By Jason Hoenich on May 7, 2019
The truth? Everyone in every industry needs security awareness training—even if you work at a luxury soap market or custom sneaker house. But this goes double for the financial services industry.
Financial institutions are the number one target for cybercriminals, who go after them with ransomware, phishing, and more. Security awareness training might seem like an obvious step for you, but there's more to the story than educating your employees: the same training also helps you meet federal compliance requirements that apply specifically to your industry.
Financial services companies get attacked more than a billion times a year, according to PayPal CEO Dan Schulman, who also serves on the board of Symantec. In 2017 alone, financial services companies lost $16.8 billion to cybercriminals.
Cybercriminals are skimming business payment pages to steal credit card numbers, sending phishing emails to bank employees to harvest logins and other private information, and much more. Some of the major incidents over the past year included:
- October 2018: Cybercriminals got unauthorized access to some of HSBC’s U.S. customer accounts, including names, addresses, contact information, birthdates, account information, and transaction history.
- May 2018: The Bank of Montreal, Canada's fourth-largest bank, was contacted by criminals who claimed to hold data on nearly 50,000 customer accounts. Criminals also claimed to have obtained unauthorized access to the account information of 40,000 customers of the Canadian Imperial Bank of Commerce, the fifth-largest lender in Canada.
If banks are one of the biggest targets for cybercriminals, your employees need the right training, and your culture of security needs to be strong. Unfortunately, in many community banks in particular, a culture of security never gets established because the bank outsources its IT and security to a third party. But outsourcing the technology does not outsource the decisions your own employees make when an email or a phone call lands in front of them. When 28 percent of data breaches are the result of negligent employees, according to an IBM/Ponemon study, training and culture are vital. Don't be reactive; be proactive and preempt the problems.
What is security awareness training?
Security awareness training gives employees the knowledge and tools to recognize and respond to the security threats they are most likely to meet on the job, including:
- Phishing scams
- Desktop security
- Wi-Fi security
- Password security
- And more!
And it doesn't have to be PowerPoints, quizzes, and mind-numbing speakers all day every day. Pick a security awareness partner who delivers engaging, fun, meaningful, and (dare we say) hilarious training videos that your employees will actually watch, and that change behavior for the better.
Now that you’re sold on security awareness training, let’s look at how you can also achieve compliance in the process.
What’s the Gramm-Leach-Bliley Act (GLBA) got to do with it?
Enter the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999! Enforced by the Federal Trade Commission (FTC), federal banking agencies, and other federal regulatory bodies, as well as state insurance oversight agencies, this law requires that financial institutions explain how they share and protect nonpublic personal information (NPI), including:
- Social Security numbers
- Credit and income histories
- Credit and bank card account numbers
- Phone numbers and addresses
To achieve compliance with GLBA, financial organizations need to:
- Communicate to customers how they share data
- Inform customers of the right to opt out of sharing with third parties
- Apply specific protections to private data based on an InfoSec plan created by the financial institution
On that last note, the plan is mandated by the Safeguards Rule, which the FTC issued in 2002. The plan has to be written down and tailored to your institution's size, operations, complexity, and the sensitivity of the NPI it handles. The Safeguards Rule requires you to designate one or more employees to coordinate the program (that's you!), and it names employee training and management as one of the areas your risk assessment must cover. Some other specifics you'll need in your plan:
- Identify and assess the risks to customer information throughout the company and assess how effective current safeguards are.
- Design and implement a safeguards program and regularly monitor and test it.
- Oversee your service providers: select partners capable of maintaining the safeguards, and require them by contract to do so.
- Make sure your plan is agile so you can pivot for changes, including business operation changes, new security threats, or anything that changes in your security ecosystem.
So, the tl;dr (too long; didn't read) is that GLBA compliance means you not only have to create a written plan and strategy for protecting NPI, but you also have to deliver security awareness training so that your employees can actually carry out that plan. Do both, and compliance follows.
If ensuring GLBA compliance sounds like a lot, just breathe. Compliance and security awareness training are an important part of your job, and meeting compliance requirements doesn’t mean breaking the bank. We know how to help you build a security awareness training program to ensure you’re compliant, and we promise we won't bore you or your employees to tears.
Check out our Financial Services Industry Case Study to see how we helped one financial institution turn up the volume on its security awareness culture, win over employees, and create a company culture around security.