CUSTOMER SECURITY AWARENESS: A Key Defense Against Corporate Account Takeover & Cyber Fraud

Transcription

1 CUSTOMER SECURITY AWARENESS: A Key Defense Against Corporate Account Takeover & Cyber Fraud Presented by Tom Garcia President / CEO InfoSight, Inc InfoSight

2 What we ll cover today 1. The MFA & NACHA Guidance 2. Developing & implementing your program 3. How to make compliance profitable 4. Managing higher-risk commercial clients 5. Available Resources to assist

3 The FFIEC Guidance Supplement Effective 1/1/2012 On June 28th, 2011 the Federal Financial Institutions Examination Council FFIEC) released a supplement to the 2005 Authentication in an Internet Banking) Environment guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud. When was Reg-E enacted? 1978

4 Customer Awareness & Education 2005 Guidance the first supplement 1. Implement a customer awareness program & evaluate its effectiveness 2. Track the number of statement stuffers or other direct mail communications 3. Track the number of customers who report fraudulent attempts to obtain their authentication credentials 4. Track the dollar amount of losses relating to identity theft, etc. 5. Track the number of clicks on information security links on websites

5 2011 Guidance Customer Awareness & Education A financial institution s customer awareness & education efforts should address both retail and commercial account holders and, at a minimum: 1. Explain account holder protections relating to electronic funds transfers. 2. Explain under what circumstances, if any, you would contact a customer to request their electronic banking credentials. 3. Suggest to your commercial online banking customers that they periodically perform a risk assessment and controls evaluation. 4. Provide customers with a listing of institutional contacts for security-related events. When is the best time to tell them? At Enrollment!

6 2005 vs Some observations The 2011 guidance clearly delineates between the risks associated with consumer vs. business banking. The 2005 guidance did not do this and many in the industry assumed it was mainly directed towards consumer accounts. It gives good guidance on considerations for updating risk assessments, and what environmental and customer changes to take into account when doing so. It emphasizes a risk-based approach where controls are strengthened as risk increases It is an Awareness Continuum and requires adjusting to the changes risks posed by Cybercriminals. It recommends that financial institutions take the lead in providing resources where alternative risk control mechanisms can be found, so customers can mitigate their own risk.

7 Three Key Elements Risk Assessments Layered Security & Anomaly Detection Customer Education & Awareness

8 Additional notable key points of the guidance The Guidance applies both Commercial and Retail Customers It applies to both In-house and 3 rd party Service Providers It applies to all Financial Institutions (FI) The principles really apply to all forms of electronic banking FIs are expected to conduct their own risk assessments and to adjust layered security controls in response to their unique risks Risk Assessments must consider some new factors, such as customer type, transaction capabilities, sensitivity of information and transaction volume The selection and use of authentication technologies and methods should depend upon the results of the Risk Assessment Process FI s should create awareness and educate customers as a key defense against fraud and ID theft FI s must have Layered Security, Anomaly Detection and Enhanced Controls Since the controls necessary to comply are to some extent a subjective judgment that must be made by the FI, so we might conclude, it s Descriptive, but not prescriptive.

9 The NACHA ACH Security Framework Update

10 Developing & Implementing an effective Program

11 Some questions to get started

12 Three avenues to security awareness What s the difference? AWARENESS TRAINING EDUCATION Attribute: What How Why Level: Information Knowledge Insight Objective: Recognition Skill Understanding Learning is a continuum; it starts with awareness, builds to training, and evolves into education.

13 What makes an effective program? A successful security awareness program consists of: 1. Developing IT security policies that consider business needs, but are tempered by known security threats and in compliance with regulatory guidelines. 2. Informing users of their online responsibilities, as documented in security policies & procedures. 3. Delivery of the materials cross-channel in an effective manner. 4. Establishing processes for monitoring & reviewing the program s effectiveness. The time it takes an individual to review an awareness presentation may be the difference between a secure organization & a multimillion dollar breach of security.

14 Some questions to consider Key questions to help determine the scope of your ISA program What awareness, training, and/or education is needed? What ebanking products do we offer? Do I focus more on commercial or consumer customers? Do I need a different program for High, Moderate &/or Low Risk Customers? How many customers will I be training? What training channels are most effective & efficient?

15 Involve key functional areas when practical It s crucial that everyone understands they have a responsibility for information security awareness and training. Information Security Officer (ISO) ebanking Manager Treasury Management IT Department Front-line employees Executive Management Failure to pay attention to information security puts an organization at great risk because security is as much a human issue as it is a technology issue.

16 Identify your audience Who do you hope will attend? Identifying who you re talking to helps you to address their specific concerns in and banking activities. Content and delivery can differ greatly between consumer and commercial customers. Commercial mobile business banking security, wire transfers, best practices for remote workers Consumer online banking security, phishing scams, identity-theft

17 Developing the program material Once the awareness and training program has been designed, supporting material can be developed. Material should be developed with the following in mind: What behavior do we want to reinforce? What do we want the audience to learn and apply? An awareness and training program can be effective, only if the material is interesting and current. Attendees will pay attention and incorporate what they see or hear in a session if they feel that the material was developed specifically for them.

18 Program material topics Awareness material can be developed using one theme at a time or created by combining a number of themes or messages. The education is designed to create awareness of specific risks and threats, including the actions required to prevent and remedy security issues. Frontline defense: Passwords Security awareness: Being diligent Defense against online threats Avoiding malware Advanced malware: Trojan horses, etc. Safe social networking ACH & Wire Fraud Corporate Account Takeover Defense against social engineering Phishing, spyware & other wares to be aware of Cyber security & incident response essentials Get smart about identity theft Smartphone security Mobile device & laptop security Safe online shopping Secure Transactions Hackers tricks of the trade & what to watch for Encryption: what it is & why it s necessary Safe Internet surfing Sharing information Understanding cybercrime Mission-critical security Safe data backup and secure storage AND MUCH MORE! Do you have the resources to develop your own content?

19 How to deliver the awareness material 1. Ease of use: (e.g., easy to access and easy to update/maintain) 2. Scalability: (e.g., can be used for various audience sizes and in various locations) 3. Direct communications: (e.g., s, memos, computer based training, etc.) 4. Indirect communications: (e.g., posters, intranet, brochures, etc.) Website content Statement stuffers Newsletters Monthly themed ISA tips Onsite security awareness workshops Educational webinars Web-based ISA training courses ISA Posters & branch collaterals Screensavers, tips, alert messages On-hold scripts & ATM digital messages Company-wide messages Security Awareness Days Shred Events Awards programs Videos & games

20 How to monitor the program Monitoring Compliance: Once the program has been implemented, processes must be put in place to monitor compliance and program effectiveness. Track the number of attendees at awareness sessions Track the number of people trained on a particular topic Track the number of people yet to attend awareness and training sessions Compare the number of security incidents reported before & after the program What other benefit does monitoring have besides compliance reporting? Protection during litigation!

21 Steps to planning your ISA program 1. Identify Program Scope, Goals & Objectives Scope to provide training to both types of customers Goal to protect customers by increasing security awareness 2. Involving Management & Employees All employees need to be aware of the of the losses that security awareness can reduce Employees need to comprehend the value of educating customers and be familiar with content 3. Identify Target Audiences Segment audiences according to type of customer 4. Implementing the Program Include efforts to achieve high visibility of the program Methods used deliver the message to the audience Consider the frequency of training 5. Monitoring the Program Track the trends Observe how well customers follow security procedures Monitor the number & kind of security incidents reported before & after the program 6. Evaluation & Feedback Keep abreast of changes in technology & security requirements Obtain feedback from audiences

22 The Customer Experience is key! Security Usability Cost Your customers need to understand that security is as much their responsibility as it is yours.

23 How do you make Compliance Profitable?

24 Profitable compliance in action Develop Customer Security Awareness Program Create new revenue opportunities like cyber crime coverage Acquire content for your website & branch collaterals, newsletters, s, etc. Drive new product adoption & social media initiatives Conduct commercial customer security workshops Create cross-sales & new client onboarding opportunities

25 InfoSight s Customer Awareness Program Engage your customers in onsite workshops Have a call to action! Partner with a subject matter expert Prepare your customer list Determine how you will invite customers Use InfoSight s template Provide a meal or snacks Distribute audience handouts Invite your staff

26 InfoSight s Customer Awareness Program Live and/or pre-recorded webinars templates provided

27 InfoSight s Customer Awareness Program Provide short videos with ISA tips

28 InfoSight s Customer Awareness Program Newsletters & Branch Collaterals

29 InfoSight s Customer Awareness Program & Social Media Campaigns

30 InfoSight s Customer Awareness Program Educate your customers with short ISA articles Sample topics: Understanding cybercrime What is malware? ID Theft & tax filing tips Making secure online transactions Payment card security How to create a strong password Beware of spyware Password protect your flash drive The social engineering con game Securing your home network Avoiding Facebook scams What are you sharing online? And more!

31 InfoSight s Customer Awareness Program Support your program with print collaterals Statement Stuffers Posters

32 Polls & Surveys InfoSight s Customer Awareness Program Top 5 Smartphone Security Concerns

33 InfoSight s Customer Awareness Program Engage your customers with interactive games

34 For your customers MySecurityAwareness.com Educational resources for: 1. Your commercial customers And their staff 2. Your retail customers And their family (youth & kids) 3. Your employees Monthly Security Theme Downloadable Security Tools Videos, games, quizzes, and more!

35 Designed for your commercial & retail customers For Business For Consumers

36 An effective awareness program checks all 3 boxes! Compliance Security Sales Opportunities

37 Benefits of InfoSight s Customer Security Awareness Program 1. Create cross-sales and new-sales opportunities by conducting security workshops. 2. Drive new product adoption such as mobile and/or Cash Management Services. 3. Create new recurring revenue by selling products such as Cyber-Crime Insurance. 4. Onboarding of new prospective relationships with larger commercial clients by selectively inviting prospects. 5. Integrate with existing Social Media initiatives and/or assist in future efforts. 6. Instill confidence in your customers that doing business with your financial institution electronically is safe. 7. Reduce liability & the risk of litigation InfoSight s CSAP is turnkey offering both full and self-service programs!

38 A consideration for higher risk commercial customers

39 CSAP Commercial Delivery Portal Login Page Customizable! Puts you in control by providing an interface that s branded with your logo Use your logo and colors to Brand it!

40 Welcome page Customer security awareness training portal Update headlines and messages at anytime or schedule them in advanced Customize and change your message at any time

41 CSAP Commercial Delivery Portal Policies Use the online Policy Repository to provide centralized access and distribution of policies and updates.

42 CSAP Commercial Delivery Portal Course Folders Courseware is divided into smaller courses so they can be completed in one sitting enabling the student to retain more information.

43 CSAP Commercial Delivery Portal Document Library The online Document Library can act as your own Document Sharing Solution!

44 CSAP Commercial Delivery Portal Reports

45 Additional Features CSAP Commercial Delivery Portal Features Unique features make this training solution like none you ve ever seen. 1. Institution-branded portal - include your logo and corporate colors 2. Trackable Policy Acceptance - acquire and track signatures of policy acceptance in digital format or in writing, where necessary 3. Online Document Library - host all your documents in one accessible and centralized location including manuals, policies, procedures, HR forms, DR and emergency contact lists, etc. 4. Compliance Tracking & Reporting - by regulation, student, policy, course 5. Customizable & Automated Messaging System - notify employees of FDIC fraud alerts, IT service alerts, customer service improvement measures, health and benefit plan updates, or other internal communications or events 6. Acts as your own intranet - use it for more than just training purposes 7. Effortless Administration Controls 8. Host your own course material too

46 Online Risk Assessment

47 What we covered today 1. The MFA & NACHA Guidance 2. Developing & implementing your program 3. How to make compliance profitable 4. Managing higher-risk commercial clients 5. Available Resources to assist

48 Some Takeaways Remember that the guidance isn t optional Take a proactive approach Do what you know you have to do now Don t solely focus on compliance Technology alone is not the answer Policy driven controls are also a big part of the puzzle Focus on prevention, not just detection Train staff to ensure they understand the controls Educating customers on How not to become a victim which can be the greatest protection

49 So how can InfoSight help? MFA & ebanking Security Reviews & Risk Assessments Pre-implementation Enrollment Technology Operational Controls Customer Awareness Program ebanking Risk Assessment Gap Analysis Penetration Testing & Vulnerability Assessments Virtual ISO Mentoring Programs Turnkey Customer Awareness Program CSAP Portal

50 InfoSight s Starter Toolkit Thank you for attending! Request the free toolkit to help you get started: wtgarcia Customer Security Awareness Program Toolkit +InfoSightInc Seminars@InfoSightInc.com