Why Your Bank Needs a Cybersecurity Awareness Program
This week we’re talking to Alex Cummings, Information Security Awareness Program Manager here at SouthState. We talk about the most common cybersecurity threats facing community banks today and how they can protect against these threats with a security awareness program.
Intro: Helping community bankers grow themselves, their team, and their profits. This is The Community Bank Podcast.
Erik Bagwell: Welcome to The Community Bank Podcast. I’m Erik Bagwell, Director of Sales and Marketing for the Correspondent Division of SouthState Bank, and joining me as always is Caleb Stevens. Caleb’s a Business Development Officer and puts this podcast together for us. Caleb, how are you?
Caleb Stevens: I’m doing good, excited for this show because I did not realize that Alex has been sending me emails for the past several months as phishing emails. I just thought they were from real phishers, scammers, but Alex runs our Information Security Awareness Program here at SouthState, and he’s been doing them to see who’s falling for it and who realizes that they’re phishing emails.
Erik Bagwell: Yeah, Alex Cummings is our Security Awareness Program Manager, and I will admit, raise my hand. I have clicked on a few of these emails and gotten the nasty email back saying you shouldn’t have clicked on that. He’s going to talk today about what we do at the bank, his role, and he’s got some good application for you guys out there too, but Caleb first let’s talk about our loan pricing series again, that we’ve got out and would love for folks to get this thing.
Caleb Stevens: Yeah, real quick, we’ve got five free videos to help you and your lending team price more profitable loans this year. If you’re looking at inflation, the economy, what the Fed is up to, you’re wondering how are we going to price our credits. This year we’ve got five videos to help you. All you got to do is click the link in these show notes of this episode, just click the link in the show notes, or you can go to southstatecorrespondent.com/loanpricing. Five videos, they’re about five minutes each, so you can fly through them but great tips. We hope you’ll check it out, and with that, here is our conversation with Alex Cummings. Well, Alex, how are you today? Thanks for joining us on the podcast.
Alex Cummings: I’m doing well. Thanks very much. I’m glad to be here.
Erik Bagwell: All right, so Caleb and I are not computer guys, like we said on the intro. You are the Security Awareness Program Manager here at the bank. We talked to you, I guess, last week about some things that had nothing to do with really the podcast. In the course of the conversation, we thought, let’s have Alex on and he can talk about security awareness and what he’s doing at the bank. So, tell us real quick, what is security awareness and what are security awareness programs? What do they look like and what do they do?
Alex Cummings: Yeah, sure. You say I’m a computer guy. So, I was a computer guy and then I got into awareness. So, awareness, it’s a security control, an information security control, but it focuses more on the human aspect of information security risk. Like any other security program, it’s designed to support and add value to the business mission and objectives. It’s a business line of support, but what it does really is it addresses and engages with your employees in an effort to boost your overall cybersecurity resiliency and reduce the cost of response and reputation risk and stuff like that, that would be involved should someone make a mistake and there be an incident that comes out of that. It starts with compliance, the bigger you get the more and more regulations and stuff that you become required of you to become compliant with.
A lot of the modern compliance requirements involve some sort of security awareness aspect. So, that’s where these programs typically start is a checkbox somewhere that someone feels like they need to meet, but when you start really maturing your program and addressing the risks that are involved with your employees, that’s when you start seeing the real value add and return on your investment with this stuff. So, like I said, it’s a security control, risk mitigation, and it essentially just acts as an extension of the security team.
Erik Bagwell: So, let’s drill down a little bit into what are some of the risks? We’ve got a lot of bankers listening from all different sizes of community banks. What are some of the common themes in terms of human risk and IT security risks that you see all banks facing today and what do they need to be aware of and how can a program like this really help them guard against it?
Alex Cummings: Yeah, absolutely. So, the first thing that comes to everyone’s mind, when you talk about security awareness is phishing. It’s fairly ubiquitous these days, everyone has some sort of phishing program, or they are at least aware that phishing exists and it is an issue that needs to be addressed, so that’s number one. Within phishing you’ve got a couple different topics. Gosh, what was the organization? It was a report put out in conjunction with the FBI, the Internet Crime Report, IC3 2021. They come out with their 2021 report, and their findings were that the top vector in phishing right now or in scams in general is BEC, which is business email compromise. Which is essentially when you have a malicious actor who will pretend to be someone you trust over an email. They can do that through a couple of different ways. They can have a domain that looks very similar to the one that you trust.
They can actually hack into someone’s trusted third-party email account and leverage it directly, but essentially, they try to leverage existing trust to get you to either divulge sensitive information or to transfer funds somewhere that they’re not supposed to go, so on and so forth. So, business email compromise is number one in phishing, but phishing is just a subset of everything that awareness can address. Human risk spans a very wide range. Actually, let me pull up topics and objectives, I have notes here for one of the program I have all the topics list out. Okay. So, we’ve got phishing, passwords, data loss prevention, social engineering, privilege abuse. That’s a fun one. You’ve got IT administrators and stuff like that who have access to sensitive systems.
Well, what if they’re using those credentials to do something that doesn’t quite adhere with policy, so stuff like that. The dangers of social media or just telling people how to use multifactor authentication, why that’s important. In public networks, passwords, the list goes on and on. It can cover anything. What it really comes down to when you are focusing on your internal awareness program is identifying what those top risks are for your organization. It’s really subjective, but once you have those risks identified, what you need to do from there is move into, okay, here’s what we’re concerned about. What are the behaviors that our employees are exhibiting that make these risks, risks, and how do we address those behaviors? That’s kind of where you get into the building blocks of how you put together your awareness program.
Erik Bagwell: Alex, I know at our bank and obviously every bank we go through training, we take tests. This is drilled into us a couple times during the year. Talk about all the components that go into a security awareness program.
Alex Cummings: Okay. Yeah. So, for starters, like you just mentioned the training, annual compliance, the stuff that everyone takes every year takes off the check box for making sure that we meet our goals when it comes to making sure that we are within compliance for regulations, that’s baseline step one, but if you look at the actual maturity model of an awareness program and there’s a couple of different ones but the most notable, the one that most people follow is one that’s put out by The SANS Institute and it has five layers to it. Number one is you don’t have an awareness program at all. Which is where a lot of smaller organizations, that’s where they stand right now. Number two is compliance focused, like we just discussed, you’re making sure you meet those compliance requirements.
Once you get beyond that, that’s three, four and five, which are promoting awareness and behavior change, long-term sustainment, and then the metrics framework. Again, this is part of The SANS maturity model. Those higher levels start delving into how you actually start producing this change with your employees. Excuse me, it’s important, I think at this point to identify the difference between awareness, training, and education. A lot of times those words get thrown around interchangeably when we’re talking about this stuff, but they do actually mean very different and distinct things. So, that annual compliance, that’s training, here’s what we need you to know. Here’s what we need you to do.
It’s telling someone how to perform a function or how to respond to a certain event in the organization and which is separate from education, which is where we tell people about specific risks that they need to know about and do a deeper dive into it that they understand better the reasoning behind what it is that we’re doing. Then you’ve got general awareness, which is, hey, did you see that Bridgestone got popped last week, or whatever it is that’s in the news right now just to keep people, is to keep security on their minds throughout their day, okay. So, when you move into accomplishing the goal of managing human risk, now, understanding your maturity model and your objectives and where you want to go. Understanding the difference between awareness, training, and education, you start breaking it down into these building blocks and each one falls into a different category as to how they’re distributed depending on your audience and your goals, depending on what your risks are.
So, once you have those risks defined, you build out learning objectives which define what the risk is, what are the objectives that we need to meet to manage these risks and those objectives are going to be based on the behaviors that you’ve identified. Those help you define in a way that is measurable. Okay. They have to be well defined and measurable objectives, and you have to use clear language. Like a learner correctly identifies sensitive data top from a list. So, that can be a metric for data loss prevention. You want a learner to be able to identify what is sensitive data in our organization, and that’s something you can clearly measure. Making sure that those things are well identified is important upfront. So, once you have those things built out, then you start thinking to yourself, okay, we need to get this content in front of our employees. How do we do that?
There’s a number of different ways, it’s going to depend on your organization and your budget. Email’s pretty common, but maybe you have an internal learning management system that you can leverage. Maybe you have a marketing and communications team that you can leverage and internal processes, internet pages, video content, the more creative you can get, and the more — what’s the word I’m looking for here — you want to be able to deliver your content in a way that is effective and being effective requires that the content be delivered to the right audience at the right time and in the right way. A 30-minute video, nobody’s going to pay attention to. You want to make sure you’re not delivering information that people don’t need to know, and you want to make sure the information that you do deliver is done so in a way that is going to be engaging.
So, this is where those partnerships with, if you have a breakdown of internal divisions, like I just mentioned, those partnerships become invaluable in how you deliver your content and start engaging your employees in a way that will produce the results that you want of managing that risk.
Erik Bagwell: Yeah. Well, I know one of the things that you do is you actually write fake phishing emails and you send them out to the bank and you see who’s following their training and who paid attention in these annual training courses to identify what does a phishing email typically look like. I’d just be curious to kind of hear your thoughts on what is that like, I’m sure you fool a lot of people sadly, and you probably have to have conversations with them around, hey, you realize, this was a fake phishing email from me, but the future could be a real thing and you could be compromising bank’s security. Talk about just the experience of sending fake phishing emails out to folks and trying to help them see the risks that are relevant to them day to day.
Alex Cummings: Yeah, sure. So, that’s a fun one. So, the phishing program is a lot of fun to run. You can get creative with it. There’s a pitfall here, though. You don’t want to get too creative, at least not up front. This is something that we struggle with internally with management and compliance. We want to be able to define a value in terms of what is our goal with our metrics around the phishing program. That is a really, really bad idea and I’ll tell you why. Once you have a set number in line, a set percentage of employees who fall susceptible to the phishing campaign that you have to stay under, to remain in compliance, that is going to essentially guarantee that your employees are going to stop learning anything. The point of the program is to educate people, so if you’re constantly sending out really low level obvious phishing emails that anyone off the street can be like, yeah, no, that’s a scam.
They’re not learning anything. You have to be able, you have to have the room and the flexibility to be able to increase the difficulty as your program matures in order to actually start reducing the risk around phishing, so, pitfall to be aware out there. The phishing stuff is fun. It is a lot of fun. I enjoy looking at the metrics. I’m actually working right now on figuring out how to break down our results based on internal department. Just try and kind of gamify it a little bit, let’s see who can do the best, I think people enjoy that. One important aspect of the phishing stuff though, is the follow ups that come out the week after the simulation. This is something that has been maturing over the last couple of months of, I don’t know if you’ve noticed, but the newsletter’s getting more and more complex, for better or worse, but one thing that I’ve gotten a lot of feedback around that on is the question of, I see that you’re reporting on how many employees reported the email. What I want to see is how many people failed.
That’s come up a couple of times from a couple of different individuals who addressed me on it and that’s not the way we want to go. When it comes to reporting on how we did as an organization, when we were telling employees, here’s how we did in phishing, we don’t want to highlight the failures. Can’t remember the — is it social proof? There’s a behavioral science concept around this, but essentially, we want to highlight the good behavior. Hey, 60 percent of your fellow employees identified this as a phishing email and reported it. Give them a pat on the back, a round of applause; we want to call attention to the good behavior. We don’t really want to get in front of people’s faces, but like, hey guys, 60, 70, 200, how [inaudible 16:01] number of you failed this. We want to keep a positive spin on.
Erik Bagwell: Right. We’re not here to shame you; we’re here to help educate you. That said, I selfishly hope that correspondent is up there in the rankings. I hope we’re leading the pack.
Alex Cummings: Yeah. I’m working on it. Once I have those metrics together. I’ll be sure to let you know.
Erik Bagwell: Alex, obviously you talk about this stuff and you’re in this every day. For the folks that aren’t though, how do you make security relevant and important to those people, this is back of mind and the only time they even think about it’s when they’re trying to pass a test to satisfy a regulatory requirement.
Alex Cummings: Yeah. So, here’s the thing, we’re all security people. Whether you’re logging into your online banking account or using some generic password on your social media, or you’re setting up your home Wi-Fi router, you make a decision to what kind of security you want to run on it. We all make security decisions every day. Sometimes those decisions are bad ones. Information security and data protection are ingrained in literally everything we do these days. So, the key to driving the importance of secure your practices is just helping people to understand that fact, okay. Security should be relatable and it’s our job as awareness practitioners to break it down and deliver it in a relatable way, but your exact engagement formula is going to vary between organizational cultures. The basics are always the same though. It needs to be relatable, brief content, delivered in an engaging and easy-to-follow way.
Awareness, it’s about education. Awareness is education and enablement on security topics. We need to be able to demystify what happens in the security program. A lot of people will feel some trepidation around reporting an incident because they don’t really understand what it means when they raise their hand and say, hey, this bad thing happened. Maybe they’re afraid for their job or some kind of repercussion. That whole process needs to be demystified and people need to be given some self-efficacy. They need to be empowered to take action and feel comfortable doing so when they recognize that something is wrong. In addition to understanding how these things impact them, not only at work, but in their personal lives as well. So, making sure that those messages are clear in your communications and your training and all the stuff that you put out, that is the key building block of making this stuff relevant and engaging to people who don’t work in security every day.
Erik Bagwell: Well, as we wrap up for the bankers listening, who they know security is very important for all the reasons that you’ve mentioned here on this podcast but they don’t have an awareness program that’s intentionally put together that they’re using to make sure their whole organization is buying into the importance of security, why it matters and how to implement it. What’s an easy first step that a smaller community bank could take to codify here’s our philosophy around security. Here’s how we want to make sure it gets in front of all of our team members, any advice for those bankers?
Alex Cummings: Yeah. So, a couple of identified building blocks that make a program successful and this comes from numerous reports. The first one, every time, all the time is leadership support. Executive management, the higher up you go in the food chain with support for your program, the higher likelihood you’re going to have that it’s going to be successful. That kind of comes down to the culture at your organization. Culture is highly related to awareness. Culture is broken down by a couple of different organizations. MIT put out a couple of papers, KnowBe4 came out with a paper recently. SANS have a class on it, it’s a thing. Okay. I have a paper here. Where is it? Here we go. Okay. So yeah, culture. According to this one, top management support, policy and procedures, and awareness, for instance, are critical in engendering cybersecurity culture. Okay.
So, culture is the overarching thing. Awareness is a component of that culture. Top management support is essential to both the success of implementing your awareness program and your overall security culture. Once you have that in place, you have a much higher chance of affecting the change that you want. Following that, the statistics show that if you have a full-time employee who is running the awareness program, who has a title to match the job description, like myself, for example, I’m the Information Security Awareness Program Manager, that’s my title. So, it’s what I do. The more time that you have employees putting into the program significantly impacts your positive outcomes. So, leadership support, full-time employee, and then following that you need policies which are clearly written and clearly communicated.
A lot of times we have employees, especially when we start doing audits and stuff. We’ll look into things, we’ll see some issues like, well, yeah, we have this issue, but we also have a policy over here that’s supposed to address this. That happens all the time. It’s important as a function of the awareness program to make sure those policies are clear and understandable and are communicated in a way that just makes sure they get in front of people. So, people have the opportunity to make sure they understand what is expected of them. So, I would say, those are the key fundamentals of success, leadership support, full-time employee, clear communicated policy. Everything after that is gravy, you start throwing in a nice budget, and then you start getting some graphic designers in there, real creativity flowing and everything just builds on itself, but those are the essentials to making sure that you have what you need to move into a successful program.
Erik Bagwell: We appreciate what you do for the bank to keep everybody safe. I hope all the listeners who’ve tuned in today have gotten some nuggets for their own banks and some tips on what they can be doing to make sure that their banks are kept safe as well, because it’s an important function in a bank, and one that is only going to get more important as time goes on in the future. So, Alex, we appreciate you joining us. This has been very helpful and we are thankful for your time.
Alex Cummings: Yeah, I am so glad I was here. Thanks for having me, and I hope to do this again sometime.