Testing Your Employees' Information Security Response and Awareness Levels

How would your employees respond to a phishing email? Would they immediately forward it to your information security officer, or would they shrug it off and hit the delete key? What if they receive a call or voice message from someone asking for what (at the time) seems to be innocuous information on a customer? Have you trained your employees to raise a red flag of suspicion on phone calls or voice mails that don't seem 100 percent legitimate or are coming from an unidentifiable source?
Whether your institution is a small asset-sized bank, savings and loan, credit union, or a multinational financial institution, there is something these institutions have in common: information and money. Criminals will try all sorts of ways to separate that information and money from your institution, through a growing list of malicious software, social engineering techniques, automated attacks, and more. You have to realize that despite your best efforts to create a "lower" security profile for your institution, no matter where your institution is located or how big or small you are, you've got a bull's eye painted dead center on the doors of your building and on your customers.
Phishers are constantly looking for ways to coax well-meaning consumers to open malicious files or divulge personal information. Then the sad tale of identity theft and ruined credit begins, and it never fades to a happy ending.
Awareness plays a key role in preventing staff from falling prey to these attacks. Financial institutions are advised to keep their staff up to date on the latest types of attacks. Use your newsletters, emails and postings to constantly remind your staff of the risks involved in opening emails from unknown senders and in sending out personal information.
Show them the threat identity theft poses to their own personal information, to the institution and, most importantly, to your customers. Check to see if your awareness training program is on target, and take a turn at testing it. Social engineering attempts, suspicious phone calls and emails requesting personal information are all tests to run against your employees. You want to make sure that those on your front lines aren't readily giving away customer information or your institution's information. If staff members respond to a test, treat them gently the first time: take time to explain that while this was only a test, the next email or phone call could be a real criminal trying to get the same kind of information your testers asked for during your "social engineering" test.
You should be quite pleased if a number of employees report your "test" email or phone call as suspicious. Encourage employees to call your information security department whenever their heightened information security awareness "senses" that something just doesn't look right about an incoming email or a customer request.