CUSTOMER SECURITY AWARENESS: A Key Defense Against Corporate Account Takeover & Cyber Fraud
Presented by Tom Garcia, President / CEO, InfoSight, Inc.
What we'll cover today
1. The MFA & NACHA Guidance
2. Developing & implementing your program
3. How to make compliance profitable
4. Managing higher-risk commercial clients
5. Available resources to assist
The FFIEC Guidance Supplement (Effective 1/1/2012)
On June 28th, 2011 the Federal Financial Institutions Examination Council (FFIEC) released a supplement to the 2005 "Authentication in an Internet Banking Environment" guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud.
When was Reg-E enacted? 1978
Customer Awareness & Education: 2005 Guidance (the first supplement)
1. Implement a customer awareness program & evaluate its effectiveness
2. Track the number of statement stuffers or other direct mail communications
3. Track the number of customers who report fraudulent attempts to obtain their authentication credentials
4. Track the dollar amount of losses relating to identity theft, etc.
5. Track the number of clicks on information security links on websites
2011 Guidance: Customer Awareness & Education
A financial institution's customer awareness & education efforts should address both retail and commercial account holders and, at a minimum:
1. Explain account holder protections relating to electronic funds transfers.
2. Explain under what circumstances, if any, you would contact a customer to request their electronic banking credentials.
3. Suggest to your commercial online banking customers that they periodically perform a risk assessment and controls evaluation.
4. Provide customers with a listing of institutional contacts for security-related events.
When is the best time to tell them? At enrollment!
2005 vs. 2011: Some observations
The 2011 guidance clearly delineates between the risks associated with consumer vs. business banking. The 2005 guidance did not do this, and many in the industry assumed it was mainly directed towards consumer accounts.
It gives good guidance on considerations for updating risk assessments, and on what environmental and customer changes to take into account when doing so.
It emphasizes a risk-based approach where controls are strengthened as risk increases.
It is an awareness continuum and requires adjusting to the changing risks posed by cybercriminals.
It recommends that financial institutions take the lead in providing resources where alternative risk control mechanisms can be found, so customers can mitigate their own risk.
Three Key Elements
Risk Assessments
Layered Security & Anomaly Detection
Customer Education & Awareness
Additional notable key points of the guidance
The guidance applies to both commercial and retail customers.
It applies to both in-house and 3rd-party service providers.
It applies to all financial institutions (FIs).
The principles really apply to all forms of electronic banking.
FIs are expected to conduct their own risk assessments and to adjust layered security controls in response to their unique risks.
Risk assessments must consider some new factors, such as customer type, transaction capabilities, sensitivity of information and transaction volume.
The selection and use of authentication technologies and methods should depend upon the results of the risk assessment process.
FIs should create awareness and educate customers as a key defense against fraud and ID theft.
FIs must have layered security, anomaly detection and enhanced controls.
Since the controls necessary to comply are to some extent a subjective judgment that must be made by the FI, we might conclude that it's descriptive, but not prescriptive.
The NACHA ACH Security Framework Update
Developing & Implementing an Effective Program
Some questions to get started
Three avenues to security awareness: What's the difference?
              AWARENESS      TRAINING     EDUCATION
Attribute:    What           How          Why
Level:        Information    Knowledge    Insight
Objective:    Recognition    Skill        Understanding
Learning is a continuum; it starts with awareness, builds to training, and evolves into education.
What makes an effective program?
A successful security awareness program consists of:
1. Developing IT security policies that consider business needs, but are tempered by known security threats and in compliance with regulatory guidelines.
2. Informing users of their online responsibilities, as documented in security policies & procedures.
3. Delivery of the materials cross-channel in an effective manner.
4. Establishing processes for monitoring & reviewing the program's effectiveness.
The time it takes an individual to review an awareness presentation may be the difference between a secure organization & a multimillion-dollar breach of security.
Some questions to consider
Key questions to help determine the scope of your ISA program:
What awareness, training, and/or education is needed?
What ebanking products do we offer?
Do I focus more on commercial or consumer customers?
Do I need a different program for High, Moderate &/or Low Risk customers?
How many customers will I be training?
What training channels are most effective & efficient?
Involve key functional areas when practical
It's crucial that everyone understands they have a responsibility for information security awareness and training.
Information Security Officer (ISO)
ebanking Manager
Treasury Management
IT Department
Front-line employees
Executive Management
Failure to pay attention to information security puts an organization at great risk, because security is as much a human issue as it is a technology issue.
Identify your audience
Who do you hope will attend? Identifying who you're talking to helps you to address their specific concerns and banking activities. Content and delivery can differ greatly between consumer and commercial customers.
Commercial: mobile business banking security, wire transfers, best practices for remote workers
Consumer: online banking security, phishing scams, identity theft
Developing the program material
Once the awareness and training program has been designed, supporting material can be developed. Material should be developed with the following in mind:
What behavior do we want to reinforce?
What do we want the audience to learn and apply?
An awareness and training program can be effective only if the material is interesting and current. Attendees will pay attention and incorporate what they see or hear in a session if they feel that the material was developed specifically for them.
Program material topics
Awareness material can be developed using one theme at a time or created by combining a number of themes or messages. The education is designed to create awareness of specific risks and threats, including the actions required to prevent and remedy security issues.
Frontline defense: Passwords
Security awareness: Being diligent
Defense against online threats
Avoiding malware
Advanced malware: Trojan horses, etc.
Safe social networking
ACH & Wire Fraud
Corporate Account Takeover
Defense against social engineering
Phishing, spyware & other "wares" to be aware of
Cyber security & incident response essentials
Get smart about identity theft
Smartphone security
Mobile device & laptop security
Safe online shopping
Secure transactions
Hackers' tricks of the trade & what to watch for
Encryption: what it is & why it's necessary
Safe Internet surfing
Sharing information
Understanding cybercrime
Mission-critical security
Safe data backup and secure storage
AND MUCH MORE!
Do you have the resources to develop your own content?
How to deliver the awareness material
1. Ease of use (e.g., easy to access and easy to update/maintain)
2. Scalability (e.g., can be used for various audience sizes and in various locations)
3. Direct communications (e.g., e-mails, memos, computer-based training, etc.)
4. Indirect communications (e.g., posters, intranet, brochures, etc.)
Website content
Statement stuffers
Newsletters
Monthly themed ISA tips
Onsite security awareness workshops
Educational webinars
Web-based ISA training courses
ISA posters & branch collaterals
Screensavers, tips, alert messages
On-hold scripts & ATM digital messages
Company-wide messages
Security Awareness Days
Shred Events
Awards programs
Videos & games
How to monitor the program
Monitoring compliance: Once the program has been implemented, processes must be put in place to monitor compliance and program effectiveness.
Track the number of attendees at awareness sessions
Track the number of people trained on a particular topic
Track the number of people yet to attend awareness and training sessions
Compare the number of security incidents reported before & after the program
What other benefit does monitoring have besides compliance reporting? Protection during litigation!
Steps to planning your ISA program
1. Identify Program Scope, Goals & Objectives
   Scope: to provide training to both types of customers
   Goal: to protect customers by increasing security awareness
2. Involving Management & Employees
   All employees need to be aware of the losses that security awareness can reduce
   Employees need to comprehend the value of educating customers and be familiar with content
3. Identify Target Audiences
   Segment audiences according to type of customer
4. Implementing the Program
   Include efforts to achieve high visibility of the program
   Methods used to deliver the message to the audience
   Consider the frequency of training
5. Monitoring the Program
   Track the trends
   Observe how well customers follow security procedures
   Monitor the number & kind of security incidents reported before & after the program
6. Evaluation & Feedback
   Keep abreast of changes in technology & security requirements
   Obtain feedback from audiences
The Customer Experience is key!
Security / Usability / Cost
Your customers need to understand that security is as much their responsibility as it is yours.
How do you make compliance profitable?
Profitable compliance in action
Develop a Customer Security Awareness Program
Create new revenue opportunities like cyber crime coverage
Acquire content for your website & branch collaterals, newsletters, e-mails, etc.
Drive new product adoption & social media initiatives
Conduct commercial customer security workshops
Create cross-sales & new client onboarding opportunities
InfoSight's Customer Awareness Program: Engage your customers in onsite workshops
Have a call to action!
Partner with a subject matter expert
Prepare your customer list
Determine how you will invite customers
Use InfoSight's template
Provide a meal or snacks
Distribute audience handouts
Invite your staff
InfoSight's Customer Awareness Program: Live and/or pre-recorded webinars (templates provided)
InfoSight's Customer Awareness Program: Provide short videos with ISA tips
InfoSight's Customer Awareness Program: Newsletters & Branch Collaterals
InfoSight's Customer Awareness Program: E-mail & Social Media Campaigns
InfoSight's Customer Awareness Program: Educate your customers with short ISA articles
Sample topics:
Understanding cybercrime
What is malware?
ID theft & tax filing tips
Making secure online transactions
Payment card security
How to create a strong password
Beware of spyware
Password-protect your flash drive
The social engineering con game
Securing your home network
Avoiding Facebook scams
What are you sharing online?
And more!
InfoSight's Customer Awareness Program: Support your program with print collaterals (statement stuffers, posters)
InfoSight's Customer Awareness Program: Polls & Surveys (e.g., Top 5 Smartphone Security Concerns)
InfoSight's Customer Awareness Program: Engage your customers with interactive games
For your customers: MySecurityAwareness.com
Educational resources for:
1. Your commercial customers and their staff
2. Your retail customers and their family (youth & kids)
3. Your employees
Monthly Security Theme
Downloadable Security Tools
Videos, games, quizzes, and more!
Designed for your commercial & retail customers: For Business / For Consumers
An effective awareness program checks all 3 boxes! Compliance, Security, Sales Opportunities
Benefits of InfoSight's Customer Security Awareness Program
1. Create cross-sales and new-sales opportunities by conducting security workshops.
2. Drive new product adoption such as mobile and/or Cash Management Services.
3. Create new recurring revenue by selling products such as Cyber-Crime Insurance.
4. Onboarding of new prospective relationships with larger commercial clients by selectively inviting prospects.
5. Integrate with existing Social Media initiatives and/or assist in future efforts.
6. Instill confidence in your customers that doing business with your financial institution electronically is safe.
7. Reduce liability & the risk of litigation.
InfoSight's CSAP is turnkey, offering both full- and self-service programs!
A consideration for higher-risk commercial customers
CSAP Commercial Delivery Portal: Login Page
Customizable! Puts you in control by providing an interface that's branded with your logo. Use your logo and colors to brand it!
CSAP Commercial Delivery Portal: Welcome page
Customer security awareness training portal. Update headlines and messages at any time or schedule them in advance. Customize and change your message at any time.
CSAP Commercial Delivery Portal: Policies
Use the online Policy Repository to provide centralized access and distribution of policies and updates.
CSAP Commercial Delivery Portal: Course Folders
Courseware is divided into smaller courses so they can be completed in one sitting, enabling the student to retain more information.
CSAP Commercial Delivery Portal: Document Library
The online Document Library can act as your own document sharing solution!
CSAP Commercial Delivery Portal: Reports
CSAP Commercial Delivery Portal: Additional Features
Unique features make this training solution like none you've ever seen.
1. Institution-branded portal: include your logo and corporate colors
2. Trackable Policy Acceptance: acquire and track signatures of policy acceptance in digital format or in writing, where necessary
3. Online Document Library: host all your documents in one accessible and centralized location, including manuals, policies, procedures, HR forms, DR and emergency contact lists, etc.
4. Compliance Tracking & Reporting: by regulation, student, policy, course
5. Customizable & Automated Messaging System: notify employees of FDIC fraud alerts, IT service alerts, customer service improvement measures, health and benefit plan updates, or other internal communications or events
6. Acts as your own intranet: use it for more than just training purposes
7. Effortless administration controls
8. Host your own course material too
Online Risk Assessment
What we covered today
1. The MFA & NACHA Guidance
2. Developing & implementing your program
3. How to make compliance profitable
4. Managing higher-risk commercial clients
5. Available resources to assist
Some takeaways
Remember that the guidance isn't optional
Take a proactive approach: do what you know you have to do now
Don't solely focus on compliance
Technology alone is not the answer; policy-driven controls are also a big part of the puzzle
Focus on prevention, not just detection
Train staff to ensure they understand the controls
Educating customers on how not to become a victim can be the greatest protection
So how can InfoSight help?
MFA & ebanking Security Reviews & Risk Assessments (pre-implementation, enrollment, technology, operational controls, customer awareness program)
ebanking Risk Assessment Gap Analysis
Penetration Testing & Vulnerability Assessments
Virtual ISO Mentoring Programs
Turnkey Customer Awareness Program
CSAP Portal
InfoSight's Starter Toolkit
Thank you for attending! Request the free toolkit to help you get started: Customer Security Awareness Program Toolkit
wtgarcia
+InfoSightInc