In it together

Data security shouldn’t only be the concern of the IT department. Community banks must teach employees at all levels—from intern to C-suite—to be aware of threats and how to avoid them. Here’s how.

By Karen Epper Hoffman

Developing and maintaining good data security used to be a job primarily, if not solely, for the IT department. But as cyberthreats and scams become more pervasive, community banks must rely on all employees to create a culture of data security.

Take it from Joe Zazzaro, chief information officer and senior vice president at Holyoke, Mass.-based PeoplesBank, which two years ago expanded its technology staff from one full-time security employee to two full-timers focused on securing systems and data. But the $2 billion-asset community bank still spreads the gospel of good data-security practices throughout the organization.

“I have to be a security advocate with the board and the C-suite,” Zazzaro says. “I meet with every new hire as soon as they start … and we talk about cybersecurity and how people are the weakest link and targeted.”

Zazzaro says that without frequent communication throughout PeoplesBank, it is all too easy for employees to become complacent about the behaviors and processes they must embrace to mitigate the risk of falling prey to exploits. All too often, even otherwise thoughtful, diligent employees depend too much on the notion that “IT will take care of it,” and open unknown email attachments or respond to questionable requests.

But how to begin? Wes Bjorklund, senior director for technology solutions for Cornerstone Advisors, says that in his experience it typically takes “telling people something seven times in seven different ways to get the message across.” He advises banks to consider a broad-based and varied approach to conveying data-security hygiene information. Aside from compliance-driven annual training events, community banks must deliver information about best practices for data security throughout the rest of the year through internal marketing and communications, in newsletters or blogs, or through speeches, weekly meetings or town halls with staffers. “Have a top executive come to these events and demonstrate their support and involvement,” he says.

Andrew Linn, senior vice president and chief information security officer for $1.3 billion-asset Orrstown Bank, says that “data and cybersecurity are not technology problems but rather people problems.” While a layered technology-security approach helps the Shippensburg, Penn.-based bank, “constant awareness in small, easily consumed, bite-sized blurbs [is what] we’ve found to be most effective,” Linn adds. Longer annual training courses are also important, but the smaller just-in-time awareness opportunities during or after an event have a longer-lasting impact.

Bjorklund underscores the importance of building support with the lines of business so the IT department can work more effectively with these leaders to drill down messages about data security through these teams. “A lot of the time it’s just about competing priorities,” he says. “People are stretched thin and wearing more hats and just don’t have the time to allocate here.”

Digital bulletin board
Many community banks have opted to create their own intranets to “keep all employees aware of the possible dangers of exposing the banks’ and customers’ information,” says David Daniel, senior vice president of sales and marketing and partner at Banc Intranets, which provides enterprise content management solutions for 180 community banks. Using the intranet as a channel for communication, Daniel says several of the company’s bank clients use blogs to share information with employees about potential cyberthreats and permit or encourage online discussions. “We also see banks use intranets to provide online courses and content to educate employees and then test them to ensure they are understanding the threats and risks associated with data security,” he adds.

As new threats emerge and the industry’s policies and practices change, it is increasingly important to build on and adapt the messages being sent to employees, according to Bjorklund. It is also critical to measure the progress of these data security efforts to see what is working and what is not, so banks can gauge progress and know how to adapt.

“It’s like checking the air pressure on your tires. You can’t just look, you have to measure,” Bjorklund says, suggesting that to gauge how much progress has been made in developing a culture of data security, banks should consider a number of tests. The first is a social engineering test, where an outside firm or consultant sends phishing emails or sets other electronic traps to see if employees will fall for these frauds. The second is a vulnerability scan, where an internal or external security professional checks the network, applications and software for weaknesses that a hacker could exploit to get in, steal information or take over the network. A more creative approach would be something like surveys, contests and an employee quiz, whether on the intranet or in real life.

Zazzaro says he knows that embracing better security practices will often “slow people down.” But that makes communicating the urgency and necessity of these mandates and best practices all the more important to getting buy-in throughout the organization. “Some people will push the limits; they want ease and convenience. That’s the world we live in,” he says. “It’s always a challenge.”

Karen Epper Hoffman is a writer in Washington state.