Security training and awareness
How are finance organizations implementing security training and business processes?
To become compliant and keep data safe, you need to do more than have the right technology in place. User security is, by its very nature, human-based, so technology should go hand in hand with effective training and business processes — with equal attention to all three. This section uncovers some shocking statistics from businesses on both sides of the Atlantic that are not placing enough importance on the human aspect of security.
The increasing importance of training in compliance requirements
An engaging training programme is vital to security awareness and can significantly improve compliance.
PCI DSS in the UK places much more importance on training now than before. As of June 2015, Requirement 9.9 states that organizations that handle cardholder data must “train personnel to be aware of suspicious activity” when conducting “periodic inspections of point-of-sale devices to detect tampering.” Before June 2015, training was not a specific requirement but was a form of “best practice”. On a wider training scale, organizations must implement a formal security awareness program to make all personnel aware of the importance of cardholder data security, according to Requirement 12.6.
Chapter 6.2 in the FCA’s Financial crime: a guide for firms, part 2 document has a section dedicated to training and awareness. It details areas of best practice including “innovative training and awareness campaigns”, “Simple, memorable and easily digestible guidance for staff on good data security practice” and “testing of staff understanding of data security policies on induction and once a year after that.”
In the US, the Safeguards Rule from GLBA requires organizations that deal with customer money to produce a written information security plan — of which employee management and training is a part. Companies should train employees to “take basic steps to maintain the security, confidentiality, and integrity of customer information, including not sharing or openly posting employee passwords in work areas, and reporting suspicious attempts to obtain customer information to designated personnel.”
Companies are falling short with training
Despite clear guidance from compliance requirements in the UK and US, organizations are still well behind an acceptable level of security education. Alarmingly, just 37% of UK organizations provide ongoing training sessions — and while organizations in the US fare a little better at 52%, customers would still rightly be worried by these results.
Tough reprimands for leaking or stealing information can obviously dissuade malicious activity, but many employees are unaware of what would happen to them if their employer caught them in the act. Just 48% of US and 30% of UK employees are aware that their company responds swiftly to suspicious activity on the network, and only 45% of US and 27% of UK employees are aware of the penalties their company would impose.
Processes, policies and procedures
Business processes, procedures and policies provide structure and regularity when it comes to user security.
What the compliance requirements are with regard to processes
The 12th and final Requirement of PCI DSS is dedicated entirely to maintaining “a policy that addresses information security for all personnel.” Security policies and procedures must “clearly define information security responsibilities for all personnel” and organizations must “review their security policy at least annually.”
The FCA recommends that organizations perform regular internal audits that review data security covering “all relevant areas of the business including IT, HR, training and awareness, governance and third-party suppliers.”
The GLBA Safeguards Rule, which also governs what organizations do with regard to employee training, requires that financial institutions “do a risk analysis on their current processes.”
SOX in the US places a great deal of importance on senior responsibility when it comes to security. Section 302 states that “signing officers (principal executive officers, principal executive finance officers or equivalent, so likely a CEO or CFO) are responsible for establishing and maintaining internal controls.” Section 404 states that companies must produce an annual internal control report that states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
Why companies need to do more to implement security procedures
While the terms “policies” and “procedures” can mean different things to different organizations, companies across the UK and US are still falling short of basic security checks that are applicable to all organizations.
Just 68% of those we surveyed in the US and 57% of those in the UK are even aware of the existence of a documented information security policy in their organization. Furthermore, just 44% of US and 26% of UK employees are aware that their company regularly produces security audit reports. These figures only report awareness, so the actual figures of whether companies do produce documented security policies or audits may be higher — but if that’s the case, then senior management isn’t communicating procedures with employees effectively, which is a worry in itself. Policy communication with everyone in an organization helps reinforce the importance of security and may even dissuade malicious activity from those who realise they may get caught.
With regard to responsibility for security, organizations could be accused of playing a game of hot potato. Just 53% of US and 34% of UK employees state that their company clearly defines roles and responsibilities, 56% in the US and 34% in the UK know who to report a security breach to, and, more worryingly, only 41% in the US and 25% in the UK believe that senior management takes responsibility for information security.