CUSTOMER SECURITY AWARENESS: A Key Defense Against Corporate Account Takeover & Cyber Fraud © 2014 InfoSight™ Tom Garcia President / CEO InfoSight, Inc. Presented by

Post on 07-Jul-2018

Page 1: CUSTOMER SECURITY AWARENESS - prodevmedia.com… · Implement a customer awareness program & evaluate ... What eBanking products do we offer? ... Develop Customer Security Awareness

CUSTOMER SECURITY AWARENESS: A Key Defense Against Corporate Account Takeover & Cyber Fraud

Presented by

Tom Garcia
President / CEO
InfoSight, Inc.

© 2014 InfoSight™

Page 2

What we’ll cover today …

1. The MFA & NACHA Guidance

2. Developing & implementing your program

3. How to make compliance profitable

4. Managing higher-risk commercial clients

5. Available Resources to assist

Page 3

The FFIEC Guidance Supplement

On June 28th, 2011 the Federal Financial Institutions Examination Council (FFIEC) released a supplement to the 2005 “Authentication in an Internet Banking Environment” guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud.

Effective 1/1/2012

When was Reg-E enacted? 1978

Page 4

Customer Awareness & Education

2005 Guidance – the first supplement

1. Implement a customer awareness program & evaluate its effectiveness

2. Track the number of statement stuffers or other direct mail communications

3. Track the number of customers who report fraudulent attempts to obtain their authentication credentials

4. Track the dollar amount of losses relating to identity theft, etc.

5. Track the number of clicks on information security links on websites

Page 5

Customer Awareness & Education

2011 Guidance

A financial institution’s customer awareness & education efforts should address both retail and commercial account holders and, at a minimum:

1. Explain account holder protections relating to electronic funds transfers.

2. Explain under what circumstances, if any, you would contact a customer to request their electronic banking credentials.

3. Suggest to your commercial online banking customers that they periodically perform a risk assessment and controls evaluation.

4. Provide customers with a listing of institutional contacts for security-related events.

When is the best time to tell them? At Enrollment!

Page 6

2005 vs. 2011: Some observations

The 2011 guidance clearly delineates between the risks associated with consumer vs. business banking. The 2005 guidance did not do this, and many in the industry assumed it was mainly directed towards consumer accounts.

It gives good guidance on considerations for updating risk assessments, and on what environmental and customer changes to take into account when doing so.

It emphasizes a risk-based approach where controls are strengthened as risk increases.

It is an “Awareness Continuum” and requires adjusting to the changing risks posed by cybercriminals.

It recommends that financial institutions take the lead in providing resources where alternative risk control mechanisms can be found, so customers can mitigate their own risk.

Page 7

Three Key Elements

Risk Assessments

Layered Security & Anomaly Detection

Customer Education & Awareness

Page 8

Additional notable key points of the guidance

The Guidance applies to both Commercial and Retail Customers

It applies to both In-house and 3rd party Service Providers

It applies to all Financial Institutions (FIs)

The principles really apply to all forms of electronic banking

FIs are expected to conduct their own risk assessments and to adjust layered security controls in response to their unique risks

Risk Assessments must consider some new factors, such as customer type, transaction capabilities, sensitivity of information and transaction volume

The selection and use of authentication technologies and methods should depend upon the results of the Risk Assessment Process

FIs should create awareness and educate customers as a key defense against fraud and ID theft

FIs must have Layered Security, Anomaly Detection and Enhanced Controls

Since the controls necessary to “comply” are to some extent a subjective judgment that must be made by the FI, we might conclude that the guidance is “descriptive, but not prescriptive.”

Page 9

The NACHA ACH Security Framework Update

Page 10

Developing & Implementing an effective Program

Page 11

Some questions to get started

Page 12

Three avenues to security awareness

What’s the difference?

              AWARENESS      TRAINING     EDUCATION
Attribute:    “What”         “How”        “Why”
Level:        Information    Knowledge    Insight
Objective:    Recognition    Skill        Understanding

Learning is a continuum; it starts with awareness, builds to training, and evolves into education.

Page 13

What makes an effective program?

A successful security awareness program consists of:

1. Developing IT security policies that consider business needs, but are tempered by known security threats and in compliance with regulatory guidelines.

2. Informing users of their online responsibilities, as documented in security policies & procedures.

3. Delivery of the materials cross-channel in an effective manner.

4. Establishing processes for monitoring & reviewing the program’s effectiveness.

The time it takes an individual to review an awareness presentation may be the difference between a secure organization & a multimillion dollar breach of security.

Page 14

Some questions to consider

Key questions to help determine the scope of your ISA program:

What awareness, training, and/or education is needed?

What eBanking products do we offer?

Do I focus more on commercial or consumer customers?

Do I need a different program for High, Moderate &/or Low Risk Customers?

How many customers will I be training?

What training channels are most effective & efficient?

Page 15

Involve key functional areas when practical…

Information Security Officer (ISO)

eBanking Manager

Treasury Management

IT Department

Front-line employees

Executive Management

It’s crucial that everyone understands they have a responsibility for information security awareness and training.

Failure to pay attention to information security puts an organization at great risk because security is as much a human issue as it is a technology issue.

Page 16

Identify your audience

Who do you hope will attend? Identifying who you’re talking to helps you address their specific concerns and banking activities. Content and delivery can differ greatly between consumer and commercial customers.

Commercial: mobile business banking security, wire transfers, best practices for remote workers

Consumer: online banking security, phishing scams, identity theft

Page 17

Developing the program material

Once the awareness and training program has been designed, supporting material can be developed. Material should be developed with the following in mind:

“What behavior do we want to reinforce?”

“What do we want the audience to learn and apply?”

An awareness and training program can be effective only if the material is interesting and current. Attendees will pay attention and incorporate what they see or hear in a session if they feel that the material was developed specifically for them.

Page 18

Program material topics

Awareness material can be developed using one theme at a time or created by combining a number of themes or messages. The education is designed to create awareness of specific risks and threats, including the actions required to prevent and remedy security issues.

• Frontline defense: Passwords
• Security awareness: Being diligent
• Defense against online threats
• Avoiding malware
• Advanced malware: Trojan horses, etc.
• Safe social networking
• ACH & Wire Fraud
• Corporate Account Takeover
• Defense against social engineering
• Phishing, spyware & other wares to be aware of
• Cyber security & incident response essentials
• Get smart about identity theft
• Smartphone security
• Mobile device & laptop security
• Safe online shopping
• Secure Transactions
• Hackers’ tricks of the trade & what to watch for
• Encryption: what it is & why it’s necessary
• Safe Internet surfing
• Sharing information
• Understanding cybercrime
• Mission-critical email security
• Safe data backup and secure storage
• AND MUCH MORE!

Do you have the resources to develop your own content?

Page 19

How to deliver the awareness material

1. Ease of use: (e.g., easy to access and easy to update/maintain)

2. Scalability: (e.g., can be used for various audience sizes and in various locations)

3. Direct communications: (e.g., emails, memos, computer based training, etc.)

4. Indirect communications: (e.g., posters, intranet, brochures, etc.)

• Website content
• Statement stuffers
• Newsletters
• Monthly themed ISA tips
• Onsite security awareness workshops
• Educational webinars
• Web-based ISA training courses
• ISA Posters & branch collaterals
• Screensavers, tips, alert messages
• On-hold scripts & ATM digital messages
• Company-wide email messages
• Security Awareness Days
• Shred Events
• Awards programs
• Videos & games

Page 20

How to monitor the program

Monitoring Compliance: Once the program has been implemented, processes must be put in place to monitor compliance and program effectiveness.

Track the number of attendees at awareness sessions

Track the number of people trained on a particular topic

Track the number of people yet to attend awareness and training sessions

Compare the number of security incidents reported before & after the program

What other benefit does monitoring have besides compliance reporting?

Protection during litigation!

Page 21

Steps to planning your ISA program

1. Identify Program Scope, Goals & Objectives
• Scope – to provide training to both types of customers
• Goal – to protect customers by increasing security awareness

2. Involve Management & Employees
• All employees need to be aware of the losses that security awareness can reduce
• Employees need to comprehend the value of educating customers and be familiar with the content

3. Identify Target Audiences
• Segment audiences according to type of customer

4. Implement the Program
• Include efforts to achieve high visibility for the program
• Choose the methods used to deliver the message to the audience
• Consider the frequency of training

5. Monitor the Program
• Track the trends
• Observe how well customers follow security procedures
• Monitor the number & kind of security incidents reported before & after the program

6. Evaluation & Feedback
• Keep abreast of changes in technology & security requirements
• Obtain feedback from audiences

Page 22

The Customer Experience is key!

Usability / Cost / Security

Your customers need to understand that security is as much their responsibility as it is yours.

Page 23

How do you make Compliance Profitable?

Page 24

Profitable compliance in action

Develop Customer Security Awareness Program

Acquire content for your website & branch collaterals, newsletters, emails, etc.

Conduct commercial customer security workshops

Create cross-sales & new client onboarding opportunities

Create new revenue opportunities like cyber crime coverage

Drive new product adoption & social media initiatives

Page 25

InfoSight’s Customer Awareness Program

Engage your customers in onsite workshops

• Partner with a subject matter expert

• Prepare your customer list

• Determine how you will invite customers

• Use InfoSight’s email template

• Provide a meal or snacks

• Distribute audience handouts

• Invite your staff

Have a “call to action!”

Page 26

InfoSight’s Customer Awareness Program

Live and/or pre-recorded webinars

Email templates provided

Page 27

InfoSight’s Customer Awareness Program

Provide short videos with ISA tips

Page 28

InfoSight’s Customer Awareness Program

Newsletters & Branch Collaterals

Page 29

InfoSight’s Customer Awareness Program

Email & Social Media Campaigns

Page 30

InfoSight’s Customer Awareness Program

Educate your customers with short ISA articles

Sample topics:
• Understanding cybercrime
• What is malware?
• ID Theft & tax filing tips
• Making secure online transactions
• Payment card security
• How to create a strong password
• Beware of spyware
• Password protect your flash drive
• The social engineering con game
• Securing your home network
• Avoiding Facebook scams
• What are you sharing online?
• And more!

Page 31

InfoSight’s Customer Awareness Program

Support your program with print collaterals

Statement Stuffers

Posters

Page 32

InfoSight’s Customer Awareness Program

Polls & Surveys

Top 5 Smartphone Security Concerns

Page 33

InfoSight’s Customer Awareness Program

Engage your customers with interactive games

Page 34

MySecurityAwareness.com

www.MySecurityAwareness.com

For your customers

Educational resources for:

1. Your commercial customers
• And their staff

2. Your retail customers
• And their family (youth & kids)

3. Your employees

Monthly Security Theme

Downloadable Security Tools

Videos, games, quizzes, and more!

Page 35

Designed for your commercial & retail customers

For Business

For Consumers

Page 36

An effective awareness program checks all 3 boxes!

Compliance

Security

Sales Opportunities

Page 37

Benefits of InfoSight’s Customer Security Awareness Program

1. Create cross-sales and new-sales opportunities by conducting security workshops.

2. Drive new product adoption such as mobile and/or Cash Management Services.

3. Create new recurring revenue by selling products such as Cyber-Crime Insurance.

4. Onboard new prospective relationships with larger commercial clients by selectively inviting prospects.

5. Integrate with existing Social Media initiatives and/or assist in future efforts.

6. Instill confidence in your customers that doing business with your financial institution electronically is safe.

7. Reduce liability & the risk of litigation.

InfoSight’s CSAP is turnkey, offering both full and self-service programs!

Page 38

A consideration for higher risk commercial customers

Page 39

CSAP Commercial Delivery Portal

Login Page

Use your logo and colors to brand it!

Customizable! Puts you in control by providing an interface that’s branded with your logo

Page 40

Customer security awareness training portal

Welcome page

Customize and change your message at any time

Update headlines and messages at any time or schedule them in advance

Page 41

CSAP Commercial Delivery Portal

Policies

Use the online Policy Repository to provide centralized access and distribution of policies and updates.

Page 42

CSAP Commercial Delivery Portal

Course Folders

Courseware is divided into smaller courses so they can be completed in one sitting, enabling the student to retain more information.

Page 43

CSAP Commercial Delivery Portal

Document Library

The online Document Library can act as your own Document Sharing Solution!

Page 44

CSAP Commercial Delivery Portal

Reports

Page 45

CSAP Commercial Delivery Portal Features

Additional Features

1. Institution-branded portal - include your logo and corporate colors

2. Trackable Policy Acceptance - acquire and track signatures of policy acceptance in digital format or in writing, where necessary

3. Online Document Library - host all your documents in one accessible and centralized location including manuals, policies, procedures, HR forms, DR and emergency contact lists, etc.

4. Compliance Tracking & Reporting - by regulation, student, policy, course

5. Customizable & Automated Messaging System - notify employees of FDIC fraud alerts, IT service alerts, customer service improvement measures, health and benefit plan updates, or other internal communications or events

6. Acts as your own intranet - use it for more than just training purposes

7. Effortless Administration Controls

8. Host your own course material too

Unique features make this training solution like none you’ve ever seen.

Page 46

Online Risk Assessment

Page 47

What we covered today …

1. The MFA & NACHA Guidance

2. Developing & implementing your program

3. How to make compliance profitable

4. Managing higher-risk commercial clients

5. Available Resources to assist

Page 48

Some Takeaways

Remember that the guidance isn’t optional

Take a proactive approach

Do what you know you have to do now

Don’t solely focus on compliance

Technology alone is not the answer

Policy-driven controls are also a big part of the puzzle

Focus on prevention, not just detection

Train staff to ensure they understand the controls

Educating customers on “how not to become a victim” can be the greatest protection

Page 49

So how can InfoSight help?

MFA & eBanking Security Reviews & Risk Assessments
• Pre-implementation
• Enrollment
• Technology
• Operational Controls
• Customer Awareness Program

eBanking Risk Assessment Gap Analysis

Penetration Testing & Vulnerability Assessments

Virtual ISO Mentoring Programs

Turnkey Customer Awareness Program

CSAP Portal

Page 50

InfoSight’s Starter Toolkit

Request the free toolkit to help you get started:

Customer Security Awareness Program Toolkit

Email: [email protected]

wtgarcia

InfoSightInc

@TomGarcia_IS

+InfoSightInc

Thank you for attending!