IT Security Awareness in Finance – “People are the weak link”
By Philip M. Cronin, CISSP, and Bruce Eissner
Technical improvements, but…
There have been dramatic improvements in IT security technology in the last few years. IT security experts point to a substantial list of technological innovations that includes Intrusion Detection and Prevention Systems; End-point Security Policy Enforcement/Quarantine; Biometrics; Centralized Security Management (in house or outsourced); Computer Forensic Technology; In/Out-bound Content Management; and more.
However, the human factor in security has not improved at anything like the rate of the technology. In fact, security experts contend, with evidence, that modest gains in human (employee) security awareness have been outstripped by new cons like phishing, spyware and a growing batch of cleverly social-engineered email worms.
“Lack of internal security awareness is still one of our biggest threats. Technology can reduce risks to a point, but it is people who are the weakest link,” contends a participant quoted in Deloitte's 2004 “Global Security Survey.” Studies and actual audit data from March 2005 strongly support this fear (see box).
35% of IRS managers and employees would compromise their passwords, says the Treasury Inspector General for Tax Administration (TIGTA):

“We placed telephone calls to 100 managers and employees and posed as Information Technology helpdesk personnel seeking assistance to correct a network problem. Under this scenario, we asked the employees to provide their network login name and temporarily change their password to one we suggested. We were able to convince 35 managers and employees to provide us their user account names and change their passwords. Using our test scenario, a hacker or disgruntled employee could obtain usernames and passwords to gain unauthorized access to the IRS systems.” [1]
Regulations require training: The Gramm-Leach-Bliley Act (GLBA) of 1999 requires IT security awareness training for all employees of financial service providers, including all companies "engaging in financial activities." Examples of organizations that are affected by these rules include insurance agencies, tax preparers, finance companies, collections agencies, leasing agencies, travel agencies and financial advisors. Moreover, other regulations, the US Bank Secrecy Act (BSA) and the USA PATRIOT Act, also specifically require financial institutions to conduct ongoing, updated training for their personnel.
If the “people” don't buy in, the strategy will not work: The financial vertical, always a benchmark for best practices, has invested heavily in IT security, as it should. However, enterprise analysts, citing the adage that security rests on an equal triad of “People, Policies and Technology,” suggest that too much reliance is placed on technology and that the “People” part of the triad has been lost from view. Simply put, an investment in technology will not pay off unless there is widespread commitment from everyone in the enterprise. In one study of the financial vertical, 80% of the respondents reported that they have an information security strategy. However, when asked whether line and functional leaders led and embraced that strategy, only 47% answered “yes.” (ibid, Deloitte)
Awareness guidelines are available: There is no shortage of sound guidance for IT security awareness training. The Computer Security Act of 1987 mandated NIST and OPM to create guidance for computer security awareness and training. Additional requirements are laid out in FISMA, and NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," identifies four critical steps for training and awareness, from assessing needs to post-implementation feedback and adjustment. Further requirements are laid out in Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model." The learning continuum modeled in this guidance describes the relationship between awareness, training, and education. The publication also describes a methodology for developing training courses for a number of different audiences, from line staff to executives, that have significant information security responsibilities. More is on the way. Specific training and general awareness are raising concerns within many agencies and among regulators who realize that technology will not help if users and managers, the “people,” do not take security steps as well.
FFIEC on Security Awareness Training

“Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and should strengthen compliance with the security policy. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.” Further, it states, “Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.”
For buy-in, generic training is not enough: Training materials typically review acceptable-use policies and cover issues like desktop security, log-on requirements, password administration guidelines, etc. Equally important, training should also deal with social engineering and the policies and procedures that protect against social engineering attacks.
The challenge is to ensure that training is effective. Each institution has not only its own policies and its own technology but also its own culture, and effective training must be tailored to all three. Moreover, institutional security training should leave a lasting result that is tested by feedback and reinforced by periodic renewal.
Beyond straightforward compliance, effective security training creates real value. It makes an existing investment in technology more effective. It helps to make information security staff more efficient and effective. It builds awareness, and it measurably reduces the risk to the business, not only from known attack sources but also from suspicious events of any nature that an alert employee will now report.
There are some basic principles that will ensure this result:
Experienced teachers of adults know that an audience of grown-ups responds to real examples and that the examples must be put in the context of their own work and personal lives. Adult learners like to know about events that they can understand. As adults, they may resist theory, and they are unlikely to accept authority without question; but they do absorb quickly the lessons that have been learned the ‘hard way,’ especially by others. Thus, for IT Security Awareness Training to be effective, the teacher needs to use meaningful current events to answer even basic questions like:
- Why must I have such a complex password?
- What should I do if a technician calls and asks for my password?
- How should I treat email attachments and why?
- What would the Bagle worm look like?
(In addition to newsworthy events, real-world, documented examples, from such sources as the U.S. Secret Service and CERT® Coordination Center in “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector,” August 2004, can be useful in a security training curriculum.)
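The first question above, “Why must I have such a complex password?”, is best answered with numbers. The following is an added example, not part of the article, that puts a figure on the offline guessing work a password forces on an attacker and shows why a brute-force estimate alone misleads: a “complex-looking” password built from a dictionary word with substitutions falls to a wordlist long before its keyspace matters. The guess rate (1e9 per second) and the five-entry wordlist are illustrative assumptions standing in for a real cracking rig and a real multi-million-entry list.

```python
"""Added example (not from the article): how password length, character mix
and predictability change the work an offline guessing attack needs.
The guess rate and the tiny wordlist are illustrative assumptions."""
import math

# Printable-ASCII character classes and their sizes
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed stand-in for a real cracking wordlist (which has millions of entries)
WORDLIST = {"password", "welcome", "letmein", "qwerty", "summer2005"}

# Undo the 'leet' substitutions that cracking rules try automatically
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def classes_used(password: str) -> set:
    """Which character classes appear in the password."""
    used = set()
    for c in password:
        if c.islower():
            used.add("lower")
        elif c.isupper():
            used.add("upper")
        elif c.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def charset_size(password: str) -> int:
    """Alphabet an attacker must brute-force if they know only the classes used."""
    return sum(CLASS_SIZES[k] for k in classes_used(password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force strength in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def is_dictionary_word(password: str) -> bool:
    """Normalise substitutions and trailing digits, then look the word up,
    which is what a cracker's wordlist-plus-rules pass does first."""
    base = password.lower().translate(LEET).rstrip("0123456789")
    return base in WORDLIST or password.lower() in WORDLIST


def expected_crack_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Expected time to recover the password offline.
    Dictionary-derived passwords fall during the wordlist pass; otherwise the
    attacker hits the password on average halfway through the keyspace.
    1e9 guesses/s is an assumed rate for a fast unsalted hash; a slow
    password hash (bcrypt, scrypt, Argon2) cuts it by orders of magnitude."""
    if is_dictionary_word(password):
        return len(WORDLIST) / guesses_per_second
    return keyspace(password) / 2 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3g} seconds"


def report(passwords, guesses_per_second: float = 1e9) -> list:
    """One row per password: (password, length, bits, estimated crack time)."""
    return [(pw, len(pw), round(entropy_bits(pw), 1),
             humanize(expected_crack_seconds(pw, guesses_per_second)))
            for pw in passwords]


if __name__ == "__main__":
    for row in report(["password", "P@ssw0rd", "Tr0ub4dor&3",
                       "correct horse battery staple"]):
        print(*row, sep="\t")
```

The contrast to show a class is the second and third rows: “P@ssw0rd” uses all four character classes and scores a respectable number of bits, yet it is cracked in the wordlist pass, while a longer passphrase of plain lowercase words is out of reach of brute force. Length and unpredictability, not symbols alone, are what the complexity rule is really asking for.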
[Figure: sample Bagle worm email]
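The third question, “How should I treat email attachments and why?”, can be backed by the same rules a mail gateway applies. The following is an added example, not part of the article or of any product it describes, that parses a constructed worm-style message with Python's standard email library and triages each attachment: executables are blocked, executables disguised with a benign-looking double extension and whitespace padding are called out, archives (which mass-mailers used to smuggle executables past filters) are quarantined for inspection. The extension sets and the sample message are constructed for illustration.

```python
"""Added example (not from the article): triage rules for inbound email
attachments of the kind that carried mass-mailing worms. The extension
lists and the sample message below are constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "cpl"}
# Containers that can hide an executable from a naive extension check
ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Extensions a user expects to be harmless, used as the decoy in double extensions
BENIGN_LOOKING_EXTS = {"pdf", "doc", "xls", "txt", "jpg", "gif", "htm", "html"}


def classify_attachment(filename: str) -> str:
    """Return 'block: ...', 'quarantine: ...' or 'allow' for an attachment name."""
    # Collapse whitespace padding used to push the real extension out of view
    name = " ".join(filename.lower().split())
    parts = [p.strip() for p in name.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and parts[-2] in BENIGN_LOOKING_EXTS:
            return f"block: executable disguised with double extension (.{parts[-2]}.{ext})"
        return f"block: executable attachment (.{ext})"
    if ext in ARCHIVE_EXTS:
        return "quarantine: archive, contents must be scanned before release"
    if not ext:
        return "quarantine: no extension, type unknown"
    return "allow"


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return (filename, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts.append((name, classify_attachment(name)))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed message in the terse style of worm mail: a one-line body
    and three attachments, one of them a padded double-extension executable."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.com"   # hypothetical sender
    msg["To"] = "teller@example.com"       # hypothetical recipient
    msg["Subject"] = "Hi"
    msg.set_content("Test =)")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="photo.jpg     .exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="statement.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name!r}: {verdict}")
```

The filename rule is deliberately the user's rule as well: look at the last extension, not the first, and treat any archive from an unexpected sender as suspect until it has been scanned. A gateway would add content-type sniffing (the `MZ` and `PK` magic bytes in the sample payloads) so that a renamed executable does not slip through on its name alone.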
The key factor for success is getting people to take collective, collegial ownership of security awareness. In smaller companies, this can be facilitated in small classes, usually of no more than 20 people, using engaging materials, including exercises, that help participants buy into policies and procedures. For larger companies, the challenges are somewhat more complex, because the distance between security administrators and staff seems to be greater. Employees of large financial enterprises often complain about the “compliance people,” who appear to be a cross between an alien civilization that has invaded their business and a spying police force that is keeping them from pursuing that business. Security awareness training should be differentiated from other compliance issues. While some compliance requirements may feel like impositions, it is not difficult for personnel to grasp the need to repel intruders and even to be vigilant about the threats from internal tampering. Even in the largest organizations, training must ensure that every responsible person has a real sense of his or her role. Bigger companies often have a stronger ingrained, unwarranted faith in technology, and the challenges of building the “people” aspect of security awareness can consequently be greater. But they can be overcome.
In summary, training needs to emphasize “awareness,” not just “security.” For adult learners, mere “security” can seem to be something that is managed by someone or something else. But “awareness” is a posture that they can adopt, and one that they like.
Security Awareness Topics in Financial Institutions

Email Use
- Dangers of attachments (with real-life examples)
- GLBA requirements
- Privacy expectations
- Email and communications with credit union members
- Spam dangers

Encryption
- GLBA data requirements
- Common examples and mistakes

Log-on and Access Control
- Password complexity (with examples of ‘time-to-crack’)
- Password games and mnemonics
- Password aging
- Password sharing
- Screen locking

Bank Fraud and IT Systems
- Findings from the FBI/SANS IT Bank Fraud Report (with real-life examples)
- Warning signs

Malware
- Viruses (with real-life examples)
- Worms (with real-life examples)
- Trojans (with real-life examples)
- Spyware (with real-life examples)
- Adware
- Web bots
- Cookies

Phishing in Financial Institutions
- Dangers of phishing in the financial industry (with real-life examples)
- Dangers of identity theft
- Talking to your members

Social Engineering in Financial Institutions
- Examples from the financial industry
- Examples gained from the client's web site and document grinding
- Warning signs
- Conduct a role-playing exercise

Desktop Security
- Firewalls
- Malware tools
- Patching and updates
- Peer-to-peer dangers
- Network file shares

IT Acceptable Use Policies
- Email
- Web browsing
- Expectations of privacy

Special Topics
- Remote access
- Laptop use and special precautions
- Wireless access
- Data leakage with portable memory devices (flash drives, iPods, etc.)
- Writing CDs/DVDs
- Software download and/or installation
[1] IRS audit by the Treasury Inspector General for Tax Administration, Audit # 200420035