes the use of online banking as a richer resource center.
Online banking areas are growing in service offerings. Financial institutions have filled them with a stack of valuable tools for consumers. Bill pay, funds transfer, financial management tools, tax software, and account opening are a few examples. They do this because online banking is sticky. The more services an account holder uses, the harder it is for them to leave the relationship.

Online banking messages do not require an email address to be delivered.
It’s known in the financial industry that banks and credit unions do not have accurate email lists for their account holders. So the online message center helps with delivery, but it also provides another touch-point to collect the email address from the customer. Financial institutions can ask their account holders to set up their email to be notified when a new message is placed in their online banking inbox. I know, this sounds like double messaging. But remember, the idea is to find a place to put trusted messages about financial accounts, and consumers may not log into online banking as frequently as they check their email account.

So how do you want to receive secure messages?
What’s your preference for receiving sensitive messages that concern your financial accounts? Is there a way to beat the phishing and spear phishing attacks?