THE HUMAN FIREWALL By Mike Gilmore, Chief Compliance Officer, RESULTS Technology A recent study by a security awareness training platform showed that the average rate at which employees of small banks clicked on phishing emails was 25% (the rate for bigger banks is even worse!). Ransomware (malware that encrypts your data and only provides a decryption key if you pay a ransom) continues to be a threat to banks. This malware can hide in links in emails, as hidden code in email attachments or even embedded in seemingly safe websites. If technology can’t filter out all the sources of malware, it is critical to train employees on how to recognize and avoid these hidden traps. A welldesigned Security Awareness Training program turns everyone in your company into a “human firewall.” What Does an Effective Training Program Look Like? An effective security awareness training program should illustrate with real-life examples the danger of social engineering and the importance of constant vigilance to avoid malware infections. The training should be attended by everyone in your organization who has access to the internet, repeated at least annually (we recommend every six months) and should be part of the standard onboarding process for new employees. To ensure that the training “takes,” the program should include regular social engineering tests. The easiest way to do this is to use a service to send your own unannounced phishing emails to see who “clicks.” In the programs that we administer at RESULTS Technology, we typically see about a 15% hit rate on phishing emails sent out before training is initiated. This dramatically drops to less than 5% after training is completed. Over time, the hit rate creeps back up, so it is important to refresh training regularly. Here are a few training tips to pass along to get your program going: • Do not open attachments unless you are 100% certain of the sender and the purpose of the attachment. When in doubt, pick up the phone and call. • Never click embedded links in messages without hovering your mouse over them first. • Look for “fake” domains. Note that www.microsoft.com and www.support.microsoft.software.com are two different domains (and only the first is an actual Microsoft site). 28 | The Show-Me Banker Magazine
RkJQdWJsaXNoZXIy MTg3NDExNQ==