Risk & Fraud

Onboarding New Employees: Security Starts on Day One

By: Gene Fredriksen, Security Strategy Consultant

Any new employee’s security education starts on their first day. Every organization wants their employees to be knowledgeable about a wide range of topics after training, so setting the tone from the start is crucial. Since we are all aware that “Death by PowerPoint” is an ineffective teaching method, working with your training staff to incorporate a security education message into the orientation for new employees at your financial institution is more important than ever.

The following are methods for improving security onboarding effectiveness:

  • Invite a senior executive to the onboarding session to underline the importance of security. The executive team sets the tone for the whole organization, every team and every project. Involve the management team at every stage of your security awareness training program if you want it to be effective.
  • Make sure every employee knows that cybersecurity is part of their job. Training is the most meaningful and effective when it is directly related to a worker’s position within the organization and the dangers that come with it. All employees need to know how to do their job securely. For instance, a salesperson might require more instruction than an engineer on how to safeguard information and equipment when traveling.
  • Engage — don’t lecture. The “Just Say No” strategy is ineffective and outdated. Instead, use a scenario-based instruction strategy and demonstrate how to accomplish something securely. Keep in mind that your goal is to develop positive habits and abilities rather than rote memorization. Employees won’t remember anything if they are bored, so keep the content interesting and current.
  • Tailor the onboarding training to your financial institution. Describe the importance of user credentials and the necessity of safeguards. When you hear a user complain about the password policy, explain why it is necessary and the user’s important role in maintaining security measures. This is a much better strategy than ignoring the complaining and leaving the user frustrated. An employee will be more inclined to accept security measures if they comprehend their purpose and understand how they can use similar guidelines in future “high-risk” scenarios.
  • Cover the basics in a standardized approach. Your goal is to change behavior and increase awareness; therefore, the more precise, pertinent and powerful your message can be, the more traction it will gain. It’s impossible to cover every scenario that could arise, so don’t overcomplicate things or try to do so. Keep the message standardized to ensure consistency amongst your employees.
  • Be creative and offer continuous training. Use multiple formats to do so. Security awareness is not a “one size fits all” concept, and no one training technique is appropriate for all subject matters or target audiences. Consider including a security awareness game at the next corporate retreat if it matches your financial institution’s culture. Keep in mind that you can spread the word by using blogs, posters, newsletters and other forms of media.

If done properly, security awareness training is a critical control system for every financial institution. Many possible issues that could impact the infrastructure and the financial institution as a whole could be avoided if the user base is well-informed on what to look out for, as well as preventative and remedial procedures. Employees should always be the last line of defense, and frequently all that is needed is making sure your employees understand this. By instructing people on how to stop malicious activity and what to do when it occurs, your security awareness training can be truly beneficial for your financial institution.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.