Sharpening Your Staff


Four steps to improve cybersecurity through training and testing

By Jeffrey Taft

Although financial institutions have developed written information security and incident response plans to help mitigate their cybersecurity risk, implementing certain aspects of these plans remains a work in progress for many institutions. One important, but often overlooked, aspect of successfully implementing these plans is employee training and testing.
Your community bank can take four steps to close that gap and mitigate its cybersecurity risk.

1. Conduct tabletop exercises. Your community bank should schedule exercises in which the people named in the incident response plan walk through a realistic scenario (for example, a compromised employee mailbox or ransomware on a workstation) and discuss, step by step, what the plan requires each of them to do. A tabletop exercise touches no production systems; its value is in finding the gaps, such as an outdated contact list, an unclear escalation path, or a decision nobody is authorized to make, before a real incident exposes them. If an actual incident is the first time that employees are required to implement your bank's incident response plan, the execution and timing of the response will suffer and mistakes will occur. Record the gaps each exercise reveals and update the plan accordingly.

2. Inform employees about new threats. The cybersecurity landscape is constantly evolving. Employees need to receive information and training about new threats regularly, and your community bank should test its employees' knowledge and understanding of those threats. Warning employees about the danger of clicking on unknown email links is only a first step. Your bank should regularly test its employees' adherence to security policies and procedures, for example by sending simulated phishing emails, coordinated with your IT or security staff, to determine whether employees recognize and report them rather than clicking. Track the results over time so you can see whether training is working. Employees who "flunk" these tests should receive additional training, and the results should be treated as a measure of the program, not a reason to punish individuals, or employees will stop reporting the suspicious emails they do spot.


3. Update the employee training and testing program. A successful cybersecurity employee-training program requires constant updating to address evolving risks. Your community bank shouldn't simply reuse the same program and materials each year and expect them to adequately prepare employees for new threats. Although some compliance areas may not require frequent updates to the training program, cybersecurity is different because the threat landscape changes from year to year. For example, last year's training program may have highlighted denial-of-service attacks and destructive malware but omitted any discussion of ransomware or other cyberattacks involving extortion.

4. Test physical security. Although the emphasis on cybersecurity remains, financial institutions should still train and test their employees on physical security, such as controlling entry to secured areas and monitoring the activities of visitors. Your community bank can test its employees' compliance with physical security requirements by having a third party try to enter secured areas or remove items containing sensitive information (for example, laptops or the contents of shred bins). A video showing a "helpful" employee unlocking or holding open a secured door for an unauthorized third party (usually carrying boxes or files) is a powerful training tool, because tailgating of this kind defeats the access control regardless of how well the door itself is secured.

Jeffrey Taft is a partner in the Washington, D.C. office of the law firm Mayer Brown LLP and a member of its Financial Services Regulatory and Enforcement and Cybersecurity and Data Privacy groups.