Posted on 07-Jul-2018


CUSTOMER SECURITY AWARENESS: A Key Defense Against

Corporate Account Takeover & Cyber Fraud

© 2014 InfoSight™

Presented by Tom Garcia, President / CEO, InfoSight, Inc.

What we’ll cover today …

1. The MFA & NACHA Guidance

2. Developing & implementing your program

3. How to make compliance profitable

4. Managing higher-risk commercial clients

5. Available Resources to assist

The FFIEC Guidance Supplement

On June 28th, 2011 the Federal Financial Institutions Examination Council (FFIEC) released a supplement to the 2005 “Authentication in an Internet Banking Environment” guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud.

Effective 1/1/2012

When was Reg-E enacted? 1978

2005 Guidance – the first supplement: Customer Awareness & Education

1. Implement a customer awareness program & evaluate its effectiveness

2. Track the number of statement stuffers or other direct mail communications

3. Track the number of customers who report fraudulent attempts to obtain their authentication credentials

4. Track the dollar amount of losses relating to identity theft, etc.

5. Track the number of clicks on information security links on websites

2011 Guidance: Customer Awareness & Education

A financial institution’s customer awareness & education efforts should address both retail and commercial account holders and, at a minimum:

1. Explain account holder protections relating to electronic funds transfers.

2. Explain under what circumstances, if any, you would contact a customer to request their electronic banking credentials.

3. Suggest to your commercial online banking customers that they periodically perform a risk assessment and controls evaluation.

4. Provide customers with a listing of institutional contacts for security-related events.

When is the best time to tell them? At Enrollment!

2005 vs. 2011: Some observations

The 2011 guidance clearly delineates between the risks associated with consumer vs. business banking. The 2005 guidance did not do this, and many in the industry assumed it was mainly directed towards consumer accounts.

It gives good guidance on considerations for updating risk assessments, and on what environmental and customer changes to take into account when doing so.

It emphasizes a risk-based approach where controls are strengthened as risk increases.

It is an “Awareness Continuum” and requires adjusting to the changing risks posed by cybercriminals.

It recommends that financial institutions take the lead in providing resources where alternative risk control mechanisms can be found, so customers can mitigate their own risk.

Three Key Elements

1. Risk Assessments

2. Layered Security & Anomaly Detection

3. Customer Education & Awareness

Additional notable key points of the guidance

The Guidance applies to both Commercial and Retail Customers.

It applies to both in-house and 3rd-party service providers.

It applies to all Financial Institutions (FIs).

The principles really apply to all forms of electronic banking.

FIs are expected to conduct their own risk assessments and to adjust layered security controls in response to their unique risks.

Risk Assessments must consider some new factors, such as customer type, transaction capabilities, sensitivity of information and transaction volume.

The selection and use of authentication technologies and methods should depend upon the results of the Risk Assessment Process.

FIs should create awareness and educate customers as a key defense against fraud and ID theft.

FIs must have Layered Security, Anomaly Detection and Enhanced Controls.

Since the controls necessary to “comply” are to some extent a subjective judgment that must be made by the FI, we might conclude that the guidance is “descriptive, but not prescriptive.”

The NACHA ACH Security Framework Update

Developing & Implementing an effective Program

Some questions to get started

Three avenues to security awareness – what’s the difference?

              AWARENESS      TRAINING     EDUCATION
Attribute:    “What”         “How”        “Why”
Level:        Information    Knowledge    Insight
Objective:    Recognition    Skill        Understanding

Learning is a continuum; it starts with awareness, builds to training, and evolves into education.

What makes an effective program?

A successful security awareness program consists of:

1. Developing IT security policies that consider business needs, but are tempered by known security threats and in compliance with regulatory guidelines.

2. Informing users of their online responsibilities, as documented in security policies & procedures.

3. Delivery of the materials cross-channel in an effective manner.

4. Establishing processes for monitoring & reviewing the program’s effectiveness.

The time it takes an individual to review an awareness presentation may be the difference between a secure organization & a multimillion dollar breach of security.

Some questions to consider – key questions to help determine the scope of your ISA program

What awareness, training, and/or education is needed?

What eBanking products do we offer?

Do I focus more on commercial or consumer customers?

Do I need a different program for High, Moderate &/or Low Risk Customers?

How many customers will I be training?

What training channels are most effective & efficient?

Involve key functional areas when practical…

Information Security Officer (ISO)

eBanking Manager

Treasury Management

IT Department

Front-line employees

Executive Management

It’s crucial that everyone understands they have a responsibility for information security awareness and training.

Failure to pay attention to information security puts an organization at great risk because security is as much a human issue as it is a technology issue.

Identify your audience

Who do you hope will attend? Identifying who you’re talking to helps you address their specific concerns and banking activities. Content and delivery can differ greatly between consumer and commercial customers.

Commercial: mobile business banking security, wire transfers, best practices for remote workers

Consumer: online banking security, phishing scams, identity theft

“What behavior do we want to reinforce?”

“What do we want the audience to learn and apply?”

An awareness and training program can be effective only if the material is interesting and current. Attendees will pay attention and incorporate what they see or hear in a session if they feel that the material was developed specifically for them.

Developing the program material

Once the awareness and training program has been designed, supporting material can be developed. Material should be developed with the following in mind:

Awareness material can be developed using one theme at a time or created by combining a number of themes or messages. The education is designed to create awareness of specific risks and threats, including the actions required to prevent and remedy security issues.

Program material topics

• Frontline defense: Passwords
• Security awareness: Being diligent
• Defense against online threats
• Avoiding malware
• Advanced malware: Trojan horses, etc.
• Safe social networking
• ACH & Wire Fraud
• Corporate Account Takeover
• Defense against social engineering
• Phishing, spyware & other wares to be aware of
• Cyber security & incident response essentials
• Get smart about identity theft
• Smartphone security
• Mobile device & laptop security
• Safe online shopping
• Secure Transactions
• Hackers’ tricks of the trade & what to watch for
• Encryption: what it is & why it’s necessary
• Safe Internet surfing
• Sharing information
• Understanding cybercrime
• Mission-critical email security
• Safe data backup and secure storage
• AND MUCH MORE!

Do you have the resources to develop your own content?

How to deliver the awareness material

1. Ease of use: (e.g., easy to access and easy to update/maintain)

2. Scalability: (e.g., can be used for various audience sizes and in various locations)

3. Direct communications: (e.g., emails, memos, computer based training, etc.)

4. Indirect communications: (e.g., posters, intranet, brochures, etc.)

• Website content
• Statement stuffers
• Newsletters
• Monthly themed ISA tips
• Onsite security awareness workshops
• Educational webinars
• Web-based ISA training courses
• ISA Posters & branch collaterals
• Screensavers, tips, alert messages
• On-hold scripts & ATM digital messages
• Company-wide email messages
• Security Awareness Days
• Shred Events
• Awards programs
• Videos & games

How to monitor the program

Monitoring Compliance: Once the program has been implemented, processes must be put in place to monitor compliance and program effectiveness.

Track the number of attendees at awareness sessions

Track the number of people trained on a particular topic

Track the number of people yet to attend awareness and training sessions

Compare the number of security incidents reported before & after the program

What other benefit does monitoring have besides compliance reporting?

Protection during litigation!

Steps to planning your ISA program

1. Identify Program Scope, Goals & Objectives
   • Scope – to provide training to both types of customers
   • Goal – to protect customers by increasing security awareness

2. Involving Management & Employees
   • All employees need to be aware of the losses that security awareness can reduce
   • Employees need to comprehend the value of educating customers and be familiar with content

3. Identify Target Audiences
   • Segment audiences according to type of customer

4. Implementing the Program
   • Include efforts to achieve high visibility of the program
   • Methods used to deliver the message to the audience
   • Consider the frequency of training

5. Monitoring the Program
   • Track the trends
   • Observe how well customers follow security procedures
   • Monitor the number & kind of security incidents reported before & after the program

6. Evaluation & Feedback
   • Keep abreast of changes in technology & security requirements
   • Obtain feedback from audiences

The Customer Experience is key! Three factors to weigh: Usability, Cost, Security.

Your customers need to understand that security is as much their responsibility as it is yours.

How do you make Compliance Profitable?

Develop a Customer Security Awareness Program

Acquire content for your website & branch collaterals, newsletters, emails, etc.

Conduct commercial customer security workshops

Create cross-sales & new client onboarding opportunities

Create new revenue opportunities like cyber crime coverage

Drive new product adoption & social media initiatives

Profitable compliance in action

Engage your customers in onsite workshops

Have a “call to action!”

InfoSight’s Customer Awareness Program

• Partner with a subject matter expert

• Prepare your customer list

• Determine how you will invite customers

• Use InfoSight’s email template

• Provide a meal or snacks

• Distribute audience handouts

• Invite your staff

Live and/or pre-recorded webinars

Email templates provided

Provide short videos with ISA tips

Newsletters & Branch Collaterals

Email & Social Media Campaigns

Educate your customers with short ISA articles. Sample topics:
• Understanding cybercrime
• What is malware?
• ID Theft & tax filing tips
• Making secure online transactions
• Payment card security
• How to create a strong password
• Beware of spyware
• Password protect your flash drive
• The social engineering con game
• Securing your home network
• Avoiding Facebook scams
• What are you sharing online?
• And more!

Statement Stuffers & Posters – support your program with print collaterals

Polls & Surveys (e.g., Top 5 Smartphone Security Concerns)

Engage your customers with interactive games

www.MySecurityAwareness.com

Educational resources for:

1. Your commercial customers, and their staff

2. Your retail customers, and their family (youth & kids)

3. Your employees

Monthly Security Theme, Downloadable Security Tools, Videos, games, quizzes, and more! Designed for your commercial & retail customers (For Business / For Consumers).

An effective awareness program checks all 3 boxes: Compliance, Security, Sales Opportunities!

Benefits of InfoSight’s Customer Security Awareness Program

1. Create cross-sales and new-sales opportunities by conducting security workshops.

2. Drive new product adoption such as mobile and/or Cash Management Services.

3. Create new recurring revenue by selling products such as Cyber-Crime Insurance.

4. Onboard new prospective relationships with larger commercial clients by selectively inviting prospects.

5. Integrate with existing Social Media initiatives and/or assist in future efforts.

6. Instill confidence in your customers that doing business with your financial institution electronically is safe.

7. Reduce liability & the risk of litigation.

InfoSight’s CSAP is turnkey offering both full and self-service programs!

A consideration for higher-risk commercial customers: the CSAP Commercial Delivery Portal

Login Page – use your logo and colors to brand it! Customizable: puts you in control by providing an interface that’s branded with your logo.

Welcome page – customer security awareness training portal. Customize and change your message at any time; update headlines and messages at any time or schedule them in advance.

Policies – use the online Policy Repository to provide centralized access and distribution of policies and updates.

Course Folders – courseware is divided into smaller courses so they can be completed in one sitting, enabling the student to retain more information.

Document Library – the online Document Library can act as your own Document Sharing Solution!

Reports

CSAP Commercial Delivery Portal Features

1. Institution-branded portal - include your logo and corporate colors

2. Trackable Policy Acceptance - acquire and track signatures of policy acceptance in digital format or in writing, where necessary

3. Online Document Library - host all your documents in one accessible and centralized location including manuals, policies, procedures, HR forms, DR and emergency contact lists, etc.

4. Compliance Tracking & Reporting - by regulation, student, policy, course

5. Customizable & Automated Messaging System - notify employees of FDIC fraud alerts, IT service alerts, customer service improvement measures, health and benefit plan updates, or other internal communications or events

6. Acts as your own intranet - use it for more than just training purposes

7. Effortless Administration Controls

8. Host your own course material too

Additional Features

Unique features make this training solution like none you’ve ever seen.

Online Risk Assessment

What we covered today …

1. The MFA & NACHA Guidance

2. Developing & implementing your program

3. How to make compliance profitable

4. Managing higher-risk commercial clients

5. Available Resources to assist

Some Takeaways

Remember that the guidance isn’t optional.

Take a proactive approach.

Do what you know you have to do now.

Don’t solely focus on compliance.

Technology alone is not the answer.

Policy-driven controls are also a big part of the puzzle.

Focus on prevention, not just detection.

Train staff to ensure they understand the controls.

Educating customers on “how not to become a victim” can be the greatest protection.

So how can InfoSight help?

MFA & eBanking Security Reviews & Risk Assessments

• Pre-implementation

• Enrollment

• Technology

• Operational Controls

• Customer Awareness Program

eBanking Risk Assessment Gap Analysis

Penetration Testing & Vulnerability Assessments

Virtual ISO Mentoring Programs

Turnkey Customer Awareness Program

CSAP Portal

InfoSight’s Starter Toolkit: Customer Security Awareness Program Toolkit

Request the free toolkit to help you get started: Email: Seminars@InfoSightInc.com

Thank you for attending!

Contact: wtgarcia, InfoSightInc, @TomGarcia_IS, +InfoSightInc
