Security Awareness: How to Create an Effective Program for Employees
At Nu Union Credit Union in Lansing, Mich., MaryAnne MacIntosh oversees a program that educates everyone from the board of directors to customer service reps. And her program has not only changed the security environment within the credit union branches, but also has altered how employees approach security in their private lives. Read this interview for insights on:
- How she created this program;
- Elements of security awareness;
- Challenges in delivering the training;
- What's next?
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. Today the discussion is security awareness, and I'm talking with MaryAnne MacIntosh, System Security Administrator with Nu Union Credit Union in Lansing, Michigan. Now MaryAnne, we've talked some about what you've done in terms of security awareness. Give me a sense of when you started at the credit union. What was the level of security awareness talked down?
MARYANNE MACINTOSH: Well, the level of security awareness when I started 16 years ago was only for new hires, and we had broadened that to make it so that you know it wasn't just new hires. It was actually annual and giving them the information that they actually needed on a regular basis.
FIELD: So, you've got an annual training program now, and you are training everybody from the board members to the people out in the branches that are working with the customers, correct?
MACINTOSH: Oh, definitely. You have to make sure that everybody gets it. It's not just for management. It's not just for the front line. It's not just for the board. You have to let them know what the new threats are out there. You have to let them know what the new vulnerabilities are. You have to communicate that, because if you don't, then they are going to be unaware and they are going to be leaving holes in the credit union.
FIELD: What specifically spurred you to create this ongoing training program?
MACINTOSH: Well, there are always new security risks out there. You know, they are coming in at a faster pace. They are coming in daily, and if the staff is not aware of the new security risks that are out there, they can't help protect the credit union. It is everyone's responsibility. You know, just because I have the title doesn't mean that I'm the only one responsible.
FIELD: So MaryAnne, can you give me a sense of what the elements are of this program? You know, what you deliver to everybody?
MACINTOSH: Definitely. On an annual basis, I deliver the new threats that are out there. What their responsibility is. You know, we talk about phishing, pharming, social engineering. We make sure that we talk about password protection. We talk about, you know, what we can do here as well as at home. Or even you know, talk about what our members can actually do. So they have the awareness that they need on a very basic level, just to say this is just comprehensive stuff that I need to be aware of.
FIELD: Now, this sounds like a lot, but from what I understand it's really not a huge time commitment that each participant is putting into this?
MACINTOSH: Nope, it's only about 30-to-45 minutes total. You know if you keep them longer than that, we tend to lose them when it comes to security because it's so dull. It's not fun.
FIELD: But there are things that you do to make it fun, aren't there?
MACINTOSH: Yes, definitely. If you don't have it fun and exciting for them, they are just going to be sleeping and not even paying attention. So, what I do is I actually -- this last class that I had, I had an Arnold cut-out, which he was the Terminator. And the symbolism on that is to make sure that they understand that the Terminator is the bad things that are attacking the credit union. If we think of the world as the Terminator, we associate him with what, worms, viruses, hacking, phishing, pharming, you know, that type of stuff. So, if they can actually symbolize what is out there, then they are more apt to think about it and say, okay, "this is what I need to protect the credit union from."
FIELD: Now let's talk a little bit about the challenges in delivering this. I understand on one hand, it is not a big time commitment for the participants, but it is a big time commitment for you?
MACINTOSH: Oh, definitely, because I have to prepare. I have to know exactly what the new threats are out there. I have to be aware of what the threats are out there. I have to make the PowerPoint presentation. I have to make a new way of engaging them and then actually going out to them and talking about it. The main problem is actually getting our calendars coordinated, because everybody wants to take time off. You've got to decide on what is the best time to actually do it. What is going on in the rest of the credit union -- that kind of thing, so that you're not overlapping training with some other training and making it so difficult that they can't make the meeting.
FIELD: So, MaryAnne, over the course of a year, you are seeing how many people, and how long is it taking you generally to do that?
MACINTOSH: It usually takes about three months total calendar-wise to actually visit all the sites. And we have 14 locations, and we have different departments and everything. The process to actually get the training together takes about maybe a month total and then getting to see about 200, almost 300 staff members.
FIELD: Okay, but let's talk about the payoffs because I know you've seen some results. I mean, given the investment you have made, what are some of the results you've seen as you walk around the credit union?
MACINTOSH: Oh, it's wonderful. They are actually starting to question me when we go around and I talk. We are talking about what we've done at home. You know, 'MaryAnne, I notice that when my credit card comes and I'm looking at it, I'm making sure that the information is secure in there. If it is open or something, I'll call like the credit bureau or whoever their credit card company is and say, hey, you know what, my envelope was opened.' Or when they are throwing out their trash after they've paid their credit card, they make sure that they put it in three different receptacles. And when I walk around the credit union and I do my security sweeps, I have noticed that there are actually clean desks, because we talk about it. You know, if you leave information out, it is more apt to get taken. If you leave the temptation out, that is what is going to happen.
FIELD: So really, it's just changed the culture, and I've got to think that pays off in terms of message that your customers get, your members?
MACINTOSH: Oh, definitely, definitely. If they see that we have a clean desk or how they are holding their debit card. And you know, when we walk around we talk to the staff about it. I tell them about social engineering; they can do over the shoulder. Make sure that if you are holding the credit card with the numbers out, cover it up.
FIELD: That's excellent. Now, one criticism that I know that a lot of institutions have is that they don't really assess the level of awareness when someone comes into an institution. Are you able to do that when you get a new board member, a new employee, you get a sense of what they know and then be able to fill the gap of what they don't know?
MACINTOSH: Yes. What I do is I actually ask them when they come in for new hire training; what is the other institution that you've worked at? If you worked at a financial institution, have you gotten training before -- what kind of training they've actually gotten. And normally, it's just going over the policies, making sure that you do what is acceptable in the policies. Then I go over what is actually out there for them so that they can be aware of what is a vulnerability, what is a risk.
FIELD: I get the sense that you are generally getting pretty clean slates aren't you?
FIELD: What is next? I mean, what do you build on what you have now and accomplished in the future security awareness programs?
MACINTOSH: Well, what I would like to do is actually have an assessment program so that I know the staff members are actually learning this and they are taking it into heart. Or what they don't know, because I can sign off on the acknowledgment thing that says "yep, yep, I'll read all the policies, I'll follow the acceptable uses." But then when it comes down to it, I want to test them to say 'okay now you've watched this video, and there are some questions that I want you to answer. Okay, what are you missing? What do I need to concentrate on for you?'
FIELD: Good. That is a good next step. Is this something that you think you can move over to the member's side as well and start to do some outreach with customers?
MACINTOSH: Well, we do have training on our website for the members, and I would like to do that, but I don't know exactly how to push it out to members. You know besides webinars; we do have webinars for our members on identity theft, that kind of thing. We have it on our website. We give them the information that they need. I don't know how to actually test to see the assessment piece, and that is something that I would like to work on.
FIELD: So you are going to start going street to street and checking their trash?
MACINTOSH: Yeah, knock on the doors and say, "hey, ninety thousand members."
FIELD: Now, with the ID theft Red Flags deadline coming up this fall, every institution is thinking about security awareness. For those that aren't quite so far along as you are, what advice would you give an institution that is just embarking upon such a program?
MACINTOSH: I would say you need to start, even if it is small, even if it is sending out an email to your staff members; let them know what is out there. You have to start the program, because if you don't start the program, then you actually have no communication. You have no awareness. You don't have anything for them.
FIELD: Great advice. MaryAnne MacIntosh, I really appreciate your time and your insight.
MACINTOSH: Thank you.
FIELD: We've been talking with MaryAnne MacIntosh with Nu Union Credit Union. The topic has been Security Awareness. For Information Security Media Group, I am Tom Field. Thank you very much.